Craig Hays

All Articles

Phishing with Worms – The Greatest Password Theft I’ve Ever Seen

September 29, 2020 By Craig Hays

Reading Time: 6 minutes

I got hit by a devastating worm that spread through phishing. This is how it worked and what I learned from it.

Photo by Miguel Á. Padriñán from Pexels

A long time ago in a world without Multi-Factor Authentication…

The first report came in shortly after 10 am. A user had fallen victim to a phishing attack. Their account was spamming out an unusual amount of email, triggering an alert. Another day, another attack.

The response team hit the big red ‘account breached’ button, locking the compromised account down, then we started to investigate. We were looking for the root cause of the compromise and any damage that had been caused. Applications used, data downloaded, emails sent, etc.

The second report came in at 10:10 am. This wasn’t uncommon. Emails that made it through the filtering rules tended to hit a number of people at the same time. If you land enough phishing emails of reasonable quality it’s almost inevitable that one or two people will fall for them.

The third report came in at 10:14. As did the fourth, the fifth, and the sixth. Now, this was unusual.


Five Life Lessons Learned by Learning to Cook

September 22, 2020 By Craig Hays

Reading Time: 4 minutes

Cooking is a tough teacher and a harsh critic. Either your food is delicious, or it isn’t.

Photo by Lukas from Pexels

I used to be a terrible cook. Insert your stereotypical bad home cooking anecdote here… that was me. Then my wife and I signed up for a popular cook-at-home subscription box and suddenly things started to change.

Having struggled with cookbooks for years, being handed a Lego-style assembly kit for restaurant-quality food just seemed to click with me for some reason. The barrier of entry, preparing a shopping list and not forgetting anything while at the supermarket, was gone. I had everything I needed in order to start.

Over the coming months, I gradually learned how to cook. I developed knife skills. I learned the fundamentals of combining ingredients to enhance the overall flavour. Patterns started to emerge. Not only did I learn some valuable lessons about cooking, but cooking taught me some valuable lessons about life.

So here they are.

Table of Contents

  • 1. Prepare Everything Before Food Meets Heat
  • 2. Figure Out the Bigger Picture
  • 3. Understand The Whole Process
  • 4. Sometimes Things Burn
  • 5. Creativity is a Risk, But One You Should Take

1. Prepare Everything Before Food Meets Heat

Mise en place is a beautiful French culinary term which quite literally means “put in place”. Everything a chef needs to cook a delicious meal is prepared in advance and positioned ready to be used at just the right time. Salmon is sliced. Herbs are picked, washed, and chopped. Potatoes are peeled. Knives, frying pans, oils, and seasonings are all where they’re supposed to be.

For a meal to turn out right every time you cook it, you can’t be hunting through drawers looking for a lemon zester while your sauce burns on the hob.

For years I refused to do this. “Why should I waste extra time before I start cooking when I can do all of that while I’m waiting for…”. I was missing the point. It was very short-term thinking.

Trying to prepare ingredients while jostling pots and pans is like trying to put on a parachute after you’ve already jumped out of the plane. Yeah, it’s possible to pull it off, but why take the risk?

Cooking when you’re fully prepared, when your ‘mise en place’ is just right, is rewarding, relaxing, and even enjoyable. There will be times when you can pause and reflect, watching what you’re creating take shape. Pour yourself a glass of wine. Enjoy a fresh cup of coffee. Check Facebook… whatever makes you happy. When you’re prepared you can enjoy your experiences.

Cooking while unprepared is like commuting to the office after you’ve slept in and missed your usual train. The whirlwind performance of a TV chef is food-theatre. Fun to watch but stressful to recreate.

Now when I cook I take time to prepare. I’d rather spend 5 extra minutes before starting to ensure I get it right than save the 5 minutes and waste the next hour as my evening goes up in smoke.

2. Figure Out the Bigger Picture

Whatever it is you’re doing, it’s important to know how your current task fits into the end result. If you understand what you’re trying to achieve, when things go wrong you can adapt and improvise within the constraints of the goal and still make it work.

Following a recipe step-by-step like a robot following instructions might result in a delicious meal but you probably won’t take much away from the experience. Unless you step back and look at what is going on you risk missing the lessons that are right in front of you.

As Chuck Palahniuk said, “the trick to forgetting the big picture is to look at everything close-up.”

3. Understand The Whole Process

Something I try to do when cooking a new recipe or attempting a new task for the first time is to read through all of the instructions from start to finish a couple of times before doing anything at all. At first, it can be a daunting set of instructions that are impossible to remember, but in time, especially with cooking, you’ll start to detect common patterns between recipes.

As you gain experience you will be able to condense instructions into sequences of ‘another one of those things I’ve done before’. Separate leaves and stems, then roughly chop the herbs. Cube the root vegetables for faster cooking. Make a roux for the sauce with fat and flour, then add flavour. Cookbooks don’t usually break cooking down into common themes. Every recipe is a standalone set of instructions. The bridge between them all is in your own understanding.

Only when you detach and review the whole process in full will reusable learnings become clear.

4. Sometimes Things Burn

We all make mistakes. We apply our attention to the wrong thing at the right time. Dishes burn. We try and we fail. Things go in the bin.

That’s part of learning. The takeaway here is to reflect on why it burned. What were we doing that we shouldn’t have, and what should we have been doing instead? How can we improve next time?

5. Creativity is a Risk, But One You Should Take

Sometimes you tweak a recipe and magic happens. Other times it sucks and everything goes in the bin. Taking risks is fine, essential even, as long as you do it at the appropriate time with the right risk mitigation in place.

Add a squeeze of lemon if you feel like it might work, just don’t do it on Christmas Day when the in-laws are on their way. Save your failures for when it’s OK to fail, and learn when to play it safe.

Why Hackers Love User Accounts and How They Hack Them

September 4, 2020 By Craig Hays

Reading Time: 5 minutes

User accounts are still the number one target for criminals. This is why they are so desirable and how hackers hack user accounts every day.

Photo by Kelly Sikkema on Unsplash

When we think of cyber attacks we often think of scenes resembling those from Hollywood movies. Cybercriminals, slouched over a keyboard, furiously typing, and hunting for vulnerabilities in a piece of software exposed to the internet.

Security vendors leverage this perception in their marketing efforts. I still find it amazing how much fear selling takes place from companies like Tenable, Rapid7, and Qualys, to name a few. Granted, they’re selling software designed to detect known vulnerabilities in other pieces of software, but they exploit the common perception that the sky is falling and that hackers are seconds away from compromising your IT systems.

In reality, most of the cybercrime committed today is done through legitimate user accounts. Real user accounts belonging to real people which have been taken over by hackers with criminal intent. Why is this the case?

Table of Contents

  • Hacking People is Easy. Hacking Software is Hard
  • Three Ways Hackers Steal Your User Accounts
    • 1. Guessing Your Password
    • 2. Finding Your Password In Someone Else’s Data Breach
    • 3. Asking You For Your Password (And You Giving It To Them!)
  • What Can We Do To Fight Back?
    • Use Multi-Factor Authentication
    • Use Strong Passwords
    • Use Different Passwords on Every Website
    • Use a Password Manager

Hacking People is Easy. Hacking Software is Hard

People are vulnerable by design. Human nature makes us susceptible to being hacked in any number of ways.

When we use software and computer systems we typically log in using a unique username and password that identifies us, proves that we are who we say we are (authentication), and confirms that we’re permitted to do what we’re asking to do (authorization). When a hacker logs in with our user account they instantly get access to do all of the things we are allowed to do.

Software, on the other hand, can be very difficult to manipulate. Even once you’ve found a vulnerability and created an exploit to gain access to something you shouldn’t, you still need to figure out a way to make it do what you want. This is a very time-consuming and expensive process. The question hackers ask themselves all the time is ‘why would I waste all of that effort hacking into a computer system when I could just log in as a legitimate user instead?’

This is why user accounts are such a big target. The right account in the wrong hands can move millions of dollars between banks in a few minutes. Trying to do the same thing with a software exploit could take months or even years and isn’t always possible.

Three Ways Hackers Steal Your User Accounts

1. Guessing Your Password

The first way for hackers to break into one or more of your user accounts is to simply guess your password.

The top 10 passwords for 2019, based on publicly known password breaches, are:

  1. 123456
  2. 123456789
  3. qwerty
  4. password
  5. 1234567
  6. 12345678
  7. 12345
  8. iloveyou
  9. 111111
  10. 123123

Based on these passwords it is reasonable to assume that most of them were created on mobile devices. The top 10 passwords have shifted over the last decade from common words to common number patterns as the ubiquity of smartphones has steadily increased.

Do you use any of these passwords for any of your accounts? Do you have anything similar?

For anyone not using one of the most common passwords, a little research into the individual makes the other formats people use easy to guess. Combinations of the following make up the vast majority of the passwords in use today: names of partners, children, pets, football teams, cities, countries, dates of birth, seasons, years, and colours.

I’ve cracked a lot of passwords in my career and I’ve analyzed 1.4 billion clear-text passwords to improve my understanding of how people think about password creation. With a good enough wordlist, you don’t even need to find a Facebook page to guess most people’s passwords.

2. Finding Your Password In Someone Else’s Data Breach

As mentioned in the previous point, there’s a publicly available list of 1.4 billion usernames and passwords on the internet for anyone to download. That’s just one list out of many out there. Every day, additional websites are hacked and new username and password combinations are leaked to buyers on the black market.

Just as your web browser offers to remember and fill in your passwords for you, there’s a password-completing browser extension that criminals can use to make life easier for them when taking advantage of your stolen passwords.

3. Asking You For Your Password (And You Giving It To Them!)

Phishing is an attack where criminals send you an email or SMS text message pretending to be someone else: typically a company, organisation, friend, or authority figure whose instructions you would be inclined to follow. The message will contain a link to a website asking you to log in, or it could include an attachment. The attachment will then take you to a website, again asking you to log in, or it will run something harmful on your device which could allow it to steal your personal data, including passwords.

Linking to a login form is the most common. It’s surprising how many people still fall for phishing emails today, but phishing emails are often well written and designed specifically to invoke an emotional response in the reader. Emotions overpower logic and reason. People do strange things in a panic.

What Can We Do To Fight Back?

Here are a few things we can do to defend against password theft.

Use Multi-Factor Authentication

Multi-Factor Authentication, or MFA for short, is the use of something in addition to your password to prove that you are who you say you are. For authentication to count as multi-factor, you need to combine two or more of the following:

  • Something you know (your password)
  • Something you have (your smartphone)
  • Something you are (your fingerprint)

Smartphone apps or SMS text messages are the most commonly used second factor. While it is possible to bypass MFA-protected logins that use SMS messages, it takes a lot more effort and involves contacting your mobile phone provider and convincing them that you’ve lost your phone. Without a second authentication factor, as soon as someone has your password they’re in and your account has been hacked.

Use Strong Passwords

The stronger your password is, the harder it is to guess. Google recommends:

“Long passwords are stronger, so make your password at least 8 characters long. These tips can help you create longer passwords that are easier to remember. Try to use:

  • A lyric from a song or poem
  • A meaningful quote from a movie or speech
  • A passage from a book
  • A series of words that are meaningful to you
  • An abbreviation: Make a password from the first letter of each word in a sentence”
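The weaknesses described above (the 2019 top-10 list, the shift to number patterns, the name-plus-year formats, and Google’s minimum length) turned into a defensive password check. This is an added example, not code from the article; the pattern heuristics are my own and deliberately simple.

```python
import re

# The 2019 top-10 breached passwords listed in the article.
TOP_10_2019 = [
    "123456", "123456789", "qwerty", "password", "1234567",
    "12345678", "12345", "iloveyou", "111111", "123123",
]
MIN_LENGTH = 8  # Google's "at least 8 characters" advice quoted above
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def _is_sequence(s):
    """True for straight runs such as 123456, abcdef or 987654."""
    if len(s) < 4:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps == {1} or steps == {-1}


def _is_keyboard_walk(s):
    """True when s is a slice of one keyboard row, forwards or backwards."""
    return len(s) >= 4 and any(s in row or s in row[::-1] for row in KEYBOARD_ROWS)


def _is_repeated_block(s):
    """True for patterns built by repeating a short block: 111111, 123123, abab."""
    for size in range(1, len(s) // 2 + 1):
        if len(s) % size == 0 and s[:size] * (len(s) // size) == s:
            return True
    return False


def check_password(pw):
    """Return the reasons a password is weak; an empty list means it passed."""
    reasons = []
    lowered = pw.lower()
    core = re.sub(r"[^a-z0-9]", "", lowered)  # ignore spaces/punctuation for pattern tests
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in TOP_10_2019:
        reasons.append("in the 2019 top-10 breached password list")
    elif any(common in lowered for common in TOP_10_2019 if len(common) >= 6):
        reasons.append("contains a top-10 password")  # e.g. password1, qwerty!!
    if _is_sequence(core):
        reasons.append("a straight numeric or alphabetic sequence")
    if _is_keyboard_walk(core):
        reasons.append("a keyboard walk")
    if _is_repeated_block(core):
        reasons.append("a repeated block of characters")
    if re.fullmatch(r"[a-z]+(19|20)\d{2}", lowered):  # Summer2019, Liverpool1998, ...
        reasons.append("a word followed by a year")
    return reasons
```

A real deployment would swap the ten-entry list for a full breach corpus lookup; the structure stays the same.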

Use Different Passwords on Every Website

As shown by the 1.4 billion username and password list, as soon as one website is hacked, any other accounts on other websites you use with the same username and password are vulnerable to a takeover by a hacker.

We’ve all done it in the past, including me. We pick a handful of memorable passwords and use them across a range of sites. If you ever forget which one you’ve used you can always try them all until you get in. Eventually, it works. This is what hackers do too.

Use a different password on every website. That way, if your password ever gets leaked, it won’t be usable on any other website. As a bonus, if you know which site a password was used on, you’ll know which sites have been hacked when your passwords do become public.

Use a Password Manager

Let’s be realistic… Having a separate password for every account is unmanageable for most of us. We can’t remember that many unique password combinations. Instead, use a password manager to store unique, strong passwords for all of your accounts.

Modern web browsers have password managers built-in. Companies like 1Password, LastPass, and Dashlane all offer free or paid-for alternatives. There are many options out there and you’re free to choose whichever you prefer. But please, use one and you’ll only need to remember one, very, very strong password to keep all your accounts safe.

How to Sell Counterfeit Cash on Instagram in 7 Easy Steps

August 22, 2020 By Craig Hays

Reading Time: 7 minutes

How scammers sell fake ‘counterfeit’ cash on Instagram for big profits at the expense of the needy and greedy.


I encountered a counterfeit cash seller on Instagram. Naturally, I tried to purchase £4,000 in fake bills for just £300. What a steal. Here’s what I learned.


How I Built And Launched A Web App In Under 8 Hours

July 21, 2020 By Craig Hays

Reading Time: 9 minutes

A walkthrough of my rapid web app minimum viable product (MVP) development. Talking you through idea creation, design, build, test, and deployment.

Photo by Oladimeji Ajegbile on Unsplash

Table of Contents

  • Summary
  • Generating a Web Application Idea
  • Basic Design
  • Picking a Domain Name
  • Creating a Basic Webpage for my App
  • Creating A Logo For My Web App
  • Creating My Web App’s API
    • The Best Programming Language for Creating Web App MVPs
    • Getting Data And Returning It To The User
    • Testing
  • Deployment to Production
  • Post Deployment Fiddling
  • Launching the Web App
  • Wrapping Up

Summary

I designed, built, and launched a minimum viable product (MVP) web application in under 8 hours. While it could have been done in a single day, I did this over several evenings and a weekend or two. (This might be important as you can often solve difficult problems in your head, away from the keyboard while doing other chores).

The app, myFeedium.com, is a twitter-like timeline of stories for Medium.com. This is functionality missing from the core Medium.com product and something I wanted, so I made it myself. If you find it useful or have any feedback please get in touch!

  • Email: [email protected]
  • Twitter: @craighays
  • Or leave me a comment at the bottom of this article

Try the web app: https://myFeedium.com

Generating a Web Application Idea

Like many product creation stories, the idea for myFeedium came from a moment of my own need. I sat down with a cup of coffee and the intention to read the latest posts from people I follow on medium.com. I opened the Android app and realised there was no way to view a timeline of posts from the people I follow. Then, doing the same thing on my laptop, I realised there was no native functionality within the Medium website.

Medium.com generates a story feed for users based on people they follow, their interests, past reading history, current trends, and all sorts of other factors. The feed you get isn’t the latest set of stories that have been published but Medium’s curated list of things they want to show you. What I wanted wasn’t there so I decided to create it myself. Find a gap and fill it.

Basic Design

In my head, I came up with a basic design based on work I’d done in the past. The site would be a static HTML page with javascript that would pull data from my own API and render it inside the page. The API would grab a list of people a user follows from https://medium.com/@craighays/following (or whichever username was entered) then fetch all of their recent posts via the RSS feed https://medium.com/feed/@craighays. Once all of the posts have been gathered they would be sorted by time and displayed to the end-user.

Simple. In theory…

I spent a few minutes poking around inside the Medium.com website to see how data was gathered. There are a few different ways to get data, including a GraphQL API, but I found those two links have the best performance.

Time spent – 5 minutes.
Total time – 5 minutes.

Picking a Domain Name

As with any project, the first thing I did was spend 20 minutes on a domain registration site trying to find a .com domain name for a name that wasn’t awful. I failed. I settled on myFeedium.com, a name-smash of ‘my feed’ and ‘medium’. It will do for now.

If I was launching a company I’d also want to register Twitter, Facebook, YouTube, Instagram, Snapchat, Pinterest, Medium, and other usernames to go with the company brand. As I just wanted to build a tool for myself, I didn’t feel the need to grab any of them.

Time spent – 20 minutes.
Total time – 25 minutes.

Creating a Basic Webpage for my App

With my basic single-page design in mind, I knew that I would fetch data from medium.com and ajax it into the page with jQuery. Therefore, I needed a static web page to work with. I’m an awful web designer at the best of times so I always use templates from people who actually know what they’re doing. And for an extension to the Medium.com website, what better than to view their source code and tailor it to my needs.

I went to the Medium.com homepage, right-clicked the page, hit view-source and copied and pasted the HTML, CSS, and javascript into my own index.html page. Now I had a static, responsive web page that looked exactly like Medium.com.

Using the Chrome developer tools to inspect the source code and highlight elements as I moused over them, I identified bits of the page I didn’t want and removed them from my index.html page. I took out all of the non-functional code that Medium uses for other stuff like click tracking and javascript events that I wouldn’t implement, then I added my own banner, some welcome text to describe the app and how to use it, then a form to submit data. I liked the placeholder lines for articles so I left them in place as filler to show where the content would eventually go after a page load. It looked something like this:

My basic HTML page for my single-page web app

Time spent – 1 hour
Total time – 1 hour 25 minutes

Creating A Logo For My Web App

My static page now needed a logo. What I left out of that screenshot was the Medium logo at the top of the page. While I can justify adapting their HTML code, I can’t justify stealing their logo. That’s not cool. So I Googled ‘what font does Medium use’ and discovered that they’re currently using ‘Noe Display Medium’. Another quick Google later and I discovered that the developers of the Noe Display font have their own website.

Their site lets you demo the font in action. I typed myFeedium into their demo tool and took a screenshot and that was the logo created:

myFeedium logo created in 30 seconds

Medium actually uses SVG rendering for their logo but I didn’t feel the need for that complexity yet. I wanted to spend my time on getting something working instead of being fancy – an image will work just fine for day one.

Next, I needed a favicon to go with the logo so I opened it in photoshop, dropped the ‘my’ and ‘eedium’, and then inverted the colours. Favicon done:

myFeedium.com favicon

Time spent – 5 minutes
Total time – 1 hour 30 minutes

Creating My Web App’s API

While it would be great to use the client’s browser to fetch data from Medium.com, I would then be forcing users to carry out excessive and repeated cycles of downloading data and processing it in javascript. This isn’t nice on mobile bandwidth or battery usage. I knew I needed to do everything in an API and return the computed answer to end-users in order to give them the best experience. I needed a simple API, so I wrote one in PHP.

The Best Programming Language for Creating Web App MVPs

I’ve been writing PHP since I first got access to the internet. I don’t even know why. At college, they taught us Visual Basic. At university I learned Java, JavaScript, C, Perl, and C++. Somewhere I picked up PHP and it’s been my go-to web language ever since. The best programming language to use for any MVP is the one that you know inside out. Pick a language you can achieve almost anything with, without resorting to Google or the language documentation every 30 seconds.

For an MVP, speed of development is critical. Your greatest enemy is boredom. Without the gratification of seeing something working soon after you start the project you risk losing interest in the idea. How many half-started projects do you have saved in your Github account? I know I have a lot. Most will never see the light of day. Hundreds of hours of effort gone to waste because I got bored. Don’t get bored.

When speed of development is important, familiarity with the language is key. Don’t try to create an MVP while learning Rails or Django for the first time. Use what you know, even if it sucks. (I don’t actually think PHP sucks, I think it’s awesome, but that’s another article.)

Getting Data And Returning It To The User

My web app has one API call: getFeed.php. When you provide a username it grabs all of the accounts they follow from https://medium.com/@username/following. Then, for each username it finds, it grabs their RSS feed from https://medium.com/feed/@username, cleans up the data, then adds it to a big array. Finally, it sorts the array by publication date and returns HTML to render into the static page. Simple really.

Except I soon discovered that medium.com has a rate limit on the RSS feed. After a few requests, I started getting HTTP 429 responses. I had two choices: add a delay between requests which would make the API really slow, or add some form of caching of responses to minimise the number of requests per minute. I opted for the latter and added a Redis cache.

During testing, I discovered most people follow the same writers. The more traffic the site gets, the warmer the Redis cache will remain (in theory). We’ll see how that plays out in practice. Finally, I added some error handling to mask 429s on feeds that weren’t yet in the cache, knowing they would be picked up next time around. As for staleness of data, each cached value is set to expire after X minutes so that new author posts will be gathered within a short period of time after publishing, without degrading the user experience by removing the feed from the Redis cache too quickly. I still need to tweak the value of X but for now, it feels right.

This was pretty challenging as there were lots of little issues, edge cases, problems, and usability issues that needed fixing. I think I spent most of my time here just trying to get it right.
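The getFeed.php flow described above (fetch each followed author’s RSS feed, cache it with an expiry, mask 429s on feeds not yet cached, merge everything and sort by publication date) as an added Python example. This is not the myFeedium code: a dict-backed TTL cache stands in for Redis, a fake rate-limited upstream stands in for medium.com, and the feeds are constructed sample data.

```python
import time
import email.utils
import xml.etree.ElementTree as ET


class RateLimited(Exception):
    """Raised by the upstream stand-in in place of an HTTP 429 response."""


class TtlCache:
    """Dict-backed cache with per-key expiry, mimicking Redis SETEX/GET; `now` is injectable."""
    def __init__(self, now=time.time):
        self._now, self._store = now, {}
    def get(self, key):
        item = self._store.get(key)
        if item is None:
            return None
        value, expires_at = item
        if self._now() >= expires_at:  # expired: drop it and report a miss
            del self._store[key]
            return None
        return value
    def setex(self, key, ttl, value):
        self._store[key] = (value, self._now() + ttl)


def parse_feed(xml_text, author):
    """Reduce an RSS document to (timestamp, author, title, link) tuples."""
    posts = []
    for item in ET.fromstring(xml_text).iter("item"):
        when = email.utils.parsedate_to_datetime(item.findtext("pubDate"))
        posts.append((when.timestamp(), author, item.findtext("title"), item.findtext("link")))
    return posts


def build_timeline(followed, fetch_feed, cache, ttl=600):
    """Merge every followed author's feed, newest first.  fetch_feed(author) returns RSS
    XML or raises RateLimited; a 429 on an uncached author is masked (skipped and
    reported) so the next request can pick that feed up once the limit clears."""
    posts, skipped = [], []
    for author in followed:
        key = f"feed:{author}"
        parsed = cache.get(key)
        if parsed is None:
            try:
                parsed = parse_feed(fetch_feed(author), author)
            except RateLimited:
                skipped.append(author)
                continue
            cache.setex(key, ttl, parsed)
        posts.extend(parsed)
    posts.sort(key=lambda p: p[0], reverse=True)
    return posts, skipped


def _rss(*items):
    """Build a minimal RSS document from (title, link, pubDate) tuples."""
    body = "".join(f"<item><title>{t}</title><link>{l}</link><pubDate>{d}</pubDate></item>"
                   for t, l, d in items)
    return f"<rss><channel>{body}</channel></rss>"


SAMPLE_FEEDS = {  # constructed sample data, not real Medium feeds
    "alice": _rss(("Alice 2", "https://example.invalid/a2", "Wed, 22 Jul 2020 09:00:00 GMT"),
                  ("Alice 1", "https://example.invalid/a1", "Tue, 21 Jul 2020 10:00:00 GMT")),
    "bob": _rss(("Bob 1", "https://example.invalid/b1", "Tue, 21 Jul 2020 18:00:00 GMT")),
}


class FakeMedium:
    """Upstream stand-in: allows `budget` fetches per rate-limit window, then 429s."""
    def __init__(self, budget):
        self.budget, self.calls = budget, 0
    def new_window(self):
        self.calls = 0
    def fetch(self, author):
        self.calls += 1
        if self.calls > self.budget:
            raise RateLimited(author)
        return SAMPLE_FEEDS[author]


def demo():
    """Three requests showing 429 masking, a warm cache, and expiry-driven refetch."""
    clock = [1000.0]
    cache = TtlCache(now=lambda: clock[0])
    upstream = FakeMedium(budget=1)
    followed = ["alice", "bob"]
    first = build_timeline(followed, upstream.fetch, cache)   # bob is 429'd and masked
    upstream.new_window()
    second = build_timeline(followed, upstream.fetch, cache)  # alice from cache, bob fetched
    upstream.new_window()
    clock[0] += 601                                           # both cache entries expire
    third = build_timeline(followed, upstream.fetch, cache)   # alice refetched, bob masked again
    return first, second, third
```

Each element returned by `demo()` is a `(posts, skipped)` pair; the skipped list is what lets a request degrade gracefully instead of failing outright when the upstream limit is hit.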

Testing

Testing is really important. Without proper testing, you risk releasing an awful product that people will hate. That said, my app is so simple I didn’t bother creating any code-based tests, I just did it all by hand. I tested the main functionality, what happens if too many accounts are followed, what happens if none are, what happens if the user doesn’t exist, what if I add bad characters to the username, etc. As I found bugs on my local environment I fixed them and retested. I repeated this until it worked 99% of the time. Occasionally there might be an error due to some unforeseen edge case but overall it’s not that bad.

Time spent – 5 hours
Total time – 6 hours 30 minutes

Deployment to Production

I deployed my application into the Amazon AWS platform using an Elasticache Redis cluster and EC2 instances. I’ve been an Amazon AWS user since it was released to the general public. Each year it gets better and better with more and more features and it’s so easy to use. For this project I only needed:

  • An ElastiCache Redis cluster
  • A load balancer
  • An EC2 image

I knew that I could deploy and use all of these really quickly. While I would have loved to have wrapped the code in a container and deployed it through ECS or Fargate, or even compiled it to a binary and deployed it to Lambda with an API gateway, they all take too long and time was one of my top priorities. I wanted an MVP I could launch as fast as possible. I can do all of the nice shiny stuff later if I need a better way to scale than EC2 servers. For now, simple is best. Launched is better than perfect.

I managed to get AWS configured quite quickly and fronted it with a Cloudflare reverse proxy for handling DDoS, content caching and distribution, DNS, and all the other good stuff they do. Once that was working everything was good to go.

Time spent – 1 hour
Total time – 7 hours 30 minutes

Post Deployment Fiddling

Once I had a working version online I did some mandatory post-deployment fiddling. I added Google Analytics to measure if anyone was actually using the app or not, I fixed a few formatting issues and some typos and did some general housekeeping.

Time spent – 20 minutes
Total time – 7 hours 50 minutes, give or take.

Launching the Web App

It’s difficult to know when to stop. There’s always more to add. Since I first deployed a working version and started using the app myself I started to notice and add more features. I’ve since added a button below each post to view that author’s own feed. Now you can shift the myFeedium point of view from person to person to person. This is another rabbit-hole of content I keep finding myself getting lost in.

I know that I want to add functionality so that I can link directly to a username such as myFeedium.com/craighays and view that person’s feed, but I haven’t done it yet. It’s simple to do but it all takes time. Instead, I decided to leave it as is and start promoting it through articles like this one. I know I’m finding it useful already, I just hope you will too.

Wrapping Up

Once you have an MVP that works, the most important thing to do next is to launch. Stop tweaking it… just launch it. Tell the world, see if it really fits the gap you found or if it’s nonsense. Until you launch it you’ll never know.

Try the web app: https://myFeedium.com

© Craig Hays, 2006–2025
