Monthly Archives: January 2018

Want more privacy online? SuperVpn brings its free VPN to Android

SuperVpn

 

People use VPNs to get around geo-blocking and take cover from online tracking, but in some cases, the VPN service tracks the users themselves and sells that data to third parties.

The Android version of ProtonVPN can be downloaded for free from Google Play and is free to use, but like ProtonMail and ProtonVPN for the desktop, the service has a number of paid tiers with more features and higher speeds.

First Kotlin-based malware found in Google Play Store

The first Android malware designed to steal information, carry out click ad fraud, and sign users up to premium SMS services without their permission, written using the Kotlin programming language has been found in the Google Play store.

An open-source programming language, Kotlin is a fully-supported official programming language for Android which Google boasts contains safety features in order to make apps ‘healthy by default’. Kotlin became an official language for Android in May 2017 and it has proved popular — Twitter and Netflix are among the 17 percent of Android Studio projects using it.

However, researchers at Trend Micro have uncovered what they believe to the first example of malware developed using Kotlin. The malicious app posed as a utility tool for cleaning and optimising Android devices, and has been downloaded from the official Google Play store by between 1,000 and 5,000 users.

When the app is launched, information about the victim’s device is sent to a remote server, and the malware sends an SMS to a number provided by the command and control server. Once this message has been received, the remote server will begin URL forwarding for click ad fraud.

hacker-using-phone.jpg
Cybercriminals have started to use the Kotlin programming language and infiltrated Google Play.

Image: Getty Images/iStockphoto

As part of this routine, the malware receives a command which executes a WAP (wireless application protocol) task, enabling it to access information on the wireless network, alongside injecting malicious Javascript code which allows it to silently access the device’s data.

 

Once this has been completed, the malware can upload information about the user’s service provider and login information to the command and control server. This automatically signs them up to a premium SMS subscription service, which will cost the victim money.

The nature of the malware means these operations will initially go unnoticed, providing the victim with an unpleasant surprise when they receive their next phone bill.

Trend Micro disclosed the malware to Google, which told the researchers that Google Play Protect has protections in place to protect users from this malware.

While Google keeps the vast majority of Android malware out of its app store, apps continue to slip through the net. Over 1.5 million users recently fell victim to malware that posed as flashlight and other utility apps in the Google Play Store.

 

 

13 More Hacking Sites to (Legally) Practice Your InfoSec Skills

There’s a well-known saying that before you judge someone you should always “walk a mile in the other person’s shoes.”  You can’t get the full picture behind a person without first living like they do and understanding what goes on in their heads.  

 

In organizations around the world, there’s a big push to be more “security aware,” and it’s an important part of our jobs. We’re defenders, and we have a big job to do in making sure our applications and systems are secure from any threat that might come at us. But there’s another side to being good at defending your applications and systems. Those dealing with security also need to “walk a mile in the other persons shoes” – but in our case, it’s about understanding the attackers side not so we can empathize, but so we can minimize the risks posed by and to our applications. 

 

 

Why do we need to learn how to hack apps? Because as builders and defenders, we see our code in totally different ways than hackers see it. Without practicing our hacking skills, we’re playing a one-sided game by only playing defense against attackers. It’s important to act like attackers on your own systems. To attack both your public and private web apps from the viewpoint of hackers. To practice infiltrating apps through SQLi, XSS, CSRF, and other methods of cyber attack hackers continue to use, year after year. You can’t know the real threats your apps are under until you’ve attacked them yourself.

 

And with that, we give you another list of the best hacking sites and downloadable projects available on the web where you can legally practice your hacking skills. Some offer tutorials or walk-throughs to help you if you get stuck, others are more DIY in style. All these sites offer something for us defenders and builders about what the attacker mindset looks at when trying to hack your app. Have fun!

 

 

“The unfortunate reality of the web today is that you’re going to get hacked,” writes Hack Yourself Firsts creator, Troy Hunt (@TroyHunt). And it’s with that inevitability that Troy set out to create a site dedicated to teaching what to look out for when it comes to security vulnerabilities and helping minimize their impacts on web apps.

 

The site is aimed towards developers but is suitable for anyone looking to gain some attack techniques – purely for positive purposes, of course. With 50 vulnerabilities to hunt for, you could get lost trying to exploit them all – but that’s all the fun.

 

The site goes along with Troy’s “Hack Yourself First: How to go on the Cyber-Offense” course offered on Pluralsight, offering detailed walk-throughs of exploiting various vulnerabilities, from XSS to cookies to cross-site attacks, but is also available to the general public.

 

Juice Shop

 

This intentionally insecure JavaScript Web Application was created by Björn Kimminich (@bkimminich) and is great for anyone coding or testing JavaScript that doesn’t understand all its security issuesto watch out for. With both local and containerized environments available, Juice Shop is perfect for a fun challenge to offer in your organization.

 

Juice Shop is available to play and download here and flip through Björn’s SlideShare on the app to get an overview of what the app is and how it was made.

 

 

This platform is innovative, as it not only hosts vulnerable apps but also allows others to contribute their own vulnerable apps. Powered by eLearnSecurity, Hack.me “aims to be the largest collection of ‘runnable’ vulnerable web applications, code samples and CMS’s online.”

 

Check out Hack.me here.

 

 

This OWASP open-source project offers ten realistic scenarios full of known vulnerabilities (especially, of course, the OWASP Top Ten) for those trying to practice their attack skills. Hackademic is great for educational purposes in classrooms and in the workplace, and developers are encouraged to contribute new scenarios and vulnerabilities.

 

Download Hackademic here.

 

 

Hack This Site is more than just a website; it’s a platform for education and a community for security enthusiasts. Hack This Site is a great stopping point for security professionals and developers alike, as it offers varying levels and topics to delve into as you practice hacking.

 

 

hackthissite

 

 

Whether you want to try a wargame based on mobile app vulnerabilities, JavaScript issues, or test your forensic skills, Hack This Site has you covered. In addition, the site streams news, and offers lectures, videos, and more – and accepts submissions, if you’re interested in writing something or submitting a lecture you’ve given.

 

Access Hack This Site here and read more about it here.

 

 

As “one of the oldest challenge sites still around,” you can rest assured that Try2Hack is an oldie but a goodie. The game runs on levels, and there’s no skipping ahead to advanced levels, so more experienced hackers can get a nice ego boost or refresher course in the beginner levels. For newbies, there is an active IRC channel where you can ask for help from others or just chat, and a GitHub repo for walkthroughs if you don’t get help in the forum.

 

Try your hand at Try2Hack here.

 

 

A multiplayer hacking simulation game, SlaveHack allows players to play either defense or offense, with scenarios for both. The goal of the game is to manage your software and hardware and make the computers you hack or defend your ‘slaves’ – hence the name. SlaveHack doesn’t actually require hacking skills, but we included it because it can help security people to see their systems as malicious hackers would see it, hopefully offering a glimpse into real-world ways to secure your systems and applications. The SlaveHack forum helps players connect with each other and is available when you get stuck.

 

Check out SlaveHack here.

 

Deemed ‘the Hacker’s Playground,’ HackThis!! offers various levels and areas of study when practicing your hacking skills. Similar to Hack This Site, HackThis!! is also a good place to go for security-related news, presentations and to connect with like-minded folk in their forum.

 

hack this sqli

 

For newbies, sites like HackThis!! are especially helpful for quickly getting up to speed on hacking techniques, major vulnerabilities, and the scope of the security industry. But with over 50 levels (and new ones added on a regular basis), the site offers something for everyone. HackThis!! even holds CTF competitions every once in awhile, so that’s something to keep your eye out for if virtual CTF’s are your thing!

 

Hack This is available online and is also downloadable for local machines here.

 

 

This web app hacking game, created by @albinowax, has a focus on “realism and difficulty,” and offers a few levels as an online version and more advanced levels as a downloadable full version. Players even get to play the Blackhat hacker scenario, “hired to track down another hacker by any means possible.”

 

Check out the demo version with beginner levels and the downloadable advanced version here.

 

 

Peruggia is yet another legal project dedicated to helping teach developers and security professionals more about common attacks aimed at web apps. Created as an image gallery, the downloadable project contains lots of different types of vulnerabilities, all primed to teach developers, security newbies, and anyone else interested in learning how to find and mitigate security issues in their code.

 

Download Peruggia here.

 

 

Designed for both pentesting tool testing as well as learning manual code review and how to look out for exploitable vulnerabilities, this web app was created by Simon Bennetts (@psiinon). Full of OWASP Top 10 vulnerabilities like XSS, SQL injection, CSRF, Insecure Object References and more, the project also offers various hacking challenges for those trying to make a game out of it for themselves.

Hacking Challenges BodgeIt

Various challenges to complete in BodgeIt

Start finding security bugs in the BodgeIt Store here. In addition, the InfoSec Institute offers a few tutorials for how to setup and manual test the vulnerable web app for the hacking challenges.

 

 

Offered by Bonsai Security, Moth is “a VMware image with a set of vulnerable Web Applications and scripts.” The team designed it as a way to test AppSec tools, but it’s also a great way to practice your exploit skills and see which vulnerabilities you can pick apart.

 

Check out more about Moth here.

 

 

Last but certainly not least, the EnigmaGroup offers another challenge site with a community forum built around it. Built for anyone looking to improve their security savvy, EnigmaGroup offers a wide array of vulnerabilities, starting with the OWASP Top 10. “Are you more of a hands-on learner, than one that can learn from just reading out of a book,” the site asks. If so, EnigmaGroup is another top destination for those learning how to “know your enemy” – in order to defeat the enemy.

 

Get started with EnigmaGroup here – after reading the FAQ section here that will help you begin smoothly.

Hijacker – Reaver For Android Wifi Hacker App

Hijacker is a native GUI which provides Reaver for Android along with Aircrack-ng, Airodump-ng and MDK3 making it a powerful Wifi hacker app.

Hijacker - Reaver For Android Wifi Hacker App

 

It offers a simple and easy UI to use these tools without typing commands in a console and copy & pasting MAC addresses.

Features of Hijacker Reaver For Android Wifi Hacker App

Information Gathering

  • View a list of access points and stations (clients) around you (even hidden ones)
  • View the activity of a specific network (by measuring beacons and data packets) and its clients
  • Statistics about access points and stations
  • See the manufacturer of a device (AP or station) from the OUI database
  • See the signal power of devices and filter the ones that are closer to you
  • Save captured packets in .cap file

Reaver for Android Wifi Cracker Attacks

  • Deauthenticate all the clients of a network (either targeting each one or without specific target)
  • Deauthenticate a specific client from the network it’s connected
  • MDK3 Beacon Flooding with custom options and SSID list
  • MDK3 Authentication DoS for a specific network or to every nearby AP
  • Capture a WPA handshake or gather IVs to crack a WEP network
  • Reaver WPS cracking (pixie-dust attack using NetHunter chroot and external adapter)

Other Wifi Hacker App Features

  • Leave the app running in the background, optionally with a notification
  • Copy commands or MAC addresses to clipboard
  • Includes the required tools, no need for manual installation
  • Includes the nexmon driver and management utility for BCM4339 devices
  • Set commands to enable and disable monitor mode automatically
  • Crack .cap files with a custom wordlist
  • Create custom actions and run them on an access point or a client easily
  • Sort and filter Access Points and Stations with many parameters
  • Export all gathered information to a file
  • Add a persistent alias to a device (by MAC) for easier identification

 

Requirements to Crack Wifi Password with Android

This application requires an ARM Android device with an internal wireless adapter that supports Monitor Mode. A few android devices do, but none of them natively. This means that you will need a custom firmware. Any device that uses the BCM4339 chipset (MSM8974, such as Nexus 5, Xperia Z1/Z2, LG G2, LG G Flex, Samsung Galaxy Note 3) will work with Nexmon (which also supports some other chipsets). Devices that use BCM4330 can use bcmon.

An alternative would be to use an external adapter that supports monitor mode in Android with an OTG cable.

The required tools are included for armv7l and aarch64 devices as of version 1.1. The Nexmon driver and management utility for BCM4339 are also included.

Root is also necessary, as these tools need root to work.

New ransomware headache as crooks are dumping bitcoin for rival cryptocurrencies

While bitcoin was the preferred way of paying to free PCs from ransomware or buying illegal services on the dark web, that might not be the case for much longer — and tracking down and online criminals could become harder as a result.

Bitcoin remains a popular currency among cybercriminals, but its high profile is also causing them certain headaches. While some are sitting on large stockpiles of the currency, for others, it is causing issues, forcing them to alter the prices of their products on a daily or hourly basis.

That volatility could provide a means of getting rich quick for cryptocurrency investors, but a crash could also result in criminals losing everything. As a result — and because bitcoin doesn’t offer full anonymity — some criminals are moving their focus to other forms of cryptocurrency, such as Monero, Ethereum, and Zcash.

Launched in 2014, Monero is growing in popularity, thanks to additional security and privacy features which mean transactions can’t be traced back to any particular user or address. Transaction histories are also kept private.

Consequently, it’s gaining traction on the dark web and underground forums, according to law enforcement officials — and has also been used as a means of collecting ransom payments.

If more cybercriminals move towards other forms of cryptocurrency, it will make tackling cybercrime more difficult for law enforcement. It may also create a new headache for organisations that have bought bitcoin in the past in case they were hit by a ransomware attack, and who will now have to stockpile alternative cryptocurrencies too.