Week 08: Social Engineering, Encoding and Encryption

In the article, the author introduces about the reason why it is hard to punish the companies for data breaches. Sometimes the companies did everything right. Data breaches are because of unlucky, so it is unfair and unproductive to punish them. The hardest part is to determine where the line is between companies that do their due diligence and those that are negligent. Companies do not spend much money on protecting their data. For the companies have data breaches, they should face a combination of consequences that included both fines and corrective security measures. The fines would need to be hefty enough to motivate greater investment in data security and cover their customers’ losses. That makes them understand it is time-consuming and money-consuming if they do not protect data well.

 

https://www.nytimes.com/2018/10/16/opinion/facebook-data-breach-regulation.html?rref=collection%2Ftimestopic%2FComputer%20Security%20(Cybersecurity)&action=click&contentCollection=timestopics&region=stream&module=stream_unit&version=latest&contentPlacement=3&pgtype=collection

I stumbled upon this paper from three researchers in Portugal. They do a good job defining a lot of terms and definitions which are used in the Social Engineering. Especially helpful is that the paper describes many of these attacks and shows examples in Kali. On the other hand the paper is a little short and pretends to be a research piece when no new information is given. It only really describes the existing state of Social Engineering but draws no new conclusions.

https://www.researchgate.net/publication/315351300_SOCIAL_ENGINEERING_AND_CYBER_SECURITY

 

Interesting news about a security researcher has discovered several critical vulnerabilities in Amazon FreeRTOS, a embedded real-time operating systems, and its other variants, exposing a wide range of IoT devices and critical infrastructure systems to hackers. RTOS has specifically been designed to carefully run applications with very precise timing and a high degree of reliability, every time.

The security researcher discovered a total of 13 vulnerabilities in FreeRTOS’s TCP/IP stack that also affect its variants maintained by Amazon and WHIS, as shown below:
freeRTOS. The vulnerabilities could allow attackers to crash the target device, leak information from its memory, and the most worrisome, remotely execute malicious code on it, thus taking complete control over the target device.

 

https://thehackernews.com/2018/10/amazon-freertos-iot-os.html

https://thehackernews.com/2018/10/amazon-freertos-iot-os.html

Looks like Amazon’s FreeRTOS a leading open source real-time operating system has several critical vulnerabilities. A researcher has found the the embedded systems that have been ported to over 40 microcontrollers, which are being used in IoT, aerospace, medical, automotive industries, have vulnerabilities could allow attackers to crash the target device, leak information from its memory, and the most worrisome, remotely execute malicious code on it, thus taking complete control over the target device. Amazon has since deployed security patches. Looks like the risk for IoT is still prevalent, even from our major vendors.

Looks like a Telsa owner caught on camera some thieves that tried to steal his Telsa Model S car by hacking the passive entry system.  Telsa has some preventative controls developed to prevent this however the guy had not implemented them.  For example, there’s a way to make the user put in a PIN number to activate the car to drive.  Or there’s a way to use a “Faraday pouch” to store the fob, which would have prevented the thieves from nabbing the signals that he didn’t use either.

It comes down to if you lock the doors to your house but leave the windows open you will still be vulnerable to a thief.  Telsa has come up with ways to lock your doors, your windows and every other entry point but the car owners need to implement them or this can happen.

https://www.engadget.com/2018/10/22/tesla-model-s-theft-keyfob-hack/

Looks like Facebook’s answer to it’s hack that exposed millions of people’s information is to buy a cyber security company.  Must be nice to be able to just throw money at a problem for it to go away!  I wonder what other high profile company’s will use this tactic to battle their security issues that might come up in the future!

https://www.engadget.com/2018/10/21/facebook-may-buy-large-cybersecurity-company/

 

 

This event is (practically) next door…free, good networking, refreshments (chips and soda) …great speakers and topic.

https://sites.temple.edu/care/files/2018/08/GuestSpeakerFlyer_YinYang.pdf

This is a scary place to have things broken.

The number of systems actually effected is relatively small with fairly specific conditions needed but it is still just passing a server something it doesn’t expect…

…like the Jedi mind trick…this user IS SUCCESSFULLY authorized…

https://www.tenable.com/blog/libssh-vulnerable-to-authentication-bypass-cve-2018-10933

More on the lib itself…

libssh 0.8.4 and 0.7.6 security and bugfix release

 

https://capture.fox.temple.edu/Mediasite/Play/6ca67198932c49e6b626a3d51cb3dc3d1d