William Bailey
For this week’s discussion, research an article describing a breach where wireless (Wifi) was the entry point for the breach.
What weaknesses in the configuration did the attackers use to enter their target’s system?
What countermeasures would you implement if you wanted to defend against this breach?
Please include the URL for the article, so that others can read the article(s).
During Week 11, what are your experiences with Security Shepherd?
Which deployment method (VMware / VirtualBox / Docker) did you choose, and why?
How many challenges did you complete?
When you encountered issues, what kind of steps did you take to resolve the issues and forge onward?
To help us understand what can be obtained via a web application that has vulnerabilities, or weaknesses, that an untrusted outsider can take advantage of. Krebsonsecurity talks about a breach caused to a web application that they had purchased from Fiserv, resulting in customers being able to to view account data for other customers, including account number, balance, phone numbers and email addresses. (https://krebsonsecurity.com/tag/fiserv/)
For this week, research a recent breach announcement that was attributed to a web application failure. How did attackers misuse the website, and what were they able to obtain? How could the breach have been averted?
This Discussion Question thread has been created to discuss how we’re succeeding with virtualization.
https://www.scmagazine.com/home/security-news/data-breach/carnival-must-right-the-ship-after-breaches-threaten-travelers-trust/?ocid=uxbndlbing
In this article, the author revealed that Carnival Cruise Lines detected a ransomware attack on August 15th that accessed and encrypted a portion of the technology systems of one of its brands and downloaded data files that contained customer personal information. Since 2019, Carnival has been the victim of two confirmed cyberattacks and a potential third attack, including a 2019 data breach that impacted the company’s Princess and Holland America cruise lines that was committed via deceptive phishing emails. It is noteworthy that this breach was initially identified in May 2019 and appears to have spanned the period from April 11 through July 23, 2019.
It is believed that the current breach may have resulted from Carnival’s use of vulnerable devices and their failure to apply available patches in a timely manner. Specifically, exploitation of a Citrix vulnerability (CVE-2019-19781) and a Palo Alto Firewall flaw (CVE-2020-2021) could have allowed hackers to gain unauthorized access to the corporate networks.
The author went on to state that, after learning about the prior breach in March 2020, cyber intelligence company Prevailion began sorting through its data relate to Carnival and discovered a malicious program. Prevailion attempted to warn Carnival, who failed to respond to their warnings. Prevailion refrained from going public with this information until the current breach was publicized.
It seems obvious that a thorough security assessment was not performed by or on behalf of Carnival after the breach that was identified in May 2019 since the networks were still so vulnerable to attack a year later. While data breaches are not always preventable, recurring breaches at the same company are difficult to ignore. Carnival claims the incident will not have a material impact on its business. However, it is difficult to measure the reputational harm that has been caused by this series of events. It is also too early to tell how significant the financial impact of allowing unauthorized access to the personal information of guest and employees may be on the world’s largest cruise operator.
During the week, research an article that describes a recent breach (hack) of an organization. Of special interest this week, does the article discuss whether the organization had conducted some sort of vulnerability scans, penetration tests, and/or red or blue team exercises?
When citing the article, include the URL, so that others can read the rest of the article.
https://krebsonsecurity.com/2020/01/iowa-prosecutors-drop-charges-against-men-hired-to-test-their-security/
I recall following this story about two Pen tester’s who were arrested during an authorized penetration testing engagement in Dallas County Iowa. The engagement took place at a county courthouse and the scope of the engagement tasked the two pen testers to physically gain access to the courthouses facilities. After tripping an alarm during the assessment the two pen testers found themselves under arrest even after providing proof of contract as well as contact information of individuals who authorized the assessment.
As part of our discussion this week we spoke about what are the attributes of a “good” pen tester. One of those attributes was that a qualified pen tester must be methodical in developing a game plan in order to execute a successful pen test. This is where the breakdown was in my opinion as it turns out that the courthouse was actually owned by Dallas county and not the state of Iowa (who actually requested the assessment). While I think the authorities handling of the situation was a bit extreme, it doesn’t appear that a quality or methodical game plan was deployed during the assessment – hence, the two pen testers found themselves in trouble. What do you think?
During the week, research an article that describes a recent breach (hack) of an organization. Of special interest this week, does the article discuss whether the organization had conducted some sort of vulnerability scans, penetration tests, and/or red or blue team exercises?
When citing the article, include the URL, so that others can read the rest of the article.
In our first lecture, we discussed insider threats and the value of business information and the subsequent damage it causes organizations if stolen. Capitalizing on the market of cyber espionage, a cybercriminal group, known as DeathStalker, is targeting smaller financial organizations. Security researchers report that DeathStalker is “offering hacker-for-hire services,” and are acting as “information brokers” by stealing and selling business secrets. The group attacks victims using phishing emails and a malicious PowerShell executable.
https://www.darkreading.com/attacks-breaches/deathstalker-apt-targets-smbs-with-cyber-espionage-/d/d-id/1338737
As we prepare for the first Webex on Thursday, I’ve set this post for each of us to introduce ourselves:
Please join in, and post a reply with a bit about yourself.
Just to kick things off. Here’s an article describing scammers using phishing techniques netted 11 million Canadian (9 Million US).
The article says this is not technically hacking. I don’t agree, but what do you think?
For those with an audit background, it also points out that anti-fraud controls were either not in place, or not effective.
I will start off this week’s discussion regarding wireless with an article that describes how a Las Vegas casino was hacked because of a fish tank that was connected to the Internet, and also a hack in which “smart pads” connected to insecure Wifi were used as the entry point.
https://money.cnn.com/2017/07/19/technology/fish-tank-hack-darktrace/index.html
For this week, find another example that demonstrates how wireless networks were the entry point in a successful breach / attack.
During Week 11, what are your experiences with Web Security Dojo?
How many challenges did you complete?
When you encountered issues, what kind of steps did you take to resolve the issues and forge onward?