#extremely hackable databases | Explore Tumblr posts and blogs

bloomuwebdev-blog · 6 years ago

Text

Online Personal Security

Source: https://www.bioedge.org/bioethics/no-privacy-in-a-transhumanist-future-says-former-presidential-candidate/12759

Online security is one of, if not the biggest concern for a lot of internet users. Personal info is left scattered online, payment details, browsing history, chat logs, and much more. While there are things you can do to increase your security online, you never are truly 100% safe. Here are some general tips you can use to further increase your online security as well as how they get bypassed.

· Secure your personal network – Having an unsecure network at home is the equivalent of having your front door completely unlocked at night! A secure network provides protection to the traffic going through your router. Applying any protection is better than having no security at all. One of the most common encryptions used a few years back was WEP (Wired Equivalent Privacy).

Source: https://www.wirelesshack.org/step-by-step-kali-linux-and-wireless-hacking-basics-wep-hacking-part-3.html

How it’s broken - Since then WEP has been proven to be vulnerable to attack, it isn’t recommended to use. It can be used in 64-bit strength and 128-bit strength. 256-bit has been introduced as well, but you hardly ever see it implemented, if ever. In 64-bit WEP it has a secret key of 40 bits and an initialization vector of 24 bits. In 128-bit WEP this increases to 104-bit secret key and the initialization vector is still the same at 24-bits. There are two methods to breaking WEP. We’re only going to cover one, the FMS attack. The attack is named after Fluhrer, Mantin, and Shamir. It’s based on a flaw of the RC4 encryption algorithm. The three discovered that since throughout the different sizes of WEP and the fact that they all used the same initialization vector this limits the possibility of initialization vectors to 16 million. Of all those combinations, 9000 of them were found to be weak. If one were to collect enough of these IV’s, you can recreate the key needed to connect to the network. You’re probably wondering how people collect these IV’s in the first place. This is where monitor mode comes in. This is a special mode that is available on all wireless cards, you just need software to tell your wireless card to go into this mode. Once it’s in monitor mode, you can use your wireless card to collect wireless packets that are transmitting between your computer and your router. After collecting 5 million packets or so (this takes about 10 minutes tops) you’ll have collected 3000 IV’s, roughly. These packets are then passed through a program that will calculate the first byte of the WEP key. The procedure is then repeated until the full key is discovered.

Is there another option? – Yes! WPA was passed as the standard later after WEP was proven to be broken. This as well was proven to be vulnerable to other forms of attack. This is when WPA2 was introduced. WPA2 is secure for the most part. It’s vulnerable to dictionary-based attack. This involves having a massive list of possible passwords and hammering the router with these passwords until you get lucky. Later on the in the lifespan of WPA2 there was a discovery in the WPS (Wi-Fi Protected Setup) feature in most routers. To be clear, this isn’t a fault in WPA2, this is a weakness in WPS.

How it’s broken, again – A WPS Pin is 8 digits long, the last digit is used as a checksum for the previous 7 digits. This means 107 = 10,000,000 million possible combinations. Surely, this is a ridiculous number of pins to test and go through, correct? When a pin is tested, it’s split in 2 parts, the first 4 digits are checked and if it passes, the following 4 digits (3 technically since the last digit is used as a checksum) are checked as well. 104 = 10,000 possible tests for the first half of the WPS pin. This is much more reasonable to brute-force and check. Once the first half is found, the following 3 digits are brute-forced which is again, 103 = 1000. Only a thousand combinations for the 2nd half of the pin. 11,000 total combinations to test and eventually connect to the network. 11,000 down from 10,000,000 million is much more possible. Let’s talk about mitigation. The WPS Pin attack has been around for a few years now and has been patched by most router manufacturers. After 3 attempts the router locks out the WPS feature and needs to be restarted to get more attempts at guessing. While this, doesn’t fix the problem, it makes the process of getting into a network take a much longer amount of time. The latest vulnerability in routers though, is a fault in WPA2 itself. It’s called KRACK. While this is the most interesting of the attacks, I will not be explaining the details as that would result in a paper on this subject alone. KRACK is short for Key Reinstallation AttaCK. To summarize, WPA2 uses a 4-way handshake to encrypt packets. By capturing and resending the 3rd message sent you can capture any network encrypted data and decrypt it. While this doesn’t give you the network passcode to connect to the router, it makes the content of whatever you’re doing very readable. Therefore, it is recommended to use “The S”. This is the S in HTTPS. The S stands for secure. It means whatever you’re doing on that webpage is encrypted from your pc to the other site you’re on. Making it much harder to do anything with anything captured through KRACK.

· Strong passwords/2 Step Verification – We all have those 2 emails we use for everything. A primary and a secondary. Without these, we’d be lost. Strong passwords are a common thing people struggle with. The most common password in 2017 was “123456” (http://fortune.com/2017/12/19/the-25-most-used-hackable-passwords-2017-star-wars-freedom/). People struggle with making secure passwords as well as using words in their passwords. A good place to check how long it would take a computer to guess your password is https://howsecureismypassword.net/ but this doesn’t stop dictionary attacks. Dictionary attacks are based off long word lists with numbers as well depending on how big the list is. Nowadays there are password managers that can generate and store passwords for you on the fly. This often assures that each password is unique and isn’t easily guessable. This can be a double-edged sword. You’re putting all your trust and personal details in someone else’s hands. LastPass is a password manager that is used by millions. They were hacked once in 2015 (https://lifehacker.com/lastpass-hacked-time-to-change-your-master-password-1711463571) and again in 2017 (https://www.cnet.com/forums/discussions/last-pass-hacked-again/) during both hacks, users were told to change their master passwords that decrypted their databases that stored every password they used. Another common additional step that users like to add as another measure of precaution is 2 Step Authentication. This is the process of using your phone to generate a token that is usually 6 numbers to prove you’re the owner of whatever account you’re trying to access. Another tip with passwords, change them often! Most of the time people never change passwords.

· Use the S – The S in HTTPS is a new standard that encrypts traffic of websites you browse and secures the payment info when you buy something online. Less than 60% of the internets most popular websites have secure implementation. Generally when you see a lock next to your URL. You’re using https and you’re safe. Back in 2014 there was a bug that affected OpenSSL. OpenSSL is a library that was used by many services to implement https on many sites. This bug was called Heartbleed. Some popular sites that were affected by said bug include, Instagram, Google, Yahoo, AWS(Amazon Web Services) (https://mashable.com/2014/04/09/heartbleed-bug-websites-affected/#K3TT49sSLaqm ). Those are just a few, most of the affected sites have issued patches to address the issue. Generally though, https is the ideal you want to use.

· Conclusion – Regardless of what tips there are to improve your online security, there are ways around many security measures. Bugs get discovered and patched. Online security is a extremely fast paced environment. Nothing you do online is 100% safe, but there are precautions you can take to improve the protection you have online.

Sources: https://en.wikipedia.org/wiki/Cracking_of_wireless_networks/

https://forbes.com/sites/nextavenue/2013/01/22/7-steps-to-protect-your-online-security/

http://heartbleed.com/

https://mashable.com/2014/04/09/heartbleed-bug-websites-affected/#K3TT49sSLaqm

- Mena

1 note · View note

superjammixx-blog · 6 years ago

Text

LEARN ABOUT BIOMETRICS

Biometrics is the technical term for body measurements and calculations. It refers to metrics related to human characteristics. Biometricsauthentication (or realistic authentication) is used in computer science as a form of identification and access control.

PROBLEMS OF BIOMETRIC

1.) Biometrics aren’t private

Biometrics seem secure on the surface. After all, you’re the only one with your ears, eyes, and fingerprint. But that doesn’t necessarily make it more secure than passwords. A password is inherently private because you are the only one who knows it. Of course hackers can acquire it by brute force attacks or phishing, but generally, people can’t access it. On the other hand, biometrics are inherently public.

2.) Biometrics Are Hackable

Once a hacker has a picture of someone’s ear, eye, or finger, they can easily gain access to their accounts. While Apple’s TouchID was widely accepted as a biometric advancement, famous hacker Jan Krissler was able to beat the technology just a day after the iPhone was released. Likewise, researchers from the Chaos Computer Club created fake fingers to unlock iPhones

3.) Biometrics Hacks May Have Greater Consequences

Since a biometric reveals part of a user’s identity, if stolen, it can be used to falsify legal documents, passports, or criminal records, which can do more damage than a stolen credit card number.

Discussing its Advantages and Disadvantages

Facial recognition:

Advantages

a. Non intrusive

b. Cheap technology.

Disadvantages

a. 2D recognition is affected by changes in lighting, the person’s hair, the age, and if the person wear glasses.

b. Requires camera equipment for user identification; thus, it is not likely to become popular until most PCs include cameras as standard equipment.

Voice Recognition

Advantages

a. Non intrusive. High social acceptability.

b. Verification time is about five seconds.

c. Cheap technology.

Disadvantages:

a. A person’s voice can be easily recorded and used for unauthorised PC or network.

b. Low accuracy.

c. An illness such as a cold can change a person’s voice, making absolute identification difficult or impossible.

Signature recognition:

Advantages:

a. Non intrusive.

b. Little time of verification (about five seconds).

c. Cheap technology.

Disadvantages:

a. Signature verification is designed to verify subjects based on the traits of their unique signature. As a result, individuals who do not sign their names in a consistent manner may have difficulty enrolling and verifying in signature verification.

b. Error rate: 1 in 50.

DNA:

Advantages:

a. Very high accuracy.

b. It impossible that the system made mistakes.

c. It is standardized.

Disadvantages:

a. Extremely intrusive.

b. Very expensive.

Retinal scanning:

Advantages:

a. Very high accuracy.

b. There is no known way to replicate a retina.

c. The eye from a dead person would deteriorate too fast to be useful, so no extra precautions have to been taken with retinal scans to be sure the user is a living human being.

Disadvantages:

a. Very intrusive.

b. It has the stigma of consumer's thinking it is potentially harmful to the eye.

c. Comparisons of template records can take upwards of 10 seconds, depending on the size of the database.

d. Very expensive.

Iris recognition:

Advantages:

a. Very high accuracy.

b. Verification time is generally less than 5 seconds.

c. The eye from a dead person would deteriorate too fast to be useful, so no extra precautions have to been taken with retinal scans to be sure the user is a living human being.

Disadvantages:

a. Intrusive.

b. A lot of memory for the data to be stored.

c. Very expensive

Fingerprint:

Advantages:

a. Very high accuracy.

b. Is the most economical biometric PC user authentication technique.

c. it is one of the most developed biometrics

d. Easy to use.

e. Small storage space required for the biometric template, reducing the size of the database memory required

f. It is standardized.

Disadvantages:

a. For some people it is very intrusive, because is still related to criminal identification.

b. It can make mistakes with the dryness or dirty of the finger’s skin, as well as with the age (is not appropriate with children, because the size of their fingerprint changes quickly).

c. Image captured at 500 dots per inch (dpi). Resolution: 8 bits per pixel. A 500 dpi fingerprint image at 8 bits per pixel demands a large memory space, 240 Kbytes approximately → Compression required (a factor of 10 approximately).

Hand Geometry:

Advantages:

a. Though it requires special hardware to use, it can be easily integrated into other devices or systems.

b. It has no public attitude problems as it is associated most commonly with authorized access.

c. The amount of data required to uniquely identify a user in a system is the smallest by far, allowing it to be used with SmartCards easily.

Disadvantages:

a. Very expensive

b. Considerable size.

c. It is not valid for arthritic person, since they cannot put the hand on the scanner properly.

biometrics.pbworks.com/w/page/14811349/Advantages%20and%20disadvantages%20of%20technologies

https://blog.ipswitch.com/3-reasons-biometrics-are-not-secure

https://en.wikipedia.org/wiki/Biometrics

0 notes

topicprinter · 6 years ago

Link

I am writing this because I see so many Entrepreneurs, Wantrepreneurs or Bloggers who would love to try and test some projects but they don't do anything because they think an own website means monthly costs.I see others who are using the benefits of an own website but they are paying extremely high web hosting fees every month.So for all of you guys, there is this thing called GitHub, I am sure many of you heard of that before. GitHub is like Facebook for developers and with GitHub pages, you are able to host your page for free on the GitHub server.This also comes with plenty of benefits, your page is safe since you are using a static site which means not database, you're not hackable. The other benefit and the most important one is, the GitHub servers are pretty fast which means you can have an easy time in terms of SEO.You won't see a long loading time just because you are using a free hosting service. For instance, for my personal web designer page I am using GitHub as well https://lukaszadam.com I never had any speed issues.Of course if you need a dynamic page, a big e-commerce shop or something bigger GitHub is not for you but I am sure, there will be plenty of people and projects who would love to use this free service.More information is here: https://pages.github.com/ Another service which is awesome is Netlify https://www.netlify.com/. Same as GitHub and you even get SSL for free.

#/r/entrepreneur #reddit

0 notes

dannysdevblog · 7 years ago

Photo

Following a comment from the critique this week, I focused on some possible methods of presenting my game, as well as did some UI changes and slight gameplay changes to Getting Out of Bed Simulator.

For the game updates, here’s a quick changelog since it was mostly slight changes. >new menu >new UI for main game, allows for the prompt text to be longer and eventually tell a story in the future >frog will change their state depending on how much time as passed (for example, changes to anxiety mode upon it being the third day despite what you click -> coding more uncertainty and less control for the player) >frog animations now are perfectly centered, don’t move around >frog animations are now on one sprite sheet -> loads faster >added a sun >clouds now move more clearly, don’t move a pixel at a time >color changes less obscuring + new color changing code allows me to have everything change color separately based on what time is it (for example, the lamp could turn orange while the bed turns blue during the night) >I got in some music from my friend, but haven’t set it to play yet :)

However, I might throw most of this out the window now given the critique, since I think the suggestion (which I also had sketched out in my notes) to have text and options appear around the frog and be more contextual is a better UI set up, and will the keep the eye in one place. Making it more contextual does move it away from the point-and-click adventure game style, but I think because of how much changes in the game it’d be good to keep the player focused in one area, at least to some small extent. Also, having the game take place over multiple rooms throughout the house with various problems associated with them could be fun, and I could slowly warp the space like you had suggested, maybe making it more fantastical or surreal as things get worse/better, working towards that nonrepresentational space merritt was talking about. (This is also a mechanic used in a psychological point-and-click adventure game Fran Bow too, and much more simply in A Link to the Past’s Dark World, so it’s doable). It did seem like I was getting a reaction of stress/anxiety/futuility when people played it, so that’s a good sign, it just needs more expanding upon. I think I also do still want to work on doing a suite of games too, that could maybe be accessed through an overworld or database of games, or as various cartridges. Cartridges particularly interest me because I like the idea of switching out games for various problems you might have, perhaps mirroring how you use different coping mechanisms for different situations or change your identity to match your surroundings. Or maybe like a mental illness coping pocket knife/utility belt.

Following this and a comment I received during the critique about how I was thinking of presenting these games, I took various screenshots from my games and mapped them onto classic GameBoy Colors, a handheld gaming console from my childhood. I also made a few potential cartridges (GameBoy and GameBoy Advance) to go along with them, doing one just having the logo on the cartridge, to having an illustration of the game in a different graphic style. (examples here and here) More practically, I’ve been looking into the ArduBoy and the MintyPi as means to create a physical handheld console, since I’m not sure what legal ramifications there are for creating working Nintendo cartridges. It’s possible to do, but that gets into rom hacking and bootlegging, which I’m concerned about and also probably not smart enough to do. Making my own physical console and possibly my own controller may work out better, giving me more freedom and making use of some of the fabrication skills I’ve picked up. It would also allow me to make whatever buttons configurations I want and make the game more fine tuned to exactly the sort of hand motions I want, though losing the mouse and keyboard would limit accessibility, so I’d either need to make a PC version as well, or find some way to make the handheld device extremely usable.

Academically, not much has really been informing my work as we approach finals, because I’ve mostly been either working on completing silly science requirements or working on a video about how memes can be political tools when analyzed and viewed with an intersectional lens (which is interesting and cool, but doesn’t quite fit). Relating more closely to the building of a small handheld device, my digital media studies class did do a small part on the debate between usability and hackability for devices, using the iPhone and Android as ideas. Usability focuses more on making sure anyone can use the device despite any sort of prior technological experience, and guiding them through various programs for what they believe are the best results, while limiting their ability to change or look into how exactly the program is working. It keeps the user one or more levels of abstraction away from the core of the device, with the creator believing they don’t need to know the inner-workings to effectively create something. On the other hand, hackability sees devices like this as “tethered objects”, able to transmit data back to their manufacturer without the user’s knowledge or do any number of things behind the guise of a UI. Hackability relies then on users that are highly technologically skilled, allowing them to open up the device and have everything be largely open-source, such that they know exactly how everything is working, and not providing much of a guiding hand. The idea being that you do not own a device unless you can take it apart, and can be more creative if you have complete control. In response to this, usability design posits that it can help people create more freely because they don’t have to learn overly complicated processes, able to work abstractly and have everyone be able to create what they want, opening it to a larger userbase. Relating back to my potential consoles, I think it would be important to create a device that would be simple to use on the outside, while using some open-source code that could easily be viewed. Nintendo products are pretty accessible on the outside, only having a few labeled buttons and requiring your thumbs and index finger, though much of their code is locked up due to copyright and potential piracy. Using a raspberry pi/arduboy/mintypi/SD card would let people know exactly where all the code is and how I plan to use it, since you could just rip it off the memory card if you really wanted it. Just something interesting to think about, and also to be paranoid about as we all use our phones for everything haha.

0 notes

viewwrangler · 7 years ago

Text

US voting systems alarmingly vulnerable and fragile, and nobody who matters seems to care much

To be fair, even if they cared, it’s not at all clear they could do much about it in the near term, or even by the next presidential election, thanks to the incredibly patchwork nature of our system (which may be a weird saving grace). But care they do not.

Russian Cyber Hacks on U.S. Electoral System Far Wider Than Previously Known (bloomberg.com)

Russia’s cyberattack on the U.S. electoral system before Donald Trump’s election was far more widespread than has been publicly revealed, including incursions into voter databases and software systems in almost twice as many states as previously reported.

In Illinois, investigators found evidence that cyber intruders tried to delete or alter voter data. The hackers accessed software designed to be used by poll workers on Election Day, and in at least one state accessed a campaign finance database. Details of the wave of attacks, in the summer and fall of 2016, were provided by three people with direct knowledge of the U.S. investigation into the matter. In all, the Russian hackers hit systems in a total of 39 states, one of them said.

(Blog Note: The attempt on the Illinois systems were known and reported at the time, although the source and extent was not included in those reports.)

The scope and sophistication so concerned Obama administration officials that they took an unprecedented step -- complaining directly to Moscow over a modern-day “red phone.” In October, two of the people said, the White House contacted the Kremlin on the back channel to offer detailed documents of what it said was Russia’s role in election meddling and to warn that the attacks risked setting off a broader conflict.

[...] Illinois, which was among the states that gave the FBI and the Department of Homeland Security almost full access to investigate its systems, provides a window into the hackers’ successes and failures.

In early July 2016, a contractor who works two or three days a week at the state board of elections detected unauthorized data leaving the network, according to Ken Menzel, general counsel for the Illinois board of elections. The hackers had gained access to the state’s voter database, which contained information such as names, dates of birth, genders, driver’s licenses and partial Social Security numbers on 15 million people, half of whom were active voters. As many as 90,000 records were ultimately compromised.

But even if the entire database had been deleted, it might not have affected the election, according to Menzel. Counties upload records to the state, not the other way around, and no data moves from the database back to the counties, which run the elections. The hackers had no way of knowing that when they attacked the state database, Menzel said.

The state does, however, process online voter registration applications that are sent to the counties for approval, Menzel said. When voters are added to the county rolls, that information is then sent back to the state and added to the central database. This process, which is common across states, does present an opportunity for attackers to manipulate records at their inception....

It’s worth noting, as the article does, that Russia has had three years to improve its techniques. It’s also worth noting that there is about to be a very expensive, and reportedly very close, special election in Georgia -- a state in which, due to the age of the equipment and truly horrible decisions back in 2002, voting machines have no audit trail, and are very very very hackable. (Seriously, Windows 2000?)

In fact, Georgia, along with Idaho, Indiana (oh, really?), West Virginia, and Kentucky have all accused the (then Obama administration’s) Department of Homeland Security itself of trying to hack their voting systems. Kentucky later withdrew its accusation, deciding that it was just ordinary web traffic, and West Virginia had in fact given its permission for DHS to scan its machines, so I’ve no idea what they were complaining about. One wonders if, now the administration has changed hands, those states have changed their tunes about allowing DHS to monitor their systems. If they were interested in assuring fair and impartial elections, they should want that help. If they are interested in preserving the ability to declare voter fraud that hasn’t happened (while ignoring hacking that has), then they wouldn’t want DHS to be able to verify what had or had not happened. (Not that the current DHS is particularly trustworthy, but it’s the best we’ve got, I guess.) Georgia, at least, requested that the Trump administration investigate their claim. There’s no sign that the administration has done so -- then again, they’ve been somewhat distracted.

Electoral apparatuses have now been declared critical national infrastructure. What that actually means is anyone’s guess. In theory, states now have much more limited ability to decline the government’s requests to audit and inspect. In practice ... well, we don’t know, because there aren’t many -- if any -- rules or laws governing the situation (and given the rules dismantling frenzy this administration displayed when it came in, it’s not at all clear that what rules and regulations there were still exist) and they’ve never been put into operation.

Basically, now that they know better, expect Russia to hack individual state voting registration databases -- which are centralized and possibly not well protected -- rather than the national vote itself, which is highly decentralized. Specific elections, such as Georgia’s special election for one representative, may well find themselves targeted, because that’s going to be a slightly easier target, with a list of easily accessible addresses where all the machines may be found.

As for the 2016 election ... while the general sense is that voting totals weren’t altered, for some places, we simply don’t know. In Michigan and Wisconsin, the voting machines produce both paper and electronic voting trails, so hacking the machines themselves would be difficult and pointless, apart from being a way to produce chaos. Hacking the secretary of state, on the other hand? May or may not be easier, but certainly more useful. Pennsylvania, on the other hand, uses some machines that don’t produce audit trails. There, the trick would be to know where they were and how to get into them. Extremely difficult, but maybe not impossible. And, of course, there were all the other states which may or may not have audit trails, and which may or may not have had compromised voter databases -- well, we know that attempts to compromise were made on 37 of them, but with the exception of a very few, we’ve no idea whether or not they succeeded.

#us politics #elections #voting system

0 notes