Week 04: Vulnerability Scanning

While updating its Phone Breaker software for iOS 10, Elcomsoft, a Russian cybersecurity firm, discovered a security flaw where encrypted backups can be hacked fairly easily. Apple’s chosen password verification method contains a flaw that makes it possible to bypass some security checks. In the past, iOS 9 limited the amount of password attempts that could be made even when with GPU acceleration at 150k times a second. With iOS10, the flaw allows 6 million times a second. By allowing more attempts in a second, the risk of hackers successfully entering the phone has increased tremendously. Elcomsoft says at that speed “hackers would only need to leave their software running for 2 days until the odds of success approached 90 percent”. But, the real risk is the local encrypted backup done through iTunes. With a full backup, a user’s keychain, Apple’s storage system for passwords,cc numbers and other personal info, is encrypted and stored on the local PC/machine. With the possibility of being able to retrieve the password fairly easy, hackers can gain access to the PC/machine containing the backup and decrypt it as well the keychain to gain access to personal information.  
http://www.techrepublic.com/article/beware-ios-10-security-flaw-makes-cracking-encrypted-backups-2500-times-easier/

reconnaissance-report

trillium-technologies-inc_-by-roberto-nogueda

reconnaissance-report

Apparently, the latest development on the Wells Fargo controversy takes interesting new twists.

Last Tuesday (9/20/16), John Stumpf, CEO of Wells Fargo, spoke to the Senate Banking Committee to apologize for the bank’s opening as many as 2 million bogus customer accounts to generate fees for the lender. “I accept full responsibility for all unethical sales practices,” CEO John Stumpf told a congressional panel. Another ripple effect of Wells Fargo’s scandal includes John’s resignation from a national panel that discusses financial matters with the Federal Reserve. These are perfect examples of what an organization can face by simply failing to apply strong policy controls and business processes. Poor risk evaluation to describe potential business impact can also lead to such unfortunate outcomes. See below for articles’ links.

http://www.huffingtonpost.com/entry/wells-fargo-hearing_us_57e02afee4b0071a6e08b170?

http://www.usatoday.com/story/money/2016/09/22/wells-fargo-ceo-leaves-bank-panel-wake-fraud/90862240/

This news couldn’t have hit yahoo at a worse time, with already falling stock prices and currently in negotiation with Verizon for its purchase. Yahoo’s market value just took another big hit. Yahoo was made aware of the breach in July and at that time it was speculated that 200 million accounts were compromised. Yahoo should have started damaged control then, two months later an additional 300 million accounts are added.

http://money.cnn.com/2016/09/22/technology/yahoo-data-breach/index.html

 

 

 

 

Reconnaissance Report of ForManMills

 

Scope:

Reconnaissance is the first crucial step to launch a successful hacking attack. It enables an attacker to become familiar with basic, or not so basic information about a company. For example, information such as: Corporate culture, terminology, employee information, trading secrets, technology, and so forth. Conversely, reconnaissance can also be utilized as a wakeup call to help companies protect confidential information online. It is in the same line of idea that I develop the following reconnaissance findings about ForManMills or www.formanmills.com, one of Philadelphia’s largest local retail stores, using search bar commands.

 

The following report is divided into two parts:

Part I – Reconnaissance Information and Part II – Mitigation Strategy Recommendations.

 

Part I – Reconnaissance Information

First, a simple WHOIS search via http://www.networksolutions.com/ reveals an array of network information about FMM. Information such as: Registry Domain ID 720897_DOMAIN_COM-VRSN, corporate headquarters: 12808 Gran Bay Parkway West, Jacksonville, FL 32258, Admin Email: p32ep7r49gy@networksolutionsprivateregistration.com, domain creation date 1997-12-31T05:00:00Z,name of servers: NS1.NXLKHOST.COM and NS2.NXLKHOST.COM.

Next, DNSstuff.com confirms servers and IP information such as: Created date :1997-12-31T05:00:00Z, updated date :2015-01-28T23:42:27Z and WHOIS server:whois.verisign-grs.com.

Moreover, http://www.ip-tracker.org/ helps uncover additional material about FMM’s DNS server, IP Addresses and server names. See below.

IP Address: 156.154.64.25 [IP Blacklist Check] Reverse DNS: 25.64.154.156.in-addr.arpa Hostname: ns1.hostingsvcs.com Name servers: ns3.hostingsvcs.com >> 156.154.66.25 ns1.hostingsvcs.com >> 156.154.64.25 ns2.hostingsvcs.com >> 156.154.65.25 ns4.hostingsvcs.com >> 156.154.67.25

Furthermore, analyzing www.formanmills.com domain through http://www.accessify.com/f/formanmills.com discloses page size, programing languages and other poor results of technology resources that FMM relies upon (More detailed information are shared via slides).

Lastly, a Google hack of Site:formanmills.com -www.formanmills.com of the company unveils several more critical data. For example, people can understand that FMM is utilizing Monster.com and Indeed.com for recruiting purposes. This is something that can help determine when the retail store is experiencing shortage in staff in a certain area. In addition, this hacking query can help identify the type of personal information FMM collects from job applicants via http://formanmills.com/corporatecareers/apply-page.htm. Other websites that FMM either owns or associates with are also publicly displayed with this Google search command.

“Google Cache” would beat FMM’ website security to successfully access Formanmills.com’s text format without leaving a footprint in the hosting server logs. This is something that would make it difficult to track down an attacker after hacking into the website.

 

Part II – Mitigation Strategy Recommendations

A good analysis report constitutes of not only finding potential problems, but at least offer good mitigation methods too. The following are essential steps managerial decision-makers at FMM can take to ensure an effective first line of defense of its website. First, it would be a clever idea to think like a hacker. In other words, study and use the similar methods as attackers, but in an ethical fashion. Secondly, it would be critical that the company evaluates and tests its systems regularly. Next, FMM should rely on multiple systems such as Intrusion Detection Systems (IDS), Firewalls, apply vulnerability scanner programs (Nessus would be a good choice), etc. in order to maintain safer online presence. Last of all, make it a FMM culture to consider IT Security as a vital part of its network because refrain from doing so would lead to catastrophic problems. The clear advantage of applying these is to ensure a better first line of defense and safer online presence against hackers. On the other hand, implementing these are associated with disadvantages such as: Give up critical network or PII information to third party testers, systems could be difficult and costly to maintain, also systems crash or failure of production environment.

mis-5211-analysis-report-1-pp

mis-5211-analysis-report-1

 

 

 

As we venture further into ethical hacking and network scanning, I think we begin to enter the gray area of where ethical and non ethical hacking meet. Port scanning, I believe, is right in the middle of this gray area as tools like nmap do not cause any damage to a system but is very revealing of how someone “could” cause damage. The comparison I have seen people make to explain the ethics of port scanning is it’s like going up to someone’s house and checking which windows and doors are unlocked. Could you necessarily go to jail for this? Maybe in some county in some state. Would the home owner be happy you came on to their property and started opening doors? Definitely not. Port scanning may technically not be illegal but it’s probably not ethical. There have been numerous court cases in which scanning was not found to be illegal. The article references Moulton v. VC3 to highlight this. The article also references the Computer Code of Conduct at Rochester Institute of Technology which makes no mention of scanning. As Professor Mackey stressed in the beginning of the course, it is best to get permission before any scanning/hacking activities!

https://www.sans.org/reading-room/whitepapers/legal/ethics-legality-port-scanning-71

The article I read was title Vulnerability Management Technique: Managing Asset Exclusion to Avoid Blind Spots. The article can be viewed at:

https://community.rapid7.com/community/nexpose/blog/2016/09/09/managing-asset-exclusion-avoiding-blind-spots?CS=social

The author opens the article by discussing recent advances in the maturity of vulnerability management programs, but suggests that one area that needs further development is avoiding asset risk blind spots. One way to do this is to manage excluded assets better. Some assets are excluded from vulnerability scan for various reasons (an example being, the asset has a known vulnerability and vulnerability scanning will cause damage to the system) and as a result, organizations neglect to manage the risks associated with these assets. In fact, many times organizations will put an asset on an exclusion list and practice ‘set it and forget it.’  However, vulnerability management is meant to be a cyclical process. In order to eliminate the blind spot associated with forgotten excluded assets, the author suggests a four step process:

1.       Assessment – identify assets to be excluded

2.       Reporting – run periodic reports on excluded assets

3.       Remediation/mitigation – Try to find a solution to the problem that prompted an asset to be excluded.

4.       Verification – Reassess assets to determine if they still need to be excluded

I found this article interesting as it explores an important niche of vulnerability scanning. While programs/sites that need to be excluded from vulnerability scanning are the minority, it is still important to have a means of managing those assets rather than taking the set it and forget it approach. Moreover, the cyclical process the author suggests doesn’t just accept that an asset has to be excluded from vulnerability scanning, but rather attempts to find a solution to the root problem necessitating the exclusion. Even if a solution can’t be found, the author’s process will revisit the asset in case new technology or a new approach can lead to a solution. This article takes a valuable approach to vulnerability scanning by advocating the development of the process to be adaptive and as inclusive as possible.

Recently, tech companies including Uber, Dropbox, Twitter, and Docker have joined farce to create the Vendor Security Alliance (VSA) for improving internet security. With the VSA, security experts and compliance experienced officers will team up to release a yearly questionnaire to benchmark its members’ risks. The questionnaire will measure risks based on policies, procedures, privacy, vulnerability management and data security. By sharing the expertise and practices across businesses, VSA will create standards and scoring processes to assess the security level of its members, and ensure appropriate controls are in place to improve security.  The first questionnaire will be available on Oct. 1 free of charge.

I think this article is interesting that some tech leaders decided to team up to standardize the cybersecurity practices. I think it is a good thing that the VSA takes advantages of collective expertise across different industries to improve the security practices. With the standards, companies belonging in the VSA are able to evaluate and measure their own risk levels and determine their vulnerabilities and strengths without additional audits.

Article: http://www.darkreading.com/vulnerabilities—threats/vulnerability-management/uber-dropbox-other-tech-leaders-team-up-to-boost-vendor-security-/d/d-id/1326926