Ethical Hacking

Wade Mackey

Ethical Hacking

MIS 5211.001 ■ Fall 2019 ■ Wade Mackey

Main Content

“OceanLotus” targets BMW and Hyundai networks

By Leave a Comment

APT hacker group “OceanLotus” apparently compromised network systems of automaker BMW and Hyundai by installing some hacking tool which would control and spy their systems. What they did was nothing new but it was sophisticated.

According to the article

Created Fake Websites

To get access to other computers, the hackers created a fake website that gave the impression of belonging to the BMW branch in Thailand, as they can monitor networks and find out which folders and files that users logged in.

Hackers Observed for Months

The security team at BMW allowed hackers to stay active with an intention to know more details like, who they were, how many systems they managed to compromise, and what kind of data they were after.

Based on sources, no sensitive information was accessed by hackers during the incident and no primary computers were compromised.

BMW declined to provide additional information on the attack.

“We have implemented structures and processes that minimize the risk of unauthorized external access to our systems and allow us to quickly detect, reconstruct, and recover in the event of an incident,” BMW said in a statement.”

Source Article: https://www.cisomag.com/apt-hacker-group-targets-bmw-and-hyundai-networks/

 

Article 9: Microsoft Announces Plan To Support DoH In Windows

by Leave a Comment

In a bid to improve end-to-end cyber security and improve privacy controls for all Windows users, Microsoft has begun the planning phase in the implementation of DNS Over HTTPS (DoH). The Microsoft team has already laid out the their standards and guiding principles of this implementation project, which include: Windows DNS needs to be private and functional by default, users (familiar and unfamiliar) are required to set DNS configuration, streamline the process of DNS configuration for all users, and Windows should never fallback to unencrypted DNS without explicit permission from the administrator.

Source: https://yro.slashdot.org/story/19/11/18/1929229/microsoft-announces-plan-to-support-doh-in-windows

Article 8: Google Maps Tests a Social Networking Feature

by Leave a Comment

Google has begun rolling out a pilot program that will allow Google Maps users visiting specific regions to “follow” that region’s top local guides who recommend, review and spread information on businesses and locations they visit. These “top local guides” are users of the community who actively and frequently review local businesses as a part of Google Maps’ new rewards program. The countries that this is rolled out for so far include London, Delhi, Mexico City, New York, San Francisco and Tokyo, with more to come if the trial proves succesful.

Source: https://tech.slashdot.org/story/19/11/18/2123252/google-maps-tests-a-social-networking-feature

APIs and Cybercrime: The State in 2019 So Far

by Leave a Comment

Cybercriminals are targeting Application Programming Interfaces (APIs) as they become more popular.  This year alone there have been several APIs targeted to gain unauthorized data access.  APIs are a set of protocols that allow different programs communicate with each other.  They are being used in many places and without careful API management, they will continue being used maliciously worldwide.

LandMark White Limited – February 2019
Justdial unprotected API – April 2019
GateHub – June 2019
Venmo – June 2019

https://cyware.com/news/apis-and-cybercrime-the-state-in-2019-so-far-b73a675a

How to Maintain Data Privacy During Software Development

by Leave a Comment

This article lists off some popular security models that companies can pull from when building software for a certain market sector. Also in the article, it describes the importance of having a multidisciplinary software development team. If everybody thinks the same and has similar goals, then the software will have security holes. The article suggests having people on the team that are focused on: data privacy, user design, quality assurance, software security and testing. All of these people can have useful input that can direct the path of the project.

https://www.business.com/articles/how-to-maintain-data-privacy-during-software-development/

Data storage issue reveals breach

by Leave a Comment

IT provider InfoTrax Systems is being sued by the FTC for failing to detect 20 hacking intrusions over a 22-month period. 22 months!  Hackers went undetected and were able to access data for 1 million consumers including full names, SSNs, physical and email addresses, phone numbers, and credentials for InfoTrax accounts. The breach was only discovered by InfoTrax due to the hacker maxed out their cloud storage system.

The following article outlines the FTC complaint against InfoTrax. It lists InfoTrax’s unreasonable security practices (lack of controls and processes) https://www.ftc.gov/system/files/documents/cases/162_3130_infotrax_complaint_clean.pdf

  • Not taking inventory and deleting personal data (data retention policy)
  • Not conducting code review of its software and testing the security of its network
  • Not detecting malicious file uploads
  • Not adequately segmenting its network (protect critical business assets)
  • Not implementing security safeguards (IPS/IDS)to detect suspicious activity on its network

https://www.zdnet.com/article/thousands-of-hacked-disney-accounts-are-already-for-sale-on-hacking-forums/

Manage Cloud Security

by Leave a Comment

This article outlines some of the biggest challenges providers are facing. One of the biggest divides from the survey results is who owns the responsibility. Is it the customer or is the cloud service provider. There is no one solution fits all, the answer is it depends on the situation. the article also laid out different aspects to consider when choosing a cloud service provider: physical security, compliance, etc.

Creating a responsibility matrix to highlight the roles and responsibilities prior to finalizing any contractual agreements is a great way to fall back onto once an incident has happened, roles and responsibilities are clearly defined.

Instagram tests hiding Like counts globally

by Leave a Comment

Instagram is testing a new option to hide the “like” counts from the public and only available to the post owner self. The user can decide whether they wanna receive public’s opinion of the post. Social Media’s new attempt to put humanity in front of technology? My questions would be, why not just having a “like” function without any amounts collecting?

 

techcrunch.com