Week 09

Advanced Penetration Testing -Week-9

Article

Here is an interesting news article I found this week, titled “Is Trump Still Tweeting From His Unsecured Android Phone?” Apparently, President Trump was tweeting from a Samsung Galaxy S3 which he has been attached to and did not want to upgrade.  This version of Samsung’s Galaxy line was no longer receiving Android updates and was extremely susceptible to hacking.  The article stated, “The device, likely a Samsung Galaxy S3, has such serious security problems that it’s probably “compromised by at least one—probably multiple—hostile foreign intelligence services and is actively being exploited,” More recently, it appears Trump’s tweets have been coming from an iPhone.  His security team may have finally realized the security risk of his old Samsung device and forced the President to upgrade.

The author of this article, David Nield, did a wonderful job explaining how users can take advantage of all security features from all major technology platforms. Google, Apple, Facebook, Microsoft, Twitter, you name it. One of the things that caught my attention is that all of them have one thing in common, two-step verification. I’m sure all of you are aware that two-factor verification is a simple method requiring more than username and a password to successfully log-into an online account.

One the other hand, it looks like not all companies implement similar policies, and sometimes employ distinct ways to protect consumers within their platforms. When I first read the title of the article, I had the impression the author was going to focus on one major way, probably from one central technology platform, to protect all my online accounts. That was not the case. Rather, David wrote about each company separately to explain all features available that consumers can utilize to protect themselves online. Give it a read as there might be certain feature(s) that could be unfamiliar and from which you could enhance your online safety.

http://www.popsci.com/protect-your-accounts-online

Verifone, a massive credit card point-of-sales machine manufacturer, has been breached. On Jan 23, 2017 an urgent email from Verifone’s CIO, Steve Horan required employees to change their password. Verifone supposedly was breached in mid-2016 and was just able to find out which systems were compromised. Fortunately the only systems that were compromised were internal networks in the corporate offices. No POS devices were compromised as of yet.

https://krebsonsecurity.com/2017/03/payments-giant-verifone-investigating-breach/

New RF Transceiver extension for the Metasploit Hardware Bridge API now is available for organizations to detect and scan wireless IoT devices operating outside the standard 802.11 specification. The new extension further broadens the use cases for Metasploit. It is designed for enabling organizations to craft and monitor different RF packets for identifying and assessing the security state of multi-frequency wireless devices more effectively than current tools. It allows pen testers to create and direct “short bursts of interference” at such devices to see how they respond from a security standpoint. One of the greatest threats of wireless IoT devices is the unauthorized access to the information that those devices have access to. For example, a smart lighting system with both RF and WiFi components may be attacked on the RF side to get access to the WiFi side. In addition, many RF-enabled devices fail to serialize or otherwise make sure that each request and response is unique, and therefore are vulnerable to issues like replay attacks. Since organizations are expected to connect a constantly growing range of wireless IoT devices, it’s important to increase the RF testing capabilities.

Link: http://www.darkreading.com/threat-intelligence/new-metasploit-extension-available-for-testing-iot-device-security/d/d-id/1328452