Craig Hays

All Articles

Threat Intelligence and Why Nobody Hacked My Hackable Website

July 14, 2020 By Craig Hays

Reading Time: 5 minutes

I made my WordPress administrator’s password ‘admin’ for 2 weeks and nothing happened. This is why and why threat intelligence is useful.

In my last experiment, What Happened When I Leaked My Server Password on GitHub.com, I configured a server with a very strong SSH password and then ‘accidentally’ leaked it through a GitHub code repository. Within minutes people found the password and logged in. This time I tested a different approach and created a new WordPress site with the administrator username and password set to ‘admin’ for 2 weeks. Nothing happened. This is why nothing happened and why threat intelligence is important.

Table of Contents

  • The Experiment
  • What I Expected To Happen
  • What Actually Happened
  • Why Nobody Exploited My Weak Password
  • What Is Threat Intelligence
  • Why Threat Intelligence Is Useful
  • What Intelligence Came From This Experiment?
  • Conclusion

The Experiment

Prior to testing, I expected that any new WordPress server that appeared on the internet would be detected by an IP scanner within 7 days. Once discovered, brute-force attacks against the WordPress admin user would begin. With the combination admin:admin, the site would be compromised very quickly.

To test that theory I created a honeypot installation of WordPress using a Docker container and a cloud hosting service unlinked to anything else I do online. Then I locked down the host server and network to minimise the impact on others if the container was actually hacked. Next, I set the admin username and password to ‘admin’, then waited to see what happened. I didn’t give it a domain name, didn’t add it to any search indexes, and didn’t promote it in any way. I wanted to see if someone was actively looking for brand new servers that were vulnerable in this way.

3 Tips To Run The Best Phishing Tests In The World

July 3, 2020 By Craig Hays

Reading Time: 3 minutes

If you want to run the best phishing simulation tests possible that actually make your people more risk-aware, do these three things.

Table of Contents

  • 1. Make Phishing Tests Real
  • 2. Provide Instant and Relevant Feedback When People Fail
  • 3. Give Repeat Victims Person-to-Person Phishing Awareness Training

1. Make Phishing Tests Real

Make your phishing tests as real as possible. As the military maxim goes, ‘train as you fight, fight as you train’. While training for the D-Day landings, soldiers were instructed to make pretend gunshot sounds instead of pulling the trigger to conserve ammo (blanks still need casings) for the real event. When the real event came, soldiers would occasionally revert back to their training and shout ‘Bang, Bang!’ instead of pulling the trigger.

Don’t send those awful phishing emails that so many vendors push on you. Forget the Microsift and Goggle emails and logos. Don’t be afraid to use all of the official logos, style guides, and trademarks. Criminals don’t care about trademark infringement. When organised crime comes after your colleagues it will be branded like the real thing.

The best phishing tests either take real emails from real companies and replace the original links with phishing links, or reuse real, high-quality phishing emails sent by actual criminals, running the same scenarios that criminals are running for real.

Why More Than Half of Email Phishing Leaks Happen on Mobile Devices

June 22, 2020 By Craig Hays

Reading Time: 5 minutes

Over 60 percent of people who are phished by email are phished on mobile devices. This is why it happens and what you can do about it.

Table of Contents

  • Why Mobile Devices are More Prone to Phishing
  • Mobile Devices Don’t Get Our Full Attention
  • Corporate Protections Do Not Apply
  • Smaller Screens Have Less Detail
  • Timing Is More Important
  • So What Can We Do About Phishing on Mobile Devices?
    • Multi-Factor Authentication (MFA)
    • Add Warning Banners to External Emails
    • Educate and Inform

Why Mobile Devices are More Prone to Phishing

I’ve sent a lot of phishing emails. All with good intentions I must add. While reviewing the results, one of the most surprising things that I discovered was that the majority of people who fall for phishing tests (and therefore real phishing attacks) are using mobile devices. In my experience, 60% of those who are successfully deceived are victims of mobile phishing.

These are my conclusions as to why this is true and recommendations on what we can do to help people stay safe online.

What Happened When I Leaked My Server Password on GitHub.com

June 10, 2020 By Craig Hays

Reading Time: 7 minutes

I deployed a honeypot and ‘accidentally’ leaked a valid SSH username and password into a GitHub repository. This is what happened over the next 24 hours.

Searching for juicy information in GitHub repositories is nothing new. In the past, I’ve written about mining GitHub for sensitive information and contributed to open source projects that help to automate this process. Having used this technique as an ethical hacker, I was curious to see what it looks like when criminals do it for real with malicious intent.

Save and Search Your Web Traffic Forever with elasticArchive for Mitmproxy

June 8, 2020 By Craig Hays

Reading Time: 3 minutes

Log and perform full-text searches on all of your web traffic with Mitmproxy and elasticArchive, a tool for bug bounty hunters, red teams, and OSINT.

Table of Contents

  • Introducing ElasticArchive – a Mitmproxy Add-on to Store Everything in Elasticsearch
  • How elasticArchive Works
  • Who is ElasticArchive For?
    • Bug Bounty Hunters
      • Why Not Just use Burp Suite Search?
      • Generating a List of All Possible Input URLs
    • Red Teams, OSINT, and Researchers
  • How to Run ElasticArchive
  • How to Search All Of Your Web Activity
  • Where to Find ElasticArchive

Introducing ElasticArchive – a Mitmproxy Add-on to Store Everything in Elasticsearch

I was looking for an easy way to record all of my web traffic in Elasticsearch so that I could search full requests and responses for cookie names, parameter names, strange URLs, and short-lived content, but I couldn’t find one. So I made one – elasticArchive.

© Craig Hays, 2006–2025