Ethical Hacking

Wade Mackey

Ethical Hacking

MIS 5211.001 ■ Fall 2019 ■ Wade Mackey

Main Content

“OceanLotus” targets BMW and Hyundai networks

By Leave a Comment

APT hacker group “OceanLotus” apparently compromised network systems of automaker BMW and Hyundai by installing some hacking tool which would control and spy their systems. What they did was nothing new but it was sophisticated.

According to the article

Created Fake Websites

To get access to other computers, the hackers created a fake website that gave the impression of belonging to the BMW branch in Thailand, as they can monitor networks and find out which folders and files that users logged in.

Hackers Observed for Months

The security team at BMW allowed hackers to stay active with an intention to know more details like, who they were, how many systems they managed to compromise, and what kind of data they were after.

Based on sources, no sensitive information was accessed by hackers during the incident and no primary computers were compromised.

BMW declined to provide additional information on the attack.

“We have implemented structures and processes that minimize the risk of unauthorized external access to our systems and allow us to quickly detect, reconstruct, and recover in the event of an incident,” BMW said in a statement.”

Source Article: https://www.cisomag.com/apt-hacker-group-targets-bmw-and-hyundai-networks/

 

More SIM Cards Vulnerable to Simjacker Attack Than Previously Disclosed

by Leave a Comment

According to the news, there is a critical unpatched weakness in a wide range of SIM cards, which an unnamed surveillance company has actively been exploiting in the wild to remotely compromise targeted mobile phones just by sending a specially crafted SMS to their phone numbers.

Basically, the attacks can be summarized in four following steps:

Step 1 — Attackers send a malicious OTA SMS to the victim’s phone number containing an S@T or WIB command such as SETUP CALL, SEND SMS, or PROVIDE LOCATION INFO.
Step 2 — Once received, the victim’s mobile operating system forwards this command to the S@T or WIB browser installed on the SIM card, without raising an alert or indicating the user about the incoming message.
Step 3 — The targeted browser then instructs the victim’s mobile operating system to follow the command.
Step 4 — The victim’s mobile OS then performs the corresponding actions.

https://thehackernews.com/2019/09/dynamic-sim-toolkit-vulnerability.html

Microsoft thinks a dual-screen Android phone can take on Apple and Samsung

by Leave a Comment

I have never really been a fan of Microsoft in the cell phone business but I will definitely want to own this gadget. I just hope they get it right this time around.

More than two decades ago, Microsoft started designing software for mobile devices. Two years ago, it gave up on phones, conceding that Google and Apple had won the OS battle. On Wednesday, Microsoft reversed course, unveiling a dual-screen smartphone. But rather than push a homegrown operating system in phones, Microsoft has taken up rival Google’s Android software, which powers over 2.5 billion devices around the world.

During an event Wednesday in New York, Microsoft showed off its new Surface Duo, as well as a dual-screen computer called the Surface Neo. The Surface Duo sports two 5.6-inch displays that swing 360 degrees around a hinge and combine to make an 8.3-inch display. The company didn’t give many details about the device but touted the ability to do things like view your inbox on one half of the device while responding to a specific email on the other.

“We started really with the goal of how can we help make people more productive,” Yusuf Mehdi, corporate vice president for Microsoft’s modern life, search and devices group, said in an interview after Wednesday’s event. “If you’re going to have a device that fits in your pocket, and you can do phone calls and you want to run apps … it made sense for us to choose” Android.

https://www.cnet.com/news/microsoft-thinks-a-dual-screen-android-phone-can-take-on-apple-and-samsung/

Article 4: Motorola, Known For Cellphones, is Fast Becoming a Major Player in Government Surveillance

by Leave a Comment

Now having invested over $1.7 billion dollars in acquisitions since 2017, tech giant Motorola Solutions has acquired a large chunk of the surveillance market, who the primary buyer is the government, under a single roof. Among the technologies they have acquired and been developing include police body cameras, smart train cameras that can identify faces and distinguish suspicious behavior, and smart camera networks that can track car movements by their license plates. What many civil liberties groups find frightful about this information is that Motorola may be selling most of their developed and acquired surveillance technology as a single product or as packages, arguing that your privacy is safer when “information about you is scattered among agencies and entities”. I looked personally to see if Motorola Solutions had issued a response or a statement regarding their recent acquisitions of surveillance tech companies, however I could not seem to find anything regarding the matter.

Source: https://yro.slashdot.org/story/19/10/02/2134249/motorola-known-for-cellphones-is-fast-becoming-a-major-player-in-government-surveillance

Article 3: FBI Investigating Alleged Hacking Attempt Into Mobile Voting App During 2018 Midterms

by Leave a Comment

This article speaks in regards to the beginning of a federal investigation into an attempted hack of an app that is still under development that would allow US citizens who are active military or registered for the right to vote abroad to place their votes through their phones. While the preliminary investigation by the organization and the federal prosecutors states that “no intrusion” had occurred and that the “integrity of the votes” were safe, they are executing an in-depth federal investigation. West Virginia Secretary of State Mac Warner also noted how this is partially a threat that any attempt to compromise an election will face thorough federal investigation and serious prosecution. Among the more interesting things discussed in the article regarding this app is how it’s developed to use blockchain technology as a means of ensuring the integrity of votes casted through the app. The article does note however that if the mobile device itself isn’t secure, then the app can be manipulated anyways.

Source: https://politics.slashdot.org/story/19/10/02/1922206/fbi-investigating-alleged-hacking-attempt-into-mobile-voting-app-during-2018-midterms

Researchers Find New Hack to Read Content Of Password Protected PDF Files

by Leave a Comment

The article states that there is a new threat which hackers can unauthorized access and change to encrypted PDF without knowing password. This threat is called PDFex attacks which hackers remotely use the technique to remotely exploit PDF data. This means using this attack can automatically send the decrypted file out by using a remote-controlled server. Vulnerabilities were found in various well-known software such as Adobe Acrobat, Foxit Reader, and Nitro Reader and multiple browsers such as Chrome, Firefox, and Safari. Additionally, a team of German security researchers found 2 weaknesses of PDF encryption which are partial encryption and ciphertext malleability.

Link : https://thehackernews.com/2019/10/pdf-password-encryption-hacking.html

Cybersecurity in Public Schools

by Leave a Comment

I came across this article in Forbes: It’s Time To Solve K-12’s Cybersecurity CrisisIn this article, the disclosed 160 cybersecurity incidents in K-12 during the summer months of 2019, a 30% rise compares to the year 2018. “47% of K-12 organizations are making cybersecurity their primary investment, yet 74% do not use encryption.” and ” 93% of K-12 organizations rely on native client/patch management tools that have a 56% failure rate, with 9% of client/patch management failures never recovered.”

With the limited resources, budget and funding constraints, the numbers and trends in this article come with little surprise. In addition, the article continues to look into the current technology landscape in the school districts, 94% of them have high-speed internet and 82% of them provide students with school funded devices. The trend has been on the rise since 2016.

With all the troubling findings, the article does mention some of the appropriate approaches public schools can take towards resolving the issue, ” this is not something that can be achieved by simply spending more money… especially when that money comes from public funds. The questions they each need to be asking are if they have the right foundational security measures in place, and whether the controls they have already invested in are working properly. Without key foundational elements of a strong and resilient security approach in place – things like visibility and control, it becomes nearly impossible to protect your students, your data, and your investments.”

New Cybersecurity Companies Have Their Heads In The Cloud

by 1 Comment

Privacy has become a big deal. Government regulators are moving to squash indiscretions and protect consumers while preserving constitutional liberties … a tall task.The Federal Trade Commission recently announced wide-ranging monetary settlements with Facebook  and Equifax to resolve ongoing investigations.Facebook will pay $5 billion for its part in the Cambridge Analytica data scandal. State attorneys general asserted that lax standards at the social media giant allowed political operatives to weaponize fake news accounts and influence the 2016 presidential election.

 

https://myaccount.google.com/privacycheckup?utm_source=paid-media&utm_medium=1043393&utm_campaign=P-S-campaign&utm_content=441554961&dclid=COrf4peX–QCFdVDNwodG64KKg&pli=1

Banks confront the insecurity of physical security

by 1 Comment

This article describes some of the vulnerabilities that exist because of IoT security devices that are not being managed properly. For example, the “Devil’s Ivy” vulnerability allowed an attacker to remotely access a video feed from IP cameras, or block another user’s access to the feed. The article mostly focused on physical security systems that banks implement, but the main concept is that devices that are supposed to assist in physical security, can also be an entry point to the organization. These devices need to be patched, hardened and replaced on some sort of cycle.

https://www.securityinfowatch.com/video-surveillance/article/21107167/banks-confront-the-insecurity-of-physical-security

A cyber security chief’s 8 tips on how to protect yourself online as data breaches continue

by Leave a Comment

Encryption is viewed by many as “bulletproof” technology to protect data from cyber thieves. Organizations swear by it, and consumers feel overly confident knowing that their recent transactions and personal data are encrypted. Despite the confidence around this “go to” technology, time has shown that encryption is just not enough. In fact, it’s failing us.

High-profile data breaches, including Thursday’s DoorDash breach, continue. While the details of the Doordash incident — which included the last four digits of payment cards for some consumers, as well as names, emails, delivery addresses and phone numbers — require further analysis, other recent corporate hacks shows us that encryption either did absolutely nothing to prevent hackers from infiltrating systems or, worse, helped disguise cybercriminals while wreaking havoc in organizations’ systems.

https://www.cnbc.com/2019/09/27/cybersecurity-chiefs-8-tips-to-protect-yourself-online.html