
ITACS 5211: Introduction to Ethical Hacking

Wade Mackay

Jason A Lindsley

Update on Mirai (Krebs DDOS)

October 11, 2016 by Jason A Lindsley

Last week, Noah posted here about a DDoS attack that was triggered by a botnet that compromised enough Internet of Things devices to generate 600 Gigabits per second of bogus internet traffic.

Fast forward one week and the code for this DDoS is now publicly available, has a catchy name (Mirai), and has compromised devices in as many as 177 countries.  It is very simple code that targets insecure routers and devices with simple default passwords.

I was at a Cybersecurity panel discussion last week and one of the presenters said that he discovered that one of his Z-Wave devices was recently compromised and was hogging all of the bandwidth on his network.  It made me think of this story and start to wonder about my own network.  So far things seem normal on my network, but has anyone else experienced any of the Mirai symptoms?

 

http://motherboard.vice.com/read/internet-of-things-mirai-malware-reached-almost-all-countries-on-earth

Make Your Password Hack-Proof By Sending It Through Your Body

October 2, 2016 by Jason A Lindsley

This is an interesting concept that is taking biometrics to the next level.  This article describes an authentication mechanism that uses fingerprint sensors to generate signals that travel through the users’ body to authenticate the user.  There is no need to send this signal over a network to authenticate the user.

It sounds like this mechanism is more complex and more difficult to hack than a normal fingerprint scan, but I would call it a stretch to say it is hack-proof.  As with any authentication mechanism, an algorithm is still required to perform the logic to authenticate the user and make a decision as to whether the user is who they say they are.  This feature may make that algorithm more complex, but hack-proof?  Probably not.

 

link: http://www.vocativ.com/363636/hack-proof-password/

Student legally hacks airline and earns $300,000 of miles

September 27, 2016 by Jason A Lindsley

Link: http://www.businessinsider.com/student-legally-hacks-united-airline-earns-frequent-flyer-miles-ryan-pickren-2016-9

This is an interesting short video/article on a Georgia Tech student who has been participating in United Airlines’ bounty program and has been rewarded with $300,000 worth of miles for finding security flaws.  He’s donated a third of his miles back to Georgia Tech.

It wasn’t always sunshine and rainbows for Ryan.  He got into some trouble with the law when he hacked a rival school’s calendar before a big football game.  He was charged, but completed a pretrial diversion program and the charges were dropped.

He began the United Airlines bounty program to earn miles to visit his girlfriend and became the most successful contributor.

I find it interesting when highly technical individuals such as Ryan are given an avenue to utilize these skills in an ethical manner (especially when they are caught doing something unethical).  For some folks, the technical part is very easy and the ethical part is challenging.  For myself, I’ve always had strong ethical principles and business acumen, but the desire to be more technical is what got me interested in the Temple ITACS program and ethical hacking.  How about the rest of you all?

Recon on Beneficial Bank

September 23, 2016 by Jason A Lindsley

I performed my Reconnaissance exercise on Beneficial Bank in Philadelphia, PA.  They operate 57 branches across PA and NJ and hold ~$5 billion in assets.

Please see video, executive summary, and PowerPoint presentation below.

Beneficial Reconnaissance Video

Executive Summary

PowerPoint Presentation

 

How did FBI hack terrorist’s iPhone? News groups sue to find out

September 18, 2016 by Jason A Lindsley

When the government was able to unlock the San Bernardino shooter’s iPhone, they backed off of their demands that Apple assist with breaking into the device.  They did not, however, provide Apple with details on how they were able to unlock the iPhone.  In my opinion, and apparently the opinion of the Associated Press, Gannett Satellite Information Network (“USA TODAY”), and Vice Media, this is a disservice to the millions of taxpayers that use iOS devices.  These organizations are suing the FBI for not disclosing how they were able to break into the phone.  This leaves potentially millions of iOS devices exposed to the vulnerability that allowed the FBI to obtain access to a locked iPhone.

The NIST Cybersecurity Framework, a government-published set of standards, encourages information sharing about vulnerabilities and threats between private and public organizations.  I am a strong advocate of this principle because as companies work together to share information to protect against cyber threats, the benefits of increased security extend beyond the walls of the organization that identified the cyber threat.  It also helps us to collectively solve for vulnerabilities that are identified and shared.

In this case, however, the FBI appears to be withholding information about the vulnerability for their own benefit.  If they publicly share the method by which they were able to unlock the device (or even privately with Apple), the folks in Cupertino will almost certainly address the security flaw immediately.

There is a fine balance between strong security and enabling our law enforcement to investigate; however, I am not in favor of providing back doors to law enforcement and withholding security flaws that leave millions exposed.

Article links:

https://www.cnet.com/news/fbi-sued-over-apple-iphone-hack-by-vice-ap-gannett/

https://www.documentcloud.org/documents/3109606-16-Cv-1850-Dkt-No-1-Complaint.html

 

Federal Judge: Hacking Someone’s Computer Is Definitely a ‘Search’

September 13, 2016 by Jason A Lindsley

A federal judge ruled that hacking someone’s computer, for purposes of an investigation, constitutes a Fourth Amendment search.  Therefore, law enforcement and the FBI would require a warrant to hack and search an individual’s computer for purposes of an investigation.

This seemed obvious to me, but apparently it’s been debated in the court of law for years.  I agree in theory that individuals should have a reasonable expectation of privacy with their IP address, but in reality, anything you do on the Internet has the potential to become public.  Regardless of whether hacking someone’s computer for an investigation requires a warrant, I’m glad they caught the people referenced in this article.

http://motherboard.vice.com/read/hacking-is-a-search-according-to-federal-judge

Hacker takes down CEO wire transfer scammers

September 6, 2016 by Jason A Lindsley

This article is about an ethical hacker that is fighting fire with fire.  Florian Lukavsky is working with police using a technique called “whaling” to obtain criminal identities and credentials.  These criminals targeted CEOs and financial controllers at large and small corporations with requests to urgently wire funds for overdue invoices.  This social engineering scam has resulted in an estimated $2.2 Billion of fraud losses in 14,000 reported cases.

Florian flipped the script and began replying to the criminals with malicious PDF documents that were disguised as transaction confirmations.  The malware helped to obtain Twitter handles, user names, and identity information that is being used to apprehend the criminals.

I thought this was a great example of an ethical hacker collaborating with authorities to expose these cyber criminals.

http://www.theregister.co.uk/2016/09/06/hacker_hacks_ceo_wire_transfer_scammers_sends_win_10_creds_to_cops/
