Introduction to Ethical Hacking

Temple University

Week 13 Summary and News Article

Week 13 Summary
Network security is inherently difficult and there are many reasons for that. Protocols are often insecure, software is frequently vulnerable, and educating end users is time-consuming. Security is labor-intensive, requires specialized knowledge, and is error-prone because of the complexity and frequent changes in network configurations and security-related data. Network administrators and security analysts can easily become overwhelmed and reduced to simply reacting to security events. A more proactive stance is needed.

This introductory paper on Intrusion Prevention Systems (IPS) describes some of the basic evasion techniques that can be used to successfully evade detection. The following are some of the different approaches and techniques that can be used when it comes to IPS evasion: obfuscation, encryption and tunneling, fragmentation and protocol violations. Organizations mostly use firewalls and Intrusion Prevention Systems (IPS) to protect their network infrastructure.

Although IPS is an excellent evasion technique, internet service providers have fallen to manipulation of payload, traffic flow and header files, thus giving the green light for all traffic to pass through using attacker shell access, among other techniques. Luckily, there are multiple tools that can be used for researching evasion; a few of the better-known ones are Snort, Wireshark, HxD and Evader.

Lastly, one must manage expectations when it comes to IPS goals and objectives; it is not your organization’s next silver-bullet protection. It needs to be used in conjunction with other best-of-breed tools. Also, one should never just rely on the default settings from the vendor supplying the IPS. The vendor will set the IPS to work for the majority of their clients, but the vendor does not have the blueprint to your network, so it is recommended to look deeply at the settings and keep track of your own assets and of which services are in use. This can assist in designing a truly customized IPS security profile that can meet your organization’s needs and objectives. Finally, it is recommended to block null sessions (unless you need them) and keep an eye on your IPS alerts.

News Article: JPMorgan Hackers Breached Anti-Fraud Vendor G2 Web Services
This week’s interesting article shows how money laundering is such a key component of cyber crime operations; hacking is no longer used for quick gains, it is a sustainable-growth hacker business model. This week, the model was unsealed in the federal indictments served against four men accused of making big gains and stealing tens of millions of consumer records from JPMorgan Chase and other brokerage firms, among other unnamed victims. For further information regarding this article, please click on the link below.
http://krebsonsecurity.com/2015/11/jpmorgan-hackers-breached-anti-fraud-vendor-g2-web-services/

Week 12 summaries and news article

Week 12 summaries
The next grand evolution in the internet is Web Services. While the physical infrastructure, connections and capacity planning have been rolled out, much of the data is now created for the web, with calls from websites to backend databases, and web services are the new client and server application communication channel of the web. Web services provide a standard means of interoperating between software applications running on a variety of platforms and frameworks. Because web services are unique in that they are internet native, they have great interoperability and extensibility. They are also machine-processable descriptions, thanks to the use of XML.

This evolution of the web services paradigm brings new security challenges to organizations that use the Internet, namely how to secure their businesses while conducting everyday business transactions over the web. Moreover, unprotected web services are vulnerable to the following types of attacks: reconnaissance, denial of service, integrity attacks, bypassing of firewalls, unintended software interactions and immaturity of platform(s).

However, there are counter measures that can help mitigate the risks of web service attacks, such as: enforce trust relationships, encrypt transport links, engineer secure components, perform regular tests on components, reconcile WSDL specifications with actual operation, use HTTP proxy filters and, finally, configuration management.

There are technical solutions which have been developed to deal with web service vulnerabilities, such as Security Assertion Markup Language (SAML), eXtensible Access Control Markup Language (XACML), XML Signature, XML Key Management Specification (XKMS) and Kerberos.

As more and more organizations grow and extend their IT infrastructure to include XML Web Services as the main services, it will be important to appreciate the security implications and how to mitigate against the vulnerabilities of using XML Web Service message constructs within their web-based applications.

News Article of Interest: Hijacking phones with radio waves, Siri and headphones.
Users rely on personal assistants such as Siri, Google Now and Cortana to make calls, send messages and perform web searches, among other things. In view of that, a pair of French researchers have conceived an attack to remotely hijack phones and described the radio wave attack, which uses FM radio signals sent from a laptop to an antenna, which transmits the signals to a nearby voice-command enabled phone with headphones plugged in. In this attack, the headphone cord acts as an antenna, sending commands through the microphone to a digital assistant like Siri.
For more information related to this article, please see the link below:
https://nakedsecurity.sophos.com/2015/10/15/hijacking-phones-with-radio-waves-siri-and-headphones-should-we-worry/

Week 13 Takeaways

Reading Summary: Evasion

Organizations mostly use firewalls and Intrusion Prevention Systems (IPS) to protect their network infrastructure. IPS is an evasion technique used to detect any security attacks. However, ISPs can be manipulated by changing the header, payload and traffic flow. This will then allow traffic to pass through and allow the attacker shell access to the target system protected by the ISP. There are various ways and techniques that can be used when it comes to IPS evasion, such as obfuscation, encryption and tunneling, fragmentation, and protocol violations. However, there are multiple open source tools used to conduct research regarding evasion, such as Snort, Wireshark, HxD, Evader, etc.

Question for the class:

In your personal experience, how successful are evasion tools used to detect any malware or evasion techniques used to attack and take control of the machine?

In the news: New Moker RAT Bypasses Detection

The latest remote access Trojan can effectively mitigate security measures on machines and grant the attacker full access to the system. This is known as a RAT (aka Moker), which researchers found out communicated with a server in Montenegro. This malware can bypass antivirus, sandboxing and virtual machines. Once embedded, the RAT can take full control of the device to take screenshots, record web traffic, sniff keystrokes, and exfiltrate files.

For more information regarding this article, please click here.

Week 12 Reading Summary and in the News

Web Services Security – An Overview

Web services allow complex applications to present their information in a simpler manner via common processes such as HTTP or HTTPS. The most common web service vocabularies are SOAP, WSDL and UDDI, which enable the communication required to present the information. This technology provides the next phase of evolution, but does come with challenges and risks. There is a wide array of attack vectors which unprotected web services are vulnerable to, such as: Reconnaissance, Denial of Service, Integrity Attacks, Firewall Bypassing, Unintended Software Interactions, and Immaturity of the Platform. Fortunately, several countermeasures have evolved to counter these attacks, such as: Enforce Trust Relationships, Encrypt Transport Links, Engineer Secure Components, Perform Regular Tests on Components, Reconcile WSDL Specs with Actual Operation, Use HTTP Proxy Filters, and Configuration Management.

In the NEWS: http://www.databreachtoday.eu/hackers-claim-fbi-portal-breached-a-8667

A group of hackers claims to have breached an FBI information-sharing portal and gained access to numerous sensitive systems, including records of individuals who have been arrested by U.S. federal agencies as well as tools for sharing information between U.S. federal agencies and partners located both domestically and abroad.

Week 12 Reading Summary, Question, and recent Cyber Security News…

  1. Summarize one key point from each assigned reading…

1A. Regarding “web services security” info (other outside component web app services providing info to larger web sites all previously operating over non-secure HTTP), can be vulnerable to following cyber attacks: DoS, spoofing, firewall bypass, etc.  One excellent way to protect HTTP traffic is to employ encrypted transport links with SSL/TLS over HTTPS.

1B. Regarding “XML web services & web application security” info (highly distributed, inter-operable, easy-to-use, and very customizable web components all previously running over HTTP) were vulnerable due to initial poor infrastructure designs & implementations with less secure standards.  IPSec is one security technology that can be used to secure XML web service applications whenever common end points are known initially (example here would be working with 3rd party online vendors within larger online organizations.)

  2. Question to classmates (facilitates discussion) from assigned reading…

Which “web services” technologies have been most vulnerable to cyber attacks, and how to best provide security for these web services?

*Answers: The poorly designed & implemented web services applications which also initially did not include encrypted end-to-end links. For more info on “ten ways to secure web services”, review info from the following tech site…

www.zdnet.com/article/ten-ways-to-secure-web-services/

… “secure the transport layer HTTP (SSL/TLS over HTTPS), IPSec, firewall filtering, etc.”

  3. Identify, read, and post to our blog a current event article regarding ethical hacking & penetration testing (follow theme topic of the week, or other interesting related article)…

In the Cyber Security News lately

“US government has shown its mandate on backing HTTPS across its Federal websites and web services (reported on eHackingNews.com on 6/19/2015)…

www.ehackingnews.com/2015/06/us-government-is-moving-to-https.html

… as it will make the access safer for anyone using the government sites… according to the US Chief Information Officer, HTTPS only assures the reliability of the connection between two systems (not designed to protect web servers from being hacked)… an HTTPS-only standard will help to create a stronger privacy standard government-wide (data browser identity, website content, search terms, and other user-submitted information)… US government is moving to HTTPS everywhere on all public gov sites by 12/31/2016.”

Web Services

Web Services explanation:

Web services describes a standardized way of communication and data transfer between Web-based applications using the XML, SOAP, WSDL and UDDI open standards over an Internet protocol backbone, usually HTTP.

XML is used to tag the data, SOAP (Simple Object Access Protocol) is used to transfer the data, WSDL (Web Services Description Language) is used for describing the services available and UDDI (Universal Description, Discovery and Integration) lists what services are available in an online repository for other applications to find.

Web services allow different software systems to exchange data with each other by using XML tags for data exchange instead of a particular language. The “rules” that are needed to facilitate the communication are contained in the WSDL. UDDI also defines which software system should be contacted for which type of data, similar to a phone book or directory. Once the software system finds out which other system it should contact, it would then contact that system using SOAP.

 

In the news:

OmniRat Allows Cyber Criminals Hack Mac, Linux, Windows PC and Android Phones

RAT stands for Remote Access Trojan. When the OmniRAT was analyzed for its way of getting into the system it was found that it gets into the devices via a client component that starts communicating with a server counterpart which allows hackers to make the phone do things they want it to. It is usually used for testing and is downloaded as an apk file on mobile devices.

Week 12 – Summary

Web Services

Web Services are components that provide web communications using major protocols, such as TCP/IP over HTTPS and others, thus replacing middleware protocols. Some components can request other components as part of the overall service. Developers must use certain web service component architecture standards, such as SOAP, WSDL and UDDI, to create consistent web component interaction. Web Services are vulnerable to attacks such as: DDoS, Integrity Check, Enumeration, SQL Injection, firewall break through via open ports, etc. Mitigation would include Web Filters, Packet filters, Proxies, IPS/IDS over certain web traffic and open ports, web component integrity checks, and use of cryptography; certain languages provide high web security, such as XML Web Services platforms if built the right way with all security in mind.

Question for the Class: What web services languages are considered to be more sophisticated than the XML platform?

In the News:

Personal information for 100 million people was accessed by cyber-thieves between 2012 and the summer of 2015.  Twelve institutions were victims of the hacking, including JPMorgan, and asset manager Fidelity.

US prosecutors said they were expanding charges against two Israeli men, Gery Shalon and Ziv Orenstein, as well as a US citizen, Joshua Samuel Aaron.

Charges against the three men were expanded to include computer hacking and identity theft among 21 other counts.

The men allegedly manipulated stock prices by selling shares of companies to individuals whose contact information they had stolen. They then dumped their own shares, causing the price to fall.

The men were also charged with running an illegal payment processing business that they used to collect $18m (£11.9m) in fees.

Ref. Reading: http://www.bbc.com/news/business-34782369

 

Week 12: Article Summaries, In The News, and Question for Class…

Burns, S. (2001). “Web Services Security – An Overview”. SANS Institute, InfoSec Reading Room. Web services are software functions provided at a network address that enable machine-to-machine communication over the web. Each web service has an interface described in a machine-readable format (i.e. WSDL and UDDI), and is interacted with using Simple Object Access Protocol messages communicated over TCP/IP networks via HTTP/HTTPS using XML translation. Unprotected web services are vulnerable to the following attacks and problems: Reconnaissance, Denial of Service, Integrity Attacks, Firewall Bypassing, Unintended software interactions, and platform immaturity. Burns recommends the following counter measures to protect web services: Enforce Trust Relationships, Encrypt Transport Links, Engineer Secure Components, Perform Regular Tests on Components, Reconcile WSDL Specs with Actual Operation, Use HTTP Proxy Filters, and Configuration Management. At the time of publication, the following emerging technology solutions included: Security Assertion Markup Language, eXtensible Access Control Markup Language, XML Signature, XML Key Management Specifications, Kerberos, and Lightweight Directory Access Protocol.

Kwabi, C. (2003). “XML Web Services Security and Web based Application Security”. SANS Institute, InfoSec Reading Room. “XML Web Services are severely hampered by the inherent lack of support for security.” This paper provides a glimpse into efforts to “create a standardized security framework” for “…interoperability and end-to-end security amongst heterogeneous systems involved in XML Web Service communications sessions”.

InTheNews: Fox-Brewster, T. “Want Some Nuclear Power Plant ‘Zero-Day’ Vulnerabilities? Yours For Just $8,000”, Forbes/Security. Interesting article on the availability of tools that contain SCADA system exploits, and are updated and maintained with zero-day exploits: http://www.forbes.com/sites/thomasbrewster/2015/10/21/scada-zero-day-exploit-sales/

Question for Class: JSON seems to have two advantages over XML: 1) Speed and ease in parsing data, and 2) Simple data retrieval from JavaScript; however, the use of the eval() function to parse JSON into JavaScript objects makes it vulnerable to executing arbitrary JavaScript code in production applications. Data access with XML tags does not require code execution to extract data. With that said, which is more secure, XML or JSON?
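
Added example (not part of the original post): the eval() risk raised in the question above, shown beside JSON.parse, which accepts only the JSON grammar and never executes the text. The inputs and the function names `parseWithEval`, `parseStrict` and `compare` are constructed for illustration.

```javascript
// Constructed inputs (not from the original post).
const benign = '{"user": "alice", "roles": ["reader"]}';
// Not JSON: a JavaScript expression whose evaluation has a side effect.
// The side effect here only flips a flag so that execution is observable.
const hostile =
  '{"user": "alice", "roles": (globalThis.sideEffectRan = true, ["admin"])}';

// Legacy pattern the question describes: the text is compiled and run as code.
function parseWithEval(text) {
  return eval('(' + text + ')');
}

// JSON.parse rejects anything outside the JSON grammar with a SyntaxError.
// A shape check follows, because well-formed JSON can still be unexpected data.
function parseStrict(text) {
  let value;
  try {
    value = JSON.parse(text);
  } catch (err) {
    return { ok: false, reason: err.name };
  }
  const shapeOk =
    value !== null && typeof value === 'object' && !Array.isArray(value) &&
    typeof value.user === 'string' &&
    Array.isArray(value.roles) &&
    value.roles.every((r) => typeof r === 'string');
  return shapeOk ? { ok: true, value } : { ok: false, reason: 'BadShape' };
}

// Runs both parsers over the hostile input and reports what happened.
function compare() {
  globalThis.sideEffectRan = false;
  const evalResult = parseWithEval(hostile);
  const evalRanCode = globalThis.sideEffectRan;

  globalThis.sideEffectRan = false;
  const strictResult = parseStrict(hostile);
  const strictRanCode = globalThis.sideEffectRan;

  return { evalRoles: evalResult.roles, evalRanCode, strictResult, strictRanCode };
}

console.log(compare());
console.log(parseStrict(benign));
console.log(parseStrict('{"user": "alice", "roles": "admin"}'));
```

The same input that eval() runs as code is refused by JSON.parse before any of it is interpreted, and the shape check catches valid JSON whose fields have the wrong type.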

Week 12 Takeaways

Reading Summary: Web Services

Web services is a tactic used to improve productivity in terms of increasing the speed and quality of information flow, as well as to make it easier for producers and consumers of information to locate each other and exchange value. The goal and the main approach of web services is the replacement of middleware protocols (i.e., CORBA) with a vendor-neutral services architecture that operates over HTTP. In addition, it provides the means to advertise the availability of component services and the pre-defined usage rules. As great and efficient as this approach sounds, there is a big concern regarding the security of web services. Organizations are vulnerable to various attacks ranging from reconnaissance, DoS, integrity attacks, bypassing of firewalls, etc. Moreover, XML web services are evolving as the building blocks for creating distributed integrated solutions across the Internet regardless of where they reside or how they were implemented. However, XML lacks support in terms of security within the initial version of the standard. This threat results in concerns dealing with confidentiality and message integrity. However, organizations are being proactive and are on the way to creating a standardized security framework for XML web services.

Question for the class:

Have you experienced a web service attack in your organization, and if so, how was it handled?

In the news:  “Thai government websites hit by denial-of-service attack”

Several Thai government websites have been hit by a suspected DDoS attack targeting the site of the ministry of information, communications and technology and the main government website of thaigov.go.th. This attack appeared to be a protest against the government’s plan to limit access to sites deemed inappropriate, where thousands of people have signed a petition against the proposal known as the “Great Firewall of Thailand.”

For additional information regarding this article, please click here.