Ethical Hacking

Wade Mackey

MIS 5211.001 ■ Fall 2019 ■ Wade Mackey
“OceanLotus” targets BMW and Hyundai networks

December 10, 2019 By Jaimin Pandya

APT hacker group “OceanLotus” apparently compromised network systems of automakers BMW and Hyundai by installing a hacking tool which would control and spy on their systems. What they did was nothing new, but it was sophisticated.

According to the article

“Created Fake Websites

To get access to other computers, the hackers created a fake website that gave the impression of belonging to the BMW branch in Thailand, as they can monitor networks and find out which folders and files that users logged in.

Hackers Observed for Months

The security team at BMW allowed hackers to stay active with an intention to know more details like, who they were, how many systems they managed to compromise, and what kind of data they were after.

Based on sources, no sensitive information was accessed by hackers during the incident and no primary computers were compromised.

BMW declined to provide additional information on the attack.

“We have implemented structures and processes that minimize the risk of unauthorized external access to our systems and allow us to quickly detect, reconstruct, and recover in the event of an incident,” BMW said in a statement.”

Source Article: https://www.cisomag.com/apt-hacker-group-targets-bmw-and-hyundai-networks/

Week 14 Presentation and Video

December 9, 2019 By Wade Mackey

Intro-to-Ethical-Hacking-Week-14

https://capture.fox.temple.edu/Mediasite/Play/63abf86c86f943eb85d5d510d1fc81231d

Week 13 Presentation and Video

December 9, 2019 By Wade Mackey

Intro-to-Ethical-Hacking-Week-13

https://community.mis.temple.edu/mis5211sec001fall2019/

DevSecOps: Recreating Cybersecurity Culture

September 21, 2019 by Daniel Bavaro 2 Comments

I had never heard the term DevSecOps, so this article seemed interesting to me. This concept is a fairly new initiative that brings security personnel into the DevOps software development process much earlier than they normally would be. This allows for security needs to be respected throughout the software development life cycle. In some software development circles, security is an afterthought. This new technique will hopefully prove to be the best overall solution.

https://www.darkreading.com/risk/devsecops-recreating-cybersecurity-culture–/a/d-id/1335783

Cyberattack against US Power Grid

September 21, 2019 by Andrew P. Sardaro

North American Electric Reliability Corp reports a first-of-its-kind cyber attack against power grids in the western region of the US. There are many unknowns about the attack, whether it was targeted or exploratory recon for a larger attack later. By exposing firewall vulnerabilities, attackers were able to cause blind spots for grid operators for about 10 hours on March 5. By exposing these vulnerabilities, the attackers forced unexpected reboots of the firewalls, resulting in denial-of-service conditions. The attack compromised web portals for firewalls that linked parts of the power grid in California, Utah, and Wyoming.

NERC posted a lessons learned document: https://www.eenews.net/assets/2019/09/06/document_ew_02.pdf

https://www.eenews.net/stories/1061111289

At next year’s Defcon conference, the US Air Force to allow hackers to attempt to compromise an orbiting satellite

September 21, 2019 by Andrew P. Sardaro 1 Comment

At this year’s Defcon conference, the US Air Force brought along an F-15 fighter jet data system to be evaluated for vulnerabilities, and serious vulnerabilities were found. The US Air Force is changing the way it looks at cybersecurity and is embracing external cybersecurity experts to assist in securing military technology. Rather than work in a bubble, they agreed to allow a hand-picked number of researchers to attempt to hijack an orbiting satellite.

The F-15 fighter jet data system has many parts that are built by smaller third-party companies who don’t always design with security in mind. Working with external researchers allows the Air Force to understand these vulnerabilities and start writing stronger security requirements into its SLA contracts.

How is this going to work? The Air Force will put out a call for submissions to researchers who are interested, then handpick their contestants, and allow them to test in a non-prod environment against satellite components.

The winner will attempt to compromise the ground station controlling the satellite, or the satellite directly altering the camera that is pointing at the earth, and change the position to capture the moon.

https://www.wired.com/story/air-force-defcon-satellite-hacking/

Presentation and Video for Week 4

September 20, 2019 by Wade Mackey

Intro-to-Ethical-Hacking-Week-4

https://capture.fox.temple.edu/Mediasite/Play/9dc73cb1d44444bbb8d347eef70b103c1d

Filed Under: Week 04: Network Mapping and Vulnerability Scanning Tagged With:

VMware Workstation 15.5 Pro Now Available

September 20, 2019 by Rami Saba

VMware released Workstation 15.5 Pro last night with security patches, bug fixes, performance enhancements and some added features.  This release fixed an annoying bug that was preventing me from installing Kali (unless I used the pre-built image) on one of my portable machines.  You can update from the built-in updater or download directly for Windows or Linux.

Help for Metasploitable

September 19, 2019 by Wade Mackey

Some of you were having an issue getting Metasploitable running in VirtualBox. Found this link:

I just worked through it and verified the technique works.

https://kai-taylor.com/how-to-install-metasploitable-in-virtualbox/

Data Breach Leaks 198M Car Buyers’ Personal Data

September 19, 2019 by Michael Kalai

Unsecured Database does it again. Perfect article for a week that we are doing reconnaissance. This is one of the biggest car sales referrers on the market. It is amazing the amount of money that was spent on infrastructure, marketing, and analytics. So much commerce so little care.  “The unsecured database held 198 million records, including names, email addresses, phone numbers, street addresses and “other sensitive or identifiable information exposed to the public internet in plain text,” noted Fowler, who added that data, such as IP addresses, ports, pathways and storage info, could be used to further navigate the network.”

Filed Under: Uncategorized Tagged With: BREACH

Article2: Thousands of Google Calendars Possibly Leaking Private Information Online

September 19, 2019 by Numneung Koedkietpong

I found this interesting because it is related to our assignment on “reconnaissance”. The article states the vulnerabilities of publicly shared Google Calendars. Avinash Jain, a security researcher from India, said that it is convenient for organizations to share public calendars; however, these contain plenty of sensitive information such as event names, event details, locations, or even meeting links, which anyone can obtain by using a Google search hacking query. In addition, hackers will use a phishing technique to send a fake invitation link via Google Calendar to steal private information.

Source: https://thehackernews.com/2019/09/google-calendar-search.html

SOHOpelessly Broken 2.0

September 19, 2019 by Rami Saba

https://www.securityevaluators.com/whitepaper/sohopelessly-broken-2/

An independent security consulting firm (ISE) in 2013 tested popular router and NAS devices and discovered 53 new CVEs.  That study was entitled SOHOpelessly Broken as 100% of the devices had a vulnerability.  This year, 13 new SOHO routers and NAS devices have been tested to see if vendors have enhanced their security over the years.  SOHOpelessly Broken 2.0 vulnerabilities resulted in 125 CVEs.  The research concludes that common devices deployed in small office and home office settings are likely to be susceptible to exploits that can cause serious damage despite the enhanced attention IoT device companies have paid to security since 2013.  Although they have used a responsible disclosure process, it is still very worrying as many individuals do not update their firmware frequently.  It should also be noted that many vendors use the same code throughout their entire product line, meaning many other related devices will share vulnerabilities.

Ecuador’s biggest data breach?

September 18, 2019 by Jaimin Pandya

The news broke out today that an IT firm’s manager has been arrested after personal details of almost the ENTIRE population of Ecuador were left exposed online. “Personal records of more than 20 million adults and children, both dead and alive, were found publicly exposed on an unsecured Elasticsearch server by security firm vpnMentor, which made the discovery during its large-scale mapping project. For a country with a population of over 16 million people, the breach exposed details of almost every Ecuadorian citizen, including President Lenín Moreno as well as WikiLeaks CEO Julian Assange, who was given political asylum in the country in 2012.” This is some serious stuff.

What happened?

Per the article “The unsecured Elasticsearch server, which was based in Miami and owned by Ecuadorian company Novaestrat, contained 18GB cache of data appeared to have come from a variety of sources including government registries, an automotive association called Aeade, and an Ecuadorian national bank called Biess. The cache reportedly contained everything from full names, gender, dates and places of birth, phone numbers and addresses, to marital statuses, national identification numbers (similar to social security numbers), employment information, and details of education. The cache also contained specific financial information related information to accounts held with the Ecuadorian national bank Biess, including person’s bank account statuses, current balances and credit type, along with detailed information about individuals’ family members.”

From what I read, it seems that the government and its telecom agencies are going to take strict actions against the private companies. Ecuador is also in the midst of passing a new data privacy law which they have apparently been working on for almost a year now.

Source Article Link: https://thehackernews.com/2019/09/ecuador-data-breach.html
