Week 04
The 10 Most Cyber-Exposed Cities in The US
At the recent RSA Conference, Trend Micro researchers presented the results of their investigation into exposed cyber assets in the top 10 largest US cities by population. They found tens of thousands of webcams, network attached storage devices, routers, printers, phones, media players, etc. that were connected via the public Internet and vulnerable to cyber attacks, thus putting users online at risk of data theft and exposure, and DDoS attacks. Based on the data they collected, they also found the distribution of exposed cyber assets was disproportionate to population size. The second-most populous city, Los Angeles, topped the list with approximately 4 million exposed devices online, while the most populous city, New York, came in a respectable seventh place. In terms of the types of devices and services found, firewalls were the number one exposure. In these instances, once the administrative interface of the firewall was exposed, firewall rules could be changed to allow malicious traffic into the network. The next most frequently exposed devices were webcams, routers and wireless access points, printers and PBX phones. In addition, the cities examined in the research had different concentrations in the types of devices exposed. For example, Houston and Chicago came in first and second for total exposed webcams, while San Jose led the pack in terms of exposed PBX phones.
I think this report is very interesting and should be presented to all companies in the top 10 most populous cities. It determines the devices that are most likely exposed, and therefore companies can focus on improving the security of these devices to better protect their data and systems. The good news is that Philly ranked 10th with around 0.4 million exposed devices in this research, even with the 5th largest population in the US. However, Philly was in second place according to the total number of exposed printers. Worse than that, Philly has the largest number of exposed cyber assets in the education sector. As a TU student, I feel a little insecure now.
https://www.trendmicro.com/vinfo/us/security/news/internet-of-things/us-cities-exposed-in-shodan
New hack lets NES Classic Edition owners play games from other consoles
Hackers found a way to get the NES to play games from other retro gaming consoles, not just what is pre-loaded on the NES. Since there are no USB cables or Wi-Fi enabled on the device, users are limited to the 30 pre-installed games. Hackers have found ways to jailbreak the device, but it would lead to voiding the warranty, and also possible legal ramifications.
Meterpreter Being Used by Hackers
I found this article interesting as it relates to the same penetration testing tools that we are using in class. Although Meterpreter wasn’t the only tool used, it was the tool that allowed hackers to gain access into the systems of banks, government organizations, and telecommunication companies. As we learned, some tools only run in memory and do not affect storage. Well, hackers have been using tools such as Meterpreter to gain access into the victim machines. Once in, they use tools such as Mimikatz to obtain passwords and credentials for other machines, and PowerShell for control.
Article: http://www.databreachtoday.com/kaspersky-banks-governments-telcos-hit-by-fileless-malware-a-9678
Fast Food Chain Arby’s Acknowledges Breach
Arby’s Restaurant Group (ARG) was the latest victim to succumb to a credit card breach. This breach was due to malicious software being installed on payment card systems throughout hundreds of its locations nationwide. Most of the stores affected by the breach were corporate stores; franchise stores were not affected. The PSCU (the payment solution manager for credit unions) has received long lists from Visa and MasterCard regarding over 355,000 credit and debit cards. PSCU says that with this number of cards compromised, it is bigger than just one fast-food chain; they expect that another fast-food chain will be making a statement about another compromise shortly. Dan Berger, president and CEO of the National Association of Federal Credit Unions, suggests that people use their credit cards, which are easier and faster to report fraud on. Using debit cards could run the risk of wiping out your bank account as well as bouncing checks.
Article – https://krebsonsecurity.com/2017/02/fast-food-chain-arbys-acknowledges-breach/
Social Media Phishing Attacks Soar 500%
Social media phishing attacks jumped by a massive 500% in Q4 2016. The report claimed fraudulent accounts across sites like Twitter and Facebook increased 100% from the third to the fourth quarter. So-called “angel phishing” is a relatively new tactic in which the black hats register fake Twitter accounts that masquerade as customer support accounts. They monitor the real support accounts for irate customer messages and then quickly jump in to send messages back to those users loaded with malicious links.
I was targeted by a phishing email that told me I was hired by a company to which I had never applied. I searched for the person who was trying to interview me and found out that the real person said she didn’t hire people through Google Hangouts or Skype. Also, she said her identity was stolen on LinkedIn. For students who are desperate to get a job after graduation, I think this kind of phishing is very attractive. The only thing I didn’t get is how they got my school email.
Link: https://www.youtube.com/watch?v=qE3lce3XGXw
Unanet Backdoor Allows Unauthenticated Access
Unanet provides end-to-end services automation, its web-based software enables the management of people and projects from a single database. According to the company, it offers “one look and feel, and one connected set of applications.”
The issue, Trustwave security researchers say, resides in a code branch within the Unanet product that maintains a hardcoded user, unlisted in the users table of the database. This user, they explain, was initially identified via a user enumeration vulnerability.
The user cannot log in directly but, because session cookies within Unanet function in a vulnerable manner, with zero entropy and no session timeouts, anyone can bypass the need to authenticate with this user. The construction of a Unanet session cookie, the researchers explain, includes the UserID, the username in uppercase, the roles concatenated together with ‘^’, a static cookie value, and a digest.
http://www.securityweek.com/unanet-backdoor-allows-unauthenticated-access
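Added example, not from the post or from Unanet or Trustwave: a hypothetical deterministic cookie scheme modelled on the description above (fixed user fields plus a static value, so no entropy and no expiry), a hardened scheme beside it, and the check a defender can run on any application to detect the weakness: issue several sessions for the same user and see whether the cookies ever differ. The field layout, the SHA-256 digest and the 15-minute timeout are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Optional

SERVER_KEY = secrets.token_bytes(32)  # constructed per-deployment secret (assumption)


def weak_cookie(user_id: int, username: str, roles, static: str = "STATICVALUE") -> str:
    """Hypothetical scheme modelled on the post: every input is fixed for a given
    user, so the cookie is identical on every login and never expires."""
    body = f"{user_id}|{username.upper()}|{'^'.join(roles)}|{static}"
    return body + "|" + hashlib.sha256(body.encode()).hexdigest()


def strong_cookie(user_id: int, ttl_seconds: int = 900, now: Optional[float] = None) -> str:
    """Hardened scheme: a random session id bound to an expiry, with an HMAC so
    neither the id, the user nor the expiry can be altered by the client."""
    now = time.time() if now is None else now
    sid = secrets.token_hex(16)          # 128 bits of per-session entropy
    exp = int(now) + ttl_seconds         # server-enforced session timeout
    mac = hmac.new(SERVER_KEY, f"{user_id}|{sid}|{exp}".encode(), "sha256").hexdigest()
    return f"{user_id}|{sid}|{exp}|{mac}"


def strong_cookie_valid(cookie: str, now: Optional[float] = None) -> bool:
    """Server-side check: MAC must verify and the expiry must not have passed."""
    now = time.time() if now is None else now
    try:
        user_id, sid, exp, mac = cookie.split("|")
    except ValueError:
        return False
    expected = hmac.new(SERVER_KEY, f"{user_id}|{sid}|{exp}".encode(), "sha256").hexdigest()
    return hmac.compare_digest(mac, expected) and now < int(exp)


def audit_session_scheme(issue: Callable[[], str], samples: int = 5) -> dict:
    """Defender's check: log the same user in `samples` times and count distinct
    cookies. A scheme with zero entropy returns the same cookie every time."""
    cookies = {issue() for _ in range(samples)}
    return {"distinct": len(cookies), "predictable": len(cookies) < samples}
```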
Recent WordPress vulnerability used to deface 1.5 million pages
A vulnerability in WordPress’ REST API has been exploited by up to 20 hackers, which has impacted 1.5 million WordPress sites. The majority of these attacks occurred after WordPress disclosed the vulnerability. The vulnerability allows “unauthenticated attackers to modify the content of any post or page within a WordPress site.” Before WordPress publicly disclosed the vulnerability, they patched the issue in a Jan. 26 fix; however, a large number of sites do not automatically install these patches, as administrators want to test the code before installing. As a result, after WordPress publicly disclosed the issue, the attackers were in a rush to impact as many vulnerable sites as possible, resulting in up to 800k sites being violated in only 48 hours. Although there are efforts by the web servers to block or filter the attacks, ultimately, if a WordPress site is not updated to the latest release, it will continue being vulnerable.
BATTLE OF THE SECURE MESSAGING APPS: HOW SIGNAL BEATS WHATSAPP
We live in a text messaging world. In fact, texting is arguably one of the most (if not the most) commonly used forms of communication through which many people interact and share content with family and friends. WhatsApp, Facebook’s Messenger, Google’s Allo, the list goes on and on.
Encryption security is the crucial intersection that messaging cannot afford to avoid in order to gain the minimum trust of users. Most of the messaging services I mentioned above make a good effort to address the security issue, but are they doing enough with all the leaking, hacking and content interception going on? Numerous controversies surfaced over the past few months about attackers stealing people’s information via the most popular messaging platforms. For example, bgr.com’s Chris Smith wrote this year about hackers having a new way to steal banking login information using WhatsApp. Which brings me to my question: are there any reliably secure messaging services out there? This is the question “Signal” is trying to answer. Signal is by far the best secure messaging service I have ever used thus far. It comes with several good features to at least make someone feel secure. For instance, Signal won’t allow users to take screenshots from its system. Snowden recommended Signal as the most secure messaging app out there. Also, the Hillary Clinton campaign utilized Signal to avoid creating another email controversy. I would suggest you go and try it, then let us know your thoughts.
https://theintercept.com/2016/06/22/battle-of-the-secure-messaging-apps-how-signal-beats-whatsapp/
This is an interesting article about fileless malware that does not need to be downloaded to a hard drive. It runs in the kernel or RAM without downloading any payload to the hard drive. Therefore, it could go undetected by traditional AV software.
This highlights the importance of having a defense in depth strategy that monitors activity on the network and endpoints, enforces strong access management, prevents data leakage, enforces a strong perimeter, etc. If a company or bank is relying solely on AV software to detect and remove malware, they will struggle to defend against today’s threats.
https://www.wired.com/2017/02/say-hello-super-stealthy-malware-thats-going-mainstream/
https://community.mis.temple.edu/mis5212sec001sp2017/2017/02/10/3174/