Temple University

Jeta Gjana

Week 13 Takeaways

Reading Summary: Evasion

Organizations mostly rely on firewalls and Intrusion Prevention Systems (IPS) to protect their network infrastructure. An IPS inspects traffic and blocks whatever matches its attack signatures. However, an IPS can be evaded by altering the header, the payload, or the traffic flow of an attack so that it no longer matches a signature; the malicious traffic then passes through and can give the attacker shell access to the target system the IPS was supposed to protect. Common IPS evasion techniques include obfuscation, encryption and tunneling, fragmentation, and protocol violations. Several open source tools are available for researching evasion, such as Snort, Wireshark, HxD, and Evader.
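As an added illustration of why payload and traffic-flow changes defeat plain signature matching (example code written for this page, not part of the reading and not Snort's own logic), the following Python compares a naive substring signature check with one that first reassembles the segments and normalizes URL encoding, path separators and case. The two signatures and the HTTP requests are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed content signatures, in the spirit of an IPS rule that looks for
# a fixed byte string in an HTTP request.
SIGNATURES = {
    "path-traversal": "../../etc/passwd",
    "cmd-exec": "cmd.exe",
}

def match_naive(payload):
    """Byte-for-byte substring match against a single payload, the way a
    signature with no normalization behaves. Returns the rule name or None."""
    for name, sig in SIGNATURES.items():
        if sig in payload:
            return name
    return None

def match_naive_per_segment(segments):
    """Inspects each segment on its own, as an inspector that does not
    reassemble the stream would."""
    for seg in segments:
        hit = match_naive(seg)
        if hit:
            return hit
    return None

def normalize(segments):
    """Reassembles the segments, URL-decodes twice (to undo double encoding),
    collapses '/./' and repeated slashes, and lowercases the result."""
    data = "".join(segments)
    data = unquote(unquote(data))
    data = re.sub(r"/\./", "/", data)
    data = re.sub(r"/+", "/", data)
    return data.lower()

def match_normalized(segments):
    """Signature match after reassembly and normalization."""
    return match_naive(normalize(segments))

# Constructed attack traffic: each list is the sequence of segments seen on the wire.
PLAIN      = ["GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n"]
ENCODED    = ["GET /cgi-bin/%2e%2e/%2e%2e/etc/passwd HTTP/1.0\r\n"]          # URL encoding
DOUBLE     = ["GET /cgi-bin/%252e%252e/%252e%252e/etc/passwd HTTP/1.0\r\n"]  # double encoding
MIXED_CASE = ["GET /scripts/CMD.EXE?/c+dir HTTP/1.0\r\n"]                    # case change
FRAGMENTED = ["GET /cgi-bin/../.", "./etc/pas", "swd HTTP/1.0\r\n"]          # split across segments

if __name__ == "__main__":
    for label, traffic in [("plain", PLAIN), ("encoded", ENCODED), ("double", DOUBLE),
                           ("mixed-case", MIXED_CASE), ("fragmented", FRAGMENTED)]:
        print(f"{label:11s} naive={match_naive_per_segment(traffic)!s:15s} "
              f"normalized={match_normalized(traffic)}")
```

Only the plain request trips the naive check; the encoded, double-encoded, mixed-case and fragmented variants all slip past it and are caught only after normalization. A real IPS additionally has to reassemble IP fragments and TCP segments in the same order the target host will, which is where many of the fragmentation and protocol-violation evasions live.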

Question for the class:

In your personal experience, how successful are IPS/IDS tools at detecting malware and the evasion techniques attackers use to take control of a machine?

In the news: New Moker RAT Bypasses Detection

The latest remote access Trojan, known as Moker, can effectively bypass security measures on a machine and grant the attacker full access to the system. Researchers found that it communicated with a server in Montenegro. The malware can bypass antivirus, sandboxing, and virtual machines. Once embedded, the RAT can take full control of the device to take screenshots, record web traffic, sniff keystrokes, and exfiltrate files.

For more information regarding this article, please click here.

Week 12 Takeaways

Reading Summary: Web Services

Web services are an approach to improving productivity by increasing the speed and quality of information flow and by making it easier for producers and consumers of information to locate each other and exchange value. The main goal of web services is to replace middleware protocols (for example, CORBA) with a vendor-neutral service architecture that operates over HTTP, and to provide a means of advertising the availability of component services and their pre-defined usage rules. As efficient as this approach sounds, the security of web services is a major concern. Organizations are exposed to attacks ranging from reconnaissance and DoS to integrity attacks and firewall bypass, since web service traffic rides over the HTTP ports that firewalls typically allow. Moreover, XML web services are evolving into the building blocks for distributed, integrated solutions across the Internet, regardless of where the components reside or how they were implemented. However, the initial version of the XML standard had no built-in security support, which raises concerns about confidentiality and message integrity. Organizations are being proactive and are working toward a standardized security framework for XML web services.

Question for the class:

Have you experienced a web service attack in your organization, and if so, how was it handled?

In the news:  “Thai government websites hit by denial-of-service attack”

Several Thai government websites have been hit by a suspected DDoS attack targeting the site of the ministry of information, communications and technology and the main government website at thaigov.go.th. The attack appeared to be a protest against the government's plan to limit access to sites deemed inappropriate; thousands of people have signed a petition against the proposal, known as the "Great Firewall of Thailand."

For additional information regarding this article, please click here.

Week 11 Takeaways

Reading Summary: SQL Injection

SQL injection is one of the most common vulnerabilities in web applications, which is why it is crucial to test for it when building a website: user input (for example, a parameter in the URL) may be concatenated into a database query, letting an attacker reach the database through the application and extract, modify, or delete important data. SQL injection is used to perform operations on the database, bypass authentication mechanisms, read otherwise unavailable information, and write information to the database. A simple way to probe for SQL injection is to submit a single quote or a semicolon in an input. If a database error results, the input is reaching the query unescaped and the application is very likely vulnerable. If there is no error, check whether the output changes compared to a normal request, since an injection can be present without producing any visible error.
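As an added example written for this page (not code from the reading or from any tool it names), the following Python shows both the authentication bypass and the single-quote probe against a constructed in-memory SQLite database. `login_vulnerable` builds its query by concatenating user input, `login_safe` binds the same input as a parameter, and `probe_single_quote` applies the reading's test: a lone quote that raises a database error shows the input reaches the query unescaped.

```python
import sqlite3

# Constructed sample database: an in-memory SQLite table with two users.
# Passwords are stored in plaintext only to keep the example short; a real
# application stores salted password hashes.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
                 "password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
                     [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")])
    return conn

def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation: user input becomes SQL."""
    query = ("SELECT username, role FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()

def login_safe(conn, username, password):
    """Uses a parameterised query: input is bound as data, never parsed as SQL."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()

def probe_single_quote(conn, login):
    """The single-quote test from the reading: returns True if a lone quote in
    the username makes the database raise a syntax error, which means the input
    is being spliced into the query unescaped."""
    try:
        login(conn, "'", "x")
    except sqlite3.Error:
        return True
    return False

if __name__ == "__main__":
    conn = build_db()
    # Classic bypass: the injected OR makes the WHERE clause true for every row,
    # so the first user (here the admin) is returned without a valid password.
    payload = "' OR '1'='1"
    print("vulnerable:", login_vulnerable(conn, "alice", payload))   # ('alice', 'admin')
    print("safe:      ", login_safe(conn, "alice", payload))         # None
    print("probe (vulnerable):", probe_single_quote(conn, login_vulnerable))  # True
    print("probe (safe):      ", probe_single_quote(conn, login_safe))        # False
```

The parameterised version is the fix: the driver sends the input as data, so the quote and the OR clause are compared literally against the password column instead of being parsed as SQL, and the quote probe no longer produces an error.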

Question for the class:
Have you experienced a SQL injection attack, and if so, what tools or techniques did you use to return to normal operations?

In the news:

“Hacker group claims to have looted $100K via SQL injection attack”

A group of hackers known as TeamBerserk took credit on Twitter for using a SQL injection attack to access the plaintext usernames and passwords of customers of Sebastian, a California-based Internet, phone and TV service provider. The group then leveraged those credentials to steal $100,000 from the victims' online accounts, which was possible because customers had reused the same passwords across multiple accounts. It is also worth noting that in July, cyber crooks were charged with hacking more than a dozen companies and using SQL injection to steal 160 million credit card numbers.

You can find more information about this article here.

Week 10 Takeaways

Reading Summary: Web Application Hacking

Web application hacking is very commonly carried out through client submission of unexpected input. Knowing how such vulnerabilities are leveraged is important, yet challenging for most organizations. Injection attacks, in which malicious code is delivered to a web application through its inputs, are especially popular; their goal is to obtain restricted data from a back-end database, resulting in data exfiltration. A prime example is SQL injection, which simply bypasses security controls and offers direct access to very sensitive data. Tools exist to find such flaws before an attacker does. One of these is Burp Suite, an integrated collection of tools for security testing of web applications; it supports penetration testers through the entire testing process, from mapping the application to identifying and exploiting vulnerabilities. Its features include the proxy, spider, intruder, repeater, sequencer, decoder, and comparer, of which the two most important are intruder and repeater.

Question for the class:

Have you used any tools to test for web application vulnerabilities, such as Burp Suite? If so, what was your experience and takeaway?

In the News:

Insight – Cyber insurance premiums rocket after high-profile attacks

Following a wave of high-profile breaches (at Home Depot Inc., Target Corp., Anthem Inc., and Premera Blue Cross), insurers have sharply increased cyber premiums for some companies, leaving firms perceived as high risk scrambling for cover. Insurers are also raising deductibles and in some cases capping coverage at $100 million, leaving many companies potentially exposed to big losses from hacks that can cost more than twice that.

For additional information regarding this article, please click here.

Week 9 Takeaways

Reading Summary: Malware

Malware infections are increasingly common, ranging from Trojans, backdoors, zero-day exploits, viruses, and worms to polymorphic malware. Each organization handles an infection in its own way, but each should have incident handling procedures in place for dealing with the various types of malware. More importantly, such procedures help security personnel handle the malware quickly and reduce the impact or disruption it might cause the business as a whole. SANS describes the Six Step Incident Handling Process as: preparation (policies and procedures), identification, containment, eradication, recovery, and lessons learned. In addition, the most important skills/attributes to have when handling a malware incident are:

  1. Preparation: prevent malware from entering the network in the first place.
  2. Patience: formulate an effective strategic solution instead of taking quick, unprepared steps.
  3. Persistence: analyze the malware sample regardless of how difficult and complex its design is.

In the news: New zero-day exploit hits fully patched Adobe Flash [Updated]

Adobe has acknowledged an unpatched flaw in Flash that is being actively exploited. The acknowledgment came one day after Adobe's monthly security update, which did not address the issue. The flaw affects Flash version 19.0.0.207 and earlier for Windows, Mac, and Linux, and Adobe plans to issue an emergency patch next week. In the meantime, the zero-day exploit is being used against government agencies (for example, Russian politicians) as part of a long-running espionage campaign by a group known as Pawn Storm, which has also infected the iOS devices of Western governments and news organizations.

For additional information regarding this article, please click here.

Question for the class:

Have you been the victim of a zero-day attack, or experienced malware or a virus on your personal workstation or at work? If so, how was it executed and how did you resolve the infection?

Week 8 Takeaways

Reading Summary: Social Engineering

Social engineering has become a powerful hacker technique that most organizations still ignore, or at least underestimate. It takes advantage of the weakest link in the organization's security chain: people. In most successful attacks data is compromised and computer systems are violated. The attack cycle consists of four phases: information gathering, developing a relationship, exploitation, and execution. It is also important to understand the human side of a social engineering attack: attackers are typically motivated by revenge, financial gain, self-interest, and the like. Some of the techniques they use include shoulder surfing, going through trash cans and recycle bins, email and mail-outs, forensic analysis, websites, and phishing. Lastly, counter-measures aim to reduce the likelihood of a successful attack in the first place and include security policy, physical security, and education and security awareness programs.

Question for the class:
Have you been the target of a social engineering attack? If so, how were you notified, and what corrective steps were taken to prevent a similar attack in the future?

In the news: Iran Threat Group Uses Fake LinkedIn Network to Target Victims

Dell SecureWorks found that potential victims were targeted through social engineering by an extensive network of fake LinkedIn profiles. Threat Group 2889 (TG-2889) operated 25 fake LinkedIn accounts that were connected to 204 legitimate LinkedIn users in the Middle East, North Africa, and South Asia, who are likely targets of TG-2889. The fake accounts fall into two groups: fully developed personas (leader accounts) and supporting personas. Once Dell SecureWorks informed LinkedIn of the fake profiles, LinkedIn took them down immediately.

For additional information regarding this article, please click here.

Week 7 Takeaways

Reading Summary: NetCat

NetCat is a tool written by Hobbit and ported to Windows by Weld Pond. It is recommended to test firewall and router configurations with it in a test environment and not on a production network. The utility lets security professionals test operating system lockdown procedures by reading and writing data across TCP and UDP network connections. Other features include the ability to use any local source port, built-in loose source routing, and full DNS forward/reverse checking. Security professionals use NetCat for file transfers, firewall testing, proxy gatewaying, script back-ends, spoofing tests, protecting X servers, and more.

Question for the class:

Have you previously used NetCat, and if so, how did you utilize this tool to its full potential?

In the News:  Trump hotels hacked, credit card data at risk

Trump hotels across the US and Canada were hit by malware on their payment systems that gave hackers access to customer credit card data for over a year. Anyone who visited a Trump hotel in New York, Chicago, Honolulu, Las Vegas, Toronto, or Miami between May 19, 2014 and June 3, 2015 may have been affected; the malicious software on the hotels' payment systems exposed sensitive data such as credit card numbers, expiration dates, and the security codes on the back of the cards. As a result of the breach, the hotel chain is offering one year of free identity fraud protection to affected customers.

Click here to find out more information regarding this article.

Week 6 Takeaways

Reading Summary:

Packet sniffing can occur in a switched or a non-switched environment. It usually arises from an internal threat and shares the same concept as a man-in-the-middle attack: the attacker uses various ways to re-route network traffic from the victim's machine to his own. Reconfiguring the IT infrastructure, such as replacing hubs with switches, makes passive sniffing harder, but ARP (Address Resolution Protocol) spoofing still allows an attacker to access and monitor traffic in a switched environment. There are third-party tools that detect sniffing on a switched network and alert the company to potential threats. In a non-switched environment, packet sniffing is commonly used to capture passwords and other significant information off the network, and free sniffing tools such as dsniff exist for harvesting credentials from plaintext protocols. Because packet sniffing is an ever-present risk, companies must adopt a stronger encryption policy that replaces insecure plaintext protocols with encrypted ones, which mitigates sniffing in their environment.
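Detecting ARP spoofing is the core of what the third-party tools mentioned above do. The following added Python example (written for this page, not taken from the reading or from any such tool) implements that check over a constructed log of ARP replies: it learns IP-to-MAC bindings as they appear on the wire and alerts when a known IP suddenly answers from a different MAC, when one MAC claims several IPs, or when a static binding the operator configured for the gateway is contradicted. The addresses and the static binding are made up for the example.

```python
from collections import defaultdict

# Constructed ARP reply log as a sniffer on the segment might record it:
# (timestamp, sender IP, sender MAC).
ARP_REPLIES = [
    (1.0, "192.168.1.1",  "aa:aa:aa:aa:aa:01"),  # gateway
    (1.5, "192.168.1.10", "aa:aa:aa:aa:aa:10"),
    (2.0, "192.168.1.20", "aa:aa:aa:aa:aa:20"),
    (9.0, "192.168.1.1",  "aa:aa:aa:aa:aa:20"),  # gateway IP now claimed by .20's MAC
    (9.2, "192.168.1.10", "aa:aa:aa:aa:aa:20"),  # .10 also claimed by .20's MAC
    (9.5, "192.168.1.1",  "aa:aa:aa:aa:aa:20"),  # repeated spoof, already reported
]

# Static bindings the operator trusts (constructed): the gateway's real MAC.
TRUSTED = {"192.168.1.1": "aa:aa:aa:aa:aa:01"}

def detect_arp_spoofing(replies, trusted=None):
    """Learns IP->MAC bindings from ARP replies and returns a list of alerts
    (timestamp, kind, ip, detail). Each distinct alert is reported once."""
    trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts, seen = [], set()

    def alert(ts, kind, ip, detail):
        key = (kind, ip, detail)
        if key not in seen:
            seen.add(key)
            alerts.append((ts, kind, ip, detail))

    for ts, ip, mac in replies:
        mac = mac.lower()
        # 1. A reply that contradicts a configured static binding.
        if ip in trusted and trusted[ip] != mac:
            alert(ts, "static-binding-violated", ip, mac)
        # 2. A known IP suddenly answering from a different MAC.
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            alert(ts, "mac-changed", ip, f"{prev} -> {mac}")
        # 3. One MAC answering for several IPs (an attacker impersonating both
        #    ends of a conversation so it can relay and read the traffic).
        if mac_to_ips[mac] and ip not in mac_to_ips[mac]:
            alert(ts, "multiple-ips", ip, ", ".join(sorted(mac_to_ips[mac] | {ip})))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
    return alerts

if __name__ == "__main__":
    for ts, kind, ip, detail in detect_arp_spoofing(ARP_REPLIES, TRUSTED):
        print(f"t={ts:4.1f} {kind:24s} {ip:14s} {detail}")
```

The first three replies build the baseline silently; the spoofed replies at t=9.0 and t=9.2 trigger all three checks, and the repeat at t=9.5 adds nothing new. The multiple-IPs rule needs tuning on real networks, where a router or a host with virtual IPs legitimately answers for more than one address.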

Question for the class:

Can you think of cheaper ways to prevent packet sniffing, given that encryption is expensive and companies tend to choose speed over cost (a solution or tool that lets them encrypt data quickly, even without the best security in place)?

Article:

The US Securities and Exchange Commission (SEC) is investigating two former Capital One data analysts who allegedly used insider information from their jobs to trade stocks; in this case, a $150,000 investment allegedly turned into $2.8 million. The challenge is that the defendants argue the Fifth Amendment protects them from having to turn over their mobile device passcodes. Citing the protection against self-incrimination, federal judge Mark Kearney in Pennsylvania ruled that the defendants cannot be forced to divulge their smartphone passwords to the SEC.

Click here for additional information regarding this article.

Week 5 Takeaways

Reading Summary: Enumeration and Footprinting

The enumeration process identifies valid user accounts and weak components or resources. Key areas of information include users and groups, network resources, and applications and banners. Various tools and techniques serve this process: Windows NT/2000 enumeration, which uses the platform's remote administration tools and well-known port assignments; NetWare enumeration, using Novell-based tools that check the status of all servers on the target's network and browse the NDS tree all the way down to the leaf objects; and UNIX enumeration, where the finger command displays a user's home directory, login and idle time, office location, and so on.

Footprinting is the initial step in a hacker's information gathering; it reveals critical information such as remote access capabilities and the profile of the company's intranet and extranet. This lets the hacker build a database of the company's security weaknesses. Footprinting is accomplished in various ways, such as open source searching, network enumeration, DNS interrogation, and network reconnaissance. Companies are struggling to protect their infrastructure against Denial of Service attacks. Installing anti-virus is no longer enough; what matters is a holistic approach with layered security (policy, procedures, awareness, and technology) that prevents a hacker from footprinting the company's network, or at least makes obtaining critical information much harder.

Article: Military Battles to Man its Developing Cyber Force

The U.S. Defense Department is assembling 133 Cyber Mission Force teams to defend military networks, protect critical U.S. infrastructure, and strike back in cyberspace when necessary. The force was to be in place by the end of 2016, but with the requirement that the teams be fully manned, trained, and equipped, the deadline has been extended to fiscal year 2018. In total, 5,825 cyber personnel are to join by 2018, drawn from the Army, Air Force, Navy, and Marines. A further source of personnel is the reserve component: six of the Air Force's cyber teams will reside there, along with up to 2,000 Reserve and National Guard personnel. Notably, these are people who currently work in the cyber field in civilian life, which means their skills and training are current.

Interested in reading more about this article? If so, you can do so here.

Question for the class:

Have you used, or are you currently using, an enumeration tool at your company? If so, what have you found to be the weakest components of the company's infrastructure?

Week 4 reading summary and in the news article

Reading Summary:

Enterprises often deploy firewalls and an intrusion detection system (IDS) to keep the organization secure. However, that is not enough to find vulnerabilities such as web attacks on an external web server or BIND exploits on a DNS server. There are different approaches to supplementing the security model. Proactive vulnerability assessment can be done in various ways depending on the organization, for instance with Nessus, a low-cost automated vulnerability scanner. If the enterprise chooses Nessus, it first needs to configure the scanner properly and then scan the network. Once the scan is complete, interpreting and analyzing the reports is crucial, in particular identifying which findings are false positives.
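Report triage is the step most often skipped. As an added example for this page (written here, not Nessus code; the column names are modeled on the shape of a Nessus CSV export and are an assumption to check against your own export's header), the following Python drops informational plugins, suppresses findings an analyst has verified as false positives while keeping a record of each suppression, and lists the rest per host with the highest CVSS first. The report rows, plugin IDs and the false-positive entry are all constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed scan output. Columns follow the shape of a Nessus CSV export
# (assumed here); plugin IDs and findings are made up for the example.
REPORT_CSV = """Plugin ID,CVE,CVSS,Risk,Host,Protocol,Port,Name
1001,,0.0,None,10.0.0.5,udp,0,Traceroute Information
1002,,0.0,None,10.0.0.5,tcp,22,SSH Server Detection
1003,,5.0,Medium,10.0.0.5,tcp,443,Deprecated SSL Protocol Version Enabled
1004,,10.0,Critical,10.0.0.5,tcp,0,Operating System Unsupported Version
1005,,7.5,High,10.0.0.7,tcp,21,Anonymous FTP Login Allowed
1003,,5.0,Medium,10.0.0.7,tcp,443,Deprecated SSL Protocol Version Enabled
"""

# Constructed false-positive register: (host, plugin id) -> reason it was dismissed.
# Recording the reason forces the analyst to justify every suppression.
FALSE_POSITIVES = {
    ("10.0.0.5", "1004"): "OS fingerprint wrong: host runs a vendor-supported release, verified by login",
}

def parse_report(csv_text):
    """Parses the CSV export into a list of finding dicts with numeric CVSS."""
    findings = list(csv.DictReader(io.StringIO(csv_text)))
    for f in findings:
        f["CVSS"] = float(f["CVSS"] or 0.0)
    return findings

def triage(csv_text, false_positives):
    """Drops informational plugins (Risk 'None') and verified false positives,
    then groups the remaining findings per host, highest CVSS first.
    Returns (findings_by_host, suppressed) so suppressed items stay auditable."""
    by_host = defaultdict(list)
    suppressed = []
    for f in parse_report(csv_text):
        if f["Risk"] == "None":
            continue
        key = (f["Host"], f["Plugin ID"])
        if key in false_positives:
            suppressed.append((key, false_positives[key]))
            continue
        by_host[f["Host"]].append(f)
    for host in by_host:
        by_host[host].sort(key=lambda f: f["CVSS"], reverse=True)
    return dict(by_host), suppressed

if __name__ == "__main__":
    by_host, suppressed = triage(REPORT_CSV, FALSE_POSITIVES)
    for host, findings in sorted(by_host.items()):
        print(host)
        for f in findings:
            print(f"  {f['Risk']:8s} CVSS {f['CVSS']:4.1f}  {f['Protocol']}/{f['Port']:<5s} {f['Name']}")
    for (host, plugin), reason in suppressed:
        print(f"suppressed {host} plugin {plugin}: {reason}")
```

Keying the false-positive register on host and plugin ID rather than on plugin ID alone matters: the same plugin can be a false positive on one host and a real finding on another, as the SSL finding on the second host shows.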

Article:

Law firms are willing to spend more than $6.9 million on information security, or 1.92% of their gross annual revenues. The industry holds very sensitive client data, and firms will do whatever it takes to keep that data secure. How will they achieve that goal? Law firms are strengthening in-house security skills, identifying gaps through internal and external security assessments, transferring risk by investing in cyber-liability insurance policies, and training attorneys and staff on the risks of electronic communications and phishing e-mails.

For more information regarding this article, please click here.

Question for the class:

Law firms are a growing industry in need of more cyber security analysts. Do you see yourself being part of that industry, and if so, how would you contribute to clients' data security?