Week 12: Web Services

The real identity of Tessa88—the notorious hacker tied to several high-profile cyber attacks including the LinkedIn, Dropbox and MySpace mega breaches—has been revealed as a resident of Penza, Russian Federation.
The stolen data, taken years ago from several social media sites, included more than half a billion username and password combinations, which were then used in phishing, account takeover, and other cyber attacks.After exploring several confidential sources, Penza records, and Russian crime database, researchers find Tessa88 as Maksim Vladimirovich Donakov (date of birth: 02/07/1989), whose persona matches with the YouTube username ‘Donakov,’ Mitsubishi Lancer and person revealed in Imgur picture.

https://thehackernews.com/2018/11/tessa88-russian-hacker.html

A small bug has been detected that allows hackers to run some javascript code in the background that could potentially uncover sensitive information about user and their facebook friends. The javascript code runs with various combinations of search queries that the hacker can decide on beforehand. Through these queries, the hacker can learn what pages a user has liked, the locations of photos that you’ve uploaded or been tagged in, whether you have islamic friends, whether you’ve posted anything on a timeline with certain keywords, and so on. What kind of damage could this do? Probably quite a lot of the keyword searches turn up any incriminating posts that could be used to blackmail a person.

https://thehackernews.com/2018/11/facebook-vulnerability-hack.html

There was a hacking competition held in Tokyo where hacker teams from around the word were encouraged to attempt to hack into wifi-connected mobile devices, such as the iPhone X, Samsung Galaxy s9, and Xiaomi Mi6. Every single device was hacked by at least one of the teams. For the iPhone X, a team was able to gain access to the phone through a Just in Time (JIT) attack, and ended up stealing a recently deleted photo on the phone. For the Samsung, a team exploited a memory heap overflow vulnerability. Many exploitations that I’ve read about involve exploiting the heap part of memory and either causing an overflow or a seg fault. Competitions like this are a great way for companies to gain awareness about the kinds of vulnerabilities faced by their devices.

https://thehackernews.com/2018/11/mobile-hacking-exploits.html

I guess there really are people out there who try really hard to find bugs in new software updates that come out for the iPhone and other major devices. Basically, the articles discusses how a hacker, within months of the new iOS software update’s release, figured out how someone could hack into a locked iPhone. I don’t really feel like this should make Apple look bad, though, and I don’t think there will be any repercussions for them. One of the first things you learn in computer science classes is that it’s impossible to make bug free code. There will always be edge cases where something unexpected or unintended will happen. So, should we celebrate people that try to find these bugs? Is it even worth it for Apple to spend the money to patch these bugs? There will always be more to be found.

https://thehackernews.com/2018/10/iphone-lock-passcode-bypass.html

This is not only hilarious, but pretty concerning. Would someone who has never used a computer understand the damage that a simple phishing attack can do to an organization, let alone a government? Probably not. This reminds me of a CEO that doesn’t have a grasp of the kinds of cyber threats facing her company. If Japan’s head of cybersecurity has never used a company, he won’t even be able to understand the executive summaries that we write for our assignments in this class. Pretty alarming. Moreover, while some can claim that as long as he is good at operating the organization, he will do a good job. However, if he doesn’t even know what metrics to look for, how can he judge the success of Japan’s cybersecurity measures? My guess is that he can’t and will be replaced at the first sign of trouble.

https://gizmodo.com/japans-new-head-of-cybersecurity-has-never-used-a-compu-1830460831

The United States House of Representatives voted unanimously to pass legislation creating the Cybersecurity and Infrastructure Security Agency (CISA) within the Department of Homeland Security (DHS).

This new agency would reorganize DHS’ National Protection and Programs Directorate (NPPD) into a new agency and prioritize its mission as the Federal leader for cyber and physical infrastructure security.

One NPPD official said that it actually will help better secure the nation’s critical infrastructure and cyber platforms.

Reference: https://www.securitymagazine.com/articles/89590-congress-votes-to-create-federal-cybersecurity-agency

A little late for ~this semester~ but this is a great walk thru and discussion for ~any~ vagrant image you want to set up (like metasploitable3…)

https://www.kali.org/news/announcing-kali-for-vagrant/

https://krebsonsecurity.com/2018/11/calif-man-pleads-guilty-in-fatal-swatting-case-faces-20-years-in-prison/

Tyler Barriss, 25, went by the nickname SWAuTistic on Twitter, and reveled in perpetrating “swatting” attacks. These dangerous hoaxes involve making false claims to emergency responders about phony hostage situations or bomb threats, with the intention of prompting a heavily-armed police response to the location of the claimed incident.

https://krebsonsecurity.com/2018/01/first-jackpotting-attacks-hit-u-s-atms/

Jackpotting- Installing malicious software and/or hardware in an untheorized manner at the ATM machines which target the control of the dispense in order to Cash-Out the ATM.
Ability to connect a chord of ATM to a laptop and the press of a button to install malware and start controlling the ATM using the keyboard or an SMS message. ATMs of a particular manufacturer using Windows XP as OS on ATMs are prone to this attack, the manufacturer was recommended to upgrade the OS of ATMs to Windows 7.
I think there should not be an option to connect external machines with the ATM machine on site, even for repair, one needs to bring in a new machine replace with a new machine and only repair the machine at a centralized location.
If the above option is not feasible there should be an alert mechanism which alerts the nearest bank or police station when someone tries to connect an external device to the ATM at the site.