Temple University

David Lanter

Week 13: InTheNews

DoD is about to be under siege from hackers – and it plans to pay – New Department of Defense Bug Bounty kicks off April 18, by Michael Morisy, WindowsIT Pro, March 31, 2016

The military is seeking help from hackers between April 18 and May 12, and will pay bounties from a $150k budget to those who find vulnerabilities in specifically identified DoD websites. Other “Critical, mission-facing computer systems will not be involved in the program.” The program is being run by the startup Hackerone.com, which provides a “vulnerability coordination & bug bounty platform” and claims to support 132 public programs, with ‘$6.81M bounties paid’, ‘20,411 bugs fixed’, and ‘2,554 hackers thanked’.

http://windowsitpro.com/security/dod-about-be-under-siege-hackers-and-it-plans-pay-them


Week 12: Reading, In The News, and Question

Reading: Aircrack-ng Tutorial: Getting Started. I followed this tutorial and the referenced Tutorial: Is My Wireless Card Compatible, did some additional research, and confirmed that my old LINKSYS WUSB600N was compatible with Kali Linux. Referencing our KISMET class notes I was able to access the card from Kali Linux and searched for WiFi access points – and could not find any. This is likely a result of my use of more modern WiFi access points running the WPA2 protocol, and my lack of forethought to purchase a more powerful WiFi antenna like the Alfa cards introduced in class, which might have enabled me to find other WiFi access points in my neighborhood. I did run through the injection test and followed the Simple WEP Crack Tutorial, but without a WiFi access point my progress was blocked.

In the News: Node Package Manager (npm) Fails to Restrict Actions of Malicious npm Packages
The CERT Division of Carnegie Mellon University’s Software Engineering Institute reports a new security vulnerability in npm, the default package manager for the Node.js server-side JavaScript runtime. npm allows packages to take actions that could enable a malicious package author to create a worm which spreads as users install packages, potentially compromising the majority of the npm ecosystem. CERT Vulnerability Note VU#319816 (March 25, 2006) describes the security issue and how such a worm works, and references Sam Saccone’s original research into the vulnerability. While a practical solution to the problem has not yet been formulated, three risk-reduction workarounds are provided, which application developers using npm in Node.js-based web application systems should consider for the systems they develop for their clients or organizations.
http://www.kb.cert.org/vuls/id/319816

Question for Class:  Does someone with some relevant work experience have interest in helping me develop and deliver a 1/2 day workshop for the Urban Regional Information Association introducing Cybersecurity to managers of Geographic Information Systems at their October conference in Toronto?

Week 11: Readings, In the News, and Question for Class

Readings: Microsoft’s TechNet Library: How 802.11 Wireless Works, March 28, 2003. Provides a detailed overview of the elements of the IEEE 802.11 protocol architecture and associated technologies. The article gives a top-down view of how the protocol works, delves into the format of the 802.11 media access control (MAC) sublayer of the data-link layer, and further details the format of the Frame Control field, which contains information on whether or not WEP encryption is used. This dated article explains how WEP encryption and decryption work and the security issues and vulnerabilities of WEP that created the need for WPA, but does not cover the more secure WPA2 security protocol, which replaced WPA in 2004.

Wikipedia’s IEEE_802.11 article provides details on the history and evolution of the IEEE 802.11 specifications for the media access control (MAC) and physical layer (PHY) used to implement wireless local area network communication in a number of frequency bands.
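The Frame Control field mentioned above is the first two bytes of every 802.11 MAC header. The decoder below is an added example, not code from the Microsoft article or Wikipedia; it assumes the standard little-endian layout of the field (version, type and subtype in the first byte, flags in the second, with the Protected Frame bit, the WEP bit in the article's terms, at bit 6 of the flags byte) and uses constructed sample headers.

```python
# Added example (not from the readings): decoding the 802.11 Frame Control field.
# The field is transmitted least-significant byte first. Byte 0 carries protocol
# version, type and subtype; byte 1 carries the flags, including the Protected
# Frame bit (bit 6), which the 2003 article refers to as the WEP bit.
import struct

TYPES = {0: "management", 1: "control", 2: "data", 3: "extension"}

# Flag bits of the second byte, listed from bit 0 to bit 7.
FLAG_NAMES = ["to_ds", "from_ds", "more_fragments", "retry",
              "power_mgmt", "more_data", "protected", "order"]


def parse_frame_control(frame: bytes) -> dict:
    """Decode the Frame Control field at the start of an 802.11 MAC header."""
    if len(frame) < 2:
        raise ValueError("need at least 2 bytes for Frame Control")
    fc = struct.unpack_from("<H", frame, 0)[0]   # little-endian 16-bit field
    b0, b1 = fc & 0xFF, fc >> 8
    info = {
        "version": b0 & 0x03,
        "type": TYPES[(b0 >> 2) & 0x03],
        "subtype": (b0 >> 4) & 0x0F,
    }
    for bit, name in enumerate(FLAG_NAMES):
        info[name] = bool(b1 & (1 << bit))
    return info


def is_encrypted(frame: bytes) -> bool:
    """True when the Protected Frame (WEP) bit is set, i.e. the frame body is encrypted."""
    return parse_frame_control(frame)["protected"]


# Constructed sample headers (only the first two bytes matter for this decoder):
# 0x08 0x41 = data frame, subtype 0, To DS set, Protected Frame set
#             (a station sending encrypted data to its access point)
# 0x80 0x00 = management frame, subtype 8 (beacon), no flags; beacons are never encrypted
ENCRYPTED_DATA = bytes([0x08, 0x41]) + b"\x00" * 22
BEACON = bytes([0x80, 0x00]) + b"\x00" * 22

if __name__ == "__main__":
    for label, hdr in (("data", ENCRYPTED_DATA), ("beacon", BEACON)):
        print(label, parse_frame_control(hdr))
```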

In the News: One in Five Employees Would Sell Work Passwords: Survey, Eduard Kovacs, SecurityWeek, March 21, 2016. SailPoint conducted a market survey of 1,000 people working at large organizations in the US, Europe, and Australia and found that employees’ poor password security, hygiene, and ethics expose their employers to cybersecurity risks. 65% of respondents admitted to using one password for multiple applications, ~33% share passwords with coworkers, ~20% would sell their work passwords to a third party, and ~10% would sell their work passwords for less than $1,000. Respondents cited a desire to streamline their work as the reason for bypassing IT: 33% of employees indicated that they purchased SaaS applications without their IT department’s knowledge, and 25% uploaded sensitive information to cloud applications with the specific intent of sharing the files outside the company. 40% of respondents said they still have access to a variety of corporate accounts from their previous jobs. While many did not seem concerned with the need to help protect their employer’s data from breaches, 40% indicated they would stop doing business with a firm that suffered such a breach.

http://www.securityweek.com/one-five-employees-would-sell-work-passwords-survey


Question for Class: Why do you believe information security hygiene is so poor in so many companies?

In The News

DROWN Vulnerability Still Unpatched by Most Cloud Services, SecurityWeek News – March 11, 2016

DROWN (Decrypting RSA with Obsolete and Weakened eNcryption) enables man-in-the-middle attackers to intercept, crack, and modify encrypted traffic. By exploiting HTTPS servers that still accept the SSLv2 protocol for encrypting connections, DROWN lets attackers gain access to the SSL secret encryption key. That key may be reused by more secure TLS services running on the same machines (17% of HTTPS servers), as well as by HTTPS services running on additional servers (another 16% of HTTPS servers), so those services are exposed even though they do not speak SSLv2 themselves. The threat to SSL and TLS encryption is thought to affect 2.3 million HTTPS servers (1/4 of the top 1 million HTTPS domains, and 1/3 of all HTTPS websites). Cloud providers appear to be slow in patching the DROWN vulnerability.

http://www.securityweek.com/drown-vulnerability-still-unpatched-most-cloud-services

https://drownattack.com/
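The key-reuse figures above are the part of DROWN that is easiest to overlook in an inventory review: a server that only offers TLS is still exposed if its key also lives on a host that accepts SSLv2. The script below is an added example, not from the SecurityWeek article or the DROWN researchers; it assumes an inventory of hostname, offered protocols and certificate-key fingerprint, constructed here, of the kind a TLS scan of one's own hosts would produce, and flags every host reachable through an SSLv2 oracle.

```python
# Added example (not from the article): find hosts exposed to DROWN through key sharing.
# A host that only speaks TLS is still at risk when its RSA key is also used by any host
# that accepts SSLv2, because the SSLv2 endpoint provides the oracle for the attack.
from collections import defaultdict

# (hostname, protocols offered, fingerprint of the certificate's RSA key) - constructed data;
# real entries would come from a protocol/certificate scan of your own servers.
INVENTORY = [
    ("www.example.test",  {"TLSv1.2"},          "key-A"),
    ("mail.example.test", {"SSLv2", "TLSv1.0"}, "key-A"),   # same key as www, speaks SSLv2
    ("api.example.test",  {"TLSv1.2"},          "key-B"),
    ("old.example.test",  {"SSLv2", "SSLv3"},   "key-C"),
    ("shop.example.test", {"TLSv1.2"},          "key-C"),   # same key as old
]


def drown_exposure(inventory):
    """Return {host: reason} for every host whose key can be attacked via an SSLv2 endpoint."""
    hosts_by_key = defaultdict(set)
    sslv2_hosts = set()
    for host, protos, key in inventory:
        hosts_by_key[key].add(host)
        if "SSLv2" in protos:
            sslv2_hosts.add(host)

    exposed = {}
    for host, protos, key in inventory:
        if host in sslv2_hosts:
            exposed[host] = "accepts SSLv2 directly"
            continue
        # TLS-only host: exposed if any SSLv2 host presents the same key.
        sharers = hosts_by_key[key] & sslv2_hosts
        if sharers:
            exposed[host] = "shares key with SSLv2 host(s): " + ", ".join(sorted(sharers))
    return exposed


if __name__ == "__main__":
    for host, reason in sorted(drown_exposure(INVENTORY).items()):
        print(f"{host:20s} {reason}")
```

Remediation follows from the output: disable SSLv2 on the directly exposed hosts, and rotate any key that was ever shared with one of them.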



Readings, In The News, and Question for class:

WireShark-Introduction: Wireshark is an open source network packet capture, display, and analysis tool that runs on many versions of Linux, UNIX, and Windows. It can be used to achieve many positive outcomes, including troubleshooting network problems, examining security problems, debugging protocol implementations, and learning the internal details and functioning of network protocols. It can also be used for nefarious purposes that breach the confidentiality of network data exchanges by observing users as they interact with systems within intranets and across wide-area networks. Such confidentiality breaches include extracting usernames and passwords; identifying data stores, servers, services, and applications; and determining how users access and use them, directly and indirectly, through browser-based screens, pages, applications, and services.

WireShark-Using: This reading introduces how Wireshark works, including how to capture, view, filter, and analyze data packets exchanged over an IT network via a number of different computer, telephony, internet, and web data interchange protocols.

In The News: c|net, Not in my house: Amazon’s unencrypted devices a sitting target, cybersecurity experts say: the latest OS5 upgrade for the Amazon Fire tablet removes device encryption for the product line. Data in transit and data stored in the cloud are still protected, but personal or sensitive data stored on the Fire tablet will no longer be encrypted after the latest update. Amazon claims that the latest upgrade to the Fire’s OS removes features users did not take advantage of. OS5 ships with new devices, and the OS upgrade removes the encryption that existed in prior OS versions running on users’ Fire tablets. Industry watchers suggest the removal of encryption was implemented to speed up the OS.

http://www.cnet.com/news/not-in-my-house-amazons-unencrypted-devices-a-sitting-target-cybersecurity-experts-say/

Question for class: Is there a way to control the Kali Linux font and screen resolution to make Wireshark more usable?

Week 5: Reading, Question, and In The News

It looks like I may be confused about what’s expected this week…

Reading: Metasploit Unleashed – MSF Extended Usage and Metasploit GUIs. This week’s reading introduced us to a broad range of tools and techniques for working with and extending the Metasploit Framework to conduct and improve penetration testing during pre-exploitation, exploitation, and post-exploitation activities. I am particularly intrigued by the exploit presented where msfvenom is used to create an EXE file which, when inadvertently run by a user, compromises their Apple computer’s OS X and takes over the camera for unexpected picture taking of the user.

Question for the Class: Which language is Mimikatz using to communicate with the user in the screen and on the command line?

In The News: “Export Treaty to Get Rewrite in Win for Security Industry”, by Phil Muncaster, Feb. 4, 2016. Good news for white hats this week after the US Department of Commerce stepped back from a rule agreed to in the Wassenaar Arrangement among 41 countries to prevent the export of dual-use technologies to criminal organizations and repressive regimes. The Government will now seek public comment on a revised draft rule pertaining to a controversial clause in the weapons export pact which threatened to severely limit the use of legitimate security testing tools for finding software flaws.

http://www.infosecurity-magazine.com/news/export-treaty-get-rewrite-win/

Week 4: Reading, Question and In The News…

Reading: MSF Post Exploitation, Meterpreter Scripting, Maintaining Access. This week’s reading covered a broad array of penetration testing techniques, tools, and capabilities available within the Metasploit Framework that can be directly used and extended to support identifying opportunities for, and implementing, advanced persistent threats within individual computers and IT networks. The readings covered post-exploitation techniques for escalating user privileges, maintaining access, and hiding a breach and exploitation-related activities.

Question for Class: Can you explain what more is going on beyond the “screengrab” command in Metasploit Unleashed’s section on “Screen Capture in Metasploit”?

In The News: “Oil and Gas Industry Increasingly Hit by Cyber-Security Attacks: Report”. The Tripwire 2016 Energy Survey: Oil and Gas study compiled questionnaire responses from 150 IT professionals in the energy, utilities, and oil and gas industries. 69% of respondents were not confident in their organizations’ cyber-attack detection abilities. 82% of oil and gas industry respondents identified “an increase in successful cyber-attacks over the past 12 months.” 53% indicated that cyber-attack rates had increased 50-100% over the past month (the study was conducted in November 2015). 72% of respondents indicated that a single executive was responsible for securing both the IT and SCADA/ICS environments of their organizations.

http://www.tripwire.com/company/research/tripwire-2016-energy-survey-oil-and-gas/

http://www.securityweek.com/oil-and-gas-industry-increasingly-hit-cyber-attacks-report

Week 2: Reading: Metasploit-Unleashed, Question for Class, and In The News

Reading: Metasploit-Unleashed: The Ultimate guide to the Metasploit Framework, Offensive Security

The Metasploit Framework is a stable platform for executing information security exploits, providing a base for developing and automating new discovery techniques and attack methods for compromising the confidentiality, integrity, and availability of IT infrastructure. Coded in Ruby, Metasploit’s capabilities can be further extended with new components written in Ruby, assembly language, and C. IT network security professionals and researchers use Metasploit to conduct a wide variety of penetration tests and exploits. System administrators use it to verify patch installations, and product vendors use it to perform regression testing. The Metasploit Framework is a modular system that will enable us to learn how to combine exploits with payloads within the following workflow:

  • Identify and understand the configuration and vulnerabilities of the target system, including its operating system version and available network services
  • Choose an exploit to use in taking advantage of the target system through a bug/vulnerability in one of its components
  • Choose and configure a delivery mechanism and payload code to execute on the target system
  • Choose the encoding technique to get by the IDS/IPS without detection
  • Execute the exploit, accomplish objectives, and cover tracks

Question for Class:

While intended by founder H.D. Moore and corporate provider Rapid7 to be used by white-hat hackers in support of offensive information security work, what are the ethical implications of making Metasploit’s capabilities equally available to criminals for nefarious purposes?

In The News: “Endpoint Exploitation Trends 2015, Bromium Labs Research Brief” January 14, 2016, Bromium.com.

In 2015, exploitation for hire came under public scrutiny with the breach and exposure of techniques used by Hacking Team; malvertising – the spread of malware through online advertising networks – was found on 27% of the top 1,000 internet advertising websites; and while overall vulnerabilities increased by 60%, those specifically targeting Adobe Flash increased by 333%. The number of exploit kits available with capabilities to bypass standard malware detection techniques also rose in 2015, as did the use of IPS-evading, malware-laden Word documents in phishing emails, and the crypto-ransomware business. http://www.bromium.com/sites/default/files/rpt-bromium-threat-report-2015-us-en.pdf