Readings:

Wireshark was developed in 2006 (originally called Ethereal as was developed by Gerald Combs back in 1998) and so far is the best free Open Source tool that is used for deep network data packet analysis, in which comprehensive information is extracted from captured network transmissions. Wireshark provides analysis of all 7 layers of the OSI model, which helps to troubleshoot network communications issues, discover security flaws, debug and learn network protocols. Wireshark is compatible with various OS flavors and customizable for development purposes.

Question to the Class: Would BurpSuite be a good fit as competitor for packet analysis of Layer 7 of OSI model?

In the News: Subgraph OS — Secure Linux Operating System for Non-Technical Users

Subgraph OS was designed from the ground-up to reduce the risks in endpoint systems so that individuals and organizations around the world can communicate, share, and collaborate without fear of surveillance or interference by sophisticated adversaries through network borne attacks.

Subgraph OS is designed to be difficult to attack. This is accomplished through system hardening and a proactive, ongoing focus on security and attack resistance. Subgraph OS also places emphasis on the integrity of installable software packages.

Special Features:

• Oz is a system for isolating programs so that if an attacker exploits an application security vulnerability, the rest of your machine and your network will remain largely unaffected.

• Mandatory Full Disk Encryption (FDE)

• Online Anonymity — Everything through Tor

• Advanced Proxy Setting

• System and Kernel Security

• Secure Mail Services

• Package Integrity

Read more @: http://thehackernews.com/2016/03/subgraph-secure-operating-system.html

Since there’s no assigned readings (according to the syllabus), I thought I would share this interesting article:  “Office puts chips under staff’s skin”.

Epicenter, a new hi-tech office block in Sweden, are trying a new approach on how they conduct business. The company is implementing an RFID chip about the size of grain of rice under employee’s hand. This allows the 700 employees to access doors, photocopiers, pay in the café all with a touch of a hand.

Even though this is a great idea to allow the convenience of the employee, but what about the actual radio frequency of that chip? How easy is to re-direct the frequency towards that chip or to interfere with other frequencies? It looks like chips will soon replace wearable technology, but how safe and secure are they? I will leave that to future studies…to be continued.

For more information, feel free to access it here.

Readings:

Web based attacks are most dangerous environments with numerous ways to compromise Confidentiality, Integrity and Availability. Various methods exist to break into web services, servers and sites components, such as: Phishing XSS, Injections Flaws, Unsecured storage,  Broken Authentication and access controls, Unvalidated data inputs, etc. Especially, SQL Injection is very powerful in hands of hackers since SQL databases are all over the globe in every web site. The best security practices to avoid being a victim of such attacks is to make sure industry standards are followed when designing web based applications.

Question to the Class: Would WebGoat be considered the best up-to-date tool to practice attacks?

In the News:

If you are using a SimpliSafe wireless home alarm system to improve your home security smartly, just throw it up and buy a new one. It is useless.

Read more here:

http://thehackernews.com/2016/02/hack-home-security-alarm.html

Assigned readings:

Burp Suite is a tool that allows security testing of Web applications. This framework is very powerful for if it is used properly, it identifies vulnerabilities and exploits them. This tool is composed of proxy, spider, intruder, repeater, sequencer, decoder and comparer. Burp intruder allows you to customize attacks against any Web applications and it is composed of four elements: target, positions, payloads and options. SQL Injection testing is also another method that is used within the Burp intruder. Burp repeater manually modifies the HTTP requests and tests the responses given by the page. Burp sequencer checks for the extent of randomness in the session tokens generated by the Web application. Burp decoder sends a request to the decoder and lastly, burp comparer compares between two sets of data. Web application vulnerabilities is becoming more sophisticated however they are various methods to prevent such threats and protect the assets of the company. One of the most common methods include web application scanners and firewalls. Also, it is important to note that managers play a significant role when it comes to web application security.

Question for the class:

What are you experiences thus far using Burp Suite?

In the news: “Vulnerability found in two-factor authentication”

Two-factor authentication is a computer security measure used by major online service providers to protect the identify of users in the event of a password loss. Security experts have long endorsed two-factor authentication as an effective safeguard against password attacks. But what if two-factor authentication could be cracked not by computer engineering but by social engineering? A study was conducted with a scenario in which a hacker, armed only with the target’s mobile phone number, attempts to log into a user’s account and claims to forget the password, triggering a verification SMS text. I n a pilot test of twenty mobile phone users, 25 percent forwarded the verification code to an attacker upon request while proving the success of Verification Code Forwarding Attack.

Click here to read more about this article.

“Keybase Releases Encrypted File-Sharin iPhone App”

Keybase last week announced the alpha release of the Keybase app for the iPhone with a cryptographically secure file mount. Users can write data in an automatically created folder in this format: /keybase/public/username. Files written in the folder are signed automatically and appear as plain text files. The folder prevents server-side and man-in-the-middle attacks. Files stream in on demand; there is no syncing as there is in Dropbox, Google Drive and Box.

For more information regarding this article, please click here.

*/ No Reading for this week.

In the News:

National Security Agency merging offensive, defensive hacking operations

The U.S. National Security Agency on Monday outlined a reorganization that will consolidate its spying and domestic cyber-security operations, despite recommendations by a presidential panel that the agency focus solely on espionage.

Read more at: http://www.reuters.com/article/us-usa-cyber-nsa-idUSKCN0VH21H

Advanced Penetration Testing -Week-5

You have been invited to attend a Mediasite presentation.

Presentation Details:
Title: =MIS 5212.001_2/8/2016
Date: Monday, February 8, 2016
Time: 5:30 PM (UTC-05:00) Eastern Time (US & Canada)
Duration: 2:30:00
Link: http://tucapture.fox.temple.edu/Mediasite/Play/838dfd6cce4641f1a38055e70c51733e1d