Week 05: Metasploit

Previously, websites could only access files and services of your computer through the use of Java or ActiveX plugins. However, thanks to the new Native File System API update included in Chrome 78, websites can simply open a file picker dialog, allowing them to open, upload and make changes to files on our computers without the need for plugins. Thankfully, Google thought of many controls to implement prior to implementing this update. These include: Limiting access to files by requiring permission to be granted by an admin account for every file to be opened, requiring permission for every change to be made, and an indicator in the address bar that shows if you have given a site file permissions.

Source: https://tech.slashdot.org/story/19/11/02/2323246/chrome-tries-apis-that-allow-changing-a-users-files-receiving-sms-verification-texts

I came across this article in Forbes: It’s Time To Solve K-12’s Cybersecurity Crisis. In this article, the disclosed 160 cybersecurity incidents in K-12 during the summer months of 2019, a 30% rise compares to the year 2018. “47% of K-12 organizations are making cybersecurity their primary investment, yet 74% do not use encryption.” and ” 93% of K-12 organizations rely on native client/patch management tools that have a 56% failure rate, with 9% of client/patch management failures never recovered.”

With the limited resources, budget and funding constraints, the numbers and trends in this article come with little surprise. In addition, the article continues to look into the current technology landscape in the school districts, 94% of them have high-speed internet and 82% of them provide students with school funded devices. The trend has been on the rise since 2016.

With all the troubling findings, the article does mention some of the appropriate approaches public schools can take towards resolving the issue, ” this is not something that can be achieved by simply spending more money… especially when that money comes from public funds. The questions they each need to be asking are if they have the right foundational security measures in place, and whether the controls they have already invested in are working properly. Without key foundational elements of a strong and resilient security approach in place – things like visibility and control, it becomes nearly impossible to protect your students, your data, and your investments.”

Privacy has become a big deal. Government regulators are moving to squash indiscretions and protect consumers while preserving constitutional liberties … a tall task.The Federal Trade Commission recently announced wide-ranging monetary settlements with Facebook  and Equifax to resolve ongoing investigations.Facebook will pay $5 billion for its part in the Cambridge Analytica data scandal. State attorneys general asserted that lax standards at the social media giant allowed political operatives to weaponize fake news accounts and influence the 2016 presidential election.

 

https://myaccount.google.com/privacycheckup?utm_source=paid-media&utm_medium=1043393&utm_campaign=P-S-campaign&utm_content=441554961&dclid=COrf4peX–QCFdVDNwodG64KKg&pli=1

This article describes some of the vulnerabilities that exist because of IoT security devices that are not being managed properly. For example, the “Devil’s Ivy” vulnerability allowed an attacker to remotely access a video feed from IP cameras, or block another user’s access to the feed. The article mostly focused on physical security systems that banks implement, but the main concept is that devices that are supposed to assist in physical security, can also be an entry point to the organization. These devices need to be patched, hardened and replaced on some sort of cycle.

https://www.securityinfowatch.com/video-surveillance/article/21107167/banks-confront-the-insecurity-of-physical-security

Why is this exploit significant? It cannot be addressed with a software update, only a hardware revision can address this. Named “checkm8,” the exploit is a bootrom vulnerability (initial code that iOS devices load when they boot up) that gives hackers access to iOS devices on a level that Apple cannot block. The iOS hacker claims the exploit is permanent and can be used to create a jailbreak on all iOS devices ranging from iPhone 4s (A5 chip) to iPhone 8 and iPhone X (A11 chip). The exploit does not impact the latest two chipsets, A12 and A13.

When reading further, the jailbreak itself is not there yet, a lot of fear theory around what it could do. The article goes on to state that jailbreakers deem this to be a tethered exploit, meaning it can only be used/activated via USB and a computer. It could be a game-changer If this exploit tool leads to an untethered jailbreak which could then be applied to hundreds of missions of iOS devices.

https://thehackernews.com/2019/09/bootrom-jailbreak-ios-exploit.html

I have always been a proponent for using web-based Outlook instead of the local thick client for performance, data consistency, and troubleshooting reasons. Security is another reason to make the switch. Microsoft Outlook for Web will now block an additional 38 file extensions in email attachments. Blocking these extensions protect its email users from becoming a victim of malicious scripts or executables attached or embedded in emails.

Some common extensions currently blocked in the list of 104 include .exe, .url, .com, .cmd, .asp, .lnk, .js, .jar, .tmp, .app, .isp, .hlp, .pif, .msi, .msh.

The new 38 blacklisted extensions are affiliated with the following programs:

• Python scripting language: “.py”, “.pyc”, “.pyo”, “.pyw”, “.pyz”, “.pyzw”
• PowerShell scripting language: “.ps1”, “.ps1xml”, “.ps2”, “.ps2xml”, “.psc1”, “.psc2”, “.psd1”, “.psdm1”, “.psd1”, “.psdm1”
• Digital certificates: “.cer”, “.crt”, “.der”
• Java programming language: “.jar”, “.jnlp”
• Various applications: “.appcontent-ms”, “.settingcontent-ms”, “.cnt”, “.hpj”, “.website”, “.webpnp”, “.mcf”, “.printerexport”, “.pl”, “.theme”, “.vbp”, “.xbap”, “.xll”, “.xnk”, “.msu”, “.diagcab”, “.grp”

These are not extensions I see a normal end user sending as part of their daily operations, this blacklisting change should be transparent to users. For any reason, the Exchange admin can whitelist a blacklisted extension.

https://thehackernews.com/2019/09/email-attachment-malware.html

Data breach seems to be a trend this month. Doordash, a food delivery company, confirmed data breach this afternoon in which over 4 million people which includes employees, customers, and merchant’s data have been reported stolen. Apparently it happened over 5 months ago and the company came out with this news today. According to TechCrunch – “The breach happened on May 4, the company said, but added that customers who joined after April 5, 2018 are not affected by the breach.

It’s not clear why it took almost five months for DoorDash  to detect the breach.

DoorDash spokesperson Mattie Magdovitz blamed the breach on “a third-party service provider,” but the third-party was not named. “We immediately launched an investigation and outside security experts were engaged to assess what occurred,” she said.

Users who joined the platform before April 5, 2018 had their name, email and delivery addresses, order history, phone numbers and hashed and salted passwords stolen.

The company also said consumers had the last four digits of their payment cards taken, though full numbers and card verification values (CVV) were not taken. Both delivery workers and merchants had the last four digits of their bank account numbers stolen.”

More than 100,000 driver licenses have been stolen as well. What boggles me is that the company failed to take proper steps after their customers had complained about their accounts getting hacked.

Source Link: https://techcrunch.com/2019/09/26/doordash-data-breach/

Intro-to-Ethical-Hacking-Week-5

https://capture.fox.temple.edu/Mediasite/Play/6f2d7fe678cd4897a09e3f308554a45f1d

Ecuador authorities have captured its senior manager of IT counseling firm Novaestrat after the individual subtleties of nearly the whole population left uncovered online in what is the biggest data breach in the nation’s history.
The source of this breach is Novaestrat’s unsecured Elasticsearch server based in Miami. It contained 18GB reserve of information of government vaults, an automotive association, and an Ecuadorian national bank.
As a component of the investigation, Ecuadorian authorities said they had captured the administrator of Novaestrat William Roberto G, and held onto electronic hardware, PCs, stockpiling gadgets, and documentation during an attack at his home.
Given the security concerns encompassing the occurrence, the nation’s Minister of Telecommunications said legitimate actions would be made against the influenced foundations to endorse privately owned businesses in charge of damaging protection and publicizing individual data without approval.
The Minister of Telecommunications additionally said it is intending to pass another information security law in the nation, which they have been working for as far back as eight months, to ensure the individual information of its residents.

https://thehackernews.com/2019/09/ecuador-data-breach.html