API tools faq
paste
Advertisement
Guest User

Untitled

a guest
Apr 22nd, 2023
180
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 4.99 KB | Cybersecurity | 0 0
raw download clone embed print report
  1. Welcome to the second installment of the weekly opsec discussion! The aim of these weekly posts is to raise awareness to various opsec related topics. DYOR.
  2. In this session we will discuss file verification. This may seem like an obvious task to some, it is largely unused in the wider scope, and is essential to protecting our data.
  3.  
  4.  
  5. >Previous Weeks Discusison
  6. pastebin.com/K5uK4vvg
  7.  
  8.  
  9. >What is File Verification/Hashing?
  10.  
  11. File verification is a way for end users to verify that the files we download are identical to the intended source. This process is achieved by utilizing "Hashing" to create a very random looking, but very specific fixed length string of text. This hash, which we will later create can be compared to the hash provided by the file originator, if we compare the two hashes and they are an exact match, we can be certain that the file we have downloaded is authentic and has not been altered, falsified or otherwise tampered with by an outside malicious actor.
  12.  
  13.  
  14. >Why Is File Verification Important?
  15.  
  16. Downloading content from the internet can be an extremely dangerous endeavor, anyone who accidentally blew up their computer in the 2000's while trying to download free music from limewire would agree. For a malicious actor, the most effective way into your network/home pc is to be invited in, and by invited in, I mean downloading their malware. While hash signatures may not be available to every item we download, signature verification is in increasing demand on providers to include this option so that we the end users can better protect ourselves and we will cover a few useful tips to avoid malicious providers.
  17. Please note: If you download a malicious file, with a malicious signature, this will not save you, always do due diligence to verify the source, pay attention to URL's and lookout for falsified providers.
  18.  
  19.  
  20.  
  21.  
  22.  
  23. <newpost>
  24.  
  25.  
  26.  
  27.  
  28.  
  29. >Hashing CONOPS
  30. https://www.sentinelone.com/cybersecurity-101/hashing/
  31. In last weeks discussion, we briefly covered hashes, and how they fit into PGP verification signatures, you will notice that the two concepts are similar in the way they work. Simply put, hashes are the text output of data that has been processed by an algorithm ex:SHA/MD5. The output hash is created by taking a file or piece of data, which can be represented in binary form, and running a complex mathematical algorithm on it. By running this algorithm on the data, we can expect to always return the identical output hash or checksum, no matter how many times we run it through the algorithm, This is the key principal behind file hash verification, if the file being verified is altered, even in the smallest way, the output hash of that file will not match that of the original.
  32.  
  33.  
  34.  
  35.  
  36. <newpost>
  37.  
  38.  
  39.  
  40.  
  41.  
  42. >How To
  43.  
  44. For this post, i will use kleopatra, a GUI that makes storing, maintaining and using our various keys simple, even for new users. To show the basic steps, lets download and verify a copy of Tails OS (see picrel)
  45. 1.The first step to the process is to identify the target file(s), and the verification signature(s)
  46. 2.open kleopatra and import the signature - this is the trusted signature we will compare against the download checksum
  47. 3.select "Decrypt/Verify" from the toolbar and open the img file
  48. 4.once the process is complete, you will be presented with the results of the verification
  49.  
  50. Either the file will run through the algorithm and the output will match that of the signature, or it wont,simple as.
  51. if you have followed along in picrel, you will see the end state is a successful verification.
  52. >https://www.youtube.com/watch?v=LWC5D47BDDo
  53.  
  54.  
  55. >Additional Safety Measures
  56. File hash verification is a powerful tool, however, you could still be fooled by a malicious site which pretends to be authentic. Always double check the URL of the site you are downloading from, beware of phishing, take the time to be check the spelling of the url, the context of which you arrived to that link (did you follow a link from an email to the site), and be wary of simply "googling" and choosing the first link, which can be a vector of attack by malicious advertisements.
  57. >https://www.techradar.com/news/this-painful-malware-targets-new-victims-through-google-ads
  58. By remaining diligent in verifying the source of our downloads, we can minimize (not eliminate) the chances of downloading malicious files.
  59.  
  60.  
  61.  
  62.  
  63.  
  64. <newpost>
  65.  
  66.  
  67.  
  68.  
  69.  
  70. >Closing Words
  71. This was a relatively short session, and some might think this is an overly basic topic, considering many sites provide a tutorial on how to verify their files, but this is an underused tool. Many people simply wont take the time to bother, they think, well, i trust (i think i trust) the source, why bother taking the extra steps? As i said in the previous weekly discussion, good opsec is about attention to detail over time. Some steps may seem trivial, but these trivial steps can often be the figurative "straw that broke the camels back".
  72. Practice dose not make perfect, practice makes habit. Good practice makes good habits.
  73.  
  74.  
  75.  
  76.  
  77.  
  78.  
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!