Beware of COVID-19 Scams and Attacks

Photo by 🇨🇭 Claudio Schwarz | @purzlbaum on Unsplash

The global outbreak of the COVID-19 disease has given cybercriminals a new avenue for exploiting and defrauding unsuspecting people. As the epidemic continues, scams and attacks will continue to evolve and will keep trying to exploit people’s fear and needs.

Some examples of COVID-19 exploits and scams include:

Phishing

Scammers posing as health authorities, such as the Centers for Disease Control and Prevention (CDC) or the World Health Organization (WHO), are sending emails intended to trick recipients into providing personal information or financial details, or into spreading malware. Some of the phishing emails contain attachments, such as Word documents or PDFs, that claim to provide vital information but contain malicious code that can infect the computer.

  • Check the sender’s email address very carefully, as a phishing email address can closely resemble a legitimate address. If ever in doubt, delete the email.
  • Never respond to an email with your personal or financial information. Government agencies will not request that information in an email.
  • Don’t click on links in an email. Instead, navigate to the website yourself to check for any relevant information.
  • Avoid any email that insists that you act now. This technique attempts to create a sense of urgency and convince you to click on a link or provide information.

Products

Scammers are defrauding consumers by claiming to sell products that are currently scarce and in high demand, such as personal protective equipment and home goods, with no intent to deliver the product.

  • Only purchase from reputable companies. If a deal appears to be too good to be true, or a seller has a large amount of something otherwise difficult to locate, beware.
  • Review the seller’s customer reviews, if available, to verify that prior customers received the products and were satisfied with them.

Charity

As more and more people are affected by COVID-19, the solicitation of donations will increase. Be aware of solicitations that request donations in cash, money wires, or gift cards – they are usually scams.

  • Research any organization or crowdfunding site before donating, and keep a record of that donation.
  • Review the ‘How to donate wisely and avoid charity scams’ page on the Federal Trade Commission (FTC) website.

Computer and mobile applications

Cybercriminals are exploiting users who are interested in tracking COVID-19. They display a map loaded from a legitimate source and trick users into downloading a malicious app designed to steal sensitive information, such as the users’ credentials and credit card numbers, which is sometimes sold on the dark web.

  • Only download applications from reputable sources.
  • Keep your computer, mobile device, and anti-virus software up to date.

Phone scams

There have been reports of scammers using phone calls, text messages, and robocalls to offer bogus free COVID-19 tests, miracle cures, preventative products, and medical insurance. Some callers pretend to be health care providers or facilities that have treated someone you know for COVID-19 and demand payment for the treatment.

  • Do not reply to or click on any links within a text message from an unknown number.
  • Scammers can easily spoof phone numbers. If the call or text seems out of character for the sender or asks for information or money, hang up or do not reply.
  • Don’t press any buttons that claim to be responding as ‘no’ or claim to remove the number from a call list – instead, hang up.

Stimulus Checks

Most people have heard from the news and social media about the $2.2 trillion stimulus bill that the federal government passed. The scammers have heard as well and are using multiple tactics to ask for personal and financial information. Taxpayers don’t have to sign up to get the money, and the federal government will not call, text, or email you requesting information.

  • Do not share any personal or financial information with anyone claiming that it is required to receive the stimulus check.
  • Report any calls, emails, or text messages received that claim to be about the stimulus checks to the FBI at www.ic3.gov.

Setup SSH With Public-Key Authentication on Kali Linux

What is an SSH key?

While an SSH key is an access credential, it is technically a cryptographic key. SSH uses public-key cryptography (or asymmetric cryptography) and challenge-response authentication as a more secure method of authentication. Using SSH keys allows you to be authenticated to the remote server without sending your password over the network.


SSH keys are generated in pairs (public and private) that are mathematically related but not identical. They work together to authenticate when logging into an SSH server. The public key is used to encrypt and the private key is used to decrypt. When the client attempts to connect to the remote server, the server verifies that the client holds the private key that corresponds to an authorized public key. If the private key is verified to match the public key, the client is authenticated and a shell session is launched.

The public key can be shared, because it is infeasible to compute the private key based on the public key.

The private key is not shared, and must be secured, so it is advisable to store it in encrypted form. This will require that a passphrase is entered when the private key is required. The passphrase is not transmitted over the network because it is only needed to decrypt the private key on the local system.

*Note: While setting a passphrase is an optional step, it is strongly recommended. If the private key were compromised, the unauthorized user would be able to assume that identity on the SSH server.


Key generation: Windows and Linux


[Windows]

Since Windows doesn’t have a native SSH client, PuTTYgen will be used to generate the keys.

*Note: PuTTY and PuTTYgen can be downloaded from http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

To create the key pair, follow these steps:

Open PuTTYgen and select the desired parameters:

Type of key to generate: SSH-2 RSA [recommended]

Number of bits in a generated key: at least 2048

Click on the “Generate” button


In the area below the progress bar, move the mouse around to generate random data needed to generate the key, until the process completes


In the next step, enter and confirm a passphrase

*Note: Set this to something memorable, because you will need it to log in.


Save the Keys

Click on the “Save public key” button and the “Save private key” button and select a secure location to save them


[Linux]

To create the key pair, use the following command:

ssh-keygen -b 2048 -t rsa

[-b 2048] specifies the desired key length in bits (use powers of two if you choose to increase the key length)

[-t rsa] specifies that RSA keys are to be generated

When prompted, enter the location to store the keys, or press enter to accept the default location:

Enter file in which to save the key (/home/user/.ssh/id_rsa):

At this point, you will be prompted to enter and confirm a passphrase:

Enter passphrase (empty for no passphrase):

Enter same passphrase again:

*Note: Set this to something memorable, because you will need it to log in.

ssh-keygen will then complete and display the locations of the keys, the key fingerprint, and the key’s randomart image.



[Configure the server]


Now that the keys are created, we will configure OpenSSH on the Kali system, and save the public key.

As root, issue the following command:

apt-get install openssh-server

To enable the ssh server, issue:

service ssh start

So that the service remains enabled after a reboot, issue the following commands to alter the runlevels, in this order:

update-rc.d ssh remove

update-rc.d -f ssh defaults

service ssh restart

service ssh status


Next, create the following directory, set permissions, and copy the key.

Issue the following commands:

mkdir ~/.ssh

chmod 700 ~/.ssh

nano ~/.ssh/authorized_keys

Copy the public key that was created in PuTTYgen into this file, as one line.

That file must be readable and writable only by that user, so enter:

chmod 600 ~/.ssh/authorized_keys



[Put it all together]


Attach and use the key

Launch PuTTY and specify the destination host and port:

Under Category on the left, select “SSH”, then “Auth”, and click the “Browse” button

Navigate to the location of the private key, and select it


Test login

Click “Open”

A PuTTY Security Alert will pop up, indicating that the host key is not cached in the registry.

*Note: It is a good idea to compare the fingerprint shown in the alert with the server’s own host key fingerprint before adding it to the cache.

Click “Yes”

Enter the passphrase for the key

You should now be connected
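The server-side authorized_keys step and the host-key comparison above, as an added shell example that is not part of the original post: it installs a public key line with the modes the post requires (700 on ~/.ssh, 600 on authorized_keys), checks them, and prints the server’s host key fingerprints for comparison with the PuTTY alert. The sample key line is constructed, and the functions assume GNU or BSD stat and, for the fingerprint function, ssh-keygen on the Kali host.

```shell
#!/bin/sh
# Added example, not from the original post: installs a public key into
# authorized_keys with the modes the post requires (700 on ~/.ssh, 600 on
# the file), checks them, and prints host key fingerprints for the PuTTY
# alert. The home directory is an argument so a scratch directory can be used.

# CONSTRUCTED sample key line (not a real key; shows the expected format).
SAMPLE_PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0EXAMPLEKEYDATA user@kali'

# install_pubkey HOME_DIR 'key line': create ~/.ssh and authorized_keys with
# the right modes, then append the key unless it is already present.
install_pubkey() {
    sshdir="$1/.ssh"; authkeys="$sshdir/authorized_keys"
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    touch "$authkeys" && chmod 600 "$authkeys"
    # A key is identified by its type and base64 blob; the comment may differ.
    keyid=$(printf '%s\n' "$2" | awk '{print $1 " " $2}')
    if ! awk '{print $1 " " $2}' "$authkeys" | grep -qxF -- "$keyid"; then
        printf '%s\n' "$2" >> "$authkeys"
    fi
}

# file_mode PATH: octal permission bits (GNU stat, falling back to BSD stat).
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# check_ssh_perms HOME_DIR: return 0 when the modes are what sshd's default
# StrictModes setting accepts; otherwise report the problem and return 1.
check_ssh_perms() {
    dmode=$(file_mode "$1/.ssh"); fmode=$(file_mode "$1/.ssh/authorized_keys")
    [ "$dmode" = "700" ] || { echo "~/.ssh mode is $dmode, expected 700"; return 1; }
    [ "$fmode" = "600" ] || { echo "authorized_keys mode is $fmode, expected 600"; return 1; }
}

# count_keys HOME_DIR: key lines in authorized_keys (blank lines and comments excluded).
count_keys() { grep -cv -e '^[[:space:]]*$' -e '^#' "$1/.ssh/authorized_keys" || true; }

# show_host_fingerprints: run on the Kali server to print the fingerprints of
# its host keys; one of them should match the key shown in the PuTTY alert.
show_host_fingerprints() {
    for f in /etc/ssh/ssh_host_*_key.pub; do
        [ -f "$f" ] && ssh-keygen -lf "$f"
    done
}
```

On the Kali host, `install_pubkey "$HOME" "$(cat id_rsa.pub)"` followed by `check_ssh_perms "$HOME"` performs the steps from the “Configure the server” section, and `show_host_fingerprints` gives the value to compare when the PuTTY alert appears.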
