How can the market players play with security vulnerabilities of different firms… I’ll share the news
There is always a pact between cybersecurity researchers and companies that when a cybersecurity firm finds a vulnerability in an organization, it will report it to the organization directly and get money as a reward or as per the deal.
But a strange thing somehow happened: a cybersecurity firm, MedSec, found an alleged bug in the St. Jude Medical company’s implantable heart equipment.
Rather than approaching the medical company, MedSec went to the short-seller firm Muddy Waters.
The investment firm Muddy Waters would make the vulnerabilities public in exchange for giving the cybersecurity firm a cut of the profits Muddy Waters made from betting against the medical device maker’s stock.
http://www.denverpost.com/2016/09/04/cybersecurity-strategy-insecure-companies-wall-street/
Week 03: Reconnaissance
Google Launches Android Hacking Contest
Here you go hackers, if you want to make up to $200 k, here is the way.
The Project Zero Prize is a way for participants to find a full exploit that will allow them to achieve remote code execution on up-to-date Nexus 6P and Nexus 5X devices, by knowing only their email address and phone number, with a few conditions.
The first prize is a juicy $200,000 and $100,000 for the second place, how about that?
Natalie Silvanovich is Google’s Project Zero team lead and explained that their “main motivation is to gain information about how these bugs and exploits work.”
This article also talks in detail on how to play and other rewards offered by the giant search engine.
http://www.securityweek.com/google-launches-android-hacking-contest
Federal Judge: Hacking Someone’s Computer Is Definitely a ‘Search’
A federal judge ruled that hacking someone’s computer, for purposes of an investigation, constitutes a Fourth Amendment search. Therefore, law enforcement and the FBI would require a warrant to hack and search an individual’s computer for purposes of an investigation.
This seemed obvious to me, but apparently it’s been debated in the court of law for years. I agree in theory that individuals should have a reasonable expectation of privacy with their IP address, but in reality, anything you do on the Internet has the potential to become public. Regardless of whether hacking someone’s computer for an investigation requires a warrant, I’m glad they caught the people referenced in this article.
http://motherboard.vice.com/read/hacking-is-a-search-according-to-federal-judge
How much of a risk is BYOD to network security?
With the growing demand for BYOD (Bring Your Own Device) as a possible cost-saving measure for many companies, IT networking and security groups have to properly plan for this new IT model. To the untrained eye this might look like a great idea to cut IT costs, but in the long run it could cost a company much more than what they saved on PC hardware. Some things to consider: 1) how to properly ensure all PCs have some form of virus protection, 2) are PCs being kept up to date with security patches and updates, 3) will BYOD be centrally managed.
Even though this is a novel idea, it’s also a hacker’s playground for mischief once the door is open for them to gain access to your network. This article gave great pointers on processes one should consider if choosing to go down this path. For instance: 1) Create a structured network segmentation strategy, 2) Limit access to systems through a single point and apply fine-grained access controls, 3) Increase authentication to corporate resources, 4) Manage your devices.
I’m currently at this same crossroad in my current position as Director of Desktop Support and Systems Administration. We are seeing the push for people to work from home and also bring those same mobile devices into work to gain access to network resources. The work-from-home part isn’t new. We currently use VPN tunneling and, depending on the network access required, an RSA token is assigned. What is new is whether we will allow BYOD onto our physical network.
Question for this week
First let me say that I have no right or wrong answer for this, just want to see each of you weigh in.
In light of the news around an Israeli company developing malware to facilitate the UAE snooping on human rights activists, how far would you be willing to go if you ran the IT Security company that created this malware?
Here’s a link to the story in case you don’t recall. http://foreignpolicy.com/2016/08/25/the-uae-spends-big-on-israeli-spyware-to-listen-in-on-a-dissident/
Article: “Crimeware-as-a-Service Hack Turns Potential Hackers into Victims.”
Hacking now is so easy that hackers don’t even have to be technically sophisticated, with hacking skills and knowledge, or deal with the technical challenges of running their own crimeware. Instead, they can just buy a hacking service that will do most of the hacking work for them, enabling them to automate the hacking online and gain access to sophisticated networks easily. Obviously, the Crime-as-a-Service (CaaS) offering is contributing to the increasing volume and sophistication of cybercrime and the increasing difficulty of tracking malicious hackers. The victims are not only the targets under attack, but also the attackers themselves, the customers of the CaaS offerings. For example, a newly discovered crimeware service is using Facebook hacking tools hosted on Google Drive. It requires users/customers to provide their Facebook login credentials before they can hack other accounts. It steals aspiring hackers’ account information and tricks them into believing that they can hack into other accounts. This crimeware service makes money by selling stolen account information in the underground market. This also puts enterprise user accounts at risk. Hackers can steal business users’ credentials and develop a botnet for stealing a company’s intellectual property, damaging software or conducting other future attacks, while it is hard to track back and find the real attackers. They can also make money by selling the credentials to the highest bidder. Therefore, to prevent this kind of attack, IT managers are advised to prevent employees from using business accounts for personal use, opening suspicious links or downloading unauthorized files, and to ensure a fast response to attacks.
This article made me think about the security of social media sites, like Facebook, Twitter and LinkedIn. As the most trusted communication channels for most people, many social media sites cannot even secure their own environment. This makes social networks a hotbed of CaaS and other cybercrime that allows hackers to manipulate users and develop botnets easily. It is weaponized, and makes hacking more effective and less trackable. For companies, social media attacks are not only about reputation damage; they also lead to big data breaches. According to research, eighth companies suffered a security breach due to social media-related cyber attacks. However, companies can hardly prevent employees from using social networks because they have become part of our lives. Instead, companies should identify their social assets, develop an effective social media security plan, educate employees, and be almost prepared for social media attacks.
Data Manipulation: An Imminent Threat
Hackers that are looking to cause more chaos than financial gain are nothing new, but this article reminded me how scary it can be.
The article describes a potential scenario where a hacker gains access to a bank’s internal network using traditional methods such as a stolen password, malware infection, etc. This is followed by getting privileged access into the customer database where detailed account balances and personal information are held. Over a three-month period the hacker begins to alter and manipulate the data that is linked to customer transactions. Once the banks and customers realize what has happened, it could take months for the data to be manually recalculated to the correct amounts. During this time customers are wondering if they’ll have the correct and accurate balances, when, if ever, they’ll be able to make a withdrawal, and if there is a safe place to put their money besides their mattress.
This reminds me of the story line in season 1 of Mr. Robot…
It’s easy to think that the financial sector has the best network and database security but I’m sure there are vulnerabilities. The large corporations may be better protected but some of the smaller financial companies may not have the same security luxuries to prevent an attack like this. The article points out a research survey of 200 organizations (average work force of 22k) and 47 % acknowledged that no individual or functional group is responsible for monitoring databases for unauthorized activity. This is alarming considering how much critical financial data is kept in these databases.
http://www.darkreading.com/attacks-breaches/data-manipulation-an-imminent-threat-/a/d-id/1326864?
2 Israeli teens have been arrested for allegedly running a huge hacking tool
A pair of 18-year-old Israeli teens were arrested for operating a hacking tool that created a DDoS (Distributed Denial of Service) attack and would flood sites with so much malicious internet traffic that they would crash. The teens were accused of running vDOS, a “booter” service which allows people to pay to use it to attack other websites and services. The two were exploited when their own server was hacked, leaking their information. The pair refused to attack any Israeli-based sites. These “booters” allow people without any technical skills to engage in DDoS attacks. This is fairly interesting, because now, if you have a grudge, you can pay to have someone cyber-attacked. These DDoS attacks were generally for ransom, and publications state roughly $600,000 was earned by its operators.
Owners of attack for hire website arrested
Alleged vDOS Proprietors Arrested in Israel
On some corners of the internet, you can pay for services that attack legitimate websites to try to disrupt their service. One of these sites, vDOS, was recently busted up by authorities in Israel. They arrested the alleged owners, two 18-year-olds who have been running the site for four years. The site is accused of running DDoS attacks that earned the owners over half a billion dollars. They were found out through multiple sleuthing methods. They referred to each other on Facebook by their hacker call signs. Their phone number was set up to receive texts from customer service notifications.
The database of who had been paying for the hacks also became publicly available. The data contains attempted DDoS attacks that weren’t wiped from their logs. It shows what site was targeted by what username, when, and for how long.
Interestingly, after the site went down the site domain was hacked through a BGP hijack. The company responsible said it was in response to their servers being attacked by vDOS and hoping that would lessen the traffic. The company CEO said this was just a defensive maneuver but I would still classify this as offense.
It seems a lot of fighting is going on all the time on the internet, and the only defense might be to stay educated on all the new ways hackers are attacking systems. Sometimes, going on the offense may pay off too if done correctly.
https://krebsonsecurity.com/2016/09/alleged-vdos-proprietors-arrested-in-israel/
Oh, It’s On Sale! USB Kill to Destroy any Computer within Seconds.
Article link: http://thehackernews.com/2016/09/usb-kill-computer.html
Wow! Talk about your Super Spy type stuff. (Cue Mission Impossible Theme Music now: https://www.youtube.com/watch?v=XAYhNHhxN0A).
So now not only do we have to worry about the digital data that can be stolen or compromised, but now comes this new item that will basically destroy the internal components of your computer.
This killer USB stick, once plugged into a USB drive, will charge capacitors within it and then release a deadly charge back into the system that will destroy internal components. The company claims they developed the device for companies to test their devices for USB power surge attacks.
You’ve been hacked and now, destroyed. Trying to piece together what information has been compromised from a functional machine can sometimes be impossible. Now, you might be left trying to figure out what happened without even having the machine available to you.
It’s mind-boggling that any person can get one of these devices for $49.95 over the Internet. How do we combat hacking and theft, and now destruction, when the tools necessary to wreak havoc come so cheap? Just another item in the constant dance to keep us on our toes!