Temple University

Rommel R. Miro

Week 13 – Reading Summary & News

An Intrusion Prevention System (IPS) examines the data and flow of network traffic to detect or prevent vulnerabilities from being exploited. The reading for this week discusses different methods of bypassing different flavors of IPS from various vendors. The methods mentioned in the reading are obfuscation (making something unreadable), encryption and tunneling (sending the attack through SSH), fragmentation (splitting malicious packets into fragments, whose reassembly is tricky; delaying packets) and protocol violations. In some cases, a combination of the methods was required to get through the IPS. Decoy trees and big-endian evasion techniques were also shown to help make the attack successful. An IPS is not meant to be the be-all and end-all of protection and also needs to be configured or tailored to your environment.
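To make the obfuscation and fragmentation points concrete, here is an added example (my own illustration, not code from the reading) of why an inspection engine has to canonicalize and reassemble traffic before applying a signature. The signature, the request lines and the fragments are all constructed toy values; a real IPS rule set is far richer.

```python
import re
from urllib.parse import unquote

# Constructed toy signature: a directory-traversal string in an HTTP request path.
SIGNATURE = re.compile(r"\.\./\.\./etc/passwd", re.IGNORECASE)


def naive_match(payload: bytes) -> bool:
    """Apply the signature to the raw bytes seen on the wire (what a weak sensor does)."""
    return SIGNATURE.search(payload.decode("latin-1")) is not None


def normalize(payload: bytes) -> str:
    """Canonicalize an HTTP request line the way the receiving server will see it:
    percent-decode twice (to cover double encoding), turn backslashes into
    slashes, collapse repeated slashes and fold case."""
    text = payload.decode("latin-1")
    for _ in range(2):
        text = unquote(text, encoding="latin-1")
    text = text.replace("\\", "/")
    text = re.sub(r"/+", "/", text)
    return text.lower()


def normalized_match(payload: bytes) -> bool:
    """Apply the signature only after normalization (what a sensor should do)."""
    return SIGNATURE.search(normalize(payload)) is not None


def reassemble(fragments):
    """Rebuild a stream from (offset, data) fragments that may arrive out of order.
    Overlapping fragments are rejected rather than silently merged, because
    overlap handling is exactly where a sensor and the end host can disagree."""
    received = {}
    for offset, data in fragments:
        for existing_off, existing in received.items():
            if offset < existing_off + len(existing) and existing_off < offset + len(data):
                raise ValueError(f"overlapping fragment at offset {offset}")
        received[offset] = data
    out = b""
    for offset in sorted(received):
        if offset != len(out):
            raise ValueError(f"gap before offset {offset}")
        out += received[offset]
    return out


def inspect_fragments(fragments) -> bool:
    """Match the signature against the reassembled, normalized stream instead of
    against each fragment on its own."""
    return normalized_match(reassemble(fragments))
```

Running the naive matcher on an encoded request or on individual fragments finds nothing, while the normalized, reassembled view does; that gap is what the evasion techniques in the reading exploit, and it is why IPS tuning matters.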


In the news:

Self-encrypting drives are little better than software-based encryption

If a laptop using a self-encrypted drive is stolen or lost while in sleep mode, the security of its data can’t be guaranteed. Companies relying on self-encrypting drives (SEDs) to secure data stored on their employees’ laptops should be aware that this technology is not immune to attack and should carefully consider whether they want to use this rather than software-based approaches.


Web Services

Web Services explanation:

Web services describe a standardized way of communicating and transferring data between Web-based applications using the XML, SOAP, WSDL and UDDI open standards over an Internet protocol backbone, usually HTTP.

XML is used to tag the data, SOAP (Simple Object Access Protocol) is used to transfer the data, WSDL (Web Services Description Language) is used for describing the services available and UDDI (Universal Description, Discovery and Integration) lists what services are available in an online repository for other applications to find.

Web services allow different software systems to exchange data with each other by using XML tags for data exchange instead of a particular language. The “rules” that are needed to facilitate the communication are contained in the WSDL. UDDI also defines which software system should be contacted for which type of data, similar to a phone book or directory. Once a software system finds out which other system it should contact, it contacts that system using SOAP.
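As an added example (my own code, not from the reading), here is what the SOAP step of that exchange looks like: building a SOAP 1.1 request envelope and parsing the response, including a SOAP Fault. The service namespace, the GetPrice operation and the sample response are hypothetical placeholders; in practice the element names would come from the service's WSDL.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"   # real SOAP 1.1 envelope namespace
SVC_NS = "http://example.com/stockquote"                # hypothetical service namespace

# Constructed sample response, the kind a GetPrice operation might return.
SAMPLE_RESPONSE = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <m:GetPriceResponse xmlns:m="http://example.com/stockquote">
      <m:Price>34.5</m:Price>
    </m:GetPriceResponse>
  </soap:Body>
</soap:Envelope>"""

# Constructed sample fault, the standard SOAP 1.1 way of reporting an error.
SAMPLE_FAULT = b"""<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <soap:Fault>
      <faultcode>soap:Client</faultcode>
      <faultstring>Unknown symbol</faultstring>
    </soap:Fault>
  </soap:Body>
</soap:Envelope>"""


def build_request(symbol: str) -> bytes:
    """Build a SOAP envelope with an ElementTree rather than string concatenation,
    so user-supplied text is escaped and cannot inject extra XML elements."""
    ET.register_namespace("soap", SOAP_NS)
    ET.register_namespace("m", SVC_NS)
    envelope = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(envelope, f"{{{SOAP_NS}}}Body")
    operation = ET.SubElement(body, f"{{{SVC_NS}}}GetPrice")
    ET.SubElement(operation, f"{{{SVC_NS}}}Symbol").text = symbol
    return ET.tostring(envelope, encoding="utf-8", xml_declaration=True)


def parse_response(xml_bytes: bytes) -> float:
    """Check the envelope structure explicitly: reject anything that is not a SOAP
    envelope, surface a Fault as an error, and only then read the payload."""
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{SOAP_NS}}}Envelope":
        raise ValueError("not a SOAP 1.1 envelope")
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None:
        raise ValueError("envelope has no Body")
    fault = body.find(f"{{{SOAP_NS}}}Fault")
    if fault is not None:
        raise RuntimeError(fault.findtext("faultstring", default="unspecified SOAP fault"))
    price = body.findtext(f"{{{SVC_NS}}}GetPriceResponse/{{{SVC_NS}}}Price")
    if price is None:
        raise ValueError("response does not contain a Price")
    return float(price)


def symbol_in_request(xml_bytes: bytes) -> str:
    """Read the Symbol back out of a request (used to show the round trip)."""
    root = ET.fromstring(xml_bytes)
    return root.findtext(f"{{{SOAP_NS}}}Body/{{{SVC_NS}}}GetPrice/{{{SVC_NS}}}Symbol")
```

The point of building the envelope from elements instead of pasting strings together is that a symbol like `<x>` ends up as escaped text, not as a new element, which is the XML counterpart of the injection problems discussed in later weeks.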


In the news:

OmniRat Allows Cyber Criminals Hack Mac, Linux, Windows PC and Android Phones

RAT stands for Remote Access Trojan. When OmniRAT was analyzed for the way it gets into a system, it was found that it enters devices via a client component that starts communicating with a server counterpart, which allows hackers to make the phone do whatever they want. It is usually used for testing and is downloaded as an APK file on mobile devices.

Week 11 Summary

Reading: Full SQL Injection Tutorial

SQL injection is a technique that uses code injection via malicious statements and commands to attack applications, with the goal of dumping the database contents to the attacker. The tutorial goes to great lengths explaining each line of code, with expected results and variations. While it involves a fair amount of guessing, the article also provides the most common names of tables and columns.

A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete) and issue commands to the operating system.

Mitigation options include parameterized statements, escaping, pattern checks, hexadecimal conversion and limiting permissions on the database. Parameterized statements treat the injected input as an ordinary parameter value and do nothing special with it, so it cannot change the structure of the query.
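Here is an added example (my own, not from the tutorial) showing the vulnerable pattern next to the parameterized fix, using Python's built-in sqlite3 module and a constructed two-user table. The login functions, table and credentials are all made up for the demonstration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create a throwaway in-memory database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],   # constructed sample rows
    )
    return conn


def login_vulnerable(conn, username: str, password: str):
    """String concatenation: the user's input becomes part of the SQL grammar,
    so quotes and keywords in the input rewrite the WHERE clause."""
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return sorted(row[0] for row in conn.execute(query).fetchall())


def login_parameterized(conn, username: str, password: str):
    """Parameterized statement: the query text is fixed and the driver passes the
    input as data, so a quote in the input is just a character to compare."""
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchall()
    return sorted(row[0] for row in rows)


# Constructed example of the classic tautology input used in SQL injection tutorials.
TAUTOLOGY = "' OR '1'='1"
```

With the tautology in both fields the concatenated query becomes `... WHERE username = '' OR '1'='1' AND password = '' OR '1'='1'`, which is true for every row, so the vulnerable login returns all users; the parameterized version simply compares the literal string and returns nothing. Limiting the database account's permissions, also listed above, bounds the damage when such a bug slips through.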


In The News:

$1 million bounty for hacking iPhone has been claimed


Apple devices are widely considered extremely secure and hard to hack. But as the internet adage says, everything can be hacked—even the new iPhone… The challenge consisted of finding a way to remotely jailbreak a new iPhone or iPad, allowing the attacker to install any app he or she wants with full privileges. The initial exploit, according to the terms of the challenge, had to come through Safari, Chrome, or a text or multimedia message.

Week 10 Summary

Web-application hacking highlights the importance of sanitizing data. It is made possible by applications accepting unexpected values as input; this is how malicious code is injected into the web application through an input field. The reading also describes the Burp Suite, a collection of tools used for security testing of web applications. The tools are Burp Proxy, Burp Sitemap & site scope, Burp Spider, Burp Intruder (used for SQL injections), Repeater, Sequencer, Decoder and Comparer.
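As an added example of what "sanitizing data" means in practice (my own code, not from the reading), here is a small form handler that validates each input field against an allow-list before using it and escapes values when they are put back into HTML. The field names, rules and sample submissions are constructed for the demonstration.

```python
import html
import re

# Allow-list rule for a username: only letters, digits and underscores, 3 to 32 long.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")


def validate_username(value: str) -> bool:
    """Accept only values that match the allow-list exactly (fullmatch, not search)."""
    return USERNAME_RE.fullmatch(value) is not None


def validate_quantity(value: str):
    """Accept only a plain positive integer in range; return it as an int or None."""
    if not value.isdigit():
        return None
    number = int(value)
    return number if 1 <= number <= 100 else None


def handle_form(form: dict):
    """Validate every field on input. Returns (cleaned_values, errors)."""
    cleaned, errors = {}, {}
    username = form.get("username", "")
    if validate_username(username):
        cleaned["username"] = username
    else:
        errors["username"] = "3-32 letters, digits or underscores"
    quantity = validate_quantity(form.get("quantity", ""))
    if quantity is not None:
        cleaned["quantity"] = quantity
    else:
        errors["quantity"] = "integer between 1 and 100"
    return cleaned, errors


def render_greeting(name: str) -> str:
    """Encode on output: whatever the value is, it is shown as text, not markup."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


# Constructed sample submissions: one well-formed, one carrying injection attempts.
GOOD_FORM = {"username": "alice_01", "quantity": "3"}
BAD_FORM = {"username": "' OR 1=1 --", "quantity": "-5"}
```

The two halves are complementary: validation rejects input that should never reach the database or the page, and output encoding protects the cases where the value legitimately contains characters that mean something to the browser.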

Sanitize Data

In The News:


TalkTalk ransom: hacker demanded 80k GBP

TalkTalk has confirmed that they did have a security incident. It looks like the attacker used SQL injection to steal the database on the website. Now it looks like the website might have stored the information of 4 million customers or so…

…it started with the CEO talking about getting a ransom letter, the letter basically said if you don’t pay up to 80,000 pounds or 120,000 dollars in Bitcoin, we are going to release all your information and they also included a sample of the information that was stolen…

Week 9 – Malware

Malware today stands for malicious software. This encompasses viruses, trojans, rootkits, worms, logic bombs, etc. The reading article defines and explains the differences between those examples above, including backdoors, spyware, bots and botnets. It also talks about replication mechanisms and highlights how viruses require hosts while other types of malware do not. The SANS 6 Step Handling Process was mentioned in the reading and suggests the following steps in chronological order: Preparation – Identification – Containment – Eradication – Recovery – Lessons Learned. For IT Security professionals, the preparation step is key because new methods and ways to circumvent or bypass anti-virus software are always being created. Since this is a cat and mouse game, this highlights how important it is to keep systems updated so the anti-virus software is patched and contains the latest definitions so it can detect the newly-cooked or discovered attacks or means of attack. This is the only way it can stand a chance against malware. If it is a step behind, it has no way of catching new threats. Viruses are usually classified based on Memory Operation, Target, Obfuscation Technique and Payload. There are multiple methods for each classification that show both the complexity and how resiliency and adaptability are designed into these malicious programs.


Cyber-Security News:


How a criminal ring defeated the secure chip-and-PIN credit cards

Hackers were able to carry out a classic man-in-the-middle attack by programming a second hobbyist chip, called a FUN card, to accept any PIN entry and soldering that chip onto the card’s original chip. This increased the thickness of the chip from 0.4mm to 0.7mm, “making insertion into a PoS somewhat uneasy but perfectly feasible.”


Week 7

Netcat was originally designed as a back-end tool that can test, create, read from and write to connections using TCP or UDP. It can be used directly or run by programs or scripts. It was originally designed for Unix and Linux and has since been ported to other platforms. It is a must-have for any hacker’s toolbox. It was created in 1995 by Hobbit as a network debugging and exploration tool. Besides the ability to make connections to and from any port, it can also do file transfer, port scanning and port listening.
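To show what is actually going on underneath `nc -l` (listen), `nc host port` (connect and send) and `nc -z` (port check), here is an added example (my own Python, not Netcat's code) that does the same three things with raw TCP sockets on the loopback interface. Everything runs locally against a listener the script itself starts, so there is no real target involved.

```python
import socket
import threading


def start_listener(host: str = "127.0.0.1"):
    """Like `nc -l`: bind a free TCP port, accept one client and collect what it
    sends. Returns (port, thread, result) so the caller can join and read it."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind((host, 0))          # port 0: let the OS pick an unused port
    server.listen(1)
    port = server.getsockname()[1]
    result = {}

    def serve():
        conn, _peer = server.accept()
        with conn:
            chunks = []
            while True:
                data = conn.recv(4096)
                if not data:        # client closed its sending side
                    break
                chunks.append(data)
            result["data"] = b"".join(chunks)
        server.close()

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return port, thread, result


def send_bytes(host: str, port: int, payload: bytes) -> None:
    """Like `nc host port < file`: connect, push the bytes, then half-close so the
    listener sees end-of-stream."""
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(payload)
        sock.shutdown(socket.SHUT_WR)


def transfer(payload: bytes) -> bytes:
    """Full file-transfer round trip through the loopback interface."""
    port, thread, result = start_listener()
    send_bytes("127.0.0.1", port, payload)
    thread.join(5)
    return result.get("data")


def scan_ports(host: str, ports, timeout: float = 0.2):
    """Like `nc -z host port`: a port is open if a TCP connect completes."""
    open_ports = []
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                open_ports.append(port)
        except OSError:             # refused, timed out or unreachable
            pass
    return open_ports


if __name__ == "__main__":
    # Constructed payload standing in for a file being transferred.
    print(transfer(b"hello from the client side\n"))
```

Note that everything Netcat moves is plaintext; that is what makes it a debugging tool and also why a listener left running on a host is something a defender should notice in `netstat`/`ss` output.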


In the news:

Recent studies show that besides hacking or malware, device loss is also a leading problem.

http://www.networkworld.com/article/2988643/security/device-loss-data-breach-malware-hacking-trend-micro-report.html


Week 6 Reading Summary and Article

1 Key Point:

The reading for this week discusses packet sniffing in both switched and non-switched environments. It explained ARP spoofing, which is done mainly through a man-in-the-middle attack where the attacker poisons the ARP cache with their own information, intercepting data between the target machines. Tools such as Ettercap and Cain were also mentioned, specifically how they highlight sensitive parts of sniffed traffic, namely usernames and passwords.

Steps to mitigate threats from packet sniffing mentioned include detecting packet sniffers (using software), locking down the network environment (e.g. VLANs) and encryption or IPsec. The latter is the most viable.
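Encryption is the real fix, but the ARP-cache poisoning described above also leaves a footprint a defender can watch for. Here is an added example (my own code, not from the reading) of the check tools like arpwatch perform: track which MAC each IP claims in ARP replies and alert when a mapping changes or one MAC starts answering for several IPs. The input lines are constructed to look like `tcpdump -n` output, and the addresses are made up.

```python
import re
from collections import defaultdict

# Constructed sample capture, modeled on `tcpdump -n` ARP output. In the last
# line the gateway's IP (.1) is suddenly claimed by the MAC that host .20 used.
SAMPLE_CAPTURE = """\
12:00:01.000001 ARP, Reply 192.168.1.1 is-at aa:bb:cc:00:00:01, length 28
12:00:02.000002 ARP, Request who-has 192.168.1.1 tell 192.168.1.20, length 28
12:00:02.000003 ARP, Reply 192.168.1.20 is-at aa:bb:cc:00:00:20, length 28
12:00:03.000004 ARP, Reply 192.168.1.1 is-at aa:bb:cc:00:00:01, length 28
12:00:09.000005 ARP, Reply 192.168.1.1 is-at aa:bb:cc:00:00:20, length 28
""".splitlines()

ARP_REPLY_RE = re.compile(
    r"^(\S+) ARP, Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-fA-F:]{17})"
)


def parse_arp_replies(lines):
    """Yield (timestamp, ip, mac) for each ARP reply; requests and other lines are skipped."""
    for line in lines:
        match = ARP_REPLY_RE.match(line)
        if match:
            yield match.group(1), match.group(2), match.group(3).lower()


def detect_arp_anomalies(replies):
    """Flag an IP whose MAC changes, and a MAC that answers for more than one IP.
    Both are normal occasionally (DHCP churn, failover), so this is an alert to
    review, not proof of an attack."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append(f"{ts} MAC change for {ip}: {previous} -> {mac}")
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append(f"{ts} MAC {mac} claims multiple IPs: {sorted(mac_to_ips[mac])}")
    return alerts


def analyze_capture(lines):
    """Convenience wrapper: parse then detect."""
    return detect_arp_anomalies(parse_arp_replies(lines))


if __name__ == "__main__":
    for alert in analyze_capture(SAMPLE_CAPTURE):
        print(alert)
```

On a switched network the monitor only sees the ARP traffic that reaches its own port, so this kind of check is usually run on the gateway or on a span port; it complements, rather than replaces, the VLAN and encryption steps listed above.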

Question:

Why is replacing insecure protocols not feasible in some settings? Do the benefits of using insecure protocols outweigh the security risks they pose?

Article:

Security firm discovers Linux botnet that hits with 150 Gbps DDoS attacks

http://www.engadget.com/2015/09/29/linux-botnet-hits-with-150-gbps-ddos/

The Linux-based botnet spreads via malware through embedded devices and gains SSH access. It then pulls down the botnet software and propagates.

The botnet is capable of driving a very high volume of traffic every minute at its targets, bringing them down as a result. Linux machines need to be hardened more than ever.