This week find an article about cyber security and post it here along with comments about what happened.
I’ll start with the article below. This was a case I handed here about a Temple student changing his grades.
Curve Breaker: Temple University Student Convicted of Hacking Into School System To Improve Grades
Darin Bartholomew says
There is a ransomware attack that is encrypting victims’ machines after tricking them by offering free access to Netflix on the website. In order to rid yourself of the attack you need to pay $100 worth of bitcoin.
I thought this was interesting because usually, at least in my reading, you see a story of ransomware targeting a machine that has more financial incentive for a successful attack. A device being used by a banker, a server at a hospital. They then charge a huge sum to get the data back (well over $100 like in this case). This is the first time I’ve read of ransomware specifically targeting small consumers like those watching Netflix who are probably doing so from their home PC which probably has valuable data to the person, but it’s not the kind of data that can get 6 figures in ransom.
http://www.darkreading.com/attacks-breaches/netflix-scam-spreads-ransomware/d/d-id/1328012?
Ruslan Yakush says
Nice post, Darin! I agree with your point about the interesting shift toward attacking small, less valuable targets versus chasing a “big fish” for more ransom. My input on this thought would be… what if attacking a larger number of less secured targets would get more profits to malicious hackers rather than trying to attack more profitable, highly secured targets with less chance to actually exploit them!? Maybe this is one of the reasons malicious hackers are making a paradigm shift.
Elizabeth V Calise says
Good point made and definitely helped me think through Darin’s article. Like you said, it could be quite a bit easier for an attacker to trick online users versus a large corporation. I feel as if many people lack cyber awareness, which is why so many people fall for scams, whether it is clicking a link to get free Netflix or falling for a phishing scam (example: PayPal scam).
Vaibhav Shukla says
There can be a cheaper solution. Most home PC users should probably keep some of their sensitive data backed up in the cloud. Most of the cloud service providers provide some GB of space free of cost. In case the home PC is compromised, users have their data backed up, as in most cases of ransomware you don’t have 100% surety of getting back the data even if the hacker is paid off.
Roberto Nogueda says
Hello Darin/Ruslan/Vaibhav- this is a very good article that encapsulates three important things:
1. The level of sophistication on how users have very low or no security in their devices
2. How vulnerable users are and how users lack the knowledge to secure information in personal devices.
3. The issue just continues and hackers can do this all day, in different countries with the same principle.
So my take on this article is that victims still believe in magic and free stuff, and often fall into the trap. A phishing attack can easily get someone to click on something, so once the initial email is sent, the rest is on the user.
To mitigate these kinds of incidents, I advise my friends and family not to click on suspicious emails or unexpected messages offering you something. In cases of curiosity, I advise them to hover over the links and read the destination, and then do a Google search of that destination. My last advice is to mark those types of emails as spam and monitor how many spam emails a user gets a week; that’ll give you a better understanding of how serious a hacker wants you to be the victim.
BIlaal Williams says
Roberto,
I really like the advice you give to hover over links and read the destination and do a Google search of the destination. Following this step will mitigate against a large portion of malicious links and downloads. The most important step is being aware that one click is all it takes for a system to become infected.
Jonathan Duani says
Really interesting article! I think of it this way. They could make more money if they attack the random Joe Shmoe because if they attack 1000 of them vs 100 high value targets the chances are much greater in their favor. A lot of higher value targets have solutions in place to counteract this where a random end user does not. So it can collect $100 over and over again fairly easily.
Anthony Clayton Fecondo says
I agree with Jonathan’s point that attackers can make huge profits through the volume of attacks they can make against smaller fish. Generally, the average person has less financial assets than a big corporation, but they also have significantly less security and awareness. As a result, attackers can save a lot of time by foregoing reconnaissance and utilizing simple attacks such as phishing.
Loi Van Tran says
Very interesting article Darin,
The major problem, as others have mentioned, is the users. They want free stuff, like who really wants to pay $10 a month to watch TV shows and movies. And most times, they will simply do a Google search to see if they can find it for free online, but it is not without risk. Downloading and using anything from illegitimate sources has risks and really shouldn’t be done. Most virus protection will warn you of key generators and such, but people will just turn it off to try to use it anyway. The creator of this faux Netflix knows this and is exploiting it.
Andres Galarza says
Makes sense. This is a good example of the “path of least resistance”. Small fish are much more likely to have much less resiliency than a larger corporation and the extortion prices are “affordable” if someone is at risk of losing all their media.
Elizabeth V Calise says
St. Jude Medical Patches Cardiac Machine’s Cybersecurity Flaw
St. Jude Medical recently started deploying software to help protect its remote monitoring system for implantable pacemaker and defibrillator devices. It came out that its product, Merlin@home transmitter, contained vulnerabilities. The product collects data and sends it to the physician over the Merlin.Net Patient Care Network via a landline, cellular, or Internet connection. The article explained that the healthcare industry is a target for hackers, but the risk of anyone tampering with the devices is low. However, if the device is vulnerable, the risk of an attack is high and results can be fatal. There is potential for a hacker to use these devices (like a pacemaker) as leverage against someone to get access to their financials.
This article was quite intriguing and created another perspective on cybersecurity for me. My first thought on cyber-attack targets are banks, large department stores (Target), healthcare companies (customer information), the government, so the “norm” for hackers. To look at it from a healthcare industry perspective, but their products specifically is something new to me. It makes sense that if “body-interfacing IoT devices” are vulnerable, they can easily be hacked. However, I believe this is quite extreme though because getting access into a body-interfacing device can have fatal consequences. There may have to be something severely wrong with someone to use these devices as leverage to access another’s financials.
http://www.technewsworld.com/story/84219.html
Vaibhav Shukla says
It’s very important for the healthcare industry to revamp their security considerations. In present times any medical device on the network could be a probable target of hackers. When we hear about the healthcare industry, most of the security policies deal with protecting the patients’ PHI. But a series of attacks on IoT devices clearly proves that if healthcare devices are attacked they could probably risk the life of patients, which is more dangerous than hacking of cameras and internet-TV.
Roberto Nogueda says
Hello Elizabeth/Vaibhav- here is another interesting article that makes us scratch our heads and think carefully about how medical facilities and major hospitals use technology to fix people’s issues, but are not securing the whole information cycle.
I always say, securely connect your devices or use VPNs. As you mention in your article Elizabeth, over the internet, landlines and cellular communications are not strong enough to protect medical records tied to a patient, let alone having those expensive devices stay connected to an open online connection.
This looks like those organizations need to go over a good cyber security assessment, to find, detect, analyze, and resolve vulnerabilities in their software, hardware and firmware combined.
Elizabeth V Calise says
I could not agree with both of you more. This article definitely made me scratch my head and take some time to think about it. The life of a patient is definitely more dangerous than hacking other systems. Like Roberto said, the health industry definitely needs to take some courses on cyber security and ensure the information is safe, but most importantly, so are the patients.
Loi Van Tran says
Thank you for the discussion,
Considering all the development dollars that they put into these devices to make it work, they should put more focus on making them secure. I think it’s all time for regulators to take action, rather than wait until people start dying because their pacemakers were hacked.
Andres Galarza says
I can hear the cries of “Free market! free market! free market!” but I agree. There needs to be some teeth in the consequences on not taking quick action to address vulnerabilities such as the one Elizabeth highlights.
Anthony Clayton Fecondo says
I think that government regulation would serve as a temporary solution, but I think it fails to address the underlying issue: the need for ubiquitous cyber security awareness. Regulating the problem away keeps consumers in the dark regarding the importance of cyber security and postpones awareness. Once awareness develops, then the market will recognize the importance of secure internet of things devices and demand them, which in turn will require manufacturers to develop more secure devices. However, I could see the legitimacy of legislation for specific industries, such as healthcare, due to the high risk nature of the application of IoT devices.
Ruslan Yakush says
Elizabeth, great article! The fact that tampering with Bio-IoT devices poses a life-threatening situation is a really serious concern. It is one thing when hackers take advantage of a financial landmark and gain money, but if hackers can potentially exploit a vulnerability in IoT devices, and I am sure they will at some point, then it really brings a huge concern about how to protect human lives from such danger. I guess a Bio-IoT device must at least transmit data in encrypted format with a strong authentication and non-repudiation mechanism.
Ruslan Yakush says
I found this article about charges pressed against a Russian cybersecurity expert – Ruslan Stoyanov, who worked for the largest cybersecurity firm in Russia, Kaspersky Lab. He also used to work for the Ministry of Communication of Russia and had ties with the FSB – Federal Intelligence Agency, which is being blamed by U.S. intelligence for hacking the DNC system and manipulating votes to help Trump in the presidential election. Eventually, it turns out that Kaspersky Lab has nothing to do with hacking, but blame is still out there.
This article triggered a few thoughts…… From Digital Forensics perspectives and with all applicable international laws, to what extent can U.S. Government Agencies demand evidence from Russia even though they have found potentially legitimate evidence? What are the limits in terms of searching for evidence on systems that are found to be sources of attack residing at Russian territory? What means should FBI and NSA use to collect evidence all way through discovered trace?
Perhaps, no one can ever find out the true source of hacking attack as real hackers could use Russian servers as proxy or middle-man servers for U.S. attacks, after which most important evidence/traps had been vanished.
Ref. Articles:
http://www.ehackingnews.com/2017/01/treason-charges-pressed-against-russian.html
http://www.esquire.com/news-politics/a49791/russian-dnc-emails-hacked/
Vaibhav Shukla says
As mentioned by you, it’s difficult to prosecute and collect evidence in the case of international cyber crimes.
As of now there is still no strong international charter available which defines procedures and support for investigation in such cyber crimes. A Russian-backed treaty in the UN was rejected in 2010 due to differences between developing and developed countries on law. There do exist charters of the G8 and UN which define dealing with cyber crime, but they are not substantial enough to tackle growing interstate cyber crime. As you mention in the above case, Russia will keep asking for legitimate evidence, and the farthest step the US can take is to take the case to international court and get some sanctions imposed on Russia, which Russia is still facing, though.
Andres Galarza says
I think, in addition to what Vaibhav is saying, you have to question who can really apply pain/pressure/”justice” to Russia. They have a permanent seat on the UN Security Council, and the International Criminal Court (ICC) doesn’t seem to carry much weight. I looked at their primer on “how the ICC works” and it doesn’t inspire confidence that Russia would have much to be afraid of.
https://www.icc-cpi.int/iccdocs/PIDS/publications/UICCEng.pdf
Elizabeth V Calise says
Really appreciate all the comments everyone. I am new to cyber so it helps reading your thoughts related to international cyber crime, which I am not very knowledgeable in. With the constant increase in cyber attacks, and I am sure it will continue to increase since we live in a technical world, I am wondering when a strong, reliable international charter regarding cyber crimes will be addressed and put in place. There are always discussions about Russia and China cyber attacking the US and I am sure other countries are being hit as well. The problem will only continue to get worse; then again, I am not familiar enough to know how difficult it might be to develop a strong charter and implement it.
Andres Galarza says
Elizabeth, it’s definitely a huge and intricate problem to solve. I guess we can be a little heartened by looking at how international relations and diplomacy work now. Economic sanctions seem to be the preferred weapon of choice for the United States, but there hasn’t been a “cyber” Pearl Harbor or something similar that has impacted us directly. I don’t think I’m being too cynical when I say that it’s only a matter of time. Our nation’s infrastructure is very vulnerable, simply put.
I wonder if in our lifetimes we’ll see the U.S. make a conventional military response to a cyber attack.
Ruslan Yakush says
Thanks everyone for your great comments! It seems like Russia keeps dictating rules and not really cooperating with organizations such as the UN and the International Court. I think it would really be best if Russia found a mutual agreement with the U.S. on international cybercrime laws and tried not to violate them. Otherwise, eventually everyone will become violent, creating chaos and who knows what else much worse.
Nevertheless, I think the U.S. should do whatever it takes to invest in cybersecurity technologies and knowledgeable professionals who can build comprehensive “defense-in-depth” cybersecurity measures that would not only improve security of the DNC and other critical governmental agencies, but also avoid unnecessary investigation efforts and potential conflicts with other countries. The USA has a lot of power and resources, but both have to be allocated appropriately and professionally to achieve high-end security, process consistency and protection of assets.
Darin Bartholomew says
I think this highlights a massive issue that we’re going to have to face as a connected world, and on a smaller level we need to figure this out as a country. Much like our lack of charter among countries, we also have a maze of different laws and regulations from state to state in the United States, which complicates things. It’s going to start to become an economic burden for multinational and multistate organizations who are forced to comply with such a wide range of regulations.
Ruslan Yakush says
Darin, great point! I believe if USA had all states united in terms of having one set of country laws and regulations, then a lot of complications would have been gone. I think it would simplify cybersecurity laws and tactics, general laws and standards, etc..
As an example, it is similar to having a company with lots of tools and applications not talking to each other well enough, thus creating complications, inconsistencies and misinterpretations. Instead, company could have one or a few unified solutions to eliminate all above issues.
Joseph Nguyen says
The University of Geneva has a system that I found good to share and can prevent a problem that Temple faced with the hacking in the article. PCs for students have a blank new OS image at each reboot!
Related to the article, I read in the database legislation of the United States under section 1030 (Fraud and related activity in connection with computers), which describes the Crimes and Criminal Procedure against the government computers, which can be punishable by imprisonment of up to 20 years (subparagraph E) or life (subparagraph F).
Ruslan, very interesting posting about Russian hackers, and Vaibhav about international cyber crimes.
Andres Galarza says
I wonder how often and under what circumstances violations of the laws you quoted are prosecuted. I’ve worked around government computers for more than half a decade and was unaware of those laws!
Jonathan Duani says
A lot of schools use software like Deep Freeze, where upon reboot it will reimage the computer. It makes it annoying if you saved something locally then forgot, but from a security standpoint if anything goes wrong you can just reboot the machine and it should fix the problem.
Darin Bartholomew says
Joseph great comment. I wonder if this is something that Temple is starting to do on select PCs. I’ve noticed that Windows 10 machines in Alter common areas always give me the “setting up this PC” prompt as soon as I log in.
If they’re giving a fresh image on every reboot what sort of challenges would a forensics expert face if they need to recover information from a machine used in a malicious act?
Roberto Nogueda says
5 Cybersecurity Lessons Learned from the Super Bowl
Rag Harnish, a contributor for Security Magazine.com talks about the security around 3rd party vendors and the risks imposed when they are not secured on their end, making you vulnerable and easy to be attacked.
In my short experience with 3rd party vendors I have learned that new vendors push their way in to do business with you or your company, but often forget to assess their company and the security levels to avoid a disaster.
For new vendors, I suggest you and your organization have a robust process for on-boarding vendors. It starts with procurement to begin a relationship with the vendor. Some of the tools that will make things easy for both parties are a network request, a legal agreement, a cyber security assessment, and an enforcing team that will keep things in place.
For existing vendors, it’s safe to say that they do need a reassessment at least once a year, just to give you visibility in risk and how things can get better from the security perspective.
Also, if your organization is big, work with your legal, network, perimeter defense, network architecture, compliance and local IT to better understand the situation and provide a better customer experience.
http://www.securitymagazine.com/articles/87777-cybersecurity-lessons-learned-from-the-super-bowl
Amanda M Rossetti says
The security risks that come from engaging third parties are, in my opinion, ones that companies routinely handle badly, but managing them should be one of the companies’ highest priorities. Organizations tend to think when they outsource a function, they are also outsourcing the risks associated with that function, when it is actually the opposite of this. There are now more risks associated with that function and they have now become harder to manage. Some of the most high profile breaches we’ve seen over the last few years have occurred partially as a result of the organization’s failure to manage vendor risk. The Target breach is a classic example of this. The hacker didn’t go right for Target’s systems. They attacked Target’s HVAC vendor, and then used the legitimate access that the HVAC vendor had to Target’s systems to perpetrate the attack. Organizations need to have robust vendor risk management programs to understand and manage the risks that come with engaging third parties. They need to know all third parties they engage, what access each third party has to the organization’s systems or data, and what security is in place for each of these vendors.
Vaibhav Shukla says
It’s really a great article and even I had less knowledge on 3rd party vendors’ security procedures. I think 2 things can play an important role as per your suggestions:
1) A charter or SLA should be signed by the 3rd party vendor before going into the business, and the charter should cover all security boundaries where the vendor accepts to follow them along with periodic assessment. In case of a security breach the organization has the right to sue the company to recover damages.
2) Minimize the level of exposure of your systems to the vendor; only share the data and systems which are required by the vendor.
Darin Bartholomew says
Roberto I thought this was a great article and a fun take on cyber security. I thought the most important one to remember is that it’s a people game. At the root of every cyber attack or vulnerability is a human element. A computer doesn’t decide to do evil things, a person tells it to act that way. A system is vulnerable because a person can find a way to exploit it. I think the human element is so huge.
Noah J Berson says
“Hacker Dumps iOS Cracking Tools Allegedly Stolen from Cellebrite”
Cellebrite is an Israeli firm that focuses on aiding law enforcement in extracting information from phones they obtain. They specialize in creating an all-in-one solution device that law enforcement can physically attach to a phone no matter what model. It is capable of exploiting flaws in older versions of Android, BlackBerry and iOS. Recently they were the victims of a hacker who took over 900GB of data which has now begun to leak onto the internet. He was able to get into a remote server that had a lot of files and backup images of the cracking software they sell. The hacker has been vocal with news sites when asked questions. In his opinion, he sees society moving to more authoritarian regimes and that when backdoors are created they eventually will get released no matter the intention. This appears to be referencing the debate over whether Apple should crack their own software for the San Bernardino terrorist. The argument is that even when a tool is created to stop crime, it will end up in the wrong hands eventually and may cause more damage than the good it does.
Cellebrite’s initial response to the hack was claiming that only basic customer contact information was taken, but that no longer seems to be what happened. Cellebrite says that their software has helped law enforcement in multiple cases with crimes such as drugs, murder, and child trafficking.
The tools released show that Cellebrite was also modifying some public phone solutions for their forensic purposes. Some code looks similar to that of the famous iPhone jailbreaker, GeoHot. Cellebrite does create their own cracks for the latest versions of iPhone software and these methods are supposed to never leave the company unlike the code the hacker was able to get into.
https://motherboard.vice.com/en_us/article/hacker-dumps-ios-cracking-tools-allegedly-stolen-from-cellebrite
Jonathan Duani says
This is a really interesting article I think everyone needs to be aware of. Tim Cook said last year when the FBI was trying to get into the iPhone 5C that he would not make this software because he was scared of what would happen if this was released into the world. Now that it is released into the world, I am curious to see what happens. If this does get into the wrong hands I could not even imagine what people would be capable of.
Loi Van Tran says
I remember us having quite a few heated discussions about whether Apple should or should not provide backdoors into their iOS. The outcome was simple: if Apple didn’t, someone else would. In this case, Cellebrite. Nothing is 100% secured and even if a piece of technology was intended for the good of all, it can be used in a negative way.
Noah J Berson says
I think the hacker here probably had similar discussions with peers but decided to prove his point by doing this illegal act. While he does prove that backdoors can get out, even releasing one can create a lot of harm if other hackers with worse intentions get a hold of it. I think that most of the tools released require physical access to the device so the damage may not be on a widespread scale here but it could be. A skilled hacker may be able to use the same flaw in a remote code.
Amanda M Rossetti says
This is part of why the San Bernardino iPhone case was so terrifying to me and why I think it is important for tech companies to not build in back doors for law enforcement. I want people who do bad things to get caught and justice to be served, but I think that the risk of these back doors being exploited by the people who do bad things far outweighs the benefit to law enforcement. I think it is more of a when than an if that the back doors would be exploited. I think that these back doors will be found in multiple ways, including that criminals are constantly looking for back doors to exploit, so it is possible they will find the built-in back door for law enforcement in their normal search for vulnerabilities. Also, as we have seen multiple times over the last few years, the US government has terrible cyber security. If they have knowledge of these back doors, the hackers will find where that knowledge is stored and take it. I honestly don’t think it would even be that hard for an attacker to find the back doors once they know one exists for law enforcement and where to look.
Noah J Berson says
The company Cellebrite is only able to use certain exploits in the code since there aren’t really any backdoors yet. A back door implies giving a lot of control over everything in the system, even more so than just copying data. Discovering a backdoor in software can tank a company’s reputation as hard as a singer caught lipsyncing. Many people want to know that their data is safe and any backdoor will compromise that integrity.
Jonathan Duani says
Email Is Forever – and It’s Not Private
A very interesting article that I found talking about how safe your private emails really are. I thought it was interesting because we have been talking about discovery in class and emails may be one of the things we are going to have to collect for someone for some reason. They discuss how insecure of a way to communicate it is. They also explain that people become exposed because they open themselves up to shortcuts and could cause a major leak of information because of this.
Source: http://www.securityweek.com/email-forever-and-its-not-private
Elizabeth V Calise says
Good article pick due to how much people utilize email these days and the risks it can bring. In the article, it mentioned about the lack of cyber awareness from people, which I could not agree more with. It reminded me that at work before an employee sends an email, a message comes up and you have to click if the email should be labeled as containing international information, company proprietary information, etc. This message pop up I think can be beneficial because it might make a person double think what they are sending and if it is okay to send over email. It also informs the receiver what type of information they are receiving and email message contains a warning about disclosing any company data.
Andres Galarza says
I’ve heard it said by more than a few people that many c-suite and board members in certain businesses simply no longer use email for anything other than rote clerical and scheduling functions. The fact is that anything sensitive or incriminating written in an email can be reconstructed/leaked or stolen. When this risk is catastrophic to an individual or business, meeting face-to-face or calling with a burner phone is harder to prove.
Samantha M Sederstrand says
Jonathan,
I found your article very interesting. Normally when I hit the delete button I just assume that the content is gone and I no longer have to think about the information that the email contained. I think that it makes more sense that it is an insecure way to communicate since it would be easy for hackers to learn a ton of information about a person based on the content of the emails.
Darin Bartholomew says
Great post Jonathan. Generally the rule of thumb I’ve operated under is that if I don’t want to see it on the front page of Philly.com I shouldn’t hit send in the first place. I wonder if we will ever go back to physical paper communication for incredibly sensitive communication without an urgency of delivery time. We as professionals entering the cyber world don’t want that to happen, but I wonder if we will ever reverse direction in some cases.
Amanda M Rossetti says
A hospital in Virginia had over 5000 patient records stolen in a data breach. Vascular and thoracic patients from 2012 to 2015 had their records stolen from a third party vendor. The information includes patient names, social security numbers, and procedure information. The breach was discovered in November 2016 and the hospital has now sent out written notice to affected patients. The vendor says they are enhancing their security after the breach and the hospital says they are working with law enforcement and a cyber security firm to investigate. This incident highlights the importance of vendor management and the risks organizations open themselves up to when allowing third parties access to their systems and data.
http://wavy.com/2017/01/16/sentara-healthcare-security-breach/
Loi Van Tran says
Amanda,
I thought this was interesting and decided to do some more research on the company. It seems that this was not their first data breach. In October 2015, they lost a hard drive containing 1040 records of patients’ names, birth dates, diagnoses, type of procedure and clinical notes. Before that, in 2012, 56,000 patients’ information was stolen from a laptop inside a locked car of an employee with another third party vendor, Omnicell, LLC. It is clear that they are lacking physical and logical security to protect patient information. Isn’t there some sort of negligence clause that could hold their top level management to the fire?
https://www.law360.com/articles/881565/sentara-vendor-breach-exposes-5k-hospital-patients-data
Loi Van Tran says
Free Ransomware Decryption Tools
There has been a lot of buzz about ransomware; some studies have shown it has increased 750% from 2015 – 2016. The article posted by Darin shows that it’s now targeting consumers through fake apps that deliver the ransomware.
Well, there might be some hope for companies and consumers that don’t want to dish out the bitcoins to get their files decrypted. In July 2016, the Dutch National Police, Europol, Kaspersky Lab, and Intel Security teamed up on the No More Ransom project. The goal of this project is to provide free decryption tools to victims of ransomware. So far, they were able to crack 24 different variants of ransomware. Ransomware criminals have taken notice, but as more organizations like Bitdefender, Emsisoft, Check Point, and Trend Micro continue to join the effort, it might be a relief for some people.
http://www.darkreading.com/threat-intelligence/6-free-ransomware-decryption-tools/d/d-id/1327999
Loi Van Tran says
Supposed to be a separate article.
BIlaal Williams says
I actually looked at an article last year which talked about No More Ransom and its attempt to provide tools to the public to defend themselves against ransomware attacks. It’s good to see that the project has progressed and there are now several tools available. It is important for every cyber security professional to be aware of these tools and how they work as ransomware attacks become more prevalent in the industry.
Amanda M Rossetti says
I was a freshman when the grade hacking incident happened here at Temple. I remember several professors, including my intro to MIS professor, giving lectures about academic dishonesty and how the hack took so much more effort than just actually doing the course work. My MIS professor was particularly disappointed because with that kind of skill the student could have had a bright future as an IT or security professional and instead decided to use his knowledge for evil.
The situation at Temple is apparently also not that uncommon of an occurrence. I can’t say I’m surprised, since students have always come up with new and inventive ways to cheat. I found a few more incidents that occurred around the same time as the Temple incident, many of which used the same key logger hack that the Temple student utilized. The key to remember here is that all of these students got caught. Some of the students changed Bs to As, so it isn’t just the fact that Fs get scrutinized more that led to the Temple student getting caught.
http://www.usatoday.com/story/tech/2013/06/14/purdue-university-grade-hacking/2423863/
Mengxue Ni says
Nice comment on the news, Amanda,
I didn’t remember the incident, but I think every professor talks about academic dishonesty at the beginning of classes. But still students can come up with different ways to cheat. I felt cheating was useless because one day you have to work in society; there is no chance to cheat. Also, even if you have a 4.0 GPA, if you don’t know any skills, you still cannot find a decent job in the future.
Noah J Berson says
They probably were cheating in multiple ways since they were colluding. It also mentioned they were taking test answers ahead of time. I do not like how this article presents these students as particularly skillful. What appears to have happened is that sometimes they find the professor’s password out or figure out the professor’s password recovery process. One of the ways they did this was through keylogging keyboards, which they probably bought instead of created.
Anthony Clayton Fecondo says
I think part of why the students get caught is because it’s so easy to connect the dots that if one student’s grades are changing, the perpetrator is probably that student. It’s kind of comical to think about. Another thing that these hackers should keep in mind is that the digital records of their grades are very rarely the only copy of the grades which makes identifying disparities a simple matter. Overall, I think the risk to reward ratio for changing the grades seems a little off and I have to agree that just doing the work in the first place would have been much easier.
Mengxue Ni says
How Hackable Is In-Flight Wi-Fi? We’re About to Find Out
Public Wi-Fi is always a vulnerability that exposes you to hackers. Free Wi-Fi at airports, restaurants, and coffee shops is available for everyone. If you connect to a fake Wi-Fi that was created by a hacker, your information will leak immediately.
In the news, they did an experiment. The cybersecurity experts set up an unauthorized, insecure Wi-Fi at the airport and called it airport Wi-Fi. Within a minute, 15 travelers logged on without noticing it’s an unsecure Wi-Fi. Charging stations are also targets of hackers. It is called juice jacking. When you plug into a USB port, a pop-up prompt will ask if you trust the device. Most people will simply choose trust; if the port was controlled by a hacker, you will lose your data on the phone.
Here is some advice to protect yourself:
1. Don’t charge in a USB port, use a plug
2. Be wary of pop-up prompts
3. Be skeptical of generic network names
4. Use a virtual private network
Link: http://www.nbcnews.com/tech/security/how-hackable-flight-wi-fi-we-re-about-find-out-n699251
Samantha M Sederstrand says
Mengxue,
I enjoyed your analysis on the article. I think it is important that the public be aware of the increasing threat to private information from technology. It makes sense that hackers would use different wifi connections to take personal information. Knowing that there is a threat makes it easier to protect yourself against it.
BIlaal Williams says
Very good article which explains what is in my opinion the main method that malicious hackers attack the public. I also thought it was interesting that Gogo is inviting hackers to test their network and report vulnerabilities for reward. I believe this will be an effective way to improve the security of public wifi – this method would be similar to the hardening of open source software through community involvement. I feel that this new attitude towards network security which allows feedback from hackers to improve security will prove beneficial in the long run.
Andres Galarza says
“How to make 60,000 printers print whatever you want”
This is a cool article on how to exploit a lesser-known and often unsecured port that allows you to own networked printers.
https://kur0sec.org/print
Darin Bartholomew says
This is great, Andres. One more example of how important it is to block ports that aren’t being used or aren’t necessary. It looks like the port in question is only used for administrative purposes and could probably be closed without any major impact on end user functionality.
Anthony Clayton Fecondo says
I read an article that summarized an interview with a hacker who was responsible for hacking Freedom Hosting II, a hosting provider that drives about 20% of sites on the dark web. The article touches on the hacker’s process for this attack, but doesn’t actually list the twenty-some steps he took. Originally the hacker intended to just look around, but after discovering a bunch of child pornography, he decided to shut the sites hosted by Freedom Hosting down. The hacker intends to hand over the process and records of the files to a professional so that justice can be served.
Article: https://motherboard.vice.com/en_us/article/talking-to-the-hacker-who-took-down-a-fifth-of-the-dark-web
Ruslan Yakush says
Anthony, nice article! This is a great example as proof of the consequences when a company does not have appropriate security access controls, services and protocols monitoring and alerting. However, in this case, given the site’s inappropriate content, the hacker did a great job revealing the truth and having a court of law apply all required prosecutions.
Besides, in case anyone was watching, there is also a TV show called “Mr. Robot”, where Elliot hacked a coffee shop where the owner was involved in child pornography abuse. The hacker called the police and had the man arrested for further prosecution to the full extent of the law. So, this is just a similar example of “good-will” hackers.
BIlaal Williams says
What’s also interesting about this article is the statement on how the Fed usually handles these types of dark web sites. In the article it states that the hacker’s good intentions may make it harder for the Fed to track down individual users since they normally infiltrate the site and inject malware on users’ systems while the site is still active. This being said I still applaud the actions of this hacker and the fact that he chose to make the methods he used to infiltrate the site available to the public.
Samantha M Sederstrand says
I found an article that discusses the Super Bowl from a cyber security perspective. It focuses on how the NFL uses risk management to protect 73,000 ticket holders from a cyber attack using tools of mitigation. The article looks at preparing for the worst by looking at the threat horizon to make sure that the staff is skilled in security incident and event management. Secondly, implementing pre-emptive planning which involves identifying risks and ways to monitor and prioritize threats. Finally, understanding the human factor that the staff can be targets. Having policies in place that help with bring your own devices and training people to identify phishing threats.
Reference:
http://www.forbes.com/sites/centurylink/2017/01/26/4-tips-for-securely-accepting-payments/#7a33963b1c68
Noah J Berson says
It is good when industries recognize that they need to increase their security overall. The Super Bowl attracts many people and with that would-be attackers as well. Respecting the human element of possible breaches is one of the most important rules.
Darin Bartholomew says
Great post Samantha. I think one of the most telling things about this was that 30% of businesses surveyed either aren’t in compliance or are unsure of the compliance with PCI standards. That’s incredibly scary.
BIlaal Williams says
This article explains a pretty straightforward way to hack an Android phone. It involves the Metasploit modules msfvenom and msfconsole. In msfvenom, you create a malicious payload which will create reverse shell code and inject it into an apk file. This file will need to be downloaded by the victim to gain remote access. Prior to downloading the file, a listener will have to be set up in msfconsole, which will be activated once the user opens the program. Methods to get a user to download this file will require some creativity and social engineering; the file could be offered on a fictitious website, or provided in the Google Play Store to download. This is a good practice in developing and using a tool that is used by hackers to gain unauthorized access to Android phones. I ran the exploit against my phone and was able to access the web cam, web stream, and SMS text messaging.
http://itechhacks.com/how-to-hack-android-phones-using-kali-linux/
BIlaal Williams says
This article explains a pretty straightforward way to hack an Android phone. It involves the Metasploit modules msfvenom and msfconsole. In msfvenom, you create a malicious payload which will create reverse shell code and inject it into an apk file. This file will need to be downloaded by the victim to gain remote access. Prior to downloading the file, a listener will have to be set up in msfconsole, which will be activated once the user starts the program. The download can be delivered via a fictitious website or social engineering. This is a good practice in developing and using a hacker tool used to gain unauthorized access to Android phones. I ran the exploit against my phone and was able to access the web cam, web stream, and text messaging.
http://itechhacks.com/how-to-hack-android-phones-using-kali-linux/