The ePickpocketer

The great EMV migration has been with us for a while, and everybody is excited about the new cashless-payment innovations (especially in the matatu industry), even though they are still finding their footing on the way to industry-wide adoption. This is because there is no other industry Kenyans detest like the matatu industry. Most Kenyans detest matatu drivers (because of careless driving) and conductors (because of their crooked and dishonest behaviour). No wonder we use disgraced names like “Makanga” and “Concordi / Konkodi” (local Swahili slang for pickpocket) to refer to conductors, since their aim is to con us out of our meagre shillings by increasing the fares or refusing to hand over change.

As the saying goes, “The more things change, the more they remain the same” (Jean-Baptiste Alphonse Karr). Contactless radio-frequency identification (RFID) and Near Field Communication (NFC) chips bring in a new IT risk profile, revolutionising the ‘Concordi (Konkodi)’ into the ePickpocketer. Continue reading The ePickpocketer

The OpenSSL Vulnerability – CVE-2015-1793

Severity: High     

What is OpenSSL?
OpenSSL is a general-purpose cryptography library that implements the TLS/SSL security protocol and puts the “S” in HTTPS for many websites.

The Vulnerability
Hackers can lure or misdirect a user to a bogus website, email server or any other internet service that uses TLS/SSL for its secure communication, so as to trick the user into thinking that they are somewhere legitimate and secure.

Effects of the bug
A hacker may be able to create a certificate in someone else’s name and then sneak it past OpenSSL’s certificate verification process without triggering a warning, even though the certificate isn’t signed by a trusted CA.

How big is the risk?
Four OpenSSL versions are affected:
• Versions 1.0.2b and 1.0.2c need updating to 1.0.2d. (The -a sub-version is immune.)
• Versions 1.0.1n and 1.0.1o need updating to 1.0.1p. (Sub-versions up to and including -n are immune.)
• All 0.9.8 versions are immune.
• All 1.0.0 versions are immune.

What to do?
If you are using any of the affected OpenSSL versions listed above, you need to update.
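As an added example (not code from the post, nor from the OpenSSL project), here is a small Python check that classifies an `openssl version` string against the list above and names the release to upgrade to. It follows the explicit affected list (1.0.2b, 1.0.2c, 1.0.1n, 1.0.1o), which is also what the OpenSSL advisory in the references states. The sample strings are constructed in the format `openssl version` prints, and the `check_local_openssl` helper is an assumption about how you would wire the check to a real host.

```python
import re
import subprocess

# Affected and fixed releases as listed in the post (and in the OpenSSL
# advisory it references): 1.0.2b/c -> 1.0.2d, 1.0.1n/o -> 1.0.1p.
AFFECTED_LETTERS = {(1, 0, 2): {"b", "c"}, (1, 0, 1): {"n", "o"}}
FIXED_LETTER = {(1, 0, 2): "d", (1, 0, 1): "p"}

# Matches "1.0.2c", "0.9.8zg" or "1.0.1o-fips" inside `openssl version` output.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Return (major, minor, fix, letters) from a version string or from
    `openssl version` output; raise ValueError if no version is present."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    major, minor, fix, letters = m.groups()
    return int(major), int(minor), int(fix), letters


def assess(text):
    """Classify a version string against CVE-2015-1793.

    Returns ("affected", "<release to upgrade to>") or ("immune", None).
    """
    major, minor, fix, letters = parse_version(text)
    base = (major, minor, fix)
    if base in AFFECTED_LETTERS and letters in AFFECTED_LETTERS[base]:
        return "affected", f"{major}.{minor}.{fix}{FIXED_LETTER[base]}"
    # Everything else the post lists as immune: all 0.9.8 and 1.0.0 builds,
    # 1.0.2a, the 1.0.1 letters before n, and the fixed 1.0.2d / 1.0.1p onwards.
    return "immune", None


def check_local_openssl():
    """Assumed helper: run `openssl version` on this host and assess it.
    Returns None if the openssl binary is not on PATH or fails to run."""
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True,
                             text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return assess(out)


if __name__ == "__main__":
    # Constructed sample strings in the format `openssl version` prints.
    samples = ["OpenSSL 1.0.2c 12 Jun 2015", "OpenSSL 1.0.2a 19 Mar 2015",
               "OpenSSL 1.0.1o 12 Jun 2015", "OpenSSL 0.9.8zg 11 Jun 2015"]
    for sample in samples:
        print(sample, "->", assess(sample))
    print("this host ->", check_local_openssl())
```

One caveat for anyone running this against a fleet: Linux distributions frequently backport security fixes without bumping the upstream version letter, so on vendor-patched builds confirm the patch status from the vendor advisory or package changelog rather than from the version string alone.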

References
https://www.openssl.org/news/secadv_20150709.txt

Spear Phishing – Simple, very effective and most prevalent social engineering hacking technique

Spear-phishing is an attempt by a hacker to obtain confidential information through fraudulent means by targeting a specific employee in order to gain access to information. While phishers are usually attempting to steal from the victim, spear phishers attempt to compromise the victim’s company’s network and systems to steal corporate secrets, intellectual property, customer details and other valuable information. “Spear phishers play on people’s emotions, and often use curiosity, fear or the offer of a reward to arouse interest,” says Scott Greaux, a VP at anti-spear-phishing training firm PhishMe, and they do so by email. Spear phishing exploits the weakest point in security, which is us (people); as Bruce Schneier states, “People often represent the weakest link in the security chain and are chronically responsible for the failure of security systems.” It relies on social engineering to deceive, manipulate and “influence to convince a human who has access to a computer system to do something, like click on an attachment in an e-mail.” ~ Kevin Mitnick

Fig. I – Spear Phishing

Continue reading Spear Phishing – Simple, very effective and most prevalent social engineering hacking technique

PENETRATION TESTING OF ANDROID-BASED TABLET

ABSTRACT
“If you know the enemy and know yourself you need not fear the results of a hundred battles.” – Sun Tzu, Ancient Chinese Strategist and Philosopher

The purpose of this study is to conduct a pen test on an Android-based tablet. The pen test was implemented in a manner that simulated a malicious attacker engaging in a targeted attack against the tablet, with the goal of pinpointing how an attacker could penetrate the security features of an Android-based tablet. The assessment was conducted in accordance with the recommendations outlined in the NIST SP 800-115 penetration testing guidelines.

The results of this assessment will be used by network administrators, information security managers and information system auditors to make decisions on securing tablets and Bring Your Own Device (BYOD) equipment accessing the organization’s network. All tests and actions were conducted under controlled conditions, and a report was written with a detailed explanation of the activities involved and the objective of the test.

Get a copy here

How to create strong passwords

The world has become a digital village, and each one of us has various computing devices at our disposal (mobile phones, personal computers, laptops and tablets) and operates myriad social media and email accounts (Facebook, LinkedIn, Yahoo, Gmail and many more). The common denominator for all of them is the ‘PASSWORD’. The Oxford online dictionary defines a password as “A secret word or phrase that must be used to gain admission to a place” (Oxford Dictionary, 2014).

Continue reading How to create strong passwords

LEGAL ARGUMENTS FOR AND AGAINST THE USE OF OPEN SOURCE FORENSICS TOOLKITS IN COURT PROCEEDINGS IN KENYA

Abstract

Purpose – The purpose of this paper is to explore legal arguments for and against the use of open source forensics toolkits in court proceedings in Kenya.

Design/methodology/approach – The methodology used is a literature review of scientific research papers and the laws of Kenya.

Findings – There are no relevant laws in Kenya supporting or opposing the use of digital forensics tools, whether open source or licensed. The laws currently in place do not clearly state which methods should be used to verify the accuracy and reliability of the tools used, or how to determine the best tools for conducting open source digital forensics.

Paper type – Research paper

Keywords – Computer, Forensics, digital, email

BitCyber Security Consultants


Get a copy here!

View original post

#Shellshock bug – critical vulnerability in the Bash Unix command-line interpreter

Shellshock, or Bashdoor, is a security bug found in the Unix Bash shell. It is a critical flaw which was discovered on 24 September 2014 by Akamai Technologies security researcher Stephane Chazelas. “Many Internet daemons, such as web servers, use Bash to process certain commands, allowing an attacker to cause vulnerable versions of Bash to execute arbitrary commands. This can allow an attacker to gain unauthorized access to a computer system” (Wikipedia, 2014). The targeted system must have a script or application that attempts to call Bash in order for the attack to succeed.

Common Vulnerabilities and Exposures database (CVE)

The flaw was originally assigned CVE-2014-6271, but it was later discovered that the patch had an issue in the parser and did not fully address the problem. MITRE later assigned CVE-2014-7169, CVE-2014-6277, CVE-2014-6278, CVE-2014-7186 and CVE-2014-7187 to cover the remaining problems after the application of the first patch (Wikipedia, 2014).

CVSS Severity (version 2.0):

CVSS v2 Base Score: 10.0 (HIGH) (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Impact Subscore: 10.0
Exploitability Subscore: 10.0

CVSS Version 2 Metrics:

Access Vector: Network exploitable
Access Complexity: Low
Authentication: Not required to exploit

Continue reading #Shellshock bug – critical vulnerability in the Bash Unix command-line interpreter

Information Security Evangelist
