Category: cybersecurity

What is multi-factor authentication (MFA)?

~ Tom's IT Cafe ~ Leave a comment

Multi-factor authentication (MFA) is a security system that requires more than one method of authentication from independent categories of credentials to verify the user’s identity for a login or other transaction1. It is a security enhancement that requires the user to provide two or more verification factors to gain access to a resource such as an application, online account, or a VPN2. The factors fall into three categories: something the user knows (such as a password or PIN), something the user has (such as a smart card or a security token), and something the user is (such as a fingerprint or other biometric data).

MFA is a security measure that can help protect against unauthorized access to your data and applications. It is recommended to use MFA for all our accounts that support it, especially for our sensitive accounts such as banking, email, and social media.

Continue reading “What is multi-factor authentication (MFA)?”

What is two-factor authentication (2FA)?

~ Tom's IT Cafe ~ Leave a comment

Two-factor authentication (2FA) is a security process in which users provide two different authentication factors to verify themselves. It is an identity and access management (IAM) security method that requires two forms of identification to access resources and data. 2FA gives businesses the ability to monitor and help safeguard their most vulnerable information and networks.

Continue reading “What is two-factor authentication (2FA)?”

How to brute force a web application password with Burp Suite? Basic dictionary attack in practice!

~ Tom's IT Cafe ~ Leave a comment

With Burp Suite we can initiate dictionary attacks against a website. This time in this simulated attack we will brute force the login field of the Juice Shop web application. We already know the email address of an admin user, so we have to make sure to find the right password.

Important note: hacking in the wild is illegal! Do NOT do it out of the lab, unless you are a penetration tester with a signed contract!

Continue reading “How to brute force a web application password with Burp Suite? Basic dictionary attack in practice!”

How to brute force FTP users and passwords with Hydra? Ethical Hacking in real life!

~ Tom's IT Cafe ~ 1 Comment

In this article we will investigate other functionalities of the Cyber Security test tool Hydra. In one of the previous articles we cracked a user password on a Linux system through SSH. In this example we do not know the exact username of any FTP user. We will create a list of possible usernames along our password list. All of these operations happen in a personal lab.

Important note: hacking in the wild is illegal! Do NOT do it out of the lab, unless you are a penetration tester with a signed contract!

Continue reading “How to brute force FTP users and passwords with Hydra? Ethical Hacking in real life!”

How to break in web applications using Burp Suite? Real web hacking in practice as a Penetration Tester!

~ Tom's IT Cafe ~ Leave a comment

The OWASP Top 10 is a standard awareness document that lists the most common weaknesses of modern web applications. Burp Suite will help our application security testing along the Developer Mode of the browser. We will break in to the OWASP Juice Shop, the most modern and sophisticated insecure web shop.

Important note: hacking in the wild is illegal! Do NOT do it out of the lab, unless you are a penetration tester with a signed contract!

Continue reading “How to break in web applications using Burp Suite? Real web hacking in practice as a Penetration Tester!”

How to brute force and crack SSH passwords with Hydra? Ethical Hacking in real practice!

~ Tom's IT Cafe ~ 2 Comments

In this presentation we will crack the password of a general Linux user via SSH in our personal lab. The machine from which we start the attack is a Kali Linux box, and the attacked machine is an ordinary Debian Linux on which a user set a weak password. Unfortunately the security settings are weak on the target host, so we have a great chance for success. We already know the name of the user.

Important note: cracking passwords in the wild is illegal! Do NOT do it out of the lab, unless you are a penetration tester with a signed contract!

Continue reading “How to brute force and crack SSH passwords with Hydra? Ethical Hacking in real practice!”

Password Manager upgrade: I switched to KeepassXC

~ Tom's IT Cafe ~ Leave a comment

I’ve been using the Keepass password vault for years. I don’t remember when I started to keep my secrets in it, but it can be easily a decade ago. Though I always liked Keepass, and its features are strong, times have changed and I looked for something fresher and more elegant. My choice is KeepassXC. Read more to see why!

Continue reading “Password Manager upgrade: I switched to KeepassXC”

Password Manager 101

~ Tom's IT Cafe ~ Leave a comment

In 2022 there is no excuse to do not use a reliable password manager. Period!

In the age of passwordless authentication, IoT, smart devices and high speed internet connection data breaches are more common than usual, mostly because of the insecure password usage. Remembering long and difficult passwords is really counter productive but luckily there is the solution: password managers! The era of post-its attached to the display with corporate or private secrets must be over. Even the corporate security starts with the individual level safety. Today’s cyber world demands strong and thorough security considerations even in our personal lives. We have bank account credentials, paid subscriptions and other stored card informations on different websites and mobile devices. So, do YOU use weak or shared passwords? Do you have any default passwords in your devices? Think about it a bit!

Continue reading “Password Manager 101”