GDPR third countries

 

The GDPR regulates the transfer of personal data to third countries. In order to be authorised, the transfer must be based on either an adequacy decision, an adequate level of data protection, or one of the exceptions provided for in the GDPR.


Recital 101 provides guidance on the rules for transferring personal data to a third country:

  • A transfer could take place only if, subject to the other provisions of this Regulation, the conditions laid down in the provisions of this Regulation relating to the transfer of personal data to third countries or international organisations are complied with by the controller or processor.

 

Article 45 « Transfers on the basis of an adequacy decision » is invoked by the European Commission to determine whether a third country has an adequate level of protection or not.

The adoption of an adequacy decision based on Article 45 of the GDPR involves

  • A proposal from the European Commission
  • An opinion of the European Data Protection Committee
  • An approval by the representatives of the EU countries
  • Adoption of the decision by the European Commission 


At present only a limited list of third countries are considered to offer adequate protection, and personal data may be transferred to them on that basis.

The list of countries currently authorised by the European Commission is as follows.

  • Andorra,
  • Argentina,
  • Canada (commercial organisations),
  • Faroe Islands,
  • Guernsey,
  • Israel,
  • Isle of Man,
  • Japan,
  • Jersey,
  • New Zealand,
  • Republic of Korea,
  • Switzerland,
  • United Kingdom (under the GDPR and the LED),
  • Uruguay.

With the exception of the UK, these adequacy decisions do not cover data exchanges in the law enforcement sector, which are governed by the Law Enforcement Directive (Article 36 of Directive (EU) 2016/680).


In the absence of an adequacy decision under Article 45 of the GDPR, Article 46 « Transfers subject to appropriate safeguards » provides a list of « appropriate safeguards » on which a transfer to a third country may also be based


These appropriate safeguards can be of various kinds:

  • Binding Corporate Rules (Article 47 of the GDPR): these are internal binding corporate rules relating to transfers of personal data to countries outside the European Union. They therefore constitute an internal « Code of Conduct » within a company group, defining the data transfer policy for each of the entities that make up the group, including their employees.
  • Standard Contractual Clauses (Article 93(2)) adopted by the European Commission, which have very recently been recast as described below
  • Codes of conduct approved under Article 40
  • International agreements or administrative commitments

 

In the absence of an adequacy decision and of the appropriate safeguards given by Articles 45 and 46 of the GDPR, the only remaining option is the exceptions provided for by Article 49 of the GDPR « Derogations for specific situations ».


These exceptions are as follows:

  • The data subject has given his or her explicit consent to the transfer
  • The transfer is necessary for the performance of a contract between the data subject and the controller, or for the implementation of pre-contractual measures (or for a contract concluded in his or her interest if he or she is not party to it)
  • The transfer is necessary for important reasons of public interest
  • The transfer is necessary for the establishment, exercise or defence of legal claims
  • The transfer is necessary to protect the vital interests of the data subject or of other persons
  • The transfer is made from a register which is intended to provide information to the public and is open to consultation by the general public

Without an adequacy decision, appropriate safeguards, or derogations, the GDPR does not allow the transfer of personal data to a third country.


This article is only a short and incomplete one, but it aims to give you an idea of what the GDPR requires in certain situations. As non-compliance with the GDPR can lead to very heavy fines, I strongly advise you to ask your DPO or your GDPR consultant for advice and much more complete information.

GDPR European Union representative

 

All companies, societies (or associations), wherever they are located in the world, whatever their size, whatever their sector of activity, whether they are public or private, must, as long as they deal with personal information of individuals located in Europe, comply with the GDPR regulation, otherwise they could be asked to pay large fines in case of control.

One of the obligations of the GDPR for companies based outside the EU, which deal with personal data of individuals located in Europe, is to appoint a GDPR representative in Europe. This is an obligation and not an option. However, there are circumstances where it is possible to be exempt from this obligation. There are therefore exemptions.

Let’s start with the definition of a GDPR representative as set out in Article 4(17).
What is a representative under the GDPR?

 

The first source I will share with you is Recital 80, which is part of the full GDPR, along with 172 other recitals and 99 articles. This recital, 80 of 172, explains in detail the obligations regarding the appointment of a GDPR representative for a non-EU entity.

The following is a brief summary of Recital 80 of the GDPR, for ease of reading and understanding of what the representative is, how it is designated and what its role is.

 

The second source I will share is Article 27 of the GDPR, which concerns the obligation to appoint a representative of the « controller » in Europe, if the company is based outside the EU and deals with personal data of individuals located in Europe. This article also explains what the exemptions are regarding the appointment of a GDPR representative in Europe.

Here I will focus on the exemption from the appointment of a European GDPR representative, for entities based outside the EU.

According to the GDPR, the following cases allow an entity to be exempted from appointing a representative in the European Union.

These exemption possibilities are not cumulative: it is enough for one of the cases to be present, and the exemption is not possible. This is most often the case for non-occasional processing.

This is the end of this short article about the obligation, for any entity located outside the European Union that processes personal data of persons located in Europe, to appoint a representative, and about the possibility of exemption from such designation.

That being said, I strongly advise you to call on a GDPR consultant, your DPO, or a specialist lawyer. Because the fines for not respecting the GDPR can be very expensive.

 

Re-use of personal data in the context of the GDPR

 

I collected personal data a few years ago, in this case email addresses for a specific purpose. Is it possible to reuse personal data that I collected before the GDPR for another purpose?

So first of all, what is personal data in the sense of the GDPR? Because many people don’t really know what personal data is and think that it is limited to names, surnames and addresses. But don’t worry, Article 4 gives the official definition of personal data.

 

(1) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

 

The European Commission website provides a non-exhaustive list with examples of personal data.

 

  • A first and last name.
  • A personal address.
  • An e-mail address such as personalname@company.
  • An identity card number.
  • Location data (e.g. location data function on a mobile phone)*.
  • An Internet Protocol (IP) address.
  • A cookie identifier*.
  • Your phone’s advertising ID.
  • Data held by a hospital or doctor, which could be a symbol that uniquely identifies a person.

 

This same site also gives a small list, also not exhaustive, of what is not personal data.

 

  • A business registration number.
  • An email address as info@company.com.
  • Anonymised data.

 

Having settled this, let’s get back to the problem at hand: « I collected personal data a few years ago, in this case email addresses for a specific purpose. Is it possible to reuse personal data that I collected before the GDPR for another purpose? »

So what elements do we have to work with?

 

  • Collection of personal data.
  • Collected before the GDPR, i.e. before May 2018
  • Collected for a specific purpose.

 

Whereas the GDPR requires a legal basis for the processing of personal data.
Whereas the GDPR requires a time limit for the retention period.
Whereas the processing has received consent for a specific purpose.

The elements of the answer obviously apply to all types of personal data.

Let us ask ourselves different questions.
What is the legal basis for the retention period? Is the retention period compatible with Article 5.e of the GDPR, which states that personal data must be:

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);

 

Is post-consent processing compatible with Article 5.b which requires that :

 

(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);

 

And the answers to the questions we have asked ourselves will determine whether we can legally re-use the data collected.

 

  • If the retention period has been set to be compatible with Article 5.e of the GDPR, we have a first element that allows us to re-use this data. If the retention period is not compliant, we will not be able to re-use the data legally.
  • Then, if the retention period is compliant AND the purpose for re-using the personal data is respected and therefore remains the same as the initial consent, there is nothing to prevent the re-use.
  • On the other hand, if the retention period is compliant BUT the purpose for re-use of the data does not correspond to the purpose of the initial consent, then re-use is not allowed for this new purpose.

 

BUT it is a bit more complex than that, and the European Commission gives more guidance on the re-use of data for a new purpose.

 

If your company/organisation has collected data on the basis of a legitimate interest, contract or vital interests, it may be used for another purpose but only after checking that the new purpose is compatible with the original purpose.

Attention should be paid to the following points:
– the link between the original purpose and the new or future purpose
– the context in which the data were collected (What is the relationship between your company/organisation and the data subject?)
– the type and nature of the data (Are they sensitive?);
– the possible consequences of the envisaged further processing (What impact will it have on the data subject?);
– the existence of appropriate safeguards (such as encryption or pseudonymization).

If your company/organisation wishes to use the data for statistical or scientific research purposes, there is no need for a compatibility test.
If your company/organisation has collected data on the basis of consent or in compliance with a legal requirement, no further processing beyond the areas covered by the original consent or legal provision is possible. Further processing would require a new consent or legal basis.

Examples
Further processing is possible.
A bank has a contract with a customer to provide a bank account and a personal loan. At the end of the first year, the bank uses the customer’s personal data to check whether he or she is eligible for a better type of loan and a savings plan. It informs the customer of this. The bank may process the customer’s data again because the new purposes are compatible with the original purposes.

Further processing is not possible.
The same bank wants to share the customer’s data with insurance companies, based on the same contract for a bank account and a personal loan. This processing is not allowed without the explicit consent of the customer as the purpose is not compatible with the original purpose for which the data were processed.

References
– Articles 5(1)(b), 6(4), 89(1); Recitals 39, 50
– Article 29 Working Party. Opinion 03/2013 on purpose limitation, 2 April 2013 (WP 203)

 

The outcome of a question of re-use of personal data is therefore not so simple, and you will have to ask yourself several questions before knowing whether or not it will be possible to re-use personal data for a new purpose.

That being said, I strongly advise you to call on a GDPR consultant, your DPO, or a specialist lawyer. Because the fines for not respecting the GDPR can be very expensive.

 

 

Sources :
https://gdpr-text.com/ 
https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en
https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/principles-gdpr/purpose-data-processing/can-we-use-data-another-purpose_en

 

 

 

 

GDPR accountability

 

In this article, I will explain the different things you need to know about accountability, which roughly means that you as a data controller are obliged under the GDPR to document your compliance, in order to clearly demonstrate your compliance to a supervisory authority.

 

The CNIL, which is the official French supervisory authority, as well as the ICO for the UK, give the following definition of accountability.

 

Accountability refers to the obligation for companies to implement internal mechanisms and procedures to demonstrate compliance with data protection rules.

 

The principle of accountability is enshrined in Article 5(2) of the GDPR, which dictates the principles for processing personal data.

 

Article 5 – Principles for processing personal data

1. Personal data must be:
(a) Processed lawfully, fairly, and transparently with respect to the data subject (lawfulness, fairness, transparency);
(b) Collected for specified, explicit, and legitimate purposes and not further processed in a way incompatible with those purposes; further processing for archival purposes in the public interest, for scientific or historical research purposes, or for statistical purposes shall not be considered, in accordance with Article 89(1), as incompatible with the original purposes (purpose limitation)
(c) Adequate, relevant, and limited to what is necessary for the purposes for which they are processed (data minimization)
(d) Accurate and where necessary kept up to date; every reasonable step must be taken to ensure that personal data which are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay. (accuracy)
(e) Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which they are processed; personal data may be kept for longer periods insofar as they are processed exclusively for archival purposes in the public interest, for scientific or historical research purposes or for statistical purposes in accordance with Article 89(1), provided that the appropriate technical and organizational measures required by this Regulation to safeguard the rights and freedoms of the data subject are implemented. (limitation of storage)
(f) Processed in such a way as to ensure appropriate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, by means of appropriate technical or organizational measures (integrity and confidentiality);

2. The controller is responsible for compliance with paragraph 1 and is able to demonstrate compliance (accountability).

 

Recital 74 of the GDPR clarifies the notion of accountability in relation to the controller’s responsibility and documentation obligation.

 

Recital 74 Responsibility and Liability of the Controller

The responsibility and liability of the controller for any processing of personal data carried out by the controller or on the controller’s behalf should be established.
In particular, the controller should be obliged to implement appropriate and effective measures and be able to demonstrate the compliance of processing activities with this Regulation, including the effectiveness of the measures.
Those measures should take into account the nature, scope, context and purposes of the processing and the risk to the rights and freedoms of natural persons.

 

The GDPR indeed provides for different things that allow the creation of a documentation file. So what type of documents does the GDPR provide for in order to demonstrate compliance?

The CNIL, in its practical sheet « documenting your compliance », lists the different things to put in your documentation file:

 

Documenting your compliance (CNIL)

The documentation on your personal data processing

1. The register of processing operations (for data controllers) or categories of processing activities (for processors),
2. Data Protection Impact Assessments for processing operations that are likely to generate high risks for the rights and freedoms of individuals
3. The framework for data transfers outside the European Union (in particular standard contractual clauses or BCRs).

Information to individuals

1. Information statements,
2. Models for collecting the consent of the persons concerned.
3. The procedures put in place for the exercise of the rights of individuals.

Contracts that define the roles and responsibilities of the actors

1. Contracts with subcontractors
2. Internal procedures for dealing with data breaches,
3. Evidence that data subjects have given their consent when their data is processed on that basis.

 

Accountability will be complete when your documentation file contains all the elements that demonstrate that you are in compliance with your obligations regarding the GDPR.

The elements constituting your documentation file will have to be checked regularly and updated if necessary.

 

This is a brief introduction to GDPR accountability.
I invite you to contact a GDPR consultant or a DPO for more information and help with the implementation.

Christian

 

GDPR Privacy and data protection by design & data protection by default

 

According to the European Data Supervisor, « “privacy by design” is used to designate the broad concept of technological measures for ensuring privacy as it has developed in the international debate over the last few decades. »

This concept is not new. In fact, according to Wikipedia, « Ann Cavoukian, former Information and Privacy Commissioner of Ontario, developed the “privacy by design” approach to systems engineering. This approach was formalized in a joint report on privacy-enhancing technologies by a joint team of the Information and Privacy Commissioner of Ontario (Canada), the Dutch Data Protection Authority and the Dutch Organization for Applied Scientific Research in 1995. The Privacy by Design framework was published in 2009 and adopted by the International Assembly of Privacy Commissioners and Data Protection Authorities in 2010. »


According to this framework, Privacy by Design is based on seven « core principles »:

1. Proactive, not reactive; preventive, not remedial.
2. Privacy as a default setting
3. Privacy built into the design
4. Full functionality – positive sum, not zero sum
5. End-to-end security – full life cycle protection
6. Visibility and transparency – stay open
7. User privacy – stay user-centric


The concept of « privacy by default » foresees that the seven core principles put in place at the design stage are also active by default, without the user having to intervene.

Still according to the European Data Protection Supervisor, the terms « “data protection by design” and “data protection by default” » are used « to designate the specific legal obligations established by Article 25 of the GDPR. While measures taken under these obligations will also contribute to achieve the more general objective of “privacy by design”, considering that a wider spectrum of approaches may be taken into account for the objective of “privacy by design” which includes a visionary and ethical dimension, consistent with the principles and values enshrined in the EU Charter of Fundamental Rights of the EU. »

Article 25 of the GDPR details the concepts and mandatory measures to be implemented by the data controller regarding data protection by design and data protection by default.

 

Art. 25

GDPR Data protection by design and by default

  1. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.
  2. The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.
  3. An approved certification mechanism pursuant to Article 42 may be used as an element to demonstrate compliance with the requirements set out in paragraphs 1 and 2 of this Article.

 

Recital 78 provides additional information and context that complements Article 25.

 

Recital 78

Appropriate Technical and Organisational Measures

The protection of the rights and freedoms of natural persons with regard to the processing of personal data require that appropriate technical and organisational measures be taken to ensure that the requirements of this Regulation are met. In order to be able to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default. Such measures could consist, inter alia, of minimising the processing of personal data, pseudonymising personal data as soon as possible, transparency with regard to the functions and processing of personal data, enabling the data subject to monitor the data processing, enabling the controller to create and improve security features. When developing, designing, selecting and using applications, services and products that are based on the processing of personal data or process personal data to fulfil their task, producers of the products, services and applications should be encouraged to take into account the right to data protection when developing and designing such products, services and applications and, with due regard to the state of the art, to make sure that controllers and processors are able to fulfil their data protection obligations. The principles of data protection by design and by default should also be taken into consideration in the context of public tenders.
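Article 25 and Recital 78 name pseudonymisation and data minimisation as the technical measures a controller is expected to build in, and the re-use article above lists pseudonymisation and encryption among the « appropriate safeguards » to weigh in a compatibility test. The following is an added example, not code from the original article or from any of the sources cited, showing what those two measures look like in practice: a keyed pseudonym that cannot be reversed without a separately held key, a per-purpose field policy that discloses nothing by default, and a retention check for storage limitation. The purposes, field names, retention periods, key and sample record are all constructed for the example.

```python
import hmac
import hashlib
from datetime import date, timedelta

# Constructed key for the example. In a real system the key is stored apart
# from the pseudonymised data (e.g. in a KMS/HSM), so that whoever holds the
# data cannot re-identify people without it.
PSEUDONYMISATION_KEY = b"constructed-example-key-do-not-reuse"

# Data minimisation by default: the fields each purpose is allowed to see.
# Purposes and field names are assumptions made for this example.
PURPOSE_FIELDS = {
    "billing":    {"name", "postal_address", "email"},
    "newsletter": {"email"},
    "analytics":  {"pseudonym", "country"},   # never the raw email address
}

# Storage limitation: retention period per purpose, in days (assumed values).
RETENTION_DAYS = {"billing": 365 * 10, "newsletter": 365 * 3, "analytics": 365}


def pseudonymise(identifier: str, key: bytes = PSEUDONYMISATION_KEY) -> str:
    """Keyed pseudonym (HMAC-SHA256) of a direct identifier.

    The same input always gives the same pseudonym, so records can still be
    joined for the purpose, but without the key the pseudonym can neither be
    reversed nor confirmed by hashing a list of candidate addresses. A plain,
    unkeyed hash would not give that second property.
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def minimise(record: dict, purpose: str) -> dict:
    """Return only the fields the purpose needs (Article 25(2)).

    An unknown purpose is refused rather than handed everything: the default
    is to disclose nothing.
    """
    if purpose not in PURPOSE_FIELDS:
        raise ValueError(f"no field policy for purpose {purpose!r}")
    allowed = PURPOSE_FIELDS[purpose]
    out = {k: v for k, v in record.items() if k in allowed}
    if "pseudonym" in allowed and "email" in record:
        out["pseudonym"] = pseudonymise(record["email"])
    return out


def retention_expired(collected_on: date, purpose: str, today: date) -> bool:
    """Article 5(1)(e): True once the record is older than the purpose's
    retention period and should be erased or anonymised."""
    return today > collected_on + timedelta(days=RETENTION_DAYS[purpose])


# Constructed sample record (not real data).
SAMPLE_RECORD = {
    "name": "Jane Example",
    "email": "Jane.Example@example.org",
    "postal_address": "1 Example Street, Exampletown",
    "country": "FR",
    "collected_on": date(2018, 6, 1),
}

if __name__ == "__main__":
    print(minimise(SAMPLE_RECORD, "analytics"))
    print(retention_expired(SAMPLE_RECORD["collected_on"], "analytics", date(2020, 1, 1)))
```

The design point is that the analytics view never contains the email address at all, only a pseudonym, and the mapping back to the person depends on a key that the analytics system does not hold; that is what makes the measure a safeguard rather than a formality.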

 

This is a brief introduction to privacy by design, data protection by design and data protection by default.
I invite you to contact a RGPD consultant or a DPO for more information and help for the implementation.

Christian

 

 

Sources :
wikipedia privacy by design
edps preliminary opinion on privacy by design
edpb guidelines on dataprotection by design and by default
gdpr

 

Google dorks in recognition phase

 

Google is often used by attackers to search for sensitive information. The same technique is used, along with other tools, by IT security professionals to gather preliminary data about a target (a customer) in order to prepare a penetration test. Adding certain keywords to your search will in some cases give surprising results. Avoid certain searches, as they could get you into a lot of trouble; always check the legality of your actions. This tutorial is only intended for personal research and, above all, as one of the tools used in phase 1 of a penetration test, either on the various sites that let you train legally, or within the framework of a penetration test that you have previously validated by a contract with your client. Obviously, in the case of a penetration test for a client, all the information and techniques you have used must be included in the final report to inform your client, who will take the necessary measures to prevent malicious people from finding this information in the future, since it can in some cases be very sensitive. Here is a small list of some of these keywords, called « Google dorks »:

 

inurl is used to search for any text inside a url.

intext is used to search for any text within the body or source code of the website.

filetype is used to search for any type of file you want to locate within a website or on a particular topic. You can search for any type of file.

intitle is used to search for web page titles.

site is used to narrow the search area to a particular website.

link is used to check other websites containing links to a website.

 

Here are some examples of the use of these Google dorks. To keep this short I will not list more, but you can of course do a search on Google for more information and examples of this search technique, or go directly to the following link: http://www.googleguide.com/advanced_operators_reference.html

 

An example to find the keyword « cybersecurity » in the title of a website would be to enter the following dork in the search bar:

  • intitle:cybersecurity

Another example with the same operator, a little more complex, will find all sites with index.of in the title:

  • intitle:index.of

Another example with the same operator, this time more pointed, finds sites running a specific type of server, which would normally be Apache version 2.0:

  • "Apache/2.0 Server at" intitle:index.of
  • intitle:index.of "Apache" "server at"
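The two index.of dorks above work because a server with directory listing enabled and ServerSignature on writes exactly those strings into its own pages. The following is an added example, not part of the original tutorial, written from the defender's side: a check that runs over a page your own server returned and flags the same signals the dorks rely on, so you can find and close them before they are indexed. The sample responses are constructed, not captured from any real host.

```python
import re
from html.parser import HTMLParser


class _TitleParser(HTMLParser):
    """Collect the text of the <title> element."""

    def __init__(self):
        super().__init__()
        self._in_title = False
        self.title = ""

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


# Footer that Apache's mod_autoindex prints when ServerSignature is On,
# e.g. "Apache/2.0.52 (Unix) Server at example.com Port 80".
SERVER_FOOTER = re.compile(r"Apache/(\S+)[^<\n]*?Server at\s+(\S+)", re.I)


def find_exposures(html: str, headers: dict) -> list:
    """Return a list of findings for one response from your own server.

    Checks the three signals behind the index.of dorks: a directory-listing
    title, a version footer in the body, and a Server header with a version.
    """
    findings = []
    parser = _TitleParser()
    parser.feed(html)
    if parser.title.strip().lower().startswith("index of"):
        findings.append("directory listing enabled (title starts with 'Index of')")
    footer = SERVER_FOOTER.search(html)
    if footer:
        findings.append(f"server version in page footer: Apache/{footer.group(1)}")
    server = {k.lower(): v for k, v in headers.items()}.get("server", "")
    if re.search(r"/\d", server):
        findings.append(f"server version in Server header: {server}")
    return findings


# Constructed sample responses (not captured from any real host).
LISTING_PAGE = """<html><head><title>Index of /backup</title></head>
<body><h1>Index of /backup</h1><pre><a href="db.sql">db.sql</a></pre>
<address>Apache/2.0.52 (Unix) Server at www.example.com Port 80</address>
</body></html>"""
LISTING_HEADERS = {"Server": "Apache/2.0.52 (Unix)", "Content-Type": "text/html"}

CLEAN_PAGE = "<html><head><title>Welcome</title></head><body>Hello</body></html>"
CLEAN_HEADERS = {"Server": "Apache", "Content-Type": "text/html"}

if __name__ == "__main__":
    for finding in find_exposures(LISTING_PAGE, LISTING_HEADERS):
        print("-", finding)
```

When the check reports findings on an Apache server, the fixes are configuration, not code: `Options -Indexes` in the relevant `<Directory>` block turns off the listing, and `ServerSignature Off` with `ServerTokens Prod` removes the version from the footer and the Server header.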

That’s it for this simple and short tutorial. Use it wisely and legally.

 

 

Clarification about penetration testing

 

The terms penetration testing and vulnerability assessment are often confused and used interchangeably, when in fact the two terms have distinct meanings.

Penetration testing, also known as pen testing or simply pentesting, is a continuous cycle of searching for and attacking a target in order to identify vulnerabilities within a computer system, network, or web application that an attacker could exploit, and then attempting to gain access to various confidential data and information about the system under test.

Vulnerability assessment is the process of defining, identifying, and classifying potential security vulnerabilities in the target system.

Penetration testing can be automated with software applications or can be performed manually. In both cases, the process includes collecting information about the target before the test (reconnaissance), identifying possible entry points, attempting to break in (virtual or real), and reporting the results.

When a penetration test is performed correctly, the results allow professionals to make recommendations to solve the problems detected during the test. The main objective of penetration testing is to improve the security of the computer system, network, or web application and to provide protection for the entire network and connected devices against future attacks.

There are three types of penetration testing, depending on the company’s expectations:

Black box: The tester puts himself completely in the shoes of a hacker. He does not have any information.
Grey box: The tester has a limited amount of information.
White box: The tester has all the information he needs.

I can’t stress the fact enough that you should always make sure that you are in the right by either going through specialized sites or by concluding a proper contract with your client before starting.


Configurer le fichier config.inc de Mutillidae dans Metasploitable

Un problème commun qui apparaît avec Mutillidae dans Metasploitable2, est une erreur de configuration du fichier « config.inc » qui empêche tout simplement le bon fonctionnement de l’application web. Elle affichera a chaque tentative d’utiliser l’application le message suivant  » La table ‘metasploit.tableName’ n’existe pas ». Le soucis étant simple a régler il ne faudra pas plus de 2 minutes pour l’arranger. Il faudra simplement ouvrir un éditeur de texte, dans notre cas nous utiliseront Nano qui est déjà installé dans Metasploitable2 et modifier une simple ligne.

To begin with, a small detail that Metasploitable does to me every time: it insists on keeping the keyboard in English, while of course I have a French keyboard. So let's fix that quickly. Just one line to enter once you have logged in to Metasploitable with the usual username and password shown on screen when the machine boots.

So, to switch the keyboard to French (the password is still the one you used before):

sudo loadkeys fr

The following message confirms that the change has been made:

Loading /usr/share/keymaps/fr.map.bz2

With that done, let's get on with the database setting by entering the following commands in the Metasploitable terminal, which will change Mutillidae's behaviour and get rid of the error:

cd /var/www/mutillidae
sudo nano config.inc

The Nano window will open with the contents of the config.inc file.

Now simply replace 'metasploit' with 'owasp10'.

And finally, to save and quit:

Ctrl+X, then Y, then press Enter

If everything went well, you now have a Mutillidae ready to use!
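To do the same edit with a script rather than by hand in nano, here is an added example (mine, not from the original post or from Mutillidae). It assumes the file has the usual shape of single-line PHP assignments; the sample config.inc content is constructed, and the script changes only the $dbname line, leaving any other value that happens to read 'metasploit' alone:

```python
"""Targeted fix for the $dbname setting in Mutillidae's config.inc.

Added example; it is not from the original post or from Mutillidae. It does
with a script what the post does with nano: change 'metasploit' to 'owasp10'
on the $dbname line, and nothing else. The sample below is constructed in the
shape of the PHP assignments found in that file.
"""
import re
import shutil
from pathlib import Path

OLD_DBNAME = "metasploit"
NEW_DBNAME = "owasp10"

# One single-line PHP string assignment, e.g.   $dbname = 'metasploit';
ASSIGN_RE = re.compile(
    r"""^(\s*\$(?P<var>\w+)\s*=\s*)(?P<q>['"])(?P<val>[^'"]*)(?P=q)(\s*;.*)$"""
)

# Constructed sample: dbpass deliberately equals the old dbname to show the
# replacement is limited to the $dbname variable.
SAMPLE_CONFIG = """<?php
$dbhost = 'localhost';
$dbuser = 'root';
$dbpass = 'metasploit';
$dbname = 'metasploit';
?>
"""


def parse_assignments(text: str) -> dict:
    """Return {variable: value} for every single-line string assignment."""
    found = {}
    for line in text.splitlines():
        m = ASSIGN_RE.match(line)
        if m:
            found[m.group("var")] = m.group("val")
    return found


def fix_dbname(text: str, old: str = OLD_DBNAME, new: str = NEW_DBNAME):
    """Rewrite only the $dbname assignment whose value is `old`.

    Returns (new_text, changed). Other variables keep their value even when it
    happens to equal `old`, and a file that is already correct is left untouched.
    """
    out, changed = [], False
    for line in text.splitlines(keepends=True):
        m = ASSIGN_RE.match(line.rstrip("\r\n"))
        if m and m.group("var") == "dbname" and m.group("val") == old:
            q = m.group("q")
            line = f"{m.group(1)}{q}{new}{q}{m.group(5)}\n"
            changed = True
        out.append(line)
    return "".join(out), changed


def fix_config_file(path: Path) -> bool:
    """Apply fix_dbname to a file, keeping a .bak copy of the original."""
    original = path.read_text()
    fixed, changed = fix_dbname(original)
    if changed:
        shutil.copy2(path, path.with_name(path.name + ".bak"))
        path.write_text(fixed)
    return changed


if __name__ == "__main__":
    # On Metasploitable2 the file is /var/www/mutillidae/config.inc (path from the post).
    target = Path("/var/www/mutillidae/config.inc")
    print("changed" if fix_config_file(target) else "already correct")
```

Run it on the Metasploitable2 machine as a user allowed to write the file (the post uses sudo); the .bak copy lets you go back if the application complains about something else afterwards.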

Vulnerability research

In this article I will explain how to carry out a manual search for vulnerabilities. First of all you need a tool such as NMAP, which scans a target's ports. To illustrate the search I will use the information from this article, which I wrote to demonstrate a scan of Metasploitable.

Starting from the final report of the Metasploitable scan, I will simply take the first open port discovered by NMAP during the scan and leave it to you to continue the research yourself for the other ports.

Here is a copy of the final report.

The first open port is 21/tcp, running the FTP service in version VSFTPD 2.3.4.

With this information it is now possible to check for a vulnerability by searching manually on https://www.exploit-db.com, using the service version as the search term: VSFTPD 2.3.4.

Exploit-db returns one result. Click on it to display the details.

A vulnerability is present in VSFTPD 2.3.4 and it can be exploited through a script which, on inspection, states:

<<This file is part of the Metasploit Framework and may be subject to
redistribution and commercial restrictions. Please see the Metasploit
Framework web site for more information on licensing and terms of use.
http://metasploit.com/framework/>>

Which means that this script is part of the Metasploit framework and can be used in the exploitation phase.

The same script also states:

<<This module exploits a malicious backdoor that was added to the VSFTPD download
archive. This backdoor was introduced into the vsftpd-2.3.4.tar.gz archive between
June 30th 2011 and July 1st 2011 according to the most recent information
available. This backdoor was removed on July 3rd 2011.>>

Which means that a backdoor was added to vsftpd 2.3.4 between 30 June 2011 and 1 July 2011, and that it was reportedly removed on 3 July 2011.

To continue gathering information about the flaw in VSFTPD 2.3.4, it is worth using Google with the following terms: vsftpd 2.3.4 vulnérabilité (remembering to enable the « French pages only » option).

The first link displayed should be: https://vigilance.fr/vulnerabilite/vsftpd-backdoor-de-la-version-2-3-4-10805

A quick read of the vulnerability description returns some very interesting information.

Description of the vulnerability
The source code of the vsftpd FTP server is hosted on the vsftpd.beasts.org site. However, between 30 June 2011 and 3 July 2011, a backdoor was added to this source code. The backdoor checks whether the login name begins with « :) » and opens a shell on port 6200/tcp. A remote attacker can therefore use this backdoor to gain access to the system.

The finding is unequivocal: with a few simple steps this vulnerability would give access to the system and allow escalation to root, taking full control of the machine.

Now try to find which other services are vulnerable, and remember that the more information you find, the easier it will be to exploit the various flaws. To help you, you can use various websites, including (non-exhaustive list):

https://www.exploit-db.com
https://cve.mitre.org
https://nvd.nist.gov
https://www.rapid7.com/db/search
https://www.cert.ssi.gouv.fr
https://www.cvedetails.com
https://www.google.com/
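The same reading of a scan report can be scripted. The example below is added here and is not from the original post: it parses nmap's service table, keeps the open ports, builds the search term to type into the databases listed above, and flags any service whose exact version matches a known issue. The scan text is constructed (the post's real report is an image), and the only known-issue entry is the vsftpd 2.3.4 backdoor described above; the other version strings are made up.

```python
"""Turn an nmap service table into a vulnerability-research worklist.

Added example, not from the original post. The scan text is constructed in
nmap's "PORT STATE SERVICE VERSION" layout (the post's real report is an
image); the only known-issue entry is the vsftpd 2.3.4 backdoor the post
documents. Everything else, version strings included, is made up.
"""
import re
from dataclasses import dataclass

SCAN_TEXT = """\
PORT     STATE    SERVICE  VERSION
21/tcp   open     ftp      vsftpd 2.3.4
22/tcp   open     ssh      OpenSSH 7.9p1 (protocol 2.0)
23/tcp   open     telnet   Linux telnetd
25/tcp   filtered smtp
80/tcp   open     http     Apache httpd 2.4.29 ((Ubuntu))
"""

LINE_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s*(?P<version>.*)$"
)

# (product, exact version) -> note. Only what the post establishes.
KNOWN_ISSUES = {
    ("vsftpd", "2.3.4"): "backdoored release (added 30 June-1 July 2011, removed 3 July 2011)",
}

# Databases listed in the post, where the 'query' value is searched by hand.
SOURCES = ["https://www.exploit-db.com", "https://nvd.nist.gov", "https://cve.mitre.org"]


@dataclass
class Service:
    port: int
    proto: str
    service: str
    version: str


def parse_nmap_table(text):
    """Keep only open ports from an nmap 'PORT STATE SERVICE VERSION' table."""
    services = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group("state") == "open":
            services.append(Service(int(m.group("port")), m.group("proto"),
                                    m.group("service"), m.group("version").strip()))
    return services


def product_and_version(version_field):
    """'vsftpd 2.3.4' -> ('vsftpd', '2.3.4'); version is None when no numeric token."""
    tokens = version_field.split()
    if not tokens:
        return None, None
    product = tokens[0].lower()
    for tok in tokens[1:]:
        if tok[0].isdigit():
            return product, tok
    return product, None


def triage(services):
    """One row per open service: the search term to use, plus any known issue.

    Rows with a known issue come first, then ascending port number.
    """
    rows = []
    for s in services:
        product, ver = product_and_version(s.version)
        rows.append({
            "port": f"{s.port}/{s.proto}",
            "service": s.service,
            "query": s.version or s.service,   # what to type into exploit-db, NVD, ...
            "known_issue": KNOWN_ISSUES.get((product, ver)),
        })
    rows.sort(key=lambda r: (r["known_issue"] is None, int(r["port"].split("/")[0])))
    return rows


if __name__ == "__main__":
    for row in triage(parse_nmap_table(SCAN_TEXT)):
        flag = f"  !! {row['known_issue']}" if row["known_issue"] else ""
        print(f"{row['port']:<8} {row['service']:<8} search: {row['query']}{flag}")
```

Only an exact product and version match is flagged on purpose: the banner nmap prints is what the target advertises, not necessarily what is running, so every row still deserves the manual lookup the post describes.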


WARNING: always use this information and these techniques within a legal framework. Breaking this rule could be very painful for you, as the fines and prison sentences are very heavy.

How and why to create a complex password

Using the password strength testing tools provided by Kaspersky at https://password.kaspersky.com/fr/ and by the howsecureismypassword website at https://howsecureismypassword.net, I propose to show you the time needed to break different kinds of passwords, and then to explain how to improve their quality so as to lengthen that time and possibly force a would-be attacker to give up and move on to the next target. The time needed to break a password using a standard desktop computer varies with its length and complexity, and it can be drastically reduced by the use of various techniques and more powerful hardware.

Cracking time estimated by Kaspersky

1234                                              About 1 second
password                                          About 1 second
motdepasse                                        About 2 minutes
jean-pierre                                       About 11 days
M8*o,3t%=d5E                                      About 4 centuries

Cracking time estimated by howsecureismypassword

1234                                              Instant
password                                          Instant
motdepasse                                        About 59 minutes
jean-pierre                                       About 5 months
M8*o,3t%=d5E                                      About 485 thousand years

As you can see, the two sites do not return the same times, most likely because they use different calculation methods. It is still interesting to see that both methods support the idea that the longer the password and the more special characters it contains, the longer the estimated time to break it. Below I will share a few tips for creating a somewhat more secure password. I invite you to test for yourself the strength of the passwords you create with this simple technique, using the tools described at the start of the article.

How to create a good password:

1 – Never use a single word that exists in a dictionary
2 – Do not use a first name or a surname on its own as a password
3 – Do not use a sequence of digits, such as a date of birth, as a password

4 – Find yourself a phrase or a fairly long word and write it down without the spaces (mix upper and lower case at random)
5 – Below it, write a series of digits
6 – Below that, add a line of special characters
7 – Mix everything together
8 – VERY IMPORTANT: use a different password for each account

Example:

4 - MoNMotDePasSe
5 - 45821
6 - @-/<ù*

I will use the online letter mixer http://www.maxi-pedia.com/word+letter+mixer+disorganizer to create my password, entering our three inputs on a single line as follows:

MoNMotDePasSe45821@-/<ù*

Then, clicking on « Disorganize the text », the application displays a password such as:

7 - M-oN8@eMe/SD1<24ùosa5Pt*
7 - MùMo1@eSP2ea8N-Ds45t/<o*
7 - Mo</5P-a8eM@4ùSN21stDeo*

These three passwords were generated from the same base; I simply clicked several times to get different results. Now let's test their strength.

Cracking time estimated by Kaspersky

M-oN8@eMe/SD1<24ùosa5Pt*                               More than 10000 centuries
MùMo1@eSP2ea8N-Ds45t/<o*                               More than 10000 centuries
Mo</5P-a8eM@4ùSN21stDeo*                               More than 10000 centuries

Cracking time estimated by howsecureismypassword

M-oN8@eMe/SD1<24ùosa5Pt*                               Undecillion (1 followed by 66 zeros) years
MùMo1@eSP2ea8N-Ds45t/<o*                               Undecillion (1 followed by 66 zeros) years
Mo</5P-a8eM@4ùSN21stDeo*                               Undecillion (1 followed by 66 zeros) years

By halving the length, you get a time estimate that is reasonable for that length:

Cracking time estimated by Kaspersky

M-oN8@eMe/S                                            33 years
MùMo1@eSP2e                                            33 years
Mo</5P-a8eM                                            33 years

Cracking time estimated by howsecureismypassword

M-oN8@eMe/S                                            5 thousand years
MùMo1@eSP2e                                            5 thousand years
Mo</5P-a8eM                                            5 thousand years

As before, you can see that the results differ according to the calculation method. Once again, however, the longer and more complex the password, the longer the computation time. I hope these little tips will help you choose your future passwords, and don't forget to test their strength with the tools mentioned!
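As an added example (mine, not from the post, and not the calculation used by Kaspersky or howsecureismypassword, whose models are not published), here is a rough search-space model that ranks the passwords above, a check for rules 1 to 3, and the "mix everything together" step done with a cryptographic random generator instead of the online mixer. The guess rate, the character-class sizes and the small word list are assumptions.

```python
"""Rough brute-force cost model and the post's password recipe.

Added example, not from the original post, Kaspersky or howsecureismypassword
(their models are not public; the guess rate below is an assumption). It ranks
the post's sample passwords by search-space size, checks rules 1-3, and does
the "mix everything together" step of rules 4-7 with a CSPRNG instead of the
online mixer. The small word list is constructed.
"""
import math
import secrets
import string

GUESSES_PER_SECOND = 1e10     # assumed attacker rate; only the ordering matters here

# Character classes; a non-ASCII letter such as 'ù' counts as one more class
# whose size is an assumption.
CLASSES = [
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation), len(string.punctuation)),
]
OTHER_CLASS_SIZE = 100

# Constructed word list standing in for a dictionary plus common first names.
WORDLIST = {"password", "motdepasse", "jean-pierre", "jean", "pierre"}


def alphabet_size(pw):
    """Sum of the sizes of the character classes the password actually uses."""
    size = sum(n for chars, n in CLASSES if any(c in chars for c in pw))
    if any(not c.isascii() for c in pw):
        size += OTHER_CLASS_SIZE
    return size


def entropy_bits(pw):
    """Bits of a uniform search over the inferred alphabet (an upper bound for real passwords)."""
    return len(pw) * math.log2(alphabet_size(pw)) if pw else 0.0


def seconds_to_crack(pw, rate=GUESSES_PER_SECOND):
    """Average-case time: half the search space at `rate` guesses per second."""
    return 2 ** entropy_bits(pw) / 2 / rate


def violates_basic_rules(pw, wordlist=WORDLIST):
    """Rules 1-3 of the post: a bare dictionary word or name, or a bare digit sequence."""
    if pw.lower() in wordlist:
        return "dictionary word or name"
    if pw.isdigit():
        return "digit sequence"
    return None


def build_password(phrase, digits, specials, rng=None):
    """Rules 4-7: strip spaces, append digits and specials, shuffle with a CSPRNG."""
    rng = rng or secrets.SystemRandom()
    chars = list(phrase.replace(" ", "") + digits + specials)
    rng.shuffle(chars)
    return "".join(chars)


def report(passwords):
    """(password, rule violation or None, entropy bits) sorted from weakest to strongest."""
    rows = [(pw, violates_basic_rules(pw), round(entropy_bits(pw), 1)) for pw in passwords]
    return sorted(rows, key=lambda r: r[2])


if __name__ == "__main__":
    samples = ["1234", "password", "motdepasse", "jean-pierre", "M8*o,3t%=d5E",
               build_password("MoN MotDePasSe", "45821", "@-/<ù*")]
    for pw, problem, bits in report(samples):
        print(f"{pw:<26} {bits:>6} bits  {problem or ''}")
```

This only measures brute-force effort against the inferred alphabet. A recognisable word with predictable substitutions is found far faster by a dictionary attack, which is exactly why rules 1 to 3 come before the length rules, and why rule 8 (one password per account) matters regardless of the estimate.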

Test the security of your Linux computer

Lynis is an open-source utility for auditing the security configuration of UNIX-based operating systems (Linux, Mac, etc.). It is used from the terminal on the command line. By running many tests it evaluates the security of your system. Its final report lets you consolidate the weak points it finds by displaying « warnings », suggestions and a « Hardening index ». In this short tutorial I will guide you through the use of this software with an audit of an Ubuntu system.
First you need to install Lynis with the following command in the terminal: sudo apt-get install lynis
Then I suggest getting to know the options Lynis offers by displaying the help with the command: lynis -h

lynis -h

I will now demonstrate a system audit of Ubuntu in « NON-PRIVILEGED SCAN MODE » by entering the command: lynis audit system.
To audit in « PRIVILEGED SCAN MODE », simply put « sudo » in front of the command « lynis audit system ».

lynis audit system

At the end of the audit you will see that there are no warnings on my machine, but there are various suggestions.

You will have noticed the references after each suggestion. They are used to display more details with the command: lynis show details TEST-ID
For example, for the reference « PROC-3612 », enter the command: lynis show details PROC-3612

You will also see the famous « Hardening index », which gives you an overall idea of how well your operating system is configured. The higher the index, the better.

That's the end of this short tutorial; I'll let you try it for yourself, hoping to have helped you a little in securing your UNIX-based system!
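If you want to keep track of the suggestions across several audits rather than read the terminal each time, here is an added example (mine, not from the post or from Lynis) that parses the report file. It assumes the key=value format Lynis writes to /var/log/lynis-report.dat, where warning[] and suggestion[] entries carry pipe-separated fields beginning with the test id; the excerpt is constructed, PROC-3612 (from above) being the only real test id, and the threshold of 70 is an assumption.

```python
"""Summarise a Lynis report file.

Added example; it is not part of the original post or of Lynis. The excerpt is
constructed in the key=value layout Lynis writes to /var/log/lynis-report.dat
(warning[] and suggestion[] entries carry pipe-separated fields, the first
being the test id). PROC-3612 is the test id used in the post; XXXX-0001,
XXXX-0002 and all message texts are placeholders.
"""

SAMPLE_REPORT = """\
# Lynis report (constructed sample)
report_version_major=1
hardening_index=66
warning[]=XXXX-0001|placeholder warning text|-|-|
suggestion[]=PROC-3612|placeholder suggestion text|-|-|
suggestion[]=XXXX-0002|another placeholder suggestion|-|-|
"""

MINIMUM_INDEX = 70   # assumed threshold below which a host is worth a closer look


def parse_lynis_report(text):
    """Return the hardening index, warnings and suggestions, each with its detail command."""
    summary = {"hardening_index": None, "warnings": [], "suggestions": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key == "hardening_index":
            summary["hardening_index"] = int(value)
        elif key in ("warning[]", "suggestion[]"):
            fields = value.split("|")
            test_id = fields[0]
            summary[key[:-2] + "s"].append({
                "test_id": test_id,
                "message": fields[1] if len(fields) > 1 else "",
                # the command the post uses to expand a reference
                "detail_cmd": f"lynis show details {test_id}",
            })
    return summary


def needs_attention(summary, minimum_index=MINIMUM_INDEX):
    """True when there is any warning or the index is below the threshold."""
    idx = summary["hardening_index"]
    return bool(summary["warnings"]) or (idx is not None and idx < minimum_index)


if __name__ == "__main__":
    s = parse_lynis_report(SAMPLE_REPORT)
    print("hardening index:", s["hardening_index"], "(needs attention)" if needs_attention(s) else "")
    for item in s["warnings"] + s["suggestions"]:
        print(f"{item['test_id']}: {item['message']}  ->  {item['detail_cmd']}")
```

On a real host, run the audit first (with sudo for the privileged mode described above) and then feed the report file to parse_lynis_report; comparing two summaries taken before and after a change shows which suggestions you actually resolved.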


9 tips to protect your Windows computer

If you are one of the majority of computer users whose operating system is Windows, you will surely be interested in securing your PC. The multiplication of cyber-attacks in recent years has had a significant impact on the security of our data and our wallets, but also on our safety and even our health! With these few simple steps I suggest using various techniques that I would rather call common sense. You will thus be able to create an environment that lets you effectively secure your computer. Bear in mind, however, that no technique today can secure a computer 100%.

Here, without further ado, is a list of things to do to protect yourself against various attacks:

  1. Update your operating system with Windows Update as soon as possible, every time an update is available.
  2. Install an antivirus, free or paid. Keep in mind that both are worth about the same, with a few extra options for paid antivirus products. Personally I use a free antivirus and it does its job very well.
  3. Update your antivirus regularly.
  4. Install a firewall (if your antivirus does not include one).
  5. Make sure to create a restore point regularly.
  6. Check and back up your important documents regularly to external media, such as a USB stick or an external drive. For extra safety, store them on a medium that is not connected to the internet.
  7. Pay close attention to what you do on your computer. Check carefully which websites you visit and which links you click on (especially those coming from an e-mail).
  8. Manually scan with your antivirus every attachment and every piece of software you have downloaded BEFORE opening it. Do the same for every document and program coming from external media (USB stick, CD/DVD, external hard drive, etc.) that you want to install on your computer.
  9. Use complex and sufficiently long passwords, avoiding words that exist in dictionaries, dates of birth and first names. Preferably use a mix of digits, letters (lower and upper case) and special characters such as « é!:%$* », in a jumbled order!
Phishing

The word « phishing » is made up of the English words « password », « harvesting » and « fishing ».

Phishing (hameçonnage in French) is a fraud technique based on fake e-mails and websites. The e-mails take the form of false notifications from banks, suppliers, electronic payment systems and other organisations. They generally link to websites that are usually an exact copy of the official sites. The message urges the recipient, for some urgent reason, to enter or update personal information: for example passwords for various sites, e-mail account details or online-banking credentials. The reasons given are usually (falsely) data loss, system failures and the like.

Some counter-measures.

First: if you receive an e-mail asking you for confidential information, remember that no organisation will ask you for that kind of information by e-mail. Always check who the real sender is (how to find the sender); simply do not give out that kind of information, and inform the organisation concerned by sending them a copy of the e-mail (with its sender) and/or the address of the site.

Second: if you have clicked on a link from such an e-mail, check the URL in the address bar; you will notice that it is not quite the same as the original. That says it all: it is a fraudulent site.

Third: fraudulent e-mails and sites are often (but not always) full of spelling mistakes and various small errors. That should also tip you off.

Fourth: search your favourite search engine for the sender of the e-mail and/or the address (URL) of the site in question. For the URL you may also find interesting information by doing a WHOIS lookup. Try it with a site you know and look carefully at the information available.

Fifth: if in doubt, change your password immediately by going to the official site (remember to check the URL every time and to use the other techniques to be sure).

One last security point: if available, ALWAYS enable two-step verification, which exists for example on Facebook and Gmail but also on other services. It will keep you from losing access to your data on the services that offer this option, even if someone has nevertheless managed to extract a password from you, because two-step verification relies on your password AND on an SMS containing a verification code that changes with each login, which you must enter in addition to your password.
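For the second and fourth points (look at the URL), here is an added example, mine and not from the post, of the checks you can make on a link before trusting it: is the host the official site or one of its subdomains, is the official name merely embedded in some other domain, is there a user@ part or a raw IP address in front of the path. The official host and all sample links are placeholders.

```python
"""Sanity checks on a link before trusting it (counter-measures 2 and 4 of the post).

Added example, not part of the original post. The official host and all
sample links are constructed placeholders.
"""
import ipaddress
from urllib.parse import urlsplit

OFFICIAL_HOST = "bank.example"   # placeholder for the site the e-mail claims to come from


def is_ip_literal(host):
    """True when the host part is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def same_site(host, official):
    """True for the official host itself or one of its subdomains."""
    return host == official or host.endswith("." + official)


def check_link(url, official=OFFICIAL_HOST):
    """Return the reasons a link does not look like the official site (empty list = consistent)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if parts.scheme != "https":
        reasons.append("not https")
    if "@" in parts.netloc:
        reasons.append("user@ before the host hides the real destination")
    if is_ip_literal(host):
        reasons.append("raw IP address instead of a domain name")
    if not same_site(host, official):
        if official in host or official.replace(".", "-") in host:
            reasons.append("official name embedded in a different domain")
        else:
            reasons.append("different domain")
    return reasons


if __name__ == "__main__":
    # Constructed sample links; none of these hosts is real.
    for link in ["https://bank.example/login",
                 "https://secure.bank.example/login",
                 "http://bank.example.login-update.test/",
                 "https://bank-example.test/",
                 "https://bank.example@203.0.113.5/"]:
        print(link, "->", check_link(link) or "looks consistent")
```

The "looks consistent" result only means the address matches what you expect; it is still worth following the post's first and third points and, as the fourth point suggests, looking at the WHOIS record of any domain you do not recognise.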