Kenya Programmers Foundation

16/10/2021

FREE HOSTING 2 YEARS:

Vultr Global Cloud Hosting - Brilliantly Fast SSD VPS Cloud Servers. 100% KVM Virtualization

11/09/2021

Nulled & Pirated Website Software
One extremely common method hackers use to trick website owners is to leverage nulled (or cracked/pirated) website software — especially premium third-party components. These might exist in the form of a WordPress plugin or theme, or perhaps a Magento extension.

Since these types of software usually require a fee to use or install, providers offer nulled or cracked versions that are “free” to download. What users might not realize is that “free” might come with a security price tag, and bad actors might be inclined to include a few malicious files or code snippets in a pirated version.

While not all nulled or cracked software have backdoors hidden within the code, attackers often consider this an excellent opportunity to distribute their malware. Using these components come with a lot of serious security implications, and backdoors can be difficult to detect until it’s too late.

20/11/2020

On August 9, 2020, Torum’s administrator announced the forum is shutting down. What was this forum, and will its users find alternatives? KELA explored various darknet sources, as well as Torum itself, to find out. Here is a summary of our findings:

Torum was an English-speaking underground forum that posed as a nonprofit cybersecurity website. While both its members and users of other forums agreed Torum was a good place to discuss cybersecurity and learn hacking methods, the site was overwhelmed by newbies and scammers who damaged its reputation.
Torum’s administrator announced he is closing the forum because he lost interest in supporting it.
Torum was an active, stable community, which will likely be missed by users. The forum has a few alternatives in the darknet, including CryptBB, which recently became public. This post will explore what distinguished Torum and what darknet chatter reveals about possible alternatives.
As users struggle to find new forums with a decent community, it is crucial to continue tracking these sources to understand new trends and TTPs, and proactively mitigate potential risks emerging from them.

18/10/2020

Hacktoberfest 2020 and wisdom from around the Metasploit water cooler. Keep an eye out for more info on the next Metasploit community CTF (coming soon).

12/09/2020

Learning a programming language is like learning to become a chef or learning to play a musical instrument. All three require direct interaction with the tools. You cannot become a good chef just by reading recipes. Similarly, you cannot become a musician
by reading books about musical instruments. The same is true of programming. You must have a fundamental knowledge of the language, and you must test your programs on the computer to make sure that each program does what it is supposed to do.

12/09/2020

Suppose you need to teach someone how to become a chef. How
would you go about it? Would you first introduce the person to good food, hoping that a taste for good food develops? Would you have the person follow recipe after recipe in the hope that some of it rubs off? Or would you first teach the use of tools and the nature of ingredients, the foods and spices, and explain how they fit together?
Just as there is disagreement about how to teach cooking, there is disagreement about how to teach programming.

12/09/2020

A recipe is also a program,
and everyone with some cooking experience can agree on the following:
1.It is usually easier to follow a recipe than to create one.
2.There are good recipes and there are bad recipes.
3.Some recipes are easy to follow and some are not easy to follow.
4.Some recipes produce reliable results and some do not.
5.You must have some knowledge of how to use cooking tools to followa recipe to completion.
6.To create good new recipes, you must have a lot of knowledge and a good understanding of cooking.

09/09/2020

How to Set Up Automatic Kernel Updates on Ubuntu

Canonical Livepatch is a service that patches the running kernel without having to reboot your Ubuntu system. Livepatch service is free to use, up to three Ubuntu systems. To use this service on more than three computers, you’ll have to subscribe to the Ubuntu Advantage program.

Before installing the service, you need to get a livepatch token from the Livepatch Service site .

Once you have the token install and enable the service by running the following two commands:

sudo snap install canonical-livepatch
sudo canonical-livepatch enable
To check the status of the service, run:

sudo canonical-livepatch status --verbose

Later if you want to deregister a machine, use this command:

sudo canonical-livepatch disable
The same instructions apply for Ubuntu 20.04 and Ubuntu 18.04.

09/09/2020

Canonical Releases New Ubuntu Kernel Update to Fix a Vulnerability, Patch Now

07/12/2019

Re: why exactly is it bad to use VPN + TOR?

One of the core tenets of building secure systems is that you minimize the attack surface, and resist additional components and features wherever possible to keep in line with this. As such, if one cannot identify a strong reason to include a component in the system, and quantify that reason against the threat model, the additional component should not be included. This question is worded in a way that assumes that the VPN provides some benefit, and that removing it is what should be questioned, when in fact the inverse is true: the correct question should be whether adding a VPN layer to Tor provides any tangible benefit. Only when such a benefit has been affirmed should we entertain including it.

This depends on your threat model, local laws, OS setup, behaviour, and a number of other factors.

For example, let's assume you're a journalist trying to keep your identity quiet because you're studying a police corruption case. If your country's ISPs are protected by common carrier rules (i.e. the messages sent are legally protected in the same way that physical mail is) then transmitting content via the VPN is risky - the VPN provider isn't a common carrier and therefore doesn't have the same legal protection, but certainly does have information about you (billing information).

You've also got the problem that you're adding an additional point of failure. Your security relies upon both the VPN and Tor being safe - compromising one of the two means you're identifiable. Additionally, by connecting to a VPN you usually have routing rules which send LAN traffic through the VPN. This means that non-Tor data (e.g. NetBIOS, WINS discovery packets, DNS, OS / application update queries, etc.) might get sent through that same VPN channel, resulting in a log of your Tor and non-Tor behaviour occurring at the same time through the same endpoint.

The other problem is that commercial VPNs marketing themselves as privacy tools are obvious targets for threat actors. This means that by using the VPN, you might actually end up in a situation where someone has already compromised the server - it's not like you've got annual pentest reports from the VPN provider to take a look at and check they're running sensible and up to date systems. The benefit of Tor, in this regard, is that the communications are decentralised and distributed, which makes it much more difficult to focus attacks and traffic analysis from a logistics perspective.

I'd argue that the benefits of running Tor over a VPN are tenuous at best. The promise of additional privacy or security isn't backed by anything tangible or measurable, aside from the perception that complexity adds security.

Regarding your edit, if the person is using Tails and safely uses Tor, it makes no difference whether you just use Tor or use a VPN with Tor through it really. Which comes down to the crux of it: what does adding a VPN give you? I can't see any case where it provides any additional anonymity, particularly against a nation state, and then you've got the problem that if you're connected to some open WiFi somewhere (e.g. a cafe) you're then potentially tying your identity (from the VPN billing details) to your location, and the fact that you're using a VPN plus Tor. Not ideal if you're a journalist in an oppressive state, or a drugs trafficker trying to keep himself hidden.

Regarding your comment below as to why the VPN might be an addition point of failure, consider that some states would consider you in violation of a law if you simply used Tor. If you only use Tor, it becomes quite difficult to identify who you are if you're using public infrastructure like open WiFi or municiple networks. Once you add the VPN in, you add a direct purchase record back to your name and address. Not ideal.

At the end of the day, designers of secure systems should be resistant to adding additional components and features, due to the additional complexity and potential for unforeseen problems. This means that you should consider what benefit is added by including a VPN in your chain. I can't really see one, aside from a situation where use of Tor would be illegal but use of a VPN to another country would not be illegal (I'm unaware of such a case existing).

One additional potential issue, which I forgot to mention above, is the increase attack surface against the client-side. By adding in a VPN client on top of the Tor client, you've got another piece of software which may contain bugs (e.g. remote code ex*****on).

As an aside, I'd also like to point out that VPNs are not and never were designed to be privacy or anonymity tools. They are marketed as such by people who sell VPN services, but any anonymity or privacy you gain from them is incidental rather than purposeful. They cover but a fraction of the threat landscape in this space; mostly they're only useful as a tool for avoiding ISPs' blocking of certain sites (e.g. torrents). Nobody who is serious about anonymity and privacy, particularly in a situation where their safety, freedom, or even life is on the line, should ever use a VPN as their privacy solution.

Additional edit: There is one very specific circumstance where adding a VPN does provide additional security, and that's when VPN traffic won't draw attention but Tor traffic would. This is the only case where a VPN offers a benefit, at the potential cost of increased identifiability should someone actually take a look at what was sent through the VPN.

03/12/2019

On August, Google announced a plan to “build a more private web.” The announcement post was, frankly, a mess. The company that tracks user behavior on over ⅔ of the web said that “Privacy is paramount to us, in everything we do.” Google not only doubled down on its commitment to targeted advertising, but also made the laughable claim that blocking third-party cookies -- by far the most common tracking technology on the Web, and Google’s tracking method of choice -- will hurt user privacy. By taking away the tools that make tracking easy, it contended, developers like Apple and Mozilla will force trackers to resort to “opaque techniques” like fingerprinting. Of course, lost in that argument is the fact that the makers of Safari and Firefox have shown serious commitments to shutting down fingerprinting, and both browsers have made real progress in that direction. Furthermore, a key part of the Privacy Sandbox proposals is Chrome’s own (belated) plan to stop fingerprinting.

But hidden behind the false equivalencies and privacy gaslighting are a set of real technical proposals. Some are genuinely good ideas. Others could be unmitigated privacy disasters. This post will look at the specific proposals under Google’s new “Privacy Sandbox” umbrella and talk about what they would mean for the future of the web.
The good: fewer CAPTCHAs, fighting fingerprints

Let’s start with the proposals that might actually help users.

First up is the “Trust API.” This proposal is based on Privacy Pass, a privacy-preserving and frustration-reducing alternative to CAPTCHAs. Instead of having to fill out CAPTCHAs all over the web, with the Trust API, users will be able to fill out a CAPTCHA once and then use “trust tokens” to prove that they are human in the future. The tokens are anonymous and not linkable to one another, so they won’t help Google (or anyone else) track users. Since Google is the single largest CAPTCHA provider in the world, its adoption of the Trust API could be a big win for users with disabilities, users of Tor, and anyone else who hates clicking on grainy pictures of storefronts.

Google’s proposed “privacy budget” for fingerprinting is also exciting. Browser fingerprinting is the practice of gathering enough information about a specific browser instance to try to uniquely identify a user. Usually, this is accomplished by combining easily accessible information like the user agent string with data from powerful APIs like the HTML canvas. Since fingerprinting extracts identifying data from otherwise-useful APIs, it can be hard to stop without hamstringing legitimate web apps. As a workaround, Google proposes limiting the amount of data that websites can access through potentially sensitive APIs. Each website will have a “budget,” and if it goes over budget, the browser will cut off its access. Most websites won’t have any use for things like the HTML canvas, so they should be unaffected. Sites that need access to powerful APIs, like video chat services and online games, will be able to ask the user for permission to go “over budget.” The devil will be in the details, but the privacy budget is a promising framework for combating browser fingerprinting.

Unfortunately, that’s where the good stuff ends. The rest of Google’s proposals range from mediocre to downright dangerous.
The bad: Conversion measurement

Perhaps the most fleshed-out proposal in the Sandbox is the conversion measurement API. This is trying to tackle a problem as old as online ads: how can you know whether the people clicking on an ad ultimately buy the product it advertised? Currently, third-party cookies do most of the heavy lifting. A third-party advertiser serves an ad on behalf of a marketer and sets a cookie. On its own site, the marketer includes a snippet of code which causes the user’s browser to send the cookie set earlier back to the advertiser. The advertiser knows when the user sees an ad, and it knows when the same user later visits the marketer’s site and makes a purchase. In this way, advertisers can attribute ad impressions to page views and purchases that occur days or weeks later.

Without third-party cookies, that attribution gets a little more complicated. Even if an advertiser can observe traffic around the web, without a way to link ad impressions to page views, it won’t know how effective its campaigns are. After Apple started cracking down on advertisers’ use of cookies with Intelligent Tracking Prevention (ITP), it also proposed a privacy-preserving ad attribution solution. Now, Google is proposing something similar. Basically, advertisers will be able to mark up their ads with metadata, including a destination URL, a reporting URL, and a field for extra “impression data” -- likely a unique ID. Whenever a user sees an ad, the browser will store its metadata in a global ad table. Then, if the user visits the destination URL in the future, the browser will fire off a request to the reporting URL to report that the ad was “converted.”