Critical NPM Package Compromise: How a Simple Phishing Attack Infected Millions of Downloads

Summary

A sophisticated phishing campaign recently succeeded in compromising several widely-used npm packages, demonstrating how social engineering can bypass traditional security measures. The attackers cleverly used stolen credentials to inject malware directly into trusted npm packages without ever touching the corresponding GitHub repositories, making detection significantly more challenging. This incident serves as a stark reminder that even the most popular and trusted packages in our dependency chains can become vectors for malicious code distribution. ...

2025-Jul-24 · 6 min

Bugs — Easy To Find, Tough To Report

A common complaint that you often hear in Infosec is how hard it can be to report vulnerabilities sometimes. This story tells of my journey using OSINT tools to find the right person to responsibly report a bug to. Of course, I enjoyed the journey more than the destination.

The Discovery

Even today, you can still find lots of misconfigured S3 buckets full of juicy data. I recently found one which contained a lot of personal documents belonging to the employees of an electric vehicle startup; let's refer to them with a made-up name to save them some face. Let's call them EVzap. ...

2024-Jan-26 · 6 min

MFA - Why do we match numbers to approve MFA sign-in?

This post is mainly for users who use MFA authenticator apps on their smartphones. Earlier the process was to click either “Yes (Approve)” or “No (Deny)” and that would allow you to log in. Why is one more step now required to enter a value shown on the login page?

Background

We have been using passwords for years to secure our digital accounts. Since people need to have passwords for several different services and it becomes tough to remember them, they started to either (a) reuse the same password, (b) use an easy password, or (c) write down the different passwords. ...

2023-Jul-23 · 3 min

An Innovative Email Verification Technique for Spam

I use a burner (temporary) email for filling in forms at random websites for my testing. Still, I have taken care not to use this email address at unreliable websites. Somehow, someone got hold of this email address. Now, how can that person check that my address is still valid and active? They need to check this for sending me spam/phishing emails and get a better ROI. Here’s the technique they used, and I was impressed. Generally I don’t entertain my Spam folder and hence haven’t seen many such mails. The mail says — ...

2020-Jul-08 · 3 min

Set-up Penetration Testing server on AWS

Amazon Web Services (AWS) is a great resource to try and learn cloud concepts and later set up your own infrastructure on the cloud. For a very long time, AWS has been providing 1 year of free usage for a set of cloud services. If you own one laptop and want to have another machine for testing, you either need to install virtualization software (VirtualBox, VMware, etc.) or you can use the free tier of AWS. Amazon EC2 (Elastic Compute Cloud) can be used to set up your own instances on the cloud to do this. While having a penetration testing machine on AWS, you need to take care of some points: ...

2020-Jul-01 · 6 min

Your Eureka Forbes account can easily be hacked!

I am a customer of Eureka Forbes, and last year I was accessing their website for making a payment. I own an Aquaguard Water Purifier by them and wanted to pay for the yearly maintenance contract (AMC). For anything related to your account, you need to log in via their website (https://www.eurekaforbes.com/). There is currently only one mechanism available for login – OTP Login. You provide your phone number (registered with Eureka Forbes) and they send an SMS OTP to your phone. ...

2020-Apr-11 · 3 min

Never Post A Picture Of Your Boarding Pass On Social Media

Whenever I go on a trip I do the mandatory check-in at Facebook, Twitter and Instagram, saying where I am going, who my travel-mates are, how many days I will be away, and I post a picture of my boarding pass to prove it. I love doing it; it's super cool for my friends and anyone who follows me! But sadly I am not aware of what an adversary can do with just my airplane boarding pass. ...

2019-Mar-24 · 6 min

Fraud Android App in the name of Jio Prime

I am following an Instagram meme page with about 130K followers. These meme pages post ads sometimes when they get paid for them. One such ad said – “Get 10GB Data Everyday for Free for 3 Months – for Jio Prime Users”. Since I am a Jio user, I got curious to check this and was sure – this was some kind of fraud going on, and the ad was not by original Jio — they were using the name of Jio to milk their followers, since many of the users use Jio for their data connection. ...

2019-Jan-29 · 3 min

Bypass Root detection in Android - by modifying the APK

Developers implement root-detection mechanisms in Android to prevent users from using their app on a rooted phone. The app (APK) will implement different checks to determine whether the phone is rooted or not. Later, after this check, if the phone is rooted then the APK will display some message like: “This device is rooted, exiting the application” or “This application will not work on a rooted device, exiting!” And it will exit the application. ...

2017-Dec-16 · 3 min

Common problems during initial Honeyd configuration

Honeyd is a small daemon for Linux (now also available for Windows) to simulate multiple virtual hosts on a single machine. It is a kind of interactive honeypot. The latest release can be downloaded from the Honeyd release page. For my project, I have been working with honeypots, and Honeyd is one of them. During the initial stage, I faced some problems while starting the basic setup of some personalities with Honeyd. Here I recall those problems and some misconfigurations which can result in errors (mainly: config file parse error) and can be a problem for first-time users. ...

2013-Oct-12 · 5 min