Below is my Burp Suite analysis:
Nessus Scan Analysis
Slide Deck: nessus-scan-analysis-mw-ppt
Executive Summary: nessus-scan-analysis-executive-summary-mw
‘Root’ Of More IoT-Based DDos Attacks
This article discusses the details around the distributed denial-of-service (DDoS) attack that occurred on Friday morning using a large number of Internet of Things devices such as webcams, DVRs, and other smart devices that have minimal security features. Attackers were able to successfully impact the DNS provider Dyn for several hours while interrupting many large sites such as Amazon and Twitter. The attack is being labeled as an easy and non-sophisticated attack using simple devices and easily attainable malware.
The attackers used a botnet program called Mirai to gain control of all these devices. Mirai uses simple telnet commands to search for available devices and cycles through default login information until it is able to successfully gain access. Unlike normal servers, a majority of the IoT devices broadcast their version and model number once you connect to them.
With a large volume of IoT connected devices being added everyday, it raises the new concern of the lack of security in IoT devices. As showed on Friday, we now have to be concerned with a relativity easy attack that criminals can use to disrupt the internet.
http://www.darkreading.com/vulnerabilities—threats/root-of-more-iot-based-ddos-attacks/d/d-id/1327281?
Biometric Skimmers Pose Emerging Threat To ATMs
I came across this article today that discussed how banks are aggressively moving towards bio-metric authentication methods while cyber criminals are already coming up and testing ways to defeat these. For the last few years banks have been trying to find another authentication method to protect their pin authenticated ATMs from skimmers. The banks have started to install fingerprint, facial, and palm nerve scanners on ATMs to provide an additional layer of security. Criminals are already implementing ways to fool these scanners. It can be very concerning if your bio-metric security is compromised since you cannot just change it like a password.
It’s a perfect example of how difficult it is to stay ahead of the cyber crime. Bio-metrics technology has been around for quite some time but is just beginning to be rolled out for this use and we already have to determine what’s next from here.
Reconnaissance Analysis – Under Armour
Data Manipulation: An Imminent Threat
Hackers that are looking to cause more chaos than financial gain are nothing new, but this article reminded me how scary it can be.
The article describes a potential scenario where a hacker gains access to a bank’s internal network using traditional methods such as a stolen password, malware infection, etc. This is followed by getting privileged access into the customer database where detailed account balances and personal information is held. Over a three month period the hacker begins to alter and manipulate the data that is linked to customer transactions. Once the banks and customers realize what has happened it could take months for the data to be manually recalculated to the correct amounts. During this time customers are are wondering if they’ll have the correct and accurate balances, when, if ever, they’ll be able to make a withdraw, and if there is a safe place to place their money besides their mattress.
This reminds me of the story line in season 1 of Mr.Robot…
It’s easy to think that the financial sector has the best network and database security but I’m sure there are vulnerabilities. The large corporations may be better protected but some of the smaller financial companies may not have the same security luxuries to prevent an attack like this. The article points out a research survey of 200 organizations (average work force of 22k) and 47 % acknowledged that no individual or functional group is responsible for monitoring databases for unauthorized activity. This is alarming considering how much critical financial data is kept in these databases.
http://www.darkreading.com/attacks-breaches/data-manipulation-an-imminent-threat-/a/d-id/1326864?
The New Security Mindset: Embrace Analytics To Mitigate Risk
I came across this article that discusses how information security professionals should be adding a data driven approach to complement other techniques while attempting to mitigate the risk of attacks. Traditional defense preparation such as penetration testing is great for identifying specific weaknesses and exposures but there can be more creative and pro-active ways to finding where in your network is attracting potential hackers.
The author mentions that malicious hackers may be using rapidly changing techniques and advanced tools but they are using these tools with the same strategies and motives that have allowed them to analyze a target network and develop solutions in the past. If we can analyze our own networks in this same way that a hacker does it can allow us to focus in on key weaknesses.
It’s also interesting that the article mentions that organizations are beginning to task additional teams along with penetration testing to handle a role of analyzing the tactics and thinking process of the penetration testers. By reviewing this analysis and data you can possibly uncover thinking or trends that a malicious hacker may come across but perhaps the penetration testing missed.
http://www.darkreading.com/analytics/the-new-security-mindset-embrace-analytics-to-mitigate-risk/a/d-id/1326812?