Week 13: Evasion Techniques

It was recently discovered that a popular Captch WordPress plugin that was sold to an undisclosed buyer, has been modified and had a backdoor installed. The backdoor allows the plugin author to remotely gain administrative access to the WordPress websites. WordFence and WordPress teamed up to patch the affected version of the Captcha plug-in as well as preventing the author to publish further updates. It is advised and recommended that website administrators are replacing their Captcha plugin with the latest version.

https://thehackernews.com/2017/12/wordpress-security-plugin.html

https://www.csoonline.com/article/3242866/security/our-top-7-cyber-security-predictions-for-2018.html

This article taught me that there will be companies that will be subject to the European Union’s (EU) General Data Protection Regulation (GDPR) and most arear behind the May 25 compliance deadline. I found this add as Regulators will not audit for GDPR compliance, so companies are vulnerable to fines only if there is a breach or EU citizens file complaints. Even if a company experiences a breach or complaint, regulators will likely treat it leniently if the company can document good-faith efforts to comply. To me what is the point of a governing body (GDPR) and regulations if there is a possibility of no audit. Therefore unless there is a complaint or visible issue a company may not even pay a fine.

At this point the GDPR is predicted to punish when the companies are caught. The other points that I see at my work place are the decline of password-only authentication will accelerate. Even my job there is dual authentication process for VPN and sign-on. There will be an increase in state-sponsored attacks and IOT which should not be a surprise to anyone. We are aware of how countries like Russia, Korea, etc are attempting to increase security hacking.
What I did find interesting is how there is a risk of more automation of threats. I always expected hackers to be precise and hands-on. Lastly the big issue will be trust. Who can companies trust with guarding and protection and implementing security measures.

The Major US banks is where the majority of Americans money is held. If an attack would happen it could be catastrophic to not only the economy but to an individual as well. It is imporant to understand how your money and information is secured so that you can feel conferrable investing in that company.

 

https://www.csoonline.com/article/3240014/backup-recovery/the-best-kept-secret-in-cybersecurity-is-protecting-us-banks-against-catastrophic-attacks.html

https://www.upguard.com/breaches/credit-crunch-national-credit-federation

Coming only months after the revelation that the personal information of over 143 million Americans had been stolen from the systems of credit agency Equifax, the UpGuard Cyber Risk Team has discovered a new, damaging exposure from within a financial firm, which, beyond revealing critical internal data, also exposes customer information compiled by all three major credit agencies. This highly concentrated level of exposure, thoroughly revealing customer credit history several times over, serves to highlight the myriad dangers a single exposure can unleash.

This week is all about authentication, and I have two related articles about authentication:

https://www.buzzfeed.com/pranavdixit/amazon-is-asking-indians-to-hand-over-their-aadhaar-indias

and

https://www.wired.com/story/facebooks-new-captcha-test-upload-a-clear-photo-of-your-face/

In short, Facebook is testing a captcha test that requires the user to upload a selfie to authenticate, and in India, Amazon has required that customers use their Aadhaar (biometric unique identifier, similar to our SSN) to authenticate for tracking packages.

Both of these moves are significant because they are huge and growing platforms (FB and AMZN) – a policy move like this signals to other companies and sets industry standards and precedents. We have discussed in other classes how biometrics aren’t accepted as standards for authentication yet, this will no doubt have an impact.

Karim Baratov, a 22-year-old Kazakhstan-borm Canadian citizen has pleaded guilty to hacking charges over his involvement massive 2014 Yahoo data breach that affected over three billion Yahoo accounts.

In March, the US Justice Department charged two Russians which are Dmitry Dokuchaev and Igor Sushichim and two other hackers which are Alexsey Belan and  Karim Baratov for breaking Yahoo servers in 2014.

Karim was arrested in Toronto at his Ancaster home by the Toronto Police Department in March this year, the other three suspects are still in Russia, unlikely to be extradited.

Last Tuesday, Baratov admitted to helping the Russian spies and pleaded guilty to a total of nine counts in San Francisco as following:

• One count of conspiring to violate the computer Fraud and abuse Act by stealing information from protected computers and causing damage to protected computers.
• Eight counts of aggravated identity theft.

Besides any prison sentence, Baratov has also agreed to pay compensation to the Yahoo victims and a fine up to $2,250,000 (at $250,000 per count).

 

https://thehackernews.com/2017/11/yahoo-email-hacker.html/

Breaches in the retail and hospitality industries have decreased to less than 5 times per month. Previously, it was in the double digits over the past two years. The decrease is due to the merchants, hotels and restaurants improving their point-of-sale (POS) systems to accept EMV or chip payment cards. The POS systems were a large target for attacks for the hospitality industry. This accounted for almost 40% of the 181 breaches hotels and restaurants faced over the two-year period. The amount of attacks decreased to eight per month in 2015 then to two by the end of 2016.

For the retail industry, web apps were the main target for attacks. During the beginning of 2016, the retail industry saw an increase in web app attacks, but no POC system attacks. However, the hospitality industry experienced web app attacks in addition to the POS system attacks. Chip cards are more work for attackers to deal with. EMV cards do not hold a user’s data on a magnetic strip that could be skimmed and sold to the dark web. Also, special equipment is required to collect information off the chip payment cards. Due to this, it is easier for attackers to target web apps and intercepting an e-commerce transaction.

https://www.darkreading.com/mobile/retail-and-hospitality-breaches-declined-over-past-2-years/d/d-id/1330503

 

https://www.darkreading.com/threat-intelligence/iranian-nation-state-hacker-indicted-for-hbo-hack-extortion/d/d-id/1330474

 

An Iranian hacker was indicted for an attack against HBO in early 2017. He reportedly extorted the data  for $6 million in bitcoin. The hacker made away with scripts, employee emails, proprietary information and tv episodes. Some of this data was leaked online. While he has not been arrested, the indictment will restrict his freedom

 

According to the article, an Iranian web developer named Pouya Darabi discovered and reported a critical vulnerability in Facebook systems that could have allowed anyone to delete any photo from the social media platform. Darabi analyzed the vulnerability and found that when creating a new poll, anyone can easily replace the image ID in the request sent to the Facebook server with the images ID of any photo on the social media network. The researcher said he received $10,000 as his bug bounty reward from Facebook after he responsibly reported this vulnerability to the social media network on November 3. Facebook patched this issue on November 5.

 

https://thehackernews.com/2017/11/facebook-delete-photos.html

CNBC.com repots uber was hacked because of a third party web provider.  They paid $100,000 to keep things quiet.  The FTC is looking at uber policies regarding employee and privacy.

small but it shows companies are paying ransoms to keep things quiet.  This is why hackers will continue to look for week systems and valuable data.

it’s like fishing, they Hope to get lucky.

https://www.cnbc.com/2017/11/21/uber-hack-exposes-data-of-57-million-users-and-drivers-report-says.html