Saturday, August 11, 2012

Week 10: Lessons learned

Current Trends in Cybersecurity, Week 10, lessons learned.

Looking back, this class seemed to fly by, yet was one of the most taxing classes I've taken so far.  When the class first started and we were given the option to go at it without a textbook, I thought: "Well, this should be a pretty easy class if a book isn't even required."  Nothing could have been further from the truth.  So, right off the bat, if I had to revise my approach, I would have definitely eaten the cost and purchased the book sooner than I did.

The biggest issue I had with this class was trying to narrow the scope of my work; I found myself jumping between NIST guidance, referencing CISSP material, and following guidance in my penetration test material, basically fighting self-inflicted scope creep and spending way too many nights up at 3am just short of banging my head on my keyboard in frustration.

To do over again, I'm sure I could deliver a better final product, but to be quite honest, I'm not sure that I would do it any differently -- I am sure the amount of reading and research I've done over the last 10 weeks will pay off in spades in the long run.   

Lesson learned, there may be a dozen ways to skin a cat, but in a project like this, pick ONE model and go with it; don't mix it up or it becomes hard to handle as the project grows.  At work we follow NIST guidance exclusively, so it's easy to follow a blueprint and get from A-to-Z.  I could have gone that route and saved myself a lot of headaches, but in the end, I think I've learned more by stepping out of my comfort zone and trying to recreate the wheel.

Sunday, August 5, 2012

Week 9

Having wrapped up week 9 of Current Trends in Cybersecurity, it's hard to believe we're only a week away from being done with this term!  It's been quite a challenge packing 12 weeks of study into 10, especially these last couple of weeks.  I've been revisiting a lot of my CISSP material for this course, as there's a lot of overlap. 

My home testbed is all but covered in cobwebs, as I haven't had the time to play with all the reading I've been doing these last couple of weeks. 

It's a real challenge to keep the size of these documents down to a manageable size for the class, I'm finding myself picking and choosing what to add and what to dismiss because otherwise the final product would be massive; unfortunately I feel that my deliverable products seem a bit lackluster because of that fact, but I'm sure my peers are not interested in reviewing a gargantuan document.

We're in the final stretch, I'm looking forward to hearing what my peers have to say about my final project, and eager to make corrections, tidy it up and be on my way to the next hurdle; only 4 classes to go until this degree is in the books.

Sunday, July 29, 2012

Lights, Camera, Action Plan!

Week 8 of 'Current Trends in Cybersecurity' has us working on a Threat Action Plan for the fictional Harry & Mae's organization.  This week I am to reflect on the hardest part of working out the Action Plan.

For me the hardest part of working on the Harry and Mae Case Study to provide threat, vulnerabilities, and risk analysis is trying to find the happy medium of demonstrating that I understand the material without going overboard.  Done properly (as if Harry & Mae's were a true world client), the Threat Action Plan would likely be somewhere in the ballpark of 80 pages long.

There are a lot of references out there to draw from, to include NIST pubs and CISSP material, but my biggest problem is trying to grasp what is really required for these assignments.  I could spend another 40 hours sifting through NIST documents, and another 40 hours using ALE (SLE * ARO) calculations to present something that demonstrates a strong grasp of how to approach this case study, but I'm not sure if something along those lines is required, or if it'd be overkill.

The material for the other class I'm currently enrolled in (Ethical Hacking and Response) is very familiar, so it frees me up to really focus on this class.  Again, the challenge for me this week is to know where to draw the line on identifying threats/vulnerabilities/risks; for example, identifying threats/vulnerabilities/risks associated with a Cisco Nexus 7000 Switch could take a week by itself, so I've opted to provide a few simple examples for each area I'm addressing and hope that it's enough to meet the requirement and demonstrate that I have a grasp of what we're attempting to achieve.
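As a worked illustration of the ALE (SLE * ARO) calculations mentioned above, here is a small script I am adding to this post; it is not part of the case-study deliverable and not from any NIST or CISSP publication. It carries the standard CISSP quantitative chain one step back (SLE = asset value * exposure factor) and one step forward (net value of a countermeasure = ALE reduction minus the control's annual cost), which is how the numbers end up prioritising a threat action plan. Every asset value, exposure factor, rate and cost below is a constructed sample for a fictional retailer, not Harry & Mae's data.

```python
"""Quantitative risk calculations for a threat action plan.

Added example (not from the blog post or the case study): the post mentions
ALE = SLE * ARO; this script also computes SLE = AV * EF and the cost/benefit
of a countermeasure, as in the standard CISSP treatment. All numbers below
are constructed sample values for a fictional organisation.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float      # AV, in dollars
    exposure_factor: float  # EF, fraction of AV lost per incident (0..1)
    aro: float              # annualized rate of occurrence (incidents/year)

    @property
    def sle(self) -> float:
        """Single loss expectancy: dollars lost each time the threat occurs."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: expected dollars lost per year."""
        return self.sle * self.aro


def rank_by_ale(threats):
    """Order threats from highest to lowest ALE, i.e. the order the action plan should address them."""
    return sorted(threats, key=lambda t: t.ale, reverse=True)


def countermeasure_value(threat: Threat, new_aro: float, annual_cost: float) -> float:
    """Net annual value of a control: (ALE before - ALE after) - annual cost of the control.

    Positive means the control pays for itself; negative means it costs more than it saves.
    new_aro is the rate of occurrence expected once the control is in place.
    """
    ale_after = threat.sle * new_aro
    return (threat.ale - ale_after) - annual_cost


# Constructed sample threats for a fictional retailer (not the case study's numbers).
SAMPLE_THREATS = [
    Threat("POS malware skims card data", asset_value=500_000, exposure_factor=0.40, aro=0.5),
    Threat("Ransomware on file server", asset_value=200_000, exposure_factor=0.75, aro=0.25),
    Threat("Laptop theft (unencrypted)", asset_value=50_000, exposure_factor=1.0, aro=1.5),
]

if __name__ == "__main__":
    for t in rank_by_ale(SAMPLE_THREATS):
        print(f"{t.name:32s} SLE=${t.sle:>10,.0f} ARO={t.aro:<5} ALE=${t.ale:>10,.0f}")
    # Full-disk encryption on laptops: the theft still happens, but the data-loss event
    # it represents no longer occurs, modelled as new_aro=0; assume the control costs $5,000/year.
    laptop = SAMPLE_THREATS[2]
    print(f"Net value of full-disk encryption: ${countermeasure_value(laptop, new_aro=0.0, annual_cost=5_000):,.0f}")
```

The ranking is the useful output: with these sample numbers the POS malware (ALE $100,000) outranks the laptop theft (ALE $75,000) even though laptops are stolen three times as often, which is exactly the kind of argument the action plan has to make about where to spend first.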

Sunday, July 22, 2012

Technical Aspects of CyberSecurity


There's a plethora of Cyber Security tools available on the Internet, but I've come up with a top 10 list of my favorite tools which I feel are beneficial for any Cybersecurity Professional.

·         The Cyber Security Evaluation Tool (CSET):  A Department of Homeland Security (DHS) tool that aids organizations in protecting their cyber assets.  Loaded with a variety of standards (NIST, NERC, ISO, DoD, etc.) that can be selected and used to scan security assurance levels of systems.  The software generates a detailed report which indicates areas that can be improved.

·         Microsoft Security Essentials:  A free tool provided by Microsoft to aid in protecting against viruses, spyware, and other malicious software.  Easy to install, update, and runs in the background so it's not intrusive to end-users.


·         Ad-Aware Free Antivirus+:  Free Anti-Spyware and Anti-Virus software; features download protection, sandboxing, and advanced detection.


·         RootkitRemover:  A free, stand-alone McAfee product which is used to detect and remove complex rootkits and associated malware.  


·         Wireshark:  A free, open-source network protocol analyzer.  Wireshark is a great tool for network troubleshooting and analysis.  It's user-friendly with a graphical front-end.


·         NMAP:  A free and open-source tool for network discovery and security auditing.  This is a must-have tool for Cyber Security.


·         Leviathan Auditor:  A network auditing and penetration tool which works on (and against) Microsoft machines.  Leviathan can enumerate: users, local groups, shares, hidden shares, transports, installed services, registry and more.


·         THC-Hydra:  A free, open-source network logon cracker.  Easy to use and one of the faster network logon crackers.


·         Cain & Abel:  A password recovery tool for Microsoft operating systems.  Can be used to sniff networks, crack encrypted passwords via dictionary, brute force, and cryptanalysis attacks.  It can also capture VoIP conversations, decode scrambled passwords, capture and crack wireless networking keys.


·         BackTrack Linux:  Hands down my favorite technical security tool.  BackTrack is the one-stop-shop of security tools.  It can be installed to a PC or run from a Live CD distribution.  Install BackTrack and utilize Metasploit, NMAP, and Nessus, and you have one of the greatest tools a security professional could hope for!

Also, two great sites to peruse for an abundance of tools (many of them free) are:

-and-


References:

Ad-Aware Free Antivirus+.  Retrieved 22 July, 2012, from: http://www.lavasoft.com/products/ad_aware_free.php?t=overview

Backtrack Linux:  Retrieved 22 July, 2012, from: http://www.backtrack-linux.org/

Cain & Abel.  Retrieved 22 July, 2012, from: http://www.oxid.it/cain.html

Control Systems Security Program (CSSP): CSET.  Retrieved 22 July, 2012, from: http://www.us-cert.gov/control_systems/satool.html

Leviathan Auditor.  Retrieved 22 July, 2012, from: http://leviathan.sourceforge.net/

Microsoft Security Essentials.  Retrieved 22 July, 2012, from: http://windows.microsoft.com/en-US/windows/products/security-essentials

NMAP.  Retrieved 22 July, 2012, from: http://nmap.org/

RootkitRemover.  Retrieved 22 July, 2012, from: http://www.mcafee.com/us/downloads/free-tools/rootkitremover.aspx

SecTools.org: Top 125 Network Security Tools.  Retrieved 22 July, 2012, from: http://sectools.org/

THC-Hydra.  Retrieved 22 July, 2012, from: http://freeworld.thc.org/thc-hydra/

Wireshark.  Retrieved 22 July, 2012, from: http://www.wireshark.org/

Sunday, July 15, 2012

What's in your wallet?

Nikhil Kolbekar, aka HellsAngel, was arrested in Mumbai, India on the 11th of July.  Eric Bogle, aka Swat Runs Train, was taken into custody in Canada and Justin Mills, aka xTGxKAKAROT, was taken into custody in Colorado.

Kolbekar and Bogle are suspected of selling complete credit card information, to include: names, addresses, social security numbers, birth dates, and bank account information.

Kolbekar also sold remote desktop protocol (RDP) access data that could be used to break into computers and steal credit card information and identity information from PCs located in Turkey, India, the Czech Republic, Brazil, Germany, France, Italy, Spain, Sweden, and other countries.

Kolbekar was brought before Esplanade Court last Thursday and has remained in judicial custody.  He will be brought before the Patiala House court in Delhi on the 25th of this month, and the US is pushing for his extradition through Interpol.

Janice K. Fedarcyk, the assistant director in charge of the New York FBI, said that the cross-border law-enforcement operation is targeting "highly organized cyber criminals" and that their focus is to "root out criminal behavior on the Internet."  Fedarcyk says that the arrests in India, Canada, and the US are all part of Operation Card Shop, and that these arrests serve as an example that cyber criminals will be stopped even if they cross borders.

Operation Card Shop is an international operation aimed at catching those involved in the buying and selling of stolen identities, exploited credit cards, counterfeit documents, and sophisticated hacking tools.  27 people have been arrested since 26 June, 2010 as part of this ongoing operation.

It's exciting to see that something is being done to crack down on identity and credit card theft, but looking at the numbers, 27 arrests in a little over two years doesn't seem that hefty.  If these individuals are major players in operations, though, the numbers may not be as important as the message that it sends to those who are involved in this type of criminal activity.


References:

Hacker wanted by FBI arrested (2012):  Retrieved 15 July, 2012, from:  http://www.indianexpress.com/news/hacker-wanted-by-fbi-arrested/973844/

Manhattan U.S. Attorney And FBI Assistant Director-In-Charge Announce Additional Arrests As Part Of International Cyber Crime Takedown.  Retrieved 15 July, 2012, from: http://www.justice.gov/usao/nys/pressreleases/july12/cardshopfollowup.html

THN Security Analyst (2012).  Hacker wanted by FBI held in India for carding crimes.  Retrieved 15 July, 2012, from: http://thehackernews.com/2012/07/hacker-wanted-by-fbi-held-in-india-for.html

Monday, July 9, 2012

Reviewing List of Sources

A few weeks ago I came up with a list of sources that I feel are useful for vulnerability research.

This week I consider the following: Are these the actual sources that I am using in my current class? Are there any additional sources I've discovered? Any that I have decided would not be good to use?

To answer the first question: Are these actual sources that I am using in my current class?

The sites that I feel I am getting the most use out of are: nvd.nist.gov, cve.mitre.org, and exploit-db.com.

Second question: are there any additional sources that I've discovered?  No; with such an extensive list already compiled, I haven't had the time or need to seek out additional sources this week.

Third question: Any that I have decided not to use?  In regards to looking for specific vulnerabilities, I would say that I would use the three that I've listed in my first answer, and the rest would simply be used for situational awareness of new vulnerabilities that are being talked about online.


Saturday, June 30, 2012

The most important IT security policies & procedures

This week my focus has been on IT security policies and procedures and I figured that it wouldn't hurt to have a list of some of the more important ones.

A security policy is documentation that spells out and enforces a specific set of rules and regulations.  A policy is the foundation for ensuring a security program can be developed.  A policy can be put in place to hold people accountable for their actions.  It is a living document that allows an organization to define very clear objectives, goals, formal procedures, and rules that aid in defining the overall security posture and design of an organization.

Before getting into specifics, there are a few characteristics that all policies should have:

·         The policy must be understandable

·         The policy must be realistic

·         The policy must be consistent

·         The policy must be enforceable

·         The policy must be documented, distributed, and communicated correctly

·         The policy must be flexible

·         The policy must be reviewed

A policy should spell out the following:

·         Roles and responsibilities of those affected by the policy

·         Which actions, processes, and activities are and are not allowed

·         What the consequences are for non-compliance

The following list is what I feel are the most important policies and procedures:

·         Password security policy - defines rules for passwords: complexity, length, expiration, etc.

·         Physical access policy - guidelines for physical access and control

·         Encryption policy - guidelines for encrypting data

·         Remote access policy - defines what actions are and are not allowed when remotely entering the system.

·         Internal Information access policy - covers who has access to what, a 'need-to-know'

·         Social Media policy - covers what employees shouldn't post on social media sites

·         Data classification policy - guidelines for data classification

·         Acceptable use policy - covers Internet, local network, software installation, e-mail use, etc. for all users

·         Privacy policy - guidelines on private data usage and control

·         Disposal and destruction policy - guidelines on when/how data is disposed of or destroyed, and by whom

·         Storage and retention policy - guidelines for storage and retention of data

·         Incident response policy - guidelines for incident response to include roles and responsibilities

·         HR policy - guidelines for HR

·         Change management policy - guidelines for change management

·         Firewall policy - guidelines for firewall

·         Personal electronic device policy - guidelines for mobile electronic devices, USB, and DVDs, what is and is not allowed in the facility


References:

Davidson, E. Media, D. (n.d.).  IT security and the importance of policies and procedures.  Retrieved 30 June, 2012, from: http://smallbusiness.chron.com/security-importance-policies-procedures-1100.html

Global Knowledge (2010).  10 Essential security policies.  Retrieved 30 June, 2012, from: http://www.infosecisland.com/blogview/5033-10-Essential-Security-Polices.html

Shimonski, R. (2003).  Defining a security policy.  Retrieved 30 June, 2012, from: http://www.windowsecurity.com/articles/Defining_a_Security_Policy.html

Thursday, June 21, 2012

Flame On!!!

It is being reported today that unnamed Western officials have confirmed that the Flame computer virus was developed by the US and Israeli governments.  The Flame virus collected intelligence which aided in slowing Iran's nuclear program.

According to officials, the virus covertly monitored and mapped Iran's computer networks, and data was retrieved and steadily sent back to prepare for a cyberwarfare campaign.  Included in the effort to develop and deploy the software were the National Security Agency (NSA), the Central Intelligence Agency (CIA), and Israel's military.  The efforts also included destructive software such as the Stuxnet virus, which caused malfunctions in Iran's nuclear-enrichment facilities.

According to one former high-ranking U.S. intelligence official: "This is about preparing the battlefield for another type of covert action [...] Cyber-collection against the Iranian program is way further down the road than this."  The official also indicated that Flame and Stuxnet were elements of a larger assault that continues even today.

Eugene Kaspersky, whose security lab recently discovered the Flame virus that had been used against Iran, says that there should be an immediate global effort designed to stop what he calls cyber terrorism.  "It's not cyber war, it's cyber terrorism and I'm afraid it's just the beginning of the game [...] I'm afraid it will be the end of the world as we know it [...] I'm scared, believe me."

Roel Schouwenberg, a senior researcher at Kaspersky Lab, said: "We are now 100 percent sure that the Flame and Stuxnet groups worked together [...] The fact that the Flame group shared their source code with the Stuxnet group shows they cooperated at least once."

Cyber security experts say that Flame is one of the most sophisticated malware codes that has ever been discovered, and believe that it was released to specifically infect computer systems in Iran and in rival regimes across the Middle East.

It seems as though news of cyber warfare, cyber attacks, and cyber terrorism is on the rise.  These are interesting times to be part of information security.  I don't foresee a slowdown in the development of more advanced cyber attack methods, programs, or code; if I had to guess, the cyber battle space will continue to grow and will be the new frontier for a new kind of war.  It's going to be an interesting few years to be sure!


References:

Heyes, J.D. (2012).  Flame malware, created by US government, could wreck critical infrastructure.  Retrieved 21 June, 2012, from: http://www.infowars.com/flame-malware-created-by-us-government-could-wreck-critical-infrastructure/

Rey, F. (2012).  US and Israel developed Flame malware to cripple Iranian nuclear power program.  Retrieved 21 June, 2012, from: http://socialbarrel.com/flame-malware-nuclear-power-program/39261/

THN Security Analyst (2012).  US and Israel developed flame malware against Iran.  Retrieved 21 June, 2012, from: http://thehackernews.com/2012/06/us-and-israel-developed-flame-malware.html

Thursday, June 14, 2012

Sources for IT Security News, Threats, Vulnerabilities and Updates



This post will identify credible sources of information for IT threats, vulnerabilities, updates, and security news in general.  Included is a list of sources I consider to be credible, and why.



·         http://nvd.nist.gov/ -  My #1 site for information on security vulnerabilities is the National Vulnerability Database (the NVD is sponsored by the Department of Homeland Security - National Cyber Security Division/US-CERT and NIST).  The NVD is the U.S. government repository of standards-based vulnerability management data, using the Security Content Automation Protocol (SCAP).  It covers vulnerability management, security measurement, and compliance.  Included are: security checklists, security-related software flaws, misconfigurations, and impact metrics.



·         http://cve.mitre.org/ - The Common Vulnerabilities and Exposures (CVE) is international in scope and is free for public use.  The CVE is a large dictionary of publicly known information security vulnerabilities and exposures.  The CVE can be used for vulnerability management, patch management, vulnerability alerting, intrusion detection, and much more.    



·         http://www.symantec.com/security_response/ - Who does security better than a company that earns its bread and butter by providing security solutions?  The list of threats, vulnerabilities, risks, and security news delivered by Symantec is arguably near the top of the list; the list is constantly updated and is vast, covering: spyware, adware, hack tools, joke programs, remote access, hoaxes, trackware, and the list goes on and on.



·         http://www.iss.net/threats/ThreatList.php - A great list of current and relevant Internet threats and vulnerabilities.  Though the list is geared towards showing how IBM ISS products & services can help protect against the listed threats, it gives plenty of details on what the threats and vulnerabilities are, what they do, and steps that can be taken to mitigate the risk.



·         http://www.itsecdb.com/oval/ - The IT Security Database (ITSECDB) collects Open Vulnerability and Assessment Language (OVAL) definitions from sources such as: Mitre, Red Hat, Suse, NVD, Apache, etc. and provides a one-stop shop with an easy-to-navigate web interface to research a wide array of IT security related items such as patching, vulnerabilities, and compliance checklists.



·         http://www.exploit-db.com/ - The Exploit Database (EDB) is another great site to check out; at the time of typing this, they have a total of 16,108 exploits archived.  This site is geared towards penetration testers, vulnerability researchers, and security addicts.  The site also has blogs, papers, and a community that is apt to share information.  The site is run by the folks at: http://www.offensive-security.com



·         Other good resources for security news (a.k.a. the usual suspects):

o   http://news.cnet.com/security/

o   http://thehackernews.com/

o   http://www.securityfocus.com/

o   http://www.blackhat.com/

o   http://seclists.org/isn/

o   http://www.zdnet.com/topics/security

o   http://www.scmagazine.com/

o   http://www.nist.org/news.php

o   http://www.securityweek.com/

o   http://www.eweek.com/c/s/Security/

Sunday, June 10, 2012

The Weakest Link

Last week was a bad week for three major Internet companies; LinkedIn, eHarmony, and Last.fm were all targeted and successfully breached by hackers.  Early in the week on a Russian hacker forum (InsidePro.com), a site which offers password-cracking tools, two files containing passwords were posted; one of the files contained 6.5 million passwords, and the other 1.5 million passwords.  The password files were posted by a user "dwdm" who asked others to help crack the passwords.  The forum thread has since been taken offline, and the passwords were not displayed in plain text, but rather were obscured via hashing, though it is reported that more than 200,000 of the passwords have already been cracked.

So far none of the companies are releasing any details about how their users' passwords got into the hands of hackers, but LinkedIn says that the passwords contained in the files are hashed with the SHA-1 algorithm, and that no other data accompanies the passwords (i.e. user names or personal data).  Security experts are strongly suggesting that people change their passwords immediately, and eHarmony has reset the passwords of accounts it believes have been affected.  Apparently many of the passwords that were published to the hacker forum had the term "LinkedIn" in them, i.e. "linkedin1234" or "linkedinabcd"; this was a good indicator that these passwords were in fact LinkedIn passwords, and it is assumed that many people use weak passwords such as the site name + a string of easy-to-remember characters.

Just because the password lists were posted without user names does not mean that the original poster doesn't have the user name list that goes along with the passwords.  For this reason, anyone using any of these services should immediately change their password.  This is an excellent reason why a common password should not be used across sites.  If the hackers are able to crack a password and use it against your account, and all your accounts share the same login information, they essentially have a master key to your online life.

Simple passwords containing dictionary words and strings such as 123 or abc will be quite easy to crack.  A strong password doesn't necessarily need to be filled with special characters and numbers; a long password made of 4 random words such as Chicago, hockey, cigar, and certification (= Chicagohockeycigarcertification) would take a brute force tool a very long time to crack, though changing a few characters to numbers or special characters wouldn't hurt if you can remember what characters you changed; for instance, changing all e's to the number 3, or all i's to the number 1.

Best practices would be to limit the amount of personal information you share online, use hard to guess/crack passwords, change your passwords frequently, and don't use the same password for multiple sites.
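The LinkedIn detail worth dwelling on from the defender's side is "hashed with SHA-1, no salt."  The script below is an example I am adding to this post (it is not LinkedIn's code, nor from any of the cited articles); it shows why an unsalted fast hash lets a dump be attacked at scale, and what the stored form looks like when a site does it properly with a per-user salt and an iterated hash (PBKDF2-HMAC-SHA256 from Python's hashlib).  The users and passwords are constructed, and the iteration count is my own assumption.

```python
"""Password storage: unsalted SHA-1 (the scheme behind the leak) versus salted, iterated hashing.

Added example, not code from the post or from any of the companies named in it.
With no salt, every user who chose "linkedin1234" has the identical SHA-1 digest,
so one cracked hash unlocks every account sharing that password, and each guess
costs a single fast hash. The salted PBKDF2 form makes every stored hash unique
and every guess deliberately expensive. Sample users/passwords are constructed.
"""
import hashlib
import hmac
import os
from typing import Optional

# Assumption: an iteration count that makes one hash take a noticeable fraction of a
# second on a modern CPU; tune it to the auth server's budget (and raise it over time).
PBKDF2_ITERATIONS = 600_000


def sha1_unsalted(password: str) -> str:
    """The weak scheme: one fast, deterministic hash per password, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash. Returns 'pbkdf2_sha256$<iters>$<salt_hex>$<digest_hex>'."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def duplicate_groups(unsalted_hashes):
    """Defender's view of an unsalted dump: identical digests mean identical passwords.

    Returns {digest: count} for every digest that appears more than once, i.e. the
    accounts that fall together the moment any one of them is cracked.
    """
    counts = {}
    for h in unsalted_hashes:
        counts[h] = counts.get(h, 0) + 1
    return {h: n for h, n in counts.items() if n > 1}


# Constructed sample: three users, two of whom picked the same weak site-name password.
SAMPLE_USERS = {
    "alice": "linkedin1234",
    "bob": "linkedin1234",
    "carol": "Chicagohockeycigarcertification",
}

if __name__ == "__main__":
    weak = {u: sha1_unsalted(p) for u, p in SAMPLE_USERS.items()}
    print("unsalted SHA-1 duplicates:", duplicate_groups(weak.values()))
    strong = {u: hash_password(p) for u, p in SAMPLE_USERS.items()}
    print("salted hashes for alice and bob differ:", strong["alice"] != strong["bob"])
    print("alice verifies with correct password:", verify_password("linkedin1234", strong["alice"]))
    print("alice verifies with wrong password:", verify_password("linkedin1235", strong["alice"]))
```

Note that the salt is stored in the clear next to the digest; it is not a secret, its job is only to make each hash unique so that one guess has to be re-hashed separately for every account.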



References:

Mills, E. (2012).  What the password leaks mean to you (FAQ). Retrieved 10 June, 2012, from: http://news.cnet.com/8301-1009_3-57449325-83/what-the-password-leaks-mean-to-you-faq/?tag=epicStories


Paul, I. (2012).  Update: LinkedIn confirms account passwords hacked. Retrieved 10 June, 2012, from: http://www.pcworld.com/article/257045/update_linkedin_confirms_account_passwords_hacked.html

Last.fm Confirms They Were Hacked, Change Your Passwords Now.  http://thehackernews.com/2012/06/lastfm-confirms-they-were-hacked-change.html

Friday, November 18, 2011

Week 12 Post: Reflections

Reflecting on the blogs I’ve written over the last 11 weeks, it is apparent that the blogs I have posted have been largely focused on the hacking community.  My primary sources of information were Cnet.com and thehackernews.com.  I primarily used them as my launch points for blogging as they have long been my source for IT Security related news, and they can always be trusted to have the latest in IT security related stories.

I focused on hacking stories because in the world of IT security, hackers are the #1 threat, and because I find the topic both interesting and relevant to the goals of not only our blogging assignment, but towards the entire degree path. 

In my searching for stimulating and pertinent material each week, I would spend a considerable amount of time researching various sites to get multiple viewpoints of any given topic, and would often find myself researching topics more than I normally would just to learn about what was going on in any given event.  This research I performed each week has broadened not only my view of the hacking community but the climate of the world as well.

We are living in interesting times, with groups/movements such as WikiLeaks, Anonymous, the 99% Movement, the Occupy Movement, etc.  It’s quite interesting to see the lines between the real and digital world blurring, and how digital attacks and events are complementing protests and actions performed in the real world.

I believe blogs such as these could aid IT Security professionals and future IT Security students in understanding the current climate and the threats that exist in the cyber world.  Understanding the pathology of cybercrime and keeping abreast of security threats, both past and present may aid in the proactive development of countermeasures for future threats.     

Friday, November 11, 2011

Week 11 Post: $14 Million Click-Hijacking Scam

The U.S. Department of Justice said on November 9th that it had uncovered an Internet scam ring that fetched 14 million dollars by means of infecting millions of computers around the world with malware that is designed to redirect Web searches to websites that generate revenue.

Seven culprits, six from Estonia and one from Russia, are being brought up on charges of wire fraud and computer intrusion, says the FBI. The group is accused of infecting roughly 4 million computers in more than 100 countries (500,000 in the U.S. alone), including NASA, with malware named DNSChanger. The malware makes changes to the Domain Name System (DNS) settings on the infected computers, effectively redirecting them to rogue DNS servers which then point them to specific Web sites.

Essentially the malware hijacked the infected computers, and when certain Web searches were performed it would redirect them to sites that would pay the operators money whenever people visited the sites and clicked on ads.

An FBI statement reports: “When users of infected computers clicked on the link for the official Web site of iTunes, for example, they were instead taken to a Web site for a business unaffiliated with Apple Inc. that purported to sell Apple software."

Additionally, the malware would redirect the infected machines that searched for Netflix to a business called “BudgetMatch”, and searches that were intended to find the IRS were redirected to H&R Block.

The accused are also facing charges that they replaced legitimate ads on sites with their own ads that triggered payments to themselves. An example is that they replaced an American Express ad on the Wall Street Journal’s home page with an ad for “Fashion Girl LA” as well as replacing an “Internet Explorer 8” ad on Amazon.com with an ad for an e-mail marketing firm.

Computers were infected with DNSChanger when they visited certain Web sites or when they downloaded certain software to view videos online. Additionally, the malware prevented antivirus software and operating systems from updating correctly.

The accused allegedly created companies that masqueraded as legitimate advertising publisher networks. Apparently the operation began in 2007 and ended in October of this year with the completion of a two-year FBI investigation dubbed “Operation Ghost Click,” says the FBI.

The rogue DNS servers that were used in this operation have been replaced with legitimate servers in an effort to correct the Internet access issues persisting on infected computers. The owners of infected computers will need to be proactive in clearing the malware off of their machines. People can verify if their computers are infected by typing their DNS information into an FBI webpage (https://forms.fbi.gov/check-to-see-if-your-computer-is-using-rogue-DNS).

The indictment filed in the U.S. District Court of New York was unsealed on Tuesday.
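Since the whole scheme came down to rewriting a host's resolver settings, the check the FBI page performs is a simple one to reproduce locally: read which resolvers the host is actually using and compare them against known-bad ranges and the resolvers you expect to see.  The script below is an example I am adding to this post, not the FBI's checker or anything from the cited article.  The "rogue" ranges in it are placeholders (RFC 5737 documentation networks), not the real Operation Ghost Click indicators, and the sanctioned-resolver list and the resolv.conf content are constructed.

```python
"""Audit a host's configured DNS resolvers against known-bad ranges and an allowlist.

Added example, not from the post or from the FBI's check page. DNSChanger worked by
rewriting resolver settings, so the defender's check is: which resolvers does this
host actually use, and is any of them outside the ranges we expect? The rogue ranges
below are PLACEHOLDERS (RFC 5737 documentation networks), not the real indicators;
substitute the published ranges or your organisation's own resolver allowlist.
"""
import ipaddress
import re

# PLACEHOLDER ranges standing in for the rogue resolver networks; replace with real indicators.
ROGUE_DNS_RANGES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]

# Assumption: the resolvers this organisation's hosts are supposed to use.
EXPECTED_RESOLVERS = {ipaddress.ip_address("10.0.0.53"), ipaddress.ip_address("10.0.1.53")}

_NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)")


def parse_resolv_conf(text: str):
    """Extract resolver addresses from resolv.conf-style text; comments and junk lines are ignored."""
    resolvers = []
    for line in text.splitlines():
        m = _NAMESERVER_RE.match(line)
        if not m:
            continue
        try:
            resolvers.append(ipaddress.ip_address(m.group(1)))
        except ValueError:
            continue  # malformed address: skip it rather than crash the audit
    return resolvers


def classify_resolver(ip) -> str:
    """'rogue' if inside a known-bad range, 'expected' if sanctioned, otherwise 'unexpected'."""
    if any(ip in net for net in ROGUE_DNS_RANGES):
        return "rogue"
    if ip in EXPECTED_RESOLVERS:
        return "expected"
    return "unexpected"


def audit(text: str):
    """Return {resolver: verdict} for every resolver found in the configuration text."""
    return {str(ip): classify_resolver(ip) for ip in parse_resolv_conf(text)}


def is_clean(text: str) -> bool:
    """True only if every configured resolver is one we expect."""
    verdicts = audit(text)
    return bool(verdicts) and all(v == "expected" for v in verdicts.values())


# Constructed sample: an infected host whose first resolver was rewritten, plus a
# stray public resolver someone added by hand and one malformed line.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
nameserver 192.0.2.77
nameserver 10.0.0.53
nameserver 8.8.8.8
nameserver not-an-ip
"""

if __name__ == "__main__":
    for ip, verdict in audit(SAMPLE_RESOLV_CONF).items():
        print(f"{ip:16s} {verdict}")
    print("host clean:", is_clean(SAMPLE_RESOLV_CONF))
```

On Windows the same data comes from `ipconfig /all` rather than resolv.conf, but the classification step is identical; an "unexpected" verdict is not proof of infection, only a prompt to find out who changed the setting and why.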



References:
Mills, E. (2011). Seven accused in $14 million click-hijacking scam. Retrieved 10 November, 2011 from Web site: http://news.cnet.com/8301-1009_3-57321844-83/seven-accused-in-$14-million-click-hijacking-scam/?tag=txt;title

Wednesday, November 2, 2011

Week 10 Post: Anonymous threatens Mexican drug cartel

The Mexican arm of Anonymous is going toe to toe with one of the world’s most dangerous criminal organizations, the Mexican cartel Los Zetas. Anonymous is making threats to the drug cartel over the alleged kidnapping of one of its members in Veracruz.

Anonymous does not identify the missing member by name, but alleges he was kidnapped from a street protest, “doing Paperstorm” which is a reference to posting flyers or messages in public areas.

In a Youtube video, a man dressed in a suit and tie, and wearing the Guy Fawkes mask from the movie “V for Vendetta” (the mask has become the symbol for Anonymous), says in Spanish: “You made a huge mistake by taking one of us. Release him. And if anything happens to him, you (expletive) will always remember this upcoming November 5th.”  He continues with “We demand his release, we want the Army and the Navy to know that we are fed up with the criminal group Zetas, who have concentrated on kidnapping, stealing and blackmailing in different ways.”

"We can't defend ourselves with a weapon, but if we can do this with their cars, houses, bars, brothels, and everything else in their possession," the video says. "It won't be difficult. We all know who they are and where they are."

The video, posted earlier this month, also threatens to expose the cartel's associates, to include journalists, taxi drivers, police and corrupt government officials who allegedly cooperate with the cartel. The website of Gustavo Rosario, a Mexican politician suspected of having connections with the cartel, was defaced and the words “Es Zeta” (is Zeta) were shown on his main page.

These threats move Anonymous into a whole new realm. The group typically targets corporations, government agencies and law enforcement departments that it deems financially or morally corrupt; criminal gangs have never before been a target of its attacks.

The U.S. Justice Department states that the Zetas cartel may be the most technologically advanced, sophisticated and violent of the paramilitary enforcement groups in Mexico.

Mike Vigil, a retired head of international operations for the DEA, said the Zetas need to take Anonymous seriously: by publishing names, Anonymous would identify Zetas members to rival cartels, who would go after them. If Anonymous makes good on its threat and publishes those names, it will almost certainly lead to more deaths.

This is a pretty bold move by Anonymous and it will be interesting to see the resulting fallout.

References:

Anonymous Veracruz copia. Retrieved 01 November, 2011 from YouTube Web site: http://www.youtube.com/watch?feature=player_embedded&v=3ZL0E1J7wOg

Mills, E (2011). Anonymous online activists threaten Mexican drug cartel. Retrieved 01 November, 2011 from Cnet Web site: http://news.cnet.com/8301-1009_3-20127534-83/anonymous-online-activists-threaten-mexican-drug-cartel/?tag=txt;title



THN Reporter (2011). Anonymous hackers threatening a Mexican drug cartel. Retrieved 01 November, 2011 from The Hacker News Web site: http://thehackernews.com/2011/10/anonymous-hackers-threatening-mexican.html

Thursday, October 27, 2011

Week 9 Post: German hacking group releases new web attack tool

The German hacking group known as “Hackers Choice” has released a program that it says allows a web server to be taken down by a single computer over a secure connection.

The program, named THC-SSL-DOS (The Hackers Choice Secure Sockets Layer Denial of Service) tool, was released to the public on Monday. The tool abuses the Secure Sockets Layer (SSL) renegotiation feature: over a single established connection, the client repeatedly asks the server to renegotiate, and each renegotiation forces the server to perform a fresh handshake. SSL renegotiation exists so that web sites can establish new security keys over an SSL connection that has already been set up.

Hackers Choice has announced that it released the exploit to draw attention to weaknesses in SSL, the protocol that is supposed to let sensitive traffic flow between web sites and an individual user’s computer without being captured.

According to a blog posting by an anonymous member of the group: “We are hoping that the fishy security in SSL does not go unnoticed,” the member continued with: "The industry should step in to fix the problem so that citizens are safe and secure again. SSL is using an aging method of protecting private data which is complex, unnecessary and not fit for the 21st century.”

The group also states that the tool works against servers which do not have SSL renegotiation enabled, but that this requires some configuration and more attacking machines (each handshake then needs a new connection rather than a renegotiation on an existing one). The group claims that a single IBM laptop on a standard DSL connection can take down an average web server.

According to the group, establishing an SSL connection is about 15 times more taxing on the processing power of the server than on the client. The program exploits this lopsided property by overloading the server until it can no longer serve legitimate clients, effectively kicking it off the Internet. The group says the problem affects all SSL implementations in use today, that vendors have been aware of it since 2003, and that the topic has been discussed widely.

Both UNIX and Windows versions of the program are freely available to the public via the following site: http://thehackernews.com/2011/10/hackers-choice-releases-ssl-ddos-tool.html. The thehackernews.com site also gives the following information:

Tips & Tricks for whitehats

1. The average server can do 300 handshakes per second. This would require 10-25% of your laptop's CPU.
2. Use multiple hosts (SSL-DOS) if an SSL Accelerator is used.
3. Be smart in target acquisition: The HTTPS Port (443) is not always the best choice. Other SSL enabled ports are less likely to use an SSL Accelerator (like the POP3S, SMTPS, ... or the secure database port).


Countermeasures:
No real solution exists. The following steps can mitigate (but not solve) the problem:
1. Disable SSL-Renegotiation
2. Invest in an SSL Accelerator
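The asymmetry the group describes is also what makes this attack visible in a server’s own records: one client asking for hundreds of handshakes on a single connection, or opening hundreds of connections in a few seconds, looks nothing like normal traffic. The following Python script is an added example written for this post; it is not THC’s tool and not code from the page. It assumes a hypothetical TLS frontend log with one event per line in the form `<unix_time> <client_ip> <connection_id> <HANDSHAKE|RENEG>`, uses constructed sample entries, and flags both the single-connection renegotiation storm and the many-connection variant the group mentions for servers with renegotiation disabled.

```python
"""Spot TLS handshake / renegotiation floods in frontend logs (added example).

Assumes a hypothetical log line format, one event per line:
    <unix_time> <client_ip> <connection_id> <HANDSHAKE|RENEG>
The sample entries below are constructed, not captured from a real server.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

WINDOW_SECONDS = 10.0     # sliding window for per-client counting
MAX_HANDSHAKES = 100      # handshakes (full or renegotiated) per client per window
MAX_RENEG_PER_CONN = 10   # renegotiations tolerated on a single connection


@dataclass(frozen=True)
class Event:
    ts: float
    src: str
    conn: str
    kind: str


def parse_line(line: str) -> Event:
    ts, src, conn, kind = line.split()
    if kind not in ("HANDSHAKE", "RENEG"):
        raise ValueError(f"unknown event type: {kind!r}")
    return Event(float(ts), src, conn, kind)


def detect(lines):
    """Return a sorted list of (rule, client_ip) alerts.

    reneg-storm:     one connection asked for more than MAX_RENEG_PER_CONN
                     renegotiations (the THC-SSL-DOS pattern).
    handshake-flood: one client caused more than MAX_HANDSHAKES handshakes
                     inside WINDOW_SECONDS, whether by renegotiating or by
                     opening new connections (the variant used when
                     renegotiation is disabled on the server).
    """
    alerts = set()
    recent = defaultdict(deque)        # client_ip -> timestamps within the window
    reneg_count = defaultdict(int)     # (client_ip, conn) -> renegotiations seen

    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)

        if ev.kind == "RENEG":
            reneg_count[(ev.src, ev.conn)] += 1
            if reneg_count[(ev.src, ev.conn)] > MAX_RENEG_PER_CONN:
                alerts.add(("reneg-storm", ev.src))

        window = recent[ev.src]
        window.append(ev.ts)
        while window and ev.ts - window[0] > WINDOW_SECONDS:
            window.popleft()
        if len(window) > MAX_HANDSHAKES:
            alerts.add(("handshake-flood", ev.src))

    return sorted(alerts)


def build_sample_log():
    """Constructed traffic: ordinary clients plus the two attack patterns."""
    base = 1319620000.0
    lines = []
    # Twenty ordinary clients, one full handshake each.
    for i in range(20):
        lines.append(f"{base + i * 0.5:.2f} 203.0.113.{i + 1} c{i} HANDSHAKE")
    # Attacker A: a single connection that renegotiates 300 times in 1.5 s.
    lines.append(f"{base:.2f} 198.51.100.9 a1 HANDSHAKE")
    for i in range(300):
        lines.append(f"{base + i * 0.005:.2f} 198.51.100.9 a1 RENEG")
    # Attacker B: renegotiation disabled on the target, so it opens 150 new
    # connections in 4.5 s instead.
    for i in range(150):
        lines.append(f"{base + i * 0.03:.2f} 198.51.100.10 b{i} HANDSHAKE")
    lines.sort(key=lambda l: float(l.split()[0]))   # emit in time order, as a log would
    return lines


if __name__ == "__main__":
    for rule, client in detect(build_sample_log()):
        print(f"{rule:16s} {client}")
```

The thresholds are illustrative and should be tuned to the handshake rate a real site sees. To check whether a server accepts client-initiated renegotiation at all, connect with `openssl s_client -connect host:443` and type `R` on a line by itself: a server that has renegotiation disabled will refuse or drop the connection instead of completing a second handshake.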



I find it curious when groups like Hackers Choice release such powerful tools to the general public. I understand the argument that it forces vendors to seriously address the issues, but on the flipside of the coin, until a fix is provided we could see issues across the Internet because anyone with a computer now has the power to attack and potentially temporarily cripple Web sites. I think a better approach would be to announce that they have found an exploit and work with the vendors to correct the holes that they have found rather than arm the masses with a tool like this.



References:

New attack tool targets web servers using secure connections. Retrieved 26 October, 2011 from Web site: http://news.cnet.com/8301-1009_3-20125058-83/new-attack-tool-targets-web-servers-using-secure-connections/?tag=txt;title



Hackers Choice releases SSL-DDOS-Tool. Retrieved 26 October, 2011 from Web site: http://thehackernews.com/2011/10/hackers-choice-releases-ssl-ddos-tool.html

Saturday, October 22, 2011

Week 8 Post: Cyberwarfare, the future of war

According to The New York Times, White House officials said they had considered attacks on Libya’s government computer network to block the country’s early-warning data gathering and missile launches against NATO warplanes during the American-led strikes last spring, but decided against it.
Though such attacks would have lowered the risk to pilots, the idea was ultimately dropped over fears of opening that door and of the precedent a cyber offensive would set. There was also concern that there would not be enough time to find and exploit all of the holes in Libya’s networks before the strikes, and questions about whether Congress would need to be notified beforehand.
Weeks later, military strategists discussed smaller-scale attacks to keep Pakistani radar from detecting the helicopters carrying the SEAL commandos who went on to kill Osama bin Laden in May. Instead, the operation used Black Hawk helicopters and a surveillance drone equipped with radar-evading technology.
One could speculate that there may be another reason, given that the Pentagon is inching toward declaring cyber attacks launched by foreign nations an act of war that merits a military response.
There is also speculation that the U.S. may have played a role in creating or spreading Stuxnet, which, according to researchers who analyzed its code, appeared designed to sabotage Iran’s nuclear program.
It’s easy to see articles like this in many different lights. One prone to conspiracies could assume that the statements given by Obama’s administration are flat-out lies, that our government is in fact engaging in cyber warfare, and just like every other country on the planet, flatly denies it.  But this only makes sense: if our government (or ANY government, for that matter) were to disclose that they were in fact involved in offensive cyber attacks, it opens Pandora’s Box.  With all the reports of China performing offensive cyber attacks and data collection, but playing ignorant about it in the news, is it any wonder that the US would do the same?  People who can get past the conspiracies may see the logic in the government not using Libya or Pakistan as a test bed for cyber attacks, I mean let’s be honest, are these countries deploying countermeasures that are adequate enough to repel our airborne and cloaking technologies? I highly doubt it, and in this age of WikiLeaks, would America really want to risk being under the spotlight on the world stage for matter-of-factly employing cyber offensives?  I think not. 
That being said, it is almost certain that cyber warfare will be a part of the future of war.  Strictly from an IT Security standpoint, it will be interesting to see how this new arm of warfare shapes the future faces of war.




References:

 Mills, E. (2011).  U.S. rejected cyberattack on Libya, report says.  Retrieved 20 October, 2011 from Cnet Web site: http://news.cnet.com/8301-1009_3-20121681-83/u.s-rejected-cyberattack-on-libya-report-says/

Friday, October 14, 2011

Week 7 Post: German officials accused of hacking… by hackers.

A group of German hackers known as the ‘Chaos Computer Club’ (CCC) alleges that it has uncovered a Trojan program designed for spying on Skype communications.  The allegations are leveled at German law enforcement officials, whom the group says used the Trojan for surveillance. 
After reverse-engineering and analyzing the ‘lawful interception’ malware used by German police forces, the group found that the Trojan has flaws which expose the infected computer to serious attacks by third parties.
The CCC wrote in a post on its Web site: "The malware can not only siphon away intimate data but also offers a remote control or backdoor functionality for uploading and executing arbitrary other programs. Significant design and implementation flaws make all of the functionality available to anyone on the Internet."
The group uncovered the Trojan while doing consulting work for German lawyer Patrick Schladt, who is defending a client facing charges of illegally exporting pharmaceuticals.  Schladt had given his client’s laptop to the CCC for a forensic examination.  Using forensic software, the CCC recovered the Trojan’s files, which had earlier been deleted to cover the program’s tracks.
Mr. Schladt alleges the Trojan was installed on his client’s laptop by customs officials at the request of Bavarian state police when the client was returning to Germany from a trip in 2009.  After his client was charged, prosecutors produced as evidence screenshots of the client’s Web browser, at which point Schladt contacted the CCC.

Snooping on suspected criminals is within legal guidelines for German authorities, but they need court permission to do so, and any spyware used to monitor Voice over IP (VoIP) calls may neither alter code on a suspect’s computer nor have functionality added beyond call interception.
Mr. Schladt argues that the screenshots presented demonstrate that the software used to spy on his client’s laptop went “way too far for German logging” laws.  He brought his argument to a higher court and the judge agreed.  Mr. Schladt said: "The most important thing is that every screenshot that was made and every file out of that Trojan will not be in the case."

The malware in question, known as the “State Trojan” or “R2D2”, can monitor not only Skype but also MSN Messenger and Yahoo Messenger communications.  It can additionally capture keystrokes in Internet Explorer, Firefox and other browsers, and take screenshots. 

The malware violates German law because it can receive program uploads from the Internet and execute them remotely.  According to the CCC: “This means, an 'upgrade path' from lawful spyware to the full State Trojan's functionality is built-in right from the start. Activation of the computer's hardware like microphone or camera can be used for room surveillance, the government malware can, unchecked by a judge, load extensions by remote control, to use the Trojan for other functions, including but not limited to eavesdropping."

The State Trojan could theoretically be used to plant evidence on the infected machine.  It could also delete files, thereby obstructing justice.  It also has serious security holes that open the infected computer to attacks by parties other than the law enforcement agency controlling the software.

"The screenshots and audio files it sends out are encrypted in an incompetent way, the commands from the control software to the Trojan are even completely unencrypted," the CCC post says. "Neither the commands to the Trojan nor its replies are authenticated or have their integrity protected. Not only can unauthorized third parties assume control of the infected system, but even attackers of mediocre skill level can connect to the authorities, claim to be a specific instance of the trojan, and upload fake data. It is even conceivable that the law enforcement agencies' IT infrastructure could be attacked through this channel."
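The CCC’s point that the control channel is neither authenticated nor integrity-protected is the root of the “anyone on the Internet” problem: if the implant cannot tell the operator’s commands from a stranger’s, whoever can reach its port owns the machine. The following Python example is added here to illustrate that difference; it is not the State Trojan’s protocol and not code from the CCC or from the page. It contrasts a plain, unauthenticated command format with one that carries a per-message counter and an HMAC-SHA256 tag under a shared key (the wire format, key and command names are constructed for the example). It addresses authentication, integrity and replay only; the separate problem of commands travelling in the clear would additionally need encryption.

```python
"""Unauthenticated vs. HMAC-authenticated command channel (added example).

Not the State Trojan's real protocol: the wire format, key and command
names below are constructed for illustration only.
"""
import hashlib
import hmac
import json
import struct

HEADER_LEN = 8   # big-endian 64-bit message counter
TAG_LEN = 32     # HMAC-SHA256 output size


class ChannelError(Exception):
    """Raised by the authenticated receiver for forged, tampered or replayed messages."""


# --- The weak design: a command is just a serialized dict. ---------------

def encode_unauthenticated(cmd: dict) -> bytes:
    """Anyone who can reach the listener can produce a message like this."""
    return json.dumps(cmd, sort_keys=True).encode()


def decode_unauthenticated(blob: bytes) -> dict:
    """The receiver has no way to tell the operator from a third party."""
    return json.loads(blob.decode())


# --- The hardened design: counter || body || HMAC(key, counter || body). --

def encode_authenticated(key: bytes, counter: int, cmd: dict) -> bytes:
    header = struct.pack(">Q", counter)
    body = json.dumps(cmd, sort_keys=True).encode()
    tag = hmac.new(key, header + body, hashlib.sha256).digest()
    return header + body + tag


class Sender:
    """Operator side: holds the shared key and a strictly increasing counter."""

    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def send(self, cmd: dict) -> bytes:
        self.counter += 1
        return encode_authenticated(self.key, self.counter, cmd)


class Receiver:
    """Implant side: verifies the tag before trusting anything in the message,
    then rejects counters that do not move forward (replay protection)."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0

    def accept(self, msg: bytes) -> dict:
        if len(msg) < HEADER_LEN + TAG_LEN:
            raise ChannelError("truncated message")
        header, body, tag = msg[:HEADER_LEN], msg[HEADER_LEN:-TAG_LEN], msg[-TAG_LEN:]
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()
        # Constant-time comparison; verify BEFORE parsing the body.
        if not hmac.compare_digest(expected, tag):
            raise ChannelError("bad authentication tag")
        counter = struct.unpack(">Q", header)[0]
        if counter <= self.last_counter:
            raise ChannelError("replayed or out-of-order message")
        self.last_counter = counter
        return json.loads(body.decode())


def rejected(receiver: Receiver, msg: bytes) -> bool:
    """True if the receiver refuses the message."""
    try:
        receiver.accept(msg)
    except ChannelError:
        return True
    return False


def demo() -> dict:
    """Run the two designs against the same attacks and report what each lets through."""
    key = b"per-implant-secret-provisioned-out-of-band"  # constructed demo key
    results = {}

    # 1. Unauthenticated channel: a stranger's command is accepted as-is.
    forged = encode_unauthenticated({"op": "upload_and_run", "url": "http://attacker.invalid/x"})
    results["plain_forgery_accepted"] = decode_unauthenticated(forged)["op"] == "upload_and_run"

    # 2. Authenticated channel.
    operator = Sender(key)
    implant = Receiver(key)
    m1 = operator.send({"op": "screenshot"})
    results["genuine_accepted"] = implant.accept(m1)["op"] == "screenshot"
    results["replay_rejected"] = rejected(implant, m1)            # same message again

    m2 = operator.send({"op": "screenshot"})
    tampered = m2[:HEADER_LEN] + m2[HEADER_LEN:-TAG_LEN].replace(b"screenshot", b"shell_exec") + m2[-TAG_LEN:]
    results["tamper_rejected"] = rejected(implant, tampered)      # body changed, tag no longer matches

    stranger = Sender(b"some-other-key")                           # third party without the key
    results["forgery_rejected"] = rejected(implant, stranger.send({"op": "upload_and_run"}))

    results["fresh_accepted"] = implant.accept(m2)["op"] == "screenshot"  # untouched m2 still valid
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:24s} {outcome}")
```

The order of checks in `Receiver.accept` is the point: the tag is verified over the raw bytes before the body is parsed, so a forger without the key never reaches the JSON parser or the command dispatcher, and the monotonically increasing counter means a captured genuine command cannot simply be sent again later.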
The CCC says it has contacted the German Ministry of the Interior about what it has uncovered, and that the ministry has had enough time to activate the Trojan’s existing self-destruct function.

At a news conference on October 10, German federal government spokesman Steffen Seibert said that officials are looking into the matter: “We are taking the allegations very seriously; we will need to check all systems thoroughly.”

WikiLeaks had released a confidential memo in 2008 showing communications between German state law enforcement and DigiTask, a German software company whose products are capable of monitoring Skype communication.

Seibert said that the software in question was three years old and had not been used by federal officials.
DigiTask lawyer Winfried Seibert said that the company had developed programs for authorities in Germany.
Regarding the use of the trojan, if it’s within German laws to spy on people’s computers in this fashion, then there’s nothing wrong with them using such methods.  The problem lies in the idea that they are creating security holes in the victim’s machines.    

References:
Mills, E. (2011).  Hackers say German officials used backdoor.  Retrieved 12 October, 2011 from Cnet Web site: http://news.cnet.com/8301-1009_3-20118194-83/hackers-say-german-officials-used-backdoor/