Temple University

Mustafa Al Shalchi

Week 13 Summary and News Article

Week 13 Summary
Network security is inherently difficult and there are many reasons for that. Protocols are often insecure, software is frequently vulnerable, and educating end users is time-consuming. Security is labor-intensive, requires specialized knowledge, and is error prone because of the complexity and frequent changes in network configurations and security-related data. Network administrators and security analysts can easily become overwhelmed and reduced to simply reacting to security events. A more proactive stance is needed.

This introductory paper on Intrusion Prevention Systems (IPS) describes some of the basic evasion techniques that can be used to successfully evade detection. The following are some of the different approaches and techniques used for IPS evasion: obfuscation, encryption and tunneling, fragmentation, and protocol violations. Organizations mostly use firewalls and Intrusion Prevention Systems (IPS) to protect their network infrastructure.

Although an IPS is an excellent defensive tool, internet service providers have fallen victim to manipulation of payloads, traffic flow and header fields, which effectively gives a green light for all traffic to pass through, including attacker shell access, among other techniques. Luckily there are multiple tools that can be used for researching evasion; a few of the better-known ones are Snort, Wireshark, HxD and Evader.

Lastly, one must manage expectations when it comes to IPS goals and objectives; it is not your organization’s next silver-bullet protection. It needs to be used in conjunction with other best-of-breed tools. Also, one should never rely solely on the default settings from the vendor supplying the IPS. The vendor will set the IPS to work for the majority of their clients, but the vendor does not have the blueprint of your network, so it is recommended to look deeply at the settings, keep track of your own assets and know which services are in use. This can assist in designing a truly customized IPS security profile that meets your organization’s needs and objectives. Finally, it is recommended to block null sessions (unless you need them) and keep an eye on your IPS alerts.

News Article: JPMorgan Hackers Breached Anti-Fraud Vendor G2 Web Services
This week’s interesting article shows how money laundering is a key component of cyber crime operations; hacking is no longer used for quick gains, it is a sustainable-growth hacker business model. This week, that model was unsealed in the federal indictments served against four men accused of making big gains and stealing tens of millions of consumer records from JPMorgan Chase and other brokerage firms, among other unnamed victims. For further information regarding this article, please click on the link below.
http://krebsonsecurity.com/2015/11/jpmorgan-hackers-breached-anti-fraud-vendor-g2-web-services/

Week 12 summaries and news article

Week 12 summaries
The next grand evolution of the internet is Web Services. While the physical infrastructure, connections and capacity planning have been rolled out, much of the data is now created for the web, with calls from websites to backend databases; web services are the new client and server application communication channel of the web. Web services provide a standard means of interoperating between software applications running on a variety of platforms and frameworks. Because web services are internet-native, they have great interoperability and extensibility. They also have machine-processable descriptions, thanks to the use of XML.

This evolution of the web services paradigm brings new security challenges to organizations that use the Internet, namely how to secure their businesses while conducting everyday business transactions over the web. Moreover, unprotected web services are vulnerable to the following types of attacks: reconnaissance, denial of service, integrity attacks, bypassing of firewalls, unintended software interactions and immaturity of platform(s).

However, there are countermeasures that can help mitigate the risks of web service attacks, such as enforcing trust relationships, encrypting transport links, engineering secure components, performing regular tests on components, reconciling WSDL specifications with actual operation, using HTTP proxy filters and, finally, configuration management.

There are technical solutions which have been developed to deal with web service vulnerabilities, such as Security Assertion Markup Language (SAML), eXtensible Access Control Markup Language (XACML), XML Signature, XML Key Management Specification (XKMS) and Kerberos.

As more and more organizations grow and extend their IT infrastructure to include XML Web Services as their main services, it will be important to appreciate the security implications and how to mitigate the vulnerabilities of using XML Web Service message constructs within their web-based applications.

News Article of Interest: Hijacking phones with radio waves, Siri and headphones.
As personal assistants, Siri, Google Now and Cortana are used to make calls, send messages, perform web searches and more. In view of that, a pair of French researchers have conceived an attack to remotely hijack phones and described the radio wave attack: FM radio signals are sent from a laptop to an antenna, which transmits the signals to a nearby voice-command-enabled phone with headphones plugged in. In this attack, the headphone cord acts as an antenna, sending commands through the microphone to a digital assistant like Siri.
For more information related to this article, please see the link below:
https://nakedsecurity.sophos.com/2015/10/15/hijacking-phones-with-radio-waves-siri-and-headphones-should-we-worry/

Week 11: SQL Injection Analysis and Related Article

Web application vulnerabilities are rampant, and the most popular form of this style of attack is SQL injection. In this attack format, the attacker will attempt to place data that is interpreted as instructions into common inputs. There are many goals associated with such an attack; an attacker may use SQL injection for a range of database exploitation, from circumventing authentication all the way to gaining complete administrative control of the sought-after databases from a remote server.

The reason why this style of attack is so effective is that SQL is the standard language for accessing databases. Moreover, the majority of web applications today use some sort of SQL database to store data for the application.

Problems come up time and time again because strings are not properly escaped. Secondly, data types are not appropriately restricted and constrained. There are ways to prevent SQL injection but not eliminate it. First, we will need to constrain data types (e.g. an integer data field should only accept integer values, etc.). Another way is to ensure that user input is escaped where possible, meaning escaping the apostrophes and backslashes (e.g. ‘, \’, \, \\). Finally, I have also read that the best way is using prepared statements; although they were originally designed to optimize database connectors, prepared statements can keep user data separate from SQL instructions. In view of that, when one uses prepared statements, the user input will not be interpreted as SQL instructions.
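An added example (not code from the original post or from any course material) showing the two defenses named above side by side: a login query built by string concatenation, the same query as a prepared statement, and an integer-only lookup. The table, account name and password are constructed for the demo.

```python
import sqlite3

# Constructed sample data (not from the page): one account with a placeholder
# password. Plaintext passwords are used only to keep the example short.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice', 'correct-horse')")
    conn.commit()
    return conn

def login_vulnerable(conn, name, pw):
    """String concatenation: the input is pasted into the SQL text, so a quote in
    the input changes the structure of the statement (the defect the text describes)."""
    sql = f"SELECT id FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return conn.execute(sql).fetchone() is not None

def login_prepared(conn, name, pw):
    """Prepared statement with ? placeholders: the SQL text is fixed and the values
    travel separately, so user data is never interpreted as SQL instructions."""
    sql = "SELECT id FROM users WHERE name = ? AND pw = ?"
    return conn.execute(sql, (name, pw)).fetchone() is not None

def get_user_name(conn, user_id):
    """Data-type constraint: an integer field only accepts an integer value.
    Returns the user's name, or None if the id is unknown or not an integer."""
    if not isinstance(user_id, int) or isinstance(user_id, bool):
        return None  # reject anything that is not a real integer
    row = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchone()
    return row[0] if row else None

def demo():
    """Run the same quote-breaking input against both login functions."""
    conn = make_db()
    bypass = "' OR '1'='1"  # constructed input that closes the string literal
    return {
        "vulnerable_bypassed": login_vulnerable(conn, "nobody", bypass),  # True
        "prepared_bypassed": login_prepared(conn, "nobody", bypass),      # False
        "prepared_valid_login": login_prepared(conn, "alice", "correct-horse"),
    }

if __name__ == "__main__":
    print(demo())
```

The vulnerable query becomes `... AND pw = '' OR '1'='1'`, which matches every row; the prepared version compares the whole input as a single string value and finds nothing.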

News Article:
Attackers used a SQL injection flaw to attack Joomla. Within hours of the discovery, release and patching of a critical vulnerability, malicious attackers began exploiting Joomla, a popular open-source content management system. This SQL injection flaw, found in versions 3.2 and 3.4.4 of Joomla, could potentially grant attackers full administrative access to any vulnerable site. The vulnerability was discovered by Trustwave researchers. For more information on this article, please click on the link below.

Week 10 Summary

The prevalence of today’s web applications makes them a good attack surface because of the many ways they can be reached. Moreover, web application vulnerabilities are a real and likely threat vector for many organizations with a web-facing presence today. One of the tools that can assist with detection of web vulnerabilities is Burp Suite. This suite is a robust web application vulnerability testing tool with many functions; one of them, called Spider, is used to get a complete list of URLs and parameters for each site. The tool looks into each page that was manually visited and goes through every link it finds within the testing scope. Also, XSS is one of the most common web attack vulnerabilities.

I found this interesting article from the Electronic Frontier Foundation; it speaks about how law enforcement agencies around the country are all too eager to adopt mass surveillance technologies, but sometimes they have put little effort into ensuring the systems are secure and the sensitive data they collect on everyday people is protected, which I thought you might like:
https://www.eff.org/deeplinks/2015/10/license-plate-readers-exposed-how-public-safety-agencies-responded-massive

Week 9 – Malware Summary & Cyber-Security News

Recent developments and advancements in malware have allowed hackers and attackers to exploit any device that has an internet connection; many hackers have resorted to using Cryptolocker malware to infect their target, then lock the user out of their files by encrypting them in order to blackmail the end user and pull him or her into a ransom payout to retrieve the files. Worms have been able to cause the most damage to end users for the least amount of effort on the attacker’s part; their life expectancy is prolonged through infinite loops and self-replication schemes.

In Cyber-Security News: Let’s Encrypt is one step closer to offering free HTTPS certificates to everyone! For more information, please see the link below.
http://thenextweb.com/insider/2015/10/20/lets-encrypt-is-one-step-closer-to-offering-free-https-certificates-to-all-sites/

Week 8 Topic and New Article Regarding Social Engineering

“Social Engineering” is underestimated as a likely security threat by many organizations; the likely assumption by many is that it is not going to happen to me. However, recent trends and studies support that the weakest link in organizations still remains the human factor. Thus it will pay dividends to educate your human capital on how to prevent, detect and correct behaviors that make it easier for hackers to social engineer you and your organization.

Social Engineering, also referred to as “People Hacking” (Harl), is an art which does involve deception. Many would say that the end justifies the means when it comes to Social Engineering; the attacker usually follows the same pattern to ensure efficient infiltration into an organization. It starts by obtaining data/reconnaissance, then developing relationships and/or developing an asset which will be used at a future date to exploit. Upon exploitation, the attacker ensures that the deception is successfully executed.

Motivations for committing social engineering attacks are numerous. They vary from monetary gains to social as well as psychological causes.

Techniques for carrying out such attacks are numerous; they vary and depend on the opportunity and ability realized and possessed by the attacker. Opportunity can present itself in the form of shoulder surfing, among other means such as dumpster diving, mail-outs, etc. If the abilities are there, then the attacker may choose to perform forensic analysis on hard drives and removable media such as memory sticks, DVDs/CDs, etc.

Only by understanding the significance of the Social Engineering threat and the ways it can be manifested can one begin to set different safeguards and counter-measures to protect you and your organization.

Article on Social Engineering. An article from SC Magazine confirms that 2015 phishing attacks are on the rise, since they only require low-effort methods that are proving to be lucrative for cybercriminals.
For further information, please refer to the link below.
http://www.scmagazine.com/social-engineering-will-ramp-up-in-2015/article/389169/

Week 7 – Reading6: NetCat

NetCat has been surging in popularity since 2000 among information security professionals. NetCat is unlike Nmap because this utility allows you to discover, read and write data across TCP and UDP network connections, thus giving you the ability to manipulate connections remotely. NetCat was created by Hobbit in 1995 as a feature-rich network debugging and exploration tool. We can thank Hobbit for giving us a tool that can be used in infinite ways to remotely prompt any node and perform such actions as hiding FTP transfers, port scanning and encryption, among other uses.

I found this interesting article regarding design flaws which make drones vulnerable to cyber-attacks, leaving normal (recreational) as well as weaponized drones with weaknesses which can be exploited by “drone hacking smartphones”.
Please see the link below for further information:
http://thehackernews.com/2015/10/drone-hacking.html

Week 6: Sniffers and what’s in the News.

There are different sniffing techniques that can be applied within switched and non-switched environments; ARP spoofing techniques and tools are available that allow an attacker to conduct network reconnaissance. This method has proven very effective in a switched environment. With fairly good accuracy and built-in logic allowing many network protocols to be decoded, these tools have the capability to filter the sniffed traffic on the fly and highlight sensitive information such as usernames and passwords, which has dangerous implications.

It is more challenging to eavesdrop on network traffic in a switched environment because switches will only send network traffic to the machine for which it is destined; this protection can be overcome with the right tool.

Packet sniffing in a non-switched environment is a real exposure if the organization is not employing strong encryption to slow down and even stop certain sniffing and password cracking attacks. For example, the most widely used encrypted protocol which happens to be vulnerable to sniffing and cracking attacks is Microsoft’s LAN Manager protocol. Multiple MS LM iterations have been released in an effort to address this vulnerability, but it is still penetrable and data can be infiltrated and/or exfiltrated.

There are ways to mitigate the risk of sniffing tools, however; it starts by locking down the network environment. Locking down the environment is one of the more holistic ways to secure the network. Software applications and virtual LANs that attempt to control and segment a network into logical segments are one way. That being said, they are still vulnerable to sniffing; therefore the most viable solution to protect against packet sniffing is encryption using IPSec.

What’s in the News:
Attackers have developed a botnet capable of 150+ gigabit-per-second (Gbps) distributed denial of service (DDoS) attack campaigns using XOR DDoS, Trojan malware used to hijack Linux systems.

To find out more, please click on the link below:
http://www.infosecurity-magazine.com/news/xor-ddos-botnet-20-attacks-per-day

Week 5 Reading Impressions, Question and New Article by Mustafa Al Shalchi

Week 5 Reading Impressions and Question:
What makes a good, buttoned-down hack complete? One will need more than just tools. I believe, in these articles, we need to think holistically throughout the infiltration and exfiltration process. Footprinting is the most important step because during this phase, you will gather pertinent data about your intended target(s).

Although this reading stresses the organization’s security posture, profile of their Intranet, remote access capabilities, and intranet/extranet presence, I believe that footprinting should also include looking at the organization’s structure, goals and aspirations. Only then can one have a great appreciation for the organization’s strengths and weaknesses.

In addition, successful infiltration and exfiltration practitioners are building their information database about your company’s security weaknesses. That being said, to do a good enough job, one must focus on smaller sections within the organization; there should be ample time for analysis of the data being gathered in order to form the appropriate attack strategy.

Today, certain organizations are bombarded by Denial of Service attacks and widespread virus infections, which leads many to question organizations’ leadership ‘due care’ awareness, strategy and actions. Installation of AVS is no longer a reasonable defense strategy; an organization’s leadership must address security holistically. This would include, but is not limited to, general associate awareness, policy/procedures and finally arming the organization with skilled practitioners along with the appropriate technology to meet the need for “right-sized” protection.

There is good news, however: with many devices available to the hacker to footprint your organization’s network, organizations can employ these same tactics and use these same tools to find the weaknesses before the “bad guys” do. Thus the hope is to prepare your organization for an appropriate layered security stance.

New Article:
In the aftermath of the big App Store security breach, today Apple reminds developers where they should obtain Xcode.
For further information, please refer to the link below:
http://betanews.com/2015/09/22/apple-sweeps-aside-app-store-malware-mess/

Sans Reading and Article of the Week

Regularly testing your technical shortfalls and security gaps using third-party vendors is always a good start if you are not sure where to start; however fancy it may be, it can be daunting at times and many will agree that it is expensive. Third-party vendors will give you a head start, but how will you maintain the momentum after they are long gone and you are back at square one? Additionally, these sorts of assessments only provide a “snapshot in time” of a system’s security posture. However, an organization’s risk and security profile continuously changes and evolves over time due to a variety of reasons. The best way to stay ahead of the curve is by constantly scanning in-house, using both manual vulnerability assessments and scans with automated scanning tools. One such tool that can help your organization is Nessus, a freeware utility designed to identify the vulnerable points of a system and provide information on how to fix them.

Nessus is widely viewed as a hacker reconnaissance tool, so you have to ensure the “rules of engagement” have been defined and written permission to use the tool has been given before use. You should begin by performing a scan against the host and then the clients. Results should be evaluated by security personnel to ensure accuracy and to provide relative interpretation of the results. The best thing is to concentrate on the critical vulnerabilities in the report; those risks should be mitigated immediately. The results should not be disseminated across the organization, to ensure confidentiality, privacy and security.

This week’s interesting security article comes from Wired magazine. Ever wondered if you have been spied on by national intelligence agencies such as the NSA, or foreign ones such as the British GCHQ? Well, now you can find out who spied on you. Please use the link below for further information.

Wired Magazine Link: http://www.wired.com/2015/09/now-can-find-nsa-gchq-spied