ITACS 5211: Introduction to Ethical Hacking

Wade Mackay

5,300 Wells Fargo employees fired over 2 million phony accounts

September 10, 2016 by Mauchel Barthelemy 8 Comments

As often discussed, a company’s most critical threat is none other than its own employees. An IT security threat is most likely to come from within, whether it is negligence, an honest mistake or intentional wrongdoing. All of these lead to one result: a data breach, which in turn can cause extraction of information, financial loss or system manipulation. In the case of the Wells Fargo incident that occurred this week, the financial giant had to let go 5,300 of its workforce for financial fraud orchestrated internally. According to CNN’s Matt Egan in “5,300 Wells Fargo employees fired over 2 million phony accounts,” Wells Fargo employees submitted applications for more than 565,000 credit card accounts without their customers’ knowledge or consent, from which interest charges and overdraft-protection fees followed, the author states.

Who knows for how long this scam has really been going on? Regardless of the time, I give Wells Fargo a lot of credit for uncovering something like this, as that proves at least that the organization has business/IT governance and security in place against fraud. It can be difficult and time consuming to investigate crimes of this nature. IT and business controls obviously need to be reviewed and improved, as they should be on a regular basis, but at least something already exists to help catch the bad guys. However, that does not prevent Wells Fargo’s reputation from being hurt, losing a lot of money and probably having to deal with many lawsuits in the process. A much closer monitoring system should be implemented to avoid such an unfortunate circumstance.

Article can be accessed via:

http://money.cnn.com/2016/09/08/investing/wells-fargo-created-phony-accounts-bank-fees/

Linux kernel network stack vulnerability

September 9, 2016 by 1 Comment

This article is about a vulnerability found in Linux kernel versions since 3.6 that allows hackers to perform a side-channel attack. At a high level, a side-channel attack allows someone to passively monitor a system through indirect channels, hence “side-channel.” An example of this would be watching the power draw of a system to determine its workload. In this case, an attacker is not actively watching the server but can still draw conclusions as to what it is used for. Another example would be measuring how long it takes a machine to send a response packet or to process a packet. A feature of TCP is windowing. Professor Mackey described this during our last lecture when he described TCP connections as secure in that they will confirm or deny a remote machine’s acceptance of packets. Linux kernels since 3.6 have a built-in feature that forces the machine to send “ACK” (acknowledgement) packets to a remote server it is communicating with when it thinks it is receiving bad packets. It’s basically Linux’s way of saying, “hey, these packets don’t look correct, can you confirm?” In theory, this is a good thing in that it prevents attacks such as man in the middle. What hackers have found, though, is that they can force a Linux machine to send ACK packets by sending spoofed (fake) packets once a connection has been made. The hacker will then watch the number of ACK packets sent out. If the number of ACK packets the hacker receives is less than the number of allowed ACK packets, the hacker knows there is a valid connection between the server and a client somewhere. The math for the next part is rather complex, but it is possible to determine the 32-bit TCP sequence numbers for that specific connection and inject malicious packets into the valid connection. (This video describes how this is done when RSA encryption methods are used: //www.youtube.com/watch?v=AZkDGaISXq8)
This article greatly illustrates how hackers use TCP/IP to gain entry to or disrupt systems.

http://www.theregister.co.uk/2016/08/10/linux_tor_users_open_corrupted_communications/

7 Cases When Victims Paid Ransom to stop cyber attacks

September 9, 2016 by Bilaal Williams 4 Comments

This is an interesting article which talks about 7 cases where compromised ransomware victims paid to regain access to their data. The victims vary from police departments to a NASCAR race team. Payment was made via bitcoin, and in one of the cases the attacks continued even after the ransom was paid. The attacks were made via DDoS attacks on an email service and via computers infected through successful phishing scams. This article stresses the importance of security awareness training for employees and of backing up data in separate locations. Payment of ransom only encourages more ransomware campaigns, so proactive solutions are imperative. The article also briefly talks about an anti-ransomware site, ‘No More Ransom’, which was created to assist Internet users by recovering their files absolutely free, to stop them from paying ransom to criminals.

https://www.hackread.com/top-7-cases-of-ransom-payments/

A $50 device and an app can easily steal your PC’s log-in

September 8, 2016 by Ioannis S. Haviaras 3 Comments

From the iOS and OS X security issues that forced Apple to push out an important update this past week, to this vulnerability in both Windows and OS X, it goes to show how hackers keep expanding their arsenal every day. In this article, a simple USB stick can be inserted into a computer (even when locked) and will mount onto the computer, obtain the password within seconds and unmount. The way it works is that when the USB stick is plugged in, it starts up a DHCP server and is recognized by the computer as an Ethernet adapter. It then monitors traffic, and since it is considered a local network, it is trusted. The authentication services are then able to put the password on the USB key, where it can later be deciphered.

Article Link:
https://www.engadget.com/2016/09/08/usb-device-pc-login-theft/

Video Link:
https://www.youtube.com/watch?v=Oplubg5q7ao

Presentation for Week 2

September 8, 2016 by Wade Mackey 1 Comment

Here is the presentation for Week 2

intro-to-ethical-hacking-week-2

Also, an email has been sent to each participant with a link to the video.

How Machine Learning is Making for Better IT Security

September 6, 2016 by Silas Adams 6 Comments

I found the article below more interesting than the others I happened to read, primarily for reasons dealing with competitive advantage and the fact that it is discussing a proactive and cheaper solution to IT security. As the number of ways an individual can attack a system increases, so should the number of ways we have to defend against those attacks. In my opinion, IT security or cyber security seems to always be reactive in nature, or “damage control,” as other articles point to a speedy reaction time as being key to mitigating a business’ loss. Imagine a world where intrusions and attacks can be predicted and avoided, as opposed to hardening a system with the hope that an attack or intrusion is unsuccessful. From an enterprise risk management perspective, having a predictive approach to IT security on top of solid detective and compensating controls could be the solution to better mitigating loss to the business. What does this mean with regards to competing in the market? It means margin; if two companies are competing directly in the e-commerce marketplace and one company has an automated machine learning approach to IT security, that means it doesn’t have the expense that comes with hiring humans, even if it is one less human. One less human means one less employee benefit package and salary, which means decreased expenses and increased margins. The long-term viability of the firm that implements a Machine Learning approach to IT security is greatly increased. Implementing cheaper, more efficient means of doing any business function almost always means more profits and better share performance.

At my firm we are working on such Machine Learning algorithms, and most of the executives say, “it won’t work…” but that is because they don’t understand the math behind the algorithms or the applications of Machine Learning. Pattern recognition and response time to the nth degree, at levels far beyond that of a human. I’ve heard and have been involved in many debates around combining Machine Learning and Cyber Security.

So I pose a question, should this type of technology be used as a decision support tool within the business or should it be used as a stand-alone IT tool with minimal human interaction?  To play devil’s advocate, on May 6, 2010 the ‘Flash Crash’ was said to have been caused by a trader spoofing the algorithm.  Could this happen in this case?

http://insidebigdata.com/2016/08/26/machine-learning-making-better-security/

The New Security Mindset: Embrace Analytics To Mitigate Risk

September 6, 2016 by Marcus A. Wilson 1 Comment

I came across this article that discusses how information security professionals should be adding a data-driven approach to complement other techniques while attempting to mitigate the risk of attacks. Traditional defense preparation such as penetration testing is great for identifying specific weaknesses and exposures, but there can be more creative and proactive ways of finding what in your network is attracting potential hackers.

The author mentions that malicious hackers may be using rapidly changing techniques and advanced tools, but they are using these tools with the same strategies and motives that have allowed them to analyze a target network and develop solutions in the past. If we can analyze our own networks in the same way that a hacker does, it can allow us to focus in on key weaknesses.

It’s also interesting that the article mentions that organizations are beginning to task additional teams, alongside penetration testing, with the role of analyzing the tactics and thinking process of the penetration testers. By reviewing this analysis and data, you can possibly uncover thinking or trends that a malicious hacker may come across but that perhaps the penetration testing missed.

http://www.darkreading.com/analytics/the-new-security-mindset-embrace-analytics-to-mitigate-risk/a/d-id/1326812?

Hacker takes down CEO wire transfer scammers

September 6, 2016 by Jason A Lindsley 2 Comments

This article is about an ethical hacker that is fighting fire with fire. Florian Lukavsky is working with police, using a technique called “whaling,” to obtain criminal identities and credentials. These criminals targeted CEOs and financial controllers at large and small corporations with requests to urgently wire funds for overdue invoices. This social engineering scam has resulted in an estimated $2.2 billion of fraud losses in 14,000 reported cases.

Florian flipped the script and began replying to the criminals with malicious PDF documents that were disguised as transaction confirmations. The malware helped to obtain Twitter handles, user names, and identity information that is being used to apprehend the criminals.

I thought this was a great example of an ethical hacker collaborating with authorities to expose these cyber criminals.

http://www.theregister.co.uk/2016/09/06/hacker_hacks_ceo_wire_transfer_scammers_sends_win_10_creds_to_cops/

To Antivirus or not to Antivirus

September 5, 2016 by Jon Whitehurst 9 Comments

During the week 1 lecture Professor Mackey made the comment, and I hope I am quoting correctly, “I do not run antivirus on any of my computers at home”. I am not a fan of antivirus or encryption software because it takes system resources away from the user experience; however, this statement caught my attention. No matter what the operating system may be, it can still catch a virus. Granted, the virus has to be tailored to the OS that the user is using, which greatly reduces the risk depending on the OS you are using, Microsoft vs. Ubuntu as an example. I have always felt that antivirus is a necessary evil for a system to exist, and it’s an insurance policy that catches a certain percentage of viruses and will stop known virus signatures. What I found interesting was that the industry standard is saying that traditional antivirus is dead; however, it still remains useful to a security approach. I would agree that, from a business and consumer of computer products perspective, having antivirus will save hours of headaches. I like Professor Mackey’s home setup, where running everything in a VM is a safer approach, so not using antivirus is a bonus, and we are starting to build this environment for this and other classes. The computer industry has been trending in that direction, where we will have dumb terminals to access the internet. Maybe I should redesign my home network?

http://krebsonsecurity.com/2014/05/antivirus-is-dead-long-live-antivirus/

http://www.networkworld.com/article/2919111/security/traditional-anti-virus-is-dead-long-live-the-new-and-improved-av.html

“Air Gapped” Computers can also be Vulnerable

September 5, 2016 by Jimmy C. Jouthe Leave a Comment

Logically removed and physically separated from unsecured public networks, “air gapping” a system is a way to ensure security on a system. The idea is that if the system is not connected to the public network, it is considered less risky and thus less vulnerable to a threat. But as technology advances, that is becoming more of a pain and more work to achieve. Researchers at the Cyber Security Research Center in Israel have found a way to transmit data from an “air-gapped” computer using software installed on a USB drive and a nearby receiver with a radio frequency (RF) antenna. The software on the USB drive (USBee, created by the CSRC) can generate controlled RF emissions from the data bus of a USB connector and send data to a nearby receiver at 80 bytes per second. This is interesting to me because they were able to use the internal resources of the computer to pretty much create a transmitter out of a simple portable storage device using code; that’s impressive! Protecting “air-gapped” systems not only requires separating them from unsecured networks but also shielding the containing room, in a location away from antennas, and quite possibly removing USB ports or creating systems with the minimum number of hidden USB ports, available only to those that need access.

http://www.darkreading.com/vulnerabilities—threats/air-gapped-systems-foiled-again-via-usb-drive-/d/d-id/1326803

http://in.bgu.ac.il/en/Pages/news/datastolen_usb.aspx
