IT security misbeliefs – third IT security meetup by BitNinja
Eniko Toth

We like attending meetups because we believe that great ideas are born when we share our experience and knowledge. That’s why we decided to regularly organize an IT security meetup in our town, Debrecen. On 24 August we held our third meetup, and we are very happy that the number of attendees keeps increasing.

Not only did the cold beer and the delicious pizza attract participants, but so did the interesting topics we were discussing. The most recent topic was: IT security misbeliefs.

1. “If I’m using a strong password, everything is OK.”

Most people believe that if they have a strong password, they don’t have to worry anymore. The first question is: what is a strong password? The typical answer: it contains upper case letters, lower case letters, numbers and other symbols, and it is at least eight characters long. Some may think: “OK, that’s not a big deal. I can build a strong password from my birth date that meets these requirements, and I can easily memorize it.” But is it enough? Do you think 1987September7 would be a tricky one for hackers? We don’t think so…

So instead of spending hours thinking about what your strong password should be, there’s an easier way. Let’s generate one! There are many tools that generate a password for you. For example, this is a randomly generated password: 2qZ,B@vwqx{m
This is a bit more challenging than 1987September7, isn’t it? :)

OK, you have a strong password now, and here comes the second big mistake that people usually make: they use this one strong password on every platform. That is fine as long as the password really stays secret. But what if a hacker figures it out? The consequences are obvious: the hacker will be able to log in to all of your accounts.

If you’d like to avoid this, it’s recommended to use a different password on each platform. You could ask: “But how am I going to remember all of these passwords?” The answer is password manager apps. The most popular tool is LastPass, but there are plenty of alternatives.

While discussing this topic, some other ideas came up as alternatives to generated passwords:

  • Passphrase: It has been known for a while that passphrases are better than passwords because they are longer and harder to guess, yet you can remember them easily. For example: ThisIsMy1stPASSPHRASE!
  • Password from a passphrase: You can also derive a password from your passphrase. It will look similar to a generated password, but you can memorize it thanks to the passphrase. Create a sentence and, for example, take the first letter of every word. Then mix in numbers and upper and lower case letters. For example: This is my first(=1) passphrase! For(=4) you(=u), it can be really tough. -> tIm1Pp!4u,IcBrT
  • Using a formula: If you have to choose a PIN, for example for your credit card, there’s a clever way to create it. Let’s create a custom formula: (X+1)*2-3
    Let’s assume that your PIN is 3854 and you don’t want to forget it. Here comes your formula! Create your reminder: 2, 4.5, 3, 2.5. If you run your formula on each number, you’ll get your PIN: 3854. ;)
    This was only an example; of course you can create any other logical formula and use it for any number, not just your PIN.

And last but not least, if there’s an option for 2-factor authentication, don’t hesitate to enable it in order to increase the level of protection.

There are also new trends in this field aimed at fending off hacking attempts:

  • Passwordless login: Some companies (e.g., Slack) have already introduced passwordless login. But without a password, how would you log in? They send a ‘magic link’ to your inbox, and by clicking on it you are instantly signed in. Of course, even this method cannot be 100% safe: if someone gains access to your email account, they can easily log in to your account with the magic link.

  • AI technology: Facebook has already started to use AI technology to block unauthorized logins. For example, if you log in from the U.S. and then someone tries to log in from Italy five minutes later, they won’t be able to. Why not? The AI concludes that it’s physically impossible to travel such a huge distance within 5 minutes, so it blocks the login.
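The “impossible travel” check described above, as an added example that is not part of the original post or of any Facebook or BitNinja code: each login is compared with the same user’s previous login, and the one that would require moving faster than an airliner is flagged. The login events, the city coordinates and the speed threshold are constructed for this example, and the IP-to-location lookup is assumed to have happened already.

```python
import math
from datetime import datetime

# Constructed sample login events: (user, UTC timestamp, latitude, longitude).
# Coordinates are approximate city centres chosen for this example.
LOGINS = [
    ("alice", "2017-08-24T10:00:00", 40.7128, -74.0060),  # New York
    ("alice", "2017-08-24T10:05:00", 41.9028, 12.4964),   # Rome, 5 minutes later
    ("bob",   "2017-08-24T09:00:00", 47.5316, 21.6273),   # Debrecen
    ("bob",   "2017-08-24T12:30:00", 47.4979, 19.0402),   # Budapest, 3.5 hours later
]

MAX_SPEED_KMH = 1000.0   # faster than a commercial flight: physically impossible
MIN_DISTANCE_KM = 50.0   # ignore geo-IP jitter between nearby locations


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on Earth, in kilometres."""
    earth_radius_km = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH):
    """Return (user, timestamp) for every login that would require travelling
    faster than max_speed_kmh since that user's previous login."""
    flagged = []
    last_seen = {}
    for user, ts, lat, lon in sorted(events, key=lambda e: (e[0], e[1])):
        t = datetime.fromisoformat(ts)
        if user in last_seen:
            prev_t, prev_lat, prev_lon = last_seen[user]
            hours = (t - prev_t).total_seconds() / 3600.0
            dist = haversine_km(prev_lat, prev_lon, lat, lon)
            # A real move with no elapsed time is just as impossible as a too-fast one.
            if dist > MIN_DISTANCE_KM and (hours <= 0 or dist / hours > max_speed_kmh):
                flagged.append((user, ts))
        last_seen[user] = (t, lat, lon)
    return flagged


if __name__ == "__main__":
    for user, ts in impossible_travel(LOGINS):
        print(f"blocked login: {user} at {ts}")
```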

2. “VPN offers full anonymity.”

A lot of people use VPNs, for various purposes; for example, when they want to watch a video that is blocked in their home country. Unfortunately, there are other reasons too, which involve illegal activities. You may think that you can hide behind the VPN and your activities will never come to light. But that is not true. VPN providers store logs of your activities, and in the case of a court order they must hand the requested data over to the authorities.

3. “I don’t own important information, so I’m not a target of cyber attacks.”

Nowadays most attacks are not targeted. According to our logs, 90-95% of the incidents come from botnets. A botnet doesn’t care what kind of information you store. And while you may think that you don’t own important data, for others everything can be important. Just think of targeted advertisements. In the marketing field, anything can be useful. Have you ever mentioned in a chat with a friend that you’d like to buy a cross-country car, and then started seeing cross-country car advertisements everywhere on the internet? Wondering how that is possible? As we mentioned, any small detail can be important, even if you don’t think it is.

Another example: Before World War II there was a census in which religion was recorded too. Everyone knows what Hitler did two years later. So we can never know how our data will be used against us in the future.

Furthermore, even if you believe that your server doesn’t contain sensitive data, hackers and bots can still upload phishing content to your websites. We are sure that you don’t want to be part of a botnet.

4. “If my device is hacked, I will notice it immediately.”

This statement was true years ago. If your device was hacked, there were visible signs: pop-up porn sites, falling letters and other strange things appeared on your screen. But nowadays, when there can be 1500 domains on a single server, you won’t quickly notice one single uploaded file. Malware on your servers can hide from you for months or even years.

5. “HTTPS is always safe.”

It’s almost true. Fortunately, it’s rare that HTTPS isn’t safe. But there is a vulnerability that many people were unaware of for a long time: Logjam. This attack allows a man-in-the-middle attacker to downgrade vulnerable TLS connections to 512-bit export-grade cryptography. Huzaifa Sidhpurwala gave a presentation about this topic at DevConf as well.

6. “If we move our SSH login from port 22 to another one, it’ll be safer.”

The default port for SSH login is 22. If you decide to use another port instead, it makes things more difficult, but not for the botnets: the “smarter” ones scan more than just port 22. They will still find the port you use for login, and only you and/or your team will have a harder time remembering which port that is.

Other topics

After discussing the most frequent IT security misbeliefs, we continued talking about other interesting topics. Let me give you a little insight into them, in a nutshell ;)

Before BitNinja

We were in a nostalgic mood, so we talked about events that happened before we created BitNinja. Back then they were nightmares, but now we were laughing at them. There was a case when our servers were hacked and we could see the hacker crawling through our database. It was really annoying to watch, but we couldn’t do anything about it. We also saw on a map where these actions were coming from. It was easy for the police to find the attacker, but, as it turned out, the machines were zombie servers.

Analyzing the User Agent

The user agent can sometimes tell a lot. There are lazy botnet writers who leave the default “python-requests” string in the user agent.

If we analyze the User Agent a bit deeper, we can figure out that in many cases it is spoofed. Last year there was a botnet that used the following user agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1. It looks normal, but if you do a little research you’ll find out that it’s not a valid one, because there is no 40.1 version of Firefox.
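The two observations above turned into a check over access-log lines, as an added example that is not code from the meetup or from BitNinja: the default python-requests user agent is flagged as automated, and a Firefox user agent is flagged when its rv: token disagrees with the Firefox/ token or when the minor version is one Firefox never shipped. The log lines are constructed, and the mismatch rule assumes that a genuine Firefox build reports the same version in both places.

```python
import re

# Constructed sample access-log lines (combined log format); the IPs are from
# documentation ranges and the requests are invented for this example.
LOG_LINES = [
    '203.0.113.5 - - [24/Aug/2017:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 1274 "-" "python-requests/2.18.4"',
    '203.0.113.9 - - [24/Aug/2017:10:00:02 +0000] "GET /forum/post.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"',
    '198.51.100.7 - - [24/Aug/2017:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 8810 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0"',
]

UA_RE = re.compile(r'"([^"]*)"$')  # the user agent is the last quoted field
FIREFOX_RE = re.compile(r'rv:(\d+)\.(\d+)\) Gecko/\d+ Firefox/(\d+)\.(\d+)')


def suspicious_user_agent(ua):
    """Return a reason if the user agent looks automated or hand-crafted, else None."""
    if ua.startswith("python-requests"):
        return "default python-requests user agent"
    m = FIREFOX_RE.search(ua)
    if m:
        rv_major, rv_minor, ff_major, ff_minor = m.groups()
        # Assumption: a genuine Firefox build reports the same version in rv: and Firefox/.
        if (rv_major, rv_minor) != (ff_major, ff_minor):
            return "rv: and Firefox/ versions disagree"
        # Firefox has reported its version as N.0 for years; a minor like 40.1 never shipped.
        if ff_minor != "0":
            return "Firefox minor version that was never released"
    return None


def scan(lines):
    """Map each client IP to the reason its user agent was flagged."""
    flagged = {}
    for line in lines:
        ip = line.split(" ", 1)[0]
        m = UA_RE.search(line)
        reason = suspicious_user_agent(m.group(1)) if m else "no user agent"
        if reason:
            flagged[ip] = reason
    return flagged


if __name__ == "__main__":
    for ip, reason in scan(LOG_LINES).items():
        print(f"{ip}: {reason}")
```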

Importance of AI

We talked a lot about how the importance of AI is increasing day by day. It looks like this is the future. We are going to use this technology in our upcoming developments, but they are top secret, so we can’t share any spoilers about them. ;)

Changing trends (typical incident types)

There are always trends that dominate the cyber attack field. Nowadays IoT botnets are on the rise, but there are some old attack types that will never go out of fashion:

  • wp-login brute force
  • registration form scan
  • forum spam: our favorite is the Canadian pharmacy

Besides the well-known attacks, two funny incidents came up as well:

  • The Hello Peppa botnet (a protest against the Peppa Pig cartoon being banned in China)
  • When a whole novel was sent as forum spam.

Linux vs. Windows

Windows is an easier target for hackers and, of course, there is more malware for it. However, just because Linux has no concept like the Windows “.exe”, it is not necessarily safer than Windows. Just think of Shellshock or the Linux kernel vulnerabilities…

We could talk a lot about the Linux – Windows comparison, but it’s another long story, so we are going to publish an article about it.

Do you have to be an expert in order to be a hacker?

The answer is “no.” Nowadays a lot of things are available to the public (e.g., GitHub), so it’s not that difficult to become a hacker. Just one example: there was a scriptwriting competition for kids whose voting system was cloned, and one of the meetup’s participants had read somewhere that seven out of 10 participants managed to hack it.

Social engineering

The weakest link is always people. Businesses should put more focus on educating their customers, because sometimes really silly actions on their end result in them getting hacked. Hopefully, in the next 15-20 years a new generation will consider IT security a basic necessity.

It’s normal for people not to care about security until something bad happens. But a reactive attitude is not the best solution. We believe in proactive protection and encourage everyone to do the necessary actions in order to be safe.

Next meetup

As you can see, we talked about many important things, and the success of our meetups is obvious. This event has already appeared in the newspaper of our town (the second-biggest in Hungary), and the attendees showed strong interest in the next meetup. Thanks to these great outcomes, we decided to organize the meetups more frequently: instead of quarterly, there will be a meetup every two months. We’d also like to invite a guest presenter to our next meetup.

Are you curious how can a web hosting company speed up their business’ growth? The answer is really simple: they have time to work on different projects and develop new features. Besides that, they can guarantee a reliable service to their customers. But where is BitNinja in this story? We tell you! Miss Group is Sweden's fastest growing hosting company and they had the same problems as many other companies. After the many cyber attacks, the WordPress sites became compromised, customers began to complain, the load of the support team has increased, and the technical team spent lots of ti...