ITACS 5211: Introduction to Ethical Hacking

Wade Mackay

Uncategorized

Linux kernel network stack vulnerability

September 9, 2016 by 1 Comment

This article is about a vulnerability found in Linux kernel versions since 3.6 that allows hackers to perform a side-channel attack. At a high level, a side-channel attack allows someone to passively monitor a system through indirect channels, hence "side-channel". An example of this would be watching the power supply rate of a system to determine its workload. In this case, an attacker is not actively watching the server but can still draw conclusions as to what it is used for. Another example of this would be determining the amount of time it takes a machine to send a response packet, or how long it took to process a packet.

A feature of TCP is windowing. Professor Mackey described this during our last lecture when he described TCP connections as secure in that they will confirm or deny a remote machine's acceptance of packets. Linux kernels since 3.6 have a feature built in that forces the machine to send "ACK" (acknowledgement) packets to a remote server it is communicating with when it thinks it is receiving bad packets. It's basically Linux's way of saying, "hey, these packets don't look correct, can you confirm?" In theory, this is a good thing in that it prevents attacks such as man-in-the-middle.

What hackers have found, though, is that they can force a Linux machine to send ACK packets by sending "spoof" (fake) packets once a connection has been made. The hacker will then watch the number of ACK packets sent out. If the number of ACK packets the hacker receives is less than the number of allowed ACK packets, the hacker knows there is a valid connection between the server and a client somewhere. The math for the next part is rather complex, but it is possible to determine the TCP 32-bit sequence numbers for that specific connection and inject malicious packets into the valid connection. (This video describes how this is done when RSA encryption methods are used: //www.youtube.com/watch?v=AZkDGaISXq8)

This article greatly illustrates how hackers use TCP/IP to gain entry to or disrupt systems.

http://www.theregister.co.uk/2016/08/10/linux_tor_users_open_corrupted_communications/
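The ACK-counting side channel the post describes rests on one host-wide challenge-ACK budget that every connection shares. The Python model below is an added example, not code from the post, the linked article, or the Linux kernel; it is a deliberately simplified model, and the class and function names, the budget sizes and the probe counts are all constructed for illustration. It shows why a fixed, well-known shared budget leaks how many ACKs other connections consumed, and why a budget that is larger and re-drawn at random each second (the direction the upstream fix took; on a real host the knob is the `net.ipv4.tcp_challenge_ack_limit` sysctl) leaves an observer unable to separate genuine consumption from noise.

```python
"""Toy model of the shared TCP challenge-ACK budget (constructed example).

RFC 5961 makes a host answer a suspicious segment on an established
connection with a "challenge ACK" instead of acting on it.  If all
connections draw those ACKs from one host-wide per-second budget, the
number of challenge ACKs any single observer gets back depends on how
many ACKs every other connection used in the same second.  That is the
side channel; the cure is a budget that is large and unpredictable.
"""
import random


class ChallengeAckBudget:
    """Host-wide budget of challenge ACKs, refilled once per second."""

    def __init__(self, budget_fn):
        # budget_fn() returns the number of challenge ACKs allowed in the
        # coming second; it is called once at every new_second().
        self.budget_fn = budget_fn
        self.remaining = 0

    def new_second(self):
        self.remaining = self.budget_fn()

    def challenge_ack(self):
        """Send one challenge ACK if the budget allows; True if sent."""
        if self.remaining > 0:
            self.remaining -= 1
            return True
        return False


def fixed_budget(limit):
    """Vulnerable policy: exactly `limit` ACKs every second, known to all."""
    return lambda: limit


def randomized_budget(limit, rng):
    """Mitigated policy: per-second budget drawn from [limit/2, 3*limit/2)."""
    return lambda: rng.randrange(limit // 2, limit + limit // 2)


def observe(budget, probes, consumed_by_others):
    """Simulate one second.

    Other connections on the host first use up `consumed_by_others`
    challenge ACKs, then an observer provokes `probes` challenge ACKs on
    its own connection and counts how many come back.
    """
    budget.new_second()
    for _ in range(consumed_by_others):
        budget.challenge_ack()
    return sum(1 for _ in range(probes) if budget.challenge_ack())


def infer_hidden_use(assumed_limit, acks_seen):
    """The observer's reasoning: anything missing from the assumed
    budget must have been spent by some other connection."""
    return assumed_limit - acks_seen


if __name__ == "__main__":
    # Fixed, well-known budget: the count of returned ACKs reveals
    # exactly how many ACKs other connections triggered this second.
    leaky = ChallengeAckBudget(fixed_budget(100))
    for hidden in (0, 7):
        seen = observe(leaky, probes=100, consumed_by_others=hidden)
        print(f"fixed budget: {hidden} hidden -> {seen} ACKs seen, "
              f"observer infers {infer_hidden_use(100, seen)}")

    # Randomized budget: the same reasoning yields a different answer
    # every second even though nothing else happened on the host.
    safe = ChallengeAckBudget(randomized_budget(1000, random.Random(1)))
    for _ in range(3):
        seen = observe(safe, probes=1000, consumed_by_others=0)
        print(f"randomized budget: 0 hidden -> observer infers "
              f"{infer_hidden_use(1000, seen)}")
```

The point of the model is that a rate limiter is itself shared state: when its size is public and the same for every client, the leftover count becomes a one-number message from the rest of the host to whoever cares to read it. Checking the current value of `net.ipv4.tcp_challenge_ack_limit` on a server, and whether the running kernel is new enough to randomize it, is the practical follow-up.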

7 Cases When Victims Paid Ransom to stop cyber attacks

September 9, 2016 by BIlaal Williams 4 Comments

This is an interesting article which talks about 7 cases where compromised ransomware victims paid to regain access to their data. The victims vary from police departments to a NASCAR race team. Payment was made via bitcoin, and in one of the cases, the attacks continued even after the ransom was paid. The attacks were made via DDoS attacks on an email service, and via infected computers from successful phishing scams. This article stresses the importance of security awareness training for employees, and backing up data in separate locations. Payment of ransom only encourages more ransomware campaigns, so proactive solutions are imperative. The article also briefly talks about an anti-ransomware site, 'No More Ransom', which was created to assist Internet users by recovering their files absolutely free, to stop them from paying ransom to criminals.

https://www.hackread.com/top-7-cases-of-ransom-payments/

How Machine Learning is Making for Better IT Security

September 6, 2016 by Silas Adams 6 Comments

I found the article below more interesting than the others I happened to read, primarily for reasons dealing with competitive advantage and the fact that it is discussing a proactive and cheaper solution to IT security. As the number of ways an individual can attack a system increases, so should our number of ways to defend against those attacks. In my opinion, IT security or cyber security seems to always be reactive in nature, or "damage control", as other articles point to a speedy reaction time as being key to mitigating a business' loss. Imagine a world where intrusions and attacks can be predicted and avoided, as opposed to hardening a system with the hope that an attack or intrusion is unsuccessful. From an enterprise risk management perspective, having a predictive approach to IT security on top of solid detective and compensating controls could be the solution to better mitigating loss to the business. What does this mean with regards to competing in the market? It means margin; if two companies are competing directly in the e-commerce marketplace and one company has an automated machine learning approach to IT security, that means it doesn't have the expense that comes with hiring humans, even if it is one less human. One less human means one less employee benefit package and salary, which means decreased expenses and increased margins. The long-term viability of the firm that implements a Machine Learning approach to IT security is greatly increased. Implementing cheaper, more efficient means of doing any business function almost always means more profits and better share performance.

At my firm we are working on such Machine Learning algorithms, and most of the executives say, "it won't work…", but that is because they don't understand the math behind the algorithms or the applications of Machine Learning. Pattern recognition and response time to the nth degree, and at levels far beyond that of a human. I've heard and have been involved in many debates around combining Machine Learning and Cyber Security.

So I pose a question: should this type of technology be used as a decision support tool within the business, or should it be used as a stand-alone IT tool with minimal human interaction? To play devil's advocate, on May 6, 2010 the 'Flash Crash' was said to have been caused by a trader spoofing the algorithm. Could this happen in this case?


http://insidebigdata.com/2016/08/26/machine-learning-making-better-security/

The New Security Mindset: Embrace Analytics To Mitigate Risk

September 6, 2016 by Marcus A. Wilson 1 Comment

I came across this article that discusses how information security professionals should be adding a data-driven approach to complement other techniques while attempting to mitigate the risk of attacks. Traditional defense preparation such as penetration testing is great for identifying specific weaknesses and exposures, but there can be more creative and proactive ways of finding what in your network is attracting potential hackers.

The author mentions that malicious hackers may be using rapidly changing techniques and advanced tools, but they are using these tools with the same strategies and motives that have allowed them to analyze a target network and develop solutions in the past. If we can analyze our own networks in the same way that a hacker does, it can allow us to focus in on key weaknesses.

It's also interesting that the article mentions that organizations are beginning to task additional teams, along with penetration testing, to handle the role of analyzing the tactics and thinking process of the penetration testers. By reviewing this analysis and data you can possibly uncover thinking or trends that a malicious hacker may come across but that perhaps the penetration testing missed.

http://www.darkreading.com/analytics/the-new-security-mindset-embrace-analytics-to-mitigate-risk/a/d-id/1326812?

Hacker takes down CEO wire transfer scammers

September 6, 2016 by Jason A Lindsley 2 Comments

This article is about an ethical hacker that is fighting fire with fire. Florian Lukavsky is working with police using a technique called "whaling" to obtain criminal identities and credentials. These criminals targeted CEOs and financial controllers at large and small corporations with requests to urgently wire funds for overdue invoices. This social engineering scam has resulted in an estimated $2.2 billion of fraud losses in 14,000 reported cases.

Florian flipped the script and began replying to the criminals with malicious PDF documents that were disguised as transaction confirmations. The malware helped to obtain Twitter handles, user names, and identity information that is being used to apprehend the criminals.

I thought this was a great example of an ethical hacker collaborating with authorities to expose these cyber criminals.

http://www.theregister.co.uk/2016/09/06/hacker_hacks_ceo_wire_transfer_scammers_sends_win_10_creds_to_cops/

To Antivirus or not to Antivirus

September 5, 2016 by Jon Whitehurst 9 Comments

During the week 1 lecture Professor Mackey made the comment, and I am hoping I am quoting correctly, "I do not run antivirus on any of my computers at home". I am not a fan of antivirus or encryption software because it takes system resources away from the user experience; however, this statement caught my attention. No matter what the operating system may be, it can still catch a virus. Granted, the virus has to be tailored to the OS that the user is using, which is greatly reduced by the OS that you are using, Microsoft vs. Ubuntu as an example. I have always felt that antivirus is a necessary evil for a system to exist, and it's an insurance policy that catches a certain percentage of viruses and will stop known virus signatures. What I found interesting was that the industry standard is saying that traditional antivirus is dead; however, it still remains useful to a security approach. I would agree that from a business and consumer-of-computer-products perspective, having antivirus will save hours of headaches. I like Professor Mackey's home setup, where running everything in a VM is a safer approach, so not using an antivirus is a bonus, and we are starting to build this environment for this and other classes. The computer industry has been trending in that direction, where we will have dumb terminals to access the internet. Maybe I should redesign my home network?


http://krebsonsecurity.com/2014/05/antivirus-is-dead-long-live-antivirus/

http://www.networkworld.com/article/2919111/security/traditional-anti-virus-is-dead-long-live-the-new-and-improved-av.html

“Air Gapped” Computers can also be Vulnerable

September 5, 2016 by Jimmy C. Jouthe Leave a Comment

Logically removed and physically separated from unsecured public networks, "Air Gapping" a system is a way to ensure security on a system. The idea being, if the system is not connected to the public network it is considered less risky and thus less vulnerable to a threat. But as technology advances, that is becoming more of a pain and work to achieve. Researchers at the Cyber Security Research Center in Israel have found a way to transmit data from an "air-gapped" computer using software installed on a USB drive and a nearby receiver with a radio frequency (RF) antenna. The software on the USB drive (USBee, created by the CSRC) can generate controlled RF emissions from the data bus of a USB connector and send data to a nearby receiver at 80 bytes per second. This is interesting to me because they were able to use the internal resources of the computer to pretty much create a transmitter out of a simple portable storage device using code; that's impressive! Protecting "air-gapped" systems not only requires separating them from unsecured networks but also shielding the containing room in a location away from antennas, and quite possibly removing USB ports or building systems with the minimum number of hidden USB ports, available only to those that need access.


http://www.darkreading.com/vulnerabilities—threats/air-gapped-systems-foiled-again-via-usb-drive-/d/d-id/1326803

http://in.bgu.ac.il/en/Pages/news/datastolen_usb.aspx

Article: “Car hacking is the future – and sooner or later you’ll be hit”

September 5, 2016 by Mengqi He 8 Comments

This article discusses how vulnerabilities in automotive systems enable car hacking. As the car becomes increasingly computerized, many accidents due to system and software flaws are exposed to the public. Therefore, the security of the car's system and internal network should be one of the top concerns of car manufacturers. However, I think just a few auto manufacturers have placed enough emphasis on developing secure vehicle information systems. Back in 2014, it was proven that a Jeep could be remotely taken over, and therefore Fiat had to recall all the affected cars to fix the problem. Even though the car manufacturer keeps improving their systems, researchers still find vulnerabilities that enable hackers to access the car's internal network through the entertainment system. Hackers are able to seize control of the car by turning the steering wheel, hitting the brake or slamming on the accelerator. Researchers are currently focusing on the potential attacks related to sensors and radar that enable self-parking and self-driving.


I think this article is interesting because when people talk about information security and hacking, I would first think about privacy. However, it is much more than privacy; it also relates to people's safety and health, especially for vehicles and medical devices. The most common interconnected system connecting different systems in most cars is called the CAN bus. One of the greatest vulnerabilities is the lack of encryption on the CAN bus. A weakness in any one of the systems could enable attackers to access the rest of the systems and even take control of the car. This would become one of the greatest challenges to car manufacturers, as most of them are focusing on developing self-parking and self-driving cars.


https://www.theguardian.com/technology/2016/aug/28/car-hacking-future-self-driving-security

Hacker Wisdom: Top Three Takeaways from Black Hat 2016

September 5, 2016 by Roberto Nogueda 3 Comments

http://thevarguy.com/information-technology-events-and-conferences/hacker-wisdom-top-three-takeaways-black-hat-2016

I was curious about what this year's Black Hat conference was all about, other than a bunch of people getting together in numerous seminars and presentations for about a week, so here are "The Top Three Takeaways from Black Hat 2016" by Allison Francis from The Var Guy.com.

  • Would you pick up a random USB drive and plug it into your personal computer?

Google researcher Elie Bursztein explains the enduring theory among cybersecurity experts that people will pick up and use random USB thumb drives that they find, and potentially take the risk of infecting their systems, which is not a rare case among unaware computer users all over.

Bursztein and his team had distributed 297 USB drives as “bait” at various strategic-ish locations, such as parking lots, building hallways, classrooms and outdoor areas around the University of Illinois campus.

He added that each drive housed tracking software that would "call home" if plugged in. Those drives also included several different messages like "final exam results" or "confidential", among others.

The results were issued by eWeek (article), revealing a stunning 46 percent of the distributed drives "phoned home", so Bursztein suggested that awareness and security training is highly important, and warned organizations and individuals to be mindful of what they plug into their machines. "You don't pick up food from the floor and eat it because you may get poisoned, so don't pick up random USB drives either," Bursztein said.

  • The mounting threat of attacks in the VoIP and UC space

Fatih Ozavci, a managing consultant with Context Information Security, presented on the lack of understanding and awareness of modern voice over internet protocol (VoIP) and unified communications (UC) security. This gap leaves providers and organizations extremely vulnerable to attacks, due to the ever-increasing and rapidly growing number of threats.

During the conference Ozavci mentioned the various ways that service providers and businesses are leaving themselves at risk of threat actors repurposing and exposing infrastructure for attacks such as botnets, malware distribution, vishing, denial of service attacks and toll fraud.

Ozavci also touched on the weaknesses in messaging platforms and UC product suites, since those vulnerabilities make it easy for hackers to sneak past security measures and spread malicious content. Once those vulnerabilities are exploited, attackers could gain unauthorized access to client systems or communications services such as conference and collaboration, voicemail, SIP trunks and instant messaging.

Last, Ozavci presented on awareness and how he planned to get the word out, and revealed his newly developed open source tools Viproxy and Viproy, which can be used for VoIP penetration testing.

  • Information sharing and public work

Dan Kaminsky, the co-founder and chief technologist of the cybersecurity firm White Ops, highlighted the importance of making the internet a safe place for everyone by calling for more information sharing as a way to improve security and to deal with and combat cyberthreats faster and more efficiently.

Former St. Louis Cardinals Exec Sentenced To 46 Months For Hacking Houston Astros

September 5, 2016 by Brent Easley 4 Comments

I have a strong interest in this story because, one, you have probably never heard of this happening with an employee from a sports franchise, and two, I am a baseball fan. This article is about an employee of the St. Louis Cardinals hacking the internal network of the Houston Astros. Chris Correa, who was a former scout for the St. Louis Cardinals, was sentenced to almost four years for hacking into the Houston Astros player database. Correa was able to hack the internal network of the Houston Astros and gain access to statistics and projections that were gathered by the front office of the Astros. Correa was able to do this by getting the old password from a former employee who is now the general manager for the Houston Astros. The federal government estimated that this information was worth 1.7 million dollars. In my opinion, cases like this are why companies enforce complex passwords, changing passwords often, and telling clients not to give their password out to anyone.

https://consumerist.com/2016/07/19/former-st-louis-cardinals-exec-sentenced-to-46-months-for-hacking-houston-astros/
