Week 05: System and User Enumeration

After KrebsOnSecurity covered vDOS for being a DDOS hack seller their site was hit with a historic DDOS. While DDOS mitigation has been discussed previously, this attack was nearly impossible to stop. The site was given pro-bono access to Akamai’s mitigation service but due to the size of the attack, Akamai had to sever ties. They predicted that protection of this one site would’ve cost millions of dollars and disruptive protection of their other clients.  Diagnosis of the DDOS shows that a lot of attacks came from compromised IoT (internet of things) enabled devices. It was also the second largest DDOS that Akamai ever dealt with.

Google has stepped in with a new program called Google Shield. Its purpose is to prevent free speech from being silenced by malicious attackers.  Google Shield protects news As this case proved it is cost-prohibitive to protect a small site from attacks so Google is trying to provide backup.  Protection at a high level can cost $150,000 to $200,000 a year even if it is just a blog.  The author fears of state sponsored actors also using this kind of DDOS power on individuals.

Are mathematical formulas the best answer to date against hacking? This is what Wired’s Kevin Hartnett explains in “Computer Scientists Close In On Perfect, Hack-Proof Code,” an article he posted on Huffington Post. Several computer scientists are experimenting on a coding method that would make it “impossible” to hack. It’s a sign of relief to learn that a great deal of effort is being put together to make hack-proof code a reality. Perhaps this is possible, but I’m almost certain attackers will eventually figure out a way to break into the system.

Tests are now being conducted using a helicopter code named as “Litte Bird.” Kevin reports that a team of hackers could have taken over the helicopter almost as easily as it could break into a home Wi-Fi. However, engineers from the Defense Advanced Research Projects Agency had implemented a new kind of security mechanism software system that couldn’t be commandeered. The writer goes further to add that key parts of Little Bird’s computer system were unhackable with “Existing technology, its code as trustworthy as a mathematical proof.” I’m looking forwards to see whether this coding method will emerge as unhackable as intended.

http://www.huffingtonpost.com/entry/computer-scientists-close-in-on-perfect-hack-proof_us_57e93bf1e4b05d3737be6460?section=us_technology

So we will be getting the touch and feel of the newest Google browser that will flag “not secured” any non-HTTPS sites that transmit credit cards information and passwords, as of January 2017, called Google’s Chrome 56 browser.

Hypertext Transport Protocol Secured (HTTPS) is a converter for the Web’s lingua franca hypertext transport protocol with encryption from Transport Layer Security (TLS) or secure Socket Layer (SSL) to guarantee the authenticity of a website, it also protects communication between client and server, and obviate man-in-the-middle attacks says Terry Sweeney from InformationWeek Dark Reading magazine.

When a website is loaded over HTTP, someone else on the network can look at or modify the site before it gets to you, since currently Chrome delivers HTTP connections with its neutral indicator, which Google says that it doesn’t reflect the real lack of security.

Net Market Share mentions that Google Chrome is the most widely used browser in the world, with nearly 54% of the combined desktop and mobile user segments as of the month of August.

The main change to users is that eventually the plan is to label all HTTP pages as non-secure, and change the HTTP security indicator to the red triangle that they use for broken HTTPS pages.

http://www.darkreading.com/vulnerabilities—threats/google-chrome-to-flag-non-https-logins-credit-card-info-not-secure/d/d-id/1326921?

This paper summarizes a year’s worth of credential scanning data collected from Heisenberg (Breaking Bad fan’s anyone?), Rapid7’s public-facing network of low-interaction honeypots. Instead of focusing on the passwords that end users typically pick, this data contains what opportunistic scanners are using in order to test— and likely compromise— Internet connected point of sale (POS) systems, kiosks, and scamware-compromised desktop PCs which offer the Remote Desktop Protocol (RDP) service for remote management. Heisenberg honeypots are custom-engineered, low-interaction honeypots that are distributed geographically across several regions. There’s a lot of interesting statistics in this paper such as the frequency of scans from certain geographical areas, the most common usernames and passwords used in scans against the honeypots, and how these usernames passwords are associated with each other in the attack. The surprising detail uncovered was just how weak the passwords were (the most common username and password combination used was username: administrator – password: x). Since these passwords were deliberately chosen by the various scanners which ran up against Heisenberg, it implies that the default and common passwords to several POS and kiosk systems are chosen out of convenience, rather than security. Sobering stuff!

Rapid 7 Attacker’s Dictionary  

This article was focused on the financial repercussions for failing to meet cyber-security requirements in the EU. Currently, failing to meet legal requirements for cyber-security results in a fine of 500,000 pounds. The author cites a recent study that showed 7 out of 10 board members believed this punishment to be too lenient. However, by 2018 new data protection rules will increase penalties up to 20 million pounds.

This article illustrates the growing recognition of the importance of proper cyber security practices among executive management. The high number of directors that are calling for heftier punishments and stricter standards shows that these directors recognize the threat posed by a lack of cyber security and the immediate need for proper cyber security precautions.

Article: http://www.telegraph.co.uk/technology/2016/09/26/punish-companies-for-cyber-security-failures-directors-say/

Recently, the RCTA developed drafting guidelines for the security performance standards in the aviation industry. With the guidelines, the Federal Aviation Administration aimed to ensure that cybersecurity protections will be incorporated into routine activities and day-to-day operation from the air to the ground on manufacturers, carriers, maintenance facilities and airports. Cyber issues in aviation industry ware elevated to such a high priority for the first time. I think it is important that the FAA pay attention on the cyber security in aviation industry. It will be super dangerous if terrorists hacked into a flying plane or airport control tower. From the articles I found through the past 5 weeks, I realized that cyber security is not only about confidential information to business to privacy to individuals, it also relates to our safety.

Article: http://www.wsj.com/articles/faa-advisory-body-recommends-cybersecurity-measures-1474587049

This article is about the F.B.I. impersonating a journalist in 2007 and using a tracking software to locate the individual.   The media organizations did not approve of these methods that were used stating that it would taint the media’s credibility.    The D.O.J. Office of the Inspector General report that was released stated that the F.B.I. did not violate any policies that were in place at the time ,but now as of June 2016 an agent has to get high-level approval pose as a journalist.

http://www.nytimes.com/2016/09/17/business/media/fbi-impersonation-of-journalist-did-not-violate-undercover-policies-federal-watchdog-says.html?_r=0