Zeltser, L. (2014). “Ouch! What Is Malware,” The Monthly Security Newsletter for Computer Users, The SANS Institute.   This reading provides a short high-level overview of malware, its sources, and protecting against it.

Hardikar, A. (2008). “Malware 101 – Viruses,” Information Security Reading Room, SANS Institute.   The paper provides an excellent introduction to: malware, complementary virus classification systems, and SANS’ six-step incident handling process.  The technical overview of malware types and the deeper dive offered by the classification systems provides motivation and insight into the nature and objectives of each step of the malware handling processes.  The article effectively couples the need for organizational security awareness training with the need for an Incident Handling Escalation Matrix.

Question for the class:  What criteria would you use to determine when an organization is justified in having an incident handling team?

News of the Week: Jack Daniel, “SWAMP, the SoftWare Assurance MarketPlace”, September 20, 2015. SWAMP is a free suite of 16 practical and useful software security analysis tools for assessing and testing applications coded in C/C++, Java, Java on Android, Ruby, and Python. SWAMP was developed by an academic research consortium with funding from U.S. Department of Homeland Security for the broader community of software and software tool developers. SWAMP’s tools are integrated within a centralized, cloud-based software security testing platform of 700 processing cores, 5TB of RAM, 104 TB of HDD and display their results within an inter-operable results viewer to simplify vulnerability analysis and remediation.  Work is underway to add support for JavaScript and PHP. http://blog.uncommonsensesecurity.com/2015/09/swamp-software-assurance-marketplace.html

Malware is like an umbrella term used for all malicious software to fall under. Viruses, Trojans, worms, etc all fall under the umbrella of Malware. The Sans Six incident handling model was suggested by the reading as a way to handle malicious software. Under this model there are 6 steps, preparation, identification, containment, eradication, recovery and lessons learned. Preparation and identification are constantly happening. Since there are so many viruses they can be broken into 4 subgroups, memory based, target based, Obfuscation Technique Based and payload based.

My question would be what type of malware do you think is the easiest to protect against and what could do the most damage?

Article:  http://www.zdnet.com/article/yahoo-latest-at-kill-the-password-alter/

Yahoo is looking to do away with passwords and instead go with a login that sends a push notification to the phone of the account owner to approve or deny an attempt to access an account.

Reading Summary: Malware

Malware infection is becoming very popular nowadays, ranging from Trojans, Backdoors, Zero-Days, Virus, Worms, and Polymorphic malware. Each organization has its way of handling such an infection, however each has an Incident Handling procedures in place that assists for dealing with various types of malware. More importantly, it helps the security personnel to quickly handle the malware and reduce any impact or any disruption it might cause the business as a whole. SANS introduces the Six Step Incident Handling Process as the following: preparation (policies and procedures), identification, containment, eradication, recovery, and lessons learned. In addition, the most important skills/attributes to have when handling an incident are:

1. Preparation: prevent the entry point of malware into the network.
2. Patience: formulate an effective strategic solution instead of taking quick un-prepared steps.
3. Persistence: analyze the malware sample regardless of its difficult and complex design.

In the news: New zero-day exploit hits fully patched Adobe Flash [Updated]

Adobe has acknowledged that there is an unpatched flaw in Flash that is being actively exploited. The acknowledgment comes one day after Adobe’s monthly security update; the issue was not addressed in that update. The flaw affects Flash version 19.0.0.207 and earlier for Windows, Mac, and Linux. Adobe plans to issue an emergency patch for the flaw next week. However, in the meantime, this zero-day exploit is targeting government agencies (i.e.: Russian politicians) as part of a long-running espionage campaign carried out by a group known as Pawn Storm. In addition, it has also infected the iOS devices of Western governments and news organizations.

For additional information regarding this article, please click here.

Question for the class:

Have you been a victim of a zero-day attack or have experienced any malware/virus in your personal workstation or that at work? If so, how was it executed and how did you resolve the infection?

Social engineering is an often overlooked form of security threat for an organization. In some cases you could probably argue that social engineering might be the easiest way to launch an attack on an organization.

Social engineering attacks generally have 4 steps to the cycle. Information gathering, developing relationship, exploitation, execution. Like anything in Cyber Security these lines tend to blur and there can be different steps but for the most part these 4 are always present.

Examples of social engineering can be as simple as getting to know an administrator and asking for a password or taking advantage of a nice employee who holds a door open to a data center giving you the benefit of the doubt that you should have legitimate access.

Question for the class: Have you ever been placed in a position where you had to be conscious of potential social engineering attacks?

Article: http://www.zdnet.com/article/here-is-how-internet-experts-plan-to-fix-poor-security/

This is about a plan frown up by 260 internet experts with the goal of making routers more secure and as a result the internet more secure. The full proposals sent to the FCC is found here https://www.fcc.gov/article/fcc-15-92a2 .

The summary given in the article:

“The experts said routers should be open-source so their code should be made public and available for review. Additionally, manufacturers should assure that any router firmware updates are under the owner’s control rather than the manufacturers and they should allow for a 45-day patch window for vulnerabilities for five-years after the device ships.

If, say the experts, the companies fail to comply, the FCC could decertify existing products or, in severe cases, bar new products from that vendor from reaching the market.”

You have been invited to attend a Mediasite presentation.

Presentation Details:
Title: =MIS 5211.001_10/7/2015
Date: Wednesday, October 7, 2015
Time: 5:30 PM (UTC-05:00) Eastern Time (US & Canada)
Duration: 2:30:00
Link: http://tucapture.fox.temple.edu/Mediasite/Play/47e1712dda1d42a09986c8f34bd901cd1d

Intro-to-Ethical-Hacking-Week-7

Social Engineering

Social Engineering is bad, mm’kay? It takes advantage of the weakest link in security, which are the people. Th systems can be secure, but people have the need and desire to help others or follow the rules of authority. Social engineering has the malicious actor act as either someone in need, someone in authority, or they can act as tech support in a reverse social engineering attack. This forces the average hacker to be social instead of a lurking troll in their basement who lacks people skills.

A reverse social engineering attack occurs when the malicious actor advertises his false credentials and skills as tech support. After an attack from the hacker, people will call the hacker thinking he is tech support, and thus give him their passwords.

Non technical social engineering involves dumpster diving, piggy backing, tailgating, should surfing, or just talking to employees at the smoke pit. Technical social engineering involves phishing, and creating fake websites for employees to foolishly enter their credentials. The strongest counter measure against social engineering is user education, policies, incident response strategy, and strong physical security.

News Article: China arrests hackers that were wanted by the US.
http://techti.me/2015/10/10/china-arrests-hackers-of-us-government-on-behalf-of-the-us/

Allen, M. (2006). “Social Engineering: A Means To Violate A Computer System”, SANS Institute Reading Room.  Allen’s article provides a good introduction and overview of social engineering. It covers definitions, workflow (or “Cycle”), motivation and traits of the social engineer, counter measures and controls to social engineering risks, and reviews and attack simulation to maintain preparedness.  Allen describes the following 8 core controls that organizations can implement: Management buy-in, Security policy, Physical security, Education/Awareness, Good security architecture, Limit data leakage, Incident response strategy, and Security culture.  He goes on to report that social engineering testing is unpopular among many organizations, leaving simulated attack the least common among the approaches to maintaining preparedness.

Question for Class: Are senior citizens more easy targets for social engineering than younger people?  Why or why not?

In the News:  “Amazon Downplays Cloud Breach Threat”, Referring to the research article “Seriously, Get Off My Cloud! Cross-VM RSA Key Recovery in a Public Cloud”, Mathew Schwartz reports that security researchers at Worcester Polytechnic Institute were able to breach one co-located virtual machine within Amazon Web Services’ Elastic Compute Cloud (EC2) machine to hack into another virtual machine.  The researchers demonstrated that “colocation can be achieved, and detected by monitoring the last-level cache in public clouds. More significantly,” they “present, a full-fledged attack that exploits subtle leakages to recover RSA decryption keys from a co-located instance.”  http://www.databreachtoday.com/amazon-downplays-cloud-breach-threat-a-8581.

Social Engineering, Encoding, and Encryption

Social Engineering can be described as human psychological or behavioral technique that allows to gain trust of a targeted victim. For example, pretending to be an employee of an organization can reveal certain information leading to a data compromise if proper behavioral techniques are used. To avoid such issues, proper CIA triage controls as well as thorough training must be implemented and revisited to ensure users are aware of potential attacks, able to sense a common pattern in attacker’s behavior, and have knowledge of dealing in this situations.

Question for the class

Do you think Phycology Courses as part of human behavior training would stop Social Engineering attacks?

In the News

Hillary Clinton’s private email server, which stored some 55,000 pages of emails from her time as secretary of state, was the subject of attempted cyberattacks originating in China, South Korea and Germany after she left office in early 2013, according to a congressional document obtained by The Associated Press.

Server was located at Clinton’s house in NY between 2009 and 2013. IPS got installed by SECNAP company in October 2013, so before that time a server was most likely vulnerable. In Feb 2014, SECNAP found a malicious software originated from China was running on server.

New revelations underscore the extent to which any private email server is a target, raising further questions about Clinton’s decision to undertake sensitive government business over private email stored on a homemade system

FBI is still investigating this issue.

Read details at: http://abcnews.go.com/Technology/wireStory/clinton-subject-hack-attempts-china-korea-germany-34327812