-
Andrew Szajlai commented on the post, Week 3 Update, on the site 6 years, 9 months ago
Good Morning,
I have seen a few of you have sent me video files for your first assignment. Don’t forget to send in your outline of the steps as well. If you have any questions please let me know via e-mail.
-
Andrew Szajlai commented on the post, Week 1 In The News, on the site 6 years, 9 months ago
All, please send me an e-mail if you cannot download. I’ll send it to the person that can fix it for those that are still having issues downloading any of the software.
For the version of Windows, please use Windows 8 or 10. If you would like everything to work as is for the videos, PowerShell etc., the Windows 8.1 version works as all the videos…
-
Andrew Szajlai commented on the post, Week 1 In The News, on the site 6 years, 9 months ago
Here are the two links on the Week 1 Update:
To download Windows: Temple Download site
VMware: Temple Download Site for VMware
It is towards the bottom of the page.
-
Andrew Szajlai commented on the post, Week 1 Update, on the site 6 years, 9 months ago
We are going to use Windows 10. I have not had luck finding a Windows 7 version. We can use the current videos for Windows 7 and will work to fill in the gaps as needed.
-
Andrew Szajlai wrote a new post on the site MIS 5170-18 Topic: Operating Systems Security 6 years, 9 months ago
Good afternoon,
Here are the slides for today’s class: Operating-Systems-Week2
If everything is up and running here are the couple of topics of “In the News” from slide 8:
IntelChronicle: A Meteor Aimed […]
-
Hi Andrew,
Week 2 slides link opens week 1 slides.
-
Hi Professor,
It seems like you have uploaded week 1 slides instead of week 2.
-
Sorry, I clicked on the wrong file when I built the link. I fixed the link; it should be working now.
-
…follow-up to the initial story:
Pentagon reviews policy after fitness app reveals military locations
https://finance.yahoo.com/news/pentagon-reviews-policy-fitness-app-225200741.html
“US Defense Secretary Jim Mattis has ordered a review of the [fitness tracking smart phone] situation”,
‘In a statement, the Pentagon said, “We take matters like these very seriously and are reviewing the situation to determine if any additional training or guidance is required, and if any additional policy must be developed to ensure the continued safety of DOD personnel at home and abroad.” ‘
-
This is very, very dangerous. If any enemy plotters were to get ahold of this info and be able to put two and two together, it would essentially be like handing over the blueprints to our military installations and safe-houses, and if you look deeper, you might even be able to track the movement of ships and/or submarines to get a layout. For highly classified installations, it would be a good idea not only to turn off location tracking, but to have workers at these locations turn over their devices while on the premises.
-
This reminds me of GPS, which was invented by the government in the 1970’s. When it started to become available for commercial use, there were security concerns. They didn’t want someone putting a GPS locator in a location and then being able to direct a missile directly to it! So, in its early form, GPS had Selective Availability built into it. In essence, the GPS signal had a built-in variance of about 50 meters horizontally and 100 meters vertically. As demand and use grew, this was phased out. In 2000, Selective Availability was removed from the GPS signal. There is still a chance of error, but most of that is due to other conditions, not forced. But the pessimist in me still thinks that somehow the government is controlling some of this. You would think they have to!
-
Vince,
This is an interesting issue and it outlines the dangers of cyber warfare. The publicized data literally painted US bases in active deployment areas and made them vulnerable to mortar attacks etc. You are right in saying that the problem stems from a lack of security awareness. I think that ultimately US soldiers on active deployment should not be using personal computers at all. However, that is probably not enforceable as it would drastically cut morale. Now cyber warfare has become a situation that needs to be trained for, or the rules for individuals need to be changed.
-
Hacked Cameras, DVRs Powered Massive Internet Outage
https://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-massive-internet-outage/
In October of 2016, a massive attack on the internet infrastructure company Dyn caused massive outages throughout the country. The source code of a malware strain called Mirai had previously been released by the hacker that created it. Following that, it was used by cyber criminals to form a botnet out of hacked IoT devices, mostly DVRs and IP cameras manufactured by XiongMai Technologies. This was cause for a deeper examination of the major vulnerabilities permeating the fast-expanding realm of IoT. Many of the devices come with pre-loaded default passwords and firmware settings, which are not easily changeable by average users. Overall, the evolving landscape of IoT has meant fast-paced development and deployment, which has left little time or consideration for security to be built in. As the prevalence of IoT devices expands and threats continue to grow, the industry will have to adapt and devote more resources to properly securing these products and infrastructure.
-
Hi Matt,
That’s definitely an interesting article to read. One thing that I have noticed is that the pace of new technological development is far larger relative to the consideration given to building foolproof security within it. IoT companies and security agencies are already finding it a lot harder to prevent malware within these devices. As you pointed out, the industry will actually have to outpace the technological development before new consumers are roped in to use these machines.
-
I have gotten a couple of questions about the posts; I’m sorry if that caused some confusion. I have posted the items from the slides the night before class for the following week’s class. I’ll talk about that in this week’s class. Please use the Update page as the place to post. I have seen a number of you have already started.
Please keep up the great work with VMware and helping me learn about the different versions of hypervisors. I’ll have to try Hyper-V on my Surface Pro, as a few others have already done. Remember, it is not about the specific hypervisor, more about the learning. Specifically for this week.
-
I have just finished editing and uploaded an updated video of installing Windows 10 in Fusion 10. I’m sorry that they changed the interface, and I had to do a bit of homework and video editing to get an updated video for the class. Please let me know if there are any questions. It was placed into the same location as where the other videos have been placed, in the OWLBox account I sent everyone links to.
-
I honestly had no idea about VirusTotal until I read this article. It seems like it is an extremely useful product for all of the security community and beyond. I’m actually going to try using it to see how it works over the next few days. To your point about the startups which seem to provide services to those wishing to do harm, I completely agree that it’s a really slimy thing to do. I’m not surprised though. With the level of greed and shadiness of some people these days, people will do anything for a buck.
-
The scenario you listed is a real risk, like you said, with today’s trigger-happy world. News pundits, politicians, and conspiracy theorists with power could really bring the world to its knees if any mischaracterization of a specific attack occurs. I’m particularly worried about the consequences if something like this were to happen to the US and it was blamed on the DPRK, or vice versa. Things could get very ugly very quickly.
-
Nice summary Vince. The article was very interesting and I especially liked the commentary on how detrimental it was to the criminals that they released their source code.
I thought it was odd that Allison Nixon said “when you can ID them and attach behavior to the perpetrator, you realize there’s only a dozen people I need to care about and the world suddenly becomes a lot smaller.” I find that hard to believe. I think that was the case years ago with folks like Kevin Mitnick and Gary McKinnon, but nowadays we have nation states training individuals to use very sophisticated open-source tools to conduct attacks, and attribution can become much harder. Think about it: these fools released their code in the wild and it still took over a year to build a case against them and arrest them. And since the code for many of these attacks is released in the wild, it opens the door for many copy-cat attacks that make attribution even more challenging.
-
Jason,
You have mentioned a very important point. I don’t think we should be underestimating these perpetrators to be a small group. These days there are even school students involved in such activities. Even the men involved in the Mirai botnet were 20 and 21 years of age. So, when Nixon mentions, “These are incredibly deep skills developed over years,” it alarms me how young these guys must have started off! Yes, and you have mentioned that these days we have even nation state adversaries training individuals to carry out such attacks. I believe that various terrorist groups also do the same. With the advent of artificial intelligence and the process of virtualization that we are currently undergoing, and from what we have been seeing starting from Melissa to WannaCry, we don’t know what havoc these groups may bring upon us. So, it would be a big mistake if we were to consider them to be a small group.
-
Thanks Scott, this was super helpful because I came across the same error and I was struggling with the solution. I like how you articulated the change in Windows 10 and why we now had to use a different approach to generate a static text file to view the logs. I really appreciate the video demonstration.
-
Nice post Jason,
After I had read your post, I visited the website of VirusTotal. And I really agree with you, it seems like a useful and user-friendly tool to analyze a URL, IP address, domain or file hash. I’ve also tested some URLs and saw that VirusTotal inspects items with over 70 antivirus scanners and URL/domain blacklisting services.
-
By the way, I’ve also checked the Mirai scanner that you mentioned under my post last week. I liked this scanner also. I am waiting for your new recommendations. Thanks Jason.
-
Glad to hear Mustafa! How did the scan go for you? I have not had a chance to restart all devices and re-run the scan. Does anyone else have any suggestions on scanning your network for devices that are subject to Mirai?
-
I am a fan of Nessus and OpenVAS. Nessus is free and available for Windows. You can download it on a local host and scan your home / small office network. Nessus / Tenable offers several plug-ins for different types of scans. You could also do the basic scan, which we did in Ethical Hacking, but this won’t discover the Mirai vulnerability. You will have to use the Advanced Scan and select the proper plug-in. Here is a link to Tenable.
-
Another online scanner you may want to check out is Censys.io. It uses ZMap and ZGrab to identify specific information about a network. It is glitchy sometimes and you have to play around with how you search for multiple IP addresses or even a range, but it is a good and quick recon tool to identify how you may want to handle the pentest.
-
Hi Fred,
Very interesting take on choosing IoT wisely. I have a Ring doorbell that we bought because solicitors are constantly coming to the door and I was concerned about family safety. I can’t choose to “unplug” this device, so I’ve accepted the risk that I have an IoT device that is always on. I do periodically check the firmware of my device to make sure it is up to date, and I’ve even run a network scan of my IoT devices using Nessus.
While I know that this does not eliminate the risk, I still choose to accept it because I do feel that the safety and convenience to my family outweighs the risk of an IoT bot attack. I also have many other layers of security on my network that would help prevent an attack.
-
Nice post Satwika,
I’ve looked at the IoT Cybersecurity Improvement Act of 2017. This legislation includes contractor responsibilities with respect to internet-connected device cybersecurity. The legislation requires vendor commitments: that their IoT devices are patchable, don’t contain known vulnerabilities, rely on standard protocols and don’t contain hard-coded passwords.
-
You are right Mustafa. Although this Act is applicable only to the devices procured by government agencies, maybe in the long run manufacturers will adopt the same set of standards for average customers as well.
-
Wow. This is a concern. I wonder if Strava shares this information publicly by default or if the users turned on location sharing. I could see this as a very difficult problem to solve. I imagine it would be very difficult for the military to track and monitor all potential mobile apps that track and share location data. Some possible solutions:
– Require government issued mobile devices at these facilities that control what apps are used by military personnel (preventative)
– Monitor the web for location sharing associated with cleared facilities (detective)
– Increase training and awareness to military personnel and enforce greater consequences for non-compliance (preventative)
It will be interesting to see the follow-up articles and stories related to this. Obviously Strava is not the only app that is sharing location data.
-
https://krebsonsecurity.com/2018/01/expert-iot-botnets-the-work-of-a-vast-minority/
After reading this article, I think there will always be these issues. With limited resources, there is no way for government agencies to keep up with enforcing against new cybersecurity threats. Requirements or policies and procedures from these agencies often come after threats or vulnerabilities have already been exploited. On the other hand, new devices and technologies are being rolled out en masse without security being a priority. In my opinion, hackers will always have the upper hand since there will always be a gap between new tech and security.
-
Hi Dun,
I do agree with you, but technology not only creates newer threats, it also enables services to counter the same threats. Though on one hand resources might be limited, there are always cost-effective solutions like the one imposed on manufacturers to implement security before shipping. These measures might not be that effective, but they can definitely curb threats from travelling to users’ systems.
-
Mustafa-
Nice summary. One million file submissions a day for VirusTotal. Seems kind of low to be honest. Is the idea to get everyone using some sort of open standard for virus comparison to keep them from spreading? If so I can get on board with that; it would need to be able to scrub any sensitive data, however, or have a trusted authority to do this.
-
I thought this was a pretty good article too. I always love new products and services that companies like Google and Apple come out with. They take ideas others had and formalize them into a worthy product (most of the time). I can’t wait to see when Chronicle is out and how it’s going to use VirusTotal and AI to give us an enhanced security tool that the industry can use. – Sev Shirozian
-
As security professionals who are in the industry or going to join the industry, we should always keep this in mind and drive vendors and product owners to stop hard-coding passwords into their products. For example, I used to work for Comcast in my previous life and we would work with vendors for some of the hardware we would use in our customers’ locations or even in our data centers, and we would also push the vendor to update their firmware or code to stop including credentials in their product. If we all do this we can help drive the products our companies use or work with to stop this terrible practice. – Sev Shirozian
-
Just an FYI
I use a Windows machine and, post installation of Windows 10 using VMware Workstation, when I tried to power on the virtual machine I got an error prompt saying “This host supports Intel VT-x, but Intel VT-x is disabled”. However, once I enabled the VT settings in the BIOS, the virtual machine worked perfectly fine.
I am just curious to know if any of you encountered this situation on a Mac machine.
-
Wow, so Google wants to start offering services (Chronicle) to increase cybersecurity intrusions ten fold. I wonder if this service is born of their own necessity, much like AWS began for Amazon, and Amazon is now the majority leader in cloud services. This is really interesting news, but so much of it seems to be based on Alphabet’s best hopes and dreams or just speculation. Like the author and the rest of his references, I would like to know more…
Google is a juggernaut. With their capital and data hoard, failure is barely a possibility. There are high hopes this will spawn a revolution in the industry, from one journalist referenced:
“Imagine if other companies spin out their tools…Netflix, Amazon, Facebook etc. That could be a fundamentally reshaped industry.”
Hell yes! I know I would like to see what Amazon’s version of Chronicle is. Something is keeping their cloud safe.
-
Brock,
I would also like to see these scanners, but playing the other side of the coin…
The users of these scanners are creating the database for them. Example: As a pentester, I use Chronicle to search for vulnerabilities of a specific IP address. It then scans the IP address for vulnerabilities. It does or doesn’t identify vulnerabilities and reports back to the user… as well as to an internal database that neatly organizes the data for future reference.
We are Google’s recon pentesters… Thoughts?
-
Are there any “Horror” movies about IoT devices killing people? Hummm….
-
A large portion of these devices have no possible fix in sight. Scary, but our months and years to come will transition into timeframes of equipment upgrades, failures and passing technology.
-
I would have to agree with you regarding the class action lawsuit. I would imagine it would be international law. That sounds like a nightmare of dead ends.
I think with the scope of the average consumer, the responsibility of protection will fall on the manufacturer. Poor development or foresight is at fault here. There are IoT devices out there without these weaknesses.
Hopefully responsible consumers in the future will buy the right product, which should place strain on the businesses that have poor practices.
-
Wow, imagine the size of the botnet if printers became the zombies of a DDoS attack. It is a long list of manufacturers out there and a lot of printers:
Canon, Fujitsu, HP, Konica Minolta, Lexmark, Xerox, Sharp, Kyocera Mita, Kodak, Brother, Samsung, Toshiba…
-
I agree with your statement, Richard, that the increase in scrutiny and imposing of fines will definitely reduce attacks or, to say the least, give more wings to cyber security specialists to implement counter measures. The case of Mirai is definitely going to be one of the larger cases where criminals were caught, and this would serve as a lesson for other attackers as well.
-
https://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-massive-internet-outage/
Hacked Cameras, DVRs Powered Today’s Massive Internet Outage
The article talks about how hacked cameras and DVRs caused an internet outage on a large number of websites. The attacks happened because of hacked IoT devices that hindered internet use for many users and caused problems for users trying to access websites such as Twitter, Amazon, Tumblr, Reddit, Spotify and Netflix. Investigations around the incident reveal that Mirai was the cause of the attack. This occurred largely because of the spreading of the source code of Mirai, enabling others to create their own version of the Mirai virus. The way Mirai works is that it first targets the weak IoT devices protected only by the factory username and password and then attacks with junk traffic until a point when these devices can no longer accept more legitimate visitors. As mentioned by Zach Wikholm in the article, the issue with these particular devices is that a user cannot feasibly change this password, and worse is the fact that the web interface cannot even recognize that the credentials exist. The need of the hour, as mentioned, is to have an “Industry security association, with published standards that all members adhere to and are audited against periodically”.
-
https://krebsonsecurity.com/2018/01/expert-iot-botnets-the-work-of-a-vast-minority/
IoT Botnets the Work of a ‘Vast Minority’
This article is basically a conversation between Brian Krebs and Allison Nixon, director of security research at Flashpoint. Allison shares her perspective on the IoT landscape and talks about the case of the Mirai attack. Concerns over the rapid growth of IoT and the enormous amount of data generated as a result of interactions among several devices are a matter of concern.
The case under discussion is basically about the Mirai virus, which is a virus that attacks the less protected IoT devices to create a botnet so that cyberattacks can be carried out. The 3 men who conducted the attacks pleaded guilty to their act and to causing potential damage to over 600,000 devices. Allison provides some really interesting examples and suggestions to strengthen security around IoT so that attacks like the one of Mirai do not happen again in the future. One possible suggestion given by Allison is to have proper regulations and well-defined sentencing around such cases. Though the case was witnessed in Alaska, Allison believes that in the future prosecution of such cases will become more defined and smooth. Allison also believes that with incidents like these, manufacturers of IoT devices will need to take appropriate measures to implement security aspects within these devices. Much of the mishaps around IoT, at least at such a nascent stage of development, have been seen around user problems and misuse. No matter how many recommendations are offered to turn off devices when not in use, users ultimately resort to their previous methods. Attacks of the nature of Mirai happened because of weak protection of the IoT devices that were connected. The best solution, I feel, is to choose the devices carefully and use them in just the way one would protect sensitive information, and not pass critical data across devices without double-checking.
-
Satwika,
The concept of IoT is still evolving and in fact I don’t see a lot of legislation that requires these devices to have a standard protocol. The only thing that makes sense from the perspective of the government is to standardize security to the latest security standards used in the industry. Moreover, there need to be regulations to monitor the interactions between devices. At this stage, there must hardly be any companies around who could determine an IoT security breach with 95% confidence.
-
Hi Vince,
I have to agree with your point that the nature and variety of data for building up such systems is going to be huge. Moreover, integrating security practices into existing problems can only be productive when a business completely understands ML and its intricacies. At the current stage, even AI has security flaws, and speed alone cannot determine the effectiveness of eliminating malware or even predicting with 100% accuracy.
-
Andrew Szajlai commented on the post, Week 1 Update, on the site 6 years, 9 months ago
https://computerservices.temple.edu/educational-discounts-computer-equipment-and-software
Scroll down to “Microsoft’s Imagine Subscription Program”. You will need to get an account from the site; they have moved the link from last year. Let me know how that works for you.
-
Andrew Szajlai wrote a new post on the site MIS 5170-18 Topic: Operating Systems Security 7 years, 7 months ago
Here are the slides for tonight: Week_10
The In the News section from tonight’s slides is below.
In The News:
Survey: Americans Spent $1.4B on Credit Freeze Fees in Wake of Equifax Breach
Almost 20 […]
-
I attended a Risk Quantification Symposium last week and learned some fascinating things that are coming down the pipeline for enterprise risk.
One thing I found very interesting is the FICO Enterprise Security Score. http://www.fico.com/en/products/fico-enterprise-security-score
This is similar to a credit score everyone is familiar with, only it is for enterprises. The score is generated on a few factors, such as:
Threat landscape
Company Culture
Policies / Procedures
Industry
Etc.
This score can be used to gauge “risky” vendors and eventually “risky” individuals. This may revolutionize the way organizations report:
Gross Value at Risk
– Impact
——————-
Net Value at Risk
It is heavily focused on economic models, running Monte Carlo simulations to determine probabilities. There are several variables included in the function, but this is the basics.
Check it out. This may be the standard, just like our credit score.
-
It is interesting Fred,
I think it should not be publicly available. Otherwise, attackers may also use this security scoring system.
-
Mustafa,
I understand your concern, but hackers already use credit scores to target people and businesses. Anyone can purchase someone’s credit score for a few dollars, and FTC regulations require a rating on financials, rated from AAA to Junk.
In my opinion, the cyber score should be required for all publicly traded companies who handle PII. Why? Because as a shareholder, I would want to know if the company I am invested in has poor cyber security hygiene. A breach could compromise my stock value and/or a DDoS attack could render my shares worthless. Imagine if people stopped using Facebook because of the privacy issues… Facebook shareholders would be losing money every day because of poor data management posture (Cambridge broke Facebook’s data sharing rules and Facebook never found out).
I truly understand the concerns about scores being secret, but as an investor, I want to know.
-
Cisco’s Encrypted Traffic Analytics (ETA), which monitors network packet metadata to detect malicious traffic even if it’s encrypted, is now generally available.
I saw a demo of this technology a couple of months ago; it really is pretty cool.
In addition to ETA, there were a couple of interesting things about this article to me. First, I thought the estimate that 55% of traffic on the web today is encrypted seemed somewhat high; I would have thought it to be much lower. Second, what I thought was *really* interesting was the fact that 41% of hackers are using encryption today. Third, Gartner’s estimate that 80% of web traffic will be encrypted by next year (again, assuming it’s accurate) is an amazing growth rate.
-
This is pretty interesting, Vince, to see Cisco getting way ahead in detecting fraudulent encrypted packets. However, I agree with you that the percentage stated might be too high for today. It is important to ask what percentage of that 55% is applicable across industries of all kinds and at what quality level of data. Does the encryption apply to huge loads of corporate data? Is it applicable today to financial services, where critical data movement is a big task?
-
An interesting read that I found talked about how Memcached servers can be quickly hijacked and compromised to launch large DDoS attacks. Utilizing IP spoofing and a poorly implemented UDP service puts the servers at risk, because attackers will send a packet to the server, which will in turn greatly increase the size and forward the attack to the intended target. The fix only involved disabling the UDP port, but the question is, how many servers are out there with this setting unknowingly enabled, standing exposed to a huge vulnerability?
-
Interesting – sounds like another Mirai attack on the horizon.
How many servers are out there with this setting unknowingly? That’s a good question. I also wonder how many servers are out there that know this vulnerability exists and “do not have the time or resources to fix it.” See my post of Atlanta ransomware below…
-
The city of Atlanta’s network has been disrupted for six days from a ransomware attack, and time is running out to pay the six-bitcoin ransom payment by end of day today.
The attack was conducted by SamSam, who have collected nearly $850,000 in ransom since December 2017.
I found it interesting (but not surprising) that an audit of Atlanta’s IT department found a “significant level of preventable risk” and identified a number of long-standing issues that employees “didn’t have the time or resources to fix.”
Services impacted include municipal court systems, online bill pay, and police reporting/booking tools.
Governments and municipalities need to start taking this seriously and implement stronger controls to prevent these attacks. Otherwise, the number of attacks will increase and become more complex and sophisticated.
-
Sounds like they need some IT Security Governance. Not getting into politics, but it’s no secret that our government is not exactly a well-oiled and efficient machine. It’s one of the slowest acting and one of the last to come up to speed with new technologies and trends (unless you’re the military). These municipalities, such as Atlanta in this case, don’t seem to have the funding, guidance, or expertise to be able to handle the cybersecurity needs of today. It’s unfortunate that so many resources need to be poured into this type of thing instead of into public use projects.
-
Nice analogy Fred! At least I know the logging and monitoring in North Philly is working because I get Temple text alerts every time there is an incident!
To me it is a no-brainer to provide free credit freezes to citizens. We trusted credit bureaus with our data, they make a ton of money off of it, and this breach shows the impact when there is a breakdown in security. The least these credit bureaus can do is provide us with a seamless and FREE capability to freeze our credit when we are not planning to run inquiries against it.
-
I agree Jason,
While we must always be mindful of keeping an eye on our financial well-being and reporting, when we are in a situation where we don’t control whether an entity has our data or not, such as a person not being in control of whether a specific credit reporting agency has their PII, it’s inherently up to these companies to protect the data and, if compromised, to remediate and make amends for the users affected.
The credit freezes should be free for users to better protect their PII.
-
Jason,
I believe the standard should be changed to “Freeze” for everyone immediately. You must “manually” change it to “Un-Frozen” by visiting a website or when you apply for your next loan. You may also Freeze and Un-Freeze your account at any time for no charge. This cost will be passed on to the banks, who will pass it on to the people borrowing money. The one-time borrowers / credit card users will barely feel the markup in cost. The burden will fall on those who take out several loans and have lines of credit.
-
-
UK telecommunications company TalkTalk has come under fire for a long-existing vulnerability in their websites. An anonymous hacker contacted news agencies about an easily exploitable function in many of their sites allowing a potential attacker to gain access to users’ information through simple cross-site scripting. By combining this vulnerability with basic social engineering techniques such as phishing, almost anyone could have compromised untold numbers of users. Although the issue has since been fixed this last week, it has been revealed that they were first alerted to the flaw in 2016 but made no effort to address it. This apparently follows a pattern of poor security management by the company, which already suffered a major breach in 2015 resulting in a hefty fine. This is yet another example of why robust security measures and management are essential for any organization today.
-
Thanks for this, I’m going to have to check it out. I’ve personally only ever had my credit card information stolen once, however my friend seems to have it happen every few months or so. It would be interesting to find out what is out there on the dark web.
It would be wise for any financial services company, such as banks and credit reporting agencies, to have such offerings for their customers, especially as attacks seem to be becoming more and more common. If nothing else, it would help with consumer confidence in the business offering it.
-
I think this issue calls for a serious debate on the future of social media channels that collect user information. There is absolutely no transparency on why this data is used and where else it is sold. With the recent Facebook breach, it is evident how data was misused. Post-facto analysis of the issue does solve the data collection that was previously done. I believe all users have the right to share their personal information or not, and this has to happen with an opt-out system in place.
-
Who Is Afraid of More Spams and Scams?
https://krebsonsecurity.com/2018/03/who-is-afraid-of-more-spams-and-scams/
The new European privacy laws have posed a big challenge for security researchers who rely on data included in Web site domain name records to prevent attacks by scammers. Access to the data will, however, be lost for at least 6 months starting May 2018. Some of the experts believe that this will cause more spam and scams in users’ inboxes. The General Data Protection Regulation (GDPR) takes effect on the 25th of May, under which companies are required to get affirmative consent for any personal information they collect on people within the European Union. Companies that violate the rules will have to pay a penalty of 4% of their global revenues.
-
Fred,
I agree with your points, Fred, and this is to a large extent an issue that Equifax should have dealt with much earlier. The information of all customers is out in the open, and any breach here could significantly impact the financials of these customers. The question that will always remain is: do customers always keep paying even for the mistakes of a company’s false security infrastructure?
-
-
Andrew Szajlai wrote a new post on the site MIS 5170-18 Topic: Operating Systems Security 7 years, 7 months ago
Good Morning,
We will use week 07 for posts this week. Please use what we had before the break as a page to post items you have found.
Here are tonights slides minus the “In the News”: Week 09
-
That sounds as if Microsoft has not done enough on many frontline products. First it was the Messenger issue, then the Windows Meltdown patch issue, and now Windows Remote Assistance. I wonder if organizations are even protected in the case when the patch has not been released and they are informed beforehand. This is a strict case of information leak from my point of view. I believe more than 30% of Fortune 500 companies use Remote Assistance, and it would be great to see in the future how Microsoft treats this as a case of lapse and releases patches much earlier.
-
That’s a pretty interesting solution to the problem of email threats, Fraser. This would actually make the process of digital forensics much easier, as they will be able to track the IP and organization from where the emails came. However, I am still sceptical whether the solution can read the content of the links in the email to see if they have any suspicious external links. In the last 3 years, if you look, cyber criminals have started to play around with content that forces users to click on it. It would be interesting to see how this unleashes.
-
Matt,
Check this out…
http://www.fico.com/en/products/fico-enterprise-security-score
I wonder what these agencies’ “security score” is. Bad credit… LOL
The score is based on a few factors, but security posture and culture weigh on the number.
-
Good article Matt. Personnel are always the weakest link in any security plan. You could invest resources into securing your infrastructure the best that you possibly can, but there is no way to force an employee to follow what you have implemented. Just one employee who, either intentionally or unintentionally, does not follow protocols, and you’re done for.
-
This article really reinforces the need for more cyber awareness in both public and private sectors. I attended a round table this week that was focused on improving Cyber Awareness for financial institutions. There were a lot of creative ideas discussed and some programs were really impressive. We recently kicked off a Cyber Awareness Committee at my organization that is focused on promoting cyber awareness using engaging and innovative ideas. The best idea I’ve heard so far is a conference with keynote speakers from vendors and industry leaders that was extended to all employees. That’s a large investment of time and effort, but it could be really impactful.
-
This looks like Android systems are more vulnerable to malware and other attacks. Android should consider making a pre-installation security check part of the OS; this will help detect any malware or unwanted software before it becomes part of the operating system. Also, comparative studies with other OSes like macOS will help them understand why Androids are more vulnerable to insecure software.
Because of the way Google Play works, Android has a “bad app” problem. Google lets any developer upload an app to the Play Store, regardless of if it works, how it looks, or whether or not it can harm users. Malware scanning happens primarily after apps are uploaded, and though Google has recently taken steps to safeguard users with its Play Protect program, you don’t have to depend on them.
Below are a few tips to prevent malware attacks on Android systems:
Tip 1: Don’t Depend on Google Play Protect
“Google Bouncer” will help identify malware in the apps within the Play Store.
Tip 2: Review App Permissions
By minimizing app access, protect yourself from hackers obtaining an unnecessary amount of information about you. This practice also protects you from malicious agents (such as hackers) who might compromise the app to attack your device.
Tip 3: Switch Off Unknown Sources
Disabling “Unknown sources” won’t deactivate third-party apps. Instead, it will prevent unauthorized installation of non-Play Store apps by outside threats scheming to attack your device.
-
That’s really cool Vince. Nice work summarizing these technical details in simple terminology.
-
-
Andrew Szajlai wrote a new post on the site MIS 5170-18 Topic: Operating Systems Security 7 years, 8 months ago
Good Evening,
Wanted to take a couple minutes to talk about the main topics from this weeks class. Firewalls – a way to protect what and who (in terms of computers) can connect to our operating systems. […]
-
Interesting Zirui. The Slingshot article that I posted also uses its own memory resident virtual file system – although it doesn’t attack or use Windows based operating systems (so it doesn’t exploit WMI or PowerShell tools described in your article as a means of attack).
I guess that one implication here may be that pure signature-based software protection won’t be enough to truly protect a machine – it will need to be a combination of both behavior-based and signature-based security strategies for the entire system (again, just my opinion here).
If that’s the case then it’s going to substantially increase computing costs and hardware performance requirements, which in turn ultimately accelerates the need for the continuation of Moore’s law.
Just thinking out loud here, but one potential way around that scenario (again, in my opinion) might be for hardware manufacturers to start including ‘security co-processors’ in their architectures going forward – or – to start moving the security function down into GPU hardware. That’s a strategy that would let the consumer decide which systems needed that level of added security.
-
-
As per Professor’s suggestion, I am sharing a video on taking snapshots using vmrun, a utility tool to control virtual machines. You may access the video using the below link.
https://drive.google.com/file/d/1KmT9SUnYsF9-ugt_sMAhsqMcrnyE-M12/view?usp=sharing
Please let me know in case you have trouble playing the video.
-
Satwika-
Thanks for putting this up however I am not able to open it – some WRF file format that isn’t recognized.
What do you use to open these?
-
I just tried with Webex player and didn’t have any luck with that either.
-
Oh… Sorry about that. Let me try converting it into an mp4 and then I shall upload it back.
-
-
-
There was some version conflict with my WebEx recorder and that is why the previous video had some issue. Anyways, I have uploaded a new mp4 video. Please find the link below.
https://drive.google.com/open?id=1MVCg2-OvrQQGzuOl8HW5Zccwb-xKrDNz
Hope this one won’t have any issues.
-
-
Malware attack on 400k PCs caused by backdoored BitTorrent app
This article is about a supply chain attack on a BitTorrent product called Mediaget. The malware used a backdoor in the software to install malware that was intended to mine cryptocurrency. It infected 400,000 machines in 12 hours; however, the campaign was not successful.
Supply chain attacks are when an actor infects widely used hardware or software by using software backdoors. Recent examples include an attack on CCleaner and M.E. Doc (NotPetya).
The feasibility of these techniques has now extended from Nation State actors to common criminals, and it reinforces the need to only install software from trusted sources and not to give local admin access to users in your organization!
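One concrete form of “only install software from trusted sources” is to check every downloaded installer against the digests the publisher pins in a SHA256SUMS-style manifest before it is allowed to run. The block below is an added illustration for this thread, not code from the article or from any vendor named in it; the manifest text, file contents, file names and function names are all constructed for the example.

```python
"""Verify downloaded installers against a publisher's pinned SHA-256 digests
before installing them.

Added illustration for this thread; the manifest, file bytes and names are
constructed and the function names are this example's own.
"""
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_sums(text: str) -> dict:
    """Parse a SHA256SUMS-style manifest: one '<hex>  <filename>' per line.

    Blank lines and '#' comments are skipped; a leading '*' on the filename
    (GNU binary-mode marker) is dropped. Malformed or conflicting lines raise,
    because a manifest we cannot parse is not one we should trust.
    """
    pinned = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if (len(parts) != 2 or len(parts[0]) != 64
                or any(c not in "0123456789abcdef" for c in parts[0].lower())):
            raise ValueError(f"manifest line {lineno} is not '<sha256> <file>'")
        digest, name = parts[0].lower(), parts[1].lstrip("*")
        if name in pinned and pinned[name] != digest:
            raise ValueError(f"manifest pins {name} twice with different digests")
        pinned[name] = digest
    return pinned


def verify(name: str, data: bytes, pinned: dict) -> str:
    """'ok' if data matches its pinned digest, 'unpinned' if the manifest is
    silent about the file, 'mismatch' if the file was altered or replaced."""
    expected = pinned.get(name)
    if expected is None:
        return "unpinned"
    # Constant-time compare: cheap hygiene for any digest comparison.
    return "ok" if hmac.compare_digest(sha256_hex(data), expected) else "mismatch"


def verify_batch(files: dict, pinned: dict) -> dict:
    """files maps filename -> bytes; pinned files we never received are 'missing'."""
    report = {name: verify(name, data, pinned) for name, data in files.items()}
    for name in pinned:
        report.setdefault(name, "missing")
    return report


# Constructed inputs: what the publisher shipped, and what a mirror handed us.
GOOD_INSTALLER = b"MZ\x90\x00 genuine installer bytes (constructed)"
TAMPERED_INSTALLER = GOOD_INSTALLER + b" ;extra stage appended (constructed)"
GOOD_PLUGIN = b"plugin payload (constructed)"

PUBLISHER_SUMS = f"""# release 1.2.3 (constructed manifest)
{sha256_hex(GOOD_INSTALLER)}  installer.exe
{sha256_hex(GOOD_PLUGIN)}  *plugin.dll
"""

DOWNLOADED = {
    "installer.exe": TAMPERED_INSTALLER,  # the mirror served a modified build
    "plugin.dll": GOOD_PLUGIN,
    "readme.txt": b"not covered by the manifest",
}

if __name__ == "__main__":
    pins = parse_sums(PUBLISHER_SUMS)
    for fname, status in sorted(verify_batch(DOWNLOADED, pins).items()):
        print(f"{fname:14} {status}")
```

The check is only as strong as the channel the manifest came from: if the digests are fetched from the same mirror as the installer, whoever swapped the binary can swap the sums too, so take the manifest from the publisher’s own site or a signed release note, and treat “unpinned” as a failure rather than a pass in an automated deployment pipeline.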
-
A common trend with all of these attacks which seem to be surfacing is that they are due to malware being downloaded unknowingly via email phishing or by inappropriately downloading from non-company sites. The connection here is that employee training not to go to these types of sites and on what to look for in emails is key.
This article explains how easily it can affect hundreds of thousands of users.
-
-
Wow, definitely seems like Nation State espionage due to the sophistication of the attack and the limited targets. According to the Ars Technica article – https://arstechnica.com/information-technology/2018/03/potent-malware-that-hid-for-six-years-spread-through-routers/ – it hid in routers for six years and infected about 100 machines.
-
Intel has finally redesigned its processor architecture by using partitioning. The partitioning will create an extra barrier between applications and user privileges to prevent hackers from gaining access to sensitive data processed by the processor.
These updated processors will come out in their next-generation Xeon processors (Cascade Lake) and 8th generation Intel Core processors in the second half of the year.
– Sev Shirozian
-
I think this is great news Sev. The vulnerability broke many security boundaries in the hardware systems and gave access to systems. While Intel has focused largely on the hardware, Oracle too has released its new DB against Spectre and Meltdown attacks. It’s important to see if OEMs can be forced to patch their hardware before shipping it to customers. Moreover, the question that will still daunt the customers is the release of Xeon processors: until when would they need to use advanced security patches to defend their network systems?
-
-
https://blog.cloudflare.com/the-root-cause-of-large-ddos-ip-spoofing/
This is a nice overview of the recent large-scale DDoS attacks (GitHub) that we discussed in class. This is from Cloudflare’s perspective and gives extra insight into how the attack was launched and mitigated. Worth a read.
-
The article discusses spoofing, which occurs when the source IP address is faked to make a destination PC think the packet is coming from somewhere else, possibly a source IP which can get through a firewall if not protected for. This problem is not specific to IP addresses. There has also been a recent surge in Phone number spoofing. This is where fraudsters replicate a phone number similar to one in the target’s local region. They will usually spoof the first six digits of the phone number (including area code).
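The standard defence against the source-address spoofing described above is ingress filtering at the network edge (the BCP 38 approach): a packet is only accepted if its claimed source could legitimately have arrived on the interface it came in on. The block below is an added example for this thread, not code from the Cloudflare post or the comment; the interface-to-prefix map, the martian list and the sample packets are constructed for illustration.

```python
"""BCP 38-style ingress filtering: reject packets whose source address could not
legitimately have arrived on the interface they came in on.

Added illustration for this thread; topology, address ranges and sample
packets are constructed, not taken from the article.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed topology: which source prefixes are expected on each internal
# interface of a border router. "wan0" is the upstream (Internet-facing) link.
INTERNAL_PREFIXES = {
    "lan0": [ipaddress.ip_network("192.168.10.0/24")],
    "dmz0": [ipaddress.ip_network("203.0.113.0/24")],
}

# Sources that must never appear on the upstream link: private, loopback,
# link-local and unspecified space ("martians").
MARTIANS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
)]


@dataclass(frozen=True)
class Packet:
    ingress: str  # interface the packet arrived on
    src: str      # claimed source address
    dst: str      # destination address


def _in_any(addr, networks):
    return any(addr in net for net in networks)


def classify(pkt: Packet) -> str:
    """Return 'accept' or a short drop reason for one packet."""
    src = ipaddress.ip_address(pkt.src)
    if pkt.ingress == "wan0":
        # A packet arriving from the Internet that claims one of *our* addresses
        # is spoofed: it could only have originated inside.
        if any(_in_any(src, nets) for nets in INTERNAL_PREFIXES.values()):
            return "drop-spoofed-internal"
        if _in_any(src, MARTIANS):
            return "drop-martian"
        return "accept"
    allowed = INTERNAL_PREFIXES.get(pkt.ingress)
    if allowed is None:
        return "drop-unknown-ingress"
    # Egress side of BCP 38: a host on lan0 may only send from lan0's prefix, so
    # a LAN machine forging an outside address is stopped at the first hop and
    # cannot take part in a reflection attack against someone else.
    if not _in_any(src, allowed):
        return "drop-wrong-ingress"
    return "accept"


def filter_packets(packets):
    """Apply classify() to every packet and return (packet, verdict) pairs."""
    return [(p, classify(p)) for p in packets]


def summarize(packets) -> dict:
    """Count verdicts; a quick sanity check when tuning the prefix map."""
    return dict(Counter(v for _, v in filter_packets(packets)))


# Constructed traffic sample.
SAMPLE = [
    Packet("lan0", "192.168.10.5", "198.51.100.7"),  # normal outbound
    Packet("lan0", "198.51.100.9", "198.51.100.7"),  # LAN host forging an external source
    Packet("wan0", "198.51.100.7", "203.0.113.10"),  # normal inbound
    Packet("wan0", "192.168.10.5", "203.0.113.10"),  # Internet packet claiming our LAN address
    Packet("wan0", "10.1.2.3", "203.0.113.10"),      # private source on the upstream link
    Packet("eth9", "203.0.113.4", "203.0.113.10"),   # interface with no policy at all
]

if __name__ == "__main__":
    for pkt, verdict in filter_packets(SAMPLE):
        print(f"{pkt.ingress:5} {pkt.src:>15} -> {pkt.dst:<15} {verdict}")
    print(summarize(SAMPLE))
```

The filter does nothing for the victim of a reflection attack unless the networks hosting the spoofing machines deploy it, which is exactly the deployment problem the Cloudflare post is about; what it does give any single operator is certainty that their own address space is not used as a forged source by hosts behind them.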
-
-
This seems to be referring to script-based malware which is becoming more and more popular these days. As it mentions in the article, a lot of these can be communicated through phishing emails. A combination of continuing employee training, firewall rules, and baselining can all be used to lower the risk of an attack as well as the severity of an attack.
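The reply on the Slingshot thread argues that signature-based protection alone is not enough and that behaviour-based detection has to sit beside it, and the comment above points at script-based malware arriving by phishing and at baselining as a control. The block below is an added example serving both points, not code from either commenter or from any product: it runs a known-bad-hash check and a handful of behaviour rules over constructed process-creation events. The hash list, event records and thresholds are constructed; the `-enc` and `-w hidden` switches are PowerShell’s own and are matched here only so that unusual launches stand out against a baseline.

```python
"""Layered detection over process-creation events: a signature check (known-bad
file hashes) plus behaviour rules for script-host abuse that a hash list cannot see.

Added illustration for this thread. Events, hashes and thresholds are constructed
for the example; they are not indicators from the articles discussed.
"""
import re
from dataclasses import dataclass

# Constructed "known bad" list standing in for a signature database.
# The value is a placeholder, not the hash of any real sample.
KNOWN_BAD_SHA256 = {
    "0000000000000000000000000000000000000000000000000000000000000bad",
}

SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
DOCUMENT_APPS = {"winword.exe", "excel.exe", "outlook.exe", "acrord32.exe"}
WMI_HOST = "wmiprvse.exe"

# Command-line shapes that a baseline of normal administration rarely contains.
ENCODED_FLAG = re.compile(r"(?i)(^|\s)-(e|en|enc|encodedcommand)(\s|$)")
HIDDEN_FLAG = re.compile(r"(?i)(^|\s)-w(indowstyle)?\s+hidden(\s|$)")


@dataclass(frozen=True)
class ProcessEvent:
    image: str    # process name, lower-case
    parent: str   # parent process name, lower-case
    cmdline: str
    sha256: str


def signature_findings(ev):
    """Cheap and precise, but only catches what is already known."""
    return ["signature:known-bad-hash"] if ev.sha256 in KNOWN_BAD_SHA256 else []


def behaviour_findings(ev):
    """Catches fileless or freshly rebuilt tooling by how it is launched."""
    hits = []
    if ev.image in SCRIPT_HOSTS:
        if ev.parent in DOCUMENT_APPS:
            hits.append("behaviour:script-host-from-document-app")  # phishing lure opened
        if ev.parent == WMI_HOST:
            hits.append("behaviour:script-host-from-wmi")           # WMI-driven execution
        if ENCODED_FLAG.search(ev.cmdline):
            hits.append("behaviour:encoded-command")
        if HIDDEN_FLAG.search(ev.cmdline):
            hits.append("behaviour:hidden-window")
    return hits


def assess(ev):
    """Combine both layers; anything with a finding deserves an analyst's look."""
    findings = signature_findings(ev) + behaviour_findings(ev)
    if any(f.startswith("signature:") for f in findings):
        severity = "high"
    elif len(findings) >= 2:
        severity = "high"    # several independent odd behaviours on one launch
    elif findings:
        severity = "medium"
    else:
        severity = "none"
    return severity, findings


def triage(events):
    """Return only the events that raised something, most severe first."""
    order = {"high": 0, "medium": 1}
    flagged = [(ev, *assess(ev)) for ev in events]
    flagged = [t for t in flagged if t[1] != "none"]
    return sorted(flagged, key=lambda t: order[t[1]])


# Constructed sample telemetry; the last event is the baseline case that must
# stay quiet (a scheduled script run by a logged-in user).
SAMPLE_EVENTS = [
    ProcessEvent("chrome.exe", "explorer.exe", "chrome.exe", "aa" * 32),
    ProcessEvent("svchost.exe", "services.exe", "svchost.exe -k netsvcs", "bb" * 32),
    ProcessEvent("powershell.exe", "winword.exe",
                 "powershell.exe -nop -w hidden -enc <base64-placeholder>", "cc" * 32),
    ProcessEvent("powershell.exe", "wmiprvse.exe",
                 "powershell.exe -c <placeholder>", "cc" * 32),
    ProcessEvent("notepad.exe", "explorer.exe", "notepad.exe",
                 "0000000000000000000000000000000000000000000000000000000000000bad"),
    ProcessEvent("powershell.exe", "explorer.exe",
                 "powershell.exe -File backup.ps1", "cc" * 32),
]

if __name__ == "__main__":
    for ev, severity, findings in triage(SAMPLE_EVENTS):
        print(f"{severity:6} {ev.parent} -> {ev.image}: {', '.join(findings)}")
```

The two layers fail differently: the hash check misses anything recompiled or never written to disk, while the behaviour rules will fire on legitimate automation unless they are tuned against what the environment normally does, which is where the baselining the comment mentions pays off.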
-
It’s really fascinating/scary that these things can get so advanced to the point where they start camouflaging themselves whenever forensics are run on the infected PC, as the article states. We need to continue developing and advancing our detection methodologies and applications to be able to keep up with these new types of malware. Unfortunately for us, we will always be playing catch-up.
-
Breaking the Ledger Security Model by Saleem Rashid | Mar 20, 2018
https://saleemrashid.com/2018/03/20/breaking-ledger-security-model/
Saleem was able to break the Ledger Hardware Wallet by using a supply chain attack to modify the recovery seed. The recovery seed can be used to change or just extract the PIN. If the Ledger is used after the attack, any funds can be stolen when plugged into a compromised device. However this would require the attacker to physically access the Ledger, or to sufficiently compromise the target’s computer, twice.
I found it interesting that Saleem chose to publish this vulnerability instead of cashing in on the security bounty.
He says that he did so “… mainly because Eric Larchevêque, Ledger’s CEO, made some comments on Reddit which were fraught with technical inaccuracy. As a result of this I became concerned that this vulnerability would not be properly explained to customers.”
-
This is truly alarming to me as AMD captures almost 20% to 30% market share in the processor industry. Intel has been quite fast in picking up the new threats and releasing the patches before any serious business lapse occurs. If hijackers are able to gain access to Windows Credential Guard, TPMs, and virtualization, it would technically bring the entire network to a standstill and cause a breakdown. In fact, any nodes hacked in VMs could potentially lead to loss of critical data too. It is important for AMD to release the patches as soon as possible.
-
-
Andrew Szajlai wrote a new post on the site MIS 5170-18 Topic: Operating Systems Security 7 years, 8 months ago
Good morning,
I just wanted to continue with the way we have been running the class. Post the slide before class; try the night before, but missed that goal this week. I really liked what I read on the c […]
-
February Updates from Adobe, Microsoft
Microsoft delayed the release of its monthly update, citing issues in the patches. While readers have inquired about the delay when Adobe has released patches for Flash Player, it is still not known why the patches have been delayed when there is a zero-day vulnerability in Windows going around. The company says that it will release it next month as part of the regular update. As per the statement issued by the CERT Coordination Center at Carnegie Mellon University, an ‘unpatched bug in a core file-sharing component of Windows (SMB) could let attackers crash Windows 8.1 and Windows 10 systems, as well as server equivalents of those platforms’.
CERT has already issued a warning that the exploit code for the bug is already available on the internet, and this could cause serious consequences if not dealt with at the right time.
-
No new security updates for Windows 7 users without up-to-date antivirus
Microsoft recently announced that the latest security updates would only be for those who are running the latest security software, causing a shock to many of its existing customers. Microsoft rolled out the new patches for the Spectre and Meltdown vulnerabilities in Windows 7 and 8.1. However, the patches would only be for those customers who are running compatible security software. For those customers who were not using the right security software, the antivirus programs installed on their computers caused the systems to crash.
As a workaround to this problem, Microsoft suspended the security updates and asked the antivirus vendors to insert a registry key that would mark the antivirus as compatible with the new set of security updates.
-
-
Andrew Szajlai wrote a new post on the site MIS 5170-18 Topic: Operating Systems Security 7 years, 8 months ago
Good Evening,
Week 5 slides can be found here: Week 05
CIS Windows 10: Windows_10
CIS Windows Server: Windows 2012
In the News:
Microsoft Patch Tuesday, February 2018 Edition
Microsoft […]
-
Joseph,
I agree with you that the network system was poorly handled. What is even more surprising is that Newtek played unethically here by informing the customers about a domain changing activity when the actual problem was something else. The smartest way would have been to inform the customers right away so that they could have taken the necessary precaution and informed others too. I think risk response strategies are very important in any organization and the staff should be trained to know how to respond to external threats, without causing panic.
-
Patrick,
You should try the Nessus Home scanner; it is free and includes a scanner for all applications installed on a machine. You can take a look at the list and see which ones you want and uninstall the ones you want.
Then, most applications have an auto-update, as well as an ask-me-first update option. Just select the ask-me option. Microsoft also allows you to manage updates with the group policy manager, but the best way is to run a machine application audit tool. I believe OpenVAS has a plug-in as well, but I haven’t used that one, only Nessus. You can check your entire home network to see if someone installed something that may be “hidden”.
Another issue with updating applications automatically deals with Availability. Sure, updates will help protect Confidentiality and Integrity, but let’s not forget about the “A” in the CIA Triad. When an application is set to update automatically, let’s say that a patch will be pushed down to all systems but is not compatible with Windows 7. Now, all Windows 7 users will have issues with the application that worked just fine before the update, or the update may possibly crash the application, making it useless. I really don’t like auto-updates for this main reason, but do it on most because of the other two reasons, the C & I parts.
-
I agree with you Duy. Companies fear the outcome of releasing information that they were hacked. I think, unfortunately, that the government is going to have to step in and create laws around when/what/how a company informs clients of a data breach.
I work in K-12 education. There are laws in place already that I have to follow if we know that student data is breached. I think this is something you’re going to see becoming a topic as this becomes more and more prevalent.
-
Hi Satwika,
Great points. I do agree with your point that the company failed to take appropriate steps in resolving the issue. There is however no point in beating around the bush after the attacks happened. On the other hand, the company should be quite grateful to the hijacker for at least giving them an indication of the imminent threat. Organizations should have proper plans in place, especially for security communication to their customers.
-
It’s really one of those “damned if you do, damned if you don’t” situations for businesses today. On one hand, if you have a minor security breach and are transparent about it, it’s quite possible that the media will pick it up and over-hype it and that will cause reputational harm that you were hacked, even if you fixed it and were transparent about it. On the other hand, if you have a minor breach and you aren’t transparent about it, you might be in the clear if no one finds out about it, HOWEVER, if people do find out about it, you will have an even larger reputational harm on your hands because you will have not only suffered a breach, but also tried to cover it up and hide it from the public eye. If you have a large breach, and still try to cover it up, then you’re just being stupid and negligent with your company in my opinion.
-
Here is the link to the SANS portion: https://isc.sans.edu/forums/diary/February+2018+Microsoft+and+Adobe+Patch+Tuesday/23341/
I too like how they list the updates out. It’s quite concerning that these are such serious security flaws/bugs which are getting patched. It’s really making me rethink whether I want auto-update on for my applications or not. On one hand, the applications could auto-download security patches; on the other hand, they could be downloading new versions of my apps which may include bigger security holes than the current versions.
-
It’s really frustrating when this kind of thing happens as a customer perspective. I know if I was a client of Newtek’s, I would expect transparency for things like this breach. Even if they didn’t know what was going on or how to fix it, I would appreciate an email or message stating that there is an incident and that they are looking into it. Transparency and good communication is extremely underrated by many companies and often can make or break them when things get tough.
From a business perspective, I would always advise companies to disclose accurate and complete information to their stakeholders without giving away proprietary information. That being said, you need to ensure you are transparent enough that you retain your customers’ trust and confidence.
-
Hey all,
I was also a bit disturbed, but honestly not shocked at all. As Jason mentioned, if I were to make a guess, Newtek didn’t include this type of breach or have a breach policy in their Incident Response Plan, which is what makes me “disturbed”, because how can you not include an intruder taking over one, two, three, or more of your systems? Anyway…
If they did have this type of situation in their IR plan, they didn’t conduct the proper training (tabletop exercises) to outline the proper steps if something like this were to happen.
Here is my take:
They were notified of a vulnerability. They had their technical team look at the vulnerability and decided to review possible options over a few days. They also notified their legal counsel about the vulnerability and how they were going to contain / respond to the issue. The legal team may or may not know what to do, so the legal team starts to gather information about responding to a “whitehat hacker’s” information and reviews different cases with similar situations. This can take days to complete.
All in the meantime, this guy who thinks he is a hero by finding a vulnerability feels belittled because he doesn’t believe the legal team is acting quickly enough in responding to his message, and possibly messages over an entire 5 days. Really?
He may also believe he is entitled to a “bounty” of some sort, which is known in the technology community as finding a security flaw and being rewarded for your efforts. He is probably checking his emails every few minutes to see if he gets the “You Da Man” email, but nothing.
He thinks on:
Day 1: They are busy
Day 2: Guess they are fixing it
Day 3: Must be fixing it, let me check… Nope. That’s odd?
Day 4: Probably can’t figure it out. Why won’t they just get back to me????
Day 5: Still not fixed and this is taking way too long. They aren’t getting back to me so they must not care.
He gets even more frustrated with the lack of communication and takes matters into his own hands.
Now, I am speculating this, but my point is that it wasn’t a breach until he took matters into his own hands. It was a vulnerability that could’ve been exploited, but it wasn’t. This guy should’ve never done this and maybe practiced a little patience.
With that said, I do believe Newtek should probably include this type of breach policy, including “how to handle a white-hat hacker’s tip”.
-
I found out that a Cloud hosted Domain Controller is not possible unless a VPN is used.
-
Guys,
I totally agree! It is outrageous what these companies get away with. To Jason’s (rhetorical) question “When will companies learn that the most important response to a security incident is transparency and strong communication to stakeholders?” That’ll happen on the day that it becomes too hard, too expensive or too embarrassing not to learn that lesson. It’s infuriating that there is such a low level of accountability! But unfortunately, I think it’ll be a cold day in H*ll before that happens.
Take the Equifax breach for example – you’d think that potentially ruining the lives of 145 MILLION Americans would cost the company everything. But actually the OPPOSITE is true – Equifax stands to make *millions* off of their own negligence!
According to:
http://time.com/money/4969163/equifax-hearing-elizabeth-warren-richard-smith/
It’s estimated that Equifax stands to make an additional $200 MILLION in credit monitoring revenue as a result of the breach. Do the math – 7.5 million people signed up for the free monitoring after the breach. But that service is only free for a year. At $17 per month, it’s estimated that if even 1 million of those people keep the service after the free period ends then Equifax stands to make $204 * 1,000,000 = $204 Million in additional revenue. They will make almost ONE BILLION DOLLARS if half of those people stay with the service.
Equifax is also profiting from this disaster in another way as well. It turns out that LifeLock, a company that is Equifax’s COMPETITOR, actually buys credit monitoring services from Equifax! So Equifax gets paid at least TWICE for monitoring a potential problem that was caused by their own incompetence!
What’s really, REALLY sickening is the unbelievable hubris of the company. Richard Smith, former CEO of Equifax, made the following statement:
“Fraud is a huge opportunity for us—it’s a massive, growing business for us,”
He made this statement last August – AFTER the breach!
-
Yes, companies often forget that communication is the most important factor in risk management. Proactive communication from Newtek’s end would have at least allowed their stakeholders to adopt protective measures and reduce the impact on their business operations. Perhaps maintaining their image was more important than containing the risk that was posed. They could have maintained an emergency kit (with contact details of POCs) for their stakeholders that could be used during such IT outages.
-
I agree that machine learning technology is critical in identifying malicious activity on a network and stopping malware. This is a very saturated market right now and all security products are pushing to incorporate machine learning algorithms into their solutions.
It’s key to remember, however, that human action is still typically required to respond to an incident. While some of these technologies can prevent malicious traffic from entering the network and/or spreading, many machine learning technologies detect these incidents and provide an alert for someone to action. It’s critical that a company has processes in place to respond to and action these alerts.
-
The article also mentions that updates were released for individuals running Adobe Reader or Acrobat that address at least 39 vulnerabilities. Typically these products are installed on workstations, but quite frequently in my career I’ve seen these products installed on servers and showing up on vulnerability scans. This is usually because a developer installed it for some troubleshooting and then never removed the product and it doesn’t get updated with each release. The easiest fix is to uninstall it entirely.
The article and a few of the comments recommend using Sumatra PDF as a good, lightweight alternative to Reader/Acrobat. I’ll have to check that out. For many of my builds, I just use a web browser for reading PDFs, but Sumatra sounds like a good alternative.
-
This article was disturbing to me as well Satwika. The article explained that the company eventually sent e-mails to the customers, but this was not an adequate response because many customers lost e-mail access based on the attack.
I also found it disturbing that Newtek also performs many other outsourced functions beyond domain hosting. They also are responsible for critical business functions such as HR and Payroll. If I used this company for any of these services, I would be very concerned that they are not applying strong security practices to protect my employee and customer data.
When will companies learn that the most important response to a security incident is transparency and strong communication to stakeholders? After the Equifax disaster and other major breaches, you would think that companies would start applying better practices for breach notification.
-
-
Andrew Szajlai wrote a new post on the site MIS 5170-18 Topic: Operating Systems Security 7 years, 8 months ago
Good Evening,
Week 5 slides can be found here: Week 05
CIS Windows 10: Windows_10
CIS Windows Server: Windows 2012
In the News:
Microsoft Patch Tuesday, February 2018 Edition
Microsoft […]
-
Here is a link that may help everyone on assignment 2 and 3. You will be able to see more information on the left side if you follow the tree. Also, you can search previous versions of windows group policy information for a step-by-step guide. The one I like is for Windows 2000. Keep in mind, the Windows 2000 guide is like version 1 of the series. The below link builds on the ideas outlined in version 1. If you get confused reading the information in the link below, you may want to skim through the Windows 2000 guide to group policy for a better explanation.
-
It’s really frustrating when this kind of thing happens, from a customer’s perspective. I know if I was a client of Newtek’s, I would expect transparency for things like this breach. Even if they didn’t know what was going on or how to fix it, I would appreciate an email or message stating that there is an incident and that they are looking into it. Transparency and good communication are extremely underrated by many companies and often can make or break them when things get tough.
From a business perspective, I would always advise companies to disclose accurate and complete information to their stakeholders without giving away proprietary information. That being said, you need to ensure you are transparent enough that you retain your customers’ trust and confidence.
-
-
-
Last week we talked about some top applications that should be avoided if possible on your system due to the high volume of vulnerabilities with them. Here’s the post from Adobe announcing that Adobe Flash will be end-of-life by 2020.
-
I decided to try to host a Domain Controller in the cloud, using a public domain, so that the team can work on it anytime. This is a bad idea for many reasons, but I did not want to implement a VPN/routing service because that would have complicated things. Instead I looked at restricting all incoming connections using the built-in firewall. PowerShell has a very powerful firewall configuration commandlet called advfirewall, found as a netsh submenu.
I used: netsh advfirewall firewall set rule name=all dir=in new remoteip="xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx"
This updates all firewall rules to only accept connections from the remote IPs specified. I used Temple’s main-campus IP range so that we can connect to it from school. The netsh advfirewall commandlet has a lot more fidelity than the firewall GUI, I definitely recommend checking it out.
-
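The same restriction done with the NetSecurity cmdlets, as an added example that is not code from the comment above. It scopes every enabled inbound allow rule to an allow-list, which is what the netsh one-liner aims for, and then verifies that no inbound rule still accepts connections from "Any" remote address. The address ranges are constructed placeholders from RFC 5737 TEST-NET space; substitute the real ranges. Run it from an elevated PowerShell on the host.

```powershell
# Added example, not code from the original comment. Scopes every enabled inbound
# allow rule in Windows Firewall to an allow-list and verifies the result.
# The ranges below are constructed placeholders (RFC 5737 TEST-NET space).

$AllowedRemote = @('203.0.113.0/24', '198.51.100.10')
$Backup        = Join-Path $env:TEMP "firewall-before-$(Get-Date -Format 'yyyyMMdd-HHmmss').wfw"

# 0. Keep a restorable copy of the current policy ("netsh advfirewall import <file>" reverts it).
netsh advfirewall export "$Backup" | Out-Null

# 1. Default-deny inbound on every profile, so traffic that matches no allow rule is
#    dropped no matter which profile the NIC lands in after a reboot or network change.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block

# 2. Narrow the remote-address filter on enabled inbound allow rules. The "Core Networking"
#    group (DHCP-In, ICMPv6 neighbor discovery, ...) is left alone: scoping DHCP-In to campus
#    addresses would block the cloud provider's DHCP server and the VM would lose its lease.
#    Set-NetFirewallRule -RemoteAddress replaces the existing filter, so a rule that was
#    already narrower than the allow-list is widened to it; run with -WhatIf first.
$targets = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { $_.DisplayGroup -ne 'Core Networking' }
$targets | Set-NetFirewallRule -RemoteAddress $AllowedRemote

# 3. Verify: any enabled inbound allow rule (outside Core Networking) whose remote address
#    is still "Any". Installers add such rules later, so schedule this check rather than
#    running it once.
function Get-OpenInboundRule {
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        Where-Object { $_.DisplayGroup -ne 'Core Networking' } |
        Where-Object { (Get-NetFirewallAddressFilter -AssociatedNetFirewallRule $_).RemoteAddress -contains 'Any' }
}

$stillOpen = @(Get-OpenInboundRule)
if ($stillOpen.Count -gt 0) {
    $stillOpen | Select-Object DisplayName, DisplayGroup, Profile | Format-Table -AutoSize
    Write-Warning "$($stillOpen.Count) inbound rule(s) still accept any remote address"
} else {
    Write-Host "All enabled inbound allow rules are limited to: $($AllowedRemote -join ', ')"
}
```

The allow-list only limits who can reach the domain controller's listeners; Kerberos, LDAP, SMB and RPC are still exposed to every host in the permitted ranges, so this narrows the attack surface rather than removing it.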
I found out that a Cloud hosted Domain Controller is not possible unless a VPN is used.
-
-
https://krebsonsecurity.com/2018/02/domain-theft-strands-thousands-of-web-sites/
After reading this article, the way Newtek responded seems to be in line with the way other organizations did after getting hacked. Most organizations never inform customers in the event of hacking unless it’s something critical. Target and Equifax both did not clearly inform customers until the very end, fearing loss of business and reputation. The only shocking part was that the vulnerability was reported and they did nothing about it until hacked.
-
It’s really one of those “damned if you do, damned if you don’t” situations for businesses today. On one hand, if you have a minor security breach and are transparent about it, it’s quite possible that the media will pick it up and over-hype it and that will cause reputational harm that you were hacked, even if you fixed it and were transparent about it. On the other hand, if you have a minor breach and you aren’t transparent about it, you might be in the clear if no one finds out about it, HOWEVER, if people do find out about it, you will have an even larger reputational harm on your hands because you will have not only suffered a breach, but also tried to cover it up and hide it from the public eye. If you have a large breach, and still try to cover it up, then you’re just being stupid and negligent with your company in my opinion.
-
I agree with you Duy. Companies fear the outcome of releasing information that they were hacked. I think, unfortunately, that the government is going to have to step in and create laws around when/what/how a company informs clients of a data breach.
I work in K-12 education. There are laws in place already that I have to follow if we know that student data is breached. I think this is something you’re going to see becoming a topic as this becomes more and more prevalent.
-
-
A recent survey has revealed that as cyber security needs keep growing and labor supply struggles to keep up, business leaders have been turning to machine learning and AI devices to help make up the gap. With the increasing use of encryption for a large portion of web traffic, the identification and classification of malicious threats has become more and more of a challenge to security personnel in all organizations. The use of machine learning has greatly enhanced security practices in light of this trend and is assisting security professionals in allowing for legitimate “normal” traffic and filter out potentially malicious data.
-
-
Here is the link to the SANS portion: https://isc.sans.edu/forums/diary/February+2018+Microsoft+and+Adobe+Patch+Tuesday/23341/
I too like how they list the updates out. It’s quite concerning that these are such serious security flaws/bugs which are getting patched. It’s really making me rethink whether I want auto-update on for my applications or not. On one hand, the applications could auto-download security patches; on the other hand they could be downloading new versions of my apps which may include bigger security holes than the current versions.
-
Article: Domain Theft Strands Thousands of Web Sites
After I read this article I searched some related keywords on Google. I found a report which was published by the ICANN Security and Stability Advisory Committee. In general, this report describes domain hijacking. You all can find some useful information regarding the following:
– Risk and threats associated with domain hijacking
– Vulnerabilities observed from domain hijackings
– Recovery mechanism
– Security measures to protect domain names
In addition, some incidents are analyzed in this report. I hope you all have time to look at this report. At least you can download and save it to look at later.
-
DOMAIN NAME HIJACKING: INCIDENTS, THREATS, RISKS, AND REMEDIAL ACTIONS
http://archive.icann.org/en/announcements/hijacking-report-12jul05.pdf
-
Hi Satwika,
Great points. I do agree with your point that the company failed to take appropriate steps in resolving the issue. There is, however, no point in beating around the bush after the attacks happened. On the other hand, the company should be quite grateful to the hijacker for at least giving them an indication of the imminent threat. Organizations should have proper plans in place, especially for security communication to their customers.
-
Computer security firm CrowdStrike performed research and analysis of recent attacks (NotPetya, WannaCry) targeting U.S. organizations that caused millions of dollars in losses. Especially, it has been found that the U.S. administration, as a top intelligence group, is most vulnerable as it can’t keep up with network security threats.
Next-gen firewalls with capabilities of application-layer inspection, SSL inspection, identity awareness, IDS/IPS and application/URL proxy functions play an important role in protecting not only the perimeter of the organization but also internal resources, by looking deep into malicious requests and traffic originating from either internal or external networks.
-
Joseph,
I agree with you that the network system was poorly handled. What is even more surprising is that Newtek played unethically here by informing the customers about a domain changing activity when the actual problem was something else. The smartest way would have been to inform the customers right away so that they could have taken the necessary precaution and informed others too. I think risk response strategies are very important in any organization and the staff should be trained to know how to respond to external threats, without causing panic.
-
-
Andrew Szajlai wrote a new post on the site MIS 5170-18 Topic: Operating Systems Security 7 years, 8 months ago
Good Afternoon,
I have uploaded the complete set of videos to the 2nd assignment. I have also sent a link to the location for the videos on OWLBox.
This weeks class spent a lot of time reviewing what will […]
-
This technology is there and right now most banks in the US have the ability to enable chip-and-PIN transactions, but they just have to roll it out on a card member level. I remember back in 2012, I was studying abroad in Shanghai and I went to Walmart and was asked for a PIN when checking out. Fortunately I was able to just press Enter or enter 0000 to bypass the PIN functionality there, or I would have been screwed. I do agree that ApplePay or other mobile wallets would be best, however they are still not accepted everywhere. It would be most effective against a lot of fraud if they started giving that functionality at gas stations, as it seems like there’s a lot of fraud originating from gas stations.
-
It’s always a good idea to check for skimmers whenever using a card swiper. I give you props for using the credit card as opposed to a debit card as gas stations can be a prime location for this type of fraud. I can’t wait for the day where AFDs (Automated Fuel Dispensers) begin allowing mobile wallet payments as they are much more secure than any types of physical cards. Someone really close to me continues to get his card skimmed at gas stations to the point where he had to have his issuing bank add an authorization rule to his account to require his authorization for any transactions over $50.
-
Scott, a friend of mine who works in InfoSec for a hospital here in Philly was mentioning that this happened to them a month or two ago (maybe we are thinking of the same thing). He told me that they noticed one of their servers was running at a very high capacity for a prolonged period. After they researched, they found that it was being used as a bitcoin miner.
If the hackers were smarter, like you said, they should not have had it run so heavily on that server, but just like Wall Street, greed can make people try too hard to the point where it gets them in trouble.
-
As someone who works for a large credit card issuer and who helped implement this chip technology, I can tell you that if a chip reader is working properly, you should not have to pull the card out and then swipe. If you have to do this, that would be called a fallback transaction, where for some reason the communication between the card and the chip reader is malfunctioning (could be a chip issue or a reader issue). In a magstripe transaction, there are only a few select types of data which get communicated between the card, merchant, and issuer. In a chip transaction, there are many more fields/data elements communicated, including a specially generated cryptogram, a chip transaction counter, and other types of data. All this data is used to analyze the transaction to better identify potential fraud cases.
As far as the wait time, when chip was brand new it did in fact take a lot longer to read the chip data than it did for a simple swipe of a mag stripe; however, over the past several years processing speeds have improved as the technology in the readers has improved along with it.
-
I would strongly suggest using an emerging technology, mobile wallets, with either your ATM/debit cards or credit cards. The technology used with processing ApplePay, SamsungPay, AndroidPay, or other mobile wallets is far superior to even using chip cards themselves. These mobile wallets work with your bank and set up a token number to use and send between the phone, merchant, and issuer, as opposed to sending a user’s personal details, such as account number, zip code, customer name, etc.
-
I agree Duy,
Related to which party is responsible for any fraud, there was a liability shift which happened back in October of 2015. Essentially, after Oct 2015, legally, between the merchant and credit card company, whichever party has the lesser security measures will be liable for any fraud which occurred on that account. If an issuer has chip cards, but a merchant doesn’t have a chip reader or their chip reader is non-functioning, the merchant assumes liability for any fraud on that account at their terminal. If it is the other way around and the merchant has a chip reader, but the bank has not issued a chip card, then the bank assumes responsibility and the cost of any fraud on that account. See this article: https://www.creditcards.com/credit-card-news/understanding-EMV-fraud-liability-shift-1271.php
-
That’s pretty useful information Mustafa. This malware list is definitely worth noting, and most of it I have never heard of before. CoinMiner, as I see it, is pretty dangerous considering the fact that Bitcoins are the future of virtual payment systems. I came across this interesting article which pretty much says how to remove CoinMiner malware from systems. Might be useful to read. Link below:
-
I feel that this might not be of great concern, especially since Apple was no longer using iOS 9 and had moved 2 generations ahead. However, this would have been a concern for users who have been using iOS 9. I think the company did a great job in removing the code from the related website. It’s also surprising how the confidential source code for iBoot got leaked when Apple is known to have a far safer operating system when compared to other OSes.
-
Hey all,
Flash can be disabled in all popular internet browsers. Plus, you can set up Office to not allow files with Flash or any plug-in.
To stop flash in group policy:
Search Group Policy editor –> Computer Configuration –> Administrative Templates –> Windows Components –> Internet Explorer –> Security Features –> Add On Management –> Turn off Adobe Flash = Enabled.
Enable by clicking Turn off Adobe Flash –> click Edit Policy Setting –> Select Enable
No more Flash for IE on your local computer. Do this in a networked environment too. You can use PowerShell and run a script to do this quickly. We did this in Assignment 1.
-
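The scripted version of the Group Policy step above, as an added example that is not code from the comment. It writes the "Turn off Adobe Flash in Internet Explorer" setting through the local policy registry key so it can be pushed to many machines at once, and reads it back to confirm. Assumption: the policy maps to the DisableFlashInIE DWORD under the Ext policy key, which is how I read inetres.admx; confirm that against the ADMX on your domain before deploying. The hosts.txt file and the GPO name are constructed placeholders.

```powershell
# Added example, not code from the original comment. Scripts the "Turn off Adobe Flash in
# Internet Explorer" policy and verifies it. Registry mapping (DisableFlashInIE under the
# Ext policy key) is an assumption taken from inetres.admx; verify before use. Run elevated.
# A domain GPO that sets the same value takes precedence over this local setting.

function Disable-FlashInIE {
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext'
    $name = 'DisableFlashInIE'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-FlashInIEDisabled {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext'
    $v   = Get-ItemProperty -Path $key -Name 'DisableFlashInIE' -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.DisableFlashInIE -eq 1)
}

# Local machine: apply, then read back rather than trusting the write.
Disable-FlashInIE
if (Test-FlashInIEDisabled) {
    "$($env:COMPUTERNAME): Flash disabled in IE"
} else {
    Write-Warning "$($env:COMPUTERNAME): setting not applied"
}

# Fleet: the same function over PowerShell Remoting (hosts.txt is a constructed,
# one-name-per-line list). Uncomment to use.
# Invoke-Command -ComputerName (Get-Content .\hosts.txt) -ScriptBlock ${function:Disable-FlashInIE}

# Domain: put the same value in a GPO instead of touching each machine (GroupPolicy module from RSAT).
# Set-GPRegistryValue -Name 'Disable Flash in IE' -Key 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext' `
#     -ValueName 'DisableFlashInIE' -Type DWord -Value 1
```

Whichever path you use, the Test-FlashInIEDisabled read-back (or gpresult on a member machine) is the part worth keeping: it is what tells you the policy actually landed on a host and was not overridden by a later GPO.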
Very interesting article. Faraday cages have been around a long time. I read the article, twice in fact. I’m jammed up on the fact that they say in the article “Once a computer is infected”. So this is not really breaking into a computer that is protected by a Faraday Cage Air-Gap, it’s getting the data off of it.
If you do it right, how can you even get to it to get it off?
None the less, a very interesting concept and article. I’m sure, with this incentive, someone will solve the puzzle of how to get it on there.
-
I really don’t think that chip-based transactions take all that long. I would say that they seem to take the same time. Sometimes I wonder if this magnification of time measurement is due to the fact that people can’t handle “uncomfortable” silence. Have you ever had to troubleshoot a computer issue in front of an audience? Have you ever had to wait for a computer to reboot in front of an audience? You could time that reboot and know it takes only 90 seconds, but you would swear it was 6 minutes. I think a lot of the “chipped cards take longer” phenomenon comes from misperceived time due to lack of comfort in a quiet social scene and resistance to change.
My gripe with the chipped systems is that they are not all the same. Based on how you would like to process your transaction, sometimes you are required to take the card out and then swipe. Others do not; why?
-
Brock,
This is an interesting topic. Some websites use a JavaScript-based miner instead of running advertisements. I recently saw a WebAssembly miner, classified by Symantec as PUA.WASMcoinminer. Check out Remedy ticket 1198502 for that.
-
This sounds like something that would happen in Mission Impossible or in James Bond, but working in the defense industry this is definitely a real concern. Even if you’re working in a SCIF, they don’t want you to bring any technology (cell phones, laptops, pagers, etc.) to avoid issues like this. Only the approved systems that are in that room are allowed to be used. And removing data from that room has to follow a specific process, with markings, classifications and specific directions. If it’s really possible to steal data via a wireless method, it’s good that the government has these requirements for classified areas.
– Sev Shirozian
-
Thanks Bilaal. Yes, finally going to see the end of Flash in 2020. It can’t come too soon. Recently Google announced that the Chrome browser would default to HTML5 when possible, and Google has banned Flash from any of its display ads. The problem is that so much is built on Flash that it just can’t be killed off! So many websites still use and rely on Flash to run. I work at a school district. We have two very major software programs for our elementary students that are heavily Flash based. The company is working to remedy that, but their time frame is sometime in 2019! They have to rebuild their software that they spent 7 years building!
-
A client that I help support actually got hit with this CoinMiner malware last week. They had contacted me telling me things were running real slow on one of the systems. I connected in, and after a few minutes found this .exe file that was consuming 80-90% of the system resources. Some research showed that it was a bitcoin mining malware program. I removed the offending program and did some investigating. Turns out the person using the system was working on a presentation with a colleague. These guys are old school, and were sharing a USB key with the documents on it. The USB key had the trojan on it. Still trying to find ground zero, and how this got onto the USB key. Had this malware been smart, and taken up smaller amounts of resources, then this might have gone on for a long time. The CPU hog alerted someone to an issue. I thought hackers were smarter!
-
I think the biggest thing hurt here is Apple’s feelings! It’s iOS 9, and a bit old. I’m sure the code will give some insight into how Apple iOS is built and might allow hackers to hack later systems, but to me, Apple got a black eye on this. Their precious secrets are out in the open.
-
Interesting post Shi, thanks. It seems like a bit of a stretch though, don’t you think? It assumes the malware can be planted and then happily just sit there regulating/manipulating the workloads without being detected?
I guess you never know:)
Good point on wireless. I seem to recall that several of the early versions of wireless NICs had features that allowed you to ‘tune’ down Tx power and beacon transmit frequency; wonder why they got rid of those tunability features?
-
CIS benchmarks are a great way for organizations to assess and improve the security of their networks. They are particularly strong because they have been founded by a group of participating organizations and are based on defenses from actual attacks. I like how detailed and clear they are. Apart from the fact that they are public and free, what most interested me was that these can be adopted by anyone, even for their personal devices. Another big advantage is that they cover a lot of standards, right from the planning phase to the audit phase. This can also help small organizations, who often spend huge amounts, especially in consulting external auditors about fundamental audit and security practices.
However, it should be understood that these benchmarks are a set of base-level or foundational practices that all organizations should incorporate into their best practices, and that the risk levels for each organization will vary based on their operations, so it is still necessary to adopt other security measures to develop a robust and safe cyber infrastructure.
-
I don’t see this as too much of a security concern for the current iOS or iBoot. As the article mentioned, it is an older version for iOS 9. It is possible they are still using portions of iBoot’s iOS 9 code, but generational change to this type of code is a swift way to mitigate vulnerabilities.
Apple’s real problem lies with their employees’ ethics. If we assume this wasn’t stolen then it had to be leaked. That can only happen from the inside. Could this be an access control issue at Apple? Or just a disgruntled employee?
-
I was wondering if we would see malware to assist in cryptocurrency mining. It’s brilliant really. I don’t have enough computers to mine, nor enough money to acquire them… well, just steal everyone else’s memory resources.
I always thought A library at a major education institution would make a good coin mining operation. Looks like I am not the only one.
Coin miner is likely being installed via the ever popular fake Flash Player update notice you get from visiting web pages. Here is an article I found with removal instructions:
https://www.pcrisk.com/removal-guides/12088-coinminer-malware
-
Scott,
You point out a great advantage for credit cards (besides the points you can earn). I feel that credit cards/ATM cards present a system that has to be secured like any other. Like you said, using a credit line for physical payments is a great way to limit risk. Separating your payment methods for physical transactions is also similar to security compartmentalization. Monitoring can be used to further limit your risk; in this case that could mean setting up email notifications for transactions over a certain amount. I think ultimately a credit card presents a system that needs to be secured; unfortunately, at least in my experience, that needs to be done by the end user, who does not always know how to.
-
yes, just a Surface Pro 4. If you have Windows10 it comes with it. I did a write up on how to turn it on and configure VMs over the last couple of weeks – *EXTREMELY* easy to do and use!!!!
Obviously, all those .iso’s and VM files suck up a lot of disk space, but then you’ve got that problem anyway for any hypervisor. I just didn’t want to have to install VirtualBox or another hypervisor when it was there anyway.
You did get me wondering now though, I wonder if the Hyper-V VM virtual disk images (the .vhdx files) have a smaller disk footprint than the same VM configured for VMW or Vbox?
I’ll check it out and let you know.
Good luck
-
Thanks for sharing Bilaal. I’ll bet this is one of the many reasons my work computer had so many updates pushed and installed over the past few weeks. I’ll need to check my personal devices to see if they are vulnerable.
Adobe Flash is like a zombie, but it looks like it will finally be sunset in 2020:
http://www.theverge.com/platform/amp/2017/7/25/16026236/adobe-flash-end-of-support-2020
This article mentions that a lot of gaming, education, and video sites will be impacted. They need to transition to HTML5 before 2020. They probably won’t though and us users will be the ones impacted. Hopefully browsers and tech companies will just block sites still using Adobe Flash.
-
If you have Windows 10 you can follow the following to install hyper-v (https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v). I added it to my Surface Pro. I’ll bring to class on Thursday.
-
Vince,
Curious, what are you running Hyper-V on? I’m using VM Workstation on Windows 2016, but I’m curious about your hardware setup. Also, do Temple students have access to a free copy of Hyper-V?
-
Great summary Frederic. I also found these benchmarks very useful and I was impressed with the level of detail and structure of these documents. I also think it’s great that they publish Cloud images for these main Cloud providers.
One of the greatest benefits of Cloud is to easily deploy hardened images. However, it’s essential that organizations formally document and maintain their baselines and monitor for configuration drift.
It’s also important to have an exception process. There will always be applications and systems that will require a deviation from baseline, so it is important that there is a formal process to document and request an exception, perform a risk assessment on the exception, gather approvals, and review the exception periodically (at least annually).
-
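A small drift check of the kind the comment above calls for, as an added example that is not from the comment or from CIS. It compares a few registry-backed settings against a documented baseline, honors an exception list that carries a ticket and a review date, and exits non-zero when anything has drifted or an exception has passed its review date. The four settings are real Windows settings covered by the CIS Windows benchmarks; the exception ticket and its expiry are constructed for illustration. Run it as an administrator.

```powershell
# Added example, not from the original comment or from CIS. Compares registry-backed
# settings against a documented baseline and reports drift, with an exception list
# that expires. Baseline entries are real Windows settings; the exception is constructed.

$Baseline = @(
    @{ Control  = 'UAC: Admin Approval Mode enabled'
       Path     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name     = 'EnableLUA'; Expected = 1 }
    @{ Control  = 'Limit blank-password local accounts to console logon'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name     = 'LimitBlankPasswordUse'; Expected = 1 }
    @{ Control  = 'SMB client: digitally sign communications (always)'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
       Name     = 'RequireSecuritySignature'; Expected = 1 }
    @{ Control  = 'SMB server: digitally sign communications (always)'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name     = 'RequireSecuritySignature'; Expected = 1 }
)

# Approved deviations, keyed by "<path>\<value name>", each with the ticket that approved
# it and a review date so the exception cannot live forever. Constructed entry.
$Exceptions = @{
    'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\RequireSecuritySignature' =
        @{ Ticket = 'EXC-0001'; Expires = [datetime]'2019-02-01' }
}

function Get-BaselineDrift {
    param([array]$Baseline, [hashtable]$Exceptions)
    foreach ($item in $Baseline) {
        $actual = (Get-ItemProperty -Path $item.Path -Name $item.Name -ErrorAction SilentlyContinue).($item.Name)
        $key    = "$($item.Path)\$($item.Name)"
        $status = if ($actual -eq $item.Expected)                   { 'OK' }
                  elseif (-not $Exceptions.ContainsKey($key))        { 'DRIFT' }
                  elseif ($Exceptions[$key].Expires -lt (Get-Date)) { 'EXCEPTION EXPIRED' }
                  else                                               { 'EXCEPTED' }
        [pscustomobject]@{
            Control  = $item.Control
            Expected = $item.Expected
            Actual   = if ($null -eq $actual) { '(not set)' } else { $actual }
            Status   = $status
            Ticket   = if ($Exceptions.ContainsKey($key)) { $Exceptions[$key].Ticket } else { '' }
        }
    }
}

$report = Get-BaselineDrift -Baseline $Baseline -Exceptions $Exceptions
$report | Format-Table -AutoSize

# Non-zero exit so a scheduled task or CI job can alert on drift or on an exception past review.
if ($report | Where-Object { $_.Status -in @('DRIFT', 'EXCEPTION EXPIRED') }) { exit 1 }
```

The exception list is deliberately part of the script's input rather than a comment in someone's head: a deviation is only "approved" while its ticket is on file and its review date is in the future, which is what turns the periodic review the comment mentions into something a scheduler can enforce.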
Hi Patrick,
This article is more alarming than the related ones. Some skimmers are installed in regular check out lines, this article reviews installation of skimmers in self-checkout lanes where security and supervision are at a minimal. Thus, making it even less challenging for thieves to install and receive the skimmer and skimmed data. I agree that some responsibility should be on the merchant to guarantee a safe transaction, but additional responsibility should be on the card companies as well. And yes, the card companies have responded with newer chip technologies making the transaction more secured. Now it’s just for the users to actually be alert and uses these new chip technology.https://krebsonsecurity.com/2016/10/self-checkout-skimmers-go-bluetooth/
-
-
-
iOS 9 Leaked
https://www.technewsworld.com/story/85126.html
A portion of the source code for Apple’s iOS 9 mobile operating system has been leaked recently on GitHub. Apple has issued a copyright violation notice since then and maintained that the leak of this code should not compromise security, especially that of their more up-to-date versions which most users already have installed. While in theory the leak of source code should not necessarily enable an attacker to get into the system, it should be noted that the leaked portion was important for the secure iBoot process. While this news doesn’t warrant immediate alarm, it is possible that it could be used to find ways to jailbreak the tight security restrictions of iOS and find undiscovered vulnerabilities within the boot loader. This is definitely something for iPhone users to keep an eye on.
-
Great summary Frederic. I also found these benchmarks very useful and I was impressed with the level of detail and structure of these documents. I also think it’s great that they publish Cloud images for these main Cloud providers.
One of the greatest benefits of Cloud is to easily deploy hardened images. However, it’s essential that organizations formally document and maintain their baselines and monitor for configuration drift.
It’s also important to have an exception process. There will always be applications and systems that will require a deviation from baseline, so it is important that there is a formal process to document and request an exception, perform a risk assessment on the exception, gather approvals, and review the exception periodically (at least annually).
-
Vince,
Curious, what are you running Hyper-V on? I’m using VM Workstation on Windows 2016, but I’m curious about your hardware setup. Also, do Temple students have access to a free copy of Hyper-V?
-
If you have Windows 10 you can follow the following to install hyper-v (https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v). I added it to my Surface Pro. I’ll bring to class on Thursday.
-
Yes, just a Surface Pro 4. If you have Windows 10 it comes with it. I did a write up on how to turn it on and configure VMs over the last couple of weeks – *EXTREMELY* easy to do and use!!!!
Obviously, all those .iso’s and VM files suck up a lot of disk space – but then you’ve got that problem anyway for any hypervisor. I just didn’t want to have to install VirtualBox or another hypervisor when it was there anyway.
You did get me wondering now though, I wonder if the Hyper-V VM virtual disk images (the .vhdx files) have a smaller disk footprint than the same VM configured for VMW or Vbox?
I’ll check it out and let you know.
Good luck
-
-
Thanks for sharing Bilaal. I’ll bet this is one of the many reasons my work computer had so many updates pushed and installed over the past few weeks. I’ll need to check my personal devices to see if they are vulnerable.
Adobe Flash is like a zombie, but it looks like it will finally be sunset in 2020:
http://www.theverge.com/platform/amp/2017/7/25/16026236/adobe-flash-end-of-support-2020
This article mentions that a lot of gaming, education, and video sites will be impacted. They need to transition to HTML5 before 2020. They probably won’t though and us users will be the ones impacted. Hopefully browsers and tech companies will just block sites still using Adobe Flash.
-
Interesting post Shi, thanks. It seems like a bit of a stretch though, don’t you think? It assumes the malware can be planted and then happily just sit there regulating/manipulating the workloads without being detected?
I guess you never know:)
Good point on wireless – I seem to recall that several of the early versions of wireless NICs had features that allowed you to ‘tune’ down Tx power and beacon transmit frequency – I wonder why they got rid of those tunability features?
-
I don’t see this as too much of a security concern for the current iOS or iBoot. As the article mentioned, it is an older version for iOS 9. It is possible they are still using portions of the iOS 9 iBoot code, but generational changes to this type of code are a swift way to mitigate vulnerabilities.
Apple’s real problem lies with their employees’ ethics. If we assume this wasn’t stolen then it had to be leaked. That can only happen from the inside. Could this be an access control issue at Apple? Or just a disgruntled employee?
-
I was wondering if we would see malware to assist in cryptocurrency mining. It’s brilliant really. I don’t have enough computers to mine, nor enough money to acquire them… well, just steal everyone else’s memory resources.
I always thought a library at a major education institution would make a good coin mining operation. Looks like I am not the only one.
Coin miner is likely being installed via the ever popular fake Flash Player update notice you get from visiting web pages. Here is an article I found with removal instructions:
https://www.pcrisk.com/removal-guides/12088-coinminer-malware
-
Brock,
this is an interesting topic. Some websites use a JavaScript based miner instead of running advertisement. I recently saw a Web Assembly miner, classified by Symantec as PUA.WASMcoinminer. Check out Remedy ticket 1198502 for that.
-
-
Scott,
you point out a great advantage for credit cards (besides the points you can earn). I feel that credit cards/ATM cards present a system that has to be secured like any other. Like you said, using a credit line for physical payments is a great way to limit risk. Separating your payment methods for physical transactions is also similar to security compartmentalization. Monitoring can be used to further limit your risk, in this case that could mean setting up email notifications for transactions over a certain amount. I think ultimately a credit card presents a system that needs to be secured, unfortunately –at least in my experience– that needs to be done by the end user who does not always know how to.
-
I really don’t think that chip-based transactions take all that long. I would say that they feel like they take the same time. Sometimes I wonder if this magnification of time measurement is due to the fact that people can’t handle “uncomfortable” silence. Have you ever had to troubleshoot a computer issue in front of an audience? Have you ever had to wait for a computer to reboot in front of an audience? You could time that reboot and know it takes only 90 seconds but you would swear it was 6 minutes. I think a lot of the “chipped cards take longer” phenomenon comes from misperceived time due to lacking comfort in a quiet social scene and the resistance to change.
My gripe with the chipped systems is that they are not all the same. Based on how you would like to process your transaction, sometimes you are required to take the card out and then swipe. Others do not, why?
-
This sounds like something that would happen in Mission Impossible or in James Bond, but working in the defense industry this is definitely a real concern. Even if you’re working in a SCIF, they don’t want you to bring any technology, cell phones, laptops, pagers, etc. to avoid issues like this. Only the approved systems that are in that room are allowed to be used. And removing data from that room has to follow a specific process, with markings, classifications and specific directions. If it’s really possible to steal data via a wireless method, it’s good that the government has these requirements for classified areas.
– Sev Shirozian
-
Thanks Bilaal. Yes, finally going to see the end of Flash in 2020. It can’t come too soon. Recently Google announced that the Chrome browser would default to HTML5 when possible, and Google has banned Flash from any of its display ads. The problem is that so much is built on Flash that it just can’t be killed off! So many websites still use, and rely on, Flash to run. I work at a school district. We have two very major software programs for our elementary students that are heavily Flash based. The company is working to remedy that, but their time frame is sometime in 2019! They have to rebuild the software that they spent 7 years building!
-
A client that I help support actually got hit with this CoinMiner malware last week. They had contacted me telling me things were running real slow on one of the systems. I connected in, and after a few minutes found this .exe file that was consuming 80-90% of the system resources. Some research showed that it was a bitcoin mining malware program. I removed the offending program and did some investigating. Turns out the person using the system was working on a presentation with a colleague. These guys are old school, and were sharing a USB key with the documents on them. The USB key had the trojan on it. Still trying to find ground zero, and how this got onto the USB key. Had this malware been smart, and taken up smaller amounts of resources, then this might have gone on for a long time. The CPU hog alerted someone to an issue. I thought hackers were smarter!
-
Scott, a friend of mine who works in InfoSec for a hospital here in Philly was mentioning that this happened to them a month or two ago (maybe we are thinking of the same thing). He told me that they noticed one of their servers was running at a very high capacity for a prolonged period. After they researched, they found that it was being used as a bitcoin miner.
If the hackers were smarter, like you said, they should not have had it run so heavily on that server, but just like Wall Street, greed can make people try too hard to the point where it gets them in trouble.
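The two comments above describe the symptom that gave the miner away: one process holding most of the CPU for a long time. As an added example (not code from either commenter), the PowerShell script below turns that observation into a repeatable check: it samples each process’s cumulative CPU time over several intervals, reports anything that stays above a threshold for the whole window, and records the image path and SHA-256 so the file can be looked up in a service such as VirusTotal. The sample count, interval and threshold defaults are constructed values; lowering the threshold is how you would catch a miner that throttles itself to avoid being an obvious CPU hog.

```powershell
# Added example: detect processes with sustained high CPU share and hash their image.
# Run from an elevated prompt so that Path is readable for other users' processes.

function Get-SustainedCpuHogs {
    param(
        [int]$Samples = 6,              # number of sampling intervals (constructed default)
        [int]$IntervalSeconds = 10,     # seconds between samples (constructed default)
        [double]$ThresholdPercent = 50  # average share of all cores; lower it to catch quieter miners
    )
    $cores = [Environment]::ProcessorCount
    $seen = @{}   # PID -> array of per-interval CPU percentages

    # Baseline snapshot of cumulative CPU seconds per process.
    # CPU is $null for protected processes we cannot query; those are skipped.
    $last = @{}
    foreach ($p in Get-Process) {
        if ($null -ne $p.CPU) { $last[$p.Id] = $p.CPU }
    }

    for ($i = 0; $i -lt $Samples; $i++) {
        Start-Sleep -Seconds $IntervalSeconds
        $now = @{}
        foreach ($p in Get-Process) {
            if ($null -eq $p.CPU) { continue }
            $now[$p.Id] = $p.CPU
            if ($last.ContainsKey($p.Id)) {
                # CPU seconds consumed this interval, normalised to all cores, as a percentage.
                $pct = ($p.CPU - $last[$p.Id]) / ($IntervalSeconds * $cores) * 100
                if (-not $seen.ContainsKey($p.Id)) { $seen[$p.Id] = @() }
                $seen[$p.Id] += $pct
            }
        }
        $last = $now
    }

    foreach ($procId in $seen.Keys) {
        $values = $seen[$procId]
        # Only flag processes that were present for every interval (PID reuse is ignored here).
        if ($values.Count -lt $Samples) { continue }
        $avg = ($values | Measure-Object -Average).Average
        if ($avg -lt $ThresholdPercent) { continue }

        $p = Get-Process -Id $procId -ErrorAction SilentlyContinue
        if ($null -eq $p) { continue }
        $hash = $null
        if ($p.Path) {
            $hash = (Get-FileHash -Path $p.Path -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        }
        [PSCustomObject]@{
            Name      = $p.Name
            Id        = $p.Id
            AvgCpuPct = [math]::Round($avg, 1)
            Path      = $p.Path
            SHA256    = $hash
        }
    }
}

# Usage: sample for one minute and list anything averaging above 50% of total CPU.
Get-SustainedCpuHogs -Samples 6 -IntervalSeconds 10 -ThresholdPercent 50 | Format-Table -AutoSize
```

Averaging over the whole window rather than acting on a single reading is deliberate: a build job or a video export will spike briefly, while a miner is characterised by load that never goes away. A process that is flagged but has no Path or whose hash is unknown is worth a closer look, not an automatic kill.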
-
-
I think the biggest thing hurt here is Apple’s feelings! It’s iOS 9, and a bit old. I’m sure the code will give some insight into how Apple iOS is built and might allow hackers to hack later systems, but to me, Apple got a black eye on this. Their precious secrets are out in the open.
-
Very interesting article. Faraday cages have been around a long time. I read the article, twice in fact. I’m jammed up on the fact that they say in the article “Once a computer is infected”. So this is not really breaking into a computer that is protected by a Faraday Cage Air-Gap, it’s getting the data off of it.
If you do it right, how can you even get to it to get it off?
Nonetheless, a very interesting concept and article. I’m sure, with this incentive, someone will solve the puzzle of how to get it on there.
-
Hey all,
Flash can be disabled in all popular internet browsers. Plus, you can set up Office to not allow files with Flash or any plug-in.
To stop Flash in Group Policy:
Search Group Policy editor –> Computer Configuration –> Administrative Templates –> Windows Components –> Internet Explorer –> Security Features –> Add On Management –> Turn off Adobe Flash = Enabled.
Enable by clicking Turn off Adobe Flash –> click Edit Policy Setting –> Select Enable
No more Flash for IE on your local computer. Do this in a networked environment too. You can use PowerShell and run a script to do this quickly. We did this in Assignment 1
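As an added example (not part of the comment above or of any course material), the PowerShell script below applies the same Add-on Management setting by writing the policy registry value that the Group Policy setting controls, verifies it, and then pushes the same change to a list of remote hosts over WinRM, which is the networked version the comment mentions. The value name `DisableFlashInIE` under `HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer` is my understanding of what the “Turn off Adobe Flash in Internet Explorer…” setting writes; confirm it against the inetres.admx template or a `gpresult` report in your own environment before relying on it. The host names in `$Targets` are placeholders.

```powershell
# Added example: enforce "Turn off Adobe Flash in Internet Explorer" through its policy registry value.
# Assumption (verify against inetres.admx / gpresult): the setting writes DWORD DisableFlashInIE = 1
# under HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer. Run from an elevated PowerShell session.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer'
$ValueName = 'DisableFlashInIE'

function Set-FlashDisabledPolicy {
    # Create the policy key if it does not exist and set the value to 1 (Enabled).
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyKey -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-FlashDisabledPolicy {
    # Returns $true only when the value is present and equals 1.
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$ValueName -eq 1)
}

# Local machine: apply, then report the result.
Set-FlashDisabledPolicy
[PSCustomObject]@{ Computer = $env:COMPUTERNAME; FlashDisabled = Test-FlashDisabledPolicy }

# Networked environment: apply the same change on each host and collect one result row per host.
# $Targets holds placeholder names; replace them with your own computers (WinRM must be enabled).
$Targets = @('WORKSTATION-01', 'WORKSTATION-02')
Invoke-Command -ComputerName $Targets -ArgumentList $PolicyKey, $ValueName -ScriptBlock {
    param($Key, $Name)
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $Name -PropertyType DWord -Value 1 -Force | Out-Null
    $current = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
    [PSCustomObject]@{ Computer = $env:COMPUTERNAME; FlashDisabled = ($current -eq 1) }
}
```

Writing under the Policies hive directly gives the same effect as the local Group Policy editor, but in a domain the durable approach is a GPO linked to the right OU, so that a machine rebuilt from baseline picks the setting up automatically; the script is most useful for standalone machines or for checking that the GPO actually landed.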
-
That’s pretty useful information Mustafa. This malware list is definitely worth noting, and most of it I have never heard of before. CoinMiner as I see is pretty dangerous considering the fact that Bitcoins are the future of virtual payment systems. I came across this interesting article which pretty much says how to remove CoinMiner malware from systems. Might be useful to read. Link below:
-
I feel that this might not be of a great concern, especially when Apple was no longer using iOS 9 and had moved 2 generations ahead. However, this would have been a concern for users who have been using iOS 9. I think the company did a great job in removing the code from the related website. It’s also surprising how the confidential source code for iBoot got leaked when Apple is known to have a far safer operating system when compared to other OSs.
-
I would strongly suggest using an emerging technology, mobile wallets, with either your ATM/debit cards or credit cards. The technology used with processing ApplePay, SamsungPay, AndroidPay, or other mobile wallets is far superior to even using chip cards themselves. These mobile wallets work with your bank and set up a token number to use and send between the phone, merchant, and issuer as opposed to sending a user’s personal details, such as account number, zip code, customer name, etc.
-
It’s always a good idea to check for skimmers whenever using a card swiper. I give you props for using the credit card as opposed to a debit card as gas stations can be a prime location for this type of fraud. I can’t wait for the day where AFDs (Automated Fuel Dispensers) begin allowing mobile wallet payments as they are much more secure than any types of physical cards. Someone really close to me continues to get his card skimmed at gas stations to the point where he had to have his issuing bank add an authorization rule to his account to require his authorization for any transactions over $50.
-
This technology is there and right now most banks in the US have the ability to enable PIN chip transactions, but they just have to roll it out on a card member level. I remember back in 2012, I was studying abroad in Shanghai and I went to Walmart and was asked for a PIN when checking out. Fortunately I was able to just press Enter or enter 0000 to bypass the PIN functionality there, or I would have been screwed. I do agree that ApplePay or other mobile wallets would be best, however they are still not accepted everywhere. It would be most effective against a lot of fraud if they started giving that functionality at gas stations as it seems like there’s a lot of fraud originating from gas stations.
-
Hi Dun,
I do agree with you, but technology not only creates newer threats, but also enables services to counter the same threats. Though on one hand resources might be limited, there are always cost-effective solutions like the one imposed on manufacturers to implement security while shipping. These measures might not be that effective, but can definitely curb threats from traveling to users’ systems.
I agree with your statement Richard that the increase in scrutiny and imposing of fines will definitely reduce or, to say the least, give more wings to cyber security specialists to implement counter measures. The case of Mirai is definitely going to be one of the larger cases where criminals were caught and this would serve as a lesson for other attackers as well.
Hi Matt,
That’s definitely an interesting article to read. One thing that I have noticed is that the pace of new technological development relative to considerations of building foolproof security within is far larger. IoT companies and security agencies are already finding it a lot harder to prevent malware within these devices. As you pointed out, the industry will actually have to outpace the technological development before new consumers are roped in to use these machines.
Satwika,
The concept of IoT is still evolving and in fact I don’t see a lot of legislation that requires these devices to have a standard protocol. The only thing that makes sense from the perspective of the government is to standardize security to the latest security standards used in the industry. Moreover, there need to be regulations to monitor the interactions between devices. At this stage, there must hardly be companies around who could determine with 95% confidence an IoT security breach.
Hi Vince,
I have to agree with your point that the nature and variety of data for building up such systems is going to be huge. Moreover, integrating security practices into existing problems can only be productive when a business completely understands ML and its intricacies. At the current stage, even AI has security flaws and speed alone cannot determine the effectiveness in eliminating malware or even predicting with 100% accuracy.
Brock,
I would also like to see these scanners, but playing the other side of the coin…
The users of these scanners are creating the database for them. Example: As a pentester, I use Chronicle to search for vulnerabilities of a specific IP address. It then scans the IP address for vulnerabilities. It does or doesn’t identify vulnerabilities and reports back to the user… as well as an internal database that neatly organizes the data for future reference.
We are Google’s recon pentesters… Thoughts?
Since a large portion of these devices have no possible fix in sight, it is scary, but our months and years to come will transition into timeframes of equipment upgrades, failures and passing technology.
I would have to agree with you regarding the class action lawsuit. I would imagine it would be international law. That sounds like a nightmare of dead ends.
I think with the scope of the average consumer the responsibility of protection will fall on the manufacturer. Poor development or foresight is at fault here. There are IoT devices out there without these weaknesses.
Hopefully responsible consumers in the future will buy the right product which should place strain on the business that have poor practices.
Wow, imagine the size of the botnet if printers became the zombies of a DDoS attack. It is a long list of manufacturers out there and a lot of printers:
Canon, Fujitsu, HP, Konica Minolta, Lexmark, Xerox, Sharp, Kyocera Mita, Kodak, Brother, Samsung, Toshiba…
Are there any “Horror” movies about IoT devices killing people? Hummm….
Another online scanner you may want to check out is Censys.io. It uses ZMap and ZGrab to identify specific information about a network. It is glitchy sometimes and you have to play around with how you search for multiple IP addresses or even a range, but it is a good and quick recon tool to identify how you may want to handle the pentest.
I am a fan of Nessus and OpenVAS. Nessus is free and available for Windows. You can download it on localhost and scan your home / small office network. Nessus / Tenable offers several plug-ins for different types of scans. You could also do the basic scan, which we did in Ethical Hacking, but this won’t discover the Mirai vulnerability. You will have to use the Advanced Scan and select the proper plug-in. Here is a link to Tenable.
https://www.tenable.com/blog/reaper-iot-botnet
Hi Fred,
One of the biggest problems with IoT is that it just doesn’t affect organizations, they are now targeting homes. And we all know that the majority of home users take their router out of a box, plug it in, and it works. They are happy, and that is the end of it. They don’t change the default password, which is easily obtainable, and they open themselves up to so many attacks. In the old days, a hacker would have to sit outside of your house and hack your WiFi. No longer! With these IoT attacks, they can reach all of your Internet enabled devices from anywhere. To me, this is the biggest scare. Because most home users won’t even know how to fix it, or detect any problems!
I think you’re going to see a wave of new products for the home user. Norton is already jumping on this. https://www.theverge.com/2017/1/3/14124662/norton-core-router-announced-smart-home-security-ces-2017
It’s convenience. Joe and Suzie Smith (I apologize if this is you) want to be able to use their APP on their phone to turn off the lights in the house, or lower the heat while they are away. A convenience. The more we enable technology for users, the more criminals will go after it. A camera in my fridge, so I can see from my phone how much milk is left, and should I stop and buy more on my way home!? Maybe. But know that script kiddie in China is looking at your camera too!
Jason,
You have mentioned a very important point. I don’t think we should be underestimating these perpetrators to be a small group. These days there are even school students involved in such activities. Even the men involved in the Mirai botnet were 20 and 21 years of age. So, when Nixon mentions, “These are incredibly deep skills developed over years.”, it alarms me how young these guys must have started off! Yes, and you have mentioned that these days we have even Nation State adversaries training individuals to carry out such attacks. I believe that various terrorist groups also do the same. With the advent of artificial intelligence and the process of virtualization that we are currently undergoing, and from what we have been seeing starting from Melissa to WannaCry, we don’t know what havoc these groups may bring upon us. So, it would be a big mistake if we were to consider them to be a small group.
I thought this was a pretty good article too. I always love new products and services that companies like Google and Apple come out with. They take ideas others had and formalize them into a worthy product (most of the time). I can’t wait to see when Chronicle is out and how it’s going to use VirusTotal and AI to give us an enhanced security tool that the industry can use. – Sev Shirozian
As security professionals that are in the industry or going to join the industry, we should always keep this in mind and drive vendors and product owners to stop hard-coding passwords into their products. For example, I used to work for Comcast in my previous life and we would work with vendors for some of the hardware we would use in our customer’s locations or even in our data centers and would also push the vendor to update their firmware or code to stop including credentials in their product. If we all do this we can help drive products our companies use or work with to stop this terrible practice. – Sev Shirozian
You are right Mustafa. Although this Act is applicable only to the devices procured by the government agencies, maybe in the long run manufacturers will adopt the same set of standards for the average customers as well.
Hi Fred,
Very interesting take on choosing IoT wisely. I have a Ring doorbell that we bought because solicitors are constantly coming to the door and I was concerned about family safety. I can’t choose to “unplug” this device, so I’ve accepted the risk that I have an IoT device that is always on.
I do periodically check the firmware of my device to make sure it is up to date and I’ve even run a network scan of my IoT devices using Nessus.
While I know that this does not eliminate the risk, I still choose to accept it because I do feel that the safety and convenience to my family outweighs the risk of an IoT bot attack. I also have many other layers of security on my network that would help prevent an attack.
Glad to hear Mustafa! How did the scan go for you? I have not had a chance to restart all devices and re-run the scan. Does anyone else have any suggestions on scanning your network for devices that are subject to Mirai?
Nice post Satwika,
I’ve looked at the IoT Cybersecurity Improvement Act of 2017. This legislation includes contractor responsibilities with respect to internet-connected device cybersecurity. The legislation requires vendor commitments: that their IoT devices are patchable, don’t contain known vulnerabilities, rely on standard protocols and don’t contain hard-coded passwords.
Wow. This is a concern. I wonder if Strava shares this information publicly by default or if the users turned on location sharing. I could see this as a very difficult problem to solve. I imagine it would be very difficult for the military to track and monitor all potential mobile apps that track and share location data. Some possible solutions:
– Require government issued mobile devices at these facilities that control what apps are used by military personnel (preventative)
– Monitor the web for location sharing associated with cleared facilities (detective)
– Increase training and awareness to military personnel and enforce greater consequences for non-compliance (preventative)
It will be interesting to see the follow-up articles and stories related to this. Obviously Strava is not the only app that is sharing location data.
This reminds me of GPS, which was invented by the government in the 1970’s. When it started to become available for commercial use, there were security concerns. They didn’t want someone putting a GPS locator in a location and then being able to direct a missile directly to it! So, in its early form, GPS had Selective Availability built into it. In essence, the GPS signal had a built in variance of about 50 meters horizontally, and 100 meters vertically. As demand and use grew, this was phased out. In 2000, this Selective Availability was removed from the GPS signal. There is still a chance of error, but most of that is due to other conditions, not forced. But the pessimist in me still thinks that somehow, the government is controlling some of this. You would think they have to!
Mustafa-
Nice summary. One million file submissions a day for VirusTotal. Seems kind of low to be honest. Is the idea to get everyone using some sort of open standard for virus comparison to keep them from spreading? If so I can get on board with that – would need to be able to scrub any sensitive data however, or have a trusted authority to do this.
This is very very dangerous. If any enemy plotters were to get ahold of this info and be able to put two and two together, it would essentially be like handing over the blueprints to our military installations, safe-houses, and even if you look deeper, you might even be able to track movement on ships and/or submarines to get a layout. For highly classified installations, it would be a good idea to not only turn off location tracking, but to have workers who work in these locations turn over devices while on the premises.
Nice summary Vince. The article was very interesting and I especially liked the commentary on how detrimental it was to the criminals that they released their source code.
I thought it was odd that Allison Nixon said “when you can ID them and attach behavior to the perpetrator, you realize there’s only a dozen people I need to care about and the world suddenly becomes a lot smaller.” I find that hard to believe. I think that was the case years ago with folks like Kevin Mitnick and Gary McKinnon, but nowadays we have Nation States training individuals to use very sophisticated open-source tools to conduct attacks, and attribution can become much harder. Think about it – these fools released their code in the wild and it still took over a year to build a case against them and arrest them. And since the code for many of these attacks is released in the wild, it opens the door for many copy-cat attacks that make attribution even more challenging.
Thanks Scott – this was super helpful because I came across the same error and I was struggling with the solution. I like how you articulated the change in Windows 10 and why we now had to use a different approach to generate a static text file to view the logs. I really appreciate the video demonstration.
Nice post Jason,
After I had read your post, I visited the website of VirusTotal. And I really agree with you, it seems like a useful and user-friendly tool to analyze a URL, IP address, domain or file hash. I’ve also tested some URLs and saw that VirusTotal inspects items with over 70 antivirus scanners and URL/domain blacklisting services.
By the way, I’ve also checked the Mirai scanner that you mentioned under my post last week. I liked this scanner also. I am waiting for your new recommendations. Thanks Jason.
The scenario you listed is a real risk, like you said, with today’s trigger happy world. News pundits, politicians, and conspiracy theorists with power could really bring the world to its knees if any mischaracterization of a specific attack occurs. I’m particularly worried about the consequences if something like this would happen to the US and it is blamed on DPRK or vice-versa. Things could get very ugly very quickly.
I honestly had no idea about VirusTotal until I read this article. It seems like it is an extremely useful product for all of the security community and beyond. I’m actually going to try using it to see how it works over the next few days. To your point about the startups which seem to provide services to those wishing to do harm, I completely agree that it’s a really slimy thing to do. I’m not surprised though. With the level of greed and shadiness of some people these days, people will do anything for a buck.
Vince,
this is an interesting issue and it outlines the dangers of cyber warfare. The publicized data literally painted US bases in active deployment areas and made them vulnerable to mortar attacks etc. You are right in saying that the problem stems from lack of security awareness. I think that ultimately US soldiers on active deployment should not be using personal computers at all. However that is probably not enforceable as it would drastically cut morale. Now cyber warfare has become a situation that needs to be trained for, or the rules for individuals need to be changed.
…follow-up to the initial story:
Pentagon reviews policy after fitness app reveals military locations
https://finance.yahoo.com/news/pentagon-reviews-policy-fitness-app-225200741.html
“US Defense Secretary Jim Mattis has ordered a review of the [fitness tracking smart phone] situation”,
‘In a statement, the Pentagon said, “We take matters like these very seriously and are reviewing the situation to determine if any additional training or guidance is required, and if any additional policy must be developed to ensure the continued safety of DOD personnel at home and abroad.” ‘