Temple University

David Lanter

Week 13: Reading, Question for Class, and In The News…

Reading: Dyrmose, M. (2013). Beating the IPS. SANS Institute InfoSec Reading Room. The paper describes how to build an intrusion protection system research laboratory, introduces four evasion techniques, and illustrates how to use three of them in various combinations to avoid detection by one open source and five commercial intrusion protection systems (IPSs) while executing a successful web-based information security exploit. The techniques include obfuscation, fragmentation (including overlapping, reassembly-order, and timeout variants), and protocol violations. The paper demonstrates that the simple single-technique attacks were detected by most of the IPSs, but particular combinations could be formulated to bypass any one of them.
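The fragmentation-overlap variant works because an IPS and the protected host may resolve the same overlapping fragments differently, so the inspection engine and the target end up reading two different requests. The following Python is an added illustration (not code from Dyrmose's paper) over a constructed fragment train: it reassembles under two simplified overlap policies and then shows the defensive check an inspection engine can apply, flagging any overlap whose bytes disagree instead of guessing which policy the destination uses.

```python
"""Added example (not from Dyrmose's paper): why overlapping fragments
defeat an inspection engine that guesses the wrong reassembly policy,
and the normalisation check that removes the guesswork.

Each fragment is (offset, payload).  Constructed data only.
"""
from typing import Dict, List, Optional, Tuple

Fragment = Tuple[int, bytes]

# Constructed fragment train.  The second fragment overlaps bytes 4..14 of
# the first and disagrees with it, so two hosts with different overlap
# policies will see two different HTTP requests.
FRAGMENTS: List[Fragment] = [
    (0, b"GET /index.html HTTP/1.0"),
    (4, b"/hidden.cgi"),          # same length as "/index.html"
    (24, b"\r\n\r\n"),
]


def reassemble(frags: List[Fragment], policy: str) -> bytes:
    """Reassemble with policy 'first' (earlier bytes win, BSD-like) or
    'last' (later bytes overwrite, as some other stacks do)."""
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    total = max(off + len(p) for off, p in frags)
    buf = bytearray(total)
    written = [False] * total
    for off, payload in frags:
        for i, byte in enumerate(payload):
            pos = off + i
            if policy == "last" or not written[pos]:
                buf[pos] = byte
            written[pos] = True
    return bytes(buf)


def conflicting_offsets(frags: List[Fragment]) -> List[int]:
    """Offsets where two fragments supply different bytes.

    A non-empty result means the datagram is ambiguous: an IPS that alerts
    on (or drops) such trains never has to know the target's policy.
    """
    seen: Dict[int, int] = {}
    conflicts: List[int] = []
    for off, payload in frags:
        for i, byte in enumerate(payload):
            pos = off + i
            if pos in seen and seen[pos] != byte:
                conflicts.append(pos)
            seen.setdefault(pos, byte)
    return sorted(set(conflicts))


def normalise(frags: List[Fragment], policy: str = "first") -> Optional[bytes]:
    """Reassemble only if the train is unambiguous; None means 'alert'."""
    if conflicting_offsets(frags):
        return None
    return reassemble(frags, policy)


if __name__ == "__main__":
    print("first:", reassemble(FRAGMENTS, "first"))
    print("last: ", reassemble(FRAGMENTS, "last"))
    print("conflicts at offsets:", conflicting_offsets(FRAGMENTS))
    print("normalised:", normalise(FRAGMENTS))
```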

Question for the Class: Did you know that “99% of all successful attacks/breaches involve a vulnerability that is at least 1 year old”, and “90% of all breaches involve a vulnerability from 7 years or older”? (From: http://www.coresecurity.com/videos/what-your-scanner-isnt-telling-you)

InTheNews: Shackelford, S.J. (2015-10-30) Another ‘Back to the Future’ Moment – 27 Years After the World’s First Cyber Attack. Twenty-seven years ago (1988) a Cornell University grad student (Robert Morris) launched the first “Internet worm” from MIT. Meant to measure the size of the Internet, the worm morphed into a denial of service exploit, copying itself onto many of the 60,000 computers connected to the Internet. The worm caused between $100,000 and $10 million in damages. Morris received 3 years of probation and a $10,050 fine, and is noted as “the world’s first cyber attacker” prosecuted under the Computer Fraud and Abuse Act. He is now a tenured MIT professor and dot-com millionaire. Today, there are more than 9 billion devices and more than 3 billion people online. Positive outcomes traceable to Morris’ exploit include Carnegie Mellon University’s Cyber Emergency Response Team (CERT), proactive cybersecurity best practices, and the NIST Cybersecurity Framework. The government of Australia reports success in preventing 85% of cyberattacks by following 3 common-sense techniques: (1) only permitting pre-approved programs to operate on networks (i.e. application whitelisting), (2) regular patching of operating systems and applications, and (3) minimizing the number of people on the network with admin privileges.

http://www.huffingtonpost.com/scott-j-shackelford/another-back-to-the-future-moment_b_8428352.html?utm_hp_ref=cybersecurity

Week 12: Article Summaries, In The News, and Question for Class…

Burns, S. (2001). “Web Services Security – An Overview”. SANS Institute, InfoSec Reading Room. Web services are software functions provided at a network address that enable machine-to-machine communication over the web. Each web service has an interface described in a machine-readable format (i.e. WSDL and UDDI), and is interacted with using Simple Object Access Protocol messages communicated over TCP/IP networks via HTTP/HTTPS using XML. Unprotected web services are vulnerable to the following attacks and problems: Reconnaissance, Denial of Service, Integrity Attacks, Firewall Bypassing, Unintended software interactions, and platform immaturity. Burns recommends the following countermeasures to protect web services: Enforce Trust Relationships, Encrypt Transport Links, Engineer Secure Components, Perform Regular Tests on Components, Reconcile WSDL Specs with Actual Operation, Use HTTP Proxy Filters, and Configuration Management. At the time of publication, emerging technology solutions included Security Assertion Markup Language, eXtensible Access Control Markup Language, XML Signature, XML Key Management Specifications, Kerberos, and Lightweight Directory Access Protocol.

Kwabi, C. (2003). “XML Web Services Security and Web based Application Security”. SANS Institute, InfoSec Reading Room. “XML Web Services are severely hampered by the inherent lack of support for security.” This paper provides a glimpse into efforts to “create a standardized security framework” for “…interoperability and end-to-end security amongst heterogeneous systems involved in XML Web Service communications sessions”.

InTheNews: Fox-Brewster, T. “Want Some Nuclear Power Plant ‘Zero-Day’ Vulnerabilities? Yours For Just $8,000”, Forbes/Security. Interesting article on the availability of tools that contain SCADA system exploits and are updated and maintained with zero-day exploits: http://www.forbes.com/sites/thomasbrewster/2015/10/21/scada-zero-day-exploit-sales/

Question for Class: JSON seems to have two advantages over XML: 1) speed and ease in parsing data, and 2) simple data retrieval from JavaScript. However, the use of the eval() function to parse JSON into JavaScript objects makes it vulnerable to executing arbitrary JavaScript code in production applications. Data access with XML tags does not require code execution to extract data. With that said, which is more secure, XML or JSON?

Week 11: Reading Summary, InTheNews, Question for class…

Reading: Marezzi@gmail.com (2008), “Full SQL Injection Tutorial”. The tutorial describes SQL injection as a code insertion technique for attacking poorly implemented data-driven client-server and n-tier applications built on databases that support SQL. Poor implementation comes into play when user input is not strongly typed and unexpected code is executed, or when user input is incorrectly filtered and literal escape characters embedded in SQL expressions are allowed to execute and run nefarious commands. Successful SQL injection attacks can be used to probe and exploit any unprotected SQL database or website backed by a SQL database. The result of SQL injection can violate the database’s confidentiality, integrity or availability.
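The “incorrectly filtered escape characters” case comes down to one implementation choice: whether user input is spliced into the SQL text or passed to the database as a bound parameter. As an added example (not code from the tutorial), the Python below builds an in-memory SQLite table with constructed rows and runs the same textbook probe against a concatenating login check and a parameterized one.

```python
"""Added example (not from the tutorial): the implementation defect SQL
injection depends on, beside its fix, against an in-memory SQLite
database filled with constructed rows.

Plaintext passwords are used only to keep the demo short.
"""
import sqlite3
from typing import List, Tuple

Row = Tuple[str, str]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "battery staple", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> List[Row]:
    """Splices user input into the SQL text.  A quote character in the
    input terminates the literal early, so the rest of the input is parsed
    as SQL instead of compared as data: the 'incorrectly filtered escape
    characters' case from the tutorial."""
    sql = (f"SELECT name, role FROM users WHERE name = '{name}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchall()


def login_safe(conn: sqlite3.Connection, name: str, password: str) -> List[Row]:
    """Bound parameters: the statement text is fixed, and the driver hands
    the values to the engine separately, so they can only be compared."""
    sql = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchall()


def demo() -> dict:
    conn = make_db()
    tautology = "' OR '1'='1"        # the classic textbook probe
    return {
        "vulnerable": login_vulnerable(conn, "alice", tautology),  # every row
        "safe": login_safe(conn, "alice", tautology),              # no rows
        "legit": login_safe(conn, "alice", "correct horse"),       # alice only
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:>10}: {rows}")
```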

InTheNews: Kovacs, E. 2015-09-17, “Russian Hackers Target Industrial Control Systems: US Intel Chief.” Security Week. Russian actors have compromised at least three industrial control systems (ICS) vendors’ product supply chains with malware, and the production lines of many are at risk. “Supply chains are difficult to secure, they create risk that is hard to identify, complicated to quantify and costly to address. A compromise anywhere in the supply chain can have just as much impact on your organization, and its reputation, as one from within the organization. … There’s a great necessity to track everything that is happening in the supply chain as even the smallest supplier or the slightest hiccup can have dangerous impact on your business.” http://www.securityweek.com/russian-hackers-target-industrial-control-systems-us-intel-chief

Question for Class: What would be a practical/feasible approach to managing the cost implications of the need for ‘cradle to grave’ supply chain security for small high-tech firms integrating industrial controls for clients?

Week 10: Reading Summaries, In the News, and Question for Class…

Karthik, R. Burp Suite Guide: Part 1 – Basic Tools, Part 2 – Intruder and repeater tools, Part 3 – Sequencer, decoder and composer. SearchSecurity.techtarget.in. Karthik’s terse three-part guide provides an overview and illustrative screen captures of the free edition of the Java-based Burp Suite web-application security testing platform developed by the firm Portswigger Web Security. The Burp Suite consists of a number of tools, including Proxy and Spider, introduced in Part 1; Intruder and Repeater, described in Part 2; and Sequencer, Decoder and Comparer, covered in Part 3. Proxy enables inspection and modification of intercepted TCP/IP packets (internet traffic) sent between the browser and the target application. Spider automates the process of developing a detailed site map of the content and functionality of a target web application. Intruder helps the penetration tester attack, identify, and exploit a range of web application security vulnerabilities, including SQL Injection (SQLi) and Cross-Site Scripting (XSS), on a web page. Repeater enables penetration testers to iteratively probe target web pages by modifying and reissuing (playing back) HTTP requests to analyze vulnerabilities in a web page. Sequencer helps test the randomness/uniqueness, i.e. the quality, of web-application security tokens and their generators. Missing from the free edition of Burp is Scanner, which seems to combine the functionality of the tools described in Karthik’s guide with tests to detect many other security issues, for $299 per user per year.

Distler, D. (2013). Web Application Injection Vulnerabilities, A Web App’s Security Nemesis?, SANS Institute InfoSec Reading Room. This article complements Karthik’s articles with more detail, presenting a good overview of two of the more commonly exploited injection attack categories of web application vulnerabilities: SQL Injection (SQLi) and XSS. Distler describes a number of mitigations, including installing a web application firewall (WAF), conducting explicit error checking for all input, conducting web application security scans, and providing developers with secure-coding training. He balances the mitigations against a number of human “factors inhibiting organizations from remediating vulnerabilities” (including lack of budget, responsibility, and incentives) which are “as significant as… any security flaw.” He concludes: “A greater understanding of the risks by leadership and developers alike can only lead to increased pressure to allow resources for adequate security to be built and maintained.”

In the News: “ID Experts Wins $330M Federal Data Breach Recovery Services BPA.” With an initial task order valued at $133.3M and potential to grow over three years to $329.8 million, ID Experts is tasked to protect the financial identities of 21.5 million people affected by the cyberattack and breach at the Office of Personnel Management. http://www.govconwire.com/2015/09/id-experts-wins-330m-federal-data-breach-recovery-services-bpa/

Question for Class: Should an informed ITACS student affected by the breach at the Office of Personnel Management who is seeking to sign up for financial identity protection by ID Experts: 1) favor sharing their personal identifying information (including Name, Address, Email address, Social Security Number, Birth Date and Year) over the telephone to sign up, 2) favor use of a web form protected via SSL seeking the same PII, 3) be indifferent between 1 and 2, or 4) fear the risks of both options and choose not to sign up for financial identity protection?


Week 9: Reading summaries, Question, and News of the Week…

Zeltser, L. (2014). “Ouch! What Is Malware,” The Monthly Security Newsletter for Computer Users, The SANS Institute.   This reading provides a short high-level overview of malware, its sources, and protecting against it.

Hardikar, A. (2008). “Malware 101 – Viruses,” Information Security Reading Room, SANS Institute.   The paper provides an excellent introduction to: malware, complementary virus classification systems, and SANS’ six-step incident handling process.  The technical overview of malware types and the deeper dive offered by the classification systems provides motivation and insight into the nature and objectives of each step of the malware handling processes.  The article effectively couples the need for organizational security awareness training with the need for an Incident Handling Escalation Matrix.

Question for the class:  What criteria would you use to determine when an organization is justified in having an incident handling team?

News of the Week: Jack Daniel, “SWAMP, the SoftWare Assurance MarketPlace”, September 20, 2015. SWAMP is a free suite of 16 practical and useful software security analysis tools for assessing and testing applications coded in C/C++, Java, Java on Android, Ruby, and Python. SWAMP was developed by an academic research consortium with funding from the U.S. Department of Homeland Security for the broader community of software and software tool developers. SWAMP’s tools are integrated within a centralized, cloud-based software security testing platform of 700 processing cores, 5 TB of RAM and 104 TB of HDD, and display their results within an interoperable results viewer to simplify vulnerability analysis and remediation. Work is underway to add support for JavaScript and PHP. http://blog.uncommonsensesecurity.com/2015/09/swamp-software-assurance-marketplace.html

Week 8 Reading Summary, Question, and In The News…

Allen, M. (2006). “Social Engineering: A Means To Violate A Computer System”, SANS Institute Reading Room. Allen’s article provides a good introduction and overview of social engineering. It covers definitions, workflow (or “Cycle”), motivation and traits of the social engineer, countermeasures and controls for social engineering risks, and reviews and attack simulation to maintain preparedness. Allen describes the following 8 core controls that organizations can implement: Management buy-in, Security policy, Physical security, Education/Awareness, Good security architecture, Limit data leakage, Incident response strategy, and Security culture. He goes on to report that social engineering testing is unpopular among many organizations, leaving simulated attack the least common among the approaches to maintaining preparedness.

Question for Class: Are senior citizens easier targets for social engineering than younger people? Why or why not?

In the News: “Amazon Downplays Cloud Breach Threat”. Referring to the research article “Seriously, Get Off My Cloud! Cross-VM RSA Key Recovery in a Public Cloud”, Mathew Schwartz reports that security researchers at Worcester Polytechnic Institute were able, from one virtual machine within Amazon Web Services’ Elastic Compute Cloud (EC2), to hack into a co-located virtual machine. The researchers demonstrated that “colocation can be achieved, and detected by monitoring the last-level cache in public clouds. More significantly,” they “present a full-fledged attack that exploits subtle leakages to recover RSA decryption keys from a co-located instance.” http://www.databreachtoday.com/amazon-downplays-cloud-breach-threat-a-8581

Week 7: Reading….

Armstrong, T. (2003), “Netcat – The TCP/IP Swiss Army Knife”, Information Security Reading Room, SANS Institute. Based on Nmap’s optimized and tested passive and active scanning libraries, Ncat is a powerful and flexible general-purpose command line tool, useful for a wide range of interactive and network-connected backend testing and administration tasks. It can read, write, redirect, and encrypt/decrypt data across a computer network, and enables users to control every character sent among servers, network services, and clients, and to view the resulting raw, unfiltered responses. As such it is helpful in understanding a service and how clients are using it, and enables fixing problems, finding security flaws, and testing custom commands. It runs on all major operating systems, and can act as a connection broker among clients and services.

Question for class: How do penetration testers test for and detect the most common SCADA attack methods, Improper Restriction of Operations within the Bounds of a Memory Buffer (26%) and Improper Input Validation (9%)?

News of the Week: Dell’s 2015 annual security report states that attacks on Supervisory Control and Data Acquisition (SCADA) systems doubled worldwide between 2013 (163,228 attacks) and 2014 (675,186 attacks). They target basic system operations controls, access and credential management, network navigation and input validation, and have the potential to wreak major havoc on critical infrastructure systems for all. The most common successful attack methods against SCADA target insecure application programming and management practices, including: Improper Restriction of Operations within the Bounds of a Memory Buffer (26%), Improper Input Validation (9%), Information Exposure (9%), Resource Management Errors (8%), Improper Neutralization of Input During Web Page Generation – i.e. Cross-site Scripting (7%), Permissions, Privileges and Access Controls (7%),…

https://software.dell.com/docs/2015-dell-security-annual-threat-report-white-paper-15657.pdf


Week 6: Reading Summary, Question, and InTheNews

King, T. (2007). “Packet Sniffing In a Switched Environment”, SANS Institute InfoSec Reading Room. The article introduces packet sniffing as largely a within-network (“internal”) threat to unencrypted and poorly encrypted data traffic that includes user names, passwords and other sensitive data. King illustrates tools and techniques for capturing user names and passwords from data packets communicated within non-switched and switched IT networks. Address Resolution Protocol (ARP) spoofing and poisoning techniques within switched networks are illustrated as a basis for understanding how to conduct “man in the middle” attacks. The author discusses ways of detecting and combating packet sniffing, including network segmentation via virtual LANs (VLANs), and concludes: “the most viable solution to protect against packet sniffing is… to encrypt all network traffic by using IPSec.”
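ARP poisoning leaves a visible trace on the wire: the MAC address claimed for an IP suddenly changes, and one MAC typically ends up answering for both ends of the conversation it wants to sit between. As an added example (not code from King’s paper), the Python below implements those two detection checks, in the spirit of arpwatch, over a constructed sequence of ARP replies; the static table of known-good bindings is also an assumption of the example.

```python
"""Added example (not from King's paper): a small ARP-poisoning detector in
the spirit of arpwatch, run over a constructed sequence of ARP replies.

Two signals are checked: an IP whose claimed MAC changes, and one MAC
answering for several IPs (a man-in-the-middle poisons both ends).
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Set


class ArpReply(NamedTuple):
    ts: float
    sender_ip: str
    sender_mac: str


GATEWAY_MAC = "aa:bb:cc:00:00:01"
ROGUE_MAC = "de:ad:be:ef:00:99"

# Constructed capture: normal replies, then a rogue station starts
# answering for both the gateway (10.0.0.1) and a workstation (10.0.0.7).
SAMPLE_REPLIES = [
    ArpReply(0.0, "10.0.0.1", GATEWAY_MAC),
    ArpReply(1.0, "10.0.0.7", "aa:bb:cc:00:00:07"),
    ArpReply(2.0, "10.0.0.1", GATEWAY_MAC),
    ArpReply(3.0, "10.0.0.1", ROGUE_MAC),   # gateway binding flips
    ArpReply(3.5, "10.0.0.7", ROGUE_MAC),   # victim binding flips too
    ArpReply(4.0, "10.0.0.1", ROGUE_MAC),
]


def detect_flips(replies: List[ArpReply],
                 static_table: Optional[Dict[str, str]] = None) -> List[str]:
    """Alert when an IP's MAC changes, or contradicts a known-good entry."""
    static_table = static_table or {}
    learned: Dict[str, str] = {}
    alerts: List[str] = []
    for r in replies:
        expected = static_table.get(r.sender_ip)
        if expected and r.sender_mac != expected:
            alerts.append(f"{r.ts:.1f} STATIC-MISMATCH {r.sender_ip} claimed by "
                          f"{r.sender_mac}, expected {expected}")
        prev = learned.get(r.sender_ip)
        if prev and prev != r.sender_mac:
            alerts.append(f"{r.ts:.1f} FLIP {r.sender_ip} {prev} -> {r.sender_mac}")
        learned[r.sender_ip] = r.sender_mac
    return alerts


def macs_claiming_many_ips(replies: List[ArpReply]) -> Dict[str, List[str]]:
    """MACs that answered for more than one IP, with the IPs they claimed."""
    claims: Dict[str, Set[str]] = defaultdict(set)
    for r in replies:
        claims[r.sender_mac].add(r.sender_ip)
    return {mac: sorted(ips) for mac, ips in claims.items() if len(ips) > 1}


if __name__ == "__main__":
    for line in detect_flips(SAMPLE_REPLIES, {"10.0.0.1": GATEWAY_MAC}):
        print(line)
    print(macs_claiming_many_ips(SAMPLE_REPLIES))
```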

Question for Class: How does segmenting the network via VLANs make packet sniffing and man in the middle attacks more difficult?

News of the Week: Theodoros Arambatzis, “DNS Spoofing/ARP poisoning for Advanced SEToolkit Attacks”, walks the reader through techniques for spoofing Facebook’s website (http://centralgeekhub.com/dns-spoofingarp-poisoning/) as an improvement to the tools and methods of website cloning and credential stealing he illustrates in “How to Acquire a User’s Facebook Credentials, Using the Credential Harvester Attack” (http://centralgeekhub.com/how-to-acquire-a-users-facebook-credentials-using-the-credential-harvester-attack/). These articles are brilliant in their terse illustration of hacking techniques that further apply and extend this week’s reading lesson on ARP spoofing in man in the middle attacks.

Week 5: Reading Summary, Question, and InTheNews

McGreevy, J.P. (2002). “Footprinting: What Is it, Who Should Do It, and Why?”, SANS Institute Information Security Reading Room, SANS Institute. In planning an attack, the author instructs, “Footprinting” is the first step hackers take in gathering information and building a database about their prospective target “organization’s security posture, profile of their Intranet, remote access capabilities, and intranet/extranet presence.” McGreevy suggests that to thwart a hacking attack, security specialists should gather the same information about the system they are tasked with protecting, to understand its weaknesses and what an attacker can use against it. He outlines a high-level four-step footprinting process: (1) Open Source Searching, (2) Network Enumeration, (3) DNS Interrogation, and (4) Network Reconnaissance. As footprinting an entire organization’s IT infrastructure can be a big and challenging task, McGreevy advises security personnel to focus initially on one department or segment of the network and broaden from there over time.

Owens, K.J. (2003). “Battle for the Internet: The War is On!” SANS Institute Information Security Reading Room, SANS Institute. Owens places Footprinting in context as the first of seven steps conducted by nefarious hackers, each of which must be mastered by security professionals if they are to protect systems from attacks. He introduces each of the seven steps along with a rich collection of (likely outdated) resources and techniques for different operating system environments to master, sandwiching them all with warnings of the legal and ethical consequences of their inappropriate use.

Question for Class: While Owens’ twelve-year-old article leaves the reader believing the techniques are likely still sound, do you think the Linux tools have more staying power and have outlasted the Windows ones?

InTheNews: The Value of a Hacked Email Account, Krebsonsecurity.com – http://krebsonsecurity.com/2013/06/the-value-of-a-hacked-email-account/ Signing up for any service online almost always requires you to supply your email address. Almost always, any person in control of your email address can request a password reset email and take control of your service or accounts. While there are no central exchanges for these accounts, credentials are being offered for resale by underground peddlers. For example: “iTunes accounts for $8, and Fedex.com, Continental.com and United.com accounts for USD $6. Groupon.com accounts fetch $5, while $4 buys hacked credentials at registrar and hosting provider Godaddy.com, as well as wireless providers Att.com, Sprint.com, Verizonwireless.com, and Tmobile.com. Active accounts at Facebook and Twitter retail for just $2.50 apiece.” Hacked accounts, in contrast, “go for $1 to $3 for active accounts at dell.com, overstock.com, walmart.com, tesco.com, bestbuy.com and target.com.” The keys to unlocking access to files stored in online and cloud file-storage services such as DropBox, Google Drive, and Microsoft Skydrive also lie “in your inbox.”

Week Four Reading, Question, and InTheNews

Week Four Reading: Mitchel, J. (2002). Proactive Vulnerability Assessments with Nessus, SANS Institute. Once set up and configured, Nessus is a powerful tool for applying signatures to detect known vulnerabilities in a computer system. I found the author’s instruction about saving time with operating systems and databases by proactively setting up the system’s security configuration settings prior to running the first Nessus scan particularly useful: “If you don’t spend the time to properly harden a system before putting it on the network, you’ll spend countless hours tracking down the numerous vulnerabilities that Nessus will detect.”

Question for the class: The article suggests great caution in particular aspects of using Nessus. In which specific ways can Nessus threaten the operation of a target computer system being scanned?

News of the Week: Apache Spark Cluster 1.3.X – Arbitrary Code Execution https://www.exploit-db.com/exploits/36562/ Apache Spark is an open source cluster computing framework whose multi-stage in-memory processing primitives provide performance up to 100 times faster than Hadoop’s two-stage disk-based MapReduce paradigm (https://www.sigmoid.com/securing-apache-spark-cluster/). Spark clusters which are not secured behind a proper firewall, however, do not have any authentication mechanism and can be taken over easily. The exploit described in the Exploit Database article illustrates how to take over and run arbitrary code on an unprotected cloud-based Apache Spark cluster.