
Ethical Hacking

Wade Mackey

Week 8

OWASP’s 2021 List Shuffle: A New Battle Plan and Primary Foe

October 24, 2021 by Matthew Bryan 2 Comments

I thought this was timely given this week’s topic. OWASP recently refreshed their list of web application vulnerabilities which saw Code Injection Vulnerabilities being replaced by Broken Access Control as #1.

The article notes that this shifting in order was not due to “solving” Code Injection Vulnerabilities, but rather it illustrates how widespread Broken Access Control is in the field. Broken Access Control “encompasses a wide range of coding flaws” that could “enable attackers to modify a URL, internal application state, or part of an HTML page.” The category includes any instance where access control policies can be violated so that users can act outside of their intended permissions.

The updated OWASP list also debuted new categories on the list, including Insecure Design, Software & Data Integrity Failure, and Server-Side Request Forgery.

Author: Matias Madou

Published: October 20, 2021

Link

Filed Under: Week 8 Tagged With: Week 6
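An added example, not code from the original post or from OWASP, of the object-level flaw the Broken Access Control category describes: a lookup that trusts an invoice id taken from the URL, beside a handler that checks ownership and role before the record leaves the server, plus a function-level check for an admin-only action. The users, roles and invoice table are constructed sample data, and the HTTP-style status codes are an assumption about how the handlers would report results.

```python
# Added example: not code from the original post or from OWASP. It shows the
# object-level variety of Broken Access Control (an insecure direct object
# reference reached by editing an id in the URL) beside a hardened handler.
# All users, roles and invoice records below are constructed sample data.
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # "user" or "admin" (constructed role model)


# Constructed sample data standing in for a database table.
INVOICES = {
    101: {"owner_id": 1, "amount": 250.00},
    102: {"owner_id": 2, "amount": 980.00},
}

Response = Tuple[int, Optional[dict]]  # (HTTP-style status, body)


def get_invoice_vulnerable(caller: User, invoice_id: int) -> Response:
    """Authenticated but not authorized: any logged-in user can read any
    invoice simply by changing the id in the request (the IDOR pattern)."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        return 404, None
    return 200, invoice


def is_authorized(caller: User, invoice: dict) -> bool:
    """Deny by default: the record must belong to the caller unless the
    caller holds an explicitly privileged role."""
    return caller.role == "admin" or invoice["owner_id"] == caller.user_id


def get_invoice_hardened(caller: User, invoice_id: int) -> Response:
    """Same lookup, but the ownership/role check runs before the data is
    returned, so a tampered id yields 403 instead of another user's record."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        return 404, None
    if not is_authorized(caller, invoice):
        return 403, None
    return 200, invoice


def delete_invoice_hardened(caller: User, invoice_id: int) -> Response:
    """Function-level check: deletion is an admin-only action, enforced
    server-side regardless of whether the UI hides the button."""
    if caller.role != "admin":
        return 403, None
    if invoice_id not in INVOICES:
        return 404, None
    return 200, INVOICES.pop(invoice_id)


if __name__ == "__main__":
    alice, mallory, admin = User(1, "user"), User(2, "user"), User(99, "admin")
    print("vulnerable, mallory reads alice's invoice:", get_invoice_vulnerable(mallory, 101))
    print("hardened,   mallory reads alice's invoice:", get_invoice_hardened(mallory, 101))
    print("hardened,   admin reads alice's invoice:  ", get_invoice_hardened(admin, 101))
    print("hardened,   mallory deletes invoice:      ", delete_invoice_hardened(mallory, 101))
```

The point of the hardened pair is that the check is done where the data is, not in the page that renders it: hiding a link or a button in HTML is exactly the “part of an HTML page” an attacker can edit, while a server-side ownership and role check cannot be bypassed that way.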

Hackers Stealing Browser Cookies to Hijack High-Profile YouTube Accounts

October 21, 2021 by Shubham Patil 2 Comments

Google said it found no fewer than 15,000 accounts behind the phishing messages and 1,011 domains that were purpose-built to deliver the fraudulent software responsible for executing cookie stealing malware designed to extract passwords and authentication cookies from the victim’s machine and upload them to the actor’s command-and-control servers. The hackers would then use the session cookies to take control of a YouTube creator’s account, effectively circumventing two-factor authentication (2FA), as well as take steps to change passwords and the account’s recovery email and phone numbers.

Link: https://thehackernews.com/2021/10/hackers-stealing-browser-cookies-to.html

Filed Under: Week 8 Tagged With:
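A stolen session cookie bypasses 2FA because the server sees a session that already passed the second factor. What it does not see is the same client: the cookie now arrives from the attacker's machine. The following added example, not code from the original post or from Google's report, scans constructed web-application log lines for a session id that starts being presented from a different address and browser than the one that logged in, and flags the password and recovery-email changes the post describes when they come from that new context. The log format, field names and action names are assumptions.

```python
# Added example: not code from the original post or from Google's report.
# It scans constructed web-app log lines for a session cookie that starts
# being presented from a different client than the one that logged in (the
# footprint a stolen cookie leaves) and for sensitive account changes made
# from that new context. Field names and log format are assumptions.
import re
from typing import Dict, List, Set, Tuple

# Constructed sample log: creator1's session (abc123) is replayed from a new
# address and browser, then used to change the password and recovery e-mail;
# creator2's session (def456) stays on the client that logged in.
SAMPLE_LOG = """\
2021-10-20T10:00:01Z sid=abc123 user=creator1 ip=203.0.113.5 ua="Chrome/94 Win" action=login mfa=ok
2021-10-20T10:05:12Z sid=abc123 user=creator1 ip=203.0.113.5 ua="Chrome/94 Win" action=view_dashboard
2021-10-20T11:40:03Z sid=abc123 user=creator1 ip=198.51.100.77 ua="Firefox/93 Linux" action=view_dashboard
2021-10-20T11:41:30Z sid=abc123 user=creator1 ip=198.51.100.77 ua="Firefox/93 Linux" action=change_password
2021-10-20T11:42:10Z sid=abc123 user=creator1 ip=198.51.100.77 ua="Firefox/93 Linux" action=change_recovery_email
2021-10-20T12:00:00Z sid=def456 user=creator2 ip=192.0.2.9 ua="Safari/15 Mac" action=login mfa=ok
2021-10-20T12:30:00Z sid=def456 user=creator2 ip=192.0.2.9 ua="Safari/15 Mac" action=upload_video
"""

# Actions an account thief performs to lock the real owner out (assumed names).
SENSITIVE_ACTIONS = {"change_password", "change_recovery_email", "change_recovery_phone"}

_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> Dict[str, str]:
    """Split 'ts key=value key="quoted value" ...' into a dict."""
    ts, _, rest = line.partition(" ")
    event = {"ts": ts}
    for key, value in _FIELD.findall(rest):
        event[key] = value.strip('"')
    return event


def find_session_replays(log_text: str) -> List[Dict[str, str]]:
    """Return one alert per session whose client context changes, plus one
    alert per sensitive action performed from the changed context."""
    baseline: Dict[str, Tuple[str, str]] = {}  # sid -> (ip, ua) at first use
    flagged: Set[str] = set()                   # sids already alerted on
    alerts: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        sid = ev["sid"]
        context = (ev["ip"], ev["ua"])
        if sid not in baseline:
            baseline[sid] = context
            continue
        if context == baseline[sid]:
            continue
        # Same cookie, different client: either a legitimate network change
        # or a replayed (stolen) cookie. The first deviation raises one alert.
        if sid not in flagged:
            flagged.add(sid)
            alerts.append({"ts": ev["ts"], "sid": sid, "user": ev["user"],
                           "reason": "session_context_changed", "action": ev["action"]})
        if ev["action"] in SENSITIVE_ACTIONS:
            alerts.append({"ts": ev["ts"], "sid": sid, "user": ev["user"],
                           "reason": "sensitive_action_from_new_context", "action": ev["action"]})
    return alerts


if __name__ == "__main__":
    for alert in find_session_replays(SAMPLE_LOG):
        print(alert)
```

An IP change on its own is weak evidence (mobile networks and VPNs change addresses all the time), so the second alert type, a sensitive change made from the new context, is the one worth acting on. The matching control on the server side is to require the second factor again before a password, recovery e-mail or phone number can be changed, so a replayed cookie alone is not enough to take the account.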

Human Psyche is the Victim

October 19, 2021 by Vanessa Marin 1 Comment

Title: How Attackers Hack Humans
Author: Williesha Morris
Publish Date: October 15, 2021
Website: DarkReading.com

We talked about social engineering and how employees are targeted to gather information. Recon 101! Email, phone, text. It’s an interesting perspective article on hacking humans told from the POV of former CIA operative Peter Warmka. He speaks about how tools 20 years in the making are being used now to rely on soft targets to get to hard targets.

Some key points we talked about in class were distinctly pointed out in the article:

  • insider targets: overworked, underpaid, and underappreciated employees
  • job postings: can detail all of the systems and databases that a company uses that can be targeted for infiltration
  • media releases: show how an organization is growing and changing and name potential targets and their job titles or even hobbies and interests.
  • internet searches: “employee manual” and “PDF” can reveal benefit packages, rules, and other confidential information
  • social media: work history, certifications, volunteer work, political leanings, relationship statuses, and favorite books and movies.
  • pictures: demonstrate socioeconomic status

An interesting take on the article is that it provides an interesting alternative option for protecting employees. Not just the mandatory IT Security employee training, but taking “protecting your people” to another level.

  • Offering training or classes with guidance on how to secure their social media profiles.
    • “Helping employees use privacy controls and restricted settings is good for their personal safety and can help the organization, as well.”
  • Show how social media posts can be used against a person.
  • Training to include what work details shouldn’t be posted socially.

Essentially, the company is protecting itself by virtue of protecting you.

Very good read!

Also, if interested: Peter Warmka has a book out that could prove to be very fun: Confessions of a CIA Spy: The Art of Human Hacking

Vanessa

Filed Under: Week 8 Tagged With:

Attackers Behind Trickbot Expanding Malware Distribution Channels

October 19, 2021 by Ryan Trapp 1 Comment

The bad actors behind the infamous Trickbot malware have resurfaced in an attempt to expand their distribution channels. Their new goal appears to be the deployment of ransomware. The Trickbot malware itself has evolved from a banking Trojan to a modular Windows-based crimeware solution. They are moving away from sending out phishing emails with Excel documents to more diversified delivery methods.

https://thehackernews.com/2021/10/attackers-behind-trickbot-expanding.html

Filed Under: Week 8 Tagged With:

Rickroll Grad Prank Exposes Exterity IPTV Bug

October 17, 2021 by Matthew Bryan Leave a Comment

I thought this was a pretty funny, although risky, prank that took advantage of a zero-day vulnerability in Exterity’s IPTV system. Minh Duong, a former student at Township High School District 214, identified this vulnerability and was able to take control of every TV within the district. This allowed him to pull off the “Big Rick,” which played Rick Astley’s classic “Never Gonna Give You Up” on every IPTV across the district.

The Exterity IPTV system runs networked projectors and TVs across the Township School District. The TV players can receive serial commands via a web interface and an SSH server, which allows for centralized control. Duong noticed this set-up earlier on in high school and was able to exploit the vulnerability, but didn’t do much with it initially. He later got the idea for the “Big Rick” as a senior prank.

Duong was very clear that he was lucky that the administration didn’t pursue criminal charges against him for unauthorized access. He notes in the article that people should “never access other systems in an unauthorized manner without permission.” The vulnerability has been reported to the manufacturer, although it’s unclear if this has been fixed.

Author: Becky Bracken

Published: October 14, 2021

Link: https://threatpost.com/rickroll-exterity-iptv-bug/175491/

Filed Under: Week 8 Tagged With:
