FruityWifi – Wireless Network Auditing Tool

FruityWifi is an open source wireless network auditing tool, it allows the user to deploy advanced attacks by directly using the web interface or by sending messages to it. Initially the application was created to be used with the Raspberry-Pi, but it can be installed on any Debian based system.

FruityWifi v2.0 has many upgrades. A new interface, new modules, Realtek chipsets support, Mobile Broadband (3G/4G) support, a new control panel, and more.

Tested in Debian, Kali Linux, Kali Linux ARM (Raspberry Pi), Raspbian (Raspberry Pi), Pwnpi (Raspberry Pi), Bugtraq.

What’s New

With the new version, it is possible to install external modules. This gives the user more flexibility, and FruityWifi can be customized: modules can be added or removed at any time using the on-line repository.

Now it is possible to use FruityWifi combining multiple networks and setups:

  • Ethernet <–> Ethernet,
  • Ethernet <–> 3G/4G,
  • Ethernet <–> Wifi,
  • Wifi <–> Wifi,
  • Wifi <–> 3G/4G, etc.

Among the new options on the control panel, the AP mode can be switched between Hostapd and Airmon-ng, which allows more chipsets, such as Realtek, to be used.

It is possible to customize each one of the network interfaces, which allows the user to keep the current setup or change it completely.

Available modules include:

  • Hostapd Karma
  • URLsnarf
  • DNSspoof
  • Kismet
  • Squid (code injection capabilities)
  • SSLstrip (code injection capabilities)
  • nmap
  • mdk3
  • ngrep
  • Captive Portal
  • Nessus
  • Ettercap
  • Tcpdump
  • AutoSSH
  • Supplicant
  • 3G/4G

You can download FruityWifi v2.2 from here:

Source: fruitywifi

Original Post:

Test File: PDF With Embedded DOC Dropping EICAR

Over at the SANS ISC diary I wrote a diary entry on the analysis of a PDF file that contains a malicious DOC file.

For testing purposes, I created a PDF file that contains a DOC file that drops the EICAR test file.

The PDF file contains JavaScript that extracts and opens the DOC file (with user approval). The DOC file contains a VBA script that executes upon opening of the file, and writes the EICAR test file to a temporary file in the %TEMP% folder.


You can download the PDF file here. It is in a password protected ZIP file. The password is eicardropper, with eicar written in uppercase: EICAR.

This will generate an anti-virus alert. Use at your own risk, with approval.
MD5: 65928D03CDF37FEDD7C99C33240CD196
SHA256: 48258AEC3786CB9BA032CD09DB09DC66E0EC8AA19677C299678A473895E79369

Original Post:

Sphinx, a new variant of Zeus available for sale in the underground

A new variant of the popular Zeus banking trojan, dubbed Sphinx, has appeared for sale on the black market; it operates entirely through the Tor network.

A few days ago a new variant of the popular Zeus banking trojan was offered for sale on the black market; its name is Sphinx.

The Sphinx code is written in C++ and is based on the source code of the ZeuS trojan. The authors have designed it to operate through the Tor network. According to the author, Sphinx is immune to sinkholing, blacklisting, and the ZeuS tracker.

sphinx botnet for sale

The Sphinx kit is currently available for sale at $500 USD per binary; the seller accepts Bitcoin and DASH as methods of payment. Buyers need to register on a website to make the payment; once registered, both BTC and DASH addresses are generated.

Once the seller receives the payment, the buyer's account is enabled and gains the rights to edit the config and request a build.

sphinx botnet control panel

The seller claims that operators who buy it do not need bulletproof hosting. Below is the list of features implemented in Sphinx:


  • Formgrabber and Webinjects for latest Internet Explorer, Mozilla.
  • Firefox and Tor Browser with cookie grabber and transparent page redirect (Webfakes).
  • Backconnect SOCKS, VNC.
  • Socks 4/4a/5 with UDP and IPv6 support.
  • FTP, POP3 grabber.
  • Certificate grabber.
  • Keylogger.

Certificate grabber:

Sphinx is able to intercept certificates when they are in use to establish a secure connection or to sign a file. It is very common in the criminal underground to abuse digital certificates, for example to digitally sign malware code with the certificates of a trusted organization in order to bypass antivirus solutions.

Backconnect VNC:

This is the most essential feature of a banking trojan. It allows you to make money transfers from the victim's computer. Your VNC is done on a different desktop than the victim's desktop, so it's completely hidden.

You can steal money from the bank while the victim is playing multiplayer games or watching movies. Forget about configuring the browser, because when carding with Sphinx you don’t need to.

With Backconnect VNC you can also remove anti-virus/rapport software from the victim’s computer. Port-forwarding for the victim is not required due to the use of Reverse connection.

Backconnect SOCKS:

Use your victims as a SOCKS proxy. Port-forwarding is not required due to use of Reverse connection.


Webinjects:

Used for speeding up report gathering. With Webinjects you can change the content of a website and ask for more information. You can do such things as asking for credit-card data from the victim's PayPal/Amazon/eBay/Facebook for a successful login.

Webinjects use ZeuS format. You have to create your own web injects or use those that are publicly available. Sphinx uses ZeuS format so all released webinjects for Zeus/Spyeye/Citadel are compatible.


Webfakes:

Used to do phishing attacks without having to trick the victim into going to a fake domain. For example: when configured for bankofamerica, the user is transparently redirected to your phishing site without changing the URL.


At the moment, the bot is primarily designed to work under Windows Vista/Seven, with enabled UAC, and without the use of local exploits. Therefore, the bot is designed to work with minimal privileges (including the user “Guest”).

In this regard the bot is always working within sessions-per-user. The bot can be set for each user in the OS, and the bots do not know about each other. When you run the bot as a “LocalSystem” user it will attempt to infect all users on the system.

When you install Sphinx, the bot creates its copy in the user’s home directory. This copy is tied to the current user and OS, and cannot be run by another user. The original copy of the same bot that was used for installation, will be automatically deleted, regardless of the installation success.


Sessions with the server go through a variety of processes from an internal “white list”, which allows you to bypass most firewalls. During the session, the bot can get the configuration, send the accumulated reports, report its condition to the server, and receive commands to execute on the computer.

The session takes place via HTTP-protocol, all data sent by a bot and received from the server is encrypted with a unique key for each botnet.


The Sphinx command and control (C&C) has not changed from ZeuS. Old ZeuS fans will be pleased to use this comfortable bot network control system again. It's coded in PHP using the mbstring and mysql extensions.


  • XMPP notification.
  • Statistics.
  • Botlist.
  • Scripts.

XMPP notification:

You can receive notifications from the Control Panel in a Jabber-account.

At the moment there is the possibility of receiving notifications about a user entering defined HTTP/HTTPS-resources. For example: it is used to capture a user session at an online bank.


Scripts:

You can control the bots by creating a script for them. Currently, the syntax and scripting capabilities are very primitive.


Botlist:

  • Filtering the list by country, botnets, IP-addresses, NAT-status, etc.
  • Displaying desktop screenshots in real time (only for bots outside NAT).
  • Mass inspection of the Socks-servers state.

Displays detailed information about the bots:

  • Windows version, user language and time zone.
  • Location and computer IP-address (not for local).
  • Internet connection speed (measured by calculating the load time of a predetermined HTTP-resource).
  • The first and last time of communication with the server.
  • Time online.
  • Ability to set comment for each bot.


Statistics:

  • Number of infected computers.
  • Current number of bots online.
  • The number of new bots.
  • Daily activity of bots.
  • Country statistics.
  • Statistics by OS.

The seller suggests “using Internet Explorer traffic for the exploit-kit in order to get maximal profit while using Sphinx.”

At the time of writing, the Tor website http://dagxkme5nbxm5nkh.onion reported in the ad appears to be down.

Stay Tuned!

Original Post:

Ashley Madison hackers publish data on cheating site, ‘’ emails spotted among Hong Kong user details

Hackers who breached the servers of infidelity dating site Ashley Madison last month have allegedly followed up on their threat to post the service’s user database.

Calling themselves the Impact Team, the hackers dumped almost 10 gigabytes of data in a file that includes credit card transactions, thousands of emails and personal data of users including everything from people’s names to their sexual fantasies.

“Avid Life Media has failed to take down Ashley Madison,” the hackers wrote, referring to the site’s parent company in Canada.

“We have explained the fraud, deceit and stupidity of ALM and their members. Now everyone gets to see their data.”

The US Federal Bureau of Investigation said on Tuesday that it is investigating the breach, as ALM lashed out at the hackers for hurting “innocent” people.

ALM said the Royal Canadian Mounted Police, the Ontario Provincial Police and the Toronto Police services are also involved in the investigation.

The data, which was uploaded in a raw text format and requires relatively sophisticated technical skills to browse, was quickly pored over by cybersecurity researchers and interested gawkers.

A portrait of Ashley Madison CEO Noel Biderman in Hong Kong’s Tsim Sha Tsui just after the site was launched in the city in mid-2013. Photo: May Tse

On forum 8Chan, which helped share hundreds of leaked naked photos of celebrities last year, users quickly began sharing tidbits of information found in the files.

Shared material included the email addresses of UK government bodies and major corporations. Commenters also started to publicly identify some of the users.

The news may also alarm the service’s users in Hong Kong. Ashley Madison launched in the city in mid-2013.

An analysis of the email database published by the hackers returned more than 10,000 “.hk” addresses, as well as nine official “” email addresses. Governmental Ashley Madison users included employees of the Education Bureau, Social and Welfare Department, and the Legislative Council.

There were also hundreds of users with “” addresses, as well as 10 whose emails suggested they worked at one of the city’s many non-governmental organisations, including one Mensa member.

It is unclear how many of those users are still paying customers. One of the hackers’ main gripes with Ashley Madison was their allegation that the service’s “full-delete” function, which charged users US$20 to remove their information from their databases, did not work in practice. The site responded by wiping this fee.

Credit card data released by the hackers showed more than 770 transactions in the last three years from users who listed their location as Hong Kong.

Original Post:

YARA: Simple and Effective Way of Dissecting Malware

In this article, we will learn about the YARA tool, which gives a very simple and highly effective way of identifying and classifying malware. We all know that reverse engineering is the recommended method for performing a complete post-mortem of malicious files, but it is very expensive: it involves in-depth analysis of the files, which takes time and money. It is considered good practice to observe malware behavior, capture it in a signature, and then identify the related infected files. To cut the cost of reverse engineering and to identify malware families based on signatures, we can use an open source tool known as YARA.


YARA is a popular tool that provides a robust rule language, compatible with Perl-style regular expressions, which is used to examine suspected files or directories and match the strings defined in YARA rules against their contents.

Syntax of YARA rules

At its most basic, the syntax of a YARA rule is as follows:

rule RuleName
{
    strings:
        $test_string1 = "Testing"
        $test_string2 = { E1 D2 C3 B4 }

    condition:
        $test_string1 or $test_string2
}

RuleName is the identifier of the rule. Identifiers must follow the same lexical conventions as the C programming language: they can contain any alphanumeric character and the underscore character, but the first character cannot be a digit. Rule identifiers are case sensitive and cannot exceed 128 characters.

As you can see, the main body of the YARA rules contains two sections:

  • Strings: This section contains the strings/patterns/signatures that we need to match against a file. The strings section is optional and can be left out if the condition does not need it. In YARA there are 3 types of strings, as follows:
    • Hexadecimal Strings: Hexadecimal strings match raw byte sequences in the scanned file. They allow three special constructs: wildcards, jumps, and alternatives.
      • Wildcard: This is represented by a ‘?’ and indicates that a nibble (half a byte) in the pattern is unknown and should match anything, so ‘??’ matches any whole byte. For example:
        • $hex_example = {B1 B2 ?? ?? B8}
      • Jumps: In circumstances when we know the values of the pattern but the length of the gap between them varies, we can use a jump. For example:
        • $jump_example = {F1 F2 [2-3] 24}; this indicates that any arbitrary sequence of 2 to 3 bytes can occupy that position.
  • Text Strings: Text strings are in the form of ASCII text, which is then matched according to the condition set. This type has further variants:
    • Case Sensitive Strings: Example: $text_case_example = "test"
    • Case Insensitive Strings: Example: $text_nocase_example = "test" nocase
    • Wide Character Strings: Example: $text_wide_example = "test" wide
  • Regular Expressions: Starting from v2.0 YARA has its own regular expression engine, which mostly resembles PCRE. A YARA regular expression can be followed by the same modifiers (such as nocase and wide) as the text strings mentioned above.
  • Conditions: The condition section is a Boolean expression. For example, in the main example above, the rule matches if either $test_string1 or $test_string2 is found. Within the condition, we can:
    • Count the string occurrences: #test_string1 == 2 and #test_string2 < 10
    • Check string offsets: This is used to find out whether a particular string is present at a specified offset of the scanned file (or virtual address of the scanned process). This is achieved with the following keywords:
      • at: $test_string1 at 200 and $test_string2 at 500; this checks whether test_string1 is located at offset 200 and test_string2 at offset 500.
      • in: this is used to define a range of offsets in which to search for the string. For example, $test_string1 in (100..200) will look for test_string1 between offsets 100 and 200.
    • Check the file size: Example: filesize > 10000
    • Require a set of strings: Example: 2 of ($test_string1, $test_string2, $test_string3); this means at least two of the enclosed strings must match in the file.
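To make the hex-string semantics and condition primitives above concrete, here is an added example (not code from the article or from the YARA project) that re-implements them in plain Python: full-byte and nibble wildcards, jumps, and the #count, at and in operators, evaluated over a constructed byte buffer. The helper names HexString and evaluate_rule are this example's own, and it uses only the standard library, so it runs without yara-python installed.

```python
import re


def hex_string_to_regex(pattern):
    """Translate a YARA hex string such as {F1 F2 [2-3] 24} into a compiled
    bytes regex. Handles fixed bytes, full-byte wildcards (??), nibble
    wildcards (B? / ?B) and jumps ([n] or [n-m]); alternatives are omitted."""
    parts = []
    for tok in pattern.strip().strip("{}").split():
        jump = re.fullmatch(r"\[(\d+)(?:-(\d+))?\]", tok)
        if jump:                                   # [n-m]: n to m arbitrary bytes
            lo = int(jump.group(1))
            hi = int(jump.group(2)) if jump.group(2) else lo
            parts.append(b".{%d,%d}" % (lo, hi))
        elif tok == "??":                          # any single byte
            parts.append(b".")
        elif len(tok) == 2 and "?" in tok:         # one nibble fixed, one free
            vals = [int(tok.replace("?", "%X" % n), 16) for n in range(16)]
            parts.append(b"[" + b"".join(b"\\x%02X" % v for v in vals) + b"]")
        elif len(tok) == 2:                        # fixed byte
            parts.append(b"\\x%02X" % int(tok, 16))
        else:
            raise ValueError("unsupported hex token: %r" % tok)
    return re.compile(b"".join(parts), re.DOTALL)  # DOTALL: '.' must match 0x0A too


class HexString:
    """One $identifier = { ... } entry plus the condition primitives on it."""

    def __init__(self, pattern):
        self.rx = hex_string_to_regex(pattern)

    def offsets(self, data):
        # Every offset where the pattern matches, overlapping ones included,
        # which is how YARA counts string occurrences.
        return [pos for pos in range(len(data)) if self.rx.match(data, pos)]

    def count(self, data):                 # YARA: #name
        return len(self.offsets(data))

    def at(self, data, offset):            # YARA: $name at offset
        return self.rx.match(data, offset) is not None

    def in_range(self, data, lo, hi):      # YARA: $name in (lo..hi)
        return any(self.rx.match(data, pos) for pos in range(lo, hi + 1))


# Constructed sample buffer (not a real file): offsets chosen so that the
# wildcard pattern hits once and the jump pattern hits twice but not thrice.
SAMPLE = (b"\x00\x00\xB1\xB2\x11\x22\xB8"         # {B1 B2 ?? ?? B8} at offset 2
          b"MZ\x90\x00"                           # filler
          b"\xF1\xF2\xAA\xBB\x24"                 # {F1 F2 [2-3] 24} at offset 11, 2-byte jump
          b"\xF1\xF2\x01\x02\x03\x24"             # again at offset 16, 3-byte jump
          b"\xF1\xF2\x01\x02\x03\x04\x24")        # offset 22: 4-byte gap, so no match

WILD = HexString("{B1 B2 ?? ?? B8}")
JUMP = HexString("{F1 F2 [2-3] 24}")
NIBBLE = HexString("{B? B?}")


def evaluate_rule(data):
    """Equivalent of the rule
         strings:   $w = {B1 B2 ?? ?? B8}   $j = {F1 F2 [2-3] 24}
         condition: $w and #j == 2 and $j in (8..20) and not $j at 22
    """
    return (WILD.count(data) > 0 and JUMP.count(data) == 2
            and JUMP.in_range(data, 8, 20) and not JUMP.at(data, 22))


if __name__ == "__main__":
    print("wildcard offsets:", WILD.offsets(SAMPLE))     # [2]
    print("jump offsets:", JUMP.offsets(SAMPLE))         # [11, 16]
    print("nibble offsets:", NIBBLE.offsets(SAMPLE))     # [2]
    print("rule matches:", evaluate_rule(SAMPLE))        # True
```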

Use Cases

YARA has many use cases. The sections below highlight some of the most important and well-known ones.

YARA with ClamAV Rules

YARA can be integrated with the ClamAV rule database. Perform the steps below to integrate ClamAV rules with YARA:

YARA with PEiD

YARA can also be integrated with PEiD to check which packer was used to pack the malicious/suspected executable. To integrate PEiD with YARA, perform the following steps:

  • Download the PEiD to YARA script from here:

  • Download the PEiD signatures directly from
  • Run the script:
    • python <peid-to-yara-script>.py -f useddb.txt -o testing_peid.yara (the script name is a placeholder for the script downloaded in the first step)
  • Run the YARA rule over the malicious executable:
    • yara testing_peid.yara malware_testing.exe; this reports which packer the executable was packed with.

YARA with PE

Starting with version 3.0, YARA can parse Portable Executable (PE) files. For example, the following rule parses the PE file and checks its import section along with a string:

import "pe"

rule PE_Parse_Check
{
    strings:
        $string_pe = "abc" nocase

    condition:
        pe.imports("kernel32.dll", "CreateProcessA") and
        pe.imports("wininet.dll", "HttpSendRequestA") and
        $string_pe
}

This rule, PE_Parse_Check, matches only when the file contains the string “abc” (case-insensitive) and its PE import table references both a process-creation function (CreateProcessA from kernel32.dll) and an HTTP send-request function (HttpSendRequestA from wininet.dll). Note that the function name must be written as it is exported, including its A/W suffix, for pe.imports to match it.


YARA with WMI

Earlier versions of YARA could only scan a single process at a time, identified by the process ID passed to it. To overcome this limitation, YARA can be combined with WMI (here via the Python wmi module together with the yara-python bindings) so that all running processes can be scanned in one go. For example:

import os
import wmi    # Python WMI bindings (Windows only)
import yara   # yara-python bindings

wmi_client = wmi.WMI()                        # connect to the local WMI service
own_pid = os.getpid()                         # PID of this script, which is skipped
rules = yara.compile(filepath="File_Path")    # compile the YARA rules stored at File_Path

for process in wmi_client.Win32_Process():    # iterate over all running processes
    process_id = process.ProcessId
    process_name = process.Name
    process_path = process.ExecutablePath

    if process_id == own_pid:
        continue

    try:
        rule_match = rules.match(pid=process_id)   # scan the process memory against the rules
    except yara.Error:
        print("Error matching for PID: %d" % process_id)   # e.g. access denied or process already exited
        continue

    if rule_match:
        print("%s matched %s [PID:%s]" % (rule_match, process_path, process_id))
    else:
        print("No matches for %s [PID:%s]" % (process_name, process_id))

This can easily be modified to flag rogue process IDs as well.

Limitations of YARA

While reading this, most of you might have felt that, considering how sophisticated malware has become these days, YARA detection can be easily bypassed, since YARA only does pattern/string/signature matching, whereas a more effective method of detecting malware is available, i.e. behavior analysis. I totally agree that YARA has this limitation, but with all its other features and support, YARA is a necessary tool for analyzing malicious files.


In this article, we have learned about YARA, its structure, and famous use cases like YARA with WMI, PE, PEiD and ClamAV, as well as some limitations.

Original Post:

Technology Can’t Defend Your Network, but People Can

Enterprise-wide network security is getting a lot of attention. Countless whitepapers, conferences and presentations focus on cybersecurity, but a fundamental element is being ignored.

“Technology alone can’t defend your network; your people must drive your security.”

Technology is only a tool; hammers don’t drive nails on their own.

It is never anyone’s intent to build systems that don’t effectively leverage the skills of their workforce, but it happens all the time.

Network analysts often spend most of their time pushing buttons and watching lights. Good analysts want to contribute, but must be empowered to do so. And if they are empowered, how easy is it to deliver value?

Approval processes can be unwieldy to the point of inaction, especially for larger enterprise networks. For example, an analyst sees a threat that could be stopped in real-time, but the firewall protocols and approval cycle operate slowly in support of the hacker. A less dramatic, but perhaps more universal, example focuses on firewall logs. Asked if they collect and store firewall logs, all organizations will answer “yes.” That number goes way down, however, when asked how many correlate those logs with other data, learn from it, and make relevant changes to their network defenses.

Organizations do not consciously seek either outcome. It’s largely just a reflection of the day-to-day realities of network defense. It’s difficult for a global enterprise operating and defending 24/7 to make fundamental transformations, no matter how essential. It is, however, being done effectively, efficiently, and with compelling benefits by working from a people-centric perspective.

Process: Knowledge management is key. Connecting analysts across a network increases their knowledge and reduces duplication of effort. The organization is driven by shared intelligence.

Skills: Look critically at the mindset and the motivation of people rather than focusing on certifications. Seek and exploit diversity. Encourage people to find a niche that supports a common goal. The pursuit of passion rarely backfires.

Tools: Focus on the tools that allow analysts to practice their craft, and allow them to drive the tools—not the other way around. Millions of dollars are spent on tools that are soon relegated to the shelf. Address issues with technology that makes sense.

“Calls to action” often are calls for funding. It’s true that most security teams are under-resourced. Prior to spending the next dollar, however, consider this: A recent Ponemon Institute survey of IT leadership in North America revealed that 90 percent of organizations polled scrapped, or never used, security technology they purchased. The next time your organization considers its network defense posture, look first at how your workforce can be leveraged most effectively. Your network—human and technological—will benefit.

Original Post:

Email Security Awareness: How To Get Quick Results

Phishing and Spear phishing attacks on the rise

Phishing and spear phishing attacks are the most effective attack vectors. Despite the high level of awareness of the cyber threats, bad actors still consider email their privileged attack vector.

According to the security experts at Trend Micro, spear phishing is the attack method used in some 91 percent of cyber attacks.

The report titled “Global Phishing Survey 2H2014”, published by the Anti-Phishing Working Group (APWG), highlighted that in the second half of 2014 the number of domain names used for phishing broke a record: at least 123,972 unique attacks were observed all over the world, using the amazing figure of 95,321 unique domain names.

This data demonstrates intense activity related to phishing. In the majority of attack scenarios, the attackers rely on a malicious email that appears to come from a legitimate entity and requests an action from the victim. Phishing messages usually include malicious links to websites controlled by bad actors, while others include a malicious attachment that, once opened, starts the infection process on the targeted system.

Differently from a common phishing attack, in the spear phishing attack scenario bad actors target a subset of people, usually the employees of an organization, members of an association or visitors of a particular website. The purpose of the attack is to collect personal information and other sensitive data that would be used later in further attacks against the victims.

Recent hacking campaigns carried out by several APT groups relied on malicious emails sent to the victims encouraging them to open Word or PDF documents that were specifically crafted to exploit vulnerabilities in the web browser to compromise the host. The analysis of the data related to the cyber attacks that occurred in the last five years demonstrates that email is the privileged threat vector for an attacker to compromise enterprises and organizations of any size.

The “Operation Aurora” attack (2010), the Target breach (2013), the most recent Sony Entertainment hack (2014), and the cyber attacks operated by Operation Carbanak and the Syrian Electronic Army are just a few examples of offensives that relied on spear phishing emails as an infection method.

In every case, the attacks started with malicious email not properly managed by the internal staff.

Every attack relying on malicious email tries to exploit the weakest link of the security chain: humans. It is therefore important to spread basic knowledge of email security in order to drastically reduce the success rate of these attacks.

Why are criminals interested in my email account?

What is the commercial value of a hacked email account?

A couple of years ago, the popular investigator Brian Krebs published an interesting post to explain the commercial value of a hacked email account. The article provided useful information on the business model behind the theft of these precious commodities.

Email accounts are the containers where crooks can access an infinite amount of information, including passwords, documents, credit card data, utility bills and much more. A fraudster taking over a victim’s account could discover his network of contacts, examine his habits, find information about his expenses (e.g. Travel, books, etc.), and then use the hacked email account to gain the access to the accounts of other web services (i.e. Facebook, eBay, PayPal, other email accounts).

The post published by Brian Krebs highlighted the importance of email security. An email account is an essential component of our digital identity and must be properly protected.

By accessing an email account, cyber-criminals steal data to resell on the underground market. It is quite easy to find many offers for hacked email accounts on the principal black markets. There are forums specializing in the sale of email accounts by industry. This is the right place for attackers that want to target individuals in a specific sector.

Figure 1 – Brian Krebs – Hacked Email accounts

Criminals could be interested in hacking email accounts for various reasons. Hackers could access them to spy on directly-connected accounts, or use them to run phishing campaigns. In some cases the crooks could try to monetize the hacked account directly. As explained by Krebs, an individual could receive a message from one of his contacts, sent from the hacked email account, asking him to wire money somewhere and claiming that the owner of the account is stranded without funds in some other part of the globe.

Email accounts could also be used to obtain access to cloud file-storage services linked to the email. Web storage, such as Dropbox and Google Drive are a privileged target for cyber-criminals.

According to the principal security firms, the most valuable commodities traded in the principal black markets are:

  1. Annual accounting balances and financial reports;
  2. Project plans and strategies of the company for several years;
  3. Intellectual property and innovations used for successful business;
  4. Customers databases and partners’ contacts (CRM);
  5. Employee databases (Intranet systems);
  6. Credentials to corporate e-mails and personal e-mails of employees;
  7. Internal network infrastructure and its specifics.

A hacked email account could also be used to gain access to payment systems such as PayPal; on a daily basis, cyber-criminals get access to tens of thousands of credentials across multiple online payment processing services and sell them in the underground.

Are you still convinced that your email account has no value for crooks?

Email Security Tips

Below is a list of useful suggestions that will allow you to secure your email account and your sensitive data:

Pay attention to the alleged phishing emails

Phishing emails are usually not solicited, and request sensitive information from the victims. Be wary when you receive messages asking for your personal information, or when the emails inform you that the service provider (i.e. Your Bank, Facebook, Twitter, eBay, etc.) is experiencing trouble with your account and request your credentials to solve the situation. In many cases, the malicious emails reproduce the layout of legitimate websites and include links to phishing pages crafted to request user data.

Never click links embedded in the Emails

In the majority of cases, you should not click on links contained in emails. It is good practice to click on a link only when you are expecting a particular email sent by a trusted source or by a service you trust.

Never click on links or images contained in unsolicited emails that offer a particular service or product for sale. If the email pretends to be from your bank, do not use the link it contains. Instead, always visit the website manually, and do not copy and paste the link into your browser.

Do not open attachments in unsolicited email

Malicious attachments are the most common infection vector; do not open files attached to emails sent by unknown people. Never open attachments in unsolicited email. Do not trust the file extension: filenames can be spoofed, and a supposed JPEG image could be an EXE in disguise that hides a loader for malicious payloads.

Avoid using a single email account to manage several web services

In the majority of cases, Internet users have a single email account which serves as the recipient of messages from several different platforms and services. The same account is often used for work, to receive messages from social media, to receive newsletters, and for many other purposes.

Concentrating all of our activities into a single email account is a common error: in case of a breach, our entire digital identity would be compromised.

Having separate email accounts significantly improves the security of our digital existence: in case of a hack, only a portion of our messages would be compromised. It could be useful to have a work account, a personal account for private messages, an account for recreational activities such as social networks and e-commerce websites, and a throwaway account for potential spam links.

Never share the same password over multiple email services

Avoid reusing the same password across the email accounts you have. Using a single password for all email accounts is a common mistake: if an attacker hacks into a user's personal email account, they are able to access all the other accounts belonging to the victim that share the same password. Unfortunately, this simple practice is still neglected by the majority of Internet users.

Always scan for malware

Every time you receive a suspect email, even from a trusted source, run a malware and virus scanner. Attackers can compromise the email account of your business partner or your girlfriend and then spread malware to the entire contact list.

Avoid Public Wi-Fi

Another good suggestion for securing email is to avoid checking it over public Internet connections. Hackers can sniff your password and sensitive data, or run Man-In-The-Middle attacks, in order to hack into your email account.

Adopt a defense-in-depth approach

Cyber threats to email services take different forms; for this reason a single measure is not enough. Instead, it is important to implement a defense-in-depth model that involves different technologies, including:

  1. Antivirus and anti-malware
  2. Content filtering
  3. Anti-spam

Use two-factor authentication

Two-factor authentication mechanisms can drastically improve the security of email accounts. Authentication requires knowledge of the password combined with possession of a second factor, such as a smart card or a mobile device used to generate a one-time password code or to take part in a challenge-response process.

By enabling two-factor authentication, even if the password is hacked, your account will still be protected by the second factor.

Encrypt your email

Another important suggestion to follow to protect emails from prying eyes is to encrypt them. Encryption can be used to protect private emails, making them impossible to decipher without the key; this means that even if the account is compromised, the contents of the messages will not be accessible. The only way to read the mail is to have the encryption key. Most encryption uses the Advanced Encryption Standard (AES), which provides key lengths of 128, 192 and 256 bits.


The business behind a hacked email account


What is Traffic Fingerprinting and How it is Used to Attack Tor Network


Short Bytes: Traffic fingerprinting is a technique used to sniff web traffic by analyzing the flow pattern of the data packets, without removing the encryption. This technique has recently been used successfully to break the layers of anonymity of Tor network users and hidden services.

The Tor network is one of the most popular systems used to provide anonymity to Internet users. People dive into the dark paths of the Deep Web using the Tor network and remain hidden from the ordinary world. Journalists, hackers, law enforcement officials, whistleblowers, and criminals have been using the Tor network for a long time. But lately, many security researchers have outlined possible loopholes in the Tor network that could be exploited to deploy an attack.

Just a few days ago we read about a Tor honeypot that could be used to set up a trap to capture a Tor user's identity. Today, we are telling you about research done by MIT and QCRI researchers that outlines vulnerabilities in Tor's design. Before going into the details, let me explain how Tor works, as traffic fingerprinting is a continuation of the same.

How Tor works and why it’s called “The Onion Router”

A Tor network consists of many Tor-installed computers connected to the Internet. Each time a Tor user makes a request to visit a website like fossBytes, his/her computer will enclose this Web request in multiple encryption layers and forward it to a computer (called the guard) which is part of the Tor network. This selection is totally random and the user's request could be forwarded to any computer on the network. Now, the guard computer will peel off the top layer of encryption and pass the request to another random computer, and so on. As the wrapped request reaches the last computer, the final encryption layer is peeled off.

So, there are multiple layers of encryption, like the layers of an onion; hence, Tor is an acronym for “The Onion Router.”

This last computer is known as the exit node and it knows the request's final destination. Thus, the guard knows the address of the user, and the exit knows the address of the destination.

The Tor network also provides “hidden services” that protect the anonymity of the destination site as well. These websites are configured to accept traffic coming only through the Tor network. The host's computer uses Tor routers as “introduction points”, which are used by people to reach the hidden website's content.

If a person wants to browse a hidden service, a “Tor circuit” is created. The user's and the host's computers build Tor-secured links to the introduction point, and those links form the Tor circuit. Using more hosts and routers, the user's browser and the hidden service then build further circuits to another router, called the rendezvous point, whose location is again anonymous.

What is traffic fingerprinting and how is it used to attack Tor network?

What is traffic fingerprinting? Basic website traffic fingerprinting refers to recognizing web traffic by analyzing the patterns, responses, and packets sent and received in a particular direction, all of this despite the use of encryption or anonymity.

How is it used to attack the Tor network? Traffic fingerprinting in Tor requires the attacker's computer to act as the guard on a Tor circuit. If an attacker manages to connect lots of machines to the Tor network, there are good odds that, on some occasion, one of the attacker's computers will be in the right place at the right time to sniff the traffic.

When a Tor circuit is established, the systems on the Tor network pass a huge amount of data. MIT News writes: “By looking for patterns in the number of packets passing in each direction through a guard, machine-learning algorithms could, with 99% accuracy, determine whether the circuit was an ordinary Web-browsing circuit, an introduction-point circuit, or a rendezvous-point circuit.” To achieve this, breaking Tor's encryption wasn't necessary.

Similarly, using a Tor-enabled computer, traffic analysis could identify the hidden services with 88% accuracy. So, if the attacker happens to be lucky enough to be the guard for a user, he/she can tell which sites the user accessed.

How to defend against traffic fingerprinting in Tor network?

Researchers recommend masking the packet sequences so that all sequences look identical; in practice, sending dummy data packets so that all the different circuits look the same.

“We are considering their countermeasures as a potential improvement to the hidden service,” they add. “But we think we need more concrete proof that it definitely fixes the issue.”

Traffic fingerprinting in the Tor network isn't something that can be done over a period of a few days. An attacker must spend a long time collecting data and digging deeper into the network.
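To make the two points above concrete (direction counts give a circuit away, and dummy packets hide them), here is an added toy model that is not part of the original post or the MIT/QCRI work. The traces, the feature set and the padding schedule are all constructed assumptions; real Tor cell handling is not modelled.

```python
"""Added example (not from the original post): why the direction pattern of
cells fingerprints a Tor circuit, and how dummy cells can hide it. The traces
are constructed toy data, not real Tor captures, and Tor's real cell handling
is not modelled."""
from collections import Counter

# Constructed traces: +1 = cell from the user toward the guard, -1 = toward the user.
TRACES = {
    "web_browsing":       [1, 1, -1, -1, -1, -1, -1, -1, 1, -1, -1, -1, -1, -1],
    "introduction_point": [1, 1, 1, 1, 1, 1, 1, 1, -1, 1, 1, 1],
    "rendezvous_point":   [1, -1, 1, -1, 1, -1, 1, -1, 1, -1],
}

def fingerprint(trace):
    """Features a guard can read without breaking encryption: cells per
    direction and the longest run of cells in one direction."""
    counts = Counter(trace)
    longest = run = 0
    for i, d in enumerate(trace):
        run = run + 1 if i and trace[i - 1] == d else 1
        longest = max(longest, run)
    return (counts[1], counts[-1], longest)

def pad_trace(trace, slots):
    """Countermeasure from the article: every circuit sends a fixed schedule of
    `slots` cells alternating direction; a slot carries a real cell if one is
    pending in that direction, otherwise a dummy. The two directions are
    treated as independent queues. Returns a list of (direction, is_dummy)."""
    pending = {1: trace.count(1), -1: trace.count(-1)}
    wire = []
    for slot in range(slots):
        direction = 1 if slot % 2 == 0 else -1
        is_dummy = pending[direction] == 0
        if not is_dummy:
            pending[direction] -= 1
        wire.append((direction, is_dummy))
    if pending[1] or pending[-1]:
        raise ValueError("schedule too short for this trace")
    return wire

def wire_fingerprint(wire):
    """What the guard sees: dummies are indistinguishable from real cells."""
    return fingerprint([direction for direction, _ in wire])

if __name__ == "__main__":
    for name, trace in TRACES.items():
        print(name, fingerprint(trace), "->", wire_fingerprint(pad_trace(trace, 24)))
```

Before padding the three circuit types have clearly different feature tuples; after padding to the same 24-slot schedule every circuit presents the same (12, 12, 1) pattern to the guard, at the cost of the extra dummy cells.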

