UK sees 35% increase in mobile phishing exposures – Global State of Mobile Phishing Report

Mobile phishing is an issue plaguing the masses and a growing concern for enterprises, particularly as 2022 had the highest percentage of mobile phishing encounter rates ever, according to Lookout’s Global State of Mobile Phishing report. On average, more than 30% of personal and enterprise users were exposed to these attacks every quarter.

In the U.K., there was a 35% increase in the average number of mobile devices exposed to at least one malicious phishing attack per quarter between 2020 and 2022. In the last two years, 20-30% of mobile devices in the U.K. have been exposed to at least one malicious phishing attack every quarter.

Lookout also found that users on all devices – whether personal or work provided – are tapping more on mobile phishing links in comparison to just two years ago. The report estimates the potential annual financial impact of mobile phishing to an organisation of 5,000 employees is nearly $4 million. Enterprises operating in highly regulated industries – including insurance, banking, legal, healthcare and financial services – were found to be the most heavily targeted.

“Mobile as a threat surface will continue to grow, and hybrid work continues to grow in tandem, introducing huge numbers of unmanaged devices into the enterprise environment,” said Aaron Cockerill, chief strategy officer at Lookout. “It is more important now than ever for organizations to evolve their cybersecurity strategy to proactively combat mobile phishing. As one of the most effective attack vectors for threat actors, often serving as a starting-point for more advanced attacks, mobile phishing protection should be a top priority for organizations of any size.”

In 2022, more than 50% of personal devices were exposed to a mobile phishing attack every quarter, and the percentage of users falling for multiple mobile phishing links in a year is increasing rapidly year over year.

Users, endpoints and applications are now so closely connected that threat actors can initiate advanced attacks simply by stealing user credentials. Mobile phishing is one of the most effective tactics to steal login credentials, which means that mobile phishing itself poses significant security, compliance, and financial risk to organizations in every industry. It is likely that the rise of remote work has contributed to this, as organizations relax bring-your-own-device (BYOD) policies to accommodate employees accessing corporate networks outside the traditional security perimeter.

Lookout also claims mobile phishing attacks are growing more sophisticated. The share of mobile users in enterprise environments clicking on more than six malicious links annually has jumped from 1.6% in 2020 to 11.8% in 2022, indicating that users are having a tougher time distinguishing phishing messages from legitimate communications.

The post UK sees 35% increase in mobile phishing exposures – Global State of Mobile Phishing Report appeared first on IT Security Guru.

Whisper – Simple App to Listen to Microphone in Linux

Want to hear what your microphone picks up? Here’s a stupidly simple tool to do the job in Linux.

It’s Whisper, a new free and open-source GTK4 application that lets you listen to your microphone through your speakers, which is useful for testing the microphone or hearing your own voice.

As the screenshot shows, the app is quite easy to use. Just select the microphone and speaker from the list, and click ‘Connect’. Then, say something or make some noise into the microphone to see the magic.

As a GTK4 application, it follows the system color scheme by switching between light and dark automatically. However, it needs both PulseAudio and PipeWire to work, which are the default in Pop!_OS 22.04, Ubuntu 22.10, Ubuntu 23.04, Fedora 35/36/37, etc.

How to Install Whisper in your Linux

As mentioned above, this application requires the PipeWire audio server. For the current Ubuntu 22.04 LTS, it’s NOT the default, though you can enable it by following this tutorial (NOT recommended for beginners).

Whisper is available to install as a universal Flatpak package. You can install it by following the steps below one by one:

1. First, press Ctrl+Alt+T on the keyboard to open a terminal. When it opens, run the command below to install the Flatpak daemon:

sudo apt install flatpak

Other Linux distributions can follow this setup guide to enable Flatpak support.

2. Then, run the command below to install Whisper as a Flatpak package:

flatpak install https://dl.flathub.org/repo/appstream/it.mijorus.whisper.flatpakref

3. After installation, search for and launch it from the start menu (Show Applications) like a normal app and enjoy!

How to Remove Whisper

To remove the software package, open a terminal window and run the command:

flatpak uninstall --delete-data it.mijorus.whisper

Also run flatpak uninstall --unused to remove unused runtime libraries.

Dippi – Tells if the Laptop/External Monitor Best Choice (HiDPI or LoDPI)

Going to buy a new monitor or laptop, or want to check whether your display is HiDPI? Here’s a handy app that can help!

I previously thought that 4K and 8K displays are HiDPI while the 720p display I’ve been using is LoDPI. That’s 100% wrong! HiDPI stands for High Dots Per Inch, also known by Apple’s name “Retina Display”, and means a screen with a high resolution in a relatively small physical size.

A HiDPI monitor may be good for displaying photos or playing FPS games, but not all software behaves well in high-resolution mode yet. If you’re going to buy a monitor or want to calculate the DPI of an existing display, here’s a good app to choose.

It’s ‘Dippi’, a free and open-source GTK4 application developed by a GNOME Foundation member.

With it, you just need to tell it whether the display is a laptop or desktop, the monitor size (inches), and the screen resolution. It then shows you the aspect ratio and DPI value, as well as the display’s density rating.

The density ratings are:

  • Very Low DPI,
  • Fairly Low DPI,
  • Ideal for LoDPI,
  • Potentially Problematic,
  • Ideal for HiDPI,
  • Fairly High for HiDPI, or
  • Too High DPI

Each rating comes with a short description of how text and UI elements will feel (too small or too large) at typical viewing distances. As a GTK4 app, it looks good in Ubuntu, Fedora and other Linux distributions with the GNOME desktop. And it automatically switches the UI between light and dark mode to follow the system color scheme.
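The arithmetic behind the numbers Dippi shows is short enough to run by hand. The following is an added example, not Dippi’s own code: pixel density is the diagonal pixel count divided by the diagonal size in inches, and the aspect ratio is the resolution reduced by its greatest common divisor. The sample displays are constructed; Dippi’s own density thresholds are not reproduced because the article does not list them.

```shell
#!/bin/sh
# Added example (not Dippi's code): compute DPI and aspect ratio from a
# display's resolution and diagonal size. Sample displays are constructed.

# display_dpi WIDTH HEIGHT DIAGONAL_INCHES -> pixels per inch, one decimal.
# awk does the floating-point work that POSIX sh arithmetic cannot.
display_dpi() {
    awk -v w="$1" -v h="$2" -v d="$3" \
        'BEGIN { printf "%.1f\n", sqrt(w * w + h * h) / d }'
}

# aspect_ratio WIDTH HEIGHT -> "16:9" etc., reducing by the GCD (Euclid).
aspect_ratio() {
    a=$1; b=$2
    while [ "$b" -ne 0 ]; do
        t=$((a % b)); a=$b; b=$t
    done
    echo "$(($1 / a)):$(($2 / a))"
}

# Constructed samples: a 14" laptop panel, a 24" desktop monitor, a 27" 4K.
for spec in "1366 768 14" "1920 1080 24" "3840 2160 27"; do
    set -- $spec
    printf '%sx%s at %s": %s DPI, aspect %s\n' \
        "$1" "$2" "$3" "$(display_dpi "$1" "$2" "$3")" "$(aspect_ratio "$1" "$2")"
done
```

Note that 1366x768 reduces to 683:384 rather than 16:9; the panel is only approximately widescreen, which is why such tools compute the ratio from the actual pixel counts rather than labelling it.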

How to Install Dippi

Dippi is also available as an online service; visit this page to analyze your display.

For most Linux users, it’s available to install as a universal Flatpak package from Flathub.org.

Ubuntu users can follow the steps below one by one to install the package:

  1. Firstly, press Ctrl+Alt+T on the keyboard to open a terminal. When it opens, run the command below to make sure Flatpak is installed:
    sudo apt install flatpak

    For the old Ubuntu 18.04, add this PPA repository before running the apt install command.

  2. Then, install the application by running the command:
    flatpak install https://dl.flathub.org/repo/appstream/com.github.cassidyjames.dippi.flatpakref

    Like normal apps, you can search for and launch it from either the start menu or the ‘Activities’ overview, depending on your desktop environment.
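The Whisper and Dippi install steps above both boil down to “install flatpak, then install from a .flatpakref URL”. As an added example (not from either article), here is a small POSIX sh helper that wraps that procedure with the checks a careful user would make first: that Flatpak is present, that the .flatpakref really comes from Flathub’s download host rather than a look-alike, and, for Whisper, that PipeWire is actually the running audio server. After installing it prints the app’s sandbox permissions for review. The app IDs are the ones the articles install; the function names and the sample `pactl info` text are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original articles): guarded Flathub install
# for the Whisper and Dippi steps above. Function names are hypothetical;
# the sample `pactl info` output below is constructed.

# Accept only HTTPS flatpakref URLs served from dl.flathub.org; plain HTTP,
# look-alike hosts and local files are refused.
flatpakref_is_flathub() {
    case "$1" in
        https://dl.flathub.org/repo/appstream/*.flatpakref) return 0 ;;
        *) return 1 ;;
    esac
}

# Derive the application ID from the flatpakref name, e.g.
# https://.../it.mijorus.whisper.flatpakref -> it.mijorus.whisper
app_id_from_flatpakref() {
    basename "$1" .flatpakref
}

# `pactl info` reports "Server Name: PulseAudio (on PipeWire 0.3.x)" when
# PipeWire's PulseAudio shim is serving audio; plain PulseAudio reports
# "Server Name: pulseaudio". The text is passed in so it can be tested offline.
audio_server_is_pipewire() {
    printf '%s\n' "$1" | grep -q '^Server Name: .*PipeWire'
}

# Install an app from a flatpakref, then show its sandbox permissions so the
# user can see what the app may access before running it.
install_flathub_app() {
    url=$1
    if ! command -v flatpak >/dev/null 2>&1; then
        echo "flatpak is not installed; run: sudo apt install flatpak" >&2
        return 1
    fi
    if ! flatpakref_is_flathub "$url"; then
        echo "refusing to install from a non-Flathub source: $url" >&2
        return 1
    fi
    flatpak install -y "$url" || return 1
    flatpak info --show-permissions "$(app_id_from_flatpakref "$url")"
}

# Constructed sample of `pactl info` output on a PipeWire system.
SAMPLE_PACTL_INFO='Server String: /run/user/1000/pulse/native
Server Name: PulseAudio (on PipeWire 0.3.48)
Default Sink: alsa_output.pci-0000_00_1f.3.analog-stereo'

# Usage: ./install.sh --whisper   or   ./install.sh --dippi
if [ "${1:-}" = "--whisper" ]; then
    if audio_server_is_pipewire "$(pactl info 2>/dev/null)"; then
        install_flathub_app https://dl.flathub.org/repo/appstream/it.mijorus.whisper.flatpakref
    else
        echo "Whisper needs PipeWire, but pactl does not report it as the audio server" >&2
        exit 1
    fi
elif [ "${1:-}" = "--dippi" ]; then
    install_flathub_app https://dl.flathub.org/repo/appstream/com.github.cassidyjames.dippi.flatpakref
fi
```

The URL check matters because a .flatpakref is just a small file that points at a remote and an app; installing one from an arbitrary link means trusting whatever repository it names. Pinning the host to dl.flathub.org keeps the trust decision where the articles put it.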

How to Remove Dippi

To remove the app installed as a Flatpak, open a terminal and run the command:

flatpak uninstall --delete-data com.github.cassidyjames.dippi

Also remove unused runtimes with flatpak uninstall --unused.

Fault-Tolerant SFTP scripting – Retry Failed Transfers Automatically

Introduction

The whole of modern networking is built upon an unreliable medium. Routing equipment has free license to discard, corrupt, reorder, or duplicate data which it forwards. The understanding of the IP layer in TCP/IP is that there are no guarantees of accuracy. No IP network can claim to be 100% reliable.

The TCP layer acts as a guardian atop IP, ensuring data that it produces is correct. This is achieved with a number of techniques that sometimes purposely lose data in order to determine network limits. As most might know, TCP provides a connection-based network with guaranteed delivery atop an IP connectionless network that can and does discard traffic at will.

How curious it is that our file transfer tools are not similarly robust in the face of broken TCP connections. The SFTP protocol resembles both its ancestors and peers in that no effort is made to recover from TCP errors that cause connection closure. There are tools to address failed transfers (reget and reput), but these are not triggered automatically in a regenerated TCP session (those requiring this property might normally turn to NFS, but this requires both privilege and architectural configuration). Users and network administrators alike might be rapt with joy should such tools suddenly become pervasive.

What SFTP is able to provide is a return status, an integer that signals success when its value is zero. It does not return a status for file transfers by default, but only does so when called in batch mode. This return status can be captured by a POSIX shell and the transfer retried when it is non-zero. The check can even be done on Windows with Microsoft’s port of OpenSSH with the help of Busybox (or even PowerShell, with restricted functionality). The POSIX shell script is deceptively simple, but uncommon. Let’s change that.

Failure Detection with the POSIX Shell

The core implementation of SFTP fault tolerance is not particularly large, but batch mode assurance and standard input handling add some length and complexity, as demonstrated below in a Windows environment.
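As an added example (not the article’s own script), here is the retry loop described above written for a POSIX shell: the upload runs in batch mode so sftp returns a status, a non-zero status triggers another attempt, and later attempts use reput so the partial file is resumed rather than restarted. Two details the text does not spell out are handled: reput refuses to run when the remote file does not exist yet, and also when it is already at least as large as the local one (the case where a previous attempt actually finished but the connection dropped before the status came back), so each attempt inspects the remote size first. The host, paths and retry budget are assumptions, the function names are hypothetical, and key-based authentication is assumed because BatchMode=yes makes ssh fail instead of prompting for a password.

```shell
#!/bin/sh
# Added example, not the article's script: fault-tolerant sftp upload in
# POSIX sh. Host, paths and retry budget are assumptions; function names
# are hypothetical. Key-based ssh authentication is assumed.

# retry MAX DELAY CMD...: run CMD until it exits 0 or MAX attempts are used,
# sleeping DELAY seconds between attempts. Returns CMD's last exit status.
retry() {
    max=$1; delay=$2; shift 2
    n=1
    while :; do
        "$@"
        rc=$?
        [ "$rc" -eq 0 ] && return 0
        if [ "$n" -ge "$max" ]; then
            echo "giving up after $n attempts, last status $rc" >&2
            return "$rc"
        fi
        echo "attempt $n failed with status $rc; retrying in ${delay}s" >&2
        n=$((n + 1))
        sleep "$delay"
    done
}

# remote_size HOST PATH: print the remote file's size in bytes, or nothing
# if it does not exist. Batch mode echoes commands as "sftp> ...", so keep
# only the ls -l line, whose first field is the permission string.
remote_size() {
    printf 'ls -l %s\nquit\n' "$2" |
        sftp -q -o BatchMode=yes -b - "$1" 2>/dev/null |
        awk '$1 ~ /^[-dl]/ { print $5; exit }'
}

# sftp_upload_once HOST SRC DST: one attempt. reput refuses to run if the
# remote file is missing or already as large as the local one, so choose
# the command from the remote state instead of blindly resuming.
sftp_upload_once() {
    host=$1; src=$2; dst=$3
    local_size=$(wc -c < "$src" | tr -d ' ')
    rsize=$(remote_size "$host" "$dst")
    if [ -z "$rsize" ]; then
        cmd=put        # nothing there yet: fresh upload
    elif [ "$rsize" -ge "$local_size" ]; then
        echo "$dst already complete ($rsize bytes)" >&2
        return 0       # an earlier attempt finished; only its status was lost
    else
        cmd=reput      # partial copy present: resume from its end
    fi
    # "-b -" reads the batch from stdin. sftp exits non-zero on the first
    # failing command, which is the signal the retry loop keys on.
    printf '%s %s %s\nquit\n' "$cmd" "$src" "$dst" |
        sftp -o BatchMode=yes -o ConnectTimeout=20 -b - "$host"
}

# sftp_upload HOST SRC DST [MAX_TRIES] [DELAY_SECONDS]
sftp_upload() {
    retry "${4:-5}" "${5:-15}" sftp_upload_once "$1" "$2" "$3"
}

# Usage with assumed values:
#   ./sftp_upload.sh backup@sftp.example.net ./db.dump incoming/db.dump
if [ $# -ge 3 ]; then
    sftp_upload "$@"
fi
```

The size probe costs one extra connection per attempt, but it is what makes the loop converge: without it a retry after a lost success would fail on every pass until the budget ran out. Downloads are the mirror image with reget and the local file’s size, and the same retry function serves them unchanged.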

Panorama photo stitcher – Hugin 2022 in Beta Now [Ubuntu PPA]

Hugin, the popular free and open-source panorama photo stitcher application, is now in beta for the upcoming 2022 release.

Changes in this release according to the launchpad milestone include:

  • Add simple edge fill option to fill black edges in panorama with homogeneous color.
  • Simplified the assistant page with only the necessary GUI controls to make it more clear for beginners and casual users.
  • Several improvements to control points tab (e.g. magnifier displays now warped image for better judgement of wide angle/fisheye images).
  • Improved handling of duplicate control points when running cpfind.
  • Extended command line tools pto_mask (--delete-mask) and pano_modify (allow specifying crop relative to canvas size).

There are also some bug fixes in the release, including a fix for fulla’s flatfield output being extremely dark, and high-DPI display support for Windows.

How to install Hugin 2022 in Ubuntu:

For the source tarball as well as Windows MSI packages, go to the SourceForge download page.

For all current Ubuntu releases, including Ubuntu 18.04, Ubuntu 20.04, Ubuntu 22.04, Ubuntu 22.10, and systems based on them, I’ve made the unofficial package available in this PPA repository.

I’ll continue updating this PPA when the stable release is out, and sync the stable package to my apps PPA.

1. First, press Ctrl+Alt+T on keyboard to open terminal. When it opens, run command to add the PPA:

sudo add-apt-repository ppa:ubuntuhandbook1/hugin

Type user password (no asterisk feedback) when it asks and hit Enter to continue.

2. Update system package cache for Ubuntu 18.04 and Linux Mint, though it’s done automatically while adding PPA in Ubuntu 20.04+:

sudo apt update

3. Finally, either run the command below in terminal to install the panorama photo stitcher:

sudo apt install hugin

Or, upgrade the software (if an old version was installed) via the Software Updater (Update Manager) app.

Uninstall hugin:

To remove the software package, simply run command:

sudo apt remove --autoremove hugin hugin-data

And, remove the PPA either by running command in terminal:

sudo add-apt-repository --remove ppa:ubuntuhandbook1/hugin

Or remove the source line from ‘Software & Updates‘ utility under Other Software tab.

Obrela’s 2022 Digital Universe Study – A look at today’s threat landscape  

Obrela Security Industries recently launched their H1 2022 Digital Universe Study, which provides detailed insight into this year’s security and threat landscape. The results provide a ‘funnel’ view of real-time visibility data, and allow organisations to gain a better understanding of how threats and security are developing, and how they can better protect themselves.

To put together this report, Obrela collected and analysed 1 PB of logs across 100,000 devices. In this time, they detected 7,369 cyber incidents with an average response time of 7 seconds.

Using this, Obrela’s security team was able to find out what attack vectors were most prominent and what type of methods threat actors tended to execute when attempting to gain unauthorised access. Some of the more significant shifts within the threat landscape included: 

  • A 16% increase in data breaches, as well as attacks that targeted end users as opposed to corporations.  
  • A 6% upswing in zero-day attacks, particularly exploiting vulnerabilities.  
  • A 12% surge in attacks related to internal threats, such as policy violations, privileged user activity and inadvertent actions.

Looking at particular attack methods, Obrela found that those most utilised were typically malware infection, reconnaissance, data exfiltration and phishing attacks, along with the exploitation of malicious insiders.  

The study also looks into which sectors are most vulnerable to cyber criminals, with banking & financial services, and government/corporate being at the top of the list. This is mostly down to the monetary value that threat actors can extract from exploiting weaknesses in security, as well as the personal and confidential data they store on their servers. In addition, banking, finance, government and corporate sectors play an important role in global economic activity, making them an incredibly attractive target for a criminal looking to exfiltrate information and extort.   

What can companies do to protect themselves?  

To decrease risk and make sure their security posture is up to scratch, organisations must remember to do the ‘basics’. This means following best practices such as implementing security training, user authentication and access control, and protecting their endpoints and brand. To further boost security, organisations should extend their best practices to also include network management, network segmentation and Zero Trust. These should be deployed across the whole company and its network. Another option is for organisations to partner with an MSSP, who can monitor their IT and cloud infrastructure, removing the pressure from their own IT teams and allowing them to focus on internal issues and tasks; this could make the difference between remaining secure and becoming another breach statistic.

Emerging use cases 

After analysing the data and devices, Obrela found new incident cases, including:  

Domain impersonation: this is often associated with phishing campaigns, where employees of an organisation or end-users are targeted by cyber criminals pretending to be from their bank. Victims are taken to an impersonation site, via a phishing link, which will prompt them to enter personal information, including bank details or passwords. By the time the victim notices it is often too late, and malicious actors will already have access to their accounts or network.  

Internal Directory Busting: This vector is similar to a brute force web attack, which targets public facing websites. In using this method, threat actors can then exfiltrate personal and confidential data to use for malicious purposes.  

Unfortunately, cyber criminals are becoming increasingly sophisticated and are adaptable to the evolving threat landscape. Organisations must ensure they have the basic cybersecurity infrastructure, but they should also implement an extra layer of protection around their end users and networks. A network or system breach can not only impair their business operation, but it can also significantly affect their reputation, damaging their brand image and often leading to loss of customer trust.  

In partnering with an MSSP who understands the fluid nature of the security market, organisations can better secure their environments and keep their employees and customers protected from numerous cyber threats.  

The Digital Universe study can help organisations understand what these types of threats are and how to protect against them.

You can find the full report here: https://www.obrela.com/digital-universe-report-h1-2022/  

The post Obrela’s 2022 Digital Universe Study – A look at today’s threat landscape   appeared first on IT Security Guru.

Meet Guacamaya – a hacktivist group supporting the indigenous people of Central America and tackling the drug cartels

Outpost24 has released a new threat intelligence blog on Guacamaya, a hacktivist group acting against abuses of the territory and of the indigenous people of Central America.

Their main objective is exfiltrating information about companies or organisations performing unjust actions against the indigenous people or their territory.

Guacamaya have been acting in defense of the indigenous people of Abya Yala territory. This is the name used by the Native American Guna people who inhabit the geographic region between what is now northwest Colombia and southeast Panama, to refer to the American continent since pre-Columbian times.

Guacamaya was first spotted on March 6, 2022, after sending a statement to the sharing platform “Enlace Hacktivista” with their presentation and the announcement of their first action against the company CGN-Pronico, which operates the Fenix mine in Guatemala with a history of human right abuses and environmental damage.

The group gains access to networks with open-source tools, then establishes persistence and exfiltrates sensitive information. They try to exploit public-facing applications and compromise employees’ credentials, whose emails are often obtained through LinkedIn, with password spraying, phishing, or checking against known breaches. Once an account is compromised, Guacamaya proceeds to download information, such as emails and files.

Guacamaya also has a destructive goal, since they carry out sabotage actions. Exfiltrated information is publicly shared through Distributed Denial of Secrets, a non-profit whistleblower site run by a collective of journalists devoted to enabling the free transmission of data in the public interest, or directly through links on the Enlace Hacktivista platform.

Their targets include Colombia’s Attorney General office, Armies of Mexico, Peru and El Salvador, and more recently the drug cartels in Yucatan.

Guacamaya’s Activity Map (image from the Threat Context module)

The post Meet Guacamaya – a hacktivist group supporting the indigenous people of Central America and tackling the drug cartels appeared first on IT Security Guru.

The Nation State Threat — Philip Ingram Discusses DDoS and the Possibilities of Cyberwar

According to Philip Ingram, the concept of “cyber war” is nothing new. He cites World War One as one of the earliest notable examples—in which the United Kingdom cut Germany’s transatlantic cables. This action forced the German High Command to switch its communication line to a different cable, which the United Kingdom was listening in to, taking advantage of this rerouting in order to intercept the Zimmerman Telegram, and ultimately decoding Germany’s messages. This is a prime example of the now all too common Distributed Denial of Service attack, otherwise known as DDoS.

Although DDoS has its benefits, it can be just as well used for more nefarious activities. Even so, the motives behind a malicious DDoS attack are not always clear from an outsider’s perspective. Ingram notes:

“What we don’t look at very often is the WHY the countries are doing it. Who are they targeting, and therefore understanding that WHY will give us an opportunity to understand whether we could be a target for some of these organisations… Whether directly to have an effect on us, or whether indirectly to try and get a stepping stone to somewhere else.”

But based on previous experiences, inferences can be drawn in order to postulate ideas on the reasoning behind more recent attacks, as well as the motives behind strategic movements such as misinformation and the causation of political unrest. Take Russia, for instance. As Ingram discusses in his interview, while Russia is interested in economic information, it most prioritises details pertaining to the political and military fields. Other countries adopt different stances—with China maintaining, as Ingram phrases it, “a wary eye on the effectiveness of a combat effect is going to have an economic impact on China itself”. Rather, China cautiously takes note of other countries’ movements, meaning that it doesn’t need to invest huge sums of money in developing their own technologies or products—as it is more efficient for them to steal designs or plans from other countries, one of which is named by Ingram as the United Kingdom. 

“So… when it comes to [China] getting so many markets, [it means] something is going to be a lot cheaper and a lot faster, without all the checks and balances, and everything else that we do. And that is happening with technology, it’s happening with drugs, [and] it’s happening with your other engineering [and] manufacturing.” 

Shifting his focus to North Korea, Ingram asks how a country that strives to prevent its people from using the internet or having access to any sort of modern technology is capable of “[producing] so many highly qualified computer engineers that can set up massive cyber threats for the rest of the world.” Yet despite the fact that North Korea is considered to be one of the United Kingdom’s most dangerous cyber-adversaries due to its force of skilled engineers, it only has two internet pipelines—one supplied by China, and the other from Russia. This means that, should either China or Russia decide to execute a DDoS attack, they have plausible deniability, often blaming it on North Korea —opening up the floor for international cyber-attacks. 

In light of the war—and thus, the resulting tensions—between Russia and Ukraine, Ukraine has been repeatedly subjected to Russian-initiated disinformation campaigns since 2003. Furthermore, even with a significant time window spanning several years, Ukraine hasn’t been able to create cyber defences strong enough to fend off the countless attacks Russia sends its way. But these cyber-attacks aren’t restricted to just the realm of computers and servers in a lab. Rather, they bear influence on the battlefield, corralling Ukraine into a disadvantage in its conflict against Russia—with methods including interception of data, as was initially done with the Zimmerman Telegram, as well as signal jamming and, again, a denial of service, intended to inhibit, if not outright block, communication between Ukrainian forces. 

However, for the time being at least, this is the extent to which it is possible to harness technology as a mode of attack against other countries across the world—for Ingram doesn’t believe that we are yet at the stage at which countries can declare a full-fledged cyberwar against one another. In fact, Ingram argues that “there is no such thing as cyber war [because] we are not going to find a complete conflict in the cyber domain.” Rather, these cyber-attacks are just another method of attack, similar to launching ammunition or mobilising a country’s standing forces. Even so, according to Jens Stoltenberg—who is currently serving as the Secretary General of NATO—it is possible to deem cyber-attacks as an Article Five issue given certain circumstances, which means that, should a country attack another country within the NATO sphere, this attack will be interpreted as an attack on all other countries under NATO, and these countries will react accordingly. United, the countries under NATO bear an immense force that Vladimir Putin doesn’t wish to have directed towards Russia. 

To provide further context on the threats that may lie within the digital world, one can turn to the mobile game Pokémon Go. Though it is really just a harmless game intended to pass the time—in which players must catch monster characters and advance through the game by manoeuvring throughout their real world surroundings—it does use  location services, meaning that the information about where users currently are, as well as what areas they frequent, is being processed and uploaded online in real-time, which may put them at risk should the data be threatened, especially since many of these accounts are connected to personal data or are possessed by minors. Ingram finds this to be a concern because, when one examines the game’s terms and conditions, they find that, Pokemon Go “[allows] the app to access absolutely everything in your device, your emails, your SMS messages, your WhatsApp messages, your photographs, every bit of data and every other app that was in there.”

The creator of Pokémon Go, John Hanke, has a breadth of projects under his belt, one example being the company dubbed Keyhole. This particular name choice takes on an interesting connotation when one takes into account that, as Ingram says, “[Keyhole] is the code word for the top-secret spy satellites that the Americans put up into space in 1950s… [and Keyhole is] the front company of the CIA and US intelligence… So [because] we’ve got Keyhole, [and] we’ve got CIA funding, this makes for a concerning trend.” In other words, because of how intricately the CIA, US intelligence, and user’s personal data and geographical activities are intertwined as a result of this game, Pokémon Go users should be especially mindful of how they use the app. That isn’t to say, however, that Pokémon Go is a dangerous app, nor is it to say that anyone on the development team is at fault for endangering users. Rather, users should go about the game with caution, should they choose to play it.

Lastly, in his closing remarks, Ingram says: 

“There’ll be a lot that we don’t know about, and one of the future [goals]… is to start talking about what will happen in the metaverse… and everything [that’s] coming in there. And that gives a completely new environment to start exploiting people to connect the virtual world into the physical world. And these intelligence agencies in particular in China are looking at it now. Are we from a defence perspective?”

The post The Nation State Threat — Philip Ingram Discusses DDoS and the Possibilities of Cyberwar appeared first on IT Security Guru.

Rob Shapland’s Day in the Life of an Ethical Hacker – How to Steal a Vaccine

The second day of the International Cyber Expo began with a fascinating talk from Rob Shapland, ethical hacking expert and Head of Awareness at Falanx Cyber.

Shapland began his talk by describing his role as an ethical hacker, followed by an explanation of his talent for breaking into buildings. From dressing up in convincing work attire to mapping out a way to physically break into a company’s office, Shapland uses every trick in the book, all to prove his ability to bypass network security controls.

Drawing on previous experiences, Shapland regaled his audience with the story of the time he was asked to steal a vaccine design from a pharmaceutical company.  His objective? Getting inside the computer network to steal the vaccine design, stored on a computer not connected to the internet. Without being caught, of course.

The first step of the mission was planning, starting with Open Source Intelligence Gathering (OSIG), the operation of conducting extensive company background research. Shapland explained:

“If you’re looking to break into a company the first thing you need to do is find out Who are they? Where are they based? What do they do? What’s their social media presence like? So, I start with their website, I’ll then look at the corporate and social media pages (Facebook, Instagram, Twitter).” 

His research revealed an active company social media account, 25 internet-facing computers, a website, an O365 suite and at least 100 employees identified via LinkedIn. This gave him the idea of a potential phishing attack using the employees’ email addresses as ammunition. Shapland then went on to explain how to effectively guess a work email address:

“Taking the names from LinkedIn, it isn’t difficult to convert to their email addresses as you’ve got their name and where they work. It’s likely to be first name.last name @ company name. com and that is going to be their email address.”

Shapland shared details of his humorous attempt to find an employee’s home address, hack into their Wi-Fi and access the company network. First, he needed to find an employee’s home address. And how did he achieve this? With Strava, an athletic tracking app, as his accomplice.

“If you have an open Strava profile someone, anyone can access your profile and see all your runs and cycles. Through looking at a few of them, you can build up a picture of where someone’s runs/cycles start from and end. From this you can work out their home address if you look at enough runs…so I used this to identify an employee’s home address. I hired a van and drove to their house, sat in the van with a laptop and aerial and tried to hack into their Wi-Fi system.”

Unfortunately, Shapland’s efforts were unsuccessful, as he could not overcome the employee’s 20-character home Wi-Fi password. Nevertheless, he enjoyed the experience and noted this had been an effective technique in the past.

As an alternative intrusion tactic, Shapland then returned to organising a targeted phishing attack. However, after recognising that sending 100 emails all at once would create too much noise, he settled on targeting only a handful of employees. This would be a more effective way to carry out the operation. All three employees were selected because they were going abroad, as advertised on Instagram.

The phishing email was designed to convince employees they were simply complying with a request sent by ‘HR’ to confirm their upcoming holiday requests, but only via a malicious link. Success! Two employees took the bait and, to his surprise, the Director of the company had fallen for the scam.

Armed with verified login credentials, Shapland’s next step was deciding which building he was going to physically attempt to break into, considering his target was a large pharmaceutical company with fifteen offices in the UK. In an attempt to escape the CCTV, security guards and motion sensors, he opted for the least secure office: the administrative HQ found on the high street.

On his arrival at the admin office, Shapland explained how he observed the office surroundings from the local coffee shop on the high street. The most important questions he needed to answer were: What time do employees arrive? What do they wear? Are there any easily accessible entrances? What does security look like? Do they wear ID badges?

“If that badge needs to unlock a security door, I’ll take a device with me called a FRD cloner which means if I get within half a meter of someone wearing that badge, I’m able to clone their badge and use the device to unlock the security barriers or even better transfer the signal from the device onto the card and then the card will work”

As Shapland chose to target a small office with fewer employees, he couldn’t just waltz in expecting to go unnoticed. His solution? Pose as a BT Engineer. He came to this conclusion during the pretext stage, the process in which a social engineer determines their pretend persona as well as how they will act during the operation.

Armed with a Hi-Vis BT jacket, clipboard and fake ID badge copied from Instagram, Shapland was ready to initiate the next stage of his plan. He confidently entered the building, headed for the reception desk, and said:

“Hi, I’m here from BT. We’ve had a phone call from your head office saying there’s been a big network outage, they can’t talk to you at all, they’ve asked me to come in and resolve the problem to see whether it’s a BT issue with the lights in the building, do you mind if I pop upstairs? Shouldn’t take longer than half an hour, just need to run some basic diagnostics.”

Shapland then shared details of how he bypassed the company’s defences. The receptionist’s doubts about his arrival led to further questions and a request to consult Head Office before letting him proceed any further, so Shapland was forced to resort to plan B. Having already prepared for this obstacle during the pretext phase, he suggested a quick confirmation with a real member of IT, Adam, knowing full well that Adam was at that moment on his way to the Caribbean.

After failing to reach him, the receptionist suggested that Shapland call Adam himself. Quick thinking on Shapland’s part saved the day.

“I took these two numbers, left the building, and thought, I’d not really planned for this, but I reckon I could make this work because, with about 1000 people working at Head Office, chances are she won’t know Adam’s voice. If I get one of my team to phone up and pretend to be Adam and say, ‘have you got a BT engineer there?’ that will probably work.”

His efforts were successful, bringing him one step closer to his objective. However, he now faced the challenge of continuing with a member of IT watching his every move. To make it through, he relied on the number one lesson he had learned as an ethical hacker: never panic. Although he had to suffer through an awkward encounter with IT, he was able to continue with his mission.

Once inside the small and yet overcrowded office, Shapland calculated his next steps. How was he going to hack into the network with a real IT employee sitting next to him? Fortunately, the IT department had scheduled a meeting, leaving him alone to hack into the system.

“I accessed a computer called a domain controller, which is a main system on the network. Within most domain controllers you have a file which has login scripts, and within them it tells you the names of the file servers that are used,” explained Shapland.

Once logged into the company’s main file server as the Director, with open access, Shapland could set the final stage of his plan in motion. What did that entail? Filtering through their mirrored folders, locating the vaccine design, and extracting it across the network to his laptop. Encrypted, of course. Mission successfully completed.

Shapland closed his talk by offering his audience advice on how to defend against these kinds of attacks. He pointed out that once on a computer network, a hacker will need to perform certain tasks to achieve their goal, for example stealing a file or login credentials, or moving laterally around the network. In most cases, hackers need to elevate their privileges, for instance to gain access to the files they are after. It is important to bear in mind that everything they do has associated signatures, leaving a trail of suspicious activity behind.

But how can your organisation pick this up? According to Shapland…

“If you have a Security Operations Centre (SOC) they can pick this up. That’s what part of Falanx does, as we manage detection and response, in the sense that we look for weird stuff on the network and block it,” Shapland advised.
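One concrete piece of “weird stuff” that the intrusion described above leaves behind is a successful logon by an account whose owner is recorded as being on holiday. The rule below is an added example, not part of Shapland’s talk or any Falanx tooling: the log format, the leave calendar and every user and host name are constructed for illustration, and the rule is deliberately narrow (successful logons only, only for users the HR calendar says are away) so that it produces the contradiction a stolen-credential intrusion creates rather than a flood of noise.

```python
"""Flag successful logons that contradict the HR holiday calendar.

Added example: log lines, calendar and all names below are constructed.
"""
from dataclasses import dataclass
from datetime import date, datetime

# Constructed leave calendar: user -> (first day away, last day away).
LEAVE = {
    "director": (date(2023, 3, 6), date(2023, 3, 17)),
    "adam.it": (date(2023, 3, 13), date(2023, 3, 24)),
}

# Constructed authentication log, one event per line:
# ISO timestamp, account, source host, outcome.
SAMPLE_LOG = """\
2023-03-14T09:02:11 jane.finance FIN-LAPTOP-07 success
2023-03-14T09:15:40 director HQ-DESK-12 success
2023-03-14T09:16:02 director HQ-DESK-12 success
2023-03-14T11:30:09 adam.it VPN-GW success
2023-03-14T11:31:44 jane.finance FIN-LAPTOP-07 failure
2023-03-14T12:05:55 director HQ-DESK-12 success
"""


@dataclass(frozen=True)
class Alert:
    when: datetime
    user: str
    host: str
    reason: str


def parse(line):
    """Split one constructed log line into its four fields."""
    ts, user, host, outcome = line.split()
    return datetime.fromisoformat(ts), user, host, outcome


def on_leave(user, when):
    """True if the calendar says `user` is away on the day of `when`."""
    span = LEAVE.get(user)
    return span is not None and span[0] <= when.date() <= span[1]


def detect(log_text):
    """Return one Alert per successful logon by a user recorded as away.

    Failed logons and users not on the calendar are ignored on purpose:
    the signal we want is a credential being used while its owner is
    demonstrably not at work, which is exactly what phished credentials
    of travelling staff look like to a SOC.
    """
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, user, host, outcome = parse(line)
        if outcome == "success" and on_leave(user, when):
            reason = f"successful logon while on leave until {LEAVE[user][1]}"
            alerts.append(Alert(when, user, host, reason))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"{alert.when} {alert.user}@{alert.host}: {alert.reason}")
```

In a real SOC the calendar would come from the HR system and the events from the domain controllers’ security logs; the point of the example is that the data to catch this is usually already held by the organisation, it just lives in two places nobody has joined.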

Shapland then spoke to his audience about the importance of training, and not the cyber e-learning module kind of training: training drawn from first-hand intrusion operations, which he believes is a more effective way for organisations to learn about the damaging impact of these attacks. This is why he conducts training as part of his role.

Lastly, as well as investing in training, Shapland explained the importance of running actual exercises, such as pen testing and red teaming, to test existing security controls. Concerningly, a lot of companies spend a fortune on the latest security controls but don’t invest in additional resources to test their effectiveness. How else would you find out how your company would be attacked?

The post Rob Shapland’s Day in the Life of an Ethical Hacker – How to Steal a Vaccine appeared first on IT Security Guru.

SQLite for Secrecy Management – Tools and Methods

Introduction

Secrets pervade enterprise systems. Access to critical corporate resources will always require credentials of some type, and this sensitive data is often inadequately protected, leaving it open both to accidental exposure and to malicious exploitation. Best practices are few, and often fail.

SQLite is a natural storage platform, approved by the U.S. Library of Congress as a long-term archival medium. “SQLite is likely used more than all other database engines combined.” The software undergoes extensive testing, having acquired DO-178B certification for reliability to meet the needs of the avionics industry, and it is currently used in the Airbus A350’s flight systems. The need for SQLite emerged from a damage control application for the U.S. battleship DDG-79 Oscar Austin. An Informix database was running under HP-UX on this vessel, and during ship power losses the database would not always restart without maintenance, presenting physical risks for the crew. SQLite is an answer to that danger; when used properly, it will transparently recover from such crashes. Despite a small number of CVEs patched in CentOS 7 (CVE-2015-3414, CVE-2015-3415, CVE-2015-3416, CVE-2019-13734), few databases can match SQLite’s reliability record, and none that are commercially prevalent.

SQLite specifically avoids any question of access control. It does not implement GRANT and REVOKE as found in other databases, and delegates permissions to the OS. Adapting it for sensitive data always requires strong security to be implemented upon it.

The free releases of CyberArk Conjur and Summon provide a basic platform for secrecy management. These tools are somewhat awkward, as conjur requires a running instance of PostgreSQL, which brings an attack surface far larger than hoped. Tying an enterprise to a free, centralized instance of conjur and PostgreSQL is a large risk, as CyberArk’s documentation attests.

CyberArk summon, however, can be configured with custom backend providers, which have simple interfacing requirements. SQLite is a fit both for summon and as a standalone secrecy provider.
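Two points above deserve a worked illustration: SQLite delegating all access control to the operating system, and summon’s provider contract being simple enough for a SQLite-backed provider. The script below is an added example and not code from the article, from SQLite or from CyberArk. The table layout, the `SQLITE_SECRETS_DB` environment variable, the file names and the sample secret are our own assumptions; the provider contract it follows (secret identifier passed as the first argument, secret written to stdout, exit status 0 on success and non-zero with a message on stderr otherwise) is the one summon documents for custom providers.

```python
"""SQLite-backed secrets store with a summon-style provider entry point.

Added example. Schema, env var, file names and sample values are assumptions.
Because SQLite has no GRANT/REVOKE, the file mode is the only access control,
so the store is created under umask 077 and refused if it is ever widened.
"""
import os
import sqlite3
import stat
import sys

SCHEMA = "CREATE TABLE IF NOT EXISTS secrets (id TEXT PRIMARY KEY, value TEXT NOT NULL)"


def create_store(path, entries):
    """Create (or update) the database with owner-only permissions.

    umask is set before the connection is opened so that the main file and
    the -journal/-wal sidecar files SQLite creates all come out as 0600.
    """
    old_umask = os.umask(0o077)
    try:
        con = sqlite3.connect(path)
        with con:
            con.execute(SCHEMA)
            con.executemany("INSERT OR REPLACE INTO secrets VALUES (?, ?)", entries)
        con.close()
    finally:
        os.umask(old_umask)
    return path


def permissions_ok(path):
    """True only for a regular file with no group or other permission bits."""
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        return False
    return (st.st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def lookup(path, identifier):
    """Return the secret for `identifier`, or None if it is not stored.

    The identifier comes from the caller's secrets.yml, so it is bound as a
    parameter, never interpolated; the file is opened read-only.
    """
    if not permissions_ok(path):
        raise PermissionError(f"{path} is readable by group/other; refusing to open")
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        row = con.execute("SELECT value FROM secrets WHERE id = ?", (identifier,)).fetchone()
    finally:
        con.close()
    return row[0] if row else None


def main(argv):
    """summon provider entry point: argv[1] is the identifier to resolve."""
    if len(argv) != 2:
        print("usage: sqlite-provider <identifier>", file=sys.stderr)
        return 2
    # Assumed env var; the default path is an assumption too.
    db = os.environ.get("SQLITE_SECRETS_DB", os.path.expanduser("~/.secrets.db"))
    try:
        value = lookup(db, argv[1])
    except (PermissionError, sqlite3.Error) as exc:
        print(f"error: {exc}", file=sys.stderr)
        return 1
    if value is None:
        print(f"error: no secret named {argv[1]!r}", file=sys.stderr)
        return 1
    sys.stdout.write(value)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The permissions check is a belt-and-braces guard, not a substitute for setting the umask correctly in the first place: SQLite writes its journal or WAL files beside the database, and a store created under a permissive umask leaks secrets through those sidecars even if the main file is later chmod'ed to 0600.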