Getting a head start. intro-to-ethical-hacking-week-3
Week 3 Presentation
Security Startup Cato Networks Raises $30M to Expand Globally
The article I read was about Cato Networks which is a startup company that emerged early on in 2016. The company provides software-based networking solutions to businesses through a cloud overlay. Essentially, Cato’s business plan revolves around providing networking solutions without requiring companies to purchase any complex hardware. Instead, Cato’s software can be downloaded and it will make the necessary changes to pre-existing networking devices (routers and switches). The company recently raised $30 million to fund global expansion.
Reading this article brought several things to mind. First, although I know the move to cloud-based technologies and the prevalence of software over hardware is a growing trend, I never thought of its application to networking. I think the success of Cato Networks shows the diversity of the application of cloud-based technologies, but it also raises a few questions. For example, what problems might arise over Cato’s software being incompatible with network devices? Additionally, what precautions does Cato have to detect these scenarios? Will different risks arise due to software and hardware incompatibilities? Cato’s implementation of the cloud is interesting and has been lucrative so far, but I’m interested to see how this company and other similar companies fare as cloud technologies continue to mature.
Article: http://www.eweek.com/security/security-startup-cato-networks-raises-30m-to-expand-globally.html
Federal Judge: Hacking Someone’s Computer Is Definitely a ‘Search’
A federal judge ruled that hacking someone’s computer, for purposes of an investigation, constitutes a Fourth Amendment search. Therefore, law enforcement and the FBI would require a warrant to hack and search an individual’s computer for purposes of an investigation.
This seemed obvious to me, but apparently it’s been debated in the court of law for years. I agree in theory that individuals should have a reasonable expectation of privacy with their IP address, but in reality, anything you do on the Internet has the potential to become public. Regardless of whether hacking someone’s computer for an investigation requires a warrant, I’m glad they caught the people referenced in this article.
http://motherboard.vice.com/read/hacking-is-a-search-according-to-federal-judge
How much of a risk is BYOD to network security?
With the growing demand for BYOD (Bring Your Own Device) as a possible cost-saving measure for many companies, IT networking and security groups have to properly plan for this new IT model. To the untrained eye this might look like a great idea to cut IT costs, but in the long run it could cost a company much more than what they saved on PC hardware. Some things to consider: 1) how to properly ensure all PCs have some form of virus protection, 2) are PCs being kept up to date with security patches and updates, 3) will BYOD be centrally managed.
Even though this is a novel idea, it’s also a hacker’s playground for mischief once the door is open for them to gain access to your network. This article gave great pointers on processes one should consider if choosing to go down this path. For instance: 1) Create a structured network segmentation strategy, 2) Limit access to systems through a single point and apply fine-grained access controls, 3) Increase authentication to corporate resources, 4) Manage your devices.
I’m currently at this same crossroad in my current position as Director of Desktop Support and Systems Administration. We are seeing the push for people to work from home and also bring those same mobile devices into work to gain access to network resources. The work from home part isn’t new. We currently use VPN tunneling and, depending on network access required, an RSA token is assigned. What is new is if we will allow BYOD on to our physical network.
Question for this week
First let me say that I have no right or wrong answer for this, just want to see each of you weigh in.
In light of the news around an Israeli company developing malware to facilitate the UAE snooping on human rights activists, how far would you be willing to go if you ran the IT Security company that created this malware?
Here’s a link to the story in case you don’t recall. http://foreignpolicy.com/2016/08/25/the-uae-spends-big-on-israeli-spyware-to-listen-in-on-a-dissident/
Finally an indicator that you’re on an unsecure site
I was looking for an article that would provide me the most secure browser in today’s market. In my research, I came across this article about warning users that you are not on a secure site and I thought I wished this was implemented a few years ago. This article caught my eye where Chrome will be notifying you that the site you are on is not secure. I ran into a situation a few years ago where I had purchased tickets on a website (small local business) and it was only using HTTP for its logon and purchasing the tickets. It was only after the purchase I had realized that the site was not secure and had become blind looking at the trusted security certificates. I called the business and it took a few people to get me to the right person and me threatening that I would report them to the Better Business Bureau if nothing was done. It took a few days but they were able to provide HTTPS and a valid certificate to the site. I only hope this idea catches on with other browsers moving forward.
http://money.cnn.com/2016/09/08/technology/google-chrome-flag-non-secure-sites/
Article: “Crimeware-as-a-Service Hack Turns Potential Hackers into Victims.”
Hacking now is so easy that hackers don’t even have to be technically sophisticated, with hacking skills and knowledge, or deal with the technical challenges of running their own crimeware. Instead, they can just buy a hacking service that will do most of the hacking work for them, enabling them to automate the hacking online and gain access to sophisticated networks easily. Obviously, the Crime-as-a-Service (CaaS) offering is contributing to the increasing volume and sophistication of cybercrime and the increasing difficulties of tracking malicious hackers. The victims are not only the targets under attack, but also those attackers, the customers of the CaaS offerings. For example, a newly discovered crimeware service is using Facebook hacking tools hosted on Google Drive. It requires users/customers to provide their Facebook login credentials before they can hack other accounts. It steals aspiring hackers’ account information and tricks them into believing that they can hack into other accounts. This crimeware service makes money by selling stolen account information in the underground market. This also puts enterprise user accounts at risk. Hackers can steal business users’ credentials and develop a botnet for stealing a company’s intellectual property, damaging software or conducting other future attacks, while it is hard to track back and find the real attackers. They can also make money by selling the credentials to the highest bidder. Therefore, to prevent this kind of attack, IT managers are advised to prevent employees from using business accounts for personal use, opening suspicious links or downloading unauthorized files, and to ensure a fast response to attacks.
This article made me think about the security of social media sites, like Facebook, Twitter and LinkedIn. As the most trusted communication channels for most people, many social media sites cannot even secure their own environment. It makes social networks a hotbed of CaaS and other cyber crime that allows hackers to manipulate users and develop botnets easily. It is weaponized, and makes hacking more effective and less trackable. To companies, social media attacks are not only about reputation damage; they also lead to big data breaches. According to research, eighth companies suffered a security breach due to social media-related cyber attacks. However, companies can hardly prevent employees from using social networks because they have become part of our lives. Instead, companies should identify their social assets, develop an effective social media security plan, educate employees, and be almost prepared for social media attacks.
Obama signs two executive orders on cybersecurity
This article is about two executive orders President Obama signed to strengthen the United States government’s defenses against cyber-attacks and to protect the personal information the government keeps about the citizens of the country. The article also includes information about how a budget was passed to upgrade the country’s technology; one example was how one Social Security department system was still using COBOL. The article also mentions that President Obama created two new entities: the Commission on Enhancing National Cybersecurity, made up of business technology, national security and law enforcement leaders, and the Federal Privacy Council, which will include chief privacy officers from 25 federal agencies. These moves will be used to help the private and public sector deal with the increasing cyber security threats that companies and government deal with every day.
http://www.usatoday.com/story/news/politics/2016/02/09/obama-signs-two-executive-orders-cybersecurity/80037452/
Data Manipulation: An Imminent Threat
Hackers that are looking to cause more chaos than financial gain are nothing new, but this article reminded me how scary it can be.
The article describes a potential scenario where a hacker gains access to a bank’s internal network using traditional methods such as a stolen password, malware infection, etc. This is followed by getting privileged access into the customer database where detailed account balances and personal information are held. Over a three month period the hacker begins to alter and manipulate the data that is linked to customer transactions. Once the banks and customers realize what has happened it could take months for the data to be manually recalculated to the correct amounts. During this time customers are wondering if they’ll have the correct and accurate balances, when, if ever, they’ll be able to make a withdrawal, and if there is a safe place to place their money besides their mattress.
This reminds me of the story line in season 1 of Mr. Robot…
It’s easy to think that the financial sector has the best network and database security but I’m sure there are vulnerabilities. The large corporations may be better protected but some of the smaller financial companies may not have the same security luxuries to prevent an attack like this. The article points out a research survey of 200 organizations (average work force of 22k) and 47% acknowledged that no individual or functional group is responsible for monitoring databases for unauthorized activity. This is alarming considering how much critical financial data is kept in these databases.
http://www.darkreading.com/attacks-breaches/data-manipulation-an-imminent-threat-/a/d-id/1326864?
2 Israeli teens have been arrested for allegedly running a huge hacking tool
A pair of 18-year-old Israeli teens were arrested for operating a hacking tool that created a DDoS (Distributed Denial of Service) attack, and would flood sites with so much malicious internet traffic that they would crash. The teens were accused of running vDOS, a “booter” service which allows people to pay to use it to attack other websites and services. The two were exploited when their own server was hacked, leaking their information. The pair refused to attack any Israeli-based sites. These “booters” allow people without any technical skills to engage in DDoS attacks. This is fairly interesting, because now, if you have a grudge, you can pay to have someone cyber-attacked. These DDoS attacks were generally for ransom, and publications state roughly $600,000 was earned by its operators.