Introduction to Ethical Hacking

Temple University

Week 3 Summary and Article

Week 3 Reading Summary Takeaways:

In the world of hacking, attackers start with the reconnaissance process, whose objective is to collect intelligence about the target. This is often accomplished through port scanning, DNS zoning, web searches for any information regarding the company, social network searches, etc. When attackers have collected enough information and identified the weakest links, they begin the manual attacks. The weakest link in the security chain is often an outdated system with a vulnerable version for which publicly known exploits already exist. Other weak links include improper configuration of certain systems, disclosing unnecessary information, etc. The trick for attackers is to bypass security controls (i.e., intrusion detection/prevention systems, firewalls, etc.). Automated tools cannot adapt their attack scripts for sophisticated evasion techniques. Therefore, there exist various tools for information security teams to verify the likelihood of risk materializing and to adapt mitigation controls. But most importantly, good vulnerability assessment tools highlight gaps from security standards and industry best practices.

Article:

Researchers at IBM are now aware of a new malware called “CoreBot” which is designed to steal sensitive information from infected computers. This threat targets FTP clients, email clients, private certificates, etc. In addition, it is able to download and execute other threats using Windows PowerShell. Even though this is a dangerous malware, IBM believes that organizations can be proactive and defend themselves by providing employee awareness along with security solutions that can block CoreBot at the launch stage. In addition, there are various products that can stop the endpoint from exfiltrating data.

If you’re interested in reading more about this article, you can do so here.


Week 3 Readings and In the News

Using Open Source Reconnaissance Tools for Business Partner Vulnerability Assessment (Young, S., 2014). This article began with a warning about the legal risks of assessing the vulnerabilities of websites and servers used by prospective and current business partners, and went on to provide an informative discussion of a number of public information sources and non-intrusive open source reconnaissance tools that can be used to conduct vulnerability assessments.

The Art of Reconnaissance – Simple Techniques (Bhamidipati, S. 2001). This article presented reconnaissance as a straightforward three-step process. The first step is reconnaissance and focuses on obtaining basic information about a target entity’s internet presence, including domain names, servers and IP addresses, and network connection to the internet. The second step uses pings and port scanning via a series of commands to determine the nature and configurations of the entity’s machines, including operating systems and the ports and services that are open, running, and available. The third step is a more detailed reconnaissance focused on finding out the software and versions supporting available services. While the author does not actively mention it, it seems that the logical next step is to follow up and assess the vulnerabilities of the software versions being used.

Question for class: Are any of the techniques described in the articles safe to use on my work computer, or would I be smarter to first set up “totally” anonymous accounts and a non-work personal computer before delving into hands-on reconnaissance and penetration testing?

In the News Article – BlackHat2014: Airport Scanners Riddled with Security Flaws (Rashid, F.Y. 2014-08-08). Security researchers report that scanners used in many US airports are “riddled with security flaws.” Flaws cited included storing baggage X-ray machine user credentials in plain text, hardcoded passwords that give vendors backdoor access for maintenance and testing, and a time clock system used to synchronize RSA security passwords that is reachable from the Internet. http://www.infosecurity-magazine.com/news/airport-scanners-riddled-with/

Week 3 reading and article

From the reading:

I think the big takeaway I got from the reading is that, no matter what, there is always information that will be publicly available about a company that could be pieced together into a larger picture of vulnerabilities. I liked the example of how you can find out the software that a website runs on through the website banner, but a detail as simple as keeping the version off the banner can be the difference maker between harmful and safe public data being disclosed.

A question for the class or just general question would be:

Is there a way that a company can set up a fake server with public information like the information found in our readings as a way to divert attention away from the actual systems the company uses for day to day operations?

In the news:

http://www.zdnet.com/article/avast-qualcomm-tag-team-to-protect-devices-at-the-kernel-level/

Qualcomm and Avast are teaming up to hopefully be ahead of the game with mobile device security. Qualcomm is releasing a new Snapdragon Smart Protection system that learns from the behaviors of the machines it is on. From this information and use patterns it is able to detect what is normal vs. abnormal activity on a device. The goal is to block malicious applications from being installed onto devices. The article mentions that as of now malicious app activity on mobile devices isn’t nearly as prevalent as with PCs, but it draws a comparison to Mac computers and how malicious activity on their systems increased with market share. This is an attempt to avoid a similar issue with mobile devices.
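The banner point in the post above, as an added example (not code from the post or the readings): a small check that flags HTTP response headers which leak a software version and shows the hardened, version-free form. The header names, regex and sample headers are assumptions constructed for the example.

```cpp
// Added example: detect version disclosure in HTTP banner headers and
// produce the hardened banner (product name only, version removed).
#include <regex>
#include <string>
#include <vector>

// Headers that commonly carry "Product/Version" strings (assumed list).
static const std::vector<std::string> kBannerHeaders = {
    "Server", "X-Powered-By", "X-AspNet-Version"};

// Returns the version number found in a header value, or "" if none.
// Matches e.g. "Apache/2.4.41 (Ubuntu)" -> "2.4.41", "PHP/7.4.3" -> "7.4.3".
std::string banner_version(const std::string& value) {
    static const std::regex re(R"(/(\d+(?:\.\d+)+))");
    std::smatch m;
    if (std::regex_search(value, m, re)) return m[1].str();
    return "";
}

// Hardened form of a banner: everything from the first '/' (or first space
// when there is no '/') is dropped, so "Apache/2.4.41 (Ubuntu)" -> "Apache".
std::string strip_version(const std::string& value) {
    auto slash = value.find('/');
    auto cut = (slash == std::string::npos) ? value.find(' ') : slash;
    return value.substr(0, cut);
}

// Walk "Name: value" header lines (constructed input) and return the names
// of banner headers whose value discloses a version.
std::vector<std::string> leaking_headers(const std::vector<std::string>& lines) {
    std::vector<std::string> out;
    for (const auto& line : lines) {
        auto colon = line.find(':');
        if (colon == std::string::npos) continue;   // status line, skip
        std::string name = line.substr(0, colon);
        std::string value = line.substr(colon + 1);
        value.erase(0, value.find_first_not_of(' '));  // trim leading space
        for (const auto& h : kBannerHeaders)
            if (name == h && !banner_version(value).empty()) out.push_back(name);
    }
    return out;
}

int main() {
    // Constructed sample response, not captured from any real host.
    std::vector<std::string> headers = {
        "HTTP/1.1 200 OK", "Server: Apache/2.4.41 (Ubuntu)",
        "X-Powered-By: PHP/7.4.3", "Content-Type: text/html"};
    return leaking_headers(headers).size() == 2 ? 0 : 1;
}
```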


Office of Personnel Management

At a high level, Chinese hackers executed a sophisticated attack that gave them “administrator privileges” into the computer networks at the Office of Personnel Management, mimicking the credentials of people who run the agency’s systems.

Their ultimate target:
1 million or so federal employees and contractors who have filled out a form known as SF-86, which is stored in a different computer bank and details personal, financial and medical histories for anyone seeking a security clearance.

How they did it:
They began siphoning out a rush of data after constructing what amounted to an electronic pipeline that led back to China.

Why was it easy for them:
Much of the personnel data had been stored in the lightly protected systems of the Department of the Interior, because it had cheap, available space for digital data storage.

What’s being done to prevent future incidents:
The administration is urgently working to determine what other agencies are storing similarly sensitive information with weak protections.

Week 2 Reading and In The News

My takeaway from Chapter 2 – Enterprise Data Center Topology: It seems that a good network architecture structurally decomposes incoming and outgoing traffic into n-tier functional service areas (i.e. client-facing web tier, application tier, and database tier) to enable matching the placement of appropriate traffic-oriented defense mechanisms to the risk. It is interesting to learn that load balancers can be equipped to serve as better DoS defense mechanisms than firewalls.

Question: Do the specialized defense mechanisms of individual Cisco appliances clearly reflect unique functions and complementary capabilities, or do they have both unique and overlapping capabilities that make understanding how to best combine them more of an alchemy and art than an engineering discipline and science?


In The News

New analysis method discovers eleven security flaws in popular Internet browsers – August 14, 2015, Homeland Security News Wire (http://www.homelandsecuritynewswire.com/dr20150814-new-analysis-method-discovers-eleven-security-flaws-in-popular-internet-browsers). Facebook and USENIX awarded the second ever $100,000 Internet Defense Prize to researchers at Georgia Institute of Technology’s College of Computing for their techniques and tool that discovers security vulnerabilities in C++ data structure management functions used in popular web browsers, including Chrome and Firefox. Their research paper, “Type Casting Verification: Stopping an Emerging Attack Vector”, employs an innovative metadata inventory system that models the use of inheritance trees in polymorphic C++ code. The researchers discovered vulnerable programming techniques used to achieve fast browser runtime speeds in a trade-off for a “flow of control hijacking” vulnerability that can lead to execution of malicious code. The main culprit, brought to light by Professor Wenke Lee and his research team, is the coding practice of runtime “down-casting”, an otherwise efficient programming technique that changes data types in real time to support polymorphic data processing, which they found in nine areas of the GNU libstdc++ library used in Chrome and two areas in Firefox. Experimentation in developing the CAVER tool led the research team to analyze the object-oriented type hierarchy techniques used in the C++ code bases behind internet browsers, and to discover “dozens of previously unknown bad-casting bugs.” Their receipt of the Internet Defense Prize recognizes this accomplishment, and is intended to encourage further research into harder and more difficult high-impact areas of cybersecurity.
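The “down-casting” trade-off the post describes, as an added example (not code from the post, the paper, or any browser): an unchecked static_cast down-cast that assumes the object’s dynamic type beside the dynamic_cast check that verifies it, applied to a constructed, hypothetical node hierarchy.

```cpp
// Added example: bad-casting in polymorphic C++. The classes are hypothetical,
// standing in for the DOM-style hierarchies the post's article talks about.
#include <memory>
#include <string>
#include <vector>

struct Node { virtual ~Node() = default; };           // polymorphic base
struct Element : Node { std::string tag = "div"; };   // one derived type
struct TextNode : Node { std::string text = "hi"; };  // unrelated sibling type

// Fast path used by performance-sensitive code: no run-time check at all.
// If n really points at a TextNode this is undefined behaviour (the bad-cast
// bug class the post describes), so it must only be called when the caller
// already knows the dynamic type.
Element* unchecked_element(Node* n) { return static_cast<Element*>(n); }

// Checked path: dynamic_cast consults the type information and returns
// nullptr instead of handing back a pointer of the wrong type.
Element* checked_element(Node* n) { return dynamic_cast<Element*>(n); }

// Count nodes the checked cast rejects; each one is a place where the
// unchecked version would have silently produced a bad cast.
int count_bad_casts(const std::vector<std::unique_ptr<Node>>& nodes) {
    int bad = 0;
    for (const auto& n : nodes)
        if (checked_element(n.get()) == nullptr) ++bad;
    return bad;
}

// Constructed mixed list: two Elements and one TextNode.
std::vector<std::unique_ptr<Node>> sample_nodes() {
    std::vector<std::unique_ptr<Node>> v;
    v.push_back(std::make_unique<Element>());
    v.push_back(std::make_unique<TextNode>());
    v.push_back(std::make_unique<Element>());
    return v;
}

int main() {
    // Exactly one of the three sample nodes would be a bad cast.
    return count_bad_casts(sample_nodes()) == 1 ? 0 : 1;
}
```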

Week 2 Summary

Summary:

The enterprise Data Center Topology contains the intranet for the internal network, the extranet for supporting business to business functions, and the internet, which allows users to reach out and communicate with the world wide web. Each main portion contains its own firewalls and servers that provide mail and web services to clients.

Question to ask the class:

How do different network topologies affect the physical and logical structure of the Data Center Topology?

News article:

http://www.wired.co.uk/news/archive/2015-09/01/nca-website-hacked

The National Crime Agency, a law enforcement agency in the UK, had its website hacked in revenge for its arrest of six people for conspiring to take websites offline.