Uncategorized

Click for Article

This article is about a flaw in iOS 10 which allows the execution of malicious code if your view a JPEG, font files or PDF file through a website or email.  The good news is that Apple has released iOS 10.1 to correct this issue.  In fact, the iOS 10.1 update addresses 11 security flaws.

This announcement is fresh of the heels of a DD0S attack last week that used some non-conventional technologies such as cameras, routers and DVR’s to perform that attack.   It’s only a matter of time before hackers turn to other avenues to perform their attacks as other avenues are closed off.   Everyone thinks phones, cameras, etc are safe from this, but the truth is, anything that is connected to the Internet can, and most likely will, be a target for hackers.

 

 

 

 

We’ve talked briefly at MD5 collision in the last class, and some people has some questions about it.  The two links provided below; the first is explaining what MD5 collision is and the second will let you create your own collision.

Basically, collision occurs when two completely different files have the same digest.  When you use a hash algorithm: 1st you take the original message (plaintext), add some padding, run it through the hash algorithm (in this case MD5), and then it returns a message digest (ciphertext).  Each file, if not exactly the same, should have a different digest.  Nat McHugh has found a way to add prefixes to the plaintext (files: jpg, txt, etc) that would make the hash algorithm return the same hash even if the files were different.

He has created a Amazon Web Service (AWS) image that would allow you to download and run the script for about 7 cents an hour.  I’ve tried it and it took about a day to create a collision.  So I was able to create a MD5 collision for less than 2 bucks.  If you are interested you can try it out:

http://natmchugh.blogspot.com/2015/09/md5-collisions-in-ssh-keys.html

http://natmchugh.blogspot.com/2015/02/create-your-own-md5-collisions.html

 

 

https://youtu.be/XK5W05tX624

vulnerability_summary

nessus-vulnerability-scan

Major websites were inaccessible to people across wide swaths of the United States on Friday after a company that manages crucial parts of the internet’s infrastructure said it was under attack.

Users reported sporadic problems reaching several websites, including Twitter, Netflix, Spotify, Airbnb, Reddit, Etsy, SoundCloud and The New York Times.

Dyn, whose servers monitor and reroute internet traffic, said it began experiencing what security experts called a distributed denial-of-service attack just after 7 a.m.

http://www.reuters.com/article/us-usa-cyber-idUSKCN12L1ME

https://community.mis.temple.edu/itacs5211fall16/2016/10/21/3717/

It’s gonna be busy the next few weeks for IT Security Professionals and Linux administrators. A vulnerability that uses the copy-on-write function to perform privilege escalation can potentially allow any installed application, or malicious code, to gain root-level access and completely hijack the device.

There is also a exploit already available in the wild that makes this vulnerability even more concerning.

The fix for this is simple and can be easily addressed with two lines of code that are installed with an apt-get command.  However, many organizations will need to update this in non-production environments to test before moving to production. In addition, organizations will also want to reach out to all of their suppliers to confirm that they are doing the same. Similar efforts were required for the BASH, Poodle, and Heartbleed vulnerabilities.

Lastly, make sure you update those IoT devices!  Linux is a common operating system for connected home devices. They will also be vulnerable if they are not patched.

Link – http://www.theregister.co.uk/2016/10/21/linux_privilege_escalation_hole/

 

This is a great article about infamous Social Engineering attacks throughout history. The author’s tongue-in-cheek tone makes light of the intrusions, yet the damages each caused were anything but humerus. What’s very interesting about the article is that the attacks are mostly technologically based, meaning, inevitably, a hacker broke into a computer system and stole something or corrupted something but there are a few that are not. The first hack in the list dates back to the 1960s when the infamous Frank Abignale (Catch Me If You Can) used different characters to trick people into thinking he was something he wasn’t-a Trojan Horse of sorts. The article also discusses how a man was able to rob a bank without any technology at all. The only thing he deployed to obtain millions of dollars worth of jewelry was his charm. I think this is relevant to what Wade was mentioning with mingling with smokers outside of a company’s office so as to gain information. The article goes on to discuss several large hacks and how social engineering paved the road into the corrupted systems. A security analyst is quoted at the end of the article saying in so many words, “if you want to stay safe, engage end users”. Information systems are comprised, essentially, of computers, data, and end users. This article certainly suggests end users are the weakest link of the three when it comes to security.

http://www.darkreading.com/the-7-best-social-engineering-attacks-ever/d/d-id/1319411

After reading Jason’s post on the Mirai botnet I decided to look up the source code to get an idea of the coding involved with a botnet. They have it posted on GITHUB, and the link below is to Forum.txt, a post which was allegedly made by the botnet designer, who goes by the handle Annai-senpai. The comments are interesting, particularly when he comments on the lack of skills of his adversaries. He also gives a description of the setup used to administer and control the botnet.

Mirai comments

A dangerous banking Trojan, named Acecard,  asks android users to send a selfie holding their ID card.This threat tricks users into installing the malware by pretending to be an adult video app or a codec/plug-in necessary to see a specific video.The moment the app is executed by the user, it hides itself from the home launcher and then asks for device administrator privileges, in an attempt to make its removal, difficult and tedious.Once validated, the phishing tactic asks for super-personal information such as the cardholder’s name, date of birth, phone number, credit card expiration date and CCV as well.

 

http://www.dnaindia.com/scitech/report-android-hack-malware-acecard-selfie-id-card-2264336

This article talks about how important encryption is in today’s internet-driven economy.  Any attempt to circumvent encryption measures will eventually leave systems vulnerable to unwarranted attack by malicious actors.  Companies, organizations, ethical hackers, and software developers who leaves back doors in their systems or programs are potentially giving the threat agents another vector to attack the system.

Read More on the Article here: http://www.darkreading.com/attacks-breaches/encryption-a-backdoor-for-one-is-a-backdoor-for-all/a/d-id/1327177?

Hi everyone,

I found a few helpful courses on Lynda.com if you wanted to get more training on some of the tools we are using and I wanted to share:

Introduction to Kali Linux – https://www.lynda.com/Linux-tutorials/Introduction-Kali-Linux/455715-2.html?org=temple.edu

Practical Cybersecurity (covers Nessus, Wireshark, nmap, and ncat) – https://www.lynda.com/N-Stalker-tutorials/Practical-Cybersecurity/164982-2.html?org=temple.edu

Troubleshooting Your Network with Wireshark – https://www.lynda.com/Wireshark-tutorials/Troubleshooting-Your-Network-Wireshark/366447-2.html?org=temple.edu

Has anyone else found any helpful Lynda.com courses or additional training resources for the tools we’re using?