Bugs — Easy To Find, Tough To Report

A common complaint that you often hear in Infosec is how hard it can be to report vulnerabilities sometimes. This story tells of my journey using OSINT tools to find the right person to responsibly report a bug to. Of course, I enjoyed the journey more than the destination. The Discovery Even today, you can still find lots of misconfigured S3 buckets full of juicy data. I recently found one which contained a lot of personal documents belonging to the employees of an electric vehicle startup; let's refer to them with a made-up name to save them some face. Let's call them EVzap. ...

2024-Jan-26 · 6 min

MFA - Why do we match numbers to approve MFA sign-in?

This post is mainly for users who use MFA authenticator apps on their smartphones. Earlier the process was to click either “Yes (Approve)” or “No (Deny)”, and that would allow you to log in. Why is one more step now required, entering a value shown on the login page? Background We have been using passwords for years to secure our digital accounts. Since people need passwords for several different services and it becomes tough to remember them, they started to either (a) reuse the same password, (b) use an easy password, or (c) write down the different passwords. ...

2023-Jul-23 · 3 min

An Innovative Email Verification Technique for Spam

I use a burner (temporary) email for filling in at random websites for my testing. Still, I have taken care not to use this email address at unreliable websites. Somehow, someone got hold of this email address. Now, how can that person check that my address is still valid and active? They need to check this for sending me spam/phishing emails and getting a better ROI. Here's the technique they used, and I was impressed. Generally I don't entertain my Spam folder and hence haven't seen many such mails. The mail says — ...

2020-Jul-08 · 3 min

Your Eureka Forbes account can easily be hacked!

I am a customer of Eureka Forbes, and last year I was accessing their website to make a payment. I own an Aquaguard Water Purifier by them and wanted to pay for the yearly maintenance contract (AMC). For anything related to your account, you need to log in via their website (https://www.eurekaforbes.com/). There is currently only 1 mechanism available for login – OTP Login. You provide your phone number (registered with Eureka Forbes) and they send an SMS OTP to your phone. ...

2020-Apr-11 · 3 min

Fraud Android App in the name of Jio Prime

I am following an Instagram meme page with about 130K followers. These meme pages post ads sometimes when they get paid for them. One such ad said – “Get 10GB Data Everyday for Free for 3 Months – for Jio Prime Users”. Since I am a Jio user, I got curious to check this and was sure this was some kind of fraud going on; the ad was not by the original Jio — they were using the name of Jio to milk their followers, since many of the users use Jio for their data connection. ...

2019-Jan-29 · 3 min

Phishtank - the conventional tank of phishes

Phishtank is a project by the OpenDNS community. OpenDNS is a company which provides services for safe and fast browsing of the Internet, while Phishtank is a community where anyone can share or check phishing data. Phishtank is not a technology to filter phishing/spam or to protect against phishing attacks, but a platform to submit, verify, check or share phishing details, so it serves as a repository of phishing data. How to support Phishtank? You can support Phishtank in either of these ways: ...

2013-Sep-19 · 2 min

Brute-Force Attack on Wordpress

Apparatus: a distributed botnet of around tens of thousands of bots, each with its own IP address; a password file of around 1000 entries with some common passwords; default username ‘admin’. Steps: WordPress 3.0 was released 3 years ago, and users have gone on with ‘admin’ as their default username and some usual password; a brute-force with username ‘admin’ and passwords from the above-mentioned file; the botnet tries this attack on each and every WordPress portal available over the Internet. Objective: a well-planned distributed attack (just like itsoknoproblembro shook the banking world) against some hot-spot over the Internet. ...

2013-Apr-13 · 2 min

Why is it necessary to keep your email secure?

Apart from the normal reasons for keeping our email accounts secure, there are many more which we tend to ignore or are not aware of. Take this scenario – why keep work-related and social email accounts separate and confidential (if possible): If someone knows basic information about you, your social networking account can be hacked. The main ingredient is your email id. It's better to keep the id you use for networking secure. If the work and social email ids are the same, there is more chance of people guessing or knowing your basic information, giving more chance for your account to get compromised. ...

2012-Dec-14 · 2 min

Common Network Security Threats

Smurf: a version of Denial of Service attack that floods the victim with spoofed broadcast pings. A large number of pings are sent to the IP broadcast address of the victim; it responds back with a broadcast to all the hosts, and these hosts simultaneously reply, causing a major lock-up in the network. Ping of Death: a funny ping – an ICMP packet is sent to the victim which floods its buffer, causing the system to reboot or the network to hang. ...

2012-Sep-05 · 2 min