MIS 5212-Advanced Penetration Testing

MIS 5212 - Section 001 - Wade Mackey

Fox School of Business

Loi Van Tran

Radio Hack sets off 156 Emergency Sirens across Dallas

April 13, 2017 by Loi Van Tran

Last Friday around midnight, the 1.6 million people living in Dallas woke up to the screeching sound of sirens that were triggered by a supposed computer hack from outside the emergency notification network.  The emergency system is used to warn residents of tornadoes and other dangerous weather conditions.  The alarms blared for 95 minutes until administrators shut the system down manually. Initially the incident was thought to be caused by a network hack, but that turned out not to be entirely accurate.

The Dallas City Manager later clarified that the “hack” used a radio signal that spoofed the system used to control the siren network.  He did not disclose any additional details, but noted that it was not a software issue but rather a radio issue.  Experts speculate that older Emergency Alert Systems are usually controlled by tone combinations broadcast over the National Weather Service’s weather radio.  The sirens receive their commands as Dual-Tone Multi-Frequency (DTMF) or Audio Frequency Shift Keying (AFSK) tones that carry encoded commands from the command center.  If these frequencies are not monitored, an attacker can send endless combinations until they hit the right one; after that, all they have to do is repeat the signal.
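The defensive counterpart to the paragraph above is to monitor the control channel itself. The script below is an added example, not code from the Ars Technica article or from the Dallas siren system: it assumes a receiver that decodes every tone burst on the control frequency and logs it as a “timestamp code” line (the log format, the command codes 7700/7731/7739, and the dispatch record are all hypothetical placeholders). Over a constructed log it flags the three patterns the post describes: a burst of unrecognised codes (someone cycling through combinations), a valid command that the command center never dispatched, and the same valid command heard again shortly afterwards (a repeated signal).

```python
from collections import deque
from datetime import datetime, timedelta

# Hypothetical command codes for this example; real siren systems use their own tone sets.
VALID_CODES = {"7700": "TEST", "7731": "ACTIVATE", "7739": "CANCEL"}

# Hypothetical record of what the command center itself transmitted (a scheduled test).
DISPATCH_LOG = [(datetime(2017, 4, 7, 18, 0, 0), "TEST")]

# Constructed decoded-tone events: "<ISO timestamp> <decoded code>", one per line.
SAMPLE_EVENTS = """\
2017-04-07T18:00:00 7700
2017-04-07T23:40:00 1000
2017-04-07T23:40:03 1001
2017-04-07T23:40:06 1002
2017-04-07T23:40:09 1003
2017-04-07T23:40:12 1004
2017-04-07T23:40:15 1005
2017-04-07T23:41:30 7731
2017-04-07T23:41:45 7731
"""


def parse_events(text):
    """Turn the receiver log into (timestamp, code) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, code = line.split()
        events.append((datetime.fromisoformat(stamp), code))
    return events


def analyze(events, valid_codes=VALID_CODES, dispatch_log=DISPATCH_LOG,
            scan_threshold=5, scan_window=timedelta(seconds=60),
            dispatch_tolerance=timedelta(seconds=30),
            repeat_window=timedelta(minutes=5)):
    """Return a list of alert dicts for three suspicious patterns:
    - tone_scan: at least scan_threshold unrecognised codes inside scan_window;
    - unrequested_command: a valid command with no matching dispatch record;
    - repeated_command: the same valid command heard again inside repeat_window."""
    alerts = []
    unknown_times = deque()   # timestamps of unrecognised codes in the current window
    scan_quiet_until = None   # suppress duplicate scan alerts for one window
    last_valid = {}           # command name -> last time it was heard

    for ts, code in events:
        if code not in valid_codes:
            unknown_times.append(ts)
            while ts - unknown_times[0] > scan_window:
                unknown_times.popleft()
            if len(unknown_times) >= scan_threshold and (
                    scan_quiet_until is None or ts > scan_quiet_until):
                alerts.append({"kind": "tone_scan", "time": ts,
                               "count": len(unknown_times)})
                scan_quiet_until = ts + scan_window
            continue

        name = valid_codes[code]
        # A legitimate command should line up with something the command center sent.
        dispatched = any(dname == name and abs(ts - dts) <= dispatch_tolerance
                         for dts, dname in dispatch_log)
        if not dispatched:
            alerts.append({"kind": "unrequested_command", "time": ts, "command": name})
        # The same command arriving again soon afterwards looks like a repeated signal.
        prev = last_valid.get(name)
        if prev is not None and ts - prev <= repeat_window:
            alerts.append({"kind": "repeated_command", "time": ts, "command": name})
        last_valid[name] = ts
    return alerts


if __name__ == "__main__":
    for alert in analyze(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

On the constructed log this raises one tone_scan alert for the six guessed codes, then flags both ACTIVATE bursts as unrequested and the second one as a repeat. The thresholds are starting points; a real deployment would tune them against the channel's normal traffic and feed the alerts to whoever can shut the system down, since the post notes that took 95 minutes in Dallas.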

Article: https://arstechnica.com/information-technology/2017/04/dallas-siren-hack-used-radio-signals-to-spoof-alarm-says-city-manager/


Scareware vulnerability confirmed for iOS 10.2 and Earlier

April 1, 2017 by Loi Van Tran

Apple recently confirmed a vulnerability that allowed attackers to send an infinite loop of alert messages to the Safari application.  Instead of affecting only the tab in which the website was opened, it affected the entire application, making Safari unusable.  Alerts such as “Your device has been locked” were used to scare users into buying iTunes gift cards and paying the ransom.  The catch is that it did not actually lock iOS or encrypt any files, hence the name scareware.  The scammers registered domains and launched the attack from the domains they owned, such as police-pay[.com]. When a user clicks a link to one of those domains, they get an infinite loop of alert messages.

The good news is that Apple has patched this vulnerability in iOS 10.3.  If you do not want to update, the other option is to clear Safari’s cache.

Article: http://www.securityweek.com/ios-scareware-campaign-abuses-safari-vulnerability

Polish Banks and Other Financial Organizations Hit by New Malware

March 29, 2017 by Loi Van Tran

The cybercrime group known as Lazarus is suspected of being behind numerous attacks against Polish banks.  The banks reportedly detected previously undetected malware variants in their systems.  They reported unusual behavior that included abnormal network traffic to foreign locations, encrypted executables, and malware on user workstations. The attackers compromised the websites of their targets by injecting malicious code that redirected visitors to an exploit kit, which then installed the malware.

I thought this was interesting since we had some experience with WebGoat and how attackers can inject code into web applications.  This seems to be the route that this cybercrime group took.

Article: https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/polish-banks-and-other-financial-organizations-hit-by-new-malware-attacks

Hacker Reveals Easiest Way to Hijack Privileged Windows User Session Without Password

March 21, 2017 by Loi Van Tran

This article is geared more towards internal threats. It points out that local system admins can hijack privileged Windows user sessions without passwords.  For instance, the CFO has a desktop/laptop containing sensitive financial data.  He goes out for lunch and locks his computer, as required by company policy.  A local administrator could remote in, or log in on the physical machine with his own credentials, and hijack the CFO’s session, giving him access to the sensitive data.

The article is pretty interesting and there is a demo video attached.

Article: http://thehackernews.com/2017/03/hack-windows-user-account.html

My recent experience with an attempted social engineering attack

February 26, 2017 by Loi Van Tran

Yesterday, I received a phone call from this number: (570) – 524 – 2662.  If you do a quick Google Search you will find that it’s for a legitimate source, the State Police Department in Lewisburg or Milton, PA.

The caller claimed to be an officer of the department and requested to speak to me.  So I obliged and asked him what it was about.  He claimed that they had received several complaints about me and that he was calling to sort it out.  After asking him what the complaints were about, he was hesitant and said that he would forward me to the investigating officer to talk about the complaints.

I immediately stopped him and told him to give me the direct line to the investigating officer so that I could call him directly.  The caller refused and told me to use the number that showed up on my caller ID. I tried to get the identity of the caller but failed because he just told me to call the number back and he would be there to answer the call.  I hung up and did the quick Google Search of the phone number.

There were several things wrong with this call:

  1. Why would the State Police from the middle of PA call someone in Philadelphia?
  2. The caller had an Indian/Middle Eastern accent.
  3. The caller did not want to provide me a number or his name.

I decided to call the number back, since it was a legitimate number, and got a hold of a “different” officer.  The officer assured me that he was the only one there and nobody there was trying to get a hold of me.  I told him about the phone call that I had just received and he was as surprised as I was.

The moral of the story is that anything can be spoofed and made to seem like it’s coming from a legitimate source.  Be careful who you divulge information to, and always ask for a callback number if you’re not the one who initiated the contact.

Loi Tran – Metasploit Framework Assignment

February 21, 2017 by Loi Van Tran

Executive Summary

Power Point

Meterpreter Being Used by Hackers

February 12, 2017 by Loi Van Tran

I found this article interesting as it relates to the same penetration testing tools that we are using in class.  Although Meterpreter wasn’t the only tool used, it was the tool that allowed hackers to gain access to the systems of banks, government organizations, and telecommunication companies.   As we learned, some tools run only in memory and never touch disk storage.  Hackers have been using tools such as Meterpreter to gain access to victim machines. Once in, they use tools such as Mimikatz to obtain passwords and credentials for other machines, and PowerShell for control.

Article: http://www.databreachtoday.com/kaspersky-banks-governments-telcos-hit-by-fileless-malware-a-9678


Hope for Victims of Ransomware

February 7, 2017 by Loi Van Tran

I posted this article in another class, but I thought I should share it here as well.  We should all be familiar with ransomware and how it works. If not, the basics are simple: an attacker infiltrates a computer, either through phishing, embedded links, or Trojans, and encrypts the files on the computer.  For the victim to get the files decrypted, a payment in bitcoins is usually demanded.

Ransomware has been in existence since 1989, but really made its mark in recent years.  Why? It is simple, really: more and more people are using digital storage technologies to store information.  Consumers are storing anything from financial data, credit information, and medical history to sentimental things such as pictures and videos.  Organizations are storing far more information that is sensitive, proprietary, or critical to their day-to-day business.  Knowing this, hackers exploit it by using ransomware and bitcoin as the payment method, making the payments virtually impossible to trace.

While most law enforcement agencies have encouraged victims to pay the demand, there are organizations out there teaming up to combat this.  Europol, Kaspersky Labs, Intel Security, among others, started the “No Ransom Project” back in July 2016.  The purpose of the project is to provide victims of ransomware with free tools to decrypt their files.  Thus far, they have been able to decrypt about 24 variants of ransomware.  Although this is a small number compared to the average growth of 10 new ransomware families per month (TrendMicro, 2016), it is a good start.  As more and more organizations begin to share with or join the “No Ransom Project,” the number of decryption tools will grow.  However, this doesn’t mean that we should not take preventative measures to protect ourselves.

Listing of Available Decryption Tools: https://www.nomoreransom.org/decryption-tools.html
Dark Reading Article: http://www.darkreading.com/threat-intelligence/6-free-ransomware-decryption-tools/d/d-id/1327999
TrendMicro Article: https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-recap-new-families-updated-variants-in-june

Beware! Fake Netflix App

January 28, 2017 by Loi Van Tran

If you’re a Netflix subscriber and use it on your Android devices, be careful that you don’t download the wrong one!  This fake app is malware that takes over your device, including the camera and microphone, and can view your contacts and read your text messages.  It is essentially used to spy on you.   Zscaler described it as a ‘well-crafted’ piece of spyware.  Once the user presses the icon, the app disappears, making you think it was deleted, but it is only releasing the Trojan to take over your device.  Once the device is infected, the attacker can activate your microphone and listen to live conversations or turn on your camera and spy on you.  They can also copy files from the device and send them to a command and control centre.  The good news is that if you download apps from a legitimate source, you are probably safe.  The article states that downloading it from non-official sites is what puts you at risk.

Article: http://www.dailymail.co.uk/sciencetech/article-4160562/Fake-Netflix-app-read-text-messages.html
