Thursday, December 12, 2013

Blog review

What topics did I write on?

I wrote on a wide range of topics and tested a number of different tools. I wrote about general security issues such as NSA spying, concerns about cyberwarfare, effects of the government shutdown, and privacy issues. I studied password-breaking methods. I did an overview of emerging new threats. I did another review of the most common causes of security breaches. I studied penetration testing and focused on the many features of BackTrack Linux. I used BackTrack Linux to do a MITM attack and managed to steal session cookies. I also test drove Metasploit and the Social Engineering Toolkit. I also experimented with WIFI monitoring tools. I reviewed “The Art of Deception” to learn about social engineering. I tested a few encryption tools. I reviewed solutions to the future problem of quantum computing breaking today's encryption methods. I returned to BackTrack Linux to review its forensics tools.

What sources did I use?

I used a wide variety of sources. This included online magazines, blogs, tutorials, and software support sites. I found Bruce Schneier's blog to be interesting and useful. I also used the Dark Reading blog. It had some useful postings that pointed to some valuable white papers. I also used Security Week several times. I looked at tutorials and videos on Metasploit and the Social Engineering Toolkit. I reviewed the PDF version of Kevin Mitnick's book “The Art of Deception.”

Is this type of blog useful? What lessons can be learned?

Since the security environment is constantly changing, blogs can often give information that is not as readily available elsewhere. I found that blogs can have helpful tips and how-to instructions. I found a great deal of information on the use of BackTrack Linux on blogs. Blogs often give a more honest evaluation of software and hardware products than the manufacturer's websites. If I am having an issue, I am probably not the only one. The answer is likely out there somewhere on someone's blog. For example, I was trying to install a Linux distribution for a class next term. I could not get it to pick up my WIFI adapter. But I found the answer on someone's blog. One thing I blogged about was the use of different tools. I would recommend that students experiment with different tools. It is a great way to learn. I am impressed with BackTrack Linux and recommend students try it. I plan to experiment with it more.

Friday, December 6, 2013

Using BackTrack Linux for Forensics

For this week’s blog I decided to go back to BackTrack Linux and take a look at what sort of forensic tools are available. When booting into BackTrack Linux it is important to select forensics mode. This mode does not use a swap partition on the hard drive and does not allow the user to mount the hard drive. This way the hard drive is preserved in its original condition. BackTrack has dozens of tools available for forensics. I will only look at a few. BackTrack has a number of image capture tools. A main one is called dd. This allows a disk image to be saved for forensic analysis. dd_rescue is a utility for rescuing failing media. It would be useful for general data recovery and not just forensics. Aimage is an advanced imaging tool that allows the user to save image data and metadata in a standard forensic format. AIR Imager is a GUI front end for dd. These tools can recover data from temporary and deleted files. Several hashing tools are included to ensure the integrity of the image file.
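As an added example that is not from the original post: a small shell script that images a sample drive with dd and keeps a SHA-256 record of it, so the image can later be proven unchanged, which is what the hashing tools mentioned above are for. It assumes GNU or BusyBox dd, sha256sum and awk are on the path; the "drive" is a constructed 4 KiB file rather than a real device, and the function names are my own.

```shell
#!/bin/sh
# Image a (constructed) drive with dd and keep a hash record so the copy can be verified.

# make_sample_drive PATH: build an 8-sector (4 KiB) stand-in for a real disk.
# Real devices are sector aligned; keeping the sample aligned matters because
# conv=sync below pads short reads to a full block.
make_sample_drive() {
    printf 'EVIDENCE sector 0: constructed sample data\n' > "$1"
    head -c 4096 /dev/urandom >> "$1"
    dd if="$1" of="$1.tmp" bs=512 count=8 2>/dev/null && mv "$1.tmp" "$1"
}

# image_drive SRC IMG LOG: copy SRC sector by sector into IMG and log both hashes.
# conv=noerror,sync keeps reading past a bad sector and zero-fills it instead of
# aborting, so a failing disk still yields a complete, aligned image.
# Returns 0 only when the image hash equals the source hash.
image_drive() {
    src=$1; img=$2; log=$3
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null
    src_hash=$(sha256sum "$src" | awk '{print $1}')
    img_hash=$(sha256sum "$img" | awk '{print $1}')
    # The log is the chain-of-custody record for the acquisition.
    printf 'source %s\nimage  %s\n' "$src_hash" "$img_hash" > "$log"
    [ "$src_hash" = "$img_hash" ]
}

# verify_image IMG LOG: recompute the image hash and compare it with the logged
# source hash. Prints "intact" or "MODIFIED"; returns 0 / 1 accordingly.
verify_image() {
    want=$(awk '$1 == "source" { print $2 }' "$2")
    have=$(sha256sum "$1" | awk '{print $1}')
    if [ "$want" = "$have" ]; then
        echo intact
        return 0
    fi
    echo MODIFIED
    return 1
}

# demo: acquire the sample drive, verify the image, then flip one byte in the
# image copy to show that the hash check catches it. Prints "intact MODIFIED".
demo() {
    work=$(mktemp -d)
    make_sample_drive "$work/drive.raw"
    image_drive "$work/drive.raw" "$work/drive.img" "$work/hashes.log" || return 1
    first=$(verify_image "$work/drive.img" "$work/hashes.log")
    # Tampering with the working copy only; the original is never written to.
    printf 'X' | dd of="$work/drive.img" bs=1 seek=10 conv=notrunc 2>/dev/null
    second=$(verify_image "$work/drive.img" "$work/hashes.log") || true
    rm -rf "$work"
    echo "$first $second"
}

demo
```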

Once the image is saved, tools are available to recover data from the drive. One tool is Foremost. It can recover data for many common file types. Other tools are Scalpel and Magic Rescue. PhotoRec is a GUI tool for rescuing common file types. Autopsy is a graphical suite of recovery tools that is available for download.

PTK is a RAM dump and analysis tool. It can extract most common file types from memory. Volatility is a tool for analyzing RAM dumps. There are also some specialized recovery tools. PDGmail recovers Gmail from memory. PDFbook extracts Facebook information from memory.

RKhunter is a tool for discovering rootkits.  

There are several tools for recovering metadata. One example is Vinetto, which recovers thumbnails of pictures stored in metadata. PDFparser recovers data from PDF files. There are also several tools for reading and analyzing log files.

There are tools for extracting SAM files so that they can be loaded into a password cracker.  CMOSpwd is a utility designed to crack BIOS passwords. Fcrackzip breaks password protected zip files.

Network analyzers such as Wireshark are classed as forensic tools since they can give valuable clues to attacks over a network. Xplico is a tool for recovering common data types from a Wireshark capture.

There is even one tool that is classed as anti-forensics: TrueCrypt, a powerful disk encryption tool.

Although there are a number of excellent commercial forensic suites available, most are priced out of the range of many smaller businesses. BackTrack Linux gives a powerful suite of tools that is comparable to the commercial suites in a free package. I intend to spend more time over winter break learning how to use the powerful tools available in BackTrack. If I were running a business, I might let employees know that if they do something wrong in the digital realm, there are ways that they can be caught. People may be less likely to try stuff if they know that they could be held accountable.

Thursday, November 28, 2013

GPG4Win

I also looked at GPG4Win. This is a front end for GPG for the Windows environment. It seems to have much of the same functionality as PGP and is compatible with it. It does give users a freeware option if they need PGP capability. The main drawback I see is that GPG4Win has its functionality split into different tools, while everything is available in one tool in PGP. This makes GPG4Win a little more clunky and difficult to figure out. Certificate management is done by Kleopatra. This program can also be used to encrypt and decrypt. Keys are managed by a tool called GPA. This tool can also encrypt files as well as text from the clipboard. The GPA tool was not included in the default installation. Still, it wasn't too bad and is a viable alternative to PGP.

Mailvelope

Many people use web-based mail programs. I wanted to see if there was an easy-to-use encryption program for working with these programs. I found a convenient and very easy-to-use open source tool called Mailvelope. This program works with common mail programs such as Yahoo, Gmail, and Outlook. Other mail programs can be added. It is available as an add-on to the Firefox or Chrome browsers. It works as a front end to GPG. When composing an email, an icon appears in the writing window. When clicked, a box appears that allows a message to be created. This box functions as a sandbox to separate the text from the mail program. Click a lock to encode. A box appears to choose a key. Select the key and it encrypts the message. Hit transfer and the message is sent to the email program. There is also an option that can be selected to allow encryption to be done in the email editor. This is easier but less secure, since drafts can be saved unencrypted.

Decrypting is also very easy. Mailvelope detects when an encrypted message is sent. A lock appears. Click on the lock. A sandbox appears. Enter the pass phrase and the message appears in the sandbox. There is also an option to cache the password, but this is not recommended.

A lock icon in the browser corner allows configuration of Mailvelope, and key creation and management. It has some limits. It does not encrypt attachments. Nor is it able to do signatures. Other programs will have to be used for that.

http://www.mailvelope.com

TrueCrypt

For this week’s blog I looked at some different encryption tools. To encourage people to actually use encryption, it has to be easy to use. One tool I looked at was TrueCrypt. TrueCrypt is an open-source, free encryption tool that has many of the same features as Microsoft’s BitLocker. It can encrypt folders and drives. There is a portable version that works with USB drives. It is quite easy to use. The TrueCrypt folder acts like a drive. Normal folder operations can be used and it will automatically handle the encryption and decryption. Data in the encrypted folder is never stored in an unencrypted form on the drive, but only in memory. It works with Windows, Linux, and Apple. BitLocker only works with the professional version of Windows, which limits its use. TrueCrypt has a boot loading feature that allows the system to boot from an encrypted disk. TrueCrypt has several strong encryption methods available, including AES. TrueCrypt has a steganographic method available which creates a hidden volume or even a hidden boot drive. If I were in a work situation where people were doing work on personal devices or taking work out on USB drives, I would encourage the use of TrueCrypt.

http://www.truecrypt.org/

Wednesday, November 20, 2013

The end of encryption?

Post-Quantum Cryptography
Daniel J. Bernstein


The textbook expressed concern that quantum computing will someday end encryption. If this is true, there will be a major security crisis if and when quantum computers become generally available. This made me wonder whether alternatives would be developed to provide secure encryption in the quantum computing age. I reviewed a PDF book on the topic. Much of the book is highly technical and way over my head. But the answer is no, quantum computing will not end encryption. A great deal of research is being done to come up with quantum-proof encryption methods. Most secret-key methods such as AES should still be secure. But public-key methods such as RSA and ECC will be vulnerable. A number of alternative methods of public-key encryption are being researched. Lattice-based methods such as NTRUEncrypt look promising. There are many alternatives that are available, but not all have been thoroughly tested for security. Other methods have been proven very secure, but they are very inefficient or use very long keys. More work has to be done to create practical alternatives.

Escaping CryptoLocker hell

Businesses offer best practices for escaping CryptoLocker hell
By Ellen Messmer,
Nov. 18, 2012


This article gives advice on dealing with the CryptoLocker malware. This malware encrypts user data and holds it ransom until the user pays the attackers for a key to unlock the data. Sometimes the key isn't even delivered when the victim pays. The ransom is typically $300 paid in Bitcoin. Often the only effective way to deal with the attack without paying the ransom is to do a full restore from a backup. The article recommends having frequent backups and backups of the backups. CryptoLocker is dynamic, since its creators are continually finding ways to have it get past spam and anti-malware filters. CryptoLocker attacks are growing. The attackers use botnets and managed to hit 10,000 victims between Oct. 27 and Nov. 1. The attackers are relying solely on phishing emails to trick the users into installing the malware. From there it can spread through the network, infecting other computers. The phishing emails often contain information seeming to come from FedEx or U.P.S. CryptoLocker is not the only ransomware. There is a new version of the FBI virus going around. This ransomware states that it has the victim's criminal record and will delete it for a fee. The article suggests using virus removal tools for the FBI virus instead of paying the ransom.

Security problems with iOS apps

HP: 90% of Apple iOS mobile apps show security vulnerabilities

By Ellen Messmer,

Nov. 18, 2012

HP has conducted extensive testing on more than 2,000 Apple iOS mobile apps. HP found that 90% of these apps had serious security flaws. HP found that 97% of the apps inappropriately accessed private information. HP found that 86% of the apps lack means to protect themselves from common attacks such as SQL injection or cross-site scripting. Three fourths did not use encryption properly, leaving data unencrypted on the device. Others did not implement SSL/HTTPS correctly. HP attributed the poor security to the rush of businesses to get apps out quickly. HP stated that Apple does provide security guidelines to developers, but that the guidelines did not go far enough. Companies are extending their web presence to mobile devices, but are also expanding their attack surface. The HP report said, “It is our earnest belief that the pace and cost of development in the mobile space has hampered security efforts, mobile application security is still in its infancy.”

Saturday, November 16, 2013

The Art of Deception.

For this week's blog I decided to scan through the PDF version of Kevin Mitnick's book “The Art of Deception.” This book gives an interesting examination of the workings of social engineering. Mitnick describes how social engineering can defeat even the strongest security systems. He stated, “Companies that conduct security penetration tests report that their attempts to break into client company computer systems by social engineering methods are nearly 100 percent successful.”

He gives many interesting examples of scams. These scams are mostly fictional but they are based on real life situations. If I were the victim of some of these scams I could see myself falling for them.

Social engineers know how to play on human nature. They know how to play on trust, the desire to help or be helped, ingratiation, friendliness, and authority. Mitnick stated, “Some of these stories might lead you to think that I believe everyone in business is a complete idiot, ready, even eager, to give away every secret in his or her possession. The social engineer knows isn't true. Why are social engineering attacks so successful? It isn't because people are stupid or lack common sense. But we, as human beings are all vulnerable to being deceived because people can misplace their trust if manipulated in certain ways.”

Mitnick's examples show how even seemingly innocuous information can be useful to gain more sensitive information. Social engineers are skilled at extracting little bits of information at a time. These pieces of information allow them to successfully pose as someone else and get the information they want. Small things like a cost center number, employee ID number, or phone extension number may be the key. Much of the success of a social engineer comes from being able to use the right insider language and knowledge. Much of the effort of social engineers is spent on gaining this knowledge.

Mitnick describes social engineers as follows, “Manipulative people usually have very attractive personalities. They are typically fast on their feet and quite articulate. Social engineers are also skilled at distracting people's thought processes so that they cooperate. To think that any one particular person is not vulnerable to this manipulation is to underestimate the skill and the killer instinct of the social engineer. A good social engineer, on the other hand, never underestimates his adversary.”

I found some examples interesting. People have been deceived into installing a trojan horse by someone posing as an IT support person. They were tricked into installing what they were told was an urgent security patch. People have claimed to be law enforcement officers to gain access to confidential records. Other people have fallen for attackers claiming to be doing a customer survey. It is amazing what people can get away with if they have a good story. Even pretending to be a person who called a wrong number can work. He discusses finding information through dumpster diving and methods of using social engineering to gain access to buildings.


Mitnick gives practical advice with his examples on ways to improve security. The book gives a useful and detailed section on company security policies. Some of the technical information is dated. Mitnick stressed the need for training people so that they are aware and on guard against the dangers of social engineering.

Thursday, November 7, 2013

Response to NSA revelations

Schneier: Make Wide-Scale Surveillance Too Expensive

By Ericka Chickowski

November 06, 2013



Security and privacy advocate Bruce Schneier responded to the recent revelations of NSA spying with a call to make eavesdropping more expensive. If the cost of eavesdropping is too high, the NSA and other spies will have to shift to targeted tracking rather than the wholesale tracking we see today. The vast amount of information that is collected on consumers is aiding the NSA’s monitoring. He said that what we now have is a public/private surveillance partnership. Schneier is advocating hardening the Internet for better security. He stated, "Fundamentally, surveillance is the business model of the Internet. The NSA didn't wake up and say let's just spy on everybody. They looked up and said, 'Wow, corporations are spying on everybody. Let's get ourselves a cut.'" His main suggestion was to make encryption ubiquitous on the Internet backbone. He also advocated distributing services to make tracking more expensive. He encouraged wider use of endpoint security products and better anonymity tools. He also encouraged monitoring to make sure that software does not have hidden back doors. He said that while the NSA is in the limelight now, it isn’t the only problem; many government agencies and private sector groups are engaged in spying.

Big Brother Is Watching You.


How stores use your phone’s WiFi to track your shopping habits

BY BRIAN FUNG

October 19, 2013



I find this article rather disturbing. Stores are beginning to monitor people’s cell phone Wi-Fi and Bluetooth signals when they visit stores. They are doing this by picking up the device's MAC address. Using this technology, they can track your every movement through the store. Your cellphone's MAC address can be linked with the purchases you make when you go to the checkout stand. The stores are keeping this information in a database, so they can monitor your movements and purchases as you make return visits. The database can be shared between multiple stores. The company that makes the equipment to do this has an opt-out policy. But how many people even know that they are being monitored? Also, the stores that buy this equipment are not obligated to follow the opt-out policy. Privacy advocates are concerned. What guarantee will there be that this technology won’t be misused to illegally monitor and track people?

Good Old XP

Microsoft urges users to upgrade from 12-year-old Windows XP

By Adam Greenburg
October 30, 2013

Good old XP. In my former work at a large semiconductor company, we were still using XP on all our desktops. My old company is not alone. 64% of all enterprise-level companies are still using XP. 52% of medium and 61% of small companies are still using XP. It got the job done and was light on system resources. But as of April 8, 2014 Microsoft will no longer provide security updates for XP SP3. It has already stopped supporting SP1 and SP2. Microsoft is urging users to upgrade to newer operating systems. This is easier said than done. There are so many legacy computers and applications out there that need XP. XP has about a six times higher malware rate than Windows 8. When Microsoft ended its support for XP SP2, its infection rate skyrocketed to 66% above XP SP3. Once XP is no longer supported, any new security hole found will remain open forever. This is a serious problem given how popular XP still is.


Friday, November 1, 2013

Metasploit tutorial.

As a network security person it is important to keep up to date on the tools that are available, both for offense and defense. Metasploit is a tool for penetration testing. It is rapidly developing. It is really a framework that allows many separate modules to work together. I found this recent video tutorial that gives an overview of Metasploit at http://www.securitytube.net/video/7854. Metasploit has scanning tools to discover vulnerabilities. Then there is a large database of exploits to attack those vulnerabilities. The exploit then delivers a payload, which is the result desired from the attack. This can include opening a remote session to a computer or installing a backdoor. Metasploit also includes encoders. These encoders scramble the code of the attack program to try to sneak past anti-virus programs.

He went over a new tool called the Social Engineer Toolkit (SET). I tried it out on BackTrack Linux. This tool is amazing. It has everything you need to set up a social engineering attack. There are so many tools. It can set up phishing emails, complete with handy templates. There are a number of ways to load malware onto documents such as PDFs. It allows the attacker to clone websites and load exploits on them. It even sets the website up for you. These fake websites can steal credentials or launch malware. It has a Java program that can be installed on the fake website. The Java program presents a credible-looking fake certificate to the user, and when the user presses okay, bam. You can create infectious USB/CD/DVD drives. There are even SMS attacks and malicious QR code generators. It will allow you to set up a malicious AP.


The speaker warns against misuse of the tool. He states that, “The difference between penetration testing and hacking is permission.”

Spying on the neighbors.

In my last adventure I engaged in session hijacking over WIFI. This made me wonder how many people out there have unsecured WIFI. So I loaded Vistumbler. It is available from www.vistumbler.net. See project 8-2 in the book. This is a WIFI monitoring tool that gives SSID, MAC address, channel, signal strength, authentication type and other information. You can even set the speaker to tell you when it finds a signal. If the computer has GPS, it will automatically record the WIFI AP's location. I could see this tool being useful for tracking down rogue APs.

Vistumbler was able to pick up a surprising number of signals, even though many of them were too weak to connect to. I live in a typical residential neighborhood and without leaving my house I managed to pick up 46 signals. Of those 46, 3 were completely open, including my next-door neighbor's. Another 3 had open guest accounts. One used WEP, for which there are cracking tools available. So more than one out of seven homes in my neighborhood were vulnerable. The other homes were using WPA or WPA2. But I bet a few of these may have had the router’s passwords set to default and could be opened. (I didn’t try.)


I found that if I held my laptop against the living room wall I could pick up quite a few signals. My daughter looked at me like, what was I doing? I explained. She asked, “Dad! You’re NOT going to break into the neighbor’s computers are you!?” I assured her that I wasn’t. But I could have. My neighbor has a state-of-the-art burglar alarm, but he left the door wide open for a virtual burglar.

How to creep your kids out.

This week I played around some more with penetration tools. I admit, it is kind of fun. But I have mixed feelings about this because these tools in the wrong hands can be so easily misused. I played around with a Java application called Cookie Cadger. It is available at www.cookiecadger.com. Cookie Cadger can be used for session hijacking, in a similar way to Firesheep. It does this by monitoring for packets containing session cookies. After it finds the cookies, they are placed in a list. Just click on a session cookie and the hijacked session will pop up in Firefox. It was too easy. I used a machine running BackTrack Linux as the attack machine. First I attacked the victim computer over encrypted WIFI. I did this by doing a man-in-the-middle attack. I used Nmap to find the IP address of the victim. I used a simple command line tool called Arpspoof for the MITM attack. Before I knew it I had hijacked my Yahoo mail, Blogger, and YouTube accounts. Then I temporarily turned off my router’s encryption to simulate an open WIFI spot. With Linux I was able to set the card into monitor mode and capture all packets coming from my home computers.
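A defender-side check for the Arpspoof-style man-in-the-middle described above, added here as an example that is not part of the original post: it compares a trusted snapshot of the ARP cache with a later one and flags the two symptoms of poisoning, the gateway's MAC changing and one MAC being cached for several IPs. It assumes lines in the `arp -n` layout (IP, HWtype, HWaddress, Flags, Iface); the two snapshots, the addresses in them and the function names are constructed.

```shell
#!/bin/sh
# Compare a trusted ARP-cache snapshot with a later one and flag the signs of
# ARP poisoning. Lines follow the 'arp -n' layout:
#   IP  HWtype  HWaddress  Flags  Iface

GATEWAY=192.168.1.1

# Constructed snapshot taken while the network is healthy.
BASELINE='192.168.1.1   ether   aa:bb:cc:00:00:01   C   wlan0
192.168.1.20  ether   aa:bb:cc:00:00:20   C   wlan0
192.168.1.30  ether   aa:bb:cc:00:00:30   C   wlan0'

# Constructed snapshot after the host at .30 started answering for the gateway's IP.
POISONED='192.168.1.1   ether   aa:bb:cc:00:00:30   C   wlan0
192.168.1.20  ether   aa:bb:cc:00:00:20   C   wlan0
192.168.1.30  ether   aa:bb:cc:00:00:30   C   wlan0'

# gateway_mac TABLE: print the MAC cached for the gateway IP in TABLE.
gateway_mac() {
    printf '%s\n' "$1" | awk -v gw="$GATEWAY" '$1 == gw { print $3 }'
}

# duplicate_macs TABLE: print every MAC cached for more than one IP, one per line.
duplicate_macs() {
    printf '%s\n' "$1" | awk '{ seen[$3]++ } END { for (m in seen) if (seen[m] > 1) print m }'
}

# check_arp BASELINE CURRENT: print "ok", or print an ALERT line and return 1.
check_arp() {
    before=$(gateway_mac "$1")
    after=$(gateway_mac "$2")
    if [ -n "$before" ] && [ "$before" != "$after" ]; then
        echo "ALERT gateway $GATEWAY changed MAC $before -> $after"
        return 1
    fi
    dups=$(duplicate_macs "$2")
    if [ -n "$dups" ]; then
        echo "ALERT MAC cached for several IPs: $dups"
        return 1
    fi
    echo ok
}

# On a live host the snapshots would come from 'arp -n' itself, e.g.
#   check_arp "$(cat /var/tmp/arp.baseline)" "$(arp -n | tail -n +2)"
check_arp "$BASELINE" "$BASELINE"
check_arp "$BASELINE" "$POISONED" || true   # expected to alert
```

The same check works against a Wireshark capture by listing the sender IP/MAC pairs seen in ARP replies instead of reading the cache.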

I showed my youngest son and daughter how it worked. My daughter’s reaction was, “That is creepy, totally creepy!” My oldest daughter came by for a visit. She pulled out her smart phone and connected to the home WIFI. My younger daughter said, “Be careful. Dad can see everything. I mean EVERYTHING!” It is kind of creepy. How many people will use an unsecured WIFI hotspot without a thought, not realizing that the person sipping coffee at the next table is stealing all their personal secrets?

Thursday, October 24, 2013

Checking out BackTrack Linux

For this blog I decided to take a look at BackTrack Linux and see what I could learn. BackTrack Linux is a suite of tools used for penetration testing. I downloaded an ISO and created a live boot disk. I tested the GNOME version 5R3. There was an impressive array of tools available. My goal here was just to take a cursory view of what tools are available. BackTrack Linux is available at http://www.backtrack-linux.org/. I plan to load BackTrack Linux onto a USB drive, since some programs take a long time to load off of the DVD.

When I opened up the Firefox browser I noticed a link to http://www.exploit-db.com/. This is a database of a wide range of exploits, both local and remote, hardware and software based. The most recently posted new exploits are shown on the homepage. New exploits are being found all the time. Exploits are listed by hardware and software types.

I looked at random tools to see what some of them do. One of the tools is called WebSploit. It can be used to set up a variety of DoS attacks. It can be used for man in the middle and XSS attacks as well. It even has a tool to load a backdoor on to a USB drive.

Another program I found was Aircrack-ng. This program is a cracking program for WEP and WPA Wifi keys.

There were a whole bunch of online and offline password crackers such as John the Ripper and Ophcrack. There are also several tools for creating backdoors and rootkits. There was also about every type of scanning and monitoring tool imaginable.

It did also have quite a range of forensic tools but I didn't get too far in figuring out how to use them.

Metasploit looked like an interesting tool. It scans systems and networks for vulnerabilities and then allows the user to attack the system using a database of exploits.

There are so many tools. It would take time to research and figure out how to use them, but it could be done. There is an amazing amount of power stuffed into one DVD. But along with that power comes a great deal of moral responsibility. The creators of these tools are arming both sides of the battle. Both the good guys and the bad guys can use the same tools. If I took the time to learn these tools I could do some really unethical or even criminal things with them. With much power comes much responsibility. This exercise makes me much more aware of the need for good security. Anyone can get all these tools in a single download. If the good guys don't secure their systems and networks first, the bad guys will.

8 Most Common Causes of Data Breaches

The 8 Most Common Causes of Data Breaches
By Fahmida Y. Rashid
May, 2013

This whitepaper by InformationWeek discusses the eight most common types of data breaches based on research by Verizon. Verizon researched 621 data breaches. It found that 78% of all data breaches were low difficulty. Most of these breaches could have been prevented with better security policies. Verizon found that 92% of all data breaches were the work of external parties. Another 14% were done by insiders and only 1% were done by business partners. Verizon found that 71% of the attackers targeted the end user’s computers. Verizon described 75% of the attacks as opportunistic, that is, the attacker exploited weaknesses he knew how to take easy advantage of.

Weak and stolen security credentials remain the biggest means of security breaches. Verizon found that 76% of breaches were caused by weak credentials. This includes guessing passwords and cracking weak passwords. Stealing passwords from another site is another common means. People will often use the same password on multiple sites. Passwords are also compromised through keylogging malware or phishing. Verizon estimated that multifactor authentication could have stopped 80% of these attacks.

The second category of common data breaches Verizon found was back doors and application vulnerabilities. Some of these methods are well known, such as SQL injection attacks, and yet are still widely effective. Many of these attacks can be done by amateurs with scripts and automated tools.

The third common type of attack is done through malware. Directly installed malware made up 74% of all malware cases. Many times it was done by simply downloading the malware onto an unattended computer.

Verizon found that social engineering made up a third of the cases. Verizon noticed that there was a big upswing in these types of attacks. Phishing was by far the most common method of social engineering, making up 77% of these attacks. The increasing amount of personal information on social sites is making social engineering easier.

Verizon found that many security breaches could have been eliminated by properly managing data permissions. Users are too commonly given access to data they have no real need for.

Another category of data breaches was misuse of data by insiders. This is a challenge because users think that they are entitled to the data. Insiders commonly transfer data to personal devices. One survey said that 56% of people did not think it was wrong to take company information with them when they left the job. Much of this information could end up with a competitor.

Physical attacks make up 35% of the attacks in Verizon’s survey. One growing type of physical attack is ATM skimming and another is tampering with point of sales devices.


Data breaches can sometimes happen through user error or improper system configuration. These errors are rarely reported outside the organization. 

Wednesday, October 23, 2013

Using malware for penetration testing.

Penetration Testing With Honest-To-Goodness Malware
By Gunter Ollmann
October 01, 2013


Gunter Ollmann encourages the use of specially designed malware for penetration testing. This malware would be specially designed to report back and then remove itself. This type of testing is important because malware attacks are one of the main ways networks are compromised. Unskilled attackers using very average malware programs often succeed. Networks are adding layers of network security but are still leaving themselves open to malware attacks. Malware is often installed using social engineering methods. This penetration testing would replicate the actual methods that malware attackers would use. This type of testing would not be easy, because a range of different attack methods would have to be used. Malware threats are increasing as more people are bringing their personal devices into the workplace.

Thursday, October 17, 2013

10 Emerging Threats Your Company May Not Know About

10 Emerging Threats Your Company May Not Know About

By Debra Donston-Miller

May 2013

http://www.darkreading.com/vulnerability-threats/util/10937/download


In this white paper Debra Donston-Miller discusses some emerging threats that many companies are not aware of.

At the top of the list of emerging new threats are embedded systems. An increasing number of devices have Internet-connected systems embedded in them. From the network standpoint these devices act like just another PC or server. These devices have the potential for an attacker to use them to compromise or penetrate a network. Network administrators likely do not even know the location of all these devices. One researcher stated, “Companies have been further integrating mobile devices into their networks, into their environments. You basically have this little computer that you use to [for example] make phone calls that also has access to all of your corporate resources.”

The increasing use of mobile devices will become a major security threat. Employees bring their personal devices into the workplace and use them to access company resources. There are often few security controls over these devices. It is especially important to educate users on security with mobile devices. Many of these devices have 3G/4G service. These devices can give access to the company's network that bypasses all of the company's security controls. Administrators would have no idea what traffic is flowing outside of the company. Hackers could install malware to give them access to the network through the device's 3G/4G access.

App stores are another security threat to mobile devices. Every device maker has its own app store. Not all vendors make sure that these apps are properly vetted for security. Apple requires that all its apps be signed by the vendor, but Android apps can be self-signed. The app stores could be a means of installing malware.

A growing threat to network security is what the paper calls the “consumerization of IT”. As the price of equipment comes down and cloud services become widely available, more and more people are gaining access to what were once enterprise-only applications. These users can set up their own network systems but have little understanding of the security issues involved. There is a danger that these users could set up their own hardware, software, and services without the company's IT department knowing it.

There will also be a growing risk of what is referred to as “accidental cyber threats”. This happens when users expose company data through carelessness. This could happen when someone takes sensitive data home on a USB drive, sends it to a cloud service like Dropbox, or sends it to a personal email account. Users could also be working remotely on an unsecured network.

Another risk that few companies consider is the risk from the equipment supply chain. Many companies are buying equipment on the “gray market” through places like eBay. Besides the risk of getting defective or substandard equipment, there are serious security risks. The seller could install malware or backdoors on this equipment.

Cyber espionage is a growing danger. The Pentagon has accused the Chinese government of targeting US computer systems for intrusion. The Chinese aren't just targeting the US government but a wide range of businesses. They are stealing a wide range of valuable technology and trade secrets. Other actors are also involved in cyber espionage. These attacks are highly advanced and difficult to guard against. Even smaller companies are being attacked.

With the growing popularity of social media, there is a danger that people will expose confidential company information on their personal sites. For instance, someone could let out the release date of a new product while talking about work on Facebook.

A new type of malware called ransomware is emerging. Ransomware either locks the screen up or encrypts the data on the system. Companies often will quietly pay the attacker to unlock the system rather than go through a long legal battle.

The paper also describes the growing use of “watering hole attacks”. Hackers inject code into sites their targets are likely to visit. That way there is no need for direct contact. Tibetan sympathizers have been spied on this way.

As technology advances, the attack surface on network systems is growing. Average users have the means to seriously compromise a network system, even if it is done unintentionally. The paper stresses the need to educate the users on security issues.





Are industrial control systems vulnerable?

'Project SHINE' Illuminates Sad State Of SCADA/ICS Security On The Net

Kelly Jackson Higgins

Oct. 16, 2013



Project SHINE is a global Internet-scanning project that searches for SCADA/ICS devices and systems. Over a million devices have been found. Another 2,000 to 8,000 devices are being found on the public Internet each day. SCADA stands for supervisory control and data acquisition. ICS stands for industrial control systems. These devices cover a wide range of consumer electronics, routers, and industrial systems. Researchers on this project estimate that a quarter to a third of these devices are open to malware attacks or other types of attacks such as cross-site scripting or buffer overflows. One commonly used protocol on these systems, Universal Plug and Play (UPnP), is known to be vulnerable. Some of the devices have administrator passwords left at the default. Others have known backdoors left by the devices' manufacturers. The state of security for SCADA/ICS devices was said to be alarming. Of greatest concern is the security of industrial and infrastructure controllers.

User-Selected Passwords Still Getting Cracked

User-Selected Passwords Still Getting Cracked

By Robert Lemos

http://www.darkreading.com/advanced-threats/user-selected-passwords-still-getting-cr/240162756


Robert Lemos warns that passwords are becoming increasingly vulnerable to attacks. Password cracking utilities can leverage the power of the processor on an off-the-shelf graphics card in order to do 26 billion password tries per second. Graphics cards are very good at parallel calculations. When Stratfor's password hashes were stolen, most were recovered within 24 hours. These passwords were eight randomly selected characters. 630,000 passwords were cracked. Researchers are developing advanced real-world lists of passwords for dictionary attacks. Researchers are also getting smarter at understanding the patterns people use when choosing their passwords. One expert stated, "Smart guessing is relevant when passwords are not totally random but when there was used some technique to create a password. In case of totally random passwords, only brute-force attack can help and that is when speed" becomes most important. The technique of substituting numbers and symbols for letters offers poor protection. Password crackers are aware of these methods and try them first. It is also important to use different passwords for different sites. Even with advances in password cracking, most passwords are still stolen using social engineering methods.

Friday, October 11, 2013

Security issues during the government shutdown.

US Government Shutdown Creates Serious Cyber Risks: Experts

By Brian Prince on October 10, 2013

Top security experts are expressing grave concern that the government shutdown will seriously compromise the security of the government's information systems. Many agencies have only skeleton crews running their IT departments. There are too few people monitoring the government's sites. The shutdown also degrades the morale of the government IT workers. Even after the shutdown ends, there will be a backlog of work, such as reviewing security logs and installing patches. So security will be weakened for some time after the shutdown ends. Some government websites have completely shut down.

One expert described the danger in this way, "Another weakness during times like this is that people are easily fooled given that nothing is normal. Traffic patterns are different, the person staffing the desk may be different, with all this change, social engineering attacks can be very effective."

One expert stated that the government could lessen the risks if it had a business continuity plan to handle such emergencies. The main takeaway I got from this article is the need to have emergency plans for unusual situations. This article also discussed doing risk evaluation when making decisions during a crisis.



Generational changes.

Combatting Today's Attacks: It's a Generational Thing

By Marc Solomon on October 10, 2013


Marc Solomon expresses concern that while today's attackers are using next-generation tools, defenders are still using last-generation tools. Many in the security field are not keeping up with changes in the networking environment, such as the growing use of mobile devices, SaaS, virtualization, and cloud computing.

New attack methods are increasingly difficult to detect. Older-generation defensive tools lack the historical data and intelligence to detect advanced attack methods.

As networks reach multi-gigabit speeds, network security devices have to keep up with the traffic. Older devices just don't have the speed.

He suggests some key questions to ask when talking to vendors of security equipment.

The first area to ask about is visibility. Can the equipment see all applications working in the environment regardless of protocol? Can it see hosts, infrastructure, and users? Does it have the ability to monitor changes in the IT environment? Can it provide site reputation information? Can it monitor network activity based on user, application, or device?

The second area of questions is to ask about threat effectiveness. Can the technology protect against known and emerging threats? Can it remain effective even under times of peak load? How does the technology detect threats? Can it detect and block specific types of threats? Can it compare baseline behavior against current behavior to detect anomalies?

The third area to ask about is the granularity of the system controls. Can the system allow fine-grained policies? If the policies don't allow sufficient flexibility, employees will be tempted to work around the security controls, thus making them worthless.

A fourth area to ask about is automation. Security systems can generate vast amounts of data. Can the process of sifting through all this data be automated, allowing the security person to focus on key events?

A fifth concern is the availability of advanced malware protection. Can malware be detected in cloud based systems? Is the system able to gather information on emerging threats? Does it automatically update all connection points?

A sixth area to evaluate is the performance, scalability and flexibility of the system. Can it handle the speed of today's traffic? Can it be upgraded to handle the increased traffic of the future? Does the system have third-party performance results available?

A final area to evaluate is the management and extensibility of the system. Does the system allow for easy central management? Can I extend the system as needed? How well does it work with third party solutions?


As an IT person, I will likely need to participate in system design, purchase, and upgrade decisions. These are important questions to ask in evaluating a system. I will need to consider not just current needs but future needs as well. As an IT person, I will need to keep both my systems and my knowledge up to date.

Thursday, October 10, 2013

Israel's army chief concerned about cyber-attack.

Israel Army Chief: Future War Possible on Many Fronts

October 10, 2013

In this article the Chief of the Israeli Army expressed concern that a future war could be conducted on many fronts. Besides missile and terrorist attacks, the army chief is gravely concerned with the possibility of cyber-attacks. He stated, "It is possible that there will be a cyber-attack on a site supplying the daily needs of Israeli citizens; that traffic lights would stop working or the banks would be paralyzed." A cyber-attack, although hypothetical, was said to be in the realm of the possible.

Israel may sense a great danger of imminent attack due to its geo-political position, but such an attack could happen against the US as well.  



Is privacy impossible?

Interview: "It's Pretty Much Impossible" To Protect Online Privacy
April 8, 2013

This article contains a radio interview with Bruce Schneier by Radio Free Europe. In this interview he describes the limits of privacy in the digital age. The interview starts by describing how major Internet players such as Google, Facebook, and Twitter are creating detailed profiles on each person. Not only do marketers buy this information, but government bodies are subpoenaing this information. Google publishes how many letters of request it gets from national security agencies or other government bodies. He made an interesting quote, “So basically it's used to judge people. Either judge them for marketing purposes or judge them for political purposes.”


He stated how difficult it is to protect one's privacy against well-funded, skilled, and motivated adversaries. He expressed that there may be more danger from governments and corporations misusing the Internet than from its misuse by criminals and terrorists. He gave an interesting example: he believed that Microsoft was allowing different governments to spy on Skype users. Businesses have to obey the law. They are primarily focused on making a profit and so have little motivation to fight the government. He sees a great danger of “those in power using the Internet to stay in power.”

NSA spy servers.

The NSA's New Risk Analysis


This interesting article describes how the NSA has a series of servers around the Internet designed to break into other computers. These servers are designed to lure other computers to them. Once the targeted computer connects with the NSA server, the target is evaluated as to value and vulnerability. An appropriate exploit is then used on the target computer. The NSA has profiles on target computers, evaluating the risks of taking on the target, its value, what data is desired, and what methods to use. For high-value targets the NSA reserves zero-day exploits. The NSA places a high value on keeping its intrusions undetected. The report states that Microsoft gives advance warning to the NSA before it patches any of its vulnerabilities. Big Brother is watching you.



Thursday, October 3, 2013

McAfee Virus Alert Website.

McAfee Virus Alert Website.



As an IT professional, it will be necessary to keep track of ongoing threats. For this blog I decided to look at the McAfee virus alert website. The site contains listings of recently discovered new malware programs. This includes viruses, worms, fake viruses, and trojans. It also has a listing of recently updated viruses. Each threat is ranked as to its relative danger. The site includes a general threat alert indicator, indicating the overall level of danger. Currently it is set to elevated. It also includes a world map showing the hot spots for virus attacks. The user can drill down to find more information on a specific threat, such as type of program, method of infection and indications of infection. This site is useful for giving a quick and ready overview of new dangers.

Breaking passwords is kiddie script stuff.

How I became a password cracker

by Nate Anderson - Mar 24 2013, 5:55pm PDT

In this article, the author describes how his editor gave him a challenge to see how many passwords he could steal and crack in a day. He had never cracked a password before. He was limited to using only information, resources and free tools that were available on the Internet. He described password cracking as “kiddie script stuff”. He said he was someone who “can't hack my way out of the proverbial paper bag”, but by the end of the day he was able to crack over 8,000 passwords. This was done on an ancient Dell laptop.

His first challenge was to find a set of passwords to crack. He found this was easy. There are entire forums on the Internet dedicated to swapping lists of stolen user names and password hashes and assisting each other in cracking them. I found this alarming. It made me wonder if any of my personal information is just floating around on the Internet somewhere waiting to be stolen. He picked a 15,000-entry password file which used unsalted MD5, a weaker hashing method. Most password cracking is not done online by repeatedly trying to log on to a website. Most websites limit the number of logon attempts. Rather, lists of password hashes are stolen and the cracking takes place offline.

He experimented with available free password cracking utilities, such as John the Ripper and Hashcat. He picked Hashcat because it had an easy-to-use GUI. He found the instructions to use it on a wiki. He used a dictionary attack, which tries to break passwords by trying passwords one at a time from a list. This method works because people often use common words and easy-to-remember passwords. He found a list of 14.5 million commonly used passwords, called RockYou. The RockYou list is based on research into commonly used password patterns. Password lists are getting smarter. Tricks like substituting numbers for letters won't work anymore. New lists take that into consideration. He failed at first to set things up correctly until he found step-by-step instructions from a famous hacker on how to do it. He could add rules to the dictionary attack, such as appending two numbers to the end of the word in the dictionary. This extends the power of the dictionary. This is a common way that people create passwords. Password hackers understand the common patterns people use to create passwords and can use rules to test those patterns. Hashcat includes a number of predefined rules. After working through some setup issues he was able to crack over 7,500 passwords in 16 minutes.

He also used the brute force method. This tries every combination of a set of characters, one at a time. It can be the most time-consuming method. He was able to find a number of passwords using this method. To speed the attack up he used only lower case letters. He found 334 passwords in a minute. This shows the danger of using short and simple passwords.

He realized he could have cracked even more passwords had he used a more powerful computer or even multiple computers. Some password crackers will also tap into the processing power of the Graphics Processing Unit. There are other advanced cracking methods such as rainbow tables that he did not try.

The author suggested that salted hashes with a stronger algorithm than MD5 be used. Increasing processing power and growing sophistication of cracking tools are making passwords more vulnerable.
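The three techniques the article describes (a dictionary attack extended by a rule such as "append two digits", a brute-force pass over a small character set, and the recommendation to use salted hashes with a stronger algorithm than MD5) can be seen side by side in the following added example. It is not code from the Ars Technica article or from this blog: the five-word wordlist, the sample passwords and the hashes are all constructed, the two "rules" are a toy imitation of the Hashcat rule idea, the PBKDF2 iteration count is deliberately tiny so the demo runs in a second or two, and the 26 billion guesses per second figure comes from the Robert Lemos article summarized earlier on this page.

```python
"""Why salted, iterated hashes resist dictionary attacks better than unsalted MD5.

Added example (not from the article or the blog). Every password, hash and
wordlist entry below is constructed for the demonstration.
"""
import hashlib
import hmac
import os
from itertools import product

# Constructed five-word wordlist; a real cracker would use a list like RockYou.
WORDLIST = ["password", "sunshine", "dragon", "letmein", "monkey"]


def apply_rules(word):
    """Toy rules in the spirit of Hashcat rule files: the word as-is and
    capitalized, each optionally followed by two digits (00..99)."""
    for base in (word, word.capitalize()):
        yield base
        for a, b in product("0123456789", repeat=2):
            yield base + a + b


def candidates():
    for w in WORDLIST:
        yield from apply_rules(w)


def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def crack_unsalted_md5(hashes):
    """Unsalted MD5: one hash per candidate is compared against *every*
    stolen hash at once, so the work is just the number of candidates.
    Returns ({hash: plaintext}, hash_operations)."""
    target = set(hashes)
    found, work = {}, 0
    for cand in candidates():
        work += 1
        h = md5_hex(cand)
        if h in target:
            found[h] = cand
    return found, work


def pbkdf2(password, salt, iters):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iters)


def crack_salted_pbkdf2(records, iters):
    """Per-user salt + PBKDF2: each candidate must be re-hashed for each
    user, and each hash costs `iters` HMAC rounds. Returns ({digest:
    plaintext}, hmac_rounds)."""
    found, work = {}, 0
    for salt, digest in records:
        for cand in candidates():
            work += iters
            if hmac.compare_digest(pbkdf2(cand, salt, iters), digest):
                found[digest] = cand
                break  # stop at first hit for this user
    return found, work


def brute_force_seconds(charset_size, length, guesses_per_second):
    """Seconds to exhaust a fully random keyspace at a given guess rate."""
    return charset_size ** length / guesses_per_second


def demo():
    """Run both attacks on the same three constructed passwords."""
    users = ["Sunshine42", "dragon99", "correct horse"]
    found1, work1 = crack_unsalted_md5([md5_hex(p) for p in users])
    iters = 1000  # toy count; real deployments use far more
    records = []
    for p in users:
        salt = os.urandom(16)
        records.append((salt, pbkdf2(p, salt, iters)))
    found2, work2 = crack_salted_pbkdf2(records, iters)
    return len(found1), work1, len(found2), work2


if __name__ == "__main__":
    cracked1, work1, cracked2, work2 = demo()
    print(f"unsalted MD5: {cracked1} cracked with {work1} hash ops")
    print(f"salted PBKDF2: {cracked2} cracked with {work2} HMAC rounds")
    print(f"26 lowercase x 8 at 26e9/s: {brute_force_seconds(26, 8, 26e9):.0f} s")
    print(f"95 printable x 8 at 26e9/s: {brute_force_seconds(95, 8, 26e9) / 3600:.0f} h")
```

Both attacks crack the same two pattern-based passwords and miss the third, but the unsalted run needs 1,010 MD5 operations for all three users together while the salted run needs over 1.8 million HMAC rounds, since the salt forces one PBKDF2 computation per candidate per user and the iteration count multiplies each one. The brute-force function shows the other point in the article: eight lowercase letters fall in seconds at 26 billion guesses per second, whereas eight characters drawn from the full printable set take on the order of days.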

The main takeaway I got from this article is that the commonly given advice for creating strong passwords may not give people the protection they think. The author was able to crack passwords that would have passed a test of password strength. What makes passwords so vulnerable? To be useful a password has to be remembered. People pick words and patterns that are easy to remember. Crackers are learning these patterns. For security, other methods of authentication, such as biometrics or security keys, may offer better protection. If passwords are to be used, a long, randomly generated string would be stronger, although it would be hard to remember.





New York Times DNS attack.

"How To Avoid Getting Your DNS Hacked Like The New York Times"


A few weeks ago the New York Times website suffered from a DNS attack. The hack was done by a militant group in Syria. The attack redirected viewers to the group's website. Matthew Prince, CEO of CloudFlare, stated that we should expect criminals to use DNS attacks more in the future. The article recommends choosing a domain name registrar with a strong reputation for good security. It also recommends using a strong password for logging on to the registrar and keeping it safe.

The hackers attacked Melbourne IT, which is the registrar for the Times' domain name. They were able to overwrite the Times' domain name information. This was surprising because Melbourne IT has a strong reputation for security. It is used by other large organizations on the web, including Twitter. Why wasn't Twitter attacked? Twitter had a registrar lock in place, unlike the Times. Registrar locks are restrictive controls that make it more difficult to make changes at the registrar. Many users avoid using the locks because they are a hassle.


Registrars may have security features available that users are often not aware of. Some offer two-factor authentication, such as requiring both a password and a code sent to a cellphone. Another security setup is to allow changes to be made only from one IP address, such as the one at the business's office.
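The three registrar-side controls mentioned above (registrar lock, a second-factor code, and restricting changes to an allowed IP address) can be modelled as one authorization check that a registrar would run before accepting a DNS change. The following is an added example, not code from the Dark Reading article or from any registrar: the account data is constructed, and the second factor is implemented as an RFC 4226 HOTP counter-based code (the article only says "a code sent to a cellphone"; HOTP is assumed here because it can be computed offline and checked with the RFC's published test vectors).

```python
"""Authorization check for a DNS-record change request at a registrar.

Added example modelling registrar lock, a one-time code and a source-IP
allowlist. Account data is constructed; the OTP scheme (HOTP, RFC 4226)
is an assumption standing in for "a code sent to a cellphone".
"""
import hashlib
import hmac
import ipaddress
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password for a given counter value."""
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                               # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class RegistrarAccount:
    """Constructed account state; a real registrar would persist this."""

    def __init__(self, otp_secret: bytes, allowed_cidrs, locked: bool = True):
        self.otp_secret = otp_secret
        self.allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
        self.locked = locked          # registrar lock, on by default
        self.last_counter = -1        # highest HOTP counter already accepted


def authorize_change(acct: RegistrarAccount, source_ip: str, otp_code: str,
                     window: int = 5):
    """Return (allowed, reason). Every control must pass; the first failing
    control is reported so an audit log records why a change was refused."""
    if acct.locked:
        return False, "registrar lock is set; it must be cleared first"
    ip = ipaddress.ip_address(source_ip)
    if not any(ip in net for net in acct.allowed):
        return False, f"source {source_ip} is not in the allowlist"
    # Accept the next `window` counters only, compare in constant time, and
    # advance the counter so the same code cannot be replayed.
    for c in range(acct.last_counter + 1, acct.last_counter + 1 + window):
        if hmac.compare_digest(hotp(acct.otp_secret, c), otp_code):
            acct.last_counter = c
            return True, "ok"
    return False, "second-factor code invalid or already used"


def demo():
    """Walk through the controls with a constructed account."""
    secret = b"12345678901234567890"          # RFC 4226 test-vector secret
    acct = RegistrarAccount(secret, ["203.0.113.0/24"])   # TEST-NET-3 range
    steps = []
    steps.append(authorize_change(acct, "203.0.113.10", hotp(secret, 0)))
    acct.locked = False                       # lock cleared in a separate step
    steps.append(authorize_change(acct, "198.51.100.7", hotp(secret, 0)))
    steps.append(authorize_change(acct, "203.0.113.10", hotp(secret, 0)))
    steps.append(authorize_change(acct, "203.0.113.10", hotp(secret, 0)))  # replay
    steps.append(authorize_change(acct, "203.0.113.10", hotp(secret, 1)))
    return steps


if __name__ == "__main__":
    for allowed, reason in demo():
        print("ALLOW" if allowed else "DENY ", reason)
```

Run as a script, the walkthrough prints a denial while the lock is set, a denial from an address outside the allowlist, one accepted change, a denial when the same code is replayed, and an acceptance of the next code. The order of the checks matters for a registrar: the lock and the IP restriction are evaluated before the one-time code, so a stolen password and a stolen phone together still do not help from an unexpected network.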

Wednesday, September 25, 2013