
ITACS 5211: Introduction to Ethical Hacking

Wade Mackey

Fred Zajac

Uber hacked

November 21, 2017 by Fred Zajac 2 Comments

CNBC.com reports that Uber was hacked through a third-party web provider.  Uber paid the attackers $100,000 to keep the breach quiet.  The FTC is looking at Uber's policies regarding employees and privacy.

Small, but it shows that companies are paying ransoms to keep breaches quiet.  This is why hackers will continue to look for weak systems and valuable data.

It's like fishing: they hope to get lucky.

https://www.cnbc.com/2017/11/21/uber-hack-exposes-data-of-57-million-users-and-drivers-report-says.html

Online Fraud is not a bad thing…

November 18, 2017 by Fred Zajac 2 Comments

Nick Wells reported a story on CNBC.com with a headline suggesting that online fraud is not a bad thing.

He comments on a report from Forter, an e-commerce fraud-prevention company.  Forter monitors customer transactions to determine whether a purchase may be fraudulent: it checks the device that placed the order, the address the item is being shipped to, and other signals, and then approves or declines the transaction based on machine learning and its decision rules.

The data in the report shows online fraud stabilizing at about 2% of all online transactions, meaning about 98% of transactions are legitimate.  The report also mentions regular, technology-savvy customers taking advantage of coupon and referral promotions by using proxies and VPNs to bypass authorization controls.  Some referral bonuses include free gift cards or merchandise.  Using these methods to circumvent the system is online fraud.

The story concludes with Forter CEO Michael Reitblat saying, "A little bit of fraud helps.  As long as it's controlled, it's okay.  It's the cost of doing business."  What he means is that if a company closes down every fraud avenue, customers will find it harder to complete an online transaction, which will chase them away.

https://www.cnbc.com/2017/11/16/online-fraud-is-still-around-and-thats-not-a-bad-thing.html


Is it possible for a plastic surgeon to implant revenge?

November 11, 2017 by Fred Zajac Leave a Comment

A plastic surgeon to the celebrities in London decided to fight back against the hacker group "Dark Overlord" after the group downloaded patient pictures and information.  Fighting back by organizations has been on the rise and is called "hacking back".  The article mentions organizations deploying several different resources to gather information on the hackers and initiate an offensive against them.  The article didn't mention any statistics on success, but I would imagine it depends on the size and capabilities of the hackers.

The Dark Overlord is a hacking group that has taken credit for several major information-system hacks over the last several years.  They have been growing and do this as a full-time job.  Just like we go to our jobs and do whatever it is we do, they go to the office and hack systems.  You never know who is on the other end of a hack.  Be careful not to upset the beast.  In my opinion, a group like Dark Overlord can destroy a person or company if they identify you as a target.  My advice…  Don't put yourself in a situation where the Dark Overlord can beat you up.  Do your best to avoid the conflict by protecting your systems and acknowledging that certain information may be best kept in a secure system, segregated from other organizational networks.

Here are a few snippets from the article on what happened.

“…the hackers had targeted London Bridge Plastic Surgery (LBPS), which describes itself as “one of the leading plastic-surgery clinics in the U.K.” on its website. LBPS clients include TV star Katie Price and other celebrities, …graphic and close-up images of surgery on male and female genitalia”

“doctors tried to gather information on the Dark Overlord with a small hack of their own”

“The hackers shared a Word document with The Daily Beast that the group says Chris Inglefield, LBPS’ chief surgeon, sent to them, but …it contains no text at all”

The file was an “image stored on a server belonging to LBPS. When the target opens the document, it opens a connection and retrieves the image from LBPS’ server, meaning LBPS now has the target’s IP address”.

He was caught by the “Dark Overlord” group and they responded with, “We confronted Christopher about his attempt to de-anonymize us, and he denied it vehemently. …We punished Christopher accordingly, …it amounts only to a fair bit of chuckling around the office.”

https://www.thedailybeast.com/hackers-say-plastic-surgeon-to-the-stars-hacked-back-at-them


IoT during Thanksgiving

November 5, 2017 by Fred Zajac Leave a Comment

Thanksgiving at my family's house looks like a day on the trading floor of the New York Stock Exchange.  The 50+ people, adults and children, require multiple days of preparation and clean-up.  We always seem to find time to get it done, but having a Vicki from Small Wonder would make life so much easier.

Here are a few items you may see around the place you spend Thanksgiving.

http://smarthome.reviewed.com/features/10-gadgets-that-will-practically-host-thanksgiving-for-you?utm_source=usat&utm_medium=referral&utm_campaign=collab

These items are great and seem like a big help.  They are easy to use, and most have an app to manage the device.  I did notice one thing…  I couldn't find the word encryption, security, protection, or anything like that anywhere…  Oh well, as long as the turkey is done, it doesn't matter if someone is spying on us while we watch the football game…

Disgruntled Employee… Not Against The Employer

November 5, 2017 by Fred Zajac Leave a Comment

In a recent report, an employee at Twitter shut down President Donald Trump's Twitter account for 11 minutes on their last day of work.  President Trump responded by tweeting that his account was taken down by a "rogue employee".  He is making me think that he is the Emperor and the employee is a member of the Rebel Alliance.  (Star Wars reference)

Anyway…

CNN discusses why this could be really bad:

  1. Imagine if someone tweeted from the President's account, "I just OK'd nuclear action against N. Korea".
  2. Social media companies have been under attack by Washington because of evidence pointing to foreign states using social media sites to pass along misleading, and even false, stories that were then quoted by high-ranking political figures.
    1. Do we feel comfortable with our President using a platform like Twitter to communicate his political messages and actions to the country and the world?  We are putting a lot of trust in Twitter's security and its ability to keep these high-profile users from being seduced into preaching questionable information as fact.

http://www.cnn.com/2017/11/03/politics/trump-twitter-account-down/index.html


Don’t overlook physical controls

October 11, 2017 by Fred Zajac 3 Comments

The Daily Beast (syndicated on MSN) reports that the NSA's Tailored Access Operations unit had a serious data breach.  This is one of the largest incidents at the NSA over the last five years.

The story reports that access controls at TAO's locations are "porous", allowing workers to easily remove information, either digitally or by simply walking out the front door.

Here are a few quotes from the story:

“Physical security wasn’t much better, at least at one TAO operator’s facility. He told The Daily Beast that there were “no bag checks or anything” as employees and contractors left work for the day—meaning, it was easy to smuggle things home. Metal detectors were present, including before Snowden, but “nobody cared what came out,” the second source added. The third source, who visited TAO facilities, said bag checks were random and weak.”

“If you have a thumb drive in your pocket, it’s going to get out,” they said.
Unsurprisingly, workers need to swipe keycards to access certain rooms. But, “in most cases, it’s pretty easy to get into those rooms without swipe access if you just knock and say who you’re trying to see,” the third source added.

“The TAO is the tip of the NSA’s offensive hacking spear, and could have access to much more sensitive information”.

“Defense Department’s inspector general completed in 2016 found that the NSA’s “Secure the Net” project—which aimed to restrict access to its most sensitive data after the Snowden breach—fell short of its stated aims. The NSA did introduce some improvements, but it didn’t effectively reduce the number of user accounts with ‘privileged’ access, which provide more avenues into sensitive data than normal users, nor fully implement technology to oversee these accounts’ activities”

I guess the Top Secret classification doesn't mean what it used to…

http://www.msn.com/en-us/news/technology/elite-hackers-stealing-nsa-secrets-is-%E2%80%98child%E2%80%99s-play%E2%80%99/ar-AAtiWhO?li=AA4Zoy&ocid=spartandhp

Companies are unaware of poor data management

October 9, 2017 by Fred Zajac 2 Comments

Sarah Guo was interviewed at the Cyber Security Summit in Boston this morning.  She works for a venture capital firm that invests in technology companies.  She mentioned the firm's involvement with two security companies and the shocking results of audits of several clients' information systems.

She said, “There wasn’t a single [company] where we didn’t find bad behavior already… while examining the databases of some of its clients, was able to find a shocking amount of bad behavior that the companies were completely unaware of — including corporate espionage and insider threats.”

Yikes…

https://www.cnbc.com/2017/10/09/greylocks-sarah-guo-us-doest-take-data-security-seriously-enough.html

Vice on HBO: VICE EPISODE 81 Russian Hacking

October 1, 2017 by Fred Zajac Leave a Comment

My In the News story this week came from the latest episode of Vice on HBO.  The episode discusses Russian hacking and also shows how black-hat hackers attack targets.  It shows how two white-hat hackers were able to gather information on the host and make a purchase with her credit card.  Here is how they did it…

They knew which hotel she was checking into from her blog.  They waited in the lobby all day until she came into the hotel.  Once she had entered the lobby and checked in, they created a fake Wi-Fi hotspot with a common hotel name, like "Hilton Hotel Wifi", using software on their laptop.  They waited a few minutes and… bingo!  Guests started to join their network.  The fake login page asked for name, phone number, and room number.  This was the only information they needed.

With this simple information in hand, they asked a female friend to call the hotel, claim to be the host, and add them to the room.  The hotel authenticated the caller using only the name, phone number, and room number.

Once the two white-hat hackers were added to the room, they obtained a room key that, according to the show, carried her credit card information.  They then used another software application to decode the room key and read the credit card information.

With her credit card information, they purchased a gift from the gift shop for her.

This was all described in the show.
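The fake hotspot is the first link in that chain, and it is the one part a guest can spot from their own laptop: a survey of the lobby's Wi-Fi shows the hotel's SSID suddenly being advertised by a second, open access point from a different hardware vendor. The following is an added example, not code from the show or from this post, that looks for such a rogue twin in a Wi-Fi scan. The scan results, SSIDs, BSSIDs and the hotel's vendor OUI are all constructed for the example; in practice the known-good values come from a site survey done before the stay or from the venue's IT staff.

```python
import re
from collections import defaultdict

# Constructed scan, in the shape a survey tool such as airodump-ng lists:
# (SSID, BSSID, channel, security).  Every value here is made up.
SCAN = [
    ("Hilton Hotel Wifi", "00:11:22:aa:bb:01", 6,  "WPA2"),
    ("Hilton Hotel Wifi", "00:11:22:aa:bb:02", 11, "WPA2"),
    ("Hilton Hotel Wifi", "de:ad:be:ef:00:01", 1,  "OPEN"),  # laptop hotspot, same name
    ("Hilton-Hotel-WiFi", "de:ad:be:ef:00:02", 1,  "OPEN"),  # lookalike name
    ("Guest5G",           "00:11:22:aa:bb:03", 36, "WPA2"),
    ("CoffeeShop",        "66:77:88:99:00:01", 6,  "OPEN"),  # unrelated, ignored
]

# Assumption for the example: the venue's managed APs share one vendor OUI and
# advertise only these SSIDs (what a site survey before the stay would record).
KNOWN_SSIDS = {"Hilton Hotel Wifi", "Guest5G"}
KNOWN_OUIS = {"00:11:22"}


def normalize(ssid: str) -> str:
    """Collapse case and punctuation so 'Hilton-Hotel-WiFi' matches 'Hilton Hotel Wifi'."""
    return re.sub(r"[^a-z0-9]", "", ssid.lower())


def find_evil_twins(scan, known_ssids=KNOWN_SSIDS, known_ouis=KNOWN_OUIS) -> dict:
    """Return {bssid: [reasons]} for access points that look like rogue twins.

    Three signals, each enough on its own to warrant a closer look:
      * a known SSID advertised from a BSSID whose vendor OUI is not the venue's
      * an open network using the same SSID as one that is encrypted
      * an SSID that only differs from a known one in case or punctuation
    """
    by_ssid = defaultdict(list)
    for ssid, bssid, channel, security in scan:
        by_ssid[ssid].append((bssid, channel, security))
    lookalikes = {normalize(s): s for s in known_ssids}

    findings = defaultdict(list)
    for ssid, aps in by_ssid.items():
        encrypted_exists = any(sec != "OPEN" for _, _, sec in aps)
        for bssid, channel, security in aps:
            oui = bssid[:8].lower()
            if ssid in known_ssids:
                if oui not in known_ouis:
                    findings[bssid].append("unknown vendor OUI advertising a known SSID")
                if security == "OPEN" and encrypted_exists:
                    findings[bssid].append("open network using the same SSID as an encrypted one")
            elif normalize(ssid) in lookalikes:
                findings[bssid].append(f"SSID is a lookalike of '{lookalikes[normalize(ssid)]}'")
    return dict(findings)


if __name__ == "__main__":
    for bssid, reasons in find_evil_twins(SCAN).items():
        print(bssid)
        for reason in reasons:
            print("   -", reason)
```

The OUI check is the weakest of the three, since an attacker can set the MAC address of the hotspot interface to anything; the open-versus-encrypted mismatch is what most directly catches the captive-portal trick in the show, because the fake network has to be open for strangers to join it and land on the login page.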

Securities and Exchange Commission – SEC gets hacked

October 1, 2017 by Fred Zajac Leave a Comment

Peter J. Henning of the New York Times reported that the Government Accountability Office had found information-security deficiencies at the SEC that “limited the effectiveness of the S.E.C.’s controls for protecting confidentiality, integrity and availability.”  The GAO also found poor encryption practices for certain data.

The hack was on an SEC system used by companies that are about to go public.  It is a practice system, where they enter company information just as they would once they become a publicly traded company.

The hack could have exposed insider information on companies that used the system to practice and entered real data instead of test data, meaning actual results, financial statements, and other data reported to the SEC by publicly traded companies.

This could have enabled insider trading: the hackers would have had knowledge of non-public information and could have traded on it.

The questionable thing is that the hack occurred last year…  NIST SP 800-61 sets out how incidents should be handled, and FISMA-based federal reporting guidance requires agencies to report incidents to US-CERT promptly (within one hour of identification under US-CERT's federal incident notification guidelines), not a year later.  Those documents also include guidance for deciding whether a breach notification to affected parties is required, based on the likelihood of harm, and one could argue that this is why the SEC didn't report last year, but…  this type of incident handling now gives companies like Equifax a road map on how "not" to report a security breach.

http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf

https://www.nytimes.com/2017/09/26/business/dealbook/sec-hack.html?mcubz=1
