Phishing Techniques

Phishing is the method used to steal personal information through spamming or other deceptive means. There are a number of different phishing techniques used to obtain personal information from users. As technology becomes more advanced, the phishing techniques being used are also more advanced. To prevent Internet phishing, users should have knowledge of various types of phishing techniques and they should also be aware of anti-phishing techniques to protect themselves from getting phished. Let’s look at some of these phishing techniques.

Email / Spam

Phishers may send the same email to millions of users, requesting them to fill in personal details. These details will be used by the phishers for their illegal activities. Phishing with email and spam is a very common phishing scam. Most of the messages have an urgent note which requires the user to enter credentials to update account information, change details, and verify accounts. Sometimes, they may be asked to fill out a form to access a new service through a link which is provided in the email.

Web Based Delivery

Web based delivery is one of the most sophisticated phishing techniques. Also known as a “man-in-the-middle” attack, it places the phisher between the original website and the user, with the phishing system relaying traffic in both directions. The phisher records details during a transaction between the legitimate website and the user. As the user continues to pass information, it is gathered by the phisher without the user knowing about it.

Instant Messaging

Instant messaging is the method in which the user receives a message with a link directing them to a fake phishing website which has the same look and feel as the legitimate website. If the user doesn’t look at the URL, it may be hard to tell the difference between the fake and legitimate websites. Then, the user is asked to provide personal information on the page.

Trojan Hosts

Trojan hosts are hidden programs planted by attackers that try to log into the user’s account and collect credentials from the local machine. The acquired information is then transmitted to phishers.

Link Manipulation

Link manipulation is the technique in which the phisher sends a link to a website. When the user clicks on the deceptive link, it opens up the phisher’s website instead of the website mentioned in the link. One of the anti-phishing techniques used to prevent link manipulation is to move the mouse over the link to view the actual address.
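Hovering over a link is the manual version of a check that mail gateways and security awareness tooling automate: compare the address a link displays with the address it actually points to. The following Python script is an added example, not part of the original post; it parses a constructed HTML e-mail body (the hostnames are reserved example names) and flags anchors whose visible text looks like a URL but whose href leads to a different host. Comparing only the last two DNS labels is an assumption made here to keep the example short; a production check would use a public-suffix list.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of an HTML e-mail body; the hostnames are reserved
# example names, not real sites.
SAMPLE_EMAIL = """
<p>Your account needs verification.</p>
<a href="https://login.examp1e-bank.test/verify">https://www.example-bank.test/account</a>
<a href="https://www.example-bank.test/help">Help center</a>
<a href="https://example-bank.test/news">example-bank.test/news</a>
<a href="http://198.51.100.7/login">https://example-bank.test/login</a>
"""

# Visible text that a reader would take for a web address.
URL_LIKE = re.compile(r"(?i)(https?://)?[a-z0-9.-]+\.[a-z]{2,}(/\S*)?")


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_host(url):
    """Last two DNS labels of the URL's host, lowercased (assumption: a crude
    stand-in for a public-suffix lookup, enough to compare two links)."""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def find_deceptive_links(html):
    """Return (visible text, real href) for anchors whose visible text looks
    like a URL but points at a different host than the href does."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        if URL_LIKE.fullmatch(text) and registrable_host(text) != registrable_host(href):
            findings.append((text, href))
    return findings


if __name__ == "__main__":
    for text, href in find_deceptive_links(SAMPLE_EMAIL):
        print(f"shown: {text}\n  real: {href}")
```

Anchors whose text is ordinary prose (“Help center”) are not flagged, because nothing is being misrepresented; the two findings in the sample are the look-alike domain with a digit “1” for the letter “l” and the raw IP address hidden behind a bank URL.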

Key Loggers

Key loggers refer to malware used to capture input from the keyboard. The captured information is sent to the hackers, who extract passwords and other types of information from it. To prevent key loggers from capturing personal information, secure websites provide the option of entering data by mouse click on an on-screen (virtual) keyboard.

Session Hacking

In session hacking, the phisher exploits the web session control mechanism to steal information from the user. In a simple session hacking procedure known as session sniffing, the phisher can use a sniffer to intercept relevant information so that he or she can access the Web server illegally.

System Reconfiguration

Phishers may send a message whereby the user is asked to reconfigure the settings of the computer. The message may come from a web address which resembles a reliable source.

Content Injection

Content injection is the technique where the phisher changes a part of the content on the page of a reliable website. This is done to mislead the user to go to a page outside the legitimate website where the user is asked to enter personal information.

Phishing through Search Engines

Some phishing scams involve search engines, where the user is directed to product sites which may offer low-cost products or services. When the user tries to buy the product by entering credit card details, they are collected by the phishing site. There are many fake bank websites offering credit cards or loans to users at a low rate, but they are actually phishing sites.

Phone Phishing

In phone phishing, the phisher makes phone calls to the user and asks the user to dial a number. The purpose is to get personal information of the bank account through the phone. Phone phishing is mostly done with a fake caller ID.

Malware Phishing

Phishing scams involving malware require it to be run on the user’s computer. The malware is usually attached to, or linked from, the email sent to the user by the phishers. Once the user opens the attachment or clicks the link, the malware starts running. Sometimes the malware may also be bundled with downloadable files.

Phishers take advantage of the vulnerability of web security services to gain sensitive information which is used for fraudulent purposes. This is why it’s always a good idea to learn about the various phishing techniques, including phishing with Trojans and Spyware.


Banks push for tokenization standard to secure credit card payments

Tokenization addresses gaps in EMV smartcard standard, says industry group

A group representing 22 of the world’s largest banks is pushing for broad adoption in the U.S. of payment card technology called tokenization, citing shortcomings in the planned migration to the Europay MasterCard Visa (EMV) smartcard standard over the next two years.

The Clearing House Payments Company (TCH), whose owners include Bank of America, Citibank, Capital One and JP Morgan Chase, is working with member banks to see how tokenization can be applied to online and mobile payment environments to protect against fraud.

The effort stems from what the group says is the need to address gaps in the EMV standard involving mobile and online transactions.

“EMV has been out there for close to 20 years” and has served its purpose well, said Dave Fortney, senior vice president, product development and management for The Clearing House.

Debit and credit cards based on the EMV technology use an embedded microchip, instead of a magnetic stripe, to store data and are considered almost impossible to clone for fraudulent purposes. Though the rest of the world moved to the technology years ago, the U.S. has lagged behind for a variety of reasons.

However, after the recent Target breach that exposed data on 40 million debit and credit cards, calls to adopt the standard in the U.S. have become more strident. MasterCard and Visa have said they want merchants and banks to be ready to start accepting EMV cards by October 2015.

While the planned migration has its benefits, EMV is not quite the panacea that many assume it is, Fortney said. “The downside with EMV is that it was created when there was no Internet, no online commerce, no smartphones and no tablets.”

While EMV is great for securing card transactions at point-of-sale terminals, it is less useful for online payments and other card-not-present transactions. That is one of the major reasons why payment card fraud has migrated from point-of-sale systems to online channels in Europe and other places that have already adopted EMV.

Payment card tokenization is one way to address this gap, Fortney noted.

Tokenization is a method for protecting card data by substituting a card’s Primary Account Number (PAN) with a unique, randomly generated sequence of numbers, alphanumeric characters, or a combination of a truncated PAN and a random alphanumeric sequence.

The token is usually the same length and format as the original PAN, so it appears no different than a standard payment card number to back-end transaction processing systems, applications and storage.

The random sequence, or “token,” acts as a substitute value for the actual PAN while the data is at rest inside a retailer’s systems. The token can be reversed to its true associated PAN value at any time with the right decryption keys. Tokens can be either single use tokens or multi-use tokens.

Tokenization eliminates the need for merchants, e-commerce sites and operators of mobile wallets to store sensitive payment card data on their networks, said Fortney.

With tokenization, credit and debit card data is encrypted at the point where it is captured and sent to the merchant’s payment processor where the data is decrypted and the transaction is authorized. The processor then issues a token representing the entire transaction back to the retailer while the actual card number itself is securely stored in a virtual vault.

The retailer can use the token to keep track of the transaction and handle refunds, returns, exchanges and other transactions. The token itself would be of little value to data thieves because there would be no way to link the token back to the PAN without the decryption key.

Customers would do nothing different when paying for purchases using a credit or debit card. The card data is encrypted when the card is swiped through the payment terminal, sent to the processor where it is decrypted for transaction approval processes, and a token issued to the merchant all without the customer experiencing anything different.

Tokenization can also be implemented on-premise with the merchant itself hosting the server that does the decryption and token issuance.
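To make the mechanism described above concrete, here is an added Python example (not code from the article, The Clearing House, or any vendor) of a minimal token vault. It issues multi-use tokens with the same length and all-digit format as the PAN, so that downstream systems accept them unchanged, while the mapping back to the PAN lives only inside the vault. Two details are assumptions of this example rather than statements from the article: the last four digits are preserved (common for receipts), and tokens are generated so that they fail the Luhn check, so a token can never be mistaken for a real card number. The PAN used is a well-known test number, not a live card.

```python
import secrets


def luhn_ok(digits):
    """Luhn check that real card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Constructed in-memory stand-in for the processor's token vault.
    Only this object can map a token back to its PAN."""

    KEEP_LAST = 4  # assumption: last four digits are preserved for receipts

    def __init__(self):
        self._token_to_pan = {}
        self._pan_to_token = {}

    def tokenize(self, pan):
        """Return a multi-use token: same length and all-digit format as the
        PAN, but random, unrelated to the PAN, and failing the Luhn check
        (assumption) so it can never pass as a real card number."""
        pan = pan.replace(" ", "")
        if not pan.isdigit() or not luhn_ok(pan):
            raise ValueError("not a well-formed PAN")
        if pan in self._pan_to_token:  # multi-use: same PAN, same token
            return self._pan_to_token[pan]
        tail = pan[-self.KEEP_LAST:]
        while True:
            head = "".join(secrets.choice("0123456789")
                           for _ in range(len(pan) - self.KEEP_LAST))
            token = head + tail
            if token != pan and token not in self._token_to_pan and not luhn_ok(token):
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token):
        """Reverse a token; raises KeyError for anything the vault never issued."""
        return self._token_to_pan[token]


if __name__ == "__main__":
    vault = TokenVault()
    token = vault.tokenize("4111 1111 1111 1111")  # well-known test PAN
    print("merchant stores:", token)
    print("vault resolves :", vault.detokenize(token))
```

A merchant system that stores only `token` has nothing for a data thief to reverse: without the vault’s mapping table there is no computation that recovers the PAN, which is the property the article credits for shrinking PCI scope.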

Tokenization also offers a great way to secure emerging mobile payment applications, Fortney said. A mobile wallet operator like PayPal or Google could use the approach to store one-time use tokens in a consumer’s virtual wallet rather than actual credit and debit card numbers. Consumers could use the tokens to make purchases like they would with an actual payment card while merchants would be able to complete a transaction without touching or storing actual PAN data, he said.

One major advantage with tokenization is that it does not require merchants to make major changes to their current payment acceptance systems, like EMV does, Fortney said. Tokens are formatted in the same manner as card information so merchants have to make relatively minimal changes to their payment systems, he said.

The real heavy lifting would happen at the banks, or other entities that store PAN data, generate tokens and keep track of them through the entire transaction chain.

Tokenization is not new. The Payment Card Industry Security Council, which administers a set of security standards for payment systems, recommends it as an approach for reducing the work that companies have to do to become PCI compliant.

A growing number of retailers already use tokenization as a way to reduce PCI scope, and several vendors sell tokenization products and services.

The Clearing House effort is aimed at fostering standards that everyone in the payment industry can use to implement tokenization in a consistent manner, Fortney said. “Our desire is to have an open standard across the whole industry,” he said.

The Clearing House is not the only organization looking at tokenization.

Following the Target breach, EMVCo, an entity owned by American Express, MasterCard, Visa and three other credit card brands, also announced plans to develop a tokenization standard for securing credit and debit card payments made via mobile handsets, tablet computers and online channels.

EMVCo did not respond to multiple Computerworld requests for comment on their effort. But a press release from January said the new specification would complement the existing EMV smartcard specifications that all merchants and banks are required to migrate to by the end of next year.

EMVCo’s specification will describe a “consistent approach to identify and verify the valid use of a token during payment processing including authorization, capture, clearing and settlement,” the statement noted.

The biggest benefit with tokenization is that it helps merchants remove payment card numbers from systems that don’t need it, said Terence Spies, chief technology officer at Voltage Security, a provider of encryption and other data masking technologies.

Since tokenization is done in a central way, only a small portion of the network knows how to generate and reverse a token. As a result, it is easier for banks and other third parties to protect that process, Spies said. He is also chairman of the cryptographic tools group at the X9 standards body responsible for developing cryptographic standards for the financial services industry.

Like EMVCo and The Clearing House, the X9 standards body is working on developing tokenization standards for the U.S. payment industry, Spies said. The X9 effort is focused on developing standard definitions for tokenization and for the processes for generating and validating tokens, he said. “There’s a lot of energy being put into getting tokenization right,” Spies said.

(http://www.computerworld.com/article/2487635/data-security/banks-push-for-tokenization-standard-to-secure-credit-card-payments.html)


Hollywood movies and computers…

Hacking is an art for some, for some it’s fun, and for some it’s serious tech stuff. For many people, hacking a small email account is hacking, and for some, taking down a nation is hacking. For me, it’s knowledge, and it’s safeguarding yourself from potential intruders. Normally, hacking is social engineering, and if you landed here to watch some awesome movies on hacking, you must be aware of what social engineering is. Anyway, the movies listed below don’t teach you how to hack, but they are good enough to inspire and motivate you.

I don’t say they are all the best ones, but they are certainly at the top of the hacking movie list, and maybe you can add some from your own collection. This list is not in any particular order, and feel free to suggest and recommend more movies that inspired you.

1. Hackers (1995):

Hackers became a complete series, named Hackers 1, Hackers 2 and so on. We will start with my favourite, “Hackers”. The main attraction of this movie is the cyber-war between Acid Burn, i.e., Angelina Jolie, and Zero Cool, played by Jonny Lee Miller. The villain might look funny in his approach, and this is not something for a serious hacker. The movie got an average rating, but it is worth watching.
If you want to know how hackers use their social engineering skills to get sensitive details related to your hardware, this movie will not disappoint you.

2. Antitrust (2001):

A computer programmer’s dream job at a hot Portland-based firm turns nightmarish when he discovers his boss has a secret and ruthless means of dispatching anti-trust problems.

3. The Net (1995):

Identity theft is not new to the online world of hacking. This movie is about Angela, a computer geek who lives a very low-profile life, and shows her struggle to get her online identity back. Probably an eye-opener for many who wonder how it is possible to completely wipe out someone’s identity and create a new one.

4. Pirates of Silicon Valley (1999):

This is a documentary movie about the birth of desktop computing, a complete saga from the 1970s to 1997. It narrates the real events of this period between Microsoft (Bill Gates) and Apple (Steve Jobs). Again, not really a movie on hacking, but worth watching for everyone. After all, hacking is all about spirit and knowing the basics, and our basic is the computer.

5. Takedown (2000):

Kevin David Mitnick currently works as an American computer security consultant. This movie is about his life and how a hacker turned into the country’s computer security counselor. To add to the surprise, when Kevin was arrested for his cyber-crimes, he was on the list of most wanted cyber criminals.

6. WarGames (1983):

An Academy Award-winning movie about a young hacker who by mistake initiates a nuclear warhead launch, possibly the start of World War III. Somehow I didn’t enjoy watching this movie much, but many of my friends liked it and recommended adding it to this list.

7. Swordfish (2001):

Talking about hacking, how can we forget John Travolta’s Swordfish, which shows his intelligence and a master plan to steal billions of dollars from U.S. soil without getting caught.

8. Live Free or Die Hard (2007):

This movie is about the complete takedown of a country by an attack on its grids. Here the villain, Gabriel, plans to take down the last piece of data containing all the financial transaction records for the country. It was a well-planned attack, and at one point you will be amazed by the pattern of the attack. Though it’s more of a Bruce Willis action sequel, it is worth watching.

9. The Matrix (1999):

This movie is about “Neo”, a computer hacker who learns from mysterious rebels about the true nature of his reality and his role in the war against its controllers. You might consider watching the whole Matrix trilogy, as without the sequels this movie is incomplete.

10. Untraceable (2008):

I saw this movie last week and liked its concept. The movie features the gorgeous Diane Lane. It shows how a website, http://www.killwithme.com, which streams live torturous killings, becomes a hit, and how Diane’s character ends up finding the killer.

11. Sneakers (1992):

A group of computer hackers parleys their skills into a career, testing the security of computer systems by deliberately trying to break into them. They get entangled in a complex plot involving the National Security Agency and the Mafia.

12. The Social Network (2010):

Needless to say, it’s not a hacking movie, but I’m sure that, talking about hacking, you might want to know how Facebook came into existence and why there are so many controversies around it. You might even change your perception of Mark Zuckerberg. It’s the complete story of how a Harvard student started a simple site to compare girls and how he arrived at the idea of Facebook. A complete journey of Facebook, which every geek should watch.


Microsoft May Soon Replace Internet Explorer With a New Web Browser?

Microsoft’s Windows 10 operating system will debut with an entirely new web browser code-named Spartan, according to a report citing anonymous sources.

ZDNet’s Mary Jo Foley reports that this new browser is a departure from Internet Explorer, the Microsoft browser whose relevance has waned in recent years. According to Foley, it will be a “lightweight” browser that looks and feels more like the Google Chrome and Mozilla Firefox browsers. But her sources also indicate that Spartan will be offered alongside IE when Windows 10 debuts next year.

With Mozilla Firefox and Google Chrome grabbing so much of the desktop market—and Apple Safari, Google Chrome, and Google’s Android browser dominating the mobile market—Internet Explorer is no longer the force it once was. There was a time when it handled over 90 percent of all web traffic on desktop and laptop machines, but according to research outfit Net Applications, its share has now dropped to 58 percent. On mobile, its share is about 2 percent.

Spartan attempts to address both these markets, according to Foley. Windows 10 is designed to run across a wide range of devices, and according to Foley, the new browser will be available on phones and tablets as well as laptops and desktops. It’s unclear whether Spartan will run on Android, Apple’s iOS, and other operating systems that compete with Windows, but Foley says there’s a chance it will.

Under new CEO Satya Nadella, the company realizes that, in the modern world, its software must run on more than just Windows. In March, Microsoft revealed a new version of Microsoft Office for the Apple iPad. In November, it debuted free versions of Word, Excel, and PowerPoint for the iPhone. And earlier this month, the company acquired the mobile email startup Acompli, an email client compatible with both the iOS and Android mobile operating systems.

Maybe with this news the IE jokes are going to disappear?


WhatsApp Voice-Call

A few weeks ago, WhatsApp’s Call feature made a small appearance for a few users, but at the time almost no one was able to trigger it reliably and keep it activated. The company appears to have flipped a few switches in its servers and the function is confirmed to work for those running version 2.11.528 from the Play Store, or 2.11.531 from WhatsApp’s website (also uploaded to APKMirror).

A few users have emailed us reporting getting the function activated over the past hours, and I just got mine up and running after receiving a call from Clinton (who got it from another friend, and so on). So as you are suspecting, the “invite” or, more accurately, the trigger that enables the feature has to be the reception of a call from someone who already has it. (Or maybe this terminal trick still works, I’m not sure.) Once that happens, WhatsApp’s UI switches (either immediately or after you exit and reopen the app) from just showing chats, to a 3-tab layout with calls, chats, and contacts.

Calls are well integrated in WhatsApp. The dedicated tab shows incoming, outgoing, and missed calls with precise timing. Ongoing calls stay in the notification panel until you hang up while missed calls leave a notification that you can later check out. While on a call, you can activate the loudspeaker or mute the microphone. If you open your text chats with any contact, a call button appears in the action bar, right next to the attach icon and the menu, to make it easier to talk to them. And finally, if you click a contact’s avatar, you now get a bigger profile image with the options to message or call them, or view their information.

The call button for all contacts now defaults to a WhatsApp call instead of going through your phone. I can’t find a way to trigger a regular network call from the app, which is a bit annoying because you might be in a spotty area or your contact might be offline. (For the record, in this case, the WhatsApp call still rings for a while, no one answers, and then gets disconnected. When the person goes back online, they see it as a missed call.) You’ll have to go to your regular Phone app to initiate a network call.

When you’re lucky enough to receive a WhatsApp call from a friend, you can go on enabling the feature by calling your other contacts. If they’re running an older version of the app that doesn’t support it, you will instantly see a message notifying you of that so you can tell them to update their app before you call them. Now all you have to do is cross your fingers and hope that someone shares the riches with you so you can spread them further.

What can we expect from the competition?

Half of all Android users vulnerable to year-old security flaw


Half of all Android users are still vulnerable to a security flaw uncovered in the most-popular mobile operating system early last year, according to a new report from security firm Palo Alto Networks. The vulnerability in question allows an attacker to modify or replace Android apps with malware without the user’s knowledge.

Google was informed of the vulnerability in February 2014, a month after its discovery, and has since come up with a patch, which it has included in later revisions of Android 4.3 Jelly Bean and newer distributions. According to the latest data from Google, that still leaves 49.9 percent of all Android users unprotected.

The vulnerability lies in Android’s PackageInstaller, which handles the installation of apps, and, according to Palo Alto Networks, is restricted to apps downloaded — either through third-party app-stores or manually by users — in insecure locations, where they can be easily modified by attackers.

It basically affects just about every Android app store out there with the exception of Google Play, and other sources — like Amazon’s AppStore — which have been patched against the vulnerability. That said, sideloading APKs is still risky, as there’s no protection for apps that users manually download.

The vulnerability can be exploited through an app downloaded “from any normal app store”, according to Palo Alto Networks, which means that users do not have to necessarily be looking for trouble to be affected. The app in question can appear to be legitimate, and may only reveal its role while PackageInstaller is triggered.

In order for fewer users to be vulnerable, Android vendors would have to release software updates for older devices, which, as we all know, is unlikely to happen. However, there are other ways to stay safe.

Other than buying a new handset that is still supported by its manufacturer for a reasonable period of time, users can use the latest available versions of their favorite third-party app stores, steer clear of shady sources, and pay more attention to which apps they install on their devices.

[http://betanews.com/2015/03/25/half-of-all-android-users-vulnerable-to-year-old-security-flaw]


THE IMITATION GAME (Alan Turing defeats the ENIGMA machine in World War II)

Yesterday I finally watched THE IMITATION GAME (Alan Turing defeats the ENIGMA machine in World War II).

Alan Turing created the Turing test, a test of a machine’s ability to exhibit intelligent behaviour equivalent to, or indistinguishable from, that of a human. In the original illustrative example, a human judge engages in natural language conversations with a human and a machine designed to generate performance indistinguishable from that of a human being. The conversation is limited to a text-only channel such as a computer keyboard and screen so that the result is not dependent on the machine’s ability to render words into audio. All participants are separated from one another. If the judge cannot reliably tell the machine from the human, the machine is said to have passed the test. The test does not check the ability to give the correct answer to questions; it checks how closely each answer resembles the answer a human would give.

But the movie focuses on defeating the ENIGMA machines.


The Enigma machine was any of several electro-mechanical rotor cipher machines used in the twentieth century for enciphering and deciphering secret messages. Enigma was invented by the German engineer Arthur Scherbius at the end of World War I. Early models were used commercially from the early 1920s, and were adopted by the military and government services of several countries, most notably Nazi Germany before and during World War II.

In summary, Alan’s team had from 6:00 am to 11:59 pm to try to decrypt that day’s code, and there were more than 159,000,000,000,000,000,000 possible combinations; in my humble opinion, the first right decision was that a machine is necessary to break a machine.


CHRISTOPHER is the name Alan gives to his machine, and we can say it is an approach to AI that we see today in projects such as IBM’s Watson.

The first tries were frustrating, because no one knew how much time CHRISTOPHER would need to decipher a code, and after a week it showed no positive result.

Then several isolated and lucky circumstances led Alan Turing to merge them and conceive a new approach: why not teach CHRISTOPHER to look for a sequence that happens every day, since they already know part of the message?

Again the weakness was a German operator who forgot to change the encryption settings and always used the same ones; maybe if this weakness had not been exploited, CHRISTOPHER would have needed a lot more time…

Watching the movie, I can’t stop thinking that Alan Turing (the hero of World War II) needed to be a hacker and exploit a weakness of the system (in this case, the human).

Kevin Mitnick, in his own particular way, performed social engineering to exploit the weakness of humans.

Today, phishing attacks have more success than attacks that exploit systems.


Now comes the question: is it simpler to defeat the system through the weakness of the humans?