ITACS 5211: Introduction to Ethical Hacking

Wade Mackay

Week 05: System and User Enumeration

Krebs back online after massive DDoS

October 1, 2016 by Noah J Berson 3 Comments

After KrebsOnSecurity covered vDOS for being a DDoS attack seller, their site was hit with a historic DDoS. While DDoS mitigation has been discussed previously, this attack was nearly impossible to stop. The site was given pro bono access to Akamai’s mitigation service, but due to the size of the attack Akamai had to sever ties. They predicted that protection of this one site would have cost millions of dollars and disrupted protection of their other clients. Diagnosis of the DDoS shows that a lot of the attack traffic came from compromised IoT (Internet of Things) devices. It was also the second largest DDoS that Akamai had ever dealt with.

Google has stepped in with a new program called Google Shield. Its purpose is to prevent free speech from being silenced by malicious attackers. Google Shield protects news sites. As this case proved, it is cost-prohibitive to protect a small site from attacks, so Google is trying to provide backup. Protection at a high level can cost $150,000 to $200,000 a year, even if it is just a blog. The author fears state-sponsored actors also using this kind of DDoS power on individuals.

Computer Scientists Close In On Perfect, Hack-Proof Code

October 1, 2016 by Mauchel Barthelemy 2 Comments

Are mathematical formulas the best answer to date against hacking? This is what Wired’s Kevin Hartnett explains in “Computer Scientists Close In On Perfect, Hack-Proof Code,” an article he posted on Huffington Post. Several computer scientists are experimenting with a coding method that would make it “impossible” to hack. It’s a relief to learn that a great deal of effort is being put into making hack-proof code a reality. Perhaps this is possible, but I’m almost certain attackers will eventually figure out a way to break into the system.

Tests are now being conducted using a helicopter code-named “Little Bird.” Kevin reports that a team of hackers could have taken over the helicopter almost as easily as they could break into a home Wi-Fi network. However, engineers from the Defense Advanced Research Projects Agency had implemented a new kind of security software that couldn’t be commandeered. The writer goes further to add that key parts of Little Bird’s computer system were unhackable with “existing technology, its code as trustworthy as a mathematical proof.” I’m looking forward to seeing whether this coding method will emerge as unhackable as intended.


http://www.huffingtonpost.com/entry/computer-scientists-close-in-on-perfect-hack-proof_us_57e93bf1e4b05d3737be6460?section=us_technology

37-Year-Old ‘Syrian Electronic Army’ Hacker Pleads Guilty in US Court

September 30, 2016 by Scott Radaszkiewicz 2 Comments

Click for Article

Peter Romar, one of the FBI’s most wanted hackers, has been captured and has pleaded guilty to federal charges. One of the points from the article that really made me pause was what Romar did with two accomplices. In March of 2016, Romar hacked the Associated Press Twitter account and posted that the White House had been bombed and President Obama was injured. This posting caused a temporary dip in the stock market.

It’s so very scary that the hacking of a Twitter account could cause such a ripple through the financial system. Scarier yet is the fact that, like lambs, we take as truth what the news media reports, and whatever else we read online. A dip in the stock market, just off the posting that the White House was bombed. Very scary to think what a coordinated attack that posted the same information on multiple sites would do! Would people then believe it? How long could the charade go on?

Knowledge is power, but it seems like social media is giving it a run for its money!

Google Chrome To Flag Non-HTTPS Logins, Credit Card Info ‘Not Secure’

September 28, 2016 by Roberto Nogueda 2 Comments

So, as of January 2017, we will be getting the look and feel of the newest Google browser, Chrome 56, which will flag as “not secure” any non-HTTPS sites that transmit credit card information and passwords.

Hypertext Transport Protocol Secured (HTTPS) is a converter for the Web’s lingua franca, hypertext transport protocol, with encryption from Transport Layer Security (TLS) or Secure Sockets Layer (SSL) to guarantee the authenticity of a website; it also protects communication between client and server and obviates man-in-the-middle attacks, says Terry Sweeney from InformationWeek’s Dark Reading magazine.

When a website is loaded over HTTP, someone else on the network can look at or modify the site before it gets to you. Currently Chrome shows HTTP connections with its neutral indicator, which Google says doesn’t reflect the real lack of security.

Net Market Share mentions that Google Chrome is the most widely used browser in the world, with nearly 54% of the combined desktop and mobile user segments as of August.

The main change for users is that, eventually, the plan is to label all HTTP pages as non-secure and change the HTTP security indicator to the red triangle that Chrome uses for broken HTTPS pages.

http://www.darkreading.com/vulnerabilities—threats/google-chrome-to-flag-non-https-logins-credit-card-info-not-secure/d/d-id/1326921?
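The rule the post describes (an HTTP page that carries a password or credit-card field gets the “Not secure” label, an HTTP page without one stays neutral) is easy to reproduce as a small page audit. The script below is an added example for this course page, not Chrome’s code or anything from the Dark Reading article. It assumes a page’s HTML and URL are available offline, recognises credit-card fields only by their standard `autocomplete` tokens (a simplification of Chrome’s autofill heuristics), and goes one step beyond Chrome 56 by also flagging an HTTPS page whose form posts a sensitive field to an `http://` action, since that submission travels in cleartext just the same. The sample pages are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# autocomplete tokens browsers use to recognise payment-card inputs
CC_AUTOCOMPLETE = {"cc-number", "cc-csc", "cc-exp", "cc-exp-month", "cc-exp-year", "cc-name"}


class SensitiveInputScanner(HTMLParser):
    """Records every password or credit-card input and the URL its form submits to."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self._form_action = None   # submit URL of the <form> currently open, if any
        self.findings = []         # list of (kind, submit_url)

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            # a relative or empty action resolves against the page URL
            self._form_action = urljoin(self.page_url, a.get("action", ""))
        elif tag == "input":
            kind = None
            if a.get("type", "").lower() == "password":
                kind = "password"
            elif a.get("autocomplete", "").lower() in CC_AUTOCOMPLETE:
                kind = "credit-card"
            if kind:
                # an input outside any <form> would submit to the page itself
                self.findings.append((kind, self._form_action or self.page_url))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form_action = None


def security_indicator(page_url, html):
    """Return (label, reasons) following the Chrome 56 rule.

    'Not secure' - page over HTTP contains a password or credit-card input
                   (extension: an HTTPS page that posts such a field to an
                   http:// action is flagged too, because the data still
                   leaves the browser in cleartext)
    'Secure'     - page over HTTPS with no cleartext submission
    'Neutral'    - page over HTTP with nothing sensitive on it
    """
    scanner = SensitiveInputScanner(page_url)
    scanner.feed(html)
    page_https = urlsplit(page_url).scheme.lower() == "https"

    reasons = []
    for kind, submit_url in scanner.findings:
        if not page_https:
            reasons.append((kind, "page loaded over HTTP"))
        elif urlsplit(submit_url).scheme.lower() != "https":
            reasons.append((kind, "form submits to " + submit_url))

    if reasons:
        return "Not secure", reasons
    return ("Secure" if page_https else "Neutral"), reasons


# Constructed pages for illustration (not real sites).
LOGIN_FORM = (
    '<form action="/login" method="post">'
    '<input name="user"><input type="password" name="pw"></form>'
)
CHECKOUT_FORM = (
    '<form action="http://pay.example/charge" method="post">'
    '<input autocomplete="cc-number" name="card"/></form>'
)
PLAIN_PAGE = "<p>Just a blog post, nothing to type in.</p>"

if __name__ == "__main__":
    for url, html in [("http://shop.example/login", LOGIN_FORM),
                      ("https://shop.example/login", LOGIN_FORM),
                      ("https://shop.example/checkout", CHECKOUT_FORM),
                      ("http://blog.example/", PLAIN_PAGE)]:
        print(url, "->", security_indicator(url, html))
```

The same login form is “Not secure” at `http://` and “Secure” at `https://`: the label is about the page’s transport, not the form’s markup, because on an HTTP page an on-path attacker can rewrite the form action before the user ever types a password.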

Rapid7 - The Attacker’s Dictionary

September 28, 2016 by Bilaal Williams 1 Comment

This paper summarizes a year’s worth of credential scanning data collected from Heisenberg (Breaking Bad fans, anyone?), Rapid7’s public-facing network of low-interaction honeypots. Instead of focusing on the passwords that end users typically pick, this data contains what opportunistic scanners are using in order to test, and likely compromise, Internet-connected point of sale (POS) systems, kiosks, and scamware-compromised desktop PCs which offer the Remote Desktop Protocol (RDP) service for remote management. Heisenberg honeypots are custom-engineered, low-interaction honeypots that are distributed geographically across several regions. There are a lot of interesting statistics in this paper, such as the frequency of scans from certain geographical areas, the most common usernames and passwords used in scans against the honeypots, and how these usernames and passwords are associated with each other in the attack. The surprising detail uncovered was just how weak the passwords were (the most common username and password combination used was username: administrator – password: x). Since these passwords were deliberately chosen by the various scanners which ran up against Heisenberg, it implies that the default and common passwords to several POS and kiosk systems are chosen out of convenience, rather than security. Sobering stuff!

Rapid 7 Attacker’s Dictionary
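The statistics the post lists (most common usernames, most common passwords, which passwords get paired with which usernames, and how weak the guesses are) come straight out of a credential-attempt log. The script below is an added example for this course page, not Rapid7’s code and not their Heisenberg data: the log lines and their `user=… pass=…` format are constructed for illustration. It also counts how many distinct source hosts tried each pair, which is what separates a wordlist entry shared by many scanners from one operator’s guess.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of RDP login attempts seen by a low-interaction honeypot
# (illustrative data only; the line format is an assumption of this example).
SAMPLE_LOG = """\
2016-03-02T10:15:41Z src=203.0.113.7 proto=rdp user=administrator pass=x
2016-03-02T10:15:42Z src=203.0.113.7 proto=rdp user=administrator pass=Zz
2016-03-02T10:15:43Z src=203.0.113.7 proto=rdp user=administrator pass=St@rt123
2016-03-02T11:02:09Z src=198.51.100.23 proto=rdp user=administrator pass=x
2016-03-02T11:02:10Z src=198.51.100.23 proto=rdp user=pos pass=pos
2016-03-02T11:02:11Z src=198.51.100.23 proto=rdp user=admin pass=admin
2016-03-03T08:44:51Z src=192.0.2.99 proto=rdp user=administrator pass=x
2016-03-03T08:44:52Z src=192.0.2.99 proto=rdp user=pos pass=pos
2016-03-03T08:44:53Z src=192.0.2.99 proto=rdp user=admin pass=P@ssw0rd
2016-03-03T08:44:54Z src=192.0.2.99 proto=rdp user=user1 pass=
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) proto=(?P<proto>\S+) user=(?P<user>\S*) pass=(?P<pw>\S*)$"
)


def parse_attempts(text):
    """One attempt per line; lines that do not match the format are skipped."""
    attempts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            attempts.append(m.groupdict())
    return attempts


def top_credentials(attempts, n=3):
    """Most common usernames, passwords and (username, password) pairs."""
    users = Counter(a["user"] for a in attempts)
    pws = Counter(a["pw"] for a in attempts)
    pairs = Counter((a["user"], a["pw"]) for a in attempts)
    return {"users": users.most_common(n),
            "passwords": pws.most_common(n),
            "pairs": pairs.most_common(n)}


def passwords_for_user(attempts):
    """For each username, the passwords scanners paired with it, most common first."""
    by_user = defaultdict(Counter)
    for a in attempts:
        by_user[a["user"]][a["pw"]] += 1
    return {u: c.most_common() for u, c in by_user.items()}


def sources_per_pair(attempts):
    """Distinct scanning hosts that tried each pair."""
    src = defaultdict(set)
    for a in attempts:
        src[(a["user"], a["pw"])].add(a["src"])
    return {pair: len(hosts) for pair, hosts in src.items()}


def is_weak(user, pw):
    """Crude weakness test: empty, shorter than 8 characters, or equal to the username."""
    return pw == "" or len(pw) < 8 or pw.lower() == user.lower()


def weak_share(attempts):
    """Fraction of attempts whose guessed password is weak by the rule above."""
    if not attempts:
        return 0.0
    return sum(1 for a in attempts if is_weak(a["user"], a["pw"])) / len(attempts)


if __name__ == "__main__":
    atts = parse_attempts(SAMPLE_LOG)
    print(top_credentials(atts))
    print(passwords_for_user(atts))
    print(sources_per_pair(atts))
    print("share of weak guesses: %.0f%%" % (100 * weak_share(atts)))
```

On the constructed sample, `administrator` / `x` is both the most frequent pair and the one tried from every source host, which is the pattern the paper reads as a default credential baked into a shared scanning wordlist rather than a one-off guess. The same functions run unchanged over a real honeypot export once the regular expression is adapted to its line format.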

Punish Companies for Cyber Security Failures, Directors Say

September 28, 2016 by Anthony Clayton Fecondo 5 Comments

This article focused on the financial repercussions for failing to meet cyber-security requirements in the EU. Currently, failing to meet legal requirements for cyber-security results in a fine of 500,000 pounds. The author cites a recent study that showed 7 out of 10 board members believed this punishment to be too lenient. However, by 2018 new data protection rules will increase penalties up to 20 million pounds.

This article illustrates the growing recognition of the importance of proper cyber security practices among executive management. The high number of directors who are calling for heftier punishments and stricter standards shows that these directors recognize the threat posed by a lack of cyber security and the immediate need for proper cyber security precautions.

Article: http://www.telegraph.co.uk/technology/2016/09/26/punish-companies-for-cyber-security-failures-directors-say/

Week 5 Presentation

September 28, 2016 by Wade Mackey Leave a Comment

intro-to-ethical-hacking-week-5

Student legally hacks airline and earns $300,000 of miles

September 27, 2016 by Jason A Lindsley 3 Comments

Link: http://www.businessinsider.com/student-legally-hacks-united-airline-earns-frequent-flyer-miles-ryan-pickren-2016-9

This is an interesting short video/article on a Georgia Tech student who has been participating in United Airlines’ bounty program and has been rewarded with $300,000 worth of miles for finding security flaws. He’s donated a third of his miles back to Georgia Tech.

It wasn’t always sunshine and rainbows for Ryan. He got into some trouble with the law when he hacked a rival school’s calendar before a big football game. He was charged, but completed a pretrial diversion program and the charges were dropped.

He began the United Airlines bounty program to earn miles to visit his girlfriend and became the most successful contributor.

I find it interesting when highly technical individuals such as Ryan are given an avenue to utilize these skills in an ethical manner (especially when they are caught doing something unethical).  For some folks, the technical part is very easy and the ethical part is challenging.  For myself, I’ve always had strong ethical principles and business acumen, but the desire to be more technical is what got me interested in the Temple ITACS program and ethical hacking.  How about the rest of you all?

“FAA Advisory Body Recommends Cybersecurity Measures”

September 26, 2016 by Mengqi He 3 Comments

Recently, the RTCA developed draft guidelines for security performance standards in the aviation industry. With the guidelines, the Federal Aviation Administration aimed to ensure that cybersecurity protections will be incorporated into routine activities and day-to-day operations, from the air to the ground, for manufacturers, carriers, maintenance facilities and airports. Cyber issues in the aviation industry were elevated to such a high priority for the first time. I think it is important that the FAA pays attention to cyber security in the aviation industry. It would be super dangerous if terrorists hacked into a flying plane or an airport control tower. From the articles I found over the past 5 weeks, I realized that cyber security is not only about confidential information for businesses or privacy for individuals; it also relates to our safety.

Article: http://www.wsj.com/articles/faa-advisory-body-recommends-cybersecurity-measures-1474587049

F.B.I. Impersonates Journalist and Media Organizations Call Foul

September 26, 2016 by Brent Easley 2 Comments

This article is about the F.B.I. impersonating a journalist in 2007 and using tracking software to locate the individual. The media organizations did not approve of the methods that were used, stating that it would taint the media’s credibility. The D.O.J. Office of the Inspector General report that was released stated that the F.B.I. did not violate any policies that were in place at the time, but as of June 2016 an agent has to get high-level approval to pose as a journalist.

http://www.nytimes.com/2016/09/17/business/media/fbi-impersonation-of-journalist-did-not-violate-undercover-policies-federal-watchdog-says.html?_r=0
