Tumgik
shinytoiletcat · 5 years
Time Management
Time management has been tough this semester. I’m having bad insomnia problems, which have caused me to miss out on lectures 5, 6 and 8. Despite missing out on lectures, I still managed to attend all my tutorials as they are at 3pm in the afternoon. My solution is to recover last minute and get as much work done as possible: catching up on lectures with my fellow peers’ lecture notes, and writing as much security as I can! I have decided that the most important thing is not consistency, but to get a decent amount of work done.
shinytoiletcat · 5 years
Found a counterfeit note!
During a lecture, I made a deal with Richard to find him a counterfeit note from work. I found a $100 fake note! (This is not really good news, but is to Richard, he seems very excited to finally have a fake note.) I will be giving the note to Richard during the next lecture. 
Please read the post I made on how to spot counterfeit notes! Sadly, I am pretty experienced in this field. 
This note that I found failed 2 of the tests I mentioned. It is indeed a fake note and has been checked by a professional machine. 
It failed:
- White patterns on the side could be scratched off.
- Digit 100 was not transparent and imprinted, instead it was directly printed. 
shinytoiletcat · 5 years
Counterfeit notes
When Richard talked about counterfeit notes in the lecture, I seemed to be the only one that knew much about it, as I was the only person with their hand up that had seen a counterfeit note. It’s very important to be able to spot a counterfeit note and know how to deal with it safely.
How to spot/test a note:
- Try to tear it. Most counterfeit notes are made out of paper, and can be torn easily. Some fake notes are indeed made of plastic, but there are other ways to test it.
- Scratch the white patterns on the side. For a $50 note, the pattern should be stars. If it scratches off, then it is fake.
- Check the imprint on the side where the patterns are. If you look at the side, the digits should be transparent, but if you look at it through some light, you should be able to tell the digits. (Digits = value of note, a $50 note will have the digits 50.)
- Check the colour of the note. If the colour is off, there is a chance the note is fake. This method is used for notes like $5, $10, where there are no special transparent corners.
How to deal with it:
Whoever you receive it from, whether it’s from work or from a store, simply ask for a new note. They have no reason to reject your request. Depending on the person, it could be dangerous exposing the truth about the fake note. If it is a friend, you can calmly advise them to report the note.
shinytoiletcat · 5 years
Internet Security - WPS pin
My Something Awesome Project about man in the middle attack made me curious about other forms of internet hacking methods. 
I did some research and found out a big vulnerability in our routers today. In modern day routers, we have access to a WPS (WiFi Protected Setup) pin that allows easy access for users that are not very good with wireless technology.
The pin is an 8-digit number with the last digit being the checksum of the previous digits. The checksum has the disadvantage of reducing the entropy (randomness) of the pin. The 7 previous digits are split in half, into a group of 4 and 3 with 11 thousand different possibilities. This pin can be cracked or brute forced easily with tools such as Pixie Dust and be used to find the password.
This attack will, however, only work on models released between 2006 and early 2012, as the flaw was discovered in 2011. Nowadays, some people are still using old models, so this attack can still be done.
Make sure to check your routers today, and disable WPS pin! For the safety of your internet.
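The PIN arithmetic described above, as an added example that is not part of the original post: it implements the WPS checksum digit and compares the three search-space sizes (the 4 + 3 figure applies because the protocol confirms the two groups separately). The seconds-per-attempt and lockout values are constructed assumptions, not measurements from any router.

```python
# Added example: WPS PIN checksum and effective search space.
# Timing and lockout figures are constructed for illustration, not measured.

def wps_checksum(body: int) -> int:
    """Checksum digit for the 7-digit PIN body (weights 3,1,3,1,3,1,3)."""
    if not 0 <= body <= 9_999_999:
        raise ValueError("PIN body must have 7 digits")
    digits = [int(c) for c in f"{body:07d}"]
    accum = sum(d * (3 if i % 2 == 0 else 1) for i, d in enumerate(digits))
    return (10 - accum % 10) % 10


def is_valid_pin(pin: str) -> bool:
    """True if `pin` is 8 ASCII digits and its last digit matches the checksum."""
    if len(pin) != 8 or not (pin.isascii() and pin.isdigit()):
        return False
    return wps_checksum(int(pin[:7])) == int(pin[7])


def search_space() -> dict:
    """Number of candidate PINs under three models of the design."""
    return {
        "8 independent digits": 10**8,
        "7 digits + checksum": 10**7,
        "4 + 3 digits, confirmed separately": 10**4 + 10**3,
    }


def worst_case_hours(candidates, secs_per_try, lock_after=0, lock_secs=0):
    """Upper bound on the time to try every candidate.

    lock_after / lock_secs model a router that pauses WPS for lock_secs
    after every lock_after failed attempts (0 = no lockout).
    """
    total = candidates * secs_per_try
    if lock_after:
        total += ((candidates - 1) // lock_after) * lock_secs
    return total / 3600


if __name__ == "__main__":
    for pin in ("12345670", "12345678"):
        print(pin, "valid" if is_valid_pin(pin) else "bad checksum")
    # Constructed policy: 2 s per attempt, 60 s pause after every 3 failures.
    for label, n in search_space().items():
        no_lock = worst_case_hours(n, 2)
        locked = worst_case_hours(n, 2, lock_after=3, lock_secs=60)
        print(f"{label:36} {n:>11,}  {no_lock:>10.1f} h  {locked:>12.1f} h")
```

With these constructed figures, a lockout stretches the 11,000-candidate case from about 6 hours to about 67 hours, which slows the search but does not remove the weakness; disabling the WPS PIN does.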
shinytoiletcat · 5 years
Teaching my friends about internet security!
After I uploaded my man in the middle attack tutorial video, I shared it amongst my friends and a few took interest to watch my video. They found it useful and interesting and left a like on my video as they had no prior knowledge about security or internet security. 
I explained to them different ways hackers can attack their internet, such as cracking the WPS pin and getting access to their router. I also advised them heavily to check their router model and disable WPS pin as it is a big single point of failure vulnerability that can be exploited easily. 
shinytoiletcat · 5 years
Something Awesome Reflection
After completing my Something Awesome Project, perform a man in the middle attack, I’ve learnt just how easy it is for us to give away our private information on the internet.
In my attempt, I cloned a fake website, the login page of facebook, and captured all the data (username, password) that was sent through. 
This made me realise just how careful I need to be from now on, when facing situations where I need to type in important private information such as my login and password.
I’ve thought of many ways for someone to open up the fake website I cloned. I could social engineer my way into the victim’s life, then pretend to share a facebook video with a link that leads to the fake website. Or email the victim, pretending to be from facebook, asking them for a survey that requires the victim to login. And many more.
If I can think of some off the top of my head, I am sure a professional hacker can think of way more. And from now on, I will be so much more careful dealing with my private information online, always check and make sure the website or email or survey etc is from a proper source before doing anything. If I can’t prove it is from a proper source, I won’t take the risk of entering any private information.
shinytoiletcat · 5 years
Stargate Ghost Problem
In this week’s case study, we were given the Stargate Ghost Problem.
Suppose you are the friendly Major M from the base who can see the alien A but who cannot see the invisible man X.
What would you M do to get from X his report on the Alien's (A's) planet?
We were left with very short time due to the Something Awesome Presentation, but as a group, we still came up with a possible strategy to this question.
Context:
Tumblr media
First, we considered the alien to be non-trustworthy. 
Now we would call X into a different room, and tell him the protocol and password we will use to communicate the report. We will encrypt every message and decrypt it upon receiving it. This way, the alien will not understand the questions and answers being asked between M and X. This will reduce the chances of the alien changing the questions/answers based on their context. This also eliminates the risks of possible torture and manipulation the alien has done to X prior to arriving on Earth, as the protocols were set up after they have arrived. 
After discussion:
In the class discussion, a few drawbacks of our protocol were mentioned. There is a chance that the alien can set up his own encryption and decryption keys from the beginning. If the alien decides to mess with the encryption, we will be sending the wrong messages around, and doing RSA in the head is extremely difficult.
Reflection:
Authentication is hard. Coming up with flawless protocols is extremely difficult; there are always drawbacks to the protocols that we came up with during the class. It is difficult to come up with a protocol with or without considering the context, such as “the alien can read minds” or “the alien has super hearing” etc.
shinytoiletcat · 5 years
Something Awesome Update
Week 8 Update
The extension criteria, the man in the middle attack tutorial, is complete!
It is up on Youtube under this link.
https://www.youtube.com/watch?v=M48nGYEksJk&t=13s 
Here is a summary of my something awesome project.
- Successfully performed a man in the middle attack on my own machines (so it is legal).
- Successfully cloned a website.
- Tested the method on different machines and found that it causes internet problems on certain machines such as my PC at home. This fails the “Do it quietly” criteria, as it is not quiet 100% of the time. If someone’s internet stopped working, they will notice something’s wrong.
- I did not end up using Pixiedust like I said in my criteria, however, I still achieved the same goal of a successful attack. 
More to improve on?
- I couldn’t get DNS spoofing to work properly, so the fake website link ended up being just my own IP address where I will receive the captured login details. It could’ve been something less suspicious like www.faceboook.com. 
shinytoiletcat · 5 years
Debate: Privacy, more or less?
In this week’s case study, we were given a topic to debate on as a class, privacy. Should the government collect and have more access to your data for good purposes, or should citizens have a right to stop them?
We were given the choice to choose a side and discuss in a group to come up with ideas to debate for. I had a hard time choosing, but I chose the more side. However, right before the debate started, we were told to switch sides to debate for. 
I was debating against the person on the opposite side, his opinions were:
- Add more security everywhere, to catch criminals.
- Add security inside people’s houses, to stop malicious acts such as making drugs. 
- Provide more personal information, but limit what is given to the government.
And these are the main points I argued for:
- Even if the government was using it for good purposes, no one can guarantee that they will in the future. 
- Giving more information to someone means giving them more power, and more power means it’s easier to corrupt. When the government corrupts, it impacts the entire country on a much larger scale than if it was a single company’s corruption.
- Giving more personal information increases the chance of discrimination due to different social standards. If more security cameras are added to prevent criminals from entering a certain place, then what defines a criminal? Someone can be innocent but is considered a ‘criminal’ because of discrimination.
- People will feel more pressured because they are being watched 24/7, not only in public places, but in private places as well. Adding security cameras into people’s homes is way out of line. When people are stressed and pressured, it will increase mental illness and hugely decrease a person’s wellbeing.
- When people are under pressure, stress, and the strong feeling of oppression, they will likely have a desire to overthrow the government. This will cause chaos, brutality and sacrifices. 
After debate:
There were a few good points that other people have mentioned that I didn’t consider.
- Money is a big issue. Increasing security everywhere on such a large scale will cost the government tons of money, and this money will all come from tax payers. Increasing tax will decrease workers’ satisfaction and that is the main cause in many work related accidents.
Reflection:
After debating for the less side, despite taking in and respecting everything that was said from the more side, I realised that I agree more with the less side than the more side that I originally chose. Before any discussion began, I hesitantly put my hand up for more security, however, by the end of the class, my hands were confidently down for that option.
I have recently stopped using social media such as facebook, snapchat etc, and I think I will delete personal information off it or completely wipe away the account to prevent data leakage on the internet. I’ve been bothered by spam calls everyday and it certainly supports my less side argument personally.
shinytoiletcat · 5 years
Something Awesome Update
Week 6 Update
I have successfully made a man in the middle attack where I placed myself in the middle of my own Mac machine and my router at home. 
- I successfully placed myself in between the machine and the router.
- I successfully cloned a fake website, which is the login page of facebook.
- I successfully captured the fake login credentials I entered in.
I have tested the hack on different machines, but I came across a few problems when performing the attack.
- After cloning the website, I opened up the fake facebook website with chrome on my Mac machine, entered in fake details, and despite me successfully capturing the fake details, chrome logged me into my actual Facebook account. This did not happen when I opened the fake website on Kali Linux. 
- The man in the middle attack did not work on my PC at home. Everything was set up properly, but once the man in the middle connection was made, I could not access internet on my PC. This proves that the reusability of the attack method is not high. 
- DNS spoofing did not work when I tried to change the fake website’s link (my IP address) into a more convincing name (www.faceboook.com).
Now I have to move onto my extension criteria, the tutorial video.
shinytoiletcat · 5 years
Cyber War
In this week’s case study, we were asked to consider the main threats we, Australia, face in the cyber domain of war against a powerful country such as Russia. Me and my group came up with a few threats and some recommendations to deal with them.
Insiders (Insiders can gain direct access to all data and potentially shut down everything): Run full background checks and track people’s communication records without invading the privacy of the contents of the communication. 
Man in the middle (Hackers can listen in between computers and routers and grab and change information without us noticing): Upgrade cryptography methods, security measures and tools to detect any man in the middle attempts. Be extra cautious entering private details online, making sure the website is safe, as an easy way for hackers to grab login details is fake websites.  
Exploiting media attention (Media can post fake information and completely ruin someone/something’s reputation): Make official laws to prevent news outlets from posting fake information without original and concrete proof and validation.
DDOS (Hackers can send millions of requests to aim to break a website or service): Detect a DDOS by looking out for a lot of regular incoming traffic, and limit the amount of requests accepted in a period of time.
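One way a tool can detect the ARP-based man in the middle named in the recommendations above, as an added example that is not part of the original post: it compares two snapshots of `arp -a` output and flags a gateway whose MAC address changed or a MAC that answers for several IPs. The sample output, addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed `arp -a` snapshots (macOS-style, MACs without leading zeros).
SAMPLE_BEFORE = """\
? (192.168.1.1) at 2:0:0:0:0:1 on en0 ifscope [ethernet]
? (192.168.1.20) at 2:0:0:0:0:20 on en0 ifscope [ethernet]
? (192.168.1.35) at 2:0:0:0:0:35 on en0 ifscope [ethernet]
? (192.168.1.50) at (incomplete) on en0 ifscope [ethernet]
? (192.168.1.255) at ff:ff:ff:ff:ff:ff on en0 ifscope [ethernet]
"""
SAMPLE_AFTER = SAMPLE_BEFORE.replace(
    "(192.168.1.1) at 2:0:0:0:0:1 ", "(192.168.1.1) at 2:0:0:0:0:35 ")

ENTRY = re.compile(
    r"\((\d{1,3}(?:\.\d{1,3}){3})\) at "
    r"([0-9A-Fa-f]{1,2}(?::[0-9A-Fa-f]{1,2}){5})")
BROADCAST = "ff:ff:ff:ff:ff:ff"


def normalise_mac(mac):
    """Lower-case and zero-pad each octet so 2:0:0:0:0:1 == 02:00:00:00:00:01."""
    return ":".join(part.zfill(2) for part in mac.lower().split(":"))


def parse_arp(text):
    """Return {ip: mac}, skipping incomplete and broadcast entries."""
    table = {}
    for line in text.splitlines():
        m = ENTRY.search(line)
        if m and normalise_mac(m.group(2)) != BROADCAST:
            table[m.group(1)] = normalise_mac(m.group(2))
    return table


def findings(baseline, current, gateway_ip):
    """List (kind, detail) tuples worth an analyst's attention."""
    out = []
    old, new = baseline.get(gateway_ip), current.get(gateway_ip)
    if old and new and old != new:
        out.append(("gateway-mac-changed", f"{gateway_ip}: {old} -> {new}"))
    by_mac = defaultdict(list)
    for ip, mac in current.items():
        by_mac[mac].append(ip)
    # A shared MAC can be legitimate (proxy ARP, multi-homed hosts),
    # so this is a lead to investigate, not proof of spoofing.
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            out.append(("mac-shared", f"{mac} answers for {', '.join(sorted(ips))}"))
    return out


if __name__ == "__main__":
    before, after = parse_arp(SAMPLE_BEFORE), parse_arp(SAMPLE_AFTER)
    for kind, detail in findings(before, after, "192.168.1.1"):
        print(f"[{kind}] {detail}")
```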
Since we didn’t have enough time to discuss more amongst ourselves, I noted down some interesting ideas during the class discussion.
News: Utilise the media attention to threaten Russia back and establish that we will fight back if anything happens; “If you nuke us we will nuke you back.” 
Hire a group of professionals to hack Russia, gain advantages by knowing how they will attack us first and prepare a solution or prevent it.
shinytoiletcat · 5 years
Electronic Self Drive Cars
In this week’s tutorial, our case study focused on the concept of complete electronic self driving cars from the company’s perspective. We had to consider the following:
1. Listing the assets of the company you are concerned about.
2. Listing the top risks you are concerned about.
3. What the company should do to address each risk.
4. Your recommendation: should the company proceed with this project YES/NO and brief reason. 
We were given 20 mins, and I came up with the following. 
1. The most important assets that need to be protected are the people’s safety and the company’s reputation. Whether the person is a consumer or not, self driving cars should be safe for everyone on the road. The company’s reputation plays a huge role in gaining people’s trust with the product.
2. a. The auto-pilot system can fail and lead to serious road accidents. This can be caused by various factors such as weather and strength of signal at certain places. This can then lead to further problems such as when the cars do crash, it’s very hard to figure out who is responsible as no humans operated the cars.
    b. No manual handling in the car means if an accident does occur, there is nothing that can be done manually to prevent/minimise it.
    c. Everything being electronic also means there’s a chance people can hack into the auto-pilot system and overwrite it, sometimes without the passengers realising.
3. Hire professionals to perform penetration testing on the car’s navigation and driving system. Use dummies to test the car for test user safety, as there is no need for humans to test self driving cars. 
4. My recommendation would be that the company shouldn’t proceed with this project. Reason being the risk overpowers the benefits of this project. Benefits include completely wiping out human errors in road accidents such as fatigue, drug, alcohol and bad driving skills. However, cars can’t process ethical problems such as the trolley problem.
After discussion:
There were some interesting points made in the discussion from the government’s perspective that the company would not consider.
An asset the government would protect is the people whose jobs are dependent on cars, such as Uber drivers and ambulance drivers. Taking away millions of jobs would cost greatly for the country.
shinytoiletcat · 5 years
Something Awesome Update
Week 4 Update
I have finished my research on the man in the middle attack, and I will be moving onto trying the actual hack soon. Here’s a quick summary of what I need to do.
Pre-attempt:
- Download and install Kali Linux as that will be where I perform the attack.
- Install all necessary tools and programs that will assist me, such as arpspoof, apache2, setoolkit.
Attempt:
- Connect myself in-between my test-machines and their router.
- Make/clone a fake website.
- Enter in login credentials on the fake website on the test-machines and capture the data in a file.
- Test on different machines to test the reusability of this method of hacking.
shinytoiletcat · 5 years
Physical Security at Google Office
In this week’s tutorial, the case study was a practice for the final exam where we only had 20 mins, and the topic was coming up with physical security procedures for a Google office near UNSW. 
1. No matter how secure a system is, any occurrences of human error can break the security system. Social engineering is a very common way of security breach, and to prevent against it, introduce security training for all workers, with simulations of different social engineering attacks. A lot of workers tend to ignore security measures when they are unaware of it being ‘training’. Therefore, add in random training attacks every once in a while to assess the workers under situations where they are unaware they are undergoing security training. Give detailed feedback to the workers on their training result. In the case of a bad/failed result, instead of firing or penalising the workers, have their manager sit down with them and talk about how to improve the mistakes made. Improving workers’ satisfaction will greatly reduce human errors.
2. In order to prevent intruders accessing restricted areas, introduce biometric scanning at entrances to the building. All workers would have to go through an eye and fingerprint scan before entering the building. All workers will be assigned a special worker’s ID badge with a hash that needs to be matched with the hash of the worker’s biometric scan. This way, stealing the worker’s ID badge will not get anyone past the gates. The ID badge will be destroyed along with the hash if the worker resigns from the job. Visitors will undergo a full background check with purpose of visit, then they will be granted a temporary visitor badge with a random hash that is only valid for their registered time of stay, and will be destroyed afterwards.
3. A way to social engineer inside the building is to pretend to be the delivery person, or exploit people’s instincts by holding something heavy at the door so people will open it for them. A way to prevent this is to introduce an automatic window outside the building that accepts any deliveries. The delivery item has to pass a valid delivery scan, then it will be accepted by the window. 
After discussion:
After discussing with my group, there were a few interesting ideas that I haven’t considered.
- Grant workers access to only their designated working area levels and communal area levels. This will prevent people from stealing information from other departments.
- Workers work in a no internet environment, everything that needs to be done on the internet will be done on one central machine. This way, it will eliminate any internet related security breach. 
shinytoiletcat · 5 years
Time Management
I have been struggling to blog consistently recently, and I am fully aware of my lack of performance in time management. However, from now on I will try my best to post on time and consistently! I plan to blog every Tuesday after the lectures, every Wednesday after the tutorial, every weekend for homework and every now and then some cool new updates on security I find in the world. Having the week’s work done within the week is my goal.
shinytoiletcat · 5 years
First cipher solved!
Took me a while but yay!!! :DD
shinytoiletcat · 5 years
Doors on Planes
This week’s case study was focusing on the accidents that have happened on planes in the past.
Accidents on planes are devastating. Pilots being locked out of the control room and forced to emergency land, crew members accidentally turning off the auto-pilot switch, and a pilot unable to stop the mentally ill co-pilot from crashing the plane as the pilot was locked out of the cockpit door, were all examples of incidents in the past.
Our task was to produce a prioritised shortlist of recommendation for actions to be taken to prevent future disasters. 
1. Implement double authentication of functions inside the plane: 
   - When one of the pilots leaves the cockpit, have another crew go inside to ensure there are always two people inside the cockpit.
   - Two people’s authentication is needed to lock the cockpit from the inside, and the key is far enough that one person cannot undergo this action. 
   - In the case that a pilot is locked outside the cockpit door, the pilot and another crew can authorise the door to be opened from the outside.
   - Two people’s authentication is needed to switch auto-pilot on and off. This prevents accidental switches that may lead to tragedy. 
2. Implement biometric scanning for functions such as the cockpit door, and the auto-pilot switch. Only authorised people (flight crew) will be allowed to open, close or lock the cockpit door, or switch the auto-pilot system. 
3. Introduce regular counselling for the flight crew as this job can be stressful and tiring. Mental health is extremely important and plays a heavy role in preventing human errors. Whether alerting the others of the crew’s current state of mental health or not comes down to privacy contracts between the crew and the airline.
4. Introduce heart-rate monitors for the pilot and co-pilot. In the case of extreme emergency, where all pilots are unable to control the plane, other crew members have to confirm the situation, then let ground control take over the plane.
5. Strict training for the flight crew on aircraft information and emergency aircraft takeover simulation. This will reduce the risk of letting crew members take over the plane when all of the pilots are down. Airlines should also place strict checks for crew members to prevent terrorists from becoming an insider. 
0 notes