Week 14: Review of all topics

burp-suit-exercise burp-suite-exercise

Quest Diagnostics, a company based in Madison, New Jersey that provides laboratory services came out on November 26, 2016 and said that a breach leaked patient information for 30,000 clients.  They stated none of the information was credit cards or social security numbers.

 

Source: Article

Security experts have warned that patient data is at risk after it was revealed that 90% of NHS Trusts in England are still running the unsupported Windows XP operating system. A Freedom of Information Act request from Citrix also found that just over half are not sure when they’ll upgrade to a newer system, while 14% think they’ll do so by the end of the year and 29% said the migration would happen some time in 2017. Unless these systems are being protected by virtual patching, they’ll be far more exposed to the threat of attack as Microsoft stopped issuing security updates for government PCs in April 2015. Many healthcare organizations have single purpose devices that don’t require network connection for their main purpose.

Windows XP operating system is a legacy system in my mind, support for Windows XP was ended on April 8, 2014. According to Microsoft, there will be no more security updates or technical support for the Windows XP operating system after this date. So Windows XP is very easy to be hacked today. But a lot of healthcare organizations didn’t update the systems yet. All the patients’ information remain risky before they update their operating system.

http://www.infosecurity-magazine.com/news/nine-in-ten-nhs-trusts-still-on/

Researchers from the UK’s Newcastle University have developed a so-called Distributed Guess Attack that essentially circumvents all security features for protecting online payments to steal card number, CVV and expiration date of any Visa card. The attack takes advantage of the manner that different online merchants request different types of information for processing a credit or debt card payment, even though most of them at a minimum require the card number or and expiry date. In addition, there is no mechanism currently in place to detect multiple invalid payment request made on the same card yet from different online merchant sites. Therefore, it is possible that a hacker to make unlimited times of guess on a card’s CVV or expiration date by spreading the guesses across multiple sites. Based on these two manners, an attacker can obtain full card details by automatically generating and verifying different combinations, and the process can be done through 1,060 and 60,000 attempts and takes only six seconds. The guessing attack worked only on Visa’s network. MasterCard’s network would quickly detect the guessing attack.

I was surprised that Visa would have such a great vulnerability in its credit and debt card payment process. As one of the world largest financial service corporation, Visa processed 100 billion transactions with a total volume of US $6.8 trillion. Over 1.5 billion credit cards are Visa cards. With such a large number of users and transaction volume, this vulnerability is an great challenge to Visa that it has to figure out an appropriate solution to improve this security issue and protect its customer information.

 

Link: http://www.darkreading.com/vulnerabilities—threats/frighteningly-easy-hack-guesses-full-credit-card-details-in-6-seconds/d/d-id/1327632

Powerpoint: burp-suite-presentation-Fecondo

Write-up: burp-suite-report-fecondo