Temple University

Ruslan Yakush

Week 13 – Summary

Evasion Techniques – Reading

Even though an IPS provides a means to stop malicious traffic before it passes the secured perimeter, it is still possible to evade detection by bypassing the IPS/IDS and carrying out an attack. An IPS performs deep packet inspection to reveal abnormal content or traffic behavior, based on threshold values that trigger an alert or detection, and then executes a prevention action if it is configured correctly. Evasion is possible through obfuscation, encryption and tunneling, packet fragmentation, and protocol violations; Evader is one of the tools built for this, and there are others. When data is captured, the payload is analyzed to reveal services, sources, destinations, and so on. Various IPS products are used for protection, such as Palo Alto and Cisco ASA. It is critical to constantly review the configuration design, including the threshold values, and to always review all logs to find out whether anything might be vulnerable.
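As an added example (not from the reading), here is why a detection engine has to reassemble and normalize traffic before it can match a signature: the signature, the probe and the packet segments are constructed for illustration and stand in for one rule of a real IPS.

```python
import re
from urllib.parse import unquote

# Constructed signature standing in for one IPS rule: a path-traversal probe.
SIGNATURE = re.compile(r"\.\./\.\./etc/passwd")

def naive_match(payload: bytes) -> bool:
    """Match the raw bytes as received: encoding and splitting both evade this."""
    return SIGNATURE.search(payload.decode("latin-1")) is not None

def normalize(payload: bytes) -> str:
    """Undo the obfuscations the reading lists before matching: percent-encoding
    (decoded repeatedly, because payloads get double-encoded), mixed case, and
    backslash directory separators."""
    text = payload.decode("latin-1")
    for _ in range(3):                    # bounded: never loop forever on odd input
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text.replace("\\", "/").lower()

def reassemble(segments: list) -> bytes:
    """Put out-of-order (offset, data) segments back into one stream, dropping the
    overlapping part of retransmissions, so a signature split across packets is
    visible as a whole."""
    stream = bytearray()
    for offset, data in sorted(segments, key=lambda s: s[0]):
        if offset < len(stream):
            data = data[len(stream) - offset:]
        stream.extend(data)
    return bytes(stream)

def inspect(segments: list) -> dict:
    """Compare a per-packet raw matcher with one that reassembles and normalizes."""
    whole = reassemble(segments)
    return {
        "naive_per_packet": any(naive_match(d) for _, d in segments),
        "naive_reassembled": naive_match(whole),
        "normalized_reassembled": SIGNATURE.search(normalize(whole)) is not None,
    }

# Constructed traffic. First: the probe split across two packets (fragmentation
# evasion). Second: the same probe also percent-encoded with mixed case and
# delivered out of order (obfuscation plus fragmentation).
PLAIN_SEGMENTS = [(0, b"GET /../.."), (10, b"/etc/passwd HTTP/1.1\r\n")]
EVASIVE_SEGMENTS = [(13, b"2e%2E/etc/PASSWD HTTP/1.1\r\n"), (0, b"GET /%2e%2e/%")]

if __name__ == "__main__":
    print(inspect(PLAIN_SEGMENTS))
    print(inspect(EVASIVE_SEGMENTS))
```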

Question for the Class: Which IPS is the best overall on the market today?

In the News:

Following the bloody terror attacks in Paris, where over 130 people were killed, the hacktivist collective Anonymous has declared total war against the Islamic State (IS, formerly ISIS/ISIL).
Anonymous released a video message in French on YouTube on Sunday announcing the beginning of #OpParis, a coordinated campaign to hunt down ISIS's social media channels and every supporter of the jihadist group online.
The #OpParis mission was announced as revenge for the ISIS terror attacks that took place in Paris on Friday, November 13, 2015.
Under the #OpISIS online campaign, an Anonymous group has hacked, defaced, unmasked, and reported thousands of ISIS Twitter accounts.
On Friday the 13th, Facebook deleted an Anonymous group page that had been exposing and reporting pro-ISIS social media accounts, and banned all of its administrators without any prior warning.
Details at:
http://thehackernews.com/2015/11/parisattacks-anonymous-isis.html
http://www.ndtv.com/world-news/isis-cyber-caliphate-hacks-over-54-000-twitter-accounts-1241901

Week 12 – Summary

Web Services

Web services are components that provide web communications using major protocols, such as TCP/IP and HTTPS, thereby replacing middleware protocols. Some components can call other components as part of the overall service. Developers must follow web service architecture standards such as SOAP, WSDL and UDDI to create consistent interaction between web components. Web services are vulnerable to attacks such as DDoS, integrity attacks, enumeration, SQL injection, firewall bypass through open ports, and others. Mitigation includes web filters, packet filters, proxies, IPS/IDS coverage of web traffic and open ports, integrity checks of web components, and the use of cryptography; certain platforms, such as XML web services, can provide strong web security if they are built the right way with security in mind.

Question for the Class: Which web service languages are considered more sophisticated than the XML platform?

In the News:

Personal information for 100 million people was accessed by cyber-thieves between 2012 and the summer of 2015. Twelve institutions were victims of the hacking, including JPMorgan and the asset manager Fidelity.

US prosecutors said they were expanding charges against two Israeli men, Gery Shalon and Ziv Orenstein, as well as a US citizen, Joshua Samuel Aaron.

Charges against the three men were expanded to include computer hacking and identity theft among 21 other counts.

The men allegedly manipulated stock prices by selling shares of companies to individuals whose contact information they had stolen. They then dumped their own shares, causing the price to fall.

The men were also charged with running an illegal payment processing business that they used to collect $18m (£11.9m) in fees.

Ref. Reading: http://www.bbc.com/news/business-34782369


Week 11 – Summary

SQL Injection reading

SQL injection is one of the most popular code injection techniques used by hackers to attack websites. An attacker finds vulnerabilities in the target website or SQL-based application software, then exploits them by issuing malicious SQL statements or by abusing incorrectly handled input. Vulnerabilities are found by probing: varying the parameters in the web address tests whether the target website is vulnerable. Once a vulnerability is exploited, the attacker attempts to gain admin/root access to the server or the SQL database. When successful, the attacker can gather useful and valuable information such as user names, passwords and other credentials that are used to access databases, systems and other network resources.

Question to the Class: Is there a useful tool that runs predefined SQL injection commands, with variable values, against an entered website address?

In the News

A security researcher in Germany has managed to hack an ATM and a self-service terminal from Sparkasse Bank, which allowed him to reveal sensitive details from the payment card inserted into the machine.

Read more at: http://thehackernews.com/2015/11/german-atm-hack.html


Week 10 – Summary

Reading

Proxy servers are used to intercept data between private and public networks: they improve response time when querying domain names by caching data, mask the origin's public IP address behind a different apparent point of origin, redirect traffic to other servers, and manage authentication for internet access. A proxy can also be placed between a browser and a target application, allowing a man-in-the-middle attack when the destination is not encrypted. Login credentials and target web application vulnerabilities may be discovered this way and exploited afterwards; SQL injection and XSS attacks are some examples.

Web application injection attacks are carried out by inserting improper characters or code into web form fields; when the back-end web server processes the fields, the input is accepted and the malicious code is executed. Programmers must build web form checkers that verify input data is correct and consistent with the application logic.
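An added example serving both this paragraph and the Week 11 SQL injection summary (it is not code from either reading): the vulnerable string-built query beside its parameterized form, plus the form checker the text calls for. The in-memory SQLite table and the probe value are constructed for the demonstration.

```python
import re
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the back-end database behind a login form."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "h1", 0), ("bob", "h2", 0), ("admin", "h3", 1)])
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The defect: the form value is spliced into the SQL text, so a quote inside it
    ends the string literal and the rest is parsed as SQL instead of compared as data."""
    sql = "SELECT username FROM users WHERE username = '%s'" % username
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """The fix at the database layer: a bound parameter stays data, whatever it contains."""
    return [row[0] for row in conn.execute(
        "SELECT username FROM users WHERE username = ?", (username,))]

USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")

def form_checker(username: str) -> bool:
    """The 'web form checker' the text calls for: an allow-list of what a username
    may look like, enforced before the value ever reaches the database."""
    return USERNAME_RE.fullmatch(username) is not None

def lookup_defended(conn: sqlite3.Connection, username: str) -> list:
    """Both layers together: reject malformed input, then query with bound parameters."""
    if not form_checker(username):
        return []
    return lookup_parameterized(conn, username)

# Constructed probe of the kind the reading describes: a quote closes the literal
# and an always-true condition follows, turning a one-user lookup into all users.
PROBE = "nobody' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, PROBE))        # every user leaks
    print("parameterized:", lookup_parameterized(db, PROBE))  # no such user
    print("defended:", lookup_defended(db, PROBE))            # rejected at the form
```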

Question for the Class: Which proxy server software, other than Burp, is the most effective and easiest to use?

In the News

The Electronic Frontier Foundation (EFF) received approval from the United States Copyright Office for its proposed DMCA exemptions covering:

  1. Device unlocking
  2. Jailbreaking
  3. Ripping videos for remix

EFF Proposal: https://www.eff.org/document/eff-jailbreaking-exemption-request

Article: http://thehackernews.com/2015/10/jailbreak-phones.html

Week 9 – Summary

MALWARE

Malware, or malicious software, is a collection of malicious code that has a particular effect when executed on a targeted system. Worms, spyware, rootkits and viruses are some examples. Malware compromises the CIA security triad. Malware is made by hackers, professional experts who develop a specific threat to cause a specific problem in order to achieve a particular goal, such as financial gain or possession of confidential data. Writing a virus is the same as writing any program, except that it is done with malicious intent: any professional programmer can write code that manipulates Windows or any other OS and causes serious issues. It is very important to have an incident management strategy in place to plan for and respond to malware attacks.

Question to the Class: Has anyone experienced a CryptoLocker infection and found a useful mitigation?

In the News

The personal email account of Central Intelligence Agency director John Brennan has allegedly been hacked. The hacker has released a contact list with email information for high-ranking intelligence officials.

Read More at: http://www.wsj.com/articles/cia-directors-personal-email-allegedly-hacked-1445290540


Week 8 Summary

Social Engineering, Encoding, and Encryption

Social engineering can be described as a human psychological or behavioral technique used to gain the trust of a targeted victim. For example, pretending to be an employee of an organization can reveal information that leads to a data compromise if the right behavioral techniques are used. To avoid such issues, proper CIA triad controls as well as thorough training must be implemented and revisited to ensure users are aware of potential attacks, are able to recognize common patterns in an attacker's behavior, and know how to deal with such situations.

Question for the class

Do you think psychology courses, as part of human behavior training, would stop social engineering attacks?

In the News

Hillary Clinton’s private email server, which stored some 55,000 pages of emails from her time as secretary of state, was the subject of attempted cyberattacks originating in China, South Korea and Germany after she left office in early 2013, according to a congressional document obtained by The Associated Press.

The server was located at Clinton's house in New York between 2009 and 2013. An IPS was installed by the company SECNAP in October 2013, so before that time the server was most likely vulnerable. In February 2014, SECNAP found that malicious software originating from China was running on the server.

The new revelations underscore the extent to which any private email server is a target, raising further questions about Clinton's decision to conduct sensitive government business over private email stored on a homemade system.

The FBI is still investigating this issue.

Read details at: http://abcnews.go.com/Technology/wireStory/clinton-subject-hack-attempts-china-korea-germany-34327812


Week 7 Summary

Reading Summary: NETCAT

Netcat is a very powerful tool that is similar to Nmap but is able not only to read but also to write data across network connections. It is driven from the command line with various switches that allow establishing sessions and manipulating connections: redirecting traffic, transferring files over a direct connection without any FTP server, executing remote applications, scripts and procedures, scanning a firewall for blocked source routes, and listening on ports. Netcat was designed as a network debugging and investigation tool, but given its capabilities it can also be used as a backdoor. Moreover, Netcat can pipe connections made to itself, acting as a server, on to another service or destination by modifying the local system's scripts.

This additional resource describes Netcat in detail: http://nc110.sourceforge.net
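Because Netcat can be left listening as a backdoor, here is an added example of the defender's check (not from the Netcat documentation): parse `ss -ltnp` output from a Linux host and flag listeners that belong to a Netcat binary or bind an unexpected port on a non-loopback address. The sample output and the list of Netcat binary names are constructed assumptions.

```python
import re

# Constructed sample of `ss -ltnp` output (not a real capture from any host).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     127.0.0.1:80         0.0.0.0:*          users:(("nginx",pid=1203,fd=6))
LISTEN  0       1       0.0.0.0:4444         0.0.0.0:*          users:(("nc",pid=2310,fd=3))
LISTEN  0       10      [::]:31337           [::]:*             users:(("ncat",pid=2352,fd=4))
"""

# Names Netcat ships under on common distributions; an assumption for this example.
NETCAT_NAMES = {"nc", "ncat", "netcat", "nc.openbsd", "nc.traditional"}

LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s+users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)

def parse_listeners(ss_output: str) -> list:
    """Turn `ss -ltnp` lines into (process, pid, address, port) tuples."""
    listeners = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if not m:                      # header line or a socket without process info
            continue
        addr, _, port = m.group("local").rpartition(":")   # handles [::]:31337 too
        listeners.append((m.group("proc"), int(m.group("pid")), addr, int(port)))
    return listeners

def suspicious_listeners(ss_output: str, allowed_ports: set) -> list:
    """Flag sockets owned by a Netcat binary, or bound to a port outside the host's
    allow-list on an interface other than loopback."""
    flagged = []
    for proc, pid, addr, port in parse_listeners(ss_output):
        is_netcat = proc in NETCAT_NAMES
        unexpected = port not in allowed_ports and addr not in ("127.0.0.1", "[::1]")
        if is_netcat or unexpected:
            flagged.append({"process": proc, "pid": pid, "port": port,
                            "reason": "netcat listener" if is_netcat else "unexpected port"})
    return flagged

if __name__ == "__main__":
    for hit in suspicious_listeners(SAMPLE_SS_OUTPUT, allowed_ports={22, 80, 443}):
        print(hit)
```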

Question to the Class: 

Given Netcat's ability to read and write any type of TCP and UDP connection and to manipulate data, should Netcat be considered the best tool when it comes to network scanning and vulnerability testing?

In the News:

More than 1 billion Android devices are vulnerable to hackers once again, thanks to two newly disclosed Android Stagefright vulnerabilities.

Read more at: http://thehackernews.com/2015/10/android-stagefright-vulnerability.html

Week 6 Reading Summary and In the News

Reading Summary: SNIFFERS

Sniffing techniques allow eavesdropping on networks: with the appropriate tools it is possible to collect network traffic frames and packets in order to discover information of interest such as MAC addresses, the IP scheme and addresses, the TCP/IP protocols in use, and port numbers. While packet sniffers were meant for legitimate purposes such as administration and monitoring of data traffic, the same tools may be used by malicious users to harm or disrupt networks. Sniffing on a switched network is harder to accomplish, since managed switches normally forward traffic directly on a port-by-port basis and only a man-in-the-middle attack could capture it. In contrast, sniffing on a non-switched network is easy, since all traffic is transmitted to every port without directed forwarding, so a NIC in promiscuous mode sees all data on the network.

Sniffed data may reveal weaknesses in network communications, such as a weak port or protocol in use, that can be exploited during an attack. Sniffed data is broken down into Protocol Data Unit (PDU) layers as per the OSI model, revealing the precise information carried in each layer from Layer 7 down to Layer 1. One sniffing technique is ARP or IP spoofing, which allows an attacker to eavesdrop on network traffic by substituting the attacker's MAC/IP address for the victim's and masquerading as a legitimate user. However, certain firewalls, such as the Cisco ASA, have ACL and ingress source-control features that deny access to an attacker using an internal MAC/IP address from outside the internal network. Encryption of data in motion is the ideal protection against sniffing attacks, and switch port security features are also useful against them.
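An added example, not from the reading: decoding a captured frame layer by layer the way a sniffer does (Ethernet, IPv4, TCP, payload), then flagging the cleartext service it exposes. The frame is constructed inside the code (checksums left at zero) and the port-to-service table is an assumption.

```python
import struct

def build_sample_frame() -> bytes:
    """Constructed frame, not a capture: Ethernet II / IPv4 / TCP to port 23 carrying
    a plaintext Telnet login line. IP and TCP checksums are left at zero."""
    payload = b"USER admin\r\n"
    tcp = struct.pack("!HHIIHHHH", 51234, 23, 1000, 2000, 0x5018, 1024, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9])) + tcp
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    return eth + ip

def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def decode_frame(frame: bytes) -> dict:
    """Peel the frame layer by layer, Layer 2 upward, the way a sniffer presents it:
    Ethernet MACs, IPv4 addresses and protocol, TCP ports, then the payload."""
    layers = {}
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    layers["ethernet"] = {"dst": mac(dst), "src": mac(src), "ethertype": ethertype}
    if ethertype != 0x0800:                 # only IPv4 is decoded in this example
        return layers
    ip = frame[14:]
    ver_ihl, _, total_len, _, _, ttl, proto, _, s, d = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4              # header length in bytes (options follow if > 20)
    layers["ipv4"] = {"src": ".".join(map(str, s)), "dst": ".".join(map(str, d)),
                      "protocol": proto, "ttl": ttl}
    if proto != 6:                          # 6 = TCP
        return layers
    tcp = ip[ihl:total_len]
    sport, dport, _, _, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4        # TCP header length in bytes
    layers["tcp"] = {"sport": sport, "dport": dport, "flags": off_flags & 0x1FF}
    layers["payload"] = tcp[data_off:]
    return layers

# Assumed table of services that carry credentials in the clear: exactly what a
# sniffer exposes and what encryption of data in motion would close.
CLEARTEXT_SERVICES = {21: "ftp", 23: "telnet", 80: "http", 110: "pop3"}

def weaknesses(frame: bytes) -> list:
    """Report (service, talker, exposed payload) for cleartext services in the frame."""
    layers = decode_frame(frame)
    tcp = layers.get("tcp")
    if not tcp or tcp["dport"] not in CLEARTEXT_SERVICES:
        return []
    return [(CLEARTEXT_SERVICES[tcp["dport"]], layers["ipv4"]["src"], layers["payload"])]

if __name__ == "__main__":
    for name, layer in decode_frame(build_sample_frame()).items():
        print(name, layer)
    print(weaknesses(build_sample_frame()))
```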


Question to the Class:

What is the best sniffing tool in terms of simplicity and quality?


In The News:

New Botnet Hunts for Linux — Launching 20 DDoS Attacks/Day at 150Gbps

http://thehackernews.com/2015/09/xor-ddos-attack.html


Week 5 Readings and In the News

Foot Printing and Enumeration

As the first step in the hacking process, footprinting/reconnaissance gathers information about the target organization from publicly accessible sources without being intrusive. It may include DNS information and DNS zones, IP ranges, host names, services, ports and protocols in use, potential applications, email address aliases that reveal usernames, publicly accessible internal network resources, potential resources and systems in the network, and the HTML source of the target website's pages. Simply reading news and online articles about the targeted organization's security posture may reveal many potential vulnerabilities. The goal is to collect as much information as possible to find weaknesses and act upon them. Various tools are used to obtain such information: Google hacking with specific search operators, whois, dig, nslookup, ping, traceroute, Usenet, Teleport Pro, wget, FOCA for Windows, and Kali Linux as the largest collection of hacking tools and commands.

As the next step, enumeration scans systems and networks to reveal detailed information such as user accounts, host names and OS types. It proceeds by querying the database of the target's registrar, then organizational queries, domain queries, network queries and POC queries. Some of the tools used here are: nslookup, traceroute, enum, finger, nmap, fping, hping, TCP and UDP scans, ping sweeps, strobe, SuperScan, IPEye, SATAN, Netcat, war-dialing tools, nbtstat, nbtscan, nltest, ruser, telnet, tftp, rpcdump and rpcinfo.

Gaining access to targeted systems involves vulnerability scanners such as Nessus, or Armitage exploit analysis in Kali Linux; cracking passwords with hash crackers such as NghashCrack; and sniffing data with Wireshark or tcpdump.

The bottom line is that, in order to protect an organization against the various hacking threats as fully as possible, it is important to design a multi-layered enterprise architecture with multi-level traffic filtering and access control. Therefore, it is important to act and think like a "white hat" hacker!

Question to the Class:

What multi-layered solution would be optimal for the various types of businesses?

In the News:

The hackers embedded the malicious code in Apple apps by convincing developers of legitimate software to use a tainted, counterfeit version of Apple’s software for creating iOS and Mac apps, which is known as Xcode, Apple said.

http://www.cnbc.com/2015/09/20/apples-ios-app-store-suffers-first-major-attack.html

Week 4 Reading Summary and In the News

Reading Summary:

Many businesses nowadays forget about a critical asset of their business: protecting business data. Unfortunately, most owners and managers care only about customers and the business processes that directly generate revenue, and treat the enterprise network merely as a tool that supports the business. Over the years, vulnerabilities have become more and more sophisticated, alerting many companies to the precautions required, but despite thousands of hacks only some business owners really understand the importance of protecting data at all costs. While auditors and external consultants may be an expensive way to perform proactive vulnerability scans, there are many free tools, such as Nessus, Qualys and a few others, that help build a vulnerability report to assess networks, create mitigation reports, and establish a baseline framework for hardening all systems. While Nessus is a good choice for a network scan, it reports only what is in its plug-in database. Therefore, internal vulnerability scans of the local network with other tools such as MBSA, Nmap, RapidFire, Nexpose/Rapid7, OpenVAS and a few others are important in order to obtain a diversity of vulnerability reports.

Question to the Class:

What solution did you use in the past? Which tool do you find most comprehensive?

In the News:

New Apple products released on Wednesday, Sept. 9th, will include an enhanced security feature requiring two-factor authentication for various apps: a 6-digit code plus a fingerprint scan. This new security feature should lead enterprise businesses to upgrade their devices in order to minimize the risk of attacks.

Posted by CNBC on Friday, 11 Sep 2015 | 1:16 PM ET

http://www.cnbc.com/2015/09/11/apple-ramps-up-its-cybersecurity-game.html