Wade Mackey

Readings – Key point

To secure web applications is very important to consider the way data input is handled by the system. Software should be developed using standard frameworks and input validation libraries in order to reduce risk.

In-the-news article

Web Attacks Increasingly Launched from Amazon Infrastructure

Web application attacks are growing in volume and duration, and are increasingly being launched from cloud IaaS platforms

Malicious traffic is on the rise – notably SQL Injection attacks, which jumped 10%, and Remote File Inclusion (RFI), which increased by a quarter.

Longer attacks hint at the determination of attackers, willing to invest more resources through longer time to succeed.

Cybercriminals are increasingly using IaaS to launch attacks, which makes it easier for them to carry out longer campaigns.

In fact, 20% of all known vulnerability exploitation attempts originated from Amazon Web Services.

WordPress was named-and-shamed as the platform of choice for web attacks – targeted 24% more times than any all other CMS platforms combined – while PHP apps were hit three times as much by cross-site scripting attacks than .Net.

The US was pegged as the biggest source of web application attacks globally and only topped when it comes to cross site scripting, of which the UK was the main source.

This is the link:

http://www.infosecurity-magazine.com/news/web-attacks-launched-from-amazon/

Is your smartphone spying on you?

This news report reveals that the flashlight app on many smartphones is really a piece of malware which may be exfiltrating some of your confidential data.

Apple’s iCloud targeted in man-in-the-middle attack in China

http://www.pcworld.com/article/2835995/apples-icloud-targeted-in-maninthemiddle-attack-in-china.html

Following launch of the IPhone 6 in China, their ICloud service began facing a
man-in-the-middle attack in the country. According to a watch dog group it was reported
that there an attempt to steal username and password information. It is assumed by the
the group which monitors China’s censorship practices.

Key Point From Readings
It is very important to cleanse input data of unwanted characters like those that can escape anticipated input whereby commands can be added to the data which may let the hacker be able to communicate with the database and very possibly cause serious data integrity issues. A programmer may want to check for non alpha/numeric characters and either strip the data of them before processing or notify the user that the input is invalid and in order to continue the fields must be in a proper format. One may even check the input data for words that may act as commands like “Delete, Update, Insert, Select and Truncate” – jut to name a few.

http://www.scmagazine.com/white-houses-network-shut-down-for-two-weeks/article/380062/

This article speaks about the breach at the White House. It is just interesting to see what is being targeted currently in our society. What does it say for the future?

http://www.chicagotribune.com/business/breaking/chi-dairy-queen-hacked-20141010-story.html
http://www.americanbanker.com/issues/179_149/how-backoff-malware-works-and-why-banks-should-care-1069180-1.html

One key point you took from each assigned reading. (One or two sentences per reading)

Most companies take the attitude of it could not happen to me when it comes to being hacked. The largest point of failure is going to be people for a myriad of reasons. Cybercriminals seem to use variations of the Backdoor virus on retailers POS systems to steal data. Dairy Queen seems to be the most recent in the list of companies compromised at this time. Surprisingly, they have a site that assists customers in identifying the store locations that were known to be compromised.

b. One question that you would ask your fellow classmates that facilitates discussion.

If some POS systems provide the ability to encrypt traffic or send traffic through VPN, why are so many retailers failing to implement small deterrents?

Exfiltrating data by using video upload
http://www.darkreading.com/attacks-breaches/in-plain-sight-how-cyber-criminals-exfiltrate-data-via-video-/a/d-id/1316725
This article explains a clever way stolen data is sent out of a system. After a system is breached, the sensitive data is encrypted, divided into packets, and each packet is wrapped in a video file and uploaded to a video sharing service. Then it can be downloaded, unwrapped, and decrypted. This is hard to catch, since it is common to have large video files sent out of a system.

What is Malware
———————-
Anyone can be a potential Malware creator not just the usual amateur hackers. there are professionals out there who make it their livelihood to bring havoc to anyone anywhere. Reasons include but not limited to: disgruntled employee, data for ransom, stealing from competition’s data for financial. Protecting ones self, one must know how the potentials that malware has on an organization and how they make their way from the ‘infector” to the “infected”. Knowing this, one is more likely to become more cautious in their everyday online/computer tasks.

Malware 101 – Virus
————————–
Malware is any program inserted into a system, usually without anyone knowing it until it’s already done it’s duty, which can cause data integrity issues, stop or slow down a system an/or modify and/or delete programs being run within the system/network itself. The most common type of malware is the “virus” which acts as a parasite and duplicates itself to other programs. Many times malware comes through attachments in emails and can release itself onto a system upon the attachment being opened. There are different types of virus’s that create havoc each in their own way. Either way, knowing of a malware’s potential and how it is packaged gives one the knowledge of what to look for so the malware can either be stopped or mitigated before the issue becomes too critical

Staples On Alert After Card-Theft Hack Attack
————————————————————
Link: https://uk.news.yahoo.com/staples-alert-card-theft-hack-attack-123510760–finance.html#yhPw4Ke

Staples is the next of many big corporations that have had credit card theft. The cause this time, malware. Fraudulent transactions of some cards used at many stores in New Jersey, New York and Pennsylvania. This information was traced by a number of banks. It seems that Staples is taking the necessary steps in notifying the public as well as it’s customers though it doesn’t give much detail on what they are doing as far as future prevention and getting themselves back to a “business as usual” state.

Questions to Ask the Class
————————————

1. Do you think that Social Engineering is the harder to control over hardware/software malware issues and in the near to late future do you see these difficulties getting easier or harder as systems become more and more technically oriented?

2. Do you think this is just an isolated incident that the attacks have occurred just in the North East region of the U.S. or do you think that Staples just hasn’t found the existence of this malware on their other systems throughout the rest of the U.S. . . . . . . . yet?

In news: Dropbox used for convincing phishing attack: http://www.cso.com.au/article/557732/dropbox-used-convincing-phishing-attack/

Article: FCC Slaps Telecos With $10M Fine for Data Breaches
FCC just fined two companies in the US, the reason: “for not properly securing information for 305,000 consumers.”

http://goo.gl/as1SYz

http://www.fool.com/investing/general/2014/09/28/home-depot-vs-target-diy-centers-data-breach-was-w.aspx
http://www.scmagazine.com/reports-suggest-home-depot-was-hit-by-the-mozart-malware/article/373976/

One key point you took from each assigned reading. (One or two sentences per reading)

Lawsuits are rolling in and the word is that the malware was designed specifically to penetrate the Home Depot systems, although there seems to be a disagreement over the uniqueness of the software. Analysts discuss the difference in rebounding stock between the Target breach and Home Depot: Response to the incident and the loss of PIN data.

b. One question that you would ask your fellow classmates that facilitates discussion.?

Are we really starting to become accustomed/numb to having our data stolen?

Week 6 – Readings (Sniffing)

Switched networks are not immune to sniffing. There are different techniques to eavesdrop traffic such as ARP spoofing or MAC flooding and replication. All of the them are based on the “man-in-the-middle” principle. The best protection against network spoofing is encryption.

In-the-news article (Forbes):

Hewlett-Packard Designates Printing A First-Class IoT Security Platform

The author says that when we think Internet of Things (IoT), the first thing that probably comes to our mind are FitBits and Nest thermometers, not printers. However, Hewlett-Packard has announced several additions to their printer security platform because this service poses risks to organizations.

The note is split in three topics:

1) Printer security matters: printing is an often overlooked segment of IoT that has great potential risks.

2) Printers now more like PCs and servers: Printers and Multi-Function Devices (MFDs) now have more in common with PCs and servers than the printers of old.

3) HP “gets” security: HP says that it believes that printers, data and documents all need to be addressed as part of an overall corporate security strategy.

Companies are not thinking about all the potential holes that the new IoT economy are about to unleash. Printers, as a mainstay of the corporate workflow for years to come have to be secured against both malicious and accidental security breaches.

This is the link:

http://www.forbes.com/sites/patrickmoorhead/2014/09/29/hewlett-packard-designates-printing-a-first-class-iot-security-platform/

IN THE NEWS:
Bash Code Injection Vulnerability
https://access.redhat.com/announcements/1210053

The Bash code injection vulnerability could allow arbitrary code execution allowing attacker to bypass imposed environment restrictions. Certain services and applications allow remote unauthenticated attackers to exploit this vulnerability by providing environment variable.

Improved patch tackles new Shellshock Bash bug attack vectors
http://www.pcworld.com/article/2688932/improved-patch-tackles-new-shellshock-attack-vectors.html

A patch was released, but researchers found a new method to bypass it, so another patch was released.

http://www.itnews.com/exploits-vulnerabilities/84263/six-key-defenses-against-shellshock-attacks?source=ITNEWSNLE_nlt_itndaily_2014-09-30
The number of attempts by hackers to compromise computers through the Shellshock vulnerability is rising, but companies have options for defending against attackers.

Shellshock is the name given to a set of at least six vulnerabilities in GNU Bash, the default command shell found in Linux, Unix and Mac OS X. The flaws in Bash, which stand for Bourne Again SHell, include CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277 and CVE-2014-6278

take away:
“Don’t allow proprietary, insecure application protocols or legacy clear text protocols on your network”

This week’s reading talks about switched and non-switched network environments and packet snipping.
Packet snipping tool is a very useful tool to use in tracing and analysing network transmissions and application issues, but in the hands of an intruder attempting to break-in to the company’s network it is a very dangerous tool.
As the article mentions, various methods of attack can be used against the company’s network once the attacker has gathered enough information about the network and devices on the network. IP, ARP table can be spoofed, DNS can be poisoned, all can be used for eavesdropping or launching more (destructive or stealth) attacks on the company’s network.

Packet Sniffing In a Switched Environment:
It seems no matter how sophisticated a system is, someone always seems to find the smallest flaw in the infrastructure and expose it for all to see as well as doing considerable amounts of damage. Packet sniffing is just one of these methods which allows a hacker to intrude unnoticed. A hacker has the capability of playing “the man in the middle” pretending they are part of a legitimate communication transmission without the other participants finding out. When a hacker does this he/she intercepts the transmission and can either “read” it and then pass it on to the intended receiver, like a spy, or manipulate the transmission and send the intended receiver invalid data. There are a number of tools to use to detect packet sniffing from the time this article was written, many having several weaknesses. The most viable tool according to this article is encryption. IPSec is an example of one of these encryption tools.

This is an article which explains the importance of including “air space” to the long list of security threats. Fully equipped drones can sore through the air collecting data emitted from mobile devices serving as entry point wireless networks as well as shoot videos and still pictures.
http://defensesystems.com/articles/2014/08/15/drones-can-hack-wifi-networks.aspx

It is interesting that I read about packet sniffing on switched and non-switched environment after tinkering with an unmanaged switch. The article talks about the tools used to perform packet sniffing and ways to mitigate the risk of packet sniffing. It tries to give you both ends of the stick so that a penn.tester or an auditor is aware of what to expect when working to test the environment. As Nelson pointed out, packet sniffing tools can be a boon and a curse at the same time, depending on who is using it. One of the ways to mitigate is to use encryption.

Based on info. from our Secure Digital Infrastructure class, I am wondering what kind of encryption would best mitigate the threat. Would it be a symmetric encryption or asymmetric encryption?

In news: Hackers charged with Call of Duty theft: http://www.joystiq.com/2014/09/30/hackers-charged-with-xbox-one-valve-call-of-duty-data-theft/

Self-protecting Java applications

http://www.darkreading.com/application-security/how-a-major-bank-hacked-its-java-security/d/d-id/1316216?
http://www.waratek.com/Waratek/media/SiteMedia/Documentation/DataSheet-Waratek-Application-Security-vs-3.pdf

By implementing a protocol of Runtime Application Self Protection (RASP), Deutsche Bank is able to protect its Java applications, even the ones which are old and cannot be upgraded or patched. The tool they used runs within the Java Virtual Machine (JVM), making an application level defense which protects all the varieties of Java applications they use.

Sniffing
A common misperception is that a switched environment is more secure than a non-switched environment against packet sniffing attempts. This article details the methods and tools used in both environments.
The key technique used in a switched environment is to implement a ‘man-in-the-middle’ machine which pretends to be the machine which each of the other machines is talking to. It does this by changing the MAC address in the sending and receiving machines to its own MAC address. It then intercepts and sends on the messages from each machine.

Question:
It was stated in the article that the ultimate solution to network sniffing is encryption. What is the cost (implementation and in performance) of encrypting everything in the network?

http://www.scmagazine.com/international-hacking-group-members-charged-with-stealing-xbox-and-apache-helicopter-secrets/article/374880/

My article was about a group of hackers that utilized an SQL injection to get into U.S. Army databases and Microsoft. What worries me about this type of news is that the information they stole was worth about $100-200 Million dollars, but look to sell this information on Ebay for $5,000. Three of the hackers were under the age of 22. It seems that attackers are becoming younger and smarter. As age groups that can conduct attacks against such high profile targets as Microsoft and the Army become younger what does the future hold? Most of the next generation growing up now will have never lived in a world without a computer. So if are having trouble handling small groups of people, what is to come when much larger groups begin to form.

What could the future of cyber-security begin to look like with the number of people with access to a computer growing in large volumes, and how far are we from it?

http://www.infosecurity-magazine.com/news/android-flaw-spells-privacy/

o a. One key point you took from each assigned reading. (One or two sentences per reading)
Google seems to be a little lax with their response to a known vulnerability in their phone OS. Pre Android 4.4 OS’s are susceptible to the possibility of having an open email session hijacked.
o b. One question that you would ask your fellow classmates that facilitates discussion?
Our phones are becoming an integral part of the way we live and do business in our daily lives. Is it acceptable for a company to ignore the security of our private information when they know there is a vulnerability in their operating system?

Key point from readings:

Enumeration 1:

Footprinting is a preventive control that, like scanning, should be performed by the Info Sec staff of the enterprise to identify risks and weaknesses before being targeted by a hacker.

Enumeration 2:

If the reconnaissance or scanning outcome is not solid hackers use enumeration techniques to get specific information about network resources, user profiles and applications.

Question

What kind of information should only provide external name domain servers ?

Article

Google dorks – FBI warning about dangerous ‘new’ search tool

This article is related to the search methods we saw in recent classes when talking about reconnaissance. The warning refers specifically to ‘Google dorks’ or “Google dorking”, the use of specialized search syntax such as “filetype:sql”.

A simple “operator:keyword” syntax, such as “filetype:xls intext:username,” in the standard search box would retrieve Excel spreadsheets containing usernames. Additionally, freely available online tools can run automated scans using multiple dork queries.

This is the link:

http://www.welivesecurity.com/2014/08/28/google-dorks/

Footprinting:
Before many hackers perform threatening attacks, they research their victims by either gathering information, usually available to the public and easy to obtain, or simply appearing to be a simple user. Such tools such as “WhoIs” and NsLookup which are fairly easy to use.

Battle for the Internet: The War is On:
By putting yourself “in the shoes” of a hacker, and thinking of different ways an attacker could/would expose and harm your system is one of the best first steps to securing a system. By discovering the flaws before “the bad guys” do, you have the advantage of securing them up before attackers have a chance to make their move. According to this article, there are many known flaws with several operating systems, though since this article was written over 10 years ago, there have been many upgrades and patches put into place to fix these vulnerabilities. But that doesn’t mean new vulnerabilities don’t exist. Constantly “staying on top” of the vulnerabilities for your system can only help protect and quite possibly avoid a lot of future grief.

Article:
Massachusetts Institute of Technology website hacked by Indian hacker
An Indian hacker going by the name of SaHoo broke into the Massachusetts of Institute of Technology, one of the most prestigious
education institutions of it’s kind in the World. It is thought that hacker simply just wanted to show the weaknesses, though no serious damage was reported.
This is the link:
http://binlu.scripts.mit.edu/calendar/login.php

In the news:
Apple ships a sevenfold security surprise, including iOS 8 and OS X 10.9.5
http://nakedsecurity.sophos.com/2014/09/18/apple-ships-a-sevenfold-security-surprise-including-ios-8-and-os-x-10-9-5/

Is This Free Wi-Fi Safe? Search the Map of Dangerous Networks
http://securitywatch.pcmag.com/networking/327309-is-this-free-wi-fi-safe-search-the-map-of-dangerous-networks?mailingID=70FFE831A418DD37A51C6EC54F27F470

https://maps.skycure.com/

The first article “Footprinting: What Is It, Who Should Do It, and Why?” is related and can be a subset of the second article “Battle for the Internet: The War is On!”
Footprinting provides the company information about its resources and can help identify where weaknesses are develop processes to remediate them or minimize the potential risks from an outsider’s successful attack. A company that knows what information about the itself is exposed to the outsiders is in better position to safeguard its resources.

One takeaway from the first article is:
“”No longer is it reasonable to rely solely on the installation of antivirus
products to protect the on-line environment. …..””

The second article discusses some of the methods and tools the outside attackers use. The security professionals should have the same knowledge, if not more knowledgeable than attackers, to be able to thwart successful attacks. The article relates the ongoing battle between the security professionals and the attackers to the principle and philosophy of Sun Tzu’s “The Art of War”.

Free webinar:

CYBERSPACE AS BATTLESPACE
DATE: Thursday, October 9, 2014 2pm-3pm EDT

Registration: https://www.blackhat.com/html/webcast/10092014-cyberspace-as-battlespace.html

In this presentation, Dr. Kenneth Geers draws a new world map, based on the premise that human conflict now often takes place on digital terrain, that many attackers are able to operate from cyber safe havens, and that much of the rest of the Internet is already occupied ground.

The speaker will discuss the ways in which traditional military philosophy and the rules of espionage are being applied by governments to the cyber domain, as well as the nature of malware communications, network traffic analysis, and much more.

Regarding fake cell phone towers:
http://www.myfoxdc.com/story/26610194/tech-company-finds-mysterious-fake-cell-towers-in-dc-area
An independent company has found a large number of ‘non-network’ cell phone towers clustered in the Washington, DC area.
This raises the obvious question: Who is putting them there? Are they for the purpose of spying on the government since there are so many government agencies in the area, or are they the government spying on the public or foreign government embassies?

The flaw allows an attacker to remotely attach a malicious executable to a variable that is executed when Bash is invoked. – See more at: http://threatpost.com/major-bash-vulnerability-affects-linux-unix-mac-os-x/108521