VSHG – Hardware resistance & enhanced security for GnuPG

VSHG aims to provide a memory/hardware-resistant reinforcement of GnuPG's standard s2k key-derivation function, plus a simplified interface for symmetric encryption.

About VSHG

VSHG (Very Secure Hash Generator) is a standalone add-on for GnuPG (GNU Privacy Guard). It is written as a shell script and is designed around the Unix/Linux filesystem and commands. VSHG uses the sha384 and Argon2 hash functions for the password, and AES-256-CFB + CAST5-128-CFB in cascade for the final encryption. The default sha384 iteration count is 800, followed by 15 iterations of Argon2i and 500 iterations of Argon2d. It uses true-random 12-byte salts, so even a very weak passphrase is reinforced and you no longer have to worry about it. VSHG uses the last hash of the iteration chain as the session key for GnuPG. It also provides an autodetection function for each file, so you do not have to remember either the salt or the iteration count. Optionally, a key file can be used as the authentication method.

Why is VSHG so secure?

VSHG uses a true-random salt for each encrypted file, so your passphrase always has a minimum of 12 bytes of strength; you could even use the same password twice for different files. What makes VSHG so secure are the iterations: 800 iterations means the string is hashed 800 times, each round taking the previous round's output as its input. The more iterations, the more security there is. Even with the correct passphrase, decryption fails without the correct iteration count. VSHG uses some of the most advanced memory-hard key derivation functions, Argon2i and Argon2d. The already iterated key is passed through Argon2 a total of 515 times, which ensures resistance against the biggest threats to key derivation functions, namely graphics processing units, field-programmable gate arrays and application-specific integrated circuits (GPU, FPGA, ASIC).

The actual encryption is performed with the highest level of security possible in GnuPG:
- The string-to-key (s2k) hash algorithm (GnuPG's KDF) was reinforced from sha1 to sha512.
- The s2k mode was set to 3, which means an 8-bit salt is applied and then iterated.
- The s2k count was set to 65011712, the highest possible number of iterations.
- The s2k cipher algorithm was set to AES256 and CAST5 in cascade.
The AES-256 encrypted file is securely deleted, so that only the AES256(CAST5()) encrypted file is put out.

Why should I use VSHG?

- It is easier to use than GnuPG core.
- Can encrypt folders by turning them into zip files.
- Someone who doesn't have VSHG does not really have a chance of cracking the password.
- True-random 12-byte salt.
- Choosable iteration count.
- Choosable salt.
- Choosable key file.
- True-random key file.
- Very good resistance to side-channel attacks (e.g. timing attacks).
- Very resistant towards GPU-based attacks.
- Can guarantee security even with relatively weak passwords (> 5 characters), if you have enough iterations.
- Autodetection of salt + iteration count for each file.
- Military-standard AES-256 encryption + the gpg standard CAST5 encryption.
- Uses the gpg s2k mode 3 + sha512 with the maximum count of 65011712.
- Erases the original file securely.

Download & Installation

Download as tarball:
    sudo wget https://github.com/RichardRMatthews/VSHG/archive/1.4.tar.gz
Or clone the repository:
    git clone https://github.com/RichardRMatthews/VSHG.git
Compile it yourself (shc turns the shell script into C source, which gcc then builds into the VSHG binary; note the lowercase -o output flag):
    sudo git clone https://github.com/neurobin/shc.git
    cd shc
    sudo ./shc -f -r /etc/VSHG/executable/src/VSHG_1.4.sh
    sudo gcc /etc/VSHG/executable/src/VSHG_1.4.sh.x.c -o /usr/bin/VSHG
    sudo VSHG
Run:
    sudo tar -xf VSHG-1.4.tar.gz
    sudo chmod +x VSHG_1.4.sh
    sudo ./VSHG_1.4.sh
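The iterated-hash idea described above (a true-random 12-byte salt, a sha384 chain where every round hashes the previous round's output, and the last digest used as the session key) as an added Python illustration; this is not VSHG's own code, and the way salt and passphrase are combined in the first round is an assumption, since the page does not show it.

```python
# Added illustration of the VSHG iteration scheme, not VSHG's own code.
# Assumed: round 0 hashes salt||passphrase; VSHG's real chaining may differ.
import hashlib
import hmac
import os

SALT_LEN = 12          # VSHG's documented true-random 12-byte salt
DEFAULT_ROUNDS = 800   # VSHG's documented default sha384 iteration count


def new_salt() -> bytes:
    """True-random salt from the OS CSPRNG."""
    return os.urandom(SALT_LEN)


def iterated_sha384(passphrase: str, salt: bytes, rounds: int) -> bytes:
    """Chain sha384 `rounds` times: round 0 absorbs salt||passphrase
    (assumed construction), every later round hashes the previous digest."""
    if rounds < 1:
        raise ValueError("iteration count must be >= 1")
    digest = hashlib.sha384(salt + passphrase.encode("utf-8")).digest()
    for _ in range(rounds - 1):
        digest = hashlib.sha384(digest).digest()
    return digest          # 48 bytes: the "last hash" that becomes the session key


def session_key_matches(passphrase: str, salt: bytes, rounds: int,
                        expected_key: bytes) -> bool:
    """Constant-time comparison so a wrong guess leaks no timing signal."""
    derived = iterated_sha384(passphrase, salt, rounds)
    return hmac.compare_digest(derived, expected_key)


if __name__ == "__main__":
    salt = new_salt()
    key = iterated_sha384("weak pass", salt, DEFAULT_ROUNDS)
    # Correct passphrase and count reproduce the key; the same passphrase with
    # the wrong count yields a different key, so decryption would fail.
    print(session_key_matches("weak pass", salt, DEFAULT_ROUNDS, key))      # True
    print(session_key_matches("weak pass", salt, DEFAULT_ROUNDS - 1, key))  # False
```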

Link: http://feedproxy.google.com/~r/PentestTools/~3/6L_0uMuwloY/vshg-hardware-resistance-enhanced.html

No One is Safe: the Five Most Popular Social Engineering Attacks Against Your Company’s Wi-Fi Network

Your Wi-Fi routers and access points all have strong WPA2 passwords, unique SSIDs, the latest firmware updates, and even MAC address filtering. Good job, networking and cybersecurity teams! However, is your network truly protected? TL;DR: NO! In this post, I’ll cover the most common social engineering Wi-Fi association techniques that target your employees and other […]
The post No One is Safe: the Five Most Popular Social Engineering Attacks Against Your Company’s Wi-Fi Network appeared first on Blog.

Link: http://feedproxy.google.com/~r/Imperviews/~3/eVh7AYME6aw/

Safer Internet Day: Security vs. Convenience

It isn’t easy to be secure all the time — this is especially true if you are new to cybersecurity. A well-formed security plan takes deliberate effort at the very least, and constant vigilance at most. Even the top experts have room to improve because cybersecurity is a constantly moving target.
Unfortunately, most internet users aren’t using best practices.
The top two [passwords] have been left unchanged for the fifth year in a row.
Continue reading Safer Internet Day: Security vs. Convenience at Sucuri Blog.

Link: https://blog.sucuri.net/2019/02/safer-internet-day.html

Modlishka – An Open Source Phishing Tool With 2FA Authentication

Modlishka is a flexible and powerful reverse proxy that will take your phishing campaigns to the next level (with minimal effort required from your side). Enjoy :-)

Features

Some of the most important Modlishka features:
- Support for the majority of 2FA authentication schemes (by design).
- No website templates (just point Modlishka to the target domain; in most cases it will be handled automatically).
- Full control of "cross" origin TLS traffic flow from your victims' browsers.
- Flexible and easily configurable phishing scenarios through configuration options.
- Pattern-based JavaScript payload injection.
- Stripping the website of all encryption and security headers (back to 90's MITM style).
- User credential harvesting (with context based on identifiers passed as URL parameters).
- Can be extended with your ideas through plugins.
- Stateless design; can be scaled up easily for an arbitrary number of users, e.g. through a DNS load balancer.
- Web panel with a summary of collected credentials and user session impersonation (beta).
- Written in Go.

Action

"A picture is worth a thousand words": Modlishka in action against an example 2FA (SMS) enabled authentication scheme (image in the original post). Note: google.com was chosen here just as a POC.

Installation

The latest source code version can be fetched from here (zip) or here (tar).
Fetch the code with 'go get':
    $ go get -u github.com/drk1wi/Modlishka
Compile the binary and you are ready to go:
    $ cd $GOPATH/src/github.com/drk1wi/Modlishka/
    $ make
    # ./dist/proxy -h
    Usage of ./dist/proxy:
      -cert string
            base64 encoded TLS certificate
      -certKey string
            base64 encoded TLS certificate key
      -certPool string
            base64 encoded Certification Authority certificate
      -config string
            JSON configuration file. Convenient instead of using command line switches.
      -credParams string
            Credential regexp collector with matching groups. Example: base64(username_regex),base64(password_regex)
      -debug
            Print debug information
      -disableSecurity
            Disable security features like anti-SSRF. Disable at your own risk.
      -jsRules string
            Comma separated list of URL patterns and JS base64 encoded payloads that will be injected.
      -listeningAddress string
            Listening address (default "127.0.0.1")
      -listeningPort string
            Listening port (default "443")
      -log string
            Local file to which fetched requests will be written (appended)
      -phishing string
            Phishing domain to create – Ex.: target.co
      -plugins string
            Comma seperated list of enabled plugin names (default "all")
      -postOnly
            Log only HTTP POST requests
      -rules string
            Comma separated list of 'string' patterns and their replacements.
      -target string
            Main target to proxy – Ex.: https://target.com
      -targetRes string
            Comma separated list of target subdomains that need to pass through the proxy
      -terminateTriggers string
            Comma separated list of URLs from target's origin which will trigger session termination
      -terminateUrl string
            URL to redirect the client after session termination triggers
      -tls
            Enable TLS (default false)
      -trackingCookie string
            Name of the HTTP cookie used to track the victim (default "id")
      -trackingParam string
            Name of the HTTP parameter used to track the victim (default "id")

Usage

Check out the wiki page for a more detailed overview of the tool usage.

FAQ (Frequently Asked Questions)

Blog post

Credits

Thanks for helping with the code go to Giuseppe Trotta (@Giutro).

Link: http://feedproxy.google.com/~r/PentestTools/~3/Z2CV9SS3UmA/modlishka-open-source-phishing-tool.html

Spam Injector Disguised as License Key in WordPress Website

Here at Sucuri, we clean WordPress websites every day. There are various types of common malware, but when we stumble upon a different scenario, our research team likes to dig deeper and conduct a complete investigation.
A license key is a place where a webmaster might not expect to find an infection, however, in this particular case, this is where we found one.
A Spam Injector Resembling a License Key
A client opened a malware removal ticket reporting some weird spam URLs injected onto their WordPress website.
Continue reading Spam Injector Disguised as License Key in WordPress Website at Sucuri Blog.

Link: https://blog.sucuri.net/2019/01/spam-injector-disguised-as-license-key-in-wordpress.html

Hyatt, El Chapo’s IT, and Amazon Key – Paul’s Security Weekly #589

Why Hyatt Is Launching a Public Bug Bounty Program, Amazon Key partners with myQ, Web vulnerabilities up, IoT flaws down, enterprise iPhones will soon be able to use security dongles, and how El Chapo’s IT manager cracked his encrypted chats and brought him down! Paul’s Stories Why Hyatt Is Launching a Public Bug […]
The post Hyatt, El Chapo’s IT, and Amazon Key – Paul’s Security Weekly #589 appeared first on Security Weekly.

Link: http://feedproxy.google.com/~r/securityweekly/Lviv/~3/psQ5mm-ZOJ0/