ITACS 5211: Introduction to Ethical Hacking
Wade Mackey
https://www.forbes.com/sites/jasonbloomberg/2017/02/20/four-disruptive-cyber-trends-at-rsa/#5272e2d69917
This article is interesting in all of the different kinds of cyber tools out there that companies could use to
analyze any kind of potential cyber security attack on their systems.
Apple has lunched recently the new IphoneX with a new future called FaceID to replace the Finger print ID future. Few issues concerning the new facial recognition system have been raised, It became such a debate whether it might make it easier for the authorities or thieves to force a user to unlock their handset and whether it will handle the hijab worn by some Muslim women, among other facewear.
This new Iphone X will be available in November. Journalists at the launch at the company’s Cupertino, California headquarters were shown Face ID working in controlled circumstances.
On Wednesday, Senator Al Franken published a letter he had sent to Apple seeking more information about this new future.
The biggest question at this time how Face ID will impact iPhone users’ privacy and security, and whether the technology will perform equally well on different groups of people,” he wrote.”To offer clarity to the millions of Americans who use your products, I ask that you provide more information on how the company has processed these issues internally, as well as any additional steps that it intends to take to protect its users.”
I really like the following article this week and I think it’s nice to share it with the entire class:
Fitbit became another device that can be used to track our personal lives and give Hackers the ability to even change our record that Fitbit collects. These Hackers discovered a way of intercepting messages transmitted between fitness trackers and the cloud servers where data is sent for analysis.
These changes that can be made in the record would not only affect us as users but big companies as well. So many companies are dependent on such devices to collect information do develop and rate certain product won’t receiving accurate data and all their new products would be built using false information.
If this kind of analysis that shows that the Fitbit servers are not receiving the correct data. It could be used to determine whether a person has a specific medical condition; and, the impact of this to the individual could be raised healthcare premiums or even denied coverage due to pre-existing conditions. Further, once the data is in the hands of an organization, it could potentially be sold for other purposes.
To solve this issue and secure the Fitbit, the researchers have created guidelines to help manufacturers remove similar weaknesses from future system designs to ensure users’ personal data is kept private and secure. It is very hard to secure such devices but it can be done by keep researching and studying all the weaknesses to create the right patches that will not give chance to Hackers to reach out there goals.
https://www.infosecurity-magazine.com/news/fitbit-vulnerabilities-expose/
I thought this was a pretty interesting article because it pertains to stuff that we were discussing in class. The article discusses how the US would like china to not enforce their new policy that requires companies who do business with china to house all data in the country and also have security that is subject to checks.
I think that this is important because you need to know the local laws of the companies that you are working with. It is also important because if china does not listen to the US and enforces the polices a lot of companies will have to rework a lot of their infrastructure and security in order to comply.
https://www.usnews.com/news/top-news/articles/2017-09-26/us-tells-wto-concerned-about-chinese-cyber-security-laws
http://www.technewsworld.com/story/84795.html
Credit Agency Equifax Cracked, 143 Million Consumers Exposed
This article talks about the following: Equifax suffered a major criminal data breach that exposed personal information of as many as 143 million consumers in U.S, sensitive personal data, including names, addresses, social security number, birth dates, and driver license number were exposed, Equifax took action as soon as they found out about the attack, Equifax responded well to the attack, they accepted full responsibility and immediately started to work on the issue, and finally consumers should check the Equifax site to insure that their data has not been exposed.
It will be interesting to see how things unfold in the upcoming months. Are there other companies that might be affected due to doing business with Equifax? Did Equifax have the right controls in place to prevent the attack or were they negligent? Also, will they be held accountable and what will the cost be?
I found this article quite interesting since I recently entered the environmental sector for work.
A hacker group known as “Dragonfly” is behind recent cyber attacks on the energy industry in Europe and North America. There was strong activity shown in the United States, Turkey and Switzerland. These attacks can disrupt energy operations in both continents. The impact of the attacks has been minimal, but many are concerned about the future. The motive behind these attacks has not been determined. There have been no signs of motivation in regards to monetary, extortion or economic espionage. Due to the targets of the attacks, the level and types of attacks and collection of data and information, it has been concluded that a nation-state may be behind this. Additionally, the attackers are using unsophisticated methods to hack into the SCADA systems. They are not exploiting zero-day vulnerabilities, but are taking the social engineering route. The Dragonfly hackers are collecting credentials and performing reconnaissance on the systems they are targeting.
http://www.technewsworld.com/story/84790.html
This is a pretty interesting article that I found that even though it is a couple weeks old now I think that it still hold true and gives important information. The article talks about how the NSA sues langue to track identities of anonymous people, like Satoshi Nakamoto, the person who invented bitcoin. They use a lot of techniques that are actually not that new to trace back his origin and pin point who he really is. What is interesting is back in the late 90s this is part of the way that the FBI caught the Unabomber Ted Kaczynski. They analysed his manifesto and published it and with the uniqueness of his language was able to find him. I thought this was interesting with us hacking different systems we all leave a trace or a something that is unique about us that sometimes we don’t even realize.
Source: https://medium.com/cryptomuse/how-the-nsa-caught-satoshi-nakamoto-868affcef595
Source: http://time.com/4828306/russian-hacking-election-widespread-private-data/
This article is a synopsis of hacking efforts in the 2016 election, as more reports have surfaced about the type of hack and amount of data compromised. One of the biggest takeaways is that systems in all 50 states were probed, as one official noted “We had to assume that they actually tried to at least rattle the doorknobs on all 50, and we just happened to find them in a few of them.” That being said, the number of successful intrusions was “less than a dozen.” The article mentions that the hackers used automated programs that scan for vulnerabilities — I wonder what programs they used?
The information hackers did manage to obtain include social security numbers and drivers license information. The two biggest concerns at the moment are 1) whether or not one of the candidates had access to this info and if they were able to gain an advantage with this data and 2) Public perception of polling systems and integrity of the vote. Losing public trust in a fair democratic process would/will have huge ramifications and no doubt spur legislation to try to secure these systems.
CCleaner, a popular maintenance and file clean-up software, was found to have been compromised with a backdoor application. Piriform, the developers of CCleaner, announced on September 18 that CCleaner version 5.33.6162 and CCleaner Cloud v1.07.3191 for 32-bit Window users were the infected versions. Through an investigative process, it was noticed that the software was illegally modified before it was released to the public and made available. The modification was made in the binary of the .exe file that allowed for a two-stage backdoor from a remote IP address on the affected systems. Besides the backdoor applications, it was also collecting information on the name of the computer, list of installed softwares and windows updates, running processes, MAC addresses, and information if the processes were running with administrator privileges. Currently, CCleaner Cloud has been automatically updated and that CCleaner should be manually updated as soon as possible.
https://www.forbes.com/sites/thomasbrewster/2017/09/18/ccleaner-cybersecurity-app-infected-with-backdoor/#51b0f0a1316a
http://thehackernews.com/2017/09/ccleaner-hacked-malware.html
http://www.piriform.com/news/blog/2017/9/18/security-notification-for-ccleaner-v5336162-and-ccleaner-cloud-v1073191-for-32-bit-windows-users
Original PDF Source (See Page 8)
tl;dr: >10 GB of data was exfiltrated from a North American casino using a recently installed Internet of Things fishtank.
There’s not a TON of info on this (since no casino wants to divulge too much about how it was hacked or what data was lost), but there’s two details that really stand out to me: