Brand new website!

To subscribe to the blog for fortnightly newsletters and new blog updates, visit

https://lukewarmsecurityinfo.com/#/portal/signup. Or click the button below

Subscribe Now

What are cookies?

Cookies are small text files stored in your internet browser containing information intended to track user activity, generally aimed at improving your browsing experience. They can be created by the site you’re visiting (first-party cookies) or by other sites that own some of the content, like ads or images, you see on the webpage you’re visiting (third-party cookies).

These cookies are designed to track various things, thus, there are many different types of cookies. Some of these are listed below. Note, this is a basic classification, and it doesn’t necessarily adhere to a “standard.” Different websites may use different terms for these cookies, so it’s crucial to understand what you’re accepting.

Authentication Cookies

These cookies are used to track a user’s login session. This way, whenever a new page loads or the site refreshes, the user is still logged in - usually for a set maximum period of time. If you’ve ever logged into your email on the browser, logged off your computer, logged back into your computer several hours later, opened the browser and you’re still logged into your email - this is because there are authentication cookies being used to keep your login session.

For example, when you log into a school, work, or personal Microsoft account, you might be prompted with the option to “Stay logged in”. What this does is it saves the cookies in your browser to keep you from having to log into each new platform every time.

Session Cookies

Differing from authentication cookies, these are designed to track what you do and what is saved in your session. Rather than having the sole purpose of verifying you are who you say you are, like authentication cookies, session cookies track what you’ve saved or updated in your session to keep those changes for the duration of your session. These are erased when you close your browser.

Persistent Cookies

Unlike session cookies, persistent cookies remain in your browser until they are manually deleted or until they reach their set expiration date. These cookies often store preferences to enhance your browsing experience over time.

Tracking Cookies

Marketing teams employ tracking cookies to monitor which pages or products you browse, enabling them to produce targeted ads. However, this aspect of cookies can raise ethical questions. While it’s understandable for a company like Google to want to learn more about their customers to optimize advertising, this approach can sometimes blur ethical boundaries. It can feel akin to someone monitoring CCTV footage across all stores you visit to deduce your preferences.

Physical customer tracking has posed challenges for retailers in the past. Recent solutions include WiFi Analytics, which measures a customer’s phone’s WiFi signal strength to track their movements within the store.

Understanding the Role of Cookies in Privacy and Cybersecurity

Cookies can be exploited in several types of cyberattacks, such as cross-site scripting (XSS) or cross-site request forgery (CSRF). Therefore, understanding how to manage them is essential for safe browsing.

The use of cookies, particularly third-party cookies, can have a large impact on user privacy. Cookies can help companies build a profile of users’ internet behaviour, which can then be used for targeted advertising.

Legal Regulations Around Cookies

Various regulations worldwide, such as the General Data Protection Regulation (GDPR) in Europe, mandate companies to get users’ consent before using certain types of cookies. You’ve likely seen cookie banners on websites asking for your consent in compliance with these laws.

Are cookies necessary?

Certain cookies, like authentication cookies, are essential. However, while cookies generally aim to enhance your browsing experience, they also enable companies to track your activity to streamline their advertising strategies.

Do I have to allow cookies?

No. In security, we use the term of zero trust, or the principle of least privilege when deciding how to delegate access to certain files. For example, if you’re in the sales department, you’re not going to need access to the files in the operations department for your normal work, so we won’t give you access to it. This same principle should apply when companies ask for data or permission to track you (cookies).

How do I block cookies?

Websites typically prompt you to either “accept all” cookies, “reject all” cookies, or selectively accept/reject cookies. However, complying with these preferences depends on the website itself, so it does not always guarantee that cookies won’t be used.

Fortunately, privacy-focused browsers such as Brave, Firefox and Opera (to name a few) that either contain plugins that allow cookies to be blocked automatically, or have a built in option (like Brave).

TL;DR

Cookies are text files containing user information used for various purposes, ranging from authentication to tracking user activity. Cookies have significant implications for both user privacy and cybersecurity. Remember, you don’t always have to ‘accept all’ cookies when you visit a website and, as good privacy practice, it might be better to ‘reject all’ that you can.

View it on the website!

What are Traditional Firewalls?

Traditional firewalls are network security devices that are designed to monitor and control incoming and outgoing network traffic based on predefined rules. These rules can be based on items such as IP addresses, port numbers and protocols.

To better grasp the concept of IP Addresses, ports, and protocols, imagine a moving truck filled with boxes. The moving truck has a specific house that it’s going to (IP Address). It has boxes inside that are labelled, with each label representing a different room in the house (different ports). Each of these labels, however, might be written in a different language (protocol) that need to be handled by certain people who understand that language.

These firewalls can be hardware-based, software-based, or a combination of both, sitting between the outside world and your house - like a security guard, but for your network.

Without going too complex into the different features traditional firewalls can provide, but the primary one is packet filtering.

Packet filtering just means that it can allow or block network traffic (moving boxes) based on where it came from (source IP Address), what port number it’s using (which room it’s labelled for), and the protocol (which language the label is written in).

For example, a firewall could block all packets (boxes) sent from Joe’s house, who has an IP Address of 1.2.3.4, or it could block all boxes that are labelled to go into your office (port). More commonly you’ll find ports being blocked.

What are Next-Generation Firewalls (NGFWs)?

Next Generation Firewalls (NGFWs) are an advanced version of the traditional firewall with additional features such as intrusion prevention, application visibility and control, and advanced threat protection.

Unlike traditional firewalls that simply control access to network resources based on IP addresses and port numbers, NGFWs have the ability to identify and control applications, users, and content flowing through the network, providing a more granular level of security.

What are the components of a NGFW?

Below are SOME of the common components utilised in Next Generation Firewalls (NGFWs).

1. Application control

NGFWs can identify and control applications being used on devices on your home network; including blocking access.

2. Intrusion prevention

NGFWs can detect (Intrusion Detection System - IDS) and prevents (Intrusion Prevention System - IPS) potentially malicious internet traffic (boxes) based on certain patterns or indicators.

3. Threat intelligence

Gathering threat feeds and information from other sources allows NGFWs to stay up-to-date on the latest attacks, patterns and indicators to ensure that networks stay safe from any new malicious traffic (boxes).

TL;DR

Next Generation Firewalls (NGFWs) are advanced network security devices that are capable of conducting all traditional firewall tasks such as packet filtering, but also include features such as intrusion prevention, application visibility and control, and advanced threat protection (threat feeds, pattern and behaviour identification).

Overall, traditional firewalls are still an essential part of network security, but have limitations in dealing with advanced threats and the growing complexity of network traffic. This has led to the development of Next Generation Firewalls (NGFWs), which offer more advanced capabilities and provide a higher level of protection in this next generation of threats.

ChatGPT is an AI Large Language Model created by OpenAI that was released to the public on the 30th of November 2022.

Large Language Models are a type of Machine Learning Model, which is a subtype of Artificial Intelligence (AI). These models are designed to be able to read, make predictions from, and learn from data. Therefore, the more data available, the more accurate the results are.

There are many Machine Learning Models, of which Language Models are one of them. The “Large” simply refers to the scale and amount of data given to the Language Model.

When the data goes bad.

AI can only base it’s results on the data it’s been trained with. If an AI machine that generated images (instead of text, for example) was asked to print out a picture of a dumbbell without being told what a dumbbell is, it would have a difficult time generating one, and at the very least would generate one that likely looks nothing to how we would consider a dumbbell to look (probably some strange combination of two objects that contain the words “dumb” and “bell” in it).

Consider a case where the AI is presented with a large collection of images of dumbbells and it’s asked to generate an image of a dumbbell. Google’s DeepDream project did just that, and this was the result.

Why did this happen? Simple. The majority of the data supplied were likely images like the ones below.

What about bad data in ChatGPT?

Large Language Models like ChatGPT gather their data from text available on the internet in the forms of books, articles, websites and likely forums. What this can mean, in worst-case scenario, is that ChatGPT and other language models can be racist / sexist / discriminatory purely based on the data it reads in. This has been a big challenge for Language Models to master; how to detect and remove discriminatory views (not just language) from data.

The Echo Chamber.

Discriminatory language isn’t the only challenge that Large Language Models (LLM’s) face. Since LLM’s gather their data from internet sources, what is stopping a tool like ChatGPT from reading its own output that someone has pasted on the internet, adding itself to the pool of data, and reading what it learnt from itself as human output to influence how it understands humans to interact?

This probably doesn’t sound like that big of an issue since ChatGPT would likely have some way to detect whether or not the output was from itself, but what if there was another LLM? If that other LLM received output from ChatGPT as part of it’s data collection, then it would receive information filtered through the lens of ChatGPT which is built to simply summarise an answer to questions that the user prompts them with.

The issue of an echo chamber lies in the loop of LLM’s sending each other information.

It’s important to emphasise that these LLM’s dont “understand” language in the way that we do. They are coded to be able to read the data given to them and learn what a typical response to that question would be. ChatGPT and other LLM’s simply regurgitate and summarise information found on the internet.

The first call.

Given the simplicity of spamming the internet with repeated comments from bots (spend 5 minutes on twitter and you’ll understand what I mean), and the knowledge of locating the places in which information is obtained from the internet for these LLM’s, there’s the very real potential for ChatGPT or another LLM to respond to a user’s question with misinformation that poisoned its way into the data set. Since this (ChatGPT) would probably be a trusted resource, or with people posting the results of ChatGPT comments onto the internet, other LLM’s would likely be poisoned with the same misinformation - thus beginning the echo chamber.

How do we silence the echo?

There would be multiple ways, but two ways to stop misinformation from spreading like wildfire through ChatGPT or other LLM’s are listed below.

Blocking Invalid Data

This involves detecting whether or not the data being read is misinformation or valid information. The difficulty here lies in the ability to actually detect false information in a way that isn’t just by consensus (since this can be overrun by bots).

Blocking LLM output from being counted as data

Assuming that the LLM only wants to read human-generated input, a solution to this problem is already being put into active use with the primary goal being to detect whether a student actually did their work or got ChatGPT to do it for them.

GPTZero, created by Edward Tian, utilises the “perplexity” and “burstiness” of output generated by ChatGPT to determine whether or not it was written by a human. This will, however, likely be a cat and mouse game of ChatGPT generating output to avoid this detection, and then the GPTZero finding another way to detect AI output.

TLDR

ChatGPT is a very powerful tool that, if used improperly, can result in an echo chamber spreading misinformation. Data is powerful, good data can yield good results, but bad data can yield bad results. The work lies in figuring out what is bad data and blocking it so as to not poison these Machine Learning Models.

This is a very valid point.

If I had my VPN turned on ALL the time, then all of my traffic would be sent to a single point which, should that server be compromised or the owner of the server have bad intentions, it would mean that my data is compromised.

In a recent blog post about how VPNs work, I introduced some of the benefits of using a VPN. One of these points was the ability to access region-specific content. Although gaining their popularity through this beneficial aspect, VPNs are not the only way to access region-specific content.

Without diving too deep into a what a proxy is (I’ll explain it in a later post), it can be (for this case) be described as a VPN without the secure tunnel (unencrypted).

This then raises the question:

What role do VPNs play in privacy and security if we can access region-specific content other ways AND using a VPN introduces a single-source of failure?

It’s all about trust.

VPNs and their secure tunnels allow those on the same network as you (and everyone up the VPN server [including your ISP]) from viewing the data that you send (for example, your login details) and where you send that data (for example, which website). When using public WiFi, the biggest threat is an attacker or someone with a computer that’s been compromised (with a virus) on the same internet as you.

Diagram showing an attacker attempting to read data sent from a user with a VPN activated.

To understand this better, I’d recommend reading my previous post first which dives into what VPNs are and how they work.

One simple way to counter these threats would be to encrypt your data and hide where you’re sending it to; which is achieved with a VPN.

It seems to come down to protecting yourself from whatever is a bigger threat to your security and privacy.

Choosing the right VPN service is important. I’ll be releasing a blog soon about recommendations and what to look for when choosing a VPN service, but for now, my recommendation would be to look into ProtonVPN.

Recommendations

Public Wifi

If you’re using public wifi, then you should 100% use a VPN. There are many guides and proof of concept videos on the internet to show how easy it is for someone to access your unencrypted data on public wifi.

Home Network

If you’re using your hsome network, it’s actually recommended that you don’t use a VPN (unless it’s for region-specific content or you don’t trust the website you’re visiting). This is because of the concerns mentioned above about the single point of failure.

Mobile Data

If you’re using your mobile data / personal hotspot you probably don’t need to (although it might be good) practise to. While I’ve heard of security and privacy issues on mobile data (3G, 4G & 5G), I haven’t been able to find any proof of concepts or articles about this (in similar usage to public wifi hacking).

What are some examples of Multi-Factor Authentication?

Multi-Factor Authentication can come in many forms. Typically there’s a preference to call two forms of authentication (such as the example above) two-factor authentication (2FA). For the sake of simplicity, this blog will be referring to them as equivalent.

Since MFA is simply multiple forms of authentication, a better question would be to ask what are examples of authentication used as an extra step in the MFA process. Anyways, here’s a compiling some of the common ways MFA is implemented:

OTP (One Time Password)

These can be found in emails and text messages and are valid for only one login, expiring on use.

TOTP (Time-based One Time Password)

TOTPs are the pin codes that you’ll find in your authenticator apps (Google Authenticator, Authy, Microsoft Authenticator, etc.) that change every 30 seconds. These don’t expire on use but can be used multiple times within the 30-second time period

.

Verification from a trusted device

These are typical for platforms that have an application or similar and have a known trusted device. These platforms require the known device (such as your phone) to verify that it’s you logging in from a new computer.

Biometric Verification

While this is less common as secondary authentication, it is a means of authentication that can be and has been used alongside pins, passwords, and other forms of authentication.

Email Verification

Differing from OTP, it’s becoming increasingly common for the platform you’re using to send through a link to be opened to verify the login attempt. With phishing becoming more and more prevalent, it’s important to be wary of the links sent to us by email or other means.

Secret Question Verification

While it’s much less common nowadays, a typical way of authenticating someone’s identity was for them to answer questions they had previously answered; questions such as “What is your mother’s maiden name?” or “What is the name of your favourite pet?” etc.

Are all Multi-Factor Authentication methods equal?

No, not all authentication methods are equal. Certain methods, such as secret question verification and even OTP sent via text messages are weaker than other means such as TOTP or verification from a trusted device.

Hopefully, when required to set up MFA for your login, you are given the option of multiple means - whether that be by receiving a text message or by setting up a code-generator app. While both methods inevitably make your account harder to log into, it’s important that there’s a level of understanding of which method is better.

SMS text verification is notoriously simple to crack. KrebsOnSecurty released an article here describing a method used by some attackers to intercept SMS OTP codes. Forbes also released an article here describing the lack of security with these methods. With this in mind, one major takeaway is to avoid SMS verification and instead use TOTP (code-generator apps).

TLDR

Multi-Factor Authentication is simply a means of using multiple forms of authentication to verify a login of an account. These can come in the form of OTP, TOTP, emails, etc. It’s important to understand the differences in these implementations, but of note SMS verification (OTP) should be avoided, and instead, TOTP (code-generator apps) should be used.

How does antivirus protect my device?

Scanning

Scanning is typically in the form of a Full-System Scan or similar, where each file is hashed (like how passwords are hashed) and their hash output (fingerprint) is compared to a list of known bad hashes.

In less-technical terms, each file has a unique fingerprint. This fingerprint does not change unless the file contents change. It’s the equivalent of the antivirus software having a database of fingerprints of all the criminals, and then grabbing the fingerprint of every file. If the file’s fingerprint is in the database, then it’s flagged as a bad file (and sometimes deleted).

Blocking

Whenever a new file is downloaded, (sometimes) when a website is visited, or an external storage device is connected (like a USB), the antivirus scans the file/s to make sure that none of them have a bad fingerprint (hash value).

Even if the file’s fingerprint isn’t in the database, sometimes the file will still be flagged if it comes from a known bad website (server) or the filename is similar to known virus filenames.

What devices can get antivirus software?

All major operating systems (Windows, Mac, Linux, iOS etc.) have access to some form of antivirus software.

For some operating systems like iOS, however, the extent at which they can function is limited because of the inbuilt security features of these operating systems - basically, everything is run in it’s own isolated container.

This is good because it means that malicious applications can’t access your files (like photos) without access being explicitly given to them. But this also means that antivirus software can’t access everything it needs to to do deep scans of the device.

Deep Scans are essentially scans of all of the files found on the device.

Do I need antivirus software?

Yes.

Antivirus software is an essential security tool needed on your device. While there are inbuilt security components (like Windows Defender), these are not sufficient to properly protect your device.

Since antivirus is available on all devices, you should be getting antivirus on all of your devices - not just to protect the device that it’s on, but also to protect other devices.

Viruses are usually designed to target one specific operating system. With this, it’s somewhat common for someone on a Mac computer to download a Windows virus. The Windows virus might not infect their computer, but when they take their Mac to their friends house, it might infect their friend’s Windows computer. The Antivirus software would detect the Windows virus and delete it even if it isn’t infecting the Mac computer, inevitably protecting their friend’s Windows computer.

TLDR;

Antivirus is a type of software that scans for and blocks viruses on a device. They’re available on almost all operating systems and it’s highly recommended that everyone installs antivirus on ALL of their devices.

Bitdefender is currently the highest performing (as of November 2022) antivirus software (detection score). Kaspersky is also rated highly but is not recommended due to it’s ties with Russia, likely resulting in a lack of detection of Russian viruses. Check out https:// www.av-test.org/en/ for up-to-date antivirus software ratings.

What are the different types of Encryption Algorithms?

There are many different types of encryption algorithms that are used across the world. From how we access websites, to how E2EE apps’ messages are encrypted, even how we watch videos online, everything is encrypted.

These algorithms typically fall into one of two categories: symmetric or asymmetric, which are differentiatied by how the encryption and decryption keys are implemented, as well as how many keys are required.

Symmetric Encryption Algorithms

Symmetric Encryption algorithms are essentially where the same key that was used to encrypt the data is also used to decrypt the data. These sort of algorithms are used when encrypting hard drives, laptops, password managers etc. This is equivalent to a lock on a chest, where the one key is used to lock and unlock the chest (assuming there’s only one lock on the chest of course)

AES, DES and Triple DES are some common symmetric encryption algorithms. AES (Advanced Encryption Standard) was released in 1998 and supersedes DES (Data Encryption Standard) (first published in 1977) as the standard for symmetric encryption.

Of these symmetric encryption algorithms, there are two types of traditional ciphers known as substitution ciphers and transposition ciphers.

Substitution Ciphers

These are ciphers that have a one-to-one mapping of characters to an encoded character. A common example of this is a caesar cipher or ROT13, where each letter is mapped to another letter in the alphabet. For ROT13, all letters are mapped to the letter 13 characters away. The caesar cipher follows the same concept, but instead of the “rotation” being 13, it’s any arbituary value n which is the key

Example: The ciphertext “Yhxrjnez Frphevgl Vasb vf gur orfg!” would be decoded to “Lukewarm Security Info is the best!” (ROT13).

Transposition Ciphers

These are ciphers where the text is reordered without changing the characters themselves. Common examples of these include the “Rail Fence Cipher”, “Skytale” (similar to the Rail Fence Cipher), and “Route Cipher”.

Example: The above example would be written in ciphertext as “SED ERTOE CC”, being decoded to “SECRETCODE” (Rail Fence Cipher).

Asymmetric Encryption Algorithms

Asymmetric Encryption algorithms use different keys to encrypt and decrypt. The approach behind these is that one key is a public key (publicly known), and one is a private key (kept as a secret to just you). This type of encryption is used to encrypt messages to others, but also as a verification method for message receivers.

RSA (Rivest, Shamir, and Adleman - names after the three creators) is a commonly used asymmetric encryption algorithm found in many online tools such as HTTPS, E2EE Apps, SSH, and GitHub.

RSA Encryption Algorithm

The RSA Algorithm is a common public-key encryption algorithm that was created in 1977 and is still used today. With complex maths involved, it utilises the mathematics property where summing two numbers together is easy to do, but finding the two original numbers used to sum is much harder. For example, if the sum is 18, three possible values (or key pairs) would be

Imagine a post box. Anyone can put a letter in, (public) but only the person with a certain private key can unlock the box and view the letter. The hole in the box is synonymous to a public key that everyone has access to. The box, however, can only be unlocked and the messages read by the holder of the key.

TLDR;

Encryption algorithms are cryptographic algorithms that output a type of text known as ciphertext. This text needs to be unable to be understood (like hashing algorithms), but when passed through the same algorithm with the same (symmetric) or different (asymmetric) keys, it needs to be able to be understood again. There are two types of ways to encrypt data, these are symmetric algorithms which have one key to encrypt and decrypt the data, and asymmetric algorithms which have two keys; one to encrypt and one to decrypt.

End-to-End Encryption (E2EE) is a security implementation used to ensure that only the sender and receiver can view a message.

The equivalent would be sending a letter to your friend through the mail in a locked box that only you and your friend have a key for. The letter still needs to go through the post office to get to your friend, but the post office won’t be able to read the message.

Where is this used?

End-to-End Encryption is used in many online messaging platforms. The most notable of these platforms are Signal, Whatsapp, Threema, iMessage, and WeChat. It has become much more prominent recently with the rise of privacy demands among users, but the concept has been around for ages (HTTPS could be seen as a form of E2EE).

How is this implemented?

Typically, each device has its own decryption key. When sending a message, the text is first encrypted with a secret key that only the sender (you) and receiver know. Since each service uses some type of server to send the message (like a post office), the encrypted message is then sent to the server and forwarded to the receiver. When the message arrives at it’s destination, the device (end-point) decrypts the message with the key they have on their phone which produces human-readable (plaintext) content.

End-to-End Encryption means that even if that server is hacked and everything is leaked, the messages won’t be able to be read because only you and your friend can decrypt them.

Encryption is used in a number of different services. Most devices are encrypted and require your password to decrypt them for use. Encryption is similar to hashing, except it can be reversed if you know the secret that was used to encrypt it. There are a whole range of different forms of encryption which I’ll write a blog post about soon.

Are all E2EE messaging apps equal?

The short answer is no. There are a couple of things to consider when looking at End-to-End Encrypted messaging apps. Some obvious questions, surrounding the trustworthiness of the End-to-End Encryption practices in certain apps (is it truly End-to-End Encrypted?) are legitimate, but let’s assume that they are End-to-End Encrypted.

Note: The following is more of a comment on what other privacy practices are put in place with these End-to-End Encrypted messaging applications.

A “recently discovered FBI training document” released in this article from November 2021 contains a brief list of the information able to be obtained from different End-to-End Encrypted messaging platforms.

To summarise what the FBI can “legally” access (based on this image), Whatsapp, iMessage, and Line had message content that can be retrieved, even with End-to-End Encrypted communications. But how?

For these three mentioned, the way they obtained message content wasn’t to do with how E2EE was implemented or anything, but that the devices backed up the message content and encryption keys (for iMessage) to the cloud, which meant that they simply needed access to the cloud rather than cracking the encryption.

This raises a good point about security defence vs offence. Defenders have to block every point of entry for an attacker, whereas an attacker only needs one point of entry. For End-to-End Encryption, while the encryption methods and message exchange might be secure, if the phone (end-point) is insecure, then the easiest point of attack would be to spy on the phone after it has decrypted the messages.

With this, however, it’s important to note that even in this worst case, the attacker only has access to one device’s messages, not every message sent on the platform.

Takeaways

Use an End-to-End Encryption messaging app. Privacy and Security are important, and E2EE messaging apps are vital to ensuring that we have privacy when communicating to others.

In terms of which app to use - I’d personally recommend Signal. It’s got the best track record (that I know of), is highly praised among the security community, it’s free, and it’s popular - so you’ll likely find that many people that you know are already using it.

Here’s a video that might help explain End-to-End Encryption more:

An example form of phishing attack is the browser-in-the-browser attack, where an attacker mimics the authentication page for another service to try and get the unsuspecting user to supply them with login credentials.

There are multiple terms for variations of the typical email phishing, such as vishing (voice phishing) and smishing (SMS phishing) that all describe different avenues in which an attacker targets their victim.

Where does it come from?

Phone “freaks” and fishing for information.

Back when telephone hacking was big(ger) and the Captain Crunch whistle could give you a free phone call, a term was created to group the people who found “hacks” or ways to trick different technology - “phone freakers” or “phreaks”.

From here, “phreaks” were associated with those fishing for information or scamming others, hence the term “phishing”. We really do enjoy combining words.

Although phishing was originally born from an association with phone hacking, it’s more commonly found in email campaigns nowadays, with email being a more common means of communication.

What is Spear phishing?

Spear phishing is a targeted form of phishing. While phishing attacks are generally there to “pick the low-hanging fruit”, spear phishing attackers typically have more information about their target and adjust their message for that specific person. This could mean impersonating someone from inside their company, advertising a specific niche of hobbies that they might be into or attempting to exploit them when an aspect of their personal life is in jeopardy (i.e., financial pressures).

Phishing attacks are more typically a “spray” type of attack; where a large number of people are sent the same email to catch out the few who bite. Spear phishing attacks would typically be sent to a single person.

How do I protect myself?

The most common advice is to simply never click on links sent to you from someone you don’t know. If it leads to a page that you need to access, however, it’s much better to type the link into the URL bar yourself. Better yet, if you could find the same page by a quick search, locate it that way rather than clicking on the link.

Anyone can very easily pretend a link is going to one page when it’s in fact leading to another. Read more about how this works here: https://blog.lukewarmsecurityinfo.com/posts/phishing-links

Typically, if you hover over the link on your computer, the true link location will be shown in the bottom left of the browser window. This can be used as a method to verify that a link does indeed lead to where it’s saying it does.

Browser-in-the-browser attacks are an exception to this, which is explained more in-depth here.

What can we do better to protect others from phishing?

In my opinion, there’s no need to depend on links for access to (most) things anymore. The common uses of links in emails (that I can think of) are:

• Email Verification

• Filling in a questionnaire

• Viewing a specific page

• Verifying a new device

• Shared online files (Dropbox, Google Docs)

With all of these, there are simple workarounds to solve the requirement of a link existing. Almost all of these can be supplemented with providing the user some sort of one-time or persistent access key to view/locate the document, image or questionnaire.

For example, to access a dropbox file that’s available for public viewing, share the unique identifier of the file (that’s in the URL anyways) with a generic find your file search section for the user to supply the unique identifier. This eliminates the requirement for links in emails and still provides the user with access to the document. There are no extra security measures that providing a link will do that cannot be implemented another way.

We all know what privacy is, and I’m sure you’ve heard many times before how much online privacy matters. This blog post isn’t here to convince you to start to care about privacy. This is just to help you realise that privacy is something that you already care about and rely on but don’t realise the extent to which it is exploited online.

This blog is only part of a series and will continue to be updated. Privacy is vital, which has become even more evident with the recent data breaches.

When I speak with others about online privacy, and why it’s not much of a concern to them, these are some of the responses I receive.

I have nothing to hide.

Have you ever said anything to a friend that might be offensive if it’s taken out of context? Or shared something with your doctor that you’d rather not have everyone know about? Do you lock your front door, or have a password on your phone or email account?

If we truly have nothing to hide, then by all means send all of your login details for all of your accounts to my email address here and I’ll read through all of your texts, emails and post all that I find online for your friends, family, neighbours, bosses etc. to see. After all, if there’s nothing to hide, then this wouldn’t matter, right?

In reality, all of us have certain things we’d rather not share with the entire world. This is why privacy is important.

Privacy and Secrets are not the same. While you might want to keep your secrets private (kind of core to it being a secret), some things require privacy. For example, when you go to your room to get dressed, it’s clear that you’re getting dressed, that’s not a secret, but typically you’d want some form of privacy with this. It’s probably safe to assume that (as fully grown adults) we wouldn’t want to get completely dressed and undressed in front of our grandparents… right?

They already know everything anyway.

This, being one of the most common arguments for why not to bother about privacy, is wrong. An important view to have when it comes to companies having your data is perspective; if you stopped sharing everything online today, then in 10 years, their data on you is much less relevant. Even if 90% of your life has been shared on social media up to this point, it doesn’t mean that the rest of your life needs to be shared.

Just because you’ve always eaten sugar, that doesn’t mean you always have to eat sugar. Similarly with online privacy, just because you’ve always posted everything online, it doesn’t mean that you need to continue to do so.

All in all, online privacy is comparable to “see it to believe it”, in that if we can’t directly see the consequences of it, we don’t fully comprehend the extent of it. If someone was physically standing there watching us all the time, then we would (most likely) feel quite uncomfortable about that, but when it comes to online, most of us are ok with people watching everything we do there; because we can’t physically see them watching us.

Recommended Follow-up

Below is a recording of a TED Talk by Glenn Greenwalk titled “Why Privacy Matters”. This is a phenomenal talk that looks into why privacy matters. I’d highly recommend watching this video to learn more about why privacy matters, and how it’s something we already all take into consideration; but just forget about when it comes to being online.

Most of you would have heard of the word ransom before, or to ‘demand a ransom’ – typically to pay for the release of a captive. Ransomware is the cyber version of that.

Historically it has been where a hacker unleashed a type of malware (computer virus) onto a victim’s computer that encrypts all of their files and data. The hacker then demands some sort of payment for them to decrypt the computer and allow the victim to access their files again.

Encrypting is a method of scrambling some form of text or data in a certain way so that it cannot be understood by a reader. Decrypting is unscrambling that text or data so that it can be understood. The different methods of scrambling data are known as encryption algorithms.

What do I do if I’ve been ‘Ransomwared’?

The advice given to people when they’re in this type of situation is to never pay the ransom.

Why?

1. The attacker might not give you a decryption key.

2. Even if the key works, it’s likely that you won’t get a full file recovery.

3. By paying the ransom, it’s funding the ransomware business. If ransomware attacks don’t lead to payments, then they won’t become a viable method of obtaining money which would (hopefully) lead to them not being used anymore.

Fortunately, there are several resources online that have publicly available decryption keys for different types of ransomware.

Decryption Keys are passwords or some type of secret that the decryption algorithm needs to correctly unscramble to text/data.

One example of this is a tool known as Crypto Sheriff which allows the user to type in the information provided to you in the ransom note, and searches their database for known decryption keys.

The other solution would be to restore from a previous backup. While this could lead to some type of data loss, depending on how long ago your last backup was; which leads into…

How do I prevent / prepare for a Ransomware attack?

BackupsThese are by far the greatest ‘counter’ to a ransomware attack, since the threat of not being able to access important files is made redundant.

It’s always good practice to keep multiple backups, including an offline backup, which is one that’s not connected to your company network so that the backups too won’t be encrypted.

Update / Patch Devices

Patching known vulnerabilities is always going to be one of the easiest and best security measures you can take for your devices. Leaving devices and software out of date is like leaving your house, knowing that the front door is broken and anyone can just walk in.

Antivirus

A lot of basic ransomware or other forms of computer viruses can be stopped with antivirus software. I’ll be writing a blog post looking into different antivirus software soon, but the recommendations for now would be to look into Bitdefender and to STAY AWAY from Kaspersky (Russian Antivirus Software).

Social Engineering Education

One of the most common avenues for ransomware to get into a company or home network is by a user clicking on a malicious link - typically from an email. Phishing is a type of Social Engineering attack in which the attacker pretends to offer something, or be someone else to try in an attempt to get the target to click on a link or download a file. I’ll be posting a blog about phishing soon.

Phishing attacks are typically a general spray attack in which an attacker sends an email out to a whole bunch of people and hopes for a response back from some of them. Spearphishing is a more targeted version of this.

Zero trust model (businesses)

Employee training and knowledge will always be vital in protecting your organisation, but no one is perfect, and even the most trained person who’s constantly on the lookout can be tricked. This is why it’s important to adopt something like the Zero Trust Model.

In short, this is basically where each user only had access to what they need to access. This can help restrict a ransomware attack to only the files that a specific user has access to which, under this model, would hopefully not be all of the company files.

Encrypting your files

To be clear, I don’t mean encrypting all of your files if you don’t need to, but for those with important information, it could be nice to add a little extra protection. Why this might be important will become more evident below.

How has Ransomware evolved?

Unfortunately, with the world becoming smarter in how they counter ransomware attacks by simply restoring from a backup, attackers have had to come up with new ways to keep the money rolling in.

Origami Evolution

One of these ways was an added element of leaking company data in a ransomware attack. What this means, is that typical attacks (on companies at least) would encrypt all of their files as well as threaten to leak those files (potentially classified) to the public internet, typically if the ransom isn’t paid within a time frame.

With this, there’s also usually the threat of “Do not contact the police or we will leak your company information” which (and fair enough) adds a lot more pressure on companies to pay the ransom.

How do we counter this evolved version?

Some of the measures mentioned above such as Backups, Zero Trust Model, and Encrypting your files can all be viable solutions to limit the damage caused by a ransomware attack. With the time frames though, it’s vital that a plan is in place to deal with this type of situation. While some companies have money set aside for ransom payments, having a cyber security company / branch on your incident response plan is vital, not just to protect your data, but also for possible legal repercussions afterwards.

TLDR;

To summarise, ransomware is a type of computer virus that encrypts your files and demands that you send money to the attacker to gain access to your files and to stop them from leaking your data to the public internet. The advice given on what to do if you are the victim of a ransomware attack is to not pay the ransom. There are several steps you can take to mitigate the damage caused by a ransomware attack, and steps you can take to prevent a ransomware attack in general, since most are caused by opportunity, rather than being targeted.

When looking around at cyber security concepts, one term that is used often is hashed password or to hash something. What this is, in a basic overview, is a one-way encrypted version of something.

Diagram showing plaintext and hashed text

Plaintext describes text that is human readable / understandable, such as (hopefully) this blog post, or the word “password”.
Hashed describes text that has gone through a hashing function and is typically a little less human readable, such as 5f4dcc3b5aa765d61d8327deb882cf99.

What is a hashing function?

Hashing functions (or hashing algorithms) are functions that take some type of data, run it through a series of complex mathematical steps, and spit out a result that looks like a weird string of letters and numbers.

Some of the most common hash functions include SHA256, SHA512, MD5 and many others.

Hash functions, however, are much more complex than just taking in data and spitting out a result. There are several rules that a hash function must live by for it to be used / counted as a hash function.

These rules / attributes a hash function must have are:

• Repeatable

• Unique

• Unpredictable

• Irreversible

• Consistent

What do these rules/attributes mean?

RepeatableThe repeatable attribute means that every time the same text is hashed with that hash function, it gets the same result. This should be the same result, independent of the time of day, computer hardware, operating system etc.

For example, if I run the plaintext “password” through the MD5 hashing algorithm, it should always produce the result 5f4dcc3b5aa765d61d8327deb882cf99.

UniqueHash results must all be unique, meaning that (to the best of their ability), there should ideally only be one input to produce that result.

Since it’s mathematically impossible to only have one input for each possible output (there are an infinite number of possible inputs and a finite number of possible outputs), as long as another input that produces the same output (collision value) cannot be predicted/ calculated, this is ok.

Having multiple inputs that produce the same hash output is called a hash collision.

UnpredictableHash results should not be able to be calculated or predictable, meaning that there should be no correlation between the hash of password1 and password2 for example.IrreversibleIt should not be possible to find the original input of a hash function based on its output. In essence, this should be a one-way encryption, and should not be able to be decrypted / reversed.

Note: Rainbow Tables are not decrypting / reversing the input since it only shows a possible input for the same output

A common way for someone to find the reverse of a hash output is through what is known as a Rainbow Table. These are databases or tables filled with various inputs, and their corresponding hash outputs.
To try this for yourself, paste in 5f4dcc3b5aa765d61d8327deb882cf99 into your search engine, and you should be able to find the result quite quickly.
(Hint: It’s the MD5 hash for “password”)

ConsistentThis is more about the output of a hash, while it should be repeatable, ALL hash outputs should be the same length. This is part of the unpredictable nature of a hash, ensuring that all hash outputs are just as difficult to crack as each other.

All hashes have their own Fixed-length Output. For example, the MD5 hash has a fixed-length output of 128 bits (or 32 hexadecimal digits). Also, all hex outputs are in hexadecimal digits, meaning that they are a combination of (lowercase OR UPPERCASE) letters and numbers.

Where are hashed passwords used?

Hashed passwords (ideally) are used whenever a website or server stores your password for login. What happens, is that when you register for a website, the website takes a hash of the password you typed in, and then stores that in their database, next to your username.

Why?If a website / company gets hacked (for example), the attackers can only grab the hashed passwords, meaning they don’t know what the actual password was (irreversible attribute).

Since one of the attributes of a hashed password is that it’s repeatable, every time we type in our password to the website to log in, the password that we typed in is hashed the same way as it was originally, and compared to what is stored on the websites database. If they match (uniqueness attribute saves us here), then the user entered the correct password, if they don’t, then their password was incorrect.

How do we secure a hashed password even further?

With Rainbow Tables and the like threatening the irreversible nature of hashed password, security engineers have become creative in their attempts to counter these tables, namely with salt and pepper.

Salt and Pepper

SaltA Salt (not the edible kind) is a random string of characters added to the start/end of a users password before it’s hashed. For example, if I registered an account on a website, and typed in my password as “password”, the website would take that password, add (for example) “supersecretcodethatwasrandomlygenerated” to the start of it (so the password being hashed is “supersecretcodethatwasrandomlygeneratedpassword”), and then they hash that new password and store it in the database.

Then, whenever someone tries to log into that account, they type in their password, the Salt is added to the start of it, and then it’s compared to the hash in the database.

Salt’s are typically consistent across all users, meaning that typically a website would use one randomly generated salt on all passwords.

PepperPepper (again, not the edible kind) is similar to a salt, and works the same way, except it only applies to one user, meaning that each user would have a different pepper.

Typically, these are stored on a database, near username and hashed password, and are added to the password before it’s hashed as well as the salt.

First of all, if you’re still considering whether or not to use a password manager - you should. Check out my blog giving a brief overview of some of the benefits of using a password manager here.

What to consider

When choosing a password manager, there are some things to consider:

• What are the capabilities? (i.e., MFA Code Generation, Random Password Generation, Generating Backups, Password Sharing etc.)

• What is the support like? (i.e., Is it community-driven? Are there resources online if I get stuck?)

• What are the costs? (Can I trial the software if there is a cost?)

• Personal or Business use?

• What platforms are their apps available on? (i.e., iOS, Mac, Windows, Linux, Android, Browser)

TLDRFor those starting out with a password manager, I would suggest trying 1Password. While it is paid, it’s quite cheap at $2.99 USD/month. It has many user-friendly features such as password recovery and travel mode, and has lots of online support available if you get stuck.

Summaries

Bitwarden

Bitwarden Logo

Best Open-Source Password Manager.

Bitwardenis an open-source (their source code is available for anyone to view / scrutinise) password manager with Free, Premium and Family packages for Personal use, as well as options for Business use.

• MFA Integration

• Password Generation

• Simple Import / Export

• Password Sharing

• Free option

• Cloud-Sync

• Cross-Platform

  • iOS/Android

  • Windows/Mac/Linux

  • Web-Application

1Password

1Password Logo

Best for Mac & Best for Families.

1Passwordis a cross-platform password manager with Individual and Family paid options available (14 day free trial) for Personal use, as well as business options. 1Password provides a strong support base, with user-friendly features. 1Password was originally built for Mac.

• MFA Integration

• Password Generation

• Simple Import / Export

• Password Sharing

• Free option

• Cloud-Sync

• Cross-Platform

  • iOS/Android

  • Windows/Mac/Linux

  • Web-Application

LastPass

LastPass Logo

Best for browser use.

LastPassis a freemium password manager, storing passwords online. Lastpass was recently involved in a data breach, leaking some of their source code and other information, but remains to be a popular password manager. It is known for it’s good customer support and ease-of-use.

• MFA Integration

• Password Generation

• Simple Import / Export

• Password Sharing

• Free option

• Cloud-Sync

• Cross-Platform

  • iOS/Android

  • Windows/Mac/Linux

  • Web-Application

Dashlane

Dashlane Logo

Best for password security.

Dashlaneis a french-based company that launched its password manager in 2009. One of the benefits of Dashlane is the Dark Web Monitoring, which allows users to ensure that their passwords haven’t been leaked online.

• MFA Integration

• Password Generation

• Simple Import / Export

• Password Sharing

• Free option

• Cloud-Sync

• Cross-Platform

  • iOS/Android

  • Windows/Mac/Linux

  • Web-Application

Keeper

Keeper Logo

Best for businesses.

Keeperwas rated by pcmag as their top password manager for 2022. The pros mentioned here include full password / file history, secure password sharing features, good user-interface as well as a wide variate of record type templates for storing all of your data in a secure place.

• MFA Integration

• Password Generation

• Simple Import / Export

• Password Sharing

• Free option

• Cloud-Sync

• Cross-Platform

  • iOS/Android

  • Windows/Mac/Linux

  • Web-Application

KeePassXC

KeePassXC Logo

Best choice for Linux & Most secure.

KeePassXCis a freely available, offline password manager that is local to a device (it’s not connected to any servers). This was ranked as most secure due to the range of authentication methods that can be added in order to gain access to the database, as well as it being fully offline, meaning that there’s no risk of a company data breach leaking the master password for your password manager.

• MFA Integration

• Password Generation

• Simple Import / Export

• Password Sharing

• Free option

• Cloud-Sync

• Cross-Platform

  • iOS/Android

  • Windows/Mac/Linux

  • Web-Application

What are in-app browsers?

Mobile applications such as Facebook, Instagram, Snapchat, Facebook Messenger, Discord and (more recently in the news) TikTok have their own in-app browsers that allow users to open links in a browser from within the application.

In-app browser, put simply, are inbuilt browsers that are used to open links while inside a mobile app. For example, if you’ve ever clicked on a link inside Facebook Messenger, you’ll notice that there’s a small pop-up that comes up with the website - this is their inbuilt browser.

Facebook Messenger’s In-App Browser

Why are these insecure?

Internet 2.0 recently released an analysis into the TikTok in-app browser, noting how when websites are loaded inside this in-app browser, pages are injected with malicious javascript before displaying it to the user that is used to track the users activity across their browsing session.

What this meant was that whenever a user clicked on a link from within the app, and the in-app browser was opened, anything that the user did to interact with the webpage, whether that be purchase a ticket (inputting credit card details), visiting a shopping site, reading a blog post etc. was all recorded and sent back to TikTok.

Not all in-app browsers inject malicious javascript into the pages, but it’s safer to assume that what we do inside an in-app browser is being tracked.

How do I protect myself?

The simplest way to protect against these possible privacy issues is to open the link in your browser, rather than within the app itself. This can be done by either copy and pasting the link into your browser, or (once opened within the in-app browser) there is typically an option to open the link in your default browser.

Opening the link in your default browser

While not all in-app browsers are there with malicious intent, it’s always better to take these small security measures to ensure that your data, credit card details and activity aren’t being tracked or recorded.

How can I detect if my activity is being recorded?

Twitter user @KrauseFx linked an online tool used in the investigation of the TikTok in-app browser called InAppBrowser.com that allows anyone to check what data is being recorded by the in-app browser, by analysing the javascript injected into the website.

InAppBrowser.com analysis of common in-app browsers

Keep in mind, this tool only detects some of the common /known ways that in-app browsers track user data. Even if the tool doesn’t detect any tracking javascript, it doesn’t mean that you’re not being tracked.

For more information, view the original blog announcement of this tool by KrauseFx here.

While a sticky note or your memory might keep track of all of the passwords that you’re using, more likely than not, you’re reusing the same passwords more than once, which can pose a major security risk to yourself

Password managers are a simple and secure way of holding all of your passwords, and making sure that all of your accounts are secure online.

Why should I use a password manager?

Easier to manage

The most obvious answer as to why you should use a password manager is that it’s easier to manage your passwords… it’s in the name. You can view all of your unique passwords from one place, without having to remember any of them.

Securing all of your accounts

One of the major security risks in personal security is the reuse of passwords. The reason for this, is that if that password gets leaked, then every login with that password is open to being breached.

My passwords won’t be leaked because I keep them in a secure place!

The majority of times, password leaks are not your fault at all. Most of these happen when a company is hacked and the user passwords (or password hashes) are released to the public.

With a password manager (and proper use), however, if the worst-case scenario happens of one of your passwords being leaked, then you’ll have to change just the one site that uses that password.

What are the best practices of using a password manager?

With all of your passwords being held in one place, we need to make sure that that one place is secure. To do this:

• Make sure that your master password is unique, strong and not used before.

• Secure your password manager login with Multi-Factor Authentication (MFA).

• Regularly backup your passwords. Most password managers have the option of exporting the database. Make sure these are offline backups, such as a USB in a safe.

Make sure that your Master Password (the one used to access your password manager) is secure and not used before. Losing this could mean losing all of your passwords. It’s best to write this one down…

To make best use of the password manager and to make sure that you’re as secure online as possible:

• Make sure all of your passwords are randomly generated using a combination of UPPERCASE, lowercase, numb3rs and $ymbols, as well as being at least 12 characters in length.

• Organise your passwords so that they’re easier to find…

What password manager should I use?

Check out my Recommended Password Managers for a list of recommended password managers.

Put simply, what a VPN means is that every time you send a request to load a page, or download a file, the request first gets sent to the VPN server and then to the website.

How does a VPN protect me?

Since all of your internet traffic is being sent first to a VPN server, and then to the website that you visit, this means that all the website thinks, is all of the traffic is coming from the VPN server. What this means, therefore, is that the VPN server hides your computer from the website, giving you privacy.

The security aspect of a VPN comes from how your requests are sent to the VPN server. When your computer first connects to the VPN server, it establishes a secure tunnel for all of the requests to be sent through, which means that all of your traffic is encrypted with a secret key that only your computer and the VPN server know - which is never reused again.

Since everything you send / receive is being passed through a VPN server, this will mean that your internet connection will be slower. It depends on where the VPN server is, as well as the quality of the server on how much slower it could be.

What does a VPN provide?

From a high overview, VPN’s provide privacy and security, but what does that mean and what are some other benefits?

Access to region-specific content

With the privacy features of a VPN, and since all of your traffic looks like it’s coming from the VPN server, if your VPN server is located in a different country (for example, United States of America), all of your web traffic to websites looks like it’s coming from within that country. What this means is that if there is content that is only accessible for computers inside that country, you’ll be able to access it since all of your traffic looks like it’s coming from within that country.

Secure Browsing

Certain online activities such as online banking need to stay secure. With a VPN, since your traffic is encrypted between the user and the VPN server in an extra layer of encryption, this means that anyone connected to the same internet connection as you, won’t be able to decrypt or view the information you are sending over the internet. While it’s still not great to use public wifi, this means that even public wifi would be secured enough to use it for online banking.

Hiding your IP address

With all of your requests going through a VPN server, the website that you’re visiting thinks that the computer sending the requests is the VPN server. Therefore, if you were to check your IP address when connected to a VPN server, it would be the IP address of the VPN server, not your computer, which means that a VPN server hides your IP address when online.

When should I use a VPN?

Typically, it’s safe to not use a VPN on your home networks - since they’re generally private anyways, but it depends on what you’re wanting a VPN for.

It’s recommended that VPN’s are used all of the time when travelling overseas.

If you want a VPN just to stay more secure online, then use a VPN whenever you’re connected to publicly accessible wifi. This could be at work, at the airport, at school etc. It’s also recommended that you use a VPN when you’re on your mobile data.

If you want a VPN for better privacy online, then use a VPN all the time - on your home wifi, on publicly accessible wifi, mobile data and other private networks.

A computer worm is a type of self-contained malware that replicates itself and spreads laterally (across computers in the same network) throughout a network without the need to call back to a command and control centre (a server that gives it instructions on what to do).

What this means, is that it’s not controlled by any particular server and that once released, it cannot be stopped since it automatically duplicates itself and attempts to infect all other computers on the network.

There are, however, like anything, cases where this isn’t the case and a callback server is required for the worm to do it’s damage. An example of this is a virus called WannaCry which, while still able to spread across computers, lays dormant as long as the domain iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea. com is registered.

The domain iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com is currently ‘Sinkholed’ (to hand out illegitimate routes to certain domains - can be used to capture unwanted traffic, to disable a botnet, for example) by Kryptos Logic.

What is the Morris Worm?

The morris worm, being considered as the first major attack on the Internet, was first unleashed on the evening on November 2, 1988 from a computer at MIT (Massachusets Institute of Technology).

Designed to exploit multiple backdoors on specific Unix devices and to stay hidden, it hit 10% (6 000) of the internet within the first 24 hours. It worked similar to a DOS (Denial-of-service), in that it was designed to hog resources from the computer until it shuts down.

The specific exploits it would run were vulnerabilities in Unix Sendmail, finger and rsh/exec, as well as brute-forcing login credentials on the targets computer; based on their username.

How did it work?

How the Morris worm would work is:

First, check if the Morris worm is already running on the target computer.

The worm was capable of infecting a computer up to 7 times. Why seven? This was to stop someone from spawning a fake Morris worm instance in an attempt to stop the worm from infecting the computer.

Second, attempt to spread to another computer on the network, through exploiting a known vulnerability, or guessing weak passwords.

Once the targets computer was infected by the worm too many (7) times, it would run out of computing resources required to work properly, and begin to malfunction.

Who created it?

Robert Tappan Morris had designed the worm as a learning project, that soon spun out of control.

While there are questions are the original motives of the worms creation, he knew the importance of covering his tracks - which was evident in how he hacked into an MIT Computer to launch the attack.

This worm led to the first conviction under the newly introduced 1986 Computer Fraud and Abuse Act and left Morris with a fine and 400 hours of Community Service.

Additional Resources / Further Reading

• FBI News Release

• Deeper look into Morris Worm

• Analysis of the Morris Worm

• Decomposed Source Code

A browser in a browser attack put simply is a phishing technique that allows an attacker to spawn a pop-up window in the user’s browser that appears to link to a legitimate website. It’s primarily used to mimic legitimate third-party authentication methods in an attempt to steal login credentials.

Phishing is a type of social engineering where an attacker would typically send the target some form of email claiming to be someone else, or promoting some sort of website with a malicious link.

Where is this exploited?

Many online services nowadays allow you to log in with another service. As an example, a website like Canva allows you to log in or ‘continue’ with a range of services such as Google, Facebook, Apple, Microsoft and Clever, as well as the typical email login.

When any of these are clicked, a small pop-up window appears with the login page for whatever service you decided to use.

These authentication pop-up windows are what attackers use for a BITB attack.

How do they do this?

For an attacker to make a convincing phishing page, they need at least one of the following, but typically both:

1. The webpage must look the same.

2. The URL must look the same, or be so similar that someone would miss the mistake.

URL Example: twiter.com vs twitter.com or facebook.com vs focebook.com

Convincing Webpage

It’s quite simple for an attacker (or anyone) to replicate a webpage. Anyone can view the source code of a webpage by right-clicking on their mouse and clicking ‘View page source’. Since the source code contains everything that makes the website look the way it does, someone simply needs to copy and paste this to a new website, make a few small adjustments, and then they have an identical looking webpage.

The source code is like the blueprint of a house that comes with the walls, doors, windows and roof all installed. Browsers read the source code and render the page to look the way it does, which is why copy and pasting the source code would give you (almost) the same result.
Almost, because sometimes things like the font or certain images don’t load properly and require the source code to be adjusted slightly.

Convincing URL?

Getting the url to look like the real url has been one of the biggest issues attackers have faced when it comes to phishing.

Many social media companies, such as Facebook or Instagram would typically own / have purchased (or even banned the purchase) of many similar domains in order to decrease these sort of attacks.

There have been multiple different avenues over the years such as using a domain name that looks similar to the original, using the actual website to link to another page (a url redirect), or more recently where attackers used a special character in the url so that when the url was read by the browser, it was read backwards.

What this meant was that a url like google.com/k9d8K3j/yl.tib would be read by the browser as bit.ly/j3K8d9k/moc.elgoog which could lead to something more malicious than google.

With this attack, however, while the actual URL is not the same as the original, with some javascript code, an attacker is able to make the URL look like it’s the same as the original website.

How do you spot the difference?

BITB attack browsers are not genuine browsers (like actual authentication pop-up windows are), they are simple HTML code that someone has built to try and look like a browser pop-up. With this, they have certain limitations that a genuine browser doesn’t have.

The usual tactic of hovering over the link to see the URL at the bottom corner will not work as a verification method.

One of these limitations is that the fake browser can’t be moved around outside of the browser window, or over the address bar. With that, here are some things you can do to test whether or not it’s a genuine authentication pop-up.

1. Can you move it off the webpage?

   • i.e. Onto a separate screen, over the URL bar at the top of your browser.

2. (If you’re tech savvy) Check the source code.

   • Are scripts being rendered from the authentication webpage (i.e. Facebook or Google)? Or from the website that you’re visiting (i.e. Canva)?

If the images are being rendered from the external website that you are authenticating your account from (such as logging into Facebook and the images are rendered from facebook.com), this is GOOD. If they are rendered from the website you’re visiting (such as Canva), this is BAD.