Ethical Hacking

Wade Mackey


FBI spams thousands with fake infosec advice after ‘software misconfiguration’

November 15, 2021 by Ryan Trapp

In what is one of the bigger news items of the week, the FBI has had one of their servers compromised and fake emails sent out from it. Since the emails were sent from one of the FBI’s servers they appeared legitimate in nature, as they actually came from their domain. The emails that were sent out were a false warning that the FBI had detected a chain attack and that the company’s virtual servers had been exfiltrated. It also laid blame for the attack at the feet of Vinny Troia, founder of the infosec firms Shadow Byte Cyber and Night Lion Security. It does not appear that this is the case. In total about 100,000 of these emails were able to be sent out before the campaign was stopped.


https://www.theregister.com/2021/11/15/fbi_fake_emails/

Attack the block – How a security researcher cracked 70% of urban WiFi networks in one hit

November 11, 2021 by Matthew Bryan 1 Comment

A CyberArk researcher, Ido Hoorvitch, identified that many urban areas have unsafe and weak WiFi passwords that can be easily cracked. Hoorvitch collected 5,000 WiFi hashes around his neighborhood using network sniffing equipment. These were run through CyberArk’s “monster” password cracking rig which used an exploit found in PMKID hashes.

Hoorvitch noted that many people use cell phone numbers as their WiFi password. This allowed him to crack numerous hashes, obtain passwords, and then access their networks. In the cases where a phone number was used, it took approximately nine minutes for each crack. If routers do not support roaming modes, then they are not susceptible to this attack. It is recommended that complex passwords should be used with secure encryption protocols. WAP/WAP1 should be disabled.

Author: Matias Madou
Published: October 20, 2021
Link

The Top 3 Cyber Security Mistakes and How to Avoid Them

November 9, 2021 by Oluwaseun Soyomokun

Ransomware cost Americans an estimated $1.4 billion last year, and beyond high-profile hacks like the Kaseya and Colonial Pipeline breaches, cyber threats are more common than ever. As a result, businesses of all sizes are scrambling to learn more about cyber security and ensure that they have the proper measures in place to protect their operations. These are the top three considerations organizations must take into account when implementing or upgrading their cyber security approach.

  1. People and Training

First and foremost, there is a significant lack of cybersecurity education among employees. The human firewall is the most important defense, but it is also the most vulnerable. That means security training has to be a top priority when it comes to an organization’s cyber security. Organizations should implement a security awareness training platform which trains, tests and scores all employees. It’s important to teach employees how to identify cyber security threats and remain vigilant toward anything suspicious, such as scams, fraudulent emails, or even physical threats. It’s also important to consider implementing some sort of email gateway filter. With the rise of remote working, additional problems emerge as more people go mobile. For example, it is much easier on mobile to mix company and private mail and people tend to click quickly, which leads to errors. We all need to slow down, verify incoming requests and be cognizant of what we are clicking on so that we do not fall victim to a cyber security threat.


  2. Technology and System

It is also paramount that organizations ensure systems are fully patched, inclusive of their OS, firmware and applications. They must ensure each endpoint detection and response application is installed on each device, with all systems reporting back to a central location or Security Operation Center, where all notifications, events, and alarms can be correlated. A quality Detection and Response application is not only going to defend against malware and other malicious activity, but it will also identify possible insider threats by monitoring lateral traffic. Utilizing such Security SaaS should be part of the overarching security platform which will provide a level of behavioral analytics with the ability to determine what is standard for that user and/or system. Therefore, this allows organizations to identify unusual activity, even if the user has the rights to the systems being accessed.

Additionally, I would suggest V-LANs and least privilege access or even zero trust as a greater security play. For example, IoT devices should not cohabitate on the same V-LAN as the accounting or human resources department. This type of network segmentation allows for greater risk reduction.


  3. Staffing and Security Operations

Many organizations forgo the managed services model to create an in-house security operation center, believing they can do it themselves. There are many cyber security tools available; however, there are very few trained and certified security engineers, and these tools often rely upon alarms, event notifications, or automated messaging to provide alerts. However, this begs the question, who will be monitoring and mitigating the environment at 3 a.m. on New Year’s Eve? Effective cyber security infrastructure requires extensive resources to reduce the total volume of alerts, alarms and events to an actionable notification which requires mitigation. Vacation, training, sick time, education and retention programs are all factors to consider when creating a security operation center. There is a deficit of security analysts, engineers and architects throughout the cyber security space today. Even if you can hire a strong team of cyber security specialists, security operation centers require at least five to six people to ensure 24/7 coverage.

In addition to the personnel issues, there are also equipment, software updates and proper configuration to consider. True quality deployment will require multiple layers, and the systems will have to be integrated, monitored and managed. In comparison, an organization that outsources its cyber security needs can depend upon systems being maintained and a team of experts to support them. Simply put, organizations should secure their environment through a third-party managed security service. These services are inclusive of EDRs, patching systems, a security information event manager, behavioral analytics and east/west traffic monitoring. At best, with the current staffing shortage, an in-house SOC is an ineffective method to detect, quarantine and/or remediate an infected device and/or network.

Hackers are only becoming more sophisticated and, big or small, no organization can afford to go unprotected. Being aware of these three points is critical in protecting your organization from cyber threats. In the current cyber security environment, there is no room for mistakes.

The Top 3 Cyber Security Mistakes and How to Avoid Them – Cyber Defense Magazine

Hacker sends spam to 100,000 from FBI email address

November 15, 2021 by Shubham Patil

Hackers targeted the Federal Bureau of Investigation’s (FBI) email servers, sending out thousands of phony messages saying their recipients had become the victims of a “sophisticated chain attack.”

A flaw in the FBI’s website allowed hackers to use the FBI’s legitimate email address.


Link: https://www.nbcnews.com/tech/security/hacker-takes-fbi-email-server-blasts-spam-thousands-rcna5530

Nov. 13, 2021, 4:15 PM EST / Updated Nov. 14, 2021, 1:42 PM EST
By Kevin Collier

Filed Under: Week 12


Paying with your Phone?

November 8, 2021 by Vanessa Marin

Title: Who’s In Your Wallet? Exploring Mobile Wallet Security

Author: Kelly Sheridan
Publish Date: October 25, 2021
Website: www.DARKReading.com

COVID-19 has affected us in so many ways over the last two years – our health, our values, our economy, all with safety in mind, for the most part. Social distancing has been a key factor in our changes in behavior, as has increasing our awareness of the surfaces we touch and how close we come to people and other things. Remember the days of writing checks? Non-existent. I don’t even own a checkbook. Paying in cash – rare for me, but still relevant. Credit/debit cards – only when forced to. What is my new way of paying? Venmo, Apple Pay — my virtual wallet on my phone or my watch. I’ve uploaded all my credit cards, debit cards, and rewards cards into my “wallet” and now I no longer TOUCH a card or a payment console.

Now this makes my life easier, but is it secure? For the most part yes, but inconsistencies in what is required to bring up your payment method may make you more vulnerable than you think. This article explores the theft of phones and then using them for services that bypass your authentication, particularly in public transportation in London, where payments can be made via a virtual wallet that does not require a password or a fingerprint to process.

If you want to read more details on how this was tested in the field, check this link out. Timur Yunusov will be giving a talk on 11/11 and 11/12 at the Black Hat Europe 2021 Conference.

-Vanessa

Tagged With: Week 10

Working from Home = Invasion of Privacy?

November 8, 2021 by Vanessa Marin 1 Comment

Title: There’s been a big rise in monitoring workers at home. We should all be worried.

Author: Owen Hughes
Publish Date: November 8, 2021
Website: www.ZDNet.com

Interesting article that impacts all of us in the new work-from-home environment. This article expresses the very real concern of remote monitoring tools becoming breaches of employee privacy: being watched via webcam, tracking of online activity, and the use of surveillance software. This is not for “security” but instead to gauge that you are actually working and what you are working on. The biggest concern is that employees are largely unaware that they are being monitored. This article is focused on the UK, but the dangers of abuse are applicable across any country.

It seems like a reshaping of the industry is in order. Key elements of discussion:

  • Reviewing employer guidance on new workplace technologies
  • Full transparency on how these technologies are used and what data is being gathered
  • Modifying or creating new laws that protect employees and employers when using webcams to monitor people working from home or checking up on employees outside of meetings and calls.
  • Discrimination by age group or race, GDPR breaches for data being tracked on employees, unregulated use of snooping technology.

This is a very interesting topic given that a large percentage of the population is now working remotely. I have to admit that this didn’t cross my mind, not until I read this article.

-Vanessa

Tagged With: Week 11

Reward! Uncle Sam promises $10m for info about DarkSide ransomware gang chiefs

November 8, 2021 by Ryan Trapp 1 Comment

It appears the US is going hard after the DarkSide ransomware group. This is the group that attacked Colonial Pipeline, which led to the weeks-long shutdown of its vital east coast pipeline. The US is offering a large bounty for information on the gang and for information leading to any individuals conspiring to participate in future DarkSide-variant ransomware incidents. The group has allegedly released a statement saying that they are ceasing operations for now due to pressure from the authorities, but it is unlikely that this is the end for this ransomware group. In more positive news, there is also a note at the bottom of the article that Interpol, with the aid of Ukrainian and South Korean police forces, was able to arrest half a dozen individuals on suspicion of being part of the Cl0p ransomware group. This was a 30-month investigation that ultimately led to the arrest of these individuals. This highlights the ability of different agencies to relentlessly pursue the individuals responsible for these global ransomware attacks, hopefully sending an impactful message (but probably not).


https://www.theregister.com/2021/11/05/us_darkside_ransomware_10m_bounty/

Tagged With: Week 11

Scammers are emailing waves of unsolicited QR codes, aiming to steal Microsoft users’ passwords

November 7, 2021 by Matthew Bryan 3 Comments

Adversaries are taking advantage of increased QR code adoption by launching phishing campaigns using the technology. “Quishing” is the usage of a QR code lure to harvest credentials and/or deliver a malicious payload.

A recent phishing campaign contained a QR code that prompted users to scan it in order to listen to an “encrypted voicemail.” When users scanned the QR code they were directed to a fake Microsoft login page which harvested their credentials.

QR codes have seen increased adoption at restaurants and other venues that require hands-free exchange of information. The recent campaign is a good reminder to be mindful of what you’re scanning and where it may take you.

Author: AJ Vicens
Published: October 26, 2021
Link


Tagged With: Week 11

‘Trojan Source’ Bug Threatens the Security of All Code

November 1, 2021 by Ryan Trapp 1 Comment

Krebs has a write-up on this discovery of the “Trojan Source” vulnerability. What makes this vulnerability unique is that it affects most computer code compilers and many SDEs. This is due to the issue lying with the Unicode encoding standard. This is the standard that translates characters regardless of the language used to facilitate communication between computers. The problem was discovered with the bi-directional override that is used to display the order in which the characters appear. This override exists for switching the order of characters when going from a left-to-right reading language to a right-to-left one, such as English to Arabic. These Bidi overrides can be used in comments and strings, which is a problem because most programming languages allow comments, within which all text is ignored by the compiler, and most languages allow string literals that can contain special or control characters. As quoted from the research paper, “Therefore, by placing Bidi override characters exclusively within comments and strings, we can smuggle them into source code in a manner that most compilers will accept. Our key insight is that we can reorder source code characters in such a way that the resulting display order also represents syntactically valid source code”. This research paper highlights this issue for almost all computer languages and makes it a great opportunity for vendors to get ahead of this issue before it becomes a problem.


https://krebsonsecurity.com/2021/11/trojan-source-bug-threatens-the-security-of-all-code/#more-57367

Tagged With: Week 10
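As an added example (not code from Krebs, the Trojan Source researchers, or the post above), a small Python scanner that turns the post’s description into a check a reviewer or CI job can run: it locates Unicode Bidi control characters in source text, flags lines that leave an override or isolate open at end of line, and renders the controls visibly. The sample C snippet, the `Finding` type and the function names are constructed for this example.

```python
from dataclasses import dataclass
from typing import List

# Unicode bidirectional formatting characters that can change the order in
# which source text is displayed. Names are the Unicode abbreviations.
BIDI_CONTROLS = {
    "\u202A": "LRE", "\u202B": "RLE", "\u202D": "LRO", "\u202E": "RLO",
    "\u202C": "PDF",  # terminates LRE/RLE/LRO/RLO
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
    "\u2069": "PDI",  # terminates LRI/RLI/FSI
}
EMBED_OPENERS = {"LRE", "RLE", "LRO", "RLO"}
ISOLATE_OPENERS = {"LRI", "RLI", "FSI"}

@dataclass(frozen=True)
class Finding:
    line: int       # 1-based line number
    col: int        # 1-based column of the control character
    name: str       # Unicode abbreviation, e.g. "RLO"
    codepoint: str  # e.g. "U+202E"

def find_bidi_controls(source: str) -> List[Finding]:
    """Return every Bidi control character in source with its position."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            name = BIDI_CONTROLS.get(ch)
            if name:
                findings.append(Finding(lineno, col, name, f"U+{ord(ch):04X}"))
    return findings

def unterminated_lines(source: str) -> List[int]:
    """Lines that end with an embedding/override or an isolate still open.
    The technique relies on the renderer closing these implicitly at the
    end of the line, so an unterminated control is the strongest signal."""
    bad = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        embed_depth = isolate_depth = 0
        for ch in line:
            name = BIDI_CONTROLS.get(ch)
            if name in EMBED_OPENERS:
                embed_depth += 1
            elif name == "PDF":
                embed_depth = max(0, embed_depth - 1)
            elif name in ISOLATE_OPENERS:
                isolate_depth += 1
            elif name == "PDI":
                isolate_depth = max(0, isolate_depth - 1)
        if embed_depth or isolate_depth:
            bad.append(lineno)
    return bad

def make_visible(source: str) -> str:
    """Replace each Bidi control with a visible <NAME> token for review."""
    return "".join(f"<{BIDI_CONTROLS[ch]}>" if ch in BIDI_CONTROLS else ch
                   for ch in source)

# Constructed sample (not from the paper): a C comment that opens a
# right-to-left override and an isolate and never closes them.
SAMPLE_SOURCE = (
    "int check_access(int is_admin) {\n"
    "    /* begin admins only \u202E { \u2066 */\n"
    "    if (is_admin) {\n"
    "        return 1; /* end admins only \u2069 \u2066 */\n"
    "    }\n    return 0;\n}\n"
)
```

Run `find_bidi_controls(SAMPLE_SOURCE)` and `unterminated_lines(SAMPLE_SOURCE)` to see the two affected lines reported; `make_visible` is what you would print in a pre-commit hook so the hidden characters show up in the diff.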

Report Shows Appalling State of Employee Awareness of Common Cyber Security Risks

October 31, 2021 by Matthew Bryan 3 Comments

This is another article that shows the importance of security awareness training. In particular I thought the following findings were interesting:

  • Employee awareness of cyber security risks lowest in government and healthcare
  • COVID-19 disrupted employee cybersecurity training
  • Cybersecurity training has a positive impact on employee awareness

It’s always sobering to hear statistics about the present state of employee awareness. In particular, it was very concerning to see that healthcare and government sectors had the lowest awareness of cyber risks. This was surprising given the regulations that face both sectors.

Author: Alicia Hope
Published: October 25, 2021
Link

Tagged With: Week 10
