This week’s reading article emphasized the importance of a vulnerability management program in any organization. Specific importance was given to the difficulties organizations face in choosing their business partners. We have seen over the years that hackers target vendors/business partners to gain an entry into the target organization. This article provided a brief introduction to open source tools which can be used to get the necessary information about vendors’/business partners’ strength and security of IT systems, without disrupting relations. Information obtained using these open source vulnerability assessment tools can help organizations in making informed decisions regarding their business partners.
Readings Week 3 – Concepts of Reconnaissance
This was an excellent read. Reconnaissance is the first step in the MITRE ATT&CK chain. It helps attackers find vulnerabilities on internal systems. Many times this is done by analyzing public facing web servers. There is a myriad of information to be gained from web-servers. These systems will show services and banners and the exact software versions that are being run on the server. The article referenced many tools to accomplish this. Some of these I have heard of and used in the past such as Shodan, and others I have not heard of such as Recon-ng.
Shodan is very useful as it will scan an IP and tell you what ports are open and, many times, what services are running on the website such as Apache, IIS, Nginx, etc. You need the IP address of the site you want to scan. Generally you can just plug a website URL into a DNS lookup tool and get the IP that way, then just plug it into Shodan. Recon-ng, according to the article, is a command line tool that is included in Kali. It is a Python script that works like Metasploit and queries Google and Shodan for information on a given site for services and open ports. The article goes on to mention that once you have determined a particular service is running, such as Apache 2.4.4, http://www.cvedetails.com will allow you to research any known vulnerabilities against that service.
Questions for the class:
While Nmap and OpenVAS are standard programs for port scanning and basic enumeration, why are open source reconnaissance tools like Shodan and Google searches a better starting point in terms of stealth?
Student arrested for cyber-attack against Miami schools used ‘easy to prevent’ program
A 16-year-old teen is accused of launching a cyber-attack that temporarily shut down Miami-Dade’s online classes. The teen used a simple, easy-to-download distributed denial of service program to overwhelm the servers. Miami-Dade is the nation’s fourth-largest school district. The teen is accused of orchestrating no fewer than eight of at least two dozen cyber-attacks. The first three days of the district’s virtual classes were halted due to the attacks.
What alarmed cybersecurity experts was the simplicity of the attacks. According to experts, the district should have been able to ward off an attack this simple. The student admitted to using a tool called “Low Orbit Ion Cannon (LOIC).” This tool is easy to download and even easier to operate. It is a point-and-click program that doesn’t need a great degree of sophistication to operate. This was the same tool that the hacker group Anonymous used a decade ago to cripple companies such as MasterCard, Visa and PayPal.
Experts and law enforcement officials were shocked that the school’s servers could not handle the LOIC attack. Officials stated that the firewalls on the district’s computer network should have been able to detect and mitigate the attack. One expert said this attack was “really easy to prevent,” and the school’s router configuration must really be out of date. Experts were shocked that a school district of Miami-Dade’s size could be taken down so easily.
The student faces a felony charge of using a computer to attempt to defraud and a misdemeanor charge of interference with an educational institution. The student will likely be charged by Miami-Dade prosecutors and tried in state court, and not by federal prosecutors with the U.S. Attorney’s Office. The school is being encouraged to use federal resources, provided by the Cybersecurity and Infrastructure Security Agency (CISA), to secure its networks, including virtual classrooms.
https://www.miamiherald.com/news/local/education/article245461020.html
Week #3 Reading Discussions
Using Open Source Reconnaissance Tools for Business Partner Vulnerability Assessment
- Using a Google search of “intitle:index.of “Apache 2.2.22at “, we can find all servers using that version of Apache. When you attach a site name, all the possible queries showing vulnerable software or sensitive information (password, scans, files) can be found. This can be done using any search engine.
- If flagged, Google can prompt you to answer the captcha puzzle; Google can also freeze all search activity on your network if Google decides there’s a botnet on the server.
What software can be used to test sites against malware/spam?
What tools can be used to non-intrusively perform a vulnerability assessment?
Week #1 Reading Discussions
Basics of computer networking
- Differences between an open system and a closed system: why would anyone use a closed system if it can’t be connected to a network or communicated with? Computer networks include the devices and also things that can help connect the devices, such as routers and switches.
How can the MAC address help incriminate an electronic device compared to just using the IP Address?
How can you use the IP address to physically locate the electronic device?
Intro to basic networking terminology
- To facilitate the connection between two parties, a number of protocols have to be in place so the products can communicate and share information. A number of protocols working together are called protocol suites or stacks.
Why would it be useful to have network reference models developed for products (from different manufacturers)?
Why would VPNs be useful to you?
Layers of OSI
- The physical layer would be the one responsible for the connection of devices and also for translating to 0s and 1s. It’s required that the physical layer translate and then the data link layer pieces the message back together.
Which layer would be most important to ensure the connection is secure? What’s the use of the dialog controller?
TCP/IP
- The application layer of the TCP/IP model performs the top three layers of OSI: Application, Presentation, and Session. TCP/IP model protocols are not easily replaced and can only provide connectionless services.
What are the key differences between layers of OSI and layers of TCP/IP models?
WK #3: Sophisticated Phishing Scam Targeting Lloyds Bank Customers
One of the largest banks in England and Wales, Lloyds Bank, fell victim to an elaborate phishing scam. Clients were sent emails and text messages that displayed warnings that their accounts would be shut off unless they logged in to verify their credentials. The attacker then set up a realistic site that contained official words, logos, and personalized details to trick the user into believing its legitimacy. Phishing attacks are one of the most easily used social engineering attacks; many clients untrained in identifying the signs easily fall into giving up their PII. In July, HSBC Bank also faced a similar attack that prompted users to give up their credentials.
https://www.infosecurity-magazine.com/news/phishing-scam-lloyds-bank-customers/
Discussion Questions:
- What is the targeted audience demographic for phishing attacks?
- How can companies resolve the issue internally as well? (As many employees are also susceptible to these attacks)
Uber ex-security boss accused of covering up hack attack
I found a very interesting article on the former chief security officer of Uber, Joseph Sullivan. Sullivan is currently being charged with obstruction of justice for an incident that happened at Uber in 2016. At that time, the company had the details of 57 million Uber drivers and passengers exposed by a hacking group. To keep this quiet, Sullivan tried to cover up the data breach by paying the hackers 100,000 dollars to delete all the data they had stolen. When the data breach was revealed to the public in 2017, Uber fired Sullivan. Now he is being charged with obstruction of justice because he took “deliberate steps” to stop the FTC from finding out about the hackings.
He disguised the payments by using bitcoin instead of actual money and called it a “bug bounty” reward, which is usually given to cyber security experts for discovering vulnerabilities so that they can be fixed. On top of this, he had the hackers sign a non-disclosure agreement as part of the payment that stated that they had not stolen any data from Uber. Because of his actions, Uber had to pay $148 million in legal claims from all 50 states.
Tidy, Joe. “Uber Ex-Security Boss Accused of Covering up Hack Attack.” BBC News, BBC, 21 Aug. 2020, www.bbc.com/news/technology-53861375?intlink_from_url=www.bbc.com/news/topics/c347w30eq7xt/computer-hacking.
Reading questions with key points
Basics of computer networking
Network topology can have a network arranged in many different layouts that include: star, mesh, point to point, daisy chain, tree, hybrid, ring.
What is the difference between well known ports, registered ports, and ephemeral ports?
Intro to basic networking terminology
The most widely used of the network reference models, which were developed to allow products from different manufacturers to interoperate on a network, is the TCP/IP model (which was developed by the Department of Defense).
Why would the DOD need to create a network reference model when there was already one widely used?
Layers of OSI
The open system interconnection (OSI) model is a 7 layer architecture that works to transmit data from one device to another device across the globe.
Was the OSI model too complicated to use? Is that why they created the TCP/IP model?
TCP/IP
The transmission control protocol/internet protocol is a 4 layer architecture model and was created by the DOD and is a concise version of the OSI model.
How does the OSI model compare to the TCP/IP model (architecture wise)?
U.S. Health and Human Services Department Suffers Cyberattack
Amid this period of the COVID-19 pandemic, there has been an increase in attacks on the health sector industry. Among the articles that I have come across is one on the U.S. Health and Human Services Department suffering a cyber attack, i.e. a distributed denial of service (DDoS). It doesn’t appear that the hackers took any data from the systems; the hack involved overloading the HHS servers with millions of hits over several hours. The DDoS was service impacting, and several hours can be the difference in a “life or death” situation.
I wondered if there had been:
1) Preliminary survey: It is not known for certain if or how the attackers performed reconnaissance on the network prior to the attack, but it probably would not have required much more than internet searches.
2) Why this timing of the attack, and the motive behind it: Why target the U.S. Health and Human Services Department?
According to the Bloomberg article (quoted below):
https://www.bloomberg.com/news/articles/2020-03-16/u-s-health-agency-suffers-cyber-attack-during-covid-19-response
“The U.S. Health and Human Services Department suffered a cyber-attack on its computer system, part of what people familiar with the incident called a campaign of disruption and disinformation that was aimed at undermining the response to the coronavirus pandemic and may have been the work of a foreign actor”.
“We are aware of a cyber incident related to the Health and Human Services computer networks, and the federal government is investigating this incident thoroughly,” John Ullyot, a spokesman for the National Security Council, said in a statement. “HHS and federal government cybersecurity professionals are continuously monitoring and taking appropriate actions to secure our federal networks.”
SANS compromised from phishing attack
On August 11th the SANS Institute suffered a data breach due to a phishing email. The attack caused 513 emails to be forwarded to the attackers. The emails contained 28,000 records of PII (personally identifiable information). SANS has since released the IOCs (indicators of compromise) for the phishing attack. The phishing email pretended to be a file shared by a SANS SharePoint service. The malicious file was an Excel file called “CopyofJulyBonus24JUL2020.xls”. The email prompted the user to click on the ‘Open’ button to access the file. Once the user clicked ‘Open’ it redirected them to a malicious website that was spoofed to look like an Office 365 login page. Once the user entered their O365 credentials, an add-on named ‘Enable4Excel’ was installed. This add-on would then create a forwarding rule in the user’s Outlook named ‘Anti Spam Rule.’ This rule monitored for specific keywords in emails. Once a match was found in an email, it would be forwarded to an external address where the attackers could retrieve the emails. The words that were being monitored were:
agreement | Bank | bic | capital call | cash | Contribution | dividend | fund | iban | Payment | purchase | shares | swift | transfer | Wire | wiring info
This phishing campaign was conducted July 24th, 2020. According to the article, SANS was not the only company targeted. 2 other companies uploaded similar emails to VirusTotal.
https://www.bleepingcomputer.com/news/security/sans-shares-details-on-attack-that-led-to-their-data-breach/
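The post above describes a mailbox forwarding rule that watched for financial keywords and sent matching mail to an external address. The script below is an added example (not from the BleepingComputer article, SANS, or the original post) showing how a defender can sweep exported inbox rules for that pattern: it flags any rule that forwards to a domain outside the organization, raises the severity when the rule's conditions overlap with the keyword list quoted in the post or the rule deletes the message after forwarding, and notes benign-sounding names such as "Anti Spam" on external forwards. The rule records, the field names (`forward_to`, `subject_contains`, `delete_after_forward`) and the domains are all constructed for this demo and are not a real mail platform's export format.

```python
"""Sweep exported inbox rules for attacker-style external forwarding.

Added example, not code from the article or from SANS. The record shape and
sample data below are constructed assumptions, not a real mail-platform API.
"""
from dataclasses import dataclass, field

# Keyword list quoted in the post; matched case-insensitively below.
ATTACK_KEYWORDS = {
    "agreement", "bank", "bic", "capital call", "cash", "contribution", "dividend",
    "fund", "iban", "payment", "purchase", "shares", "swift", "transfer", "wire",
    "wiring info",
}


@dataclass
class InboxRule:
    """Assumed shape of one exported mailbox rule (constructed for the demo)."""
    mailbox: str
    name: str
    forward_to: list = field(default_factory=list)       # forwarding targets
    subject_contains: list = field(default_factory=list) # condition terms
    delete_after_forward: bool = False                   # hides the copy from the user


def is_external(address: str, org_domains: set) -> bool:
    """True when the address's domain is not one the organization owns."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in org_domains


def score_rule(rule: InboxRule, org_domains: set):
    """Return (severity, reasons). severity is None when nothing is suspicious."""
    reasons = []
    external = [a for a in rule.forward_to if is_external(a, org_domains)]
    if not external:
        return None, reasons  # only external forwarding is alerted on here
    reasons.append("forwards to external address(es): " + ", ".join(external))
    severity = "medium"
    hits = sorted({t.lower() for t in rule.subject_contains} & ATTACK_KEYWORDS)
    if hits:
        reasons.append("conditions match financial keywords: " + ", ".join(hits))
        severity = "high"
    if rule.delete_after_forward:
        reasons.append("deletes message after forwarding")
        severity = "high"
    if "spam" in rule.name.lower():
        reasons.append("benign-looking name on an external forwarding rule")
    return severity, reasons


def find_suspicious_rules(rules, org_domains):
    """Return a list of (mailbox, rule name, severity, reasons) for flagged rules."""
    findings = []
    for rule in rules:
        severity, reasons = score_rule(rule, org_domains)
        if severity:
            findings.append((rule.mailbox, rule.name, severity, reasons))
    return findings


def sample_rules():
    """Constructed sample export: one attacker-style rule, one legitimate
    internal forward, one personal external forward, one local-only rule."""
    return [
        InboxRule("alice@example.com", "Anti Spam Rule",
                  forward_to=["collector@attacker.example"],
                  subject_contains=["wire", "IBAN", "Payment"]),
        InboxRule("bob@example.com", "Vacation cover",
                  forward_to=["bob.backup@example.com"]),
        InboxRule("carol@example.com", "Personal copy",
                  forward_to=["carol@mail.example.net"]),
        InboxRule("dave@example.com", "Move invoices",
                  subject_contains=["invoice"]),
    ]


def run_demo():
    """Sweep the constructed sample with example.com as the only owned domain."""
    return find_suspicious_rules(sample_rules(), {"example.com"})


if __name__ == "__main__":
    for mailbox, name, severity, reasons in run_demo():
        print(f"[{severity}] {mailbox} rule '{name}':")
        for reason in reasons:
            print("   -", reason)
```

Running the sweep on the constructed sample flags the "Anti Spam Rule" as high severity and Carol's personal forward as medium, while Bob's internal forward and Dave's local-only rule are left alone. In practice the same logic would be run against a real rule export on a schedule, with a ticket raised for every external forward rather than waiting for an incident report.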