Episode: 3719
Title: HPR3719: HPR News
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr3719/hpr3719.mp3
Transcribed: 2025-10-25 04:37:35
---

This is Hacker Public Radio Episode 3,719 for Thursday, the 3rd of November 2022. Today's show is entitled HPR News. It is hosted by Some Guy On The Internet and is about 10 minutes long. It carries a clean flag. The summary is InfoSec, the language of security.

Hello and welcome to another episode of Hacker Public Radio. I'm your host, Some Guy On The Internet. I've made some adjustments to the news with Scotty and I'm going to be calling it HPR News. That way it's a little bit more in line with the branding. It's still early days and I'll be making more adjustments to it, trying to figure out what feels good and what not, but this segment I'll call InfoSec, the language of security.

Our first topic, typosquatting. What is typosquatting and how do scammers use it? The attack known as typosquatting uses modified or misspelled domain names to trick users into visiting fraudulent websites. The heart of this attack is domain name registration. Attackers will employ typosquatting to defraud users by mimicking login pages, redirecting users to fraudulent websites, then downloading malware, and then eventually following up the attack with extortion or theft.

In a previous episode, my co-host and I, Archer72, had a discussion on typosquatting. I forgot to post a few links in that show, giving some examples of it, but we discussed it in certain libraries like Rust libraries, the Rust crates that were affected by typosquatting, also the Python libraries that were affected by typosquatting. Here I've provided those examples down below. I've done this to inform the user that typosquatting isn't just posting a fraudulent domain to trick you into revealing your credentials so that the attacker can defraud you, but also if you're a developer, someone who codes for a living.
They'll normally target popular coding libraries, because if they can fool the developer, the developer will then pass the attack on to the users. So as you read through the articles below, I don't want you to think that these languages are unsafe to use because of these attacks, but I want you to understand that the attacks are going to happen no matter what. No matter where you are online, the attacks will be present. Fortunately for you, there's Some Guy On The Internet providing you with solutions that can help you fight typosquatting.

In my personal experience, a good security-focused font like the Ubuntu font family is perfect for fighting typosquatting. Think of a security-focused font as a font with the least amount of indistinguishable characters. What I mean by this is some fonts will use the same character model for multiple characters, where the character data is different, but the model is identical to other characters. For example, if you have an iPhone, open your phone, go to a web browser, or just pull up the keyboard, and type in lowercase l, capital I. You'll notice that both characters look identical. In other fonts, like the Liberation Sans font, if you open up LibreOffice and just type in a lowercase l and a capital I, highlight and change the font to Liberation Sans, the models are technically different, but visually you can be tricked into believing they're the same model because they're slightly different. Attackers rely on this resemblance in order to prey on users.

Another method of fighting against typosquatting is using checksums. Checksums will allow users to check the integrity of a file once downloaded. So even if the file appears to be the exact file and it looks and spells the same, if it's been modified in any way past what the developer who originally created it or packaged the file, it will show up in the checksum. Most freedom-based operating systems like Linux and BSD come with this capability built-in.
So you basically open up a terminal, generate the file's hash, compare it with what the developer told you it should be from the website or wherever, and if it matches, it's good. If it doesn't, it's probably been tampered with.

When combating typosquatting with websites, DNS is also a very good measure. Setting up a Pi-hole is basically the extent of my knowledge on DNS, so you may want to check some of the articles if you wish to self-host your own DNS, but Pi-hole has some wonderful documentation available for everyone. There's also some great websites out there like dnstwister.report and Whois Lookup. They're great for identifying fraudulent websites. For example, if you go on dnstwister.report, type in Bitwarden, it'll give you a list of just fraudulent websites that typosquatters are using to try and trick users and to, you know, give up their credentials to their password vaults. Using a tool like dnstwister.report is a very good practice for users. You'll learn more about the common typosquatting techniques used against you by visiting dnstwister and just looking up certain websites that you visit frequently.

The Whois Lookup is also very important because a lot of these businesses, like the legitimate ones, will register their websites for multiple years. They're, I mean, the DNS registration for multiple years, but a fraudulent website normally only registers for like one year. Having only one year's registration time isn't enough to call you a fraud, but it's something to look out for. So, hosting your own DNS may even give you the ability to use like community-based block lists, something like CrowdSec.

Now, last but not least, your password manager is your best friend when fighting against typosquatting, because you store the valid links in the password manager so you never have to worry about misspelling a link. You'll have the valid link, the credentials, and two-factor all in the password manager.
That takes us directly into the next topic, two-factor and multi-factor authentication. First, let's talk about authentication. This is the process of verifying the validity of something, usually your username and password. Having this alone is just called single-factor authentication, and it's not enough to stop attackers this day and age. Two-factor authentication increases the difficulty for attackers by providing users with an additional layer of security to accomplish authentication. So, you'll have the first factor or single-factor, which is the username and password, followed by the second factor of a TOTP or OTP, which is the one-time password, that six-digit code that you normally get sent to you, either by SMS or email or however you receive it. Your authenticator apps will also help you with TOTP, so Bitwarden, KeePassXC, etc., they'll help you with TOTP codes as well, and security keys like YubiKey.

In short, 2FA works a lot like going to an ATM. You have your bank card and your ATM PIN, so that's something you have, a physical object, and something you know, which is the bank PIN. That's how you authenticate.

There's also multi-factor authentication, which is very similar to 2FA, except you can include things like biometrics, which are like the fingerprint scans, your retina scans, your facial recognition, or voice recognition. So, now an attacker, with multi-factor authentication, is going to have to not only know the username and password, they'll probably have to intercept a TOTP key or possess a physical object like a YubiKey, as well as try and navigate the inheritance factor, which is your fingerprint or your retina or your voice or whatever, and they'll have to do that usually within a limited amount of time, and if they fail, they can only fail a certain amount of times, and you know, all sorts of other factors. So, in short, use 2FA.
It really, really makes it difficult for attackers to come after you, taking you out of the low-hanging fruit category, and if you can, or if you're willing to, use multi-factor. I personally don't go toward the biometrics, because you can be compelled to use those to unlock devices, especially in airports and things of that nature. Example, if you were stopped and detained in an airport, and your facial recognition was used to unlock your device, they can simply hold the phone at your face and unlock the device without your permission. So, even though it's great against attackers, it does have its drawbacks.

I've provided links in the show notes to all of the different things talked about in the show, Bitwarden, KeePassXC, YubiKey, as well as some other information for things like the FIDO Alliance specifications, and a guide on using two-factor authentication, or two-step login.

I imagine one day with all these different security layers that we're constantly employing to ward off attackers, we'll one day have like a thousand different measures that we'll have to employ, but I think it'll be okay just as long as we have an open standard, as well as open technology and open software to support that technology, because I truly believe nothing can innovate like open source. With more eyes, more minds, and more innovation, all piled in on the same objective, we can't help but succeed. That or we'll throw the biggest failure party the world has ever seen.

All right, ladies and gentlemen, that wraps it up for InfoSec, the language of security. I'm Some Guy On The Internet, also known as Scotty, doing the HPR news. I'll see you in the next episode.

You have been listening to Hacker Public Radio at HackerPublicRadio.org. Today's show was contributed by an HPR listener like yourself. If you ever thought of recording podcasts, you can click on our contribute link to find out how easy it really is.
Hosting for HPR has been kindly provided by AnHonestHost.com, the Internet Archive, and rsync.net. Unless otherwise stated, today's show is released under Creative Commons, Attribution 4.0 International License.
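
The lookalike-name problem discussed in this episode (lowercase l versus capital I, misspelled package and domain names) can also be checked mechanically before installing a library or following a link. The Python sketch below is an added example, not part of the episode or its show notes; the trusted list, the confusable-character table and the function names are constructed for illustration.

```python
# Added example: compare a name against a list of names you already trust.
# TRUSTED and the confusable table are constructed samples, not a complete list.
TRUSTED = ["bitwarden.com", "requests", "pillow"]

# Characters that many fonts render almost identically (I/l/1, O/0).
CONFUSABLE = str.maketrans({"I": "l", "1": "l", "0": "o", "O": "o"})

def skeleton(name):
    """Collapse look-alike characters so visually similar names compare equal."""
    s = name.translate(CONFUSABLE).lower()
    s = s.replace("rn", "m").replace("vv", "w")   # two-letter look-alikes
    return s.replace("-", "").replace("_", "")    # separator swaps

def edit_distance(a, b):
    """Optimal string alignment: insert, delete, substitute, adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            # Adjacent transposition, e.g. "reqeusts" for "requests".
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cost = min(cost, prev2[j - 2] + 1)
            cur.append(cost)
        prev2, prev = prev, cur
    return prev[-1]

def check(candidate, trusted=TRUSTED):
    """Return (verdict, matched_name).

    verdict is 'trusted' (exact match), 'lookalike' (renders like a trusted
    name), 'near-miss' (one typo away from a trusted name) or 'unknown'.
    """
    if candidate in trusted:
        return ("trusted", candidate)
    for good in trusted:
        if skeleton(candidate) == skeleton(good):
            return ("lookalike", good)
    for good in trusted:
        if edit_distance(skeleton(candidate), skeleton(good)) == 1:
            return ("near-miss", good)
    return ("unknown", None)

if __name__ == "__main__":
    for name in ["requests", "piIlow", "reqeusts", "bitwardem.com", "numpy"]:
        print(name, check(name))
```

A "lookalike" or "near-miss" verdict means the name deserves a second look before use; "unknown" only means the name is not close to anything on the trusted list.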