Archive for the ‘data transfer’ Category

SHODAN, the search engine: is it “scary” or not?

April 12, 2013 27 comments

E-Crime Expert presents to you today a search engine which is totally different (in functionality and scope) from the ones we are used to (e.g. Google, Bing, etc.).

For us (E-Crime Expert), Shodan has a positive value, as it uncovers security vulnerabilities. Used by others (e.g. cybercriminals), Shodan could have a negative side, as it enables access to various systems (routers, webcams, etc.) which have little or no security protection.

According to the description available on their main page here, “SHODAN is a search engine that lets you find specific computers (routers, servers, etc.) using a variety of filters. Some have also described it as a public port scan directory or a search engine of banners”.

Web search engines, such as Google and Bing, are great for finding websites. Rather than locating content that matches a particular search term, SHODAN is designed to help the user find specific nodes (desktops, servers, routers, switches, etc.) with specific content.

How to use it:

Create and log in to a SHODAN account, or log in using one of several other options (Google, Twitter, Yahoo, AOL, Facebook, OpenID).

Login is not required, but the country and net filters are not available unless you log in.

Basic Operations:

Filters:

-country: filters results by two-letter country code;

-filtering by country can also be accomplished by clicking on the country map (available from the drop-down menu);

-mouse over a country for the number of scanned hosts in that country.

-hostname: filters results by specified text in the hostname or domain;

-net: filters results by a specific IP range or subnet;

-operating system: search for specific operating systems;

-port: narrow the search to specific services;
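A small helper, added here and not part of the original post, that composes a search string from the filters listed above while validating each value first, so that a query scoped to an organisation's own address range (the defensive use of SHODAN: checking what of yours is exposed) does not silently widen because of a typo. It assumes SHODAN's `name:value` term syntax with space-separated terms; the filter names `country`, `hostname`, `net`, `os` and `port` are SHODAN's, the function names are mine.

```python
# Added example (not from the blog post): build a SHODAN query from validated filters.
# Assumption: SHODAN accepts `name:value` terms separated by spaces, with values that
# contain spaces wrapped in double quotes.
import ipaddress
import re

_COUNTRY = re.compile(r"^[A-Z]{2}$")            # two-letter country code, e.g. US
_HOSTNAME = re.compile(r"^[A-Za-z0-9.-]+$")     # domain or hostname fragment

def _validate(name: str, value) -> str:
    """Normalise one filter value or raise ValueError if it is malformed."""
    text = str(value)
    if name == "country":
        code = text.upper()
        if not _COUNTRY.fullmatch(code):
            raise ValueError(f"country must be a two-letter code, got {value!r}")
        return code
    if name == "net":
        # ipaddress rejects malformed ranges such as 203.0.113.0/33;
        # strict=False tolerates host bits being set in the network address.
        return str(ipaddress.ip_network(text, strict=False))
    if name == "port":
        port = int(text)
        if not 0 < port < 65536:
            raise ValueError(f"port out of range: {value!r}")
        return str(port)
    if name == "hostname":
        if not _HOSTNAME.fullmatch(text):
            raise ValueError(f"hostname contains invalid characters: {value!r}")
        return text
    if name == "os":
        return text
    raise ValueError(f"unknown filter: {name}")

def build_query(free_text: str = "", **filters) -> str:
    """Return the query string, e.g. build_query(net='203.0.113.0/24', port=80)."""
    terms = [free_text.strip()] if free_text.strip() else []
    for name, value in filters.items():       # kwargs keep their order in Python 3.7+
        clean = _validate(name, value)
        if " " in clean:
            clean = f'"{clean}"'
        terms.append(f"{name}:{clean}")
    return " ".join(terms)

if __name__ == "__main__":
    # 203.0.113.0/24 is a documentation range used here as a constructed sample.
    print(build_query(net="203.0.113.0/24", port=80, country="us"))
```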

After the search returns some entries (e.g. webcams located in a certain area), just click on one of those entries and you will have instant access to what that webcam records live (Fig. 1).

Figure 1.


Examples:

Note:
E-Crime Expert will try to contact all the owners of these vulnerable systems in order to report their security issues and advise them how to protect their devices with appropriate passwords and security measures.

Please watch the video or read our material on how to create a stronger password.

1. Run a search for all existing default passwords, as shown in Figure 2.
Having access to the password, one could enter the router’s settings and change them or, even worse, use the router as a back door to access any device connected to it, such as a computer, printer, etc.

Figure 2.


2. Once we have selected a webcam, click on it and wait for the live footage to play.
What we see is an intersection, which could be considered a public space. The feed records everything live (Fig. 3).

Figure 3.

3. Access is granted regardless of geographical location: E-Crime Expert had access to a webcam located in Russia from a computer located in North America (Figure 4).

Figure 4.


4. We next tested a webcam which was recording someone’s home front steps, perhaps for security reasons. The issue here is the camera’s angle: it also records the neighbor’s front alley, car and probably anyone entering their house (Fig. 5).

Figure 5.


5. The next example is more intrusive, as it transmits live feeds from a restaurant where clients could be identified along with the staff members. The purpose of this camera is theft protection, but due to its non-existent security measures, anyone on the Internet can now check who came to that restaurant and at what time, turning the camera into a monitoring tool (Fig. 6).

Figure 6.


6. Not surprisingly, the next webcam is even more intrusive, showing live the staff member working in a convenience store, with a “from behind the counter” view. Any time the staff opens the cash drawer, everyone with access to this webcam (available worldwide, as shown in this blog post) could approximate how much money is in it. Besides the privacy-invasive aspect for both clients and staff, this could potentially also lead to robberies or similar attacks (Fig. 7).

Figure 7.


7. The last example is the most intrusive and concerning one, as it transmits live video from someone’s home. It is intrusive because most probably the guests visiting this person are not aware of the webcam, and because the footage is now available not just to the security company in charge of protecting this home, but to virtually anyone on the Internet. The second concerning aspect is that anyone could see what is on the kitchen counter, whether a large amount of cash, cheques or other valuable goods. This again could lead to robberies or other violent crimes (Fig. 8).

Figure 8.


Conclusions:

SHODAN aggregates a significant amount of information that is not otherwise widely available in an easy-to-understand format.

SHODAN collects basic information about websites “from the inside”, data covering the so-called back-end (simplified information about the type and version of your server software, and so on). On the one hand, it is therefore an excellent database for those involved in security; on the other, it is also a source of information for cybercriminals.

The Shodan software runs 24 hours a day. It automatically reaches out across the World Wide Web and identifies digital locators, known as Internet Protocol (IP) addresses, for computers and other devices. For security monitoring teams, Shodan may present some serious challenges: it is highly unlikely that a security monitoring team will ever be alerted to an attack that relies on Shodan.

From a privacy perspective, some information on the World Wide Web is accessible to ordinary people simply by running a search, although it should not necessarily be regarded as publicly available information, such as the webcam in someone’s home, in a store, at a gas station, etc. From a legal perspective this is not publicly available information, but it actually becomes available to anyone because some monitoring systems have little or no security measures. According to most international privacy legislation, a surveillance camera should be installed and used only on a legal basis and after a privacy impact assessment has been done (as a best practice). That legal basis strictly refers to the purpose for which the camera is used, which definitely does not include granting worldwide access to the footage, except where a public space is in question (e.g. a park, street, etc.).

Even when the area under surveillance is a public space, there are cases where footage or pictures of those public spaces record more than the public space itself (e.g. the Google Maps litigation over capturing more than the streets).

The Privacy Impact Assessment is specifically done (among other things) to make sure that no unauthorized person has access to the footage recorded by a surveillance camera. Being able to publicly find this footage on the Internet falls outside the privacy and security requirements and measures in place for a surveillance camera located either within a public space (with the potential of recording private areas as well) or in a household, which is by definition a private space. Probably some of these surveillance cameras were installed by the household owners as theft protection, intended to be accessible only to the police or other law enforcement entities.

By contrast, global access to this kind of footage does not align with most existing international privacy legislation.

Once again, E-Crime Expert has taken this opportunity (SHODAN – search as a positive tool) to assess current privacy and security issues.

If you have any question you could contact: dan@e-crimeexpert.com

Additional information can be found at: www.e-crimeexppert.com

Hit the “subscribe” button in order to be notified when new videos and Articles are posted on this blog.

Bitcoin-The Virtual Currency

April 4, 2013 2 comments

Today, E-Crime Expert briefly explains what Bitcoin is.

Disclaimer:
This Blog post does not intend to advertise, encourage or discourage investing in Bitcoin. It is purely descriptive and provides our readers with basic information on Bitcoin.

I. Characteristics:

Bitcoin is a decentralized digital currency based on an open-source, peer-to-peer internet protocol. It was introduced by a pseudonymous developer named Satoshi Nakamoto in 2009.

– it can be exchanged through a computer or smartphone, locally or internationally, without an intermediary financial institution.

– in trade, one bitcoin is subdivided into 100 million smaller units called satoshis, defined by eight decimal places.

– It is not managed like typical currencies: it has no central bank or central organization. Instead, it relies on an internet-based peer-to-peer network. The money supply is automated and given to servers or “bitcoin miners” that confirm bitcoin transactions as they add them to a decentralized and archived transaction log approximately every 10 minutes (Fig. 1).

Fig. 1

II. Transactional model:

Bitcoin is the most widely used alternative currency and is accepted by various merchants and services internationally. As of March 2013, the monetary base of bitcoin is valued at over $1 billion USD.
Each 10-minute portion or “block” of the transaction log has an assigned money supply that is awarded to the miners once the “block” is confirmed.

10 minutes of time spent = a certain amount of bitcoin

The amount per block depends on how long the network has been running and how much has been paid in transaction fees. Currently, 25 new bitcoins are generated with every 10-minute block. This will be halved to 12.5 BTC during the year 2017 and halved again every 4 years after that, until a hard limit of 21 million bitcoins is reached during the year 2140.
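The halving schedule above can be reproduced in a few lines. The following is an added example, not code from the original post: it assumes, from the protocol rather than from the post, that the subsidy started at 50 BTC and halves every 210,000 blocks (about 4 years at one block per 10 minutes), keeps amounts in satoshis as the post defines them, and derives the 25 BTC current reward, the roughly 21 million BTC ceiling and the year 2140 that the post quotes.

```python
# Added example (not from the blog post): Bitcoin's block-subsidy schedule.
# Assumptions (protocol facts, not taken from the post): 50 BTC initial subsidy,
# halving every 210,000 blocks, integer division in satoshis, genesis in 2009.
SATOSHIS_PER_BTC = 100_000_000          # the post: 1 BTC = 100 million satoshis
INITIAL_SUBSIDY = 50 * SATOSHIS_PER_BTC
HALVING_INTERVAL = 210_000              # blocks between halvings (~4 years)
BLOCKS_PER_YEAR = 6 * 24 * 365          # one block every 10 minutes, as the post states

def block_subsidy(height: int) -> int:
    """Newly minted satoshis for the block at `height` (right shift = integer halving)."""
    halvings = height // HALVING_INTERVAL
    if halvings >= 64:                  # guard mirrors the reference client; subsidy is 0 here anyway
        return 0
    return INITIAL_SUBSIDY >> halvings

def subsidy_exhausted_height() -> int:
    """First block height at which the subsidy has rounded down to zero."""
    height = 0
    while block_subsidy(height) > 0:
        height += HALVING_INTERVAL
    return height

def total_supply() -> int:
    """Total satoshis ever minted: every block in a halving period pays the same subsidy."""
    total = 0
    for height in range(0, subsidy_exhausted_height(), HALVING_INTERVAL):
        total += block_subsidy(height) * HALVING_INTERVAL
    return total

def approx_year(height: int, start_year: int = 2009) -> int:
    """Calendar year in which `height` is reached, assuming a steady 10-minute block interval."""
    return start_year + height // BLOCKS_PER_YEAR

if __name__ == "__main__":
    for h in (0, 210_000, 420_000):
        print(f"height {h:>7}: {block_subsidy(h) / SATOSHIS_PER_BTC} BTC per block (~{approx_year(h)})")
    print(f"total supply: {total_supply() / SATOSHIS_PER_BTC:.4f} BTC, "
          f"last subsidy around {approx_year(subsidy_exhausted_height())}")
```

The integer division is what keeps the total just below 21 million BTC rather than exactly on it.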

In October of 2011, a bitcoin was trading at around $5. Today, by contrast, a single bitcoin is worth just north of $140-$150.

The network’s software confirms transactions when it records them in the transaction log or “blockchain” stored across the peer-to-peer network every 10 minutes. Each subsequent confirmed record makes the ones before it increasingly permanent. After six confirmed records or “blocks” (usually one hour: 10 minutes x 6 blocks), a transaction is usually considered confirmed beyond reasonable doubt.

Initiators of a bitcoin transaction may voluntarily pay a transaction fee for the confirmation of these records. Any fees are collected by the operators of bitcoin servers — often called nodes or “bitcoin miners”.

However, transaction fees may not cover the cost of the electrical power required to operate a bitcoin miner. As a result, the network server operators often rely on “mined” bitcoins as their only significant revenue.

Basically, mining means that a user X gets an amount Y of bitcoins (in transaction fees) for facilitating transactions while lending out his resources (computer, electricity usage, etc.). It can be done either individually or by joining a mining pool. There is software for doing this: Python OpenCL Bitcoin Miner (poclbm), graphical-interface (GUI) miners, etc. (Fig. 2).

Fig. 2


III. Authentication/Security:

The transaction log is authenticated by end-users through hashed ECDSA digital signatures (similar to a username and password – you could read E-Crime Expert’s Blog Post here) and confirmed by intense calculations of varying difficulty, performed by dedicated servers called bitcoin miners.

Based on digital signatures, payments are made to bitcoin “addresses” or “public keys”: human-readable strings of numbers and letters around 33 characters in length, always beginning with the digit 1 or 3, as in the example of 175tWpb8K1S7NmH4Zx6rewF9WQrcZv245W.

Users obtain new bitcoin addresses as necessary; these are stored in a wallet file with links to cryptographic passwords or “private keys” that enable access to and transfer of bitcoins. A file or “wallet” containing bitcoin addresses is usually encrypted with an additional password.
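The address format described above (around 33 characters, beginning with 1 or 3) is Base58Check: a version byte, the 20-byte hash of the public key, and a 4-byte checksum. The following is an added example, not code from the original post; it assumes version byte 0x00 for addresses starting with “1” and 0x05 for addresses starting with “3”, with the checksum being the first four bytes of a double SHA-256 of the payload, and shows why a mistyped address is rejected rather than paying the wrong party.

```python
# Added example (not from the blog post): encode and validate Base58Check bitcoin addresses.
# Assumptions: version 0x00 (pay-to-pubkey-hash, leading '1') or 0x05 (pay-to-script-hash,
# leading '3'), 20-byte hash, 4-byte checksum = first 4 bytes of SHA256(SHA256(payload)).
import hashlib

# Base58 alphabet: no 0, O, I or l, so addresses cannot be misread by eye.
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def double_sha256(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def b58encode(data: bytes) -> str:
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = ALPHABET[r] + out
    # Each leading zero byte becomes a leading '1': that is why version 0x00 gives '1...' addresses.
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out

def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        n = n * 58 + ALPHABET.index(ch)        # ValueError on characters outside the alphabet
    pad = len(text) - len(text.lstrip("1"))
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return b"\x00" * pad + body

def encode_address(version: int, hash160: bytes) -> str:
    """Build an address from a version byte and a 20-byte hash (constructed input is fine)."""
    if len(hash160) != 20:
        raise ValueError("hash160 must be 20 bytes")
    payload = bytes([version]) + hash160
    return b58encode(payload + double_sha256(payload)[:4])

def decode_address(addr: str):
    """Return (version, hash160), or None if the length or checksum is wrong (e.g. a typo)."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return None
    if len(raw) != 25:
        return None
    payload, checksum = raw[:21], raw[21:]
    if double_sha256(payload)[:4] != checksum:
        return None
    return payload[0], payload[1:]

if __name__ == "__main__":
    # Constructed sample: an all-zero hash160 under both version bytes.
    print(encode_address(0x00, bytes(20)), encode_address(0x05, bytes(20)))
```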

An online purchase is considered safer with bitcoin versus a credit or debit card, according to Denis G. Kelly, a leading identity theft and fraud prevention expert.

“When using payment cards, you are required to include your account number and your billing address,” Kelly said. “With this information, identity thieves are off and running. Whereas with Bitcoin, their encryption renders it so that only the owner of the bitcoins can use them.” (Fig. 3).

Fig. 3


IV. Privacy:

Because Bitcoin transactions are broadcast to the entire network, they are inherently public. Using external information, it is possible, though usually difficult, to associate Bitcoin identities with real-life identities. Unlike regular banking, which preserves customer privacy by keeping transaction records private, loose transactional privacy is accomplished in Bitcoin by using many unique addresses for every wallet, while at the same time publishing all transactions.


WHAT TO DO WHEN YOUR EMAIL GOT HACKED OR COMPROMISED

February 5, 2013 2 comments

E-Crime Expert explains in this blog post the steps to be taken when your email or Social Networking Site has been hacked or compromised.

When someone’s friends or close contacts start saying that they are receiving emails or messages that one never sent, or when content appears online that one never posted, it could mean that another person has gained illegitimate control over this individual’s email or Social Networking Site account.

If this has happened, in order to limit the damage and the possibility of spreading malware/viruses to others, the passwords to all accounts that have been compromised, and to other important accounts, should be changed first*, and all contacts should be notified that they may receive spam messages that appear to come from the compromised account.

It could also happen that one cannot access his/her account anymore because the password has been changed.

If this happens, below are the contact details for the most popular email and Social Networking Site providers:

Yahoo

* Hacked account – click here

* Account is sending spam – click here

* Help Center – click here

Gmail

* Hacked account – click here

* Inaccessible account – click here

Hotmail

* Hacked account – click here

* Inaccessible account – click here

* Help Center – click here

Twitter

* Hacked account – click here

* Inaccessible account – click here

Facebook

* Hacked account – click here

* Help Center – click here

YouTube

* Hacked account – click here

TIPS:

* How to choose a strong password:

Watch the video: “Creating a strong password video tutorial”

Read the blog post: “Tips for a better, stronger password”

Frequently check your account activity/log in history as explained in this blog post: “Does anyone snoop in your email account? Find out”


Transfer mechanisms of personal data from EU to third countries

January 8, 2013 2 comments

This Article explains the concept of transferring personal data from the EU to third countries, what those third countries are, the principles for making such transfers legitimate and the derogations from these principles, and, last but not least, the transfer mechanisms for personal data to third countries.

Considering the legal requirements of Directive 95/46/EC, Article 25 (“the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if… the third country in question ensures an adequate level of protection…”), this Article provides three legal mechanisms for such transfers:

-Standard Contractual Clauses – for single Organizations or entities

-Binding Corporate Rules – for multinational Organizations or entities

-Safe Harbor Agreement principles – for Organizations or entities located in the U.S.

The Article provides Organizations or entities with all currently available mechanisms for data transfer from the European Union to third countries, regardless of whether those Organizations are independent single entities or multinational ones.

This Article was written by Dan Manolescu. If interested, you could read the full Article published by InfoSec Institute here.

If you would like to find out more about InfoSec, you could visit this page here.

Dan Manolescu is now a frequent contributor to InfoSec Institute.

If you have any questions please contact us at: dan@e-crimeexpert.com
