Temple University

Darin Bartholomew

Week 13!

Regardless of how many security products and procedures you put in place, there will still be ways to get around them and cover the attacker's tracks. Evasion techniques are used to accomplish these goals. Our reading is an introductory piece on evasion techniques and lists obfuscation, encryption and tunneling, fragmentation, and protocol violations as examples.

Evasion is incredibly dangerous because it lets an attack go through without being detected or traced. It would be like the IT version of a stealth bomber flying into your airspace without showing up on radar. Since these techniques are so dangerous, it's important to test whether your own defenses can be evaded. The method suggested in the reading is to set up an isolated test network that simulates the real environment and is not connected to production, so the test traffic can neither reach nor disturb live systems.
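To make the fragmentation technique concrete, here is an added example (mine, not from the reading): a toy signature detector that inspects each TCP segment on its own, beside one that reassembles the stream first. The request text, the signature string and the segment layout are all constructed for the example; no real IDS code is involved.

```python
"""Fragmentation evasion versus stream reassembly (added example).

Toy model: a signature-based detector looks for a known attack string.
The "naive" detector inspects each TCP segment on its own; the
"reassembling" detector rebuilds the byte stream first. Request text,
signature and segment layout are all constructed for this example.
"""
from typing import List, Tuple

# (relative TCP sequence number, payload bytes); constructed, not captured
Segment = Tuple[int, bytes]

# Hypothetical signature for a path-traversal attempt.
SIGNATURE = b"../../etc/passwd"

# Constructed request that would trigger the signature if seen whole.
REQUEST = (b"GET /download?file=../../etc/passwd HTTP/1.1\r\n"
           b"Host: example.test\r\n\r\n")


def evasive_segments(request: bytes, split_at: int) -> List[Segment]:
    """Split the request so the signature straddles a segment boundary,
    and deliver the second piece before the first (out of order), which
    is what a fragmentation-based evasion does."""
    first, second = request[:split_at], request[split_at:]
    return [(split_at, second), (0, first)]


def naive_ids(segments: List[Segment]) -> bool:
    """Per-segment matcher: each segment is inspected independently."""
    return any(SIGNATURE in data for _seq, data in segments)


def reassemble(segments: List[Segment]) -> bytes:
    """Rebuild the stream in sequence order (no overlaps assumed here)."""
    ordered = sorted(segments, key=lambda seg: seg[0])
    return b"".join(data for _seq, data in ordered)


def reassembling_ids(segments: List[Segment]) -> bool:
    """Stream-aware matcher: reassemble, then search."""
    return SIGNATURE in reassemble(segments)


def demo() -> Tuple[bool, bool]:
    """Returns (naive_hit, reassembled_hit) for the evasive split."""
    split = REQUEST.index(SIGNATURE) + 5  # boundary falls inside the signature
    segs = evasive_segments(REQUEST, split)
    return naive_ids(segs), reassembling_ids(segs)


if __name__ == "__main__":
    naive_hit, stream_hit = demo()
    print(f"per-segment matcher: {'alert' if naive_hit else 'missed'}")
    print(f"reassembling matcher: {'alert' if stream_hit else 'missed'}")
```

The per-segment matcher misses the attack even though every byte of it crossed the wire; the reassembling one catches it. Real detectors also have to handle overlapping and retransmitted segments, and an attacker can exploit any difference between how the sensor and the target host resolve those overlaps, which is the deeper form of this evasion.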

Article for the week: Anonymous declares cyber war on ISIS http://fortune.com/2015/11/16/anonymous-cyber-war-isis/?xid=soc_socialflow_twitter_FORTUNE

I thought this was of note because, as more and more of society's risk shifts into the cyber domain, there is a chance that individuals will play unsolicited roles in military-type actions that used to be exclusive to governments.

Week 12 Review.

Web services are defined in the reading as "component services that others might use to build bigger services." An example is a service that automatically updates the stock price while you're reading a Wall Street Journal article about a company. This led me to the question "what is the difference between a web application and a web service?" So I did a little poking around, and it looks like the big difference is that a web application is a full product with a user interface, while a web service is a programmatic component, typically called over HTTP by other software rather than by a person. The stock price updater is just one component of the page that presents the story. If you went to the Wall Street Journal stock tracker, that would be an application, because it has a full interface where you can select stocks, see prices, change the time period on the chart and completely customize the experience.

Web services can be attractive targets because they run over HTTP and HTTPS (ports 80 and 443), which firewalls almost always leave open, so an attacker's crafted requests pass through the same path as legitimate traffic. Web services are also useful for reconnaissance, since their interface descriptions and error messages tend to reveal operations, parameters and back-end technology, and they present a number of opportunities for denial of service attacks because each request can trigger expensive processing on the back end.

My question for the class would simply be if my above explanation of the difference between an application and service is correct.

News article: Comcast resetting passwords of users whose account credentials were posted online http://www.zdnet.com/article/comcast-resets-passwords-after-login-details-posted-on-dark-web/

About 590,000 Comcast account credential combinations were offered on a dark-market website that sells access to the accounts in exchange for bitcoin. Comcast says about a third of these belong to still-active accounts. I thought this was of interest because even though Comcast is, and will continue to be, the one who suffers the PR blowback for this, it appears it was a third-party vendor that had the security breach. It reminds us how important it is to have proper controls in place with third-party vendors to ensure the security of data, because the vendor won't face nearly the backlash that the other company receives.

Week 11

SQL injection is a technique where an attacker supplies input (through a URL parameter, a form field or any other value the application accepts) that the application concatenates into a SQL query, so the attacker's text is executed as part of the query against the database the application runs on. The first step is usually to establish information about the database itself, such as its type, version, and table and column names; once that information is gathered it is possible to launch more targeted attacks. Using this technique you can pull usernames and password hashes out of the database and go further from that point. An attacker can read any information in a table once they know, or correctly guess, the table and column names.
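An added example of my own (not from the reading) showing the bug and the fix side by side, against an in-memory SQLite database with constructed rows: the vulnerable function builds the query by string concatenation, and the two payloads show both the classic tautology that dumps every row and a UNION query that reads table definitions out of the schema catalog instead of guessing names. The table, columns and hash values are invented.

```python
"""SQL injection: vulnerable string building beside a parameterized query
(added example, not from the reading). Uses an in-memory SQLite database
with constructed rows; the table, column and hash values are made up."""
import sqlite3
from typing import Dict, List, Tuple


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", "sha256$deadbeef"), ("bob", "sha256$cafebabe")],  # constructed
    )
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Untrusted input is concatenated into the query text (the bug)."""
    query = (
        "SELECT username, password_hash FROM users "
        f"WHERE username = '{username}'"
    )
    return conn.execute(query).fetchall()


def safe_lookup(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Parameterized query: the driver passes the value separately from the
    SQL text, so quotes in the input never become SQL syntax."""
    return conn.execute(
        "SELECT username, password_hash FROM users WHERE username = ?",
        (username,),
    ).fetchall()


# Classic tautology: the WHERE clause becomes "... OR '1'='1'", matching every row.
DUMP_ALL = "x' OR '1'='1"

# UNION payload that reads the schema catalog instead of guessing names;
# the trailing "--" comments out the application's own closing quote.
SCHEMA_PAYLOAD = "x' UNION SELECT name, sql FROM sqlite_master--"


def demo() -> Dict[str, List[Tuple[str, str]]]:
    conn = build_db()
    return {
        "vuln_dump_all": vulnerable_lookup(conn, DUMP_ALL),
        "vuln_schema": vulnerable_lookup(conn, SCHEMA_PAYLOAD),
        "safe_dump_all": safe_lookup(conn, DUMP_ALL),
        "safe_schema": safe_lookup(conn, SCHEMA_PAYLOAD),
        "safe_normal": safe_lookup(conn, "alice"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Against the vulnerable function the first payload returns both users' hashes and the second returns the CREATE TABLE text for every table, which is exactly the "learn the column names" step described above. The parameterized function returns nothing for either payload, because the whole string is compared as a literal username. Parameterized queries (prepared statements) are the primary defense; input validation and least-privilege database accounts are defense in depth on top of that.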

Question for the class: how would you defend against this type of attack?

Article: http://www.zdnet.com/article/dark-mail-debut-to-open-door-for-lavabit-return-ladar-levison/

The same person behind Snowden's encrypted email service is working on a new set of protocols and software, built from the ground up, to create a surveillance-proof email service for security-minded individuals. This is an interesting project and will further the conversation about what information companies are responsible for providing to authorities, how we go about obtaining data from email, etc.

Week 10

Burp Suite is a powerful tool for testing web applications for potential vulnerabilities, and its components each play a different role. Burp Proxy sits between the browser and the application as an intercepting proxy, which lets you view and modify every request and response; it is literally in the middle of the browser and the application, the same position a man-in-the-middle attacker would hold. Burp Sequencer analyzes the randomness of session tokens and other values used for authentication, to judge whether they could be predicted. Burp Decoder encodes and decodes data in formats such as URL encoding, Base64 and hex (it does not break real encryption), which is useful for reading values the client sends. Burp Comparer simply compares two sets of data, such as two responses, so you can see where the differences are. The site map records everything seen through the proxy and helps you decide where to focus your attention on a domain, and Burp Spider crawls the site to build an exhaustive list of URLs; temple.edu would produce far more entries than darinbartholomew.com. Finally, Burp Intruder executes the attacks: once you have used the other tools to understand the authentication and define your scope, it sends customized payloads into the chosen request parameters, for example to brute-force a login or fuzz an input.

Question for the class: Do you see web application threats to be a growing trend as we become even more connected and our applications become more network dependent than they already are?

Article http://www.zdnet.com/article/find-a-flash-drive-pick-it-up-study-highlights-poor-city-security-habits/

This article interested me because it used a "social experiment" (sort of like social engineering) to see how many people would pick up an abandoned USB drive and later plug it into their devices. 17 percent, roughly one in six, did so. This is a huge vulnerability because someone could do the same thing with malicious intent, and the drive could launch malicious software instead of the benign software used in this case simply to report that it had been plugged in. For us this is something to think about, because without proper training and employee awareness one of these drives could end up infecting an entire network that we may one day be working to protect.

Malware reading

Malware is an umbrella term for all malicious software: viruses, Trojans, worms, etc. all fall under it. The reading suggested the SANS six-step incident handling model as a way to handle malicious software. Its six steps are preparation, identification, containment, eradication, recovery and lessons learned; preparation and identification are happening constantly rather than once. Since there are so many viruses, the reading breaks them into four subgroups: memory-based, target-based, obfuscation-technique-based and payload-based.

My question would be: what type of malware do you think is the easiest to protect against, and which could do the most damage?

Article:  http://www.zdnet.com/article/yahoo-latest-at-kill-the-password-alter/

Yahoo is looking to do away with passwords and instead use a login that sends a push notification to the account owner's phone to approve or deny an attempt to access the account.

Week 8 reading and article

Social engineering is an often overlooked security threat to an organization. In some cases you could probably argue that social engineering is the easiest way to launch an attack on an organization.

Social engineering attacks generally follow a four-step cycle: information gathering, developing a relationship, exploitation and execution. Like anything in cyber security these lines tend to blur and there can be different steps, but for the most part these four are always present.

Examples of social engineering can be as simple as getting to know an administrator and asking for a password, or taking advantage of a polite employee who holds the data center door open for you and gives you the benefit of the doubt that you have legitimate access (tailgating).

Question for the class: Have you ever been placed in a position where you had to be conscious of potential social engineering attacks?

Article: http://www.zdnet.com/article/here-is-how-internet-experts-plan-to-fix-poor-security/

This is about a plan drawn up by 260 internet experts with the goal of making routers, and as a result the internet, more secure. The full proposal sent to the FCC is found here: https://www.fcc.gov/article/fcc-15-92a2 .

The summary given in the article:

"The experts said routers should be open-source so their code should be made public and available for review. Additionally, manufacturers should assure that any router firmware updates are under the owner's control rather than the manufacturer's and they should allow for a 45-day patch window for vulnerabilities for five-years after the device ships.

If, say the experts, the companies fail to comply, the FCC could decertify existing products or, in severe cases, bar new products from that vendor from reaching the market.”

Week 7

Netcat is another tool for testing machines and networks; the main difference from nmap is that Netcat can both read from and write to network connections (it opens a raw TCP or UDP connection and pipes data through it in either direction), whereas nmap is a scanner that probes hosts and ports and reports what it finds. Netcat is important to know because it is widely regarded as one of the most popular tools among security professionals. The reading clearly notes that Netcat should not be left on production systems, since an attacker who finds it there has a ready-made tool for file transfer and for binding a shell to a port.

My question for the class would be: since Netcat can read and write, when is it better to use nmap instead of Netcat? It seems that Netcat has more features.

News for the week:

http://www.securityweek.com/north-korea-suspected-hacking-seoul-subway-operator-mp

North Korea is suspected of launching a cyber-attack on South Korea's subway operator. I thought this was interesting because when we think about who we need to worry about in cyber security, I think we often think of the same countries we need to worry about in terms of military might, but cyber-attacks even the playing field in some ways and allow almost anyone to be a massive force.

Week 6 Reading, Article and Question

The reading this week talks about sniffing, or "eavesdropping" on the packets being sent across a network, to pick up sensitive information like the usernames and passwords that are sent when users log in. It clearly states that it is easier to sniff on a hub-based network than on a switched network. The reason is that a hub repeats every frame out of every port, so any host on it can listen in, while a switch forwards each frame only to the port where the destination MAC address lives, essentially straight from point A to point B, so a host on another port never sees the traffic. The way around this is a man-in-the-middle attack, where the sniffer tricks the two communicating hosts into thinking the attacker's computer is the intended recipient; on a local network this is usually done by sending forged ARP replies so that each victim maps the other's IP address to the attacker's MAC address, and the attacker then forwards the traffic so nothing appears broken. It seems to me from the reading that the best ways to protect against sniffing on your network are, if you're running Windows across the network, to restrict the apps you allow onto the network to exclude sniffers, and above all to use encryption.
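Since the defender's side of the switched-network MITM is rarely shown, here is an added example of my own (not from the reading) that builds a few raw Ethernet/ARP frames in memory, parses them, and flags the moment an IP address starts being claimed by a different MAC address, which is the signature of ARP cache poisoning. The MAC and IP values are invented and the frames are constructed, not captured.

```python
"""ARP spoofing detection over constructed frames (added example).

Builds raw Ethernet/ARP frames in memory, parses them, and flags an IP
address whose advertised MAC changes. MAC and IP values are invented."""
import struct
from typing import Dict, List, Optional

ETHERTYPE_ARP = b"\x08\x06"
ARP_REPLY = 2


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def fmt_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp_reply(sender_mac: str, sender_ip: str,
                    target_mac: str, target_ip: str) -> bytes:
    """Ethernet header (dst, src, type) + 28-byte ARP reply."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + ETHERTYPE_ARP
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)  # Ethernet/IPv4, reply
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame: bytes) -> Optional[Dict[str, object]]:
    """Return the ARP fields, or None if the frame is not Ethernet/IPv4 ARP."""
    if len(frame) < 42 or frame[12:14] != ETHERTYPE_ARP:
        return None
    hw_type, proto_type, hw_len, proto_len, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (hw_type, proto_type, hw_len, proto_len) != (1, 0x0800, 6, 4):
        return None
    return {
        "opcode": opcode,
        "sender_mac": fmt_mac(frame[22:28]),
        "sender_ip": fmt_ip(frame[28:32]),
        "target_mac": fmt_mac(frame[32:38]),
        "target_ip": fmt_ip(frame[38:42]),
    }


def detect_arp_spoofing(frames: List[bytes]) -> List[str]:
    """Remember the first MAC seen for each IP in ARP replies and alert when
    a later reply claims the same IP from a different MAC."""
    seen: Dict[str, str] = {}
    alerts: List[str] = []
    for frame in frames:
        arp = parse_arp(frame)
        if arp is None or arp["opcode"] != ARP_REPLY:
            continue
        ip, mac = str(arp["sender_ip"]), str(arp["sender_mac"])
        known = seen.setdefault(ip, mac)
        if known != mac:
            alerts.append(f"{ip} claimed by {mac}, previously {known}")
    return alerts


# Constructed traffic: the gateway answers the victim, the victim answers
# the gateway, then an attacker claims the gateway's IP with its own MAC.
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "aa:bb:cc:00:00:01"
VICTIM_IP, VICTIM_MAC = "192.168.1.50", "aa:bb:cc:00:00:50"
ATTACKER_MAC = "de:ad:be:ef:00:01"

SAMPLE_FRAMES = [
    build_arp_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
    build_arp_reply(VICTIM_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP),
    build_arp_reply(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),  # spoofed
]

if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_FRAMES):
        print("ALERT:", alert)
```

The detector trusts the first MAC it sees for each IP, so it must start before the attacker does and it will raise a false alert on a legitimate hardware change; production tools like arpwatch keep a persistent table for that reason. Static ARP entries for the gateway, switch-side protections such as dynamic ARP inspection, and encryption of the traffic itself are the usual defenses.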


My question to the class: the reading makes it sound like wireless networks are still incredibly easy to launch a man-in-the-middle attack over. Is this still the case, or has this changed since publication?


The article for the week

http://www.zdnet.com/article/more-regulations-necessary-for-apac-cybersecurity/

This is a call for governments in the Asia Pacific region to create more cybersecurity regulations, especially for financial institutions. What I gathered from the article is that institutions in the Asia Pacific region are very vulnerable. I included this article because it mentions the wide availability of hacking tools on the internet. I thought this was interesting since some of these same tools might be the ones we are learning about in class, although we use them for ethical purposes.

Week 5

The reading this week focused on a number of tools and how to use them to footprint a company and its networks and piece together the network topology. This is important not only for a malicious hacker but for the security professionals working to secure the company: by using these techniques you can see what a malicious intruder would see and begin to reduce that exposure. The second reading goes deeper into enumeration, finding information about users and user groups in order to target a system. These techniques are noisier and set off more alerts in a company's detection systems, so you should only try them on your own machines or on systems you are authorized to test.


My question for the class would be: are there ways you can see enumeration techniques being used to find information on an individual rather than a business?


In the News:

http://www.zdnet.com/article/hp-bulks-up-security-features-on-enterprise-laserjet-printers/

HP is enhancing the security features on its enterprise LaserJet printers. An interesting point from the article: "Citing a Ponemon Institute, HP claims that 64 percent of IT managers believe their networked printers are likely infected with malware, while 56 percent of enterprise companies ignore printers in their endpoint security strategy."

Week 4 reading and article

The reading this week discusses using Nessus as a scanning tool to find potential vulnerabilities in a system. Nessus tests for a large number of known vulnerabilities in one scan rather than checking for each one by hand. While Nessus can identify potential vulnerabilities, it can't tell you why they exist (for example, a company policy that requires the vulnerable configuration), and its results can include false positives that have to be verified. Another important takeaway is that Nessus only finds the potential vulnerabilities; it doesn't fix them. It is still up to the IT department and management to use these findings as the proof needed to spark organizational change to close these security holes.


My question for the class comes from a classic example from the reading. Do you think it is best to enable all the plugins for a scan or disable the non-dangerous ones and run the rest? Are there situations where one method is better than the other?


My news article ties back to last week’s topic about public information. http://www.zdnet.com/article/microsofts-project-sonar-malware-detonation-as-a-service/

This is a story about a new malware detonation service from Microsoft. The technology itself is interesting, but I thought the noteworthy thing here is that the story lead was found simply by scanning Microsoft job postings, which was one of the examples of public information we talked about in class.