Doby all the best. The early days of April and winter holidays are over and the time has come to write in the blog. I would like to dedicate the first entry to this rock to a story behind the methods of stealing passwords in opposition to one of the previous publications: Once again, specify that the material of directing to non-fahivtsiv from the protection of information and may be of a recognizable nature. Wanting, perhaps, fakhіvtsі tezh podkreslyat themselves new.
As everyone did not hate passwords, until today they are deprived of the most popular method of identification, but, unfortunately, sometimes they steal from us. The problem is often supplemented by the virishity of two-factor authentication, but more often and less often the most critical services.
Behind the statistics, the most widespread reasons for losing control over accounts are two things: the use of simple (word) passwords and social engineering. In this article, I’ll tell you about the main methods of cracking passwords naturally with the method of promoting information in this food among a wide audience (the use of materials with a destructive method is punishable by law, the author doesn’t carry that otherwise blah blah blah).
- Vgaduvannya
Yes, it's that simple. Your password can be stupidly guessed. Remember all the episodes in Hollywood films, if the heroes break into your computer and try the password like the names of children, grandmother, didusiv, uncle, titka, nicknames of the victim's household creatures, etc.? So the axis, ce is true one of the worst methods of evil and the archaic method of effective dosi. Even if we publish tons of information about ourselves in social networks, and if the password is based on data that is related to the specialty of the public account, then the password pickup is on the right hand side of the hour (this is the very reason why passwords need to be changed periodically).
Protidiya method: in a flash, I'm spoofing, you figured out that tanyushka1990 is a filthy password, call it like Tanyushka, don't see it, but your love is onuka. Don't guess passwords intuitively. Periodically (at least once a day) change your passwords, if you like, before critical cloud entries.
- Social engineering
Social engineering is understood more widely. A social engineer can interact with the victim both especially, and by telephone, and most often through electronic communication channels - messengers, social media, e-mail. And here we can’t see the methods of social engineering as such, here I’d rather read the classics of the genre - the book by V. Simon and K. Mitnick “The Art of Deception”. Here it is important for us those who use social engineering methods to steal passwords directly to those who can tell the victim to give his own password. One of the applications looks like this: the attacker introduces himself as a new system administrator and tells the employee of your organization that he needs a password in the electronic mail of his practitioner to conduct some kind of spherical vacuum tests. Another example, if there is a special contact between the attacker and the victim during the day: Vyalove rozsilannya z posilannyam and alarming podomlennyam (for example, your account has been scammed, yoga has been blocked and you "need" to go through the bells and whistles to unlock). Phishing messages sent to the side, prepared by a malicious person in advance, and one by one I go to the authorization side of some popular service, for example: vk.com, gmail.com, facebook.com, etc. service, enter your login and password, these identification data are forced on the attacker, you can see the pardon warning there is no sense of trimming on the side of the story. Speaking of which, if you still don't know why Windows is asking you to press the Alt-Ctrl-Del keys before logging in, google it and read it.
Протидія методу: зазвичай на підприємствах використовуються гібридні методи протидії соціальної інженерії (на тих підприємствах природно, де взагалі перейнялися питаннями захисту інформації), але треба розуміти, що оскільки соціальний інженер може провзаємодіяти з жертвою і без використання будь-яких каналів зв'язку (і vidpovidno to filter, block, to inform you about it is possible), then the only truly effective method against informing spivrobitnikov (well, for yourself, it’s possible to go about special security) about the methods of social engineering. Aje, these days, few people will fall for the fall of the Nigerian prince when they are separated “Mom, put a penny on the number XXXX. I'll explain later, even if the methods were practiced.
- Pіdglyadannya
Here I’m only passing by thinking about such obvious speeches, like about passwords on stickers, like glued to the monitor or on papiers under the keyboard. Here you can see and understand the process of typing a password. Tobto the password is better to secure, if no one is behind the process. Є people with cіkavimi zdіbnosti. For example, one of my acquaintances was talking to me, to wonder how I enter the password on the laptop, and then repeat the entry of the password myself. I truly repeated. I’m even zdivuvavsya, to the one who is blind with a ten-finger dial, I can enter my password even more quickly. It turned out that someone I knew had a special photographic memory. Unsafe person =)
In order to help the evildoer to quickly remove the prepared password and not to go into other folding or resource-intensive techniques, about how to go further. But looking at the password “Ochima” is not the only way. For example, if you entered your password on someone else's computer and saved the password, left the public record, but didn’t clear the data, then it’s possible not only to enter the public record without knowing the password the password is clearly visible by inserting the login and password into the address bar of the browser on the side where the login and password (disguised with stars) are entered, the axis is such a simple script:
javascript:(function()(var%20s,F,j,f,i;%20s%20=%20%22%22; %20F%20=%20document.forms;%20for(j=0;%20j ) [gorge] If the password is victorious on other oblique records, then the attacker can take access to them too. It is categorically not recommended to change the same password for different accounts. Protidiya method: do not enter a password if you want to stand in order and marvel at your hands. Do not enter the password on untrusted devices. If it still happened, podbyte about clearing information about passwords and cookies. Until then, keyloggers can be installed on untrusted outbuildings. We smoothly transitioned from the intuitive and Shakhrai password hijacking techniques to the technical ones. The first search of passwords for dictionaries. Maybe, navit nefahіvtsі in the gallery of information security chuli z news about the great turns of passwords to mail screens on various mail services. As soon as we learned more from these turns, it was caused not by the evils of the servers of the post-master of the servants, but by the banal selection of passwords to the mailing screens for dictionaries. Most of the passwords of the "zlamanih" postal screens were combinations of the type "123456", "qwerty" or so. In the “Materials” section, I have added a couple of dictionaries with passwords (you can do them yourself), so you can spell like in other tools like John the Ripper or Hydra, or for reverification with a banal joke, a password. Yakscho є, then termіnovo minyaєmo! Protidiya to the method: using collapsible, non-wordy passwords. Naming the method like two English words: brute - brute and force - strength. Name it intuitively, which method is allowed in the front - here all possible combinations of the password are simply sorted out. The method is based on hours and resources, even for the selection of such a method, it will require counting resources. To this method, evil-doers go only in extreme situations. You can change the hour of selection, for example, by knowing the exact date of the password, or by knowing that passwords do not have special symbols or numbers. In such a rank, a number of possible combinations will soon appear. Protidiya method: rewriting old chaotic passwords and periodically changing passwords. Everyone who in the last years had to change the password to this service was responsible for remembering that earlier the services just forced you the password to the e-mail, now you need to come up with a new password. Why is it due to the fact that the service is suitable, that you respect yourself, do not save passwords from the open sight. Passwords are saved from looking at hashes. In a nutshell, the hash is the name of the result of the conversion to the text (in the case of the password), which is a non-returnable mathematical function. The result of the transformation by the MD5 algorithm of the word "password" (without paws) looks like this: Approximately in this way, our passwords are saved from service providers, and it is important that the functions are non-returnable, then the providers themselves cannot possibly know our password and send us yoga at the right sight. You can read the report about hashing. Row tables, to put it bluntly, allow you to recover a password by hash. The new process, obviously, richly folded, is lower. For those who are more familiar with the technology of the report, you can start from the side of Wikipedia. It would have been better if, for the help of the regional tables, it would have been possible to break the password, if only there was a password, but here there are some folds for the evildoer. Just as with brute force, you need time and resources to spend on the enumeration itself, then for different tables, the same is needed for generating the tables themselves. Whenever there is a set of regional tables, there is no difference between them, before they can be set for a double password, set for a set of symbols, set for a specific hashing algorithm. You can find regional tables for selecting passwords that do not exceed 6 characters, in order to avoid the letters of the English alphabet of both registers, but without special characters and numbers. But it’s already more serious to ask for pennies. Protidiya method: salting hashes. It's a pity that this type of antidote is only available on the rivers of administrators of services and can't be deposited in the city's koristuvach. Under hybrid methods, it is possible to understand the use of different methods, inducing more, in marriage. In fact, the best example of the "brute force" + "peep" methods is better than guidance. For example, an attacker can not look at the password as a whole, only symbols, and that number has a password. You should not allow yoma in the parameters for brute force, specify only the required symbols, and turn off the brute force, thereby reducing the number of possible combinations. Another example of the hybrid method: take a dictionary word and try to change letters into special characters. For example, take the dictionary password "password" and try the combinations "password123", " [email protected]", "pa$$w0rd" and so on. The antidote to hybrid methods is better than all methods of antidote, inducing more. Malicious people do not go to tricks, to steal passwords from the koristuvach to various resource resources - social media, igor-online, payment systems. The statistics of the theft of special data from the Merezhi are alarming figures. In order not to rank among the victims who have lost their appearance of records, let's take a look at the main methods of stealing passwords, like victorious hackers - , і . Mayuchi vyavlennya about tsі shkіdlі "technologies", їm can be effectively resisted, dotrimyuyuchis due level of security and confidentiality of special data. The urochistist of justice and remembrance comes in the period of the year. The little birds of the house painter, babbling close to the nest of the fathers with relish in the dzob, start, that they might call, that very trill, as they were taught to sleep in the first days of life. They take off the hedgehog, only the victors of the “right motive” are legally recessive, and the zozu birds are deprived of nothing and die of starvation. At first glance, the picture of nature is relevant, but it looks like an endless expanse of digital jungles to the Internet: and here are passwords; And here are the characters - evil and kind - hackers and zvichayn koristuvachs. Otzhe, shanovny chitacha, to save your passwords and passwords, in the form of poor people, you will not be able to tell the trill. Ale learn about the ways of stealing special data, we won’t take it... Do you want peace? Get ready for the war! Golovnі znaryaddya zlovyska in this way - the naїvnіst that naїvnіst tsіkavіst koristuvach. Everyday sophisticated software methods, available viruses and other hacker technologies. Dashing, knowing only the login from the postal screen, enter it at the login form to the service. And then we will alert the system that I forgot the password. On the monitor there is a control power supply - the burglar does not know the new type, but he already knows the other one. The axis is here and begins with the naytsіkavishe: on the basis of those nutritional faults, the victim is ruled by the “cunning leaf”, in a veiled form, it is suggested to see the correct answer. The approach of the messenger might look something like this: “Good day! Mi, the culinary site is such, ..... and so on. And what is your love for Strava? I only have an okremy butt. Khitroschiv of this kind "walking along the borders" great wealth . Reports about social engineering were written by us. I also marvel at the wallpaper, reading the leaves! cookie At a new, in a hidden look, login, password, id and other information are saved, until a resource is periodically retrieved in the process of online work. A hacker, knowing the inconsistency of a particular site (forum, postal service, social media), write a special script, which "wins" cookies from the victim's browser and manages it. You can’t do without the participation of the master of the oblikovogo record, the “black on the right” can’t do it, the shards themselves can run the script. Therefore, the code, before being edited, is wrapped in a special “bait”: a picture, a sheet, just a sip. Golovne zavdannya - sob the victim went over to proponovanim posilannyam. And even though it still trap, the hacker cookie script from the browser transmits a sniffer (transferring traffic), installations on a third-party hosting. And then we send the koristuvach, where you will find it on the day - to the dating site, video hosting, photo gallery and other. To get rid of the cracker, a kind of brute force victorious, with your nose, create folding passwords, swear. We need quotes and background articles for the publication of our forum. We have a proofreader and an editor, so you don’t have to worry about the spelling and formatting of the text. Everything is perevirimo and beautifully arranged. For the rest of the days in the news, they discovered that logins and passwords were posted on the Internet in millions of mailed screenshots of Google (Gmail), Yandex and mail.ru. It’s impossible to choose a bigger, smaller folding password, but more services have been set up so that after dekilkoh pardons proponu koristuvachevi enter captcha, otherwise just block IP from which brute forcing is carried out. In the most important place in the history of passwords, wines are not cunningly evil of popular services, but they themselves are coristuvachi, as they allowed the password to be compromised. Tom would like to get fed up, like hackers stealing your passwords and what you can do to protect yourself. The essence of the offensive. Under any kind of drive koristuvach lure to the site of a hacker. Most of all, on this site there is one single page, but it looks exactly like the right page for authorization from your mail screen. Disrespectful koristuvach to enter the login and password, yakі directly dragged to the attacker. How to fight: - Shchoraz, if you know the need for authorization, look at the domain. In most cases, attackers can create unique domain names, for example: www.mail.ru.free-host.net www.yandex-ru.spb.ru www.gmail-com.com www.yandex.ru.mail.redte.ru www.turian.ru/mail.ru www.mail-compose.ru/yandex 145.35.77.1/mail.ru Skins from these domains are not suitable for popular mail services. As a rule, authorization is requested more than once, so the first time you enter a password, you will spend an hour on getting a domain name. Okremo varto give respect to those who, like hackers, try to lure you to their shkidlivy sides. I’ll give a sprinkling of examples, but they don’t exhaust the options: - you will receive a sheet in the mail, in which you will be informed that you have been taken away (the leaflet is either accepted otherwise, or else it’s not accepted anymore and you need your negative business, so that the account was not blocked, the pennies were not lost), etc.) i є possilannya, according to what you need to go; - SMS informs you that you took the sheet and prompts you to go for help to read the sheet<любое женское имя>). - at splicing windows on sites or programs, they tell you that you took the sheet. Remember about tse, just be respectful. Give respect to the rubbish. For example, we often select the “Save password” option in the browser, and if the right mail service asks to re-authorize (re-authorizes differently), then the insult in the end (login and password) is often already remembered and we just need to press the login button. Hackers can enter your login (especially if they sent you a password), but hackers cannot enter your password. That's why you commemorated the non-violent behavior, it's respectful to change the domain. If the domain is correct, but if everything is wrong, maybe you have another problem, as it was looked at in the next paragraph. Any computer under the Windows operating system has a hosts file, which is located in the C:WindowsSystem32Driversetc directory Proponuemo to your respect the new course of the command The Codeby- "Testing Web Apps for penetration from scratch". General theory, work preparation, passive phasing and fingerprinting, active phasing, conflict, post-exploitation, instrumentation, social engineering and much more. There you can register a redirect. As a result, such a domain in the address bar of your browser will be absolutely true, but in reality you will use hackers on the authorization side, which, of course, will steal your password: On scho respect respect: - Open the C:WindowsSystem32Driversetchosts file with a text editor and look at it - it’s not the fault of the mysteries of popular sites, but it’s a suspect; - another indicator is those that you enter the correct login and password, but authorization is not required; – on the third party authorization you will be asked to correct the SMS to a short number, whether it be a drive (confirmation to the phone, try an evil one, that is, the account is not active and if the vision is not confirmed, it is necessary to enter the number of deletion from the SMS confirmed to you). ). How to fight iz tsim: - As a rule, the hosts file is changed by viruses, it is necessary to install an anti-virus program, as there is no such program and rewire the computer. Like an anti-virus program, upgrade it and turn over your computer. – delete entry rows from the hosts file Another option is kiloger. These are programs that override everything that you type on the keyboard and edit the hacker. In fact, for viruses, it is necessary to fight against these programs just the same as against other viruses. If your mail is permanently “hacked”, then invert the computer with an antivirus, do not confuse suspected files that are being checked (they have the extension .exe, .msi, .hta, .scr, they can also be Install an antivirus that you can update, update it regularly and check your computer (or switch to Linux). How to fight iz tsim: - if you have detected a virus, then, in every case, remember your passwords in the form of mail and social security; - It was already said about it, but the pardon is so wide, so once again, do not zavantazhite files from suspected dzherel. Get them from official sites. Do not confuse files sent by mail to unknown people (for example, send photos of me in a bathing suit, etc.). Beware of saving up to the hacking of the files, remember that the stench was sent to you by people you know - it could be so that they hacked your mail earlier than yours and in the name of your name the hacker expanded his shkidli programs; - in Internet cafes, in all situations, if you need to log in to someone else's computer, type in the screen keyboard, but there is no 100% guarantee, but for rich kilogers, such a turn will be too tough. It didn’t sound so gloomy, but at the same time with such trivial ways, most coristuvachiv spend their passwords, and here there is no place for hacker attacks on mail services, or cryptanalysis tricks. 16.07.2015 09:37:37 This type of merging shakhraystva is used to lure a coristuvach to the details of any service (payment system, social services, online store, postal service) and ask to enter your login and password on this details side. The evildoer, having lured the koristuvach to the update side of any service, and having forced to enter your login and password on this update side, denying access to your oblique record in this service, it can be done to work with your oblique record, write everything, please tell me: leaf your know me too. Wanting for phishing, decoy leaves are often used, following this method of shahraystvo in the form of savage spam, on the kshtalt of “Nigerian leaves”. The authors of the "Nigerian Leaflets" try to trick you into telling them pennies on their own. Phishing transfers more sophisticated technology, if you don't ask for pennies. Navpaki, you are told to improve your safety. Phisheri rozsilayut to potential victims of the sheet, nadіslanі nibito vіd adminіstrаtsії chi podtrimki service popular online resource. Such leaves can be seen in the light of the right ones. Most often they talk about some problem, connected with the official record of the oberzhuvach. For example: The text can be reconciled in advance, but in any case you should be asked to log in: for whom it is necessary either to go to the site (for details), or to enter your data in the form, adding directly to the sheet. І form for introduction, and tsіliy podrobleny site can be completed with exact copies of this service, including the logo and other design elements. However, once you are pledged in a proponated way, your login and password will immediately become known to shahrai. E-mail Crimea, phishers can boost their notifications through messengers like ICQ or Skype, VKontakte internal notifications or other social media, as well as forums and comments. With the growing popularity of smartphones and tablets, phishers have appeared, as they create web site updates for mobile browsers. Losing your login and password is fraught with various incompatibilities, so it’s better to go about e-mail. It is not enabled that when registering on some resource, you will automatically receive a sheet from your login and password to that resource by e-mail. In addition, a lot of online services propagate the procedure for renewing a forgotten password, as they send the redirected sheet to your email address, and often, if there are no necessary additional payments, you will be scammed. In this way, your mail is the key of the attacker to your public records in rich other services. In addition, your mailing screen still has an anonymous address, so spammers and scammers can click. Speaking in your name, the stench will take a lot more opportunities for shkіdlivih dіy, nizh tі, hto rozsiláє smіtya zі third-party address. If you think about the attacker's access to the oblіkovogo record in the payment system, then the risks are obvious: you'll just lose your pennies. For skeptics, we will bring up statistics, selected by the experts of Kaspersky Lab, based on data from anti-virus add-ons. In 2013, more than 35% of attempts to access web pages were associated with phishing attacks on social networks, the bulk of clicks (22%) fell on Facebook. The number of phishing attacks that fall on payment systems was less - 31.5%, from 22% - for banking sites. Another 23% of the attacks fell on postal services. It can be said that “straight” paths up to pennies are beaten by phishers less at the skin of the third attack. It’s also the mother of the country, that you opened the web page in the browser, but didn’t enter your own data in the form, but it still doesn’t mean that you didn’t become a victim of shakhraiv. Checking the details of the sites in the transmission of the possibility of infection of the computer through the critical susceptibility of the operating system and the browser. The presence on the computer of the current anti-virus complex, insanely, helps to see a significant part of the phishing lists and web pages. And in a series of vipadkіv you happen to take decisions on your own: on the cob of a new attack, anti-viruses can appear marvelous, the shards of new addresses of updates to sites have not yet been squandered in the black lists. To that, be aware, if they need to reach you by electronic mail, or through the messenger, the next step is to protect. Phishing lists look like this: One should not ask banks, payment systems, social media and other legitimate services not to ask you for a password at the top of the sheet, or for a direct request from the sheet. If you need to work, if your profile has an official list, you will independently open the official website of the service in the browser and add these chi іnshі dії - without long direct messages from the yakіs internal distribution. If you have a letter on your page, your email address can actually receive official sheets, which can be sent directly - but in these sheets it may be clearly slandered, as your page on the website called out a letter (for example, you asked for a password). Tse means that you didn’t ask anyone about anything, but you need a sheet, it hardens more, you should ignore it. Divne zvernennya Fishermen often raise awareness of the masses, restoring the popularity of the target service. Such leaves are taken as a coristuvach service, and people, as if they were not small in any way, on a new oblіkovogo record. If you took away the leaf as a service, it doesn’t corrode, it’s an obvious sign of a pasta leaf. It may be so, that the fishermen may be able to give some data about the corystuvacs of the central service, so that the leaves grow vibrantly. However, it does not mean that the evil-doers may have special data for the coristuvachs. As if in the official lists of the service, they call you by the name you entered during registration, and you will immediately accept the sheet, there is no special mailing, otherwise just email addresses are mailed to you, better for everything, pasta. suspicious domain In the most important cases, we send a message to the phishing list to the site, which can not be used for the right service of the same day. Make sure you pay attention to the addresses on the sheets. How to go, for example, about the eBay auction, you should look right: https: //<поддомен>.ebay.com/<страница >. Fisher messages will lead to another domain: either ".ebay.com.customer.service.com/" or ".ebay.com-customer-service.com/" or ".customers-ebay.com/" or go ".eaby.com/". Particularly suspect the fault of viklikati vipadki if the domain name vikorivuyuetsya just IP-addresses, then digital sequence on the kshtalt "100.17.234.1". For sheets in HTML format, the text is sent and the real address is sent - there are two independent understandings. This means that even though the words in the sheet say "https://www.ebay.com/", then after pushing on such a force, it may be called another page. In order to reconcile, it’s not obov’yazkovo on the strength of the onslaught - it’s enough to point a bear at her and give hints. Trapleyatsya, if the message seems to be correctly navigated to the address bar of the browser, but in fact leads to the updated page. It rarely traps, shards of vimagaє in the form of fishermen's addendums, caused by hacking the official website of the service or hacking the domain name server. Prote, tsyu mozhlivist sled vrakhovuvat, so remember the rules 1 and 2. Regardless of the clumsy security rules, a lot of people still give their passwords to phishers. Prote, the situation can be corrected, so that you can quickly recognize the problem. Signs that you have become a victim of phishing: As you have realized that you have become a victim of phishers, it is necessary to viconate so:Cookie stealing (cookie)
1. Authorization details
2. Forwarding through the hosts file
3. Programs for pressing on the keyboard (kiloger)
Why is it insecure
Signs of phishing lists
How to fix the problem
More detailed information - at the article.