Week 10: Web Application Hacking

Radisson hotel group is one of the largest hotel groups in the world with more than 1,400 hotels in 114 countries. The hotel group informed that a small percentage of their loyalty club members had their personal information accessed by an unauthorized person. It seems that the attackers first gained access to staff accounts which led them to customer data.

The breach didn’t seem to affect credit card and password information. However, it exposed rewards member names, addresses, email addresses, company names, phone numbers, rewards member number and frequent flyer numbers. Such information is to be monetized through enhancing pattern analysis on particular individuals, either high net worth or people with specific access to something.

Since the hotel chain has its presence all over the world, GDPR is likely to come into play. Also, the hotel group was not forthright while dealing with this breach, because the breach was discovered on October 1, but the company informed the members only last week, which was after a month.

https://www.infosecurity-magazine.com/news/radisson-hotel-group-spills/

Two New Bluetooth Chip Flaws Expose Millions of Devices to Remote Attacks

– Swati Khandelwal

Security researchers have unveiled details of two critical vulnerabilities in Bluetooth Low Energy (BLE) chips embedded in millions of access points and networking devices used by enterprises around the world. The vulnerability is called as BleedingBit which allows remote attackers to execute arbitrary code and take control of devices.

 

This vulnerability affects medical devices such as insulin pumps and pacemakers, as well as point-of-sales and IoT devices. Discovered by researchers at Israeli security firm Armis, the vulnerabilities exist in Bluetooth Low Energy (BLE) Stack chips made by Texas Instruments (TI) that are being used by Cisco, Meraki, and Aruba in their enterprise line of products.

 

Following are two vulnerabilities CVE-2018-16986 and CVE-2018-7080 have their patches released by respective vendors.

 

Reference: http://community.mis.temple.edu/mis5206sec401fall18/2018/11/02/in-the-news/

There are some reports that hackers are trying really hard to hack the midterm elections.  Some are saying they aren’t successful, but others are saying misinformation being spread by them are causing enough damage.  Targets include the voter registration databases, election officials, and networks across the country.  They are trying to injections of malicious computer code to a massive number of bogus requests for voter registration forms.

 

Facebook is also battling this front by removing bogus accounts that partake in these activities.  Given it’s voting day, have you guys seen any evidence of this yourselves?

 

https://www.bostonglobe.com/metro/2018/11/04/hackers-targeting-election-networks-across-country-lead-midterms/d0EzG4Cmh2jeMqllhXo4WP/story.html

https://www.vox.com/policy-and-politics/2018/11/6/18067756/2018-midterm-election-russia-hacking-interference-meddling-china-iran

A vulnerability called PortSmash or CVE-2018-5407 has joined the list of other dangerous side-channel vulnerabilities discovered in the past year, including older ones like Meltdown, Spectre and Foreshadow. This side channel vulnerability resides Intel’s Hyper-Threading technology. This vulnerability allows an attacker to see sensitive protected data like passwords and keys from other processes running in the same CPU core with simultaneous multi-threading feature enabled.

Will something like the T2 chip that apple makes on the Mac prevent issues like this?

 

https://www.zdnet.com/article/intel-cpus-impacted-by-new-portsmash-side-channel-vulnerability/

 

 

I found this article pretty interesting especially for those folks that will end up working for smaller companies.  You’ll see why security is always important no matter the size of your company or if you think you’ve never been hacked before.  In fact it talks about how security can help your company save money.

Here’s a list of the myths the article talks about:

Myth 1: Small organizations are low-value targets for hackers.

Myth 2: There’s no reason to invest in security when organizations with tight security controls still experience security breaches.

Myth 3: Our organization has not been breached before, so we’re still safe.

Myth 4: Security is an expense, not a revenue generator.

 

https://www.informationsecuritybuzz.com/articles/four-cybersecurity-myths/

Iran was hit by another malware similar to one their nuclear plant was hit with in the past called Stuxnet.  This attack is most likely from Israel.  Shows you how warfare has moved in to the cyber world.  I think these type of attacks are only going to grow in frequency.  I would also bet for everyone we hear about, there’s a handful of other ones that fly under the radar without getting any publicity.

 

https://securityaffairs.co/wordpress/77553/cyber-warfare-2/stuxnet-new-version-iran.html

 

Intro-to-Ethical-Hacking-Week-10https://capture.fox.temple.edu/Mediasite/Play/f1a6995a3ed340779833aaa0966ab32d1d