Trustwave Archives – Gridinsoft Blog
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.

Snappy Tool Helps Avoid Fraudulent Wi-Fi Hotspots
https://gridinsoft.com/blogs/snappy-wifi-tool/
Thu, 06 Jul 2023 14:24:31 +0000
Trustwave has released Snappy, a tool that makes it easy to tell whether a Wi-Fi access point is genuine or a look-alike. Rather than trusting the SSID and MAC address (BSSID) alone, both of which an attacker can copy, the utility checks whether the access point still matches a fingerprint recorded from its earlier beacons. The script is available for free on the company’s GitHub repository.

For years, security experts have warned about the dangers of using Wi-Fi hotspots in public places such as cafes, airports, hotels and shopping malls. Such an access point may in fact be an attacker’s device, which can then carry out a man-in-the-middle attack and intercept the victim’s traffic, account credentials and payment information.

Consider reading our other articles about the dangers of Wi-Fi. We have covered FragAttacks against Wi-Fi access points, one of the most widespread attack types. There was also an interesting experiment in which a researcher hacked 70% of the routers in Tel Aviv, and an article in which specialists explained the dangers of Wi-Fi devices on airplanes.

Snappy tool allows detecting fake Wi-Fi networks

Trustwave expert Tom Neaves writes that spoofing the MAC addresses and SSIDs of real access points on open networks is a trivial task for attackers. Client devices automatically reconnect to any network whose SSID matches a saved profile, so a device that sees a familiar name will happily join an attacker’s access point broadcasting it. To make such situations easier to avoid, Neaves wrote a Python script called Snappy that helps determine whether the access point the user is connecting to is the same one as always, or a fake device operated by attackers.

Explaining the mechanism

After analysing beacon management frames, the expert found a number of static elements: the vendor (derived from the BSSID’s OUI), the BSSID itself, supported rates, channel, country code, maximum transmit power and so on. These values differ between 802.11 access points but stay the same for a given access point over time.

[Figure: beacon management frames that may uncover a Wi-Fi spoofing attempt]

Neaves concluded that these elements could be concatenated and hashed with SHA-256 to produce a unique signature for the access point, which can then be compared with the signature seen on previous visits. A match means the access point is the same one as always (and therefore trustworthy, as far as this check goes); a mismatch means something has changed and the access point may be malicious. One caveat a practitioner should keep in mind: the fingerprint is only as strong as the fields that go into it, so an attacker who captures a real beacon and replays every element exactly will produce the same hash. Snappy raises the bar for lazy spoofing; it is not proof of authenticity.

[Figure: console interface of the Snappy tool]
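The signature scheme described above, as an added example that is not Snappy’s own code. It builds a constructed beacon body, parses the tagged information elements, concatenates the static fields (BSSID, vendor OUI, SSID, supported rates, channel, country element and capability; this exact field set is an assumption modelled on the article) and hashes them with SHA-256, then compares a genuine access point against an evil twin that copies only the SSID and BSSID:

```python
import hashlib
import struct

# 802.11 information element (IE) tag numbers used in the fingerprint.
# The field selection is an assumption modelled on the article, not Snappy's code.
IE_SSID = 0
IE_SUPPORTED_RATES = 1
IE_DS_PARAMETER = 3        # carries the channel number
IE_COUNTRY = 7             # country code plus per-band max transmit power
IE_EXTENDED_RATES = 50


def ie(tag: int, data: bytes) -> bytes:
    """Encode one tagged information element: tag, length, payload."""
    if len(data) > 255:
        raise ValueError("IE payload too long")
    return bytes([tag, len(data)]) + data


def build_beacon_body(ssid: str, rates: bytes, channel: int, country: bytes,
                      interval: int = 100, capability: int = 0x0411) -> bytes:
    """Build a constructed beacon frame body: fixed fields followed by tagged IEs."""
    fixed = struct.pack("<QHH", 0, interval, capability)  # timestamp, interval, capability
    body = fixed + ie(IE_SSID, ssid.encode()) + ie(IE_SUPPORTED_RATES, rates)
    body += ie(IE_DS_PARAMETER, bytes([channel]))
    if country:
        body += ie(IE_COUNTRY, country)
    return body


def parse_beacon_body(body: bytes) -> dict:
    """Parse fixed fields and tagged IEs; the first occurrence of each tag wins."""
    if len(body) < 12:
        raise ValueError("beacon body too short")
    _timestamp, interval, capability = struct.unpack_from("<QHH", body, 0)
    ies = {}
    offset = 12
    while offset + 2 <= len(body):
        tag, length = body[offset], body[offset + 1]
        data = body[offset + 2: offset + 2 + length]
        if len(data) != length:
            raise ValueError("truncated information element")
        ies.setdefault(tag, data)
        offset += 2 + length
    return {"interval": interval, "capability": capability, "ies": ies}


def ap_signature(bssid: str, body: bytes) -> str:
    """Concatenate the static beacon elements and hash them with SHA-256."""
    parsed = parse_beacon_body(body)
    ies = parsed["ies"]
    bssid = bssid.lower()
    ds = ies.get(IE_DS_PARAMETER, b"")
    fields = [
        bssid,
        bssid[:8],                                   # OUI, i.e. the vendor
        ies.get(IE_SSID, b"").decode("utf-8", "replace"),
        ies.get(IE_SUPPORTED_RATES, b"").hex(),
        ies.get(IE_EXTENDED_RATES, b"").hex(),
        str(ds[0]) if ds else "",                    # channel
        ies.get(IE_COUNTRY, b"").hex(),              # country and max transmit power
        str(parsed["capability"]),
    ]
    return hashlib.sha256("|".join(fields).encode()).hexdigest()


def check_ap(store: dict, bssid: str, body: bytes) -> str:
    """Record an unknown AP, or compare a known one against its stored signature."""
    ssid = parse_beacon_body(body)["ies"].get(IE_SSID, b"").decode("utf-8", "replace")
    key = (ssid, bssid.lower())
    signature = ap_signature(bssid, body)
    known = store.get(key)
    if known is None:
        store[key] = signature
        return "new"
    return "match" if known == signature else "MISMATCH"


# Constructed sample beacons: the genuine cafe AP, and an evil twin that copies only
# the SSID and BSSID, which is all a casual attacker bothers to spoof.
GENUINE_BSSID = "aa:bb:cc:11:22:33"
GENUINE_BEACON = build_beacon_body("CafeWiFi", b"\x82\x84\x8b\x96\x0c\x12\x18\x24",
                                   channel=6, country=b"US \x01\x0b\x1e")
EVIL_TWIN_BEACON = build_beacon_body("CafeWiFi", b"\x82\x84\x8b\x96",
                                     channel=1, country=b"")

if __name__ == "__main__":
    known_aps = {}
    print(check_ap(known_aps, GENUINE_BSSID, GENUINE_BEACON))    # new
    print(check_ap(known_aps, GENUINE_BSSID, GENUINE_BEACON))    # match
    print(check_ap(known_aps, GENUINE_BSSID, EVIL_TWIN_BEACON))  # MISMATCH
```

The third check reports MISMATCH: the twin’s shorter rate list, different channel and missing country element change the hash even though the name and MAC are identical. The reverse holds too: a fake that replays every element verbatim hashes identically, so a match is evidence of consistency rather than proof of authenticity.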

In addition, Snappy can detect hotspots created with Airbase-ng, a tool attackers often use to create fake access points, capture packets from connected users and inject data into other people’s network traffic.

The expert told how he hacked into a nuclear power plant
https://gridinsoft.com/blogs/expert-hacked-nuclear-plant/
Thu, 04 Mar 2021 16:44:51 +0000
Charles Hamilton, the chief security expert of the SpiderLabs team from the information security company Trustwave, described how he hacked into a nuclear power plant.

In cybersecurity, the worst-case scenario is hackers taking control of critical infrastructure: criminals or state-sponsored attackers could then use their access to endanger people’s lives.

The most serious case is an attacker gaining access to a nuclear power plant or to nuclear weapons. One would expect such sensitive sites to have enhanced protection against cyberattacks, but is that really so?

SpiderLabs security consultant Charles Hamilton shared his experience of conducting penetration testing at a nuclear power plant. For security reasons, Hamilton did not disclose the location and time of testing.

As part of the penetration test, he literally managed to break into a nuclear power plant. “There are many details that I cannot tell for obvious reasons,” Hamilton said.

As Hamilton explained, the main purpose of the test was to find out whether hackers could take control of a nuclear reactor. Fortunately, that is nearly impossible because of the physical separation between the corporate network and the plant’s control systems.

Of course, we should not forget about malware like Stuxnet, which was built to sabotage the industrial control systems of a nuclear enrichment facility and spread by USB stick, crossing exactly that kind of gap. Such scenarios, however, were outside the scope of this penetration test.

The first vulnerability discovered during the test involved contractors whose services the plant used. The contractors had installed an unsecured Wi-Fi hotspot, which gave the researcher an entry point into the corporate network.

“When I logged in, it was the same corporate network as any other, with a bunch of Windows and Linux systems, and they were also running Windows NT 4.0. I was able to get direct access to the network and some interesting things, for example monitoring tools,” Hamilton said.

Two hours later, the researcher had domain administrator privileges and access to information about how the plant operates.

“If I was engaged in espionage or sabotage in the interests of a foreign state, I could see such indicators as the level of pressure, etc.,” said the researcher.

Even for companies and organizations not involved in critical infrastructure, Hamilton said, the key lesson is that the corporate network will always be one of the most vulnerable points. Companies should remember that their internal networks are just as vulnerable as their external perimeters.

We have also covered how a hacker changed the chemical composition of drinking water in a small Florida town.

Spammers hide behind hexadecimal IP addresses
https://gridinsoft.com/blogs/spammers-hide-behind-hexadecimal-ip-addresses/
Mon, 21 Sep 2020 16:21:01 +0000
Trustwave researchers have discovered that operators of pharmaceutical spam have started inserting unusual URLs into their messages: the hosts are IP addresses written in hexadecimal, a notation that slips past email filters and other security solutions that only recognise dotted-decimal addresses.

The trick relies on how address parsers interpret IP literals. The researchers cite RFC 791 (the IPv4 standard), although the alternative notations below are really a legacy of BSD-style inet_aton() parsing that browsers still honour. As a reminder, https://google.com is the same as https://216.58.199.78; the first form is simply easier to remember.

“Technically, an IP address can be represented in several formats and therefore can be used in a URL in a variety of ways”, — explain Trustwave researchers.

For example, that same address can be written in other formats, including:

  • octal IP address: https://0330.0072.0307.0116;
  • hexadecimal IP address: https://0xD83AC74E;
  • integer or DWORD IP address: https://3627730766.

Spammers have been exploiting this behaviour in their mailings since July this year. Browsers understand all of these formats and take the user to the same host as in the example above, but many spam filters stop “seeing” the dangerous URL because it no longer looks like an address they know how to check.

“Any threat actor equipped with this knowledge can craft an obscure-looking URL like the ones shown above and send it via email with a convincing message to deceive the email gateway and the victim and lure them to click and open a site controlled by the attacker”, — write Trustwave researchers.
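The parsing that makes these notations interchangeable, as an added example that is not Trustwave’s code: a Python normaliser that converts octal, hexadecimal, dword and short-form IPv4 literals into dotted-quad form the way browsers do, beside the standard-library check a naive filter might rely on, run over a constructed spam message that uses the google.com address from the list above. The message text, the URL regex and the function names are assumptions for the example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Digits permitted in each notation; int() alone would also accept "+", "_" and spaces.
_DIGITS = {8: re.compile(r"[0-7]*"), 10: re.compile(r"[0-9]+"), 16: re.compile(r"[0-9a-fA-F]*")}


def _parse_ipv4_number(part: str):
    """Parse one dotted component the way inet_aton-style and browser parsers do."""
    radix = 10
    if part[:2].lower() == "0x":
        radix, part = 16, part[2:]        # "0x" alone counts as zero
    elif len(part) > 1 and part[0] == "0":
        radix, part = 8, part[1:]         # a leading zero selects octal
    if not _DIGITS[radix].fullmatch(part):
        return None
    return int(part, radix) if part else 0


def normalize_ipv4_host(host: str):
    """Return the dotted-quad form of any IPv4 literal (octal, hex, dword, short forms), else None."""
    parts = host.split(".")
    if len(parts) > 1 and parts[-1] == "":
        parts.pop()                        # tolerate a trailing dot
    if not parts or len(parts) > 4:
        return None
    numbers = []
    for part in parts:
        number = _parse_ipv4_number(part)
        if number is None:
            return None
        numbers.append(number)
    # Every component but the last must fit in one octet; the last fills the remaining octets.
    if any(n > 255 for n in numbers[:-1]) or numbers[-1] >= 256 ** (5 - len(numbers)):
        return None
    value = numbers[-1]
    for index, number in enumerate(numbers[:-1]):
        value += number << (8 * (3 - index))
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def naive_is_ipv4(host: str) -> bool:
    """What a filter built on the standard library sees: only dotted decimal is an address."""
    try:
        ipaddress.IPv4Address(host)
        return True
    except ValueError:
        return False


_URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def find_numeric_hosts(text: str) -> list:
    """Return (raw host, canonical IP) for every URL in text whose host is an IPv4 literal."""
    hits = []
    for match in _URL_RE.finditer(text):
        host = urlsplit(match.group(0)).hostname or ""
        canonical = normalize_ipv4_host(host)
        if canonical is not None:
            hits.append((host, canonical))
    return hits


# Constructed sample message in the style of the campaign; the links are the
# google.com address from the article written in the obfuscated notations.
SAMPLE_EMAIL = """Subject: Lowest prices on cholesterol meds
Order today: https://0xD83AC74E/pharma
Mirror 1: http://0330.0072.0307.0116/pharma
Mirror 2: https://216.58.51022/pharma
Unsubscribe: https://example.com/unsubscribe
"""

if __name__ == "__main__":
    for raw, canonical in find_numeric_hosts(SAMPLE_EMAIL):
        print(f"{raw:>22} -> {canonical}  (stdlib sees an IP: {naive_is_ipv4(raw)})")
```

All three obfuscated links resolve to 216.58.199.78, while ipaddress.IPv4Address rejects the hexadecimal form outright; a gateway that canonicalises the host this way before any reputation or blocklist lookup closes the gap the campaign relies on, and the short form (three components, the last spanning two octets) is handled as well, even though the article’s list does not mention it.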

[Figure: attack scheme]

Experts note that since the spammers adopted this trick, the group’s activity has increased noticeably, with much more of its spam reaching user inboxes. At the campaign’s peak the scammers sent about 25,000 messages, advertising cholesterol-lowering, antifungal, anti-aging and anti-inflammatory drugs, medical masks, UV lamps and all kinds of dietary supplements.

Interestingly, this is not the first such case discovered by security specialists: last summer, Proofpoint experts described the PsiXBot Trojan, whose operators also used hexadecimal IP addresses to hide the location of their command-and-control servers.

To learn more about how spam works, see our blog post: Spam Email. What Do Spammers Hope For?
