
Online Banking – The Safe Way

If you’ve got teens, then no doubt you’ve received the SOS texts. ‘Mum, I need a haircut, can you just spot me $30?’ or ‘I’ve just finished footy and I’m starving, can you transfer me some money?’. Where would the modern parent be without online banking? How did our non-digital forefathers ever cope??

Online banking is just so convenient and basically a necessity of modern life. If you’ve recently tried to conduct a transaction at a branch, then you’ll know exactly what I mean. One of my boys recently tried to set up a new account at a local banking branch and they were told to come back the following day. Instead, we went home and did it online in less than 20 minutes!

Aussie banks are world class at implementing a range of security measures to keep our banking safe; however, there are still things we can do to avoid our banking details getting into the hands of hackers. But many of us just assume that ‘all is well’ – our banking apps work seamlessly, so why do we need to worry? And that’s where many come unstuck. If it doesn’t appear to be broken, why do we need to fix it? Well, being ahead of the risks is how you keep yourself safe, my friends. So, here are my top tips to ensure all your family members are banking online in the most secure way possible.

1. Ensure You Are Using Legit Banking Apps

If you’re changing banks or helping your child set up their online banking, it’s essential that you download your bank’s official app. Imitations do exist! Ideally, download the app from the bank’s website; however, if this isn’t an option, use a genuine app store like Apple’s App Store or Google Play for Android devices. And always verify the app is legitimate by checking the developer details and reading the reviews.

Budgeting or financial management apps are an incredibly popular way to help manage finances, but you need to be cautious here too as many will require you to share your banking logins. Always check the app’s reviews, its history of data breaches and its security policies before you download.

2. Ensure your Passwords are Long, Strong and Unique

Using the name of your puppy, your kids or, worse still, your birthday is one of the fastest ways of getting your banking details into the hands of hackers. Passwords need to have no connection to any part of your life, should never be stored in your banking app or anywhere on your phone, and should NEVER, EVER be written on the back of your debit card!! Here are my top tips:

  • Make them long – choose a phrase instead of just 1 word. I love a nonsensical sentence with at least 10 characters.
  • Always include lower and uppercase letters, a number or 2 and a few symbols.
  • Every online account needs its own unique password – no exceptions.
  • Put a reminder in your calendar to update your passwords regularly – at least every 3-6 months.

All sounds too hard? Try a password manager: it will not only create complex passwords that no human could ever think of but also remember them for you. Check out McAfee+, a complete no-brainer!
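To make the tips above concrete, here is an added example (not code from the McAfee post) that checks a candidate password against the rules listed in this section and estimates how much brute-force work it represents. The thresholds beyond the post's wording (one character of each class, the ASCII punctuation set as "symbols") and the function names are assumptions for this example; the sample passwords are constructed.

```python
import math
import string

# Policy from the post: at least 10 characters, lowercase and uppercase
# letters, a number or two, and a few symbols. The exact thresholds below
# (one of each class, string.punctuation as the symbol set) are assumptions
# made for this example.
MIN_LENGTH = 10
SYMBOLS = set(string.punctuation)  # 32 printable ASCII symbols


def policy_violations(password: str) -> list:
    """Return the list of rules the password breaks (empty means it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SYMBOLS for c in password):
        problems.append("no symbol")
    return problems


def estimate_entropy_bits(password: str) -> float:
    """Naive brute-force entropy: log2(pool ** length), where pool is the size of
    the union of character classes actually used. This is an upper bound; a
    dictionary word or a pet's name is far weaker than the number suggests."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in SYMBOLS for c in password):
        pool += len(SYMBOLS)
    return len(password) * math.log2(pool) if pool else 0.0


def is_reused(password: str, passwords_on_other_accounts) -> bool:
    """The 'unique per account' rule: True if this password is already in use."""
    return password in set(passwords_on_other_accounts)


if __name__ == "__main__":
    # Constructed sample passwords: a pet-name-plus-year and a nonsensical phrase.
    for pw in ("rex2015", "Purple!Cactus7Sings"):
        print(pw, policy_violations(pw), round(estimate_entropy_bits(pw), 1))
```

The entropy figure is deliberately a ceiling: it assumes an attacker must try every combination, whereas a pet's name followed by a year is among the first guesses any cracking wordlist makes. That is why the length rule matters more than sprinkling in a symbol or two.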

3. Say No to Public Wi-Fi

Geez, public Wi-Fi is convenient, particularly if you are travelling. But using it to undertake any banking or financial dealings is just too risky, in my opinion. Why? I hear you ask. Well, there are many ways hackers can hack public Wi-Fi; let me share a few:

  • ‘Evil twin’ attack. This is when hackers set up malicious hotspots with seemingly logical and trustworthy names, e.g. ‘Free Café Wi-Fi’. But as soon as you connect, they can easily get their hands on your data.
  • Man-in-the-middle attack (MitM). This is when hackers break into a network and eavesdrop on data as it travels between connected devices and the Wi-Fi router. For example, your online banking password!
  • Password cracking attack. Scammers use software that automatically tries a huge volume of usernames and passwords so they can control the router. And once they’ve gained control, they can dupe you into downloading malicious software (that could steal your identity) or redirect you to a webpage that phishes for your personal information.

If you don’t think you can possibly survive without public Wi-Fi, then you need to invest in a VPN that will ensure everything you share is protected.

4. Activate Two Factor Authentication

If your bank offers two-factor authentication to its customers, then your answer needs to be ‘yes please’! Two-factor authentication, or multi-factor authentication, adds another layer of verification to your banking, which minimises the chances of a hacker causing you harm. If you’ve activated it, you’ll be asked to provide another piece of information after you’ve entered your login details. Usually a special code, this may be delivered to you via an app, text message or even an automated phone call.

5. Request Alerts From Your Bank

It will take just a few minutes to ring your bank and request to be notified when activity occurs on your account. Every bank will manage this differently; however, most banks can alert you on request via email or text if the following occur:

  • Low or high balances
  • New credit and debit transactions
  • New linked external accounts
  • Failed login attempts
  • Password changes
  • Personal information updates

And if anything at all seems a little fishy, contact your bank immediately!

Unfortunately, few things are guaranteed in life and that includes your online safety. And whether you’re an online banking fan or not, opting out isn’t really an option. So, take some time to tighten up your online banking. Only use legit apps; change your passwords so they are long, strong and complex; invest in a VPN so you can use public Wi-Fi and say yes to two-factor authentication. You’ve got this!

Happy banking!!

Alex

The post Online Banking – The Safe Way appeared first on McAfee Blog.

Awesome-Password-Cracking - A Curated List Of Awesome Tools, Research, Papers And Other Projects Related To Password Cracking And Password Security

A curated list of awesome tools, research, papers and other projects related to password cracking and password security.

Read the guidelines before contributing! In short:


Books

Cloud

  • Cloud_crack - Crack passwords using Terraform and AWS.
  • Cloudcat - A script to automate the creation of cloud infrastructure for hash cracking.
  • Cloudstomp - Automated deployment of instances on EC2 via plugin for high CPU/GPU applications at the lowest price.
  • Cloudtopolis - A tool that facilitates the installation and provisioning of Hashtopolis on the Google Cloud Shell platform, quickly and completely unattended (and also, free!).
  • NPK - NPK is a distributed hash-cracking platform built entirely of serverless components in AWS including Cognito, DynamoDB, and S3.
  • Penglab - Abuse of Google Colab for cracking hashes.
  • Rook - Automates the creation of AWS p3 instances for use in GPU-based password cracking.

Conversion

  • 7z2hashcat - Extract information from password-protected .7z archives (and .sfx files) such that you can crack these "hashes" with hashcat.
  • MacinHash - Convert macOS plist password file to hash file for password crackers.
  • NetNTLM-Hashcat - Converts John The Ripper/Cain format hashes (singular, or in bulk) to HashCat compatible hash format.
  • Rubeus-to-Hashcat - Converts / formats Rubeus kerberoasting output into hashcat readable format.
  • WINHELLO2hashcat - With this tool one can extract the "hash" from a WINDOWS HELLO PIN. This hash can be cracked with Hashcat.
  • bitwarden2hashcat - A tool that converts Bitwarden's data into a hashcat-suitable hash.
  • hc_to_7z - Convert 7-Zip hashcat hashes back to 7z archives.
  • hcxtools - Portable solution for conversion of cap/pcap/pcapng (gz compressed) WiFi dump files to hashcat formats.
  • itunes_backup2hashcat - Extract the information needed from the Manifest.plist files to convert it to hashes compatible with hashcat.
  • mongodb2hashcat - Extract hashes from the MongoDB database server to a hash format that hashcat accepts: -m 24100 (SCRAM-SHA-1) or -m 24200 (SCRAM-SHA-256).

Hashcat

Hashcat is the "World's fastest and most advanced password recovery utility." The following are projects directly related to Hashcat in one way or another.

  • Autocrack - A set of client and server tools for automatically, and lightly automatically cracking hashes.
  • docker-hashcat - Latest hashcat docker for Ubuntu 18.04 CUDA, OpenCL, and POCL.
  • Hashcat-Stuffs - Collection of hashcat lists and things.
  • hashcat-utils - Small utilities that are useful in advanced password cracking.
  • Hashfilter - Read a hashcat potfile and parse different types into a sqlite database.
  • known_hosts-hashcat - A guide and tool for cracking ssh known_hosts files with hashcat.
  • pyhashcat - Python C API binding to libhashcat.

Automation

  • autocrack - Hashcat wrapper to help automate the cracking process.
  • hashcat.launcher - A cross-platform app that runs and controls hashcat.
  • hat - An Automated Hashcat Tool for common wordlists and rules to speed up the process of cracking hashes during engagements.
  • hate_crack - A tool for automating cracking methodologies through Hashcat from the TrustedSec team.
  • Naive hashcat - Naive hashcat is a plug-and-play script that is pre-configured with naive, empirically-tested, "good enough" parameters/attack types.

Distributed cracking

  • CrackLord - Queue and resource system for cracking passwords.
  • fitcrack - A hashcat-based distributed password cracking system.
  • Hashtopolis - A multi-platform client-server tool for distributing hashcat tasks to multiple computers.
  • Kraken - A multi-platform distributed brute-force password cracking system.

Rules

  • clem9669 rules - Rule for hashcat or john.
  • hashcat rules collection - Probably the largest collection of hashcat rules out there.
  • Hob0Rules - Password cracking rules for Hashcat based on statistics and industry patterns.
  • Kaonashi - Wordlist, rules and masks from Kaonashi project (RootedCON 2019).
  • nsa-rules - Password cracking rules and masks for hashcat generated from cracked passwords.
  • nyxgeek-rules - Custom password cracking rules for Hashcat and John the Ripper.
  • OneRuleToRuleThemAll - "One rule to crack all passwords. or atleast we hope so."
  • pantagrule - Large hashcat rulesets generated from real-world compromised passwords.

Rule tools

  • duprule - Detect & filter duplicate hashcat rules.

Web interfaces

  • crackerjack - CrackerJack is a Web GUI for Hashcat developed in Python.
  • CrackQ - A Python Hashcat cracking queue system.
  • hashpass - Hash cracking WebApp & Server for hashcat.
  • Hashview - A web front-end for password cracking and analytics.
  • Wavecrack - Wavestone's web interface for password cracking with hashcat.
  • WebHashCat - WebHashcat is a very simple but efficient web interface for hashcat password cracking tool.

John the Ripper

John the Ripper is "an Open Source password security auditing and password recovery tool available for many operating systems." The following are projects directly related to John the Ripper in one way or another.

  • BitCracker - BitCracker is the first open source password cracking tool for memory units encrypted with BitLocker.
  • johnny - GUI frontend to John the Ripper.

Misc

  • hashID - Software to identify the different types of hashes.
  • Name That Hash - Don't know what type of hash it is? Name That Hash will name that hash type! Identify MD5, SHA256 and 300+ other hashes. Comes with a neat web app.

Websites

Communities

  • hashcat Forum - Forum by the developers of hashcat.
  • Hashmob - A growing password recovery community aimed towards being a center point of collaboration for cryptography enthusiasts.
  • Hashkiller Forum - A password cracking forum with over 20,000 registered users.

Lookup services

  • CMD5 - Provides online MD5 / SHA1 / MySQL / SHA256 encryption and decryption services.
  • CrackStation - Free hash lookup service supplying wordlists as well.
  • Hashes.com - A hash lookup service with paid features.
  • Hashkiller - A hash lookup service with a forum.
  • Online Hash Crack - Cloud password recovery service.

Wordlist tools

Tools for analyzing, generating and manipulating wordlists.

Analysis

  • PACK - A collection of utilities developed to aid in analysis of password lists in order to enhance password cracking through pattern detection of masks, rules, character-sets and other password characteristics.
  • pcfg_cracker - This project uses machine learning to identify password creation habits of users.
  • Pipal - THE password analyser.

Generation/Manipulation

  • common-substr - Simple tool to extract the most common substrings from an input text. Built for password cracking.
  • Crunch - Crunch is a wordlist generator where you can specify a standard character set or a character set you specify. Crunch can generate all possible combinations and permutations.
  • CUPP - A tool that lets you generate wordlists by user profiling data such as birthday, nickname, address, name of a pet or relative etc.
  • duplicut - Remove duplicates from MASSIVE wordlist, without sorting it (for dictionary-based password cracking).
  • Gorilla - Tool for generating wordlists or extending an existing one using mutations.
  • Keyboard-Walk-Generators - Generate Keyboard Walk Dictionaries for cracking.
  • kwprocessor - Advanced keyboard-walk generator with configurable basechars, keymap and routes.
  • maskprocessor - High-performance word generator with a per-position configurable charset.
  • maskuni - A standalone fast word generator in the spirit of hashcat's mask generator with unicode support.
  • Mentalist - Mentalist is a graphical tool for custom wordlist generation. It utilizes common human paradigms for constructing passwords and can output the full wordlist as well as rules compatible with Hashcat and John the Ripper.
  • Phraser - Phraser is a phrase generator using n-grams and Markov chains to generate phrases for passphrase cracking.
  • princeprocessor - Standalone password candidate generator using the PRINCE algorithm.
  • Rephraser - A Python-based reimagining of Phraser using Markov-chains for linguistically-correct password cracking.
  • Rling - RLI Next Gen (Rling), a faster multi-threaded, feature rich alternative to rli found in hashcat utilities.
  • statsprocessor - Word generator based on per-position markov-chains.
  • TTPassGen - Flexible and scriptable password dictionary generator which supports brute-force, combination, complex rule modes etc.
  • token-reverser - Words list generator to crack security tokens.
  • WikiRaider - WikiRaider enables you to generate wordlists based on country specific databases of Wikipedia.

Wordlists

Language specific

  • Albanian wordlist - A mix of names, last names and some Albanian literature.
  • Danish Phone Wordlist Generator - This tool can generate wordlists of Danish phone numbers by area and/or usage (mobile, landline etc.). Useful for password cracking or fuzzing Danish targets.
  • Danish Wordlists - Collection of Danish wordlists for cracking Danish passwords.
  • French Wordlists - This project aims to provide French wordlists covering everything a person could use as a base password.

Other

  • Packet Storm Wordlists - A substantial collection of different wordlists in multiple languages.
  • Rocktastic - Includes many permutations of passwords and patterns that have been observed in the wild.
  • RockYou2021 - RockYou2021.txt is a MASSIVE WORDLIST compiled of various other wordlists.
  • WeakPass - Collection of large wordlists.

Specific file formats

PDF

  • pdfrip - A multi-threaded PDF password cracking utility equipped with commonly encountered password format builders and dictionary attacks.

PEM

JKS

  • JKS private key cracker - Cracking passwords of private key entries in a JKS file.

ZIP

  • bkcrack - Crack legacy zip encryption with Biham and Kocher's known plaintext attack.
  • frackzip - Small tool for cracking encrypted ZIP archives.

Artificial Intelligence

  • adams - "Reducing Bias in Modeling Real-world Password Strength via Deep Learning and Dynamic Dictionaries": code for cracking passwords with neural networks.
  • RNN-Passwords - Using the char-rnn to learn and guess passwords.
  • rulesfinder - This tool finds efficient password mangling rules (for John the Ripper or Hashcat) for a given dictionary and a list of passwords.

Research

Papers

Talks
