Your Network Is The Modern Day Castle, And It Is Under Seige.

‘In cyber space, computers are attacked from the moment they connect to the Internet’ – Ed Skoudis, Counter Hack Reloaded.

As I am studying for my next Certificate, the SANS GCIH, I am drawn back to the memories of my summer vacations with my grandfather in Hawaii. Every summer began by reading a book of his choosing, and when I arrived in Oahu, we would spend the next six weeks discussing it while going on the greatest adventures.

The last summer I spent with him our discussion focused on Sun Tzu’s Art of War 孫子兵法.  My grandfather would say that ‘life is challenging, its distractions will pull you in a million directions. In order to succeed, you need to apply a filter that takes all the chaos and puts it into perspective. Rather than seeing problems you now see opportunities.’ – Sean Maximus Murphy

The Art of War has survived for 2,500 years because its advice is not only persuasive, but concise, easy to grasp, and malleable. The Art of War is a series of recommendations that can be continuously adapted to a diverse set of circumstances. At its core, The Art of War is about human nature, and more importantly, how it can be exploited.

This post will explore how the Art of War principals and stratagems can apply directly to the modern world of Cyber Security.

Sun Tzu’s The Art of War begins with a forewarning:  ‘The Art of War is a matter of life and death, a road either to safety or to ruin. Hence it is a subject of inquiry which can on no account be neglected.’― Sun TzuThe Art of War

Sun Tzu stresses throughout his treatise; ‘Know thy enemy. A thousand battles, a thousand victories.’ ― Sun TzuThe Art of War

So who is this enemy?

Professional criminals are well funded ‘businessmen’ who have adopted ‘corporate best practices’ establishing professional business models that outsource cybercrime called Crime-as-a-Service (CaaS). It is a distributed system where anyone with an agenda canobrela-security-industries-8-638 simply rent, lease or purchase an ‘‘As-A-Service’, services and ‘cash in’ on their crimes.

Some of the more of the well-known services include

  • Distributed Denial of Service as a Service (DDoSaaS)
  • Ransomware as a Service (RaaS)
This list is growing exponentially.

An advanced persistent threat (APT) is an attack campaign carried out by a team of sophos-apt-lifecycle1highly sophisticated cyber criminals with substantial financial backing.

The APT’s intent is to establish an unlawful, long-term presence on a network harvesting intellectual property and/or sensitive data usually by installing malware downloaded by advanced social engineering techniques such as Whaling campaigns.

Insider Threats are employees who have access to the organization’s network and are able to misappropriate data, use data exfiltration or destroy/alter the data. More often than not they are able to use legitimate credentials and permissions in order to access the data, consequently evading detection.

  • According to the 2017 Crowd Search Partners Insider Threat findings,
    • 56% of security professionals say insider threats have become more frequent in the last 12 months.
    • 60% privileged users, such as managers with access to sensitive information, pose the biggest insider threat to organizations followed by 57% third parties and 51% of regular employees.
    • More than 75% of organizations estimate insider breach remediation costs could reach $500,000 while 25% believe the cost exceeds $500,000 and can reach in the millions.

Hacktivists are motivated by personal, political, religious or other beliefs, and they are intent on causing destruction and disruption including

  • Data theft
  • Reputational Damage (Release of emails/confidential information)
  • Distributed Denial of Service Attacks (DDoS)
  • Defacing websites

Nation States Bad-Actors who are preparing for

  • Cyber-war
    • Utilizing malware in order to disrupt or disable key infrastructures including power grids, water treatment plants, and nuclear power plants.
  • Network Infiltration
    • Launching distributed denial of service attacks (DDoS) in order to shut down access to government websites, emergency systems, and transportation systems.
  • Espionage
    • Collecting information for leverage such as blackmail.

 


 

‘Just As Water Retains No Constant Shape, In Warfare There Are No Constant Conditions’― Sun TzuThe Art of War

Cyber criminals are ruthless in their pursuit of finding a weakness they can exploit via rootkits, keyloggers, RATs, botnet attacks and countless other attack types and vectors. If successful, they will go back and collect their treasures that can be readily bought or sold on the Darknet including credit card numbers, social security numbers, bank account data and intellectual property. Worse yet, take control of your system to be used in a botnet in order to carry out future attacks on other systems.

Organizations can no longer remain the slow moving dinosaurs of the past using the excuse ‘we have always done it this way.’ Organizations need to be consistently evolving and adapting by upgrading systems, introducing new technologies and/or changing business models. The goal of securing your network is an ongoing, never-ending task; Organizations should be utilizing a best practice framework for IT, such as COBIT 5.vijf

‘You can be sure of succeeding in your attacks if you only attack places which are undefended.’ ― Sun TzuThe Art of War

In 2017; your network is constantly under attack.  The typical system will be attacked hundreds if not thousands of times in a given day. However, cyber criminals are lazy and will always ‘attack a weakness,’ over a stronghold. Employees, weak passwords, unhardened, and unpatched systems are their favorite ‘go-to’s.’

  • Employees are targets
    • Your employees are the principal targets for cyber criminals to gain access to your organization’s resources with Phishing attacks being the most common means by which breaches occur.
  • Weak passwords are a vulnerability
    • ‘Weak’ passwords may be the difference between a future breach and the security of your organization’s data.
    • Organizations control access to their data and systems 1409797915660227through ‘authentication,’ i.e., ‘the extension of trust’ based on a form of furnished proof of identity, that proof is more often than not a password.
    • Educate employees on why using strong passwords is essential, not a hassle.
      • A strong password should be at least eight characters and should include uppercase, lowercase, and special characters – like @#?%^&*.
      • Adding just one capital letter, and one special character changes the processing time for a cyber criminal to crack an eight character password from 2.4 days to 2.10 centuries. Think about that!
  • ‘Out of the Box’ is not secure
    • The majority of individuals want ease of use in their devices. However, ‘out of the box’ or default configuration settings are far from secure and are easily ‘hacked.’ Default accounts and passwords need to be changed, and unnecessary services should be removed.
  • Patch Everything
    • Organizations can significantly reduce their cyber-risk by running the latest software and applications on all devices.

‘The whole secret lies in confusing the enemy so that he cannot fathom our real intent.’ ― Sun TzuThe Art of War

Worlds-Biggest-Data-Breaches-1-August-2016

When data becomes compromised, the consequences can be devastating. High-profile data breaches and ransomware attacks are increasing daily. Critical data should be encrypted both at rest and in transit.

Simply, data is always either in transit, moving via applications, email, through website connections and browsers; While at rest, it is stored in databases, the cloud, hard drives, and mobile devices.

  • Organizations that manage information have an obligation to protect it.
  • In the case of sensitive/confidential information, it is the law.
  • Encryption, using the science of cryptography, jumbles plain text into an unreadable cipher text using an algorithm that is irreversible without the decryption key.
  • At a minimum
    • Mobil devices should have their hard drives encrypted, thus reducing the risk of information exposure if the device is lost or stolen.
    • Servers, databases, backup media and all files containing sensitive/confidential information should be encrypted.
    • Encrypt data that is synced with the cloud.
    • All employees especially contractors and third-parties,  that access resources remotely should do so through a Virtual Private Network (VPN).

Backup, Backup, Backup

  • This principle can not be stressed enough. Backup your data people.
  • There are two kinds of organizations: those who have lost critical your-money-or-your-data-ransomware-cyber-security-and-todays-threat-landscape-18-638data as the result of not backing up their data, and those who will.
  • Backing up your data can literally be the only thing that ensures that your organization is able to continue to operate if critical data has been appropriated, corrupted, or held hostage by ransomware.
  • The threat is defused if you have a physical copy, a second copy off-site and a third in the cloud.

All warfare is based on deception.’ ― Sun TzuThe Art of War

Social Engineering is the ‘art of deception on the grandest of scales,’ and your employees are the weakest link in the chain. Cyber criminals prefer social engineering because ‘it is much easier to hack a human than a secured network.’  Social engineering attacks are a choreographed strategy against many employees, i.e., Phishing or a high valued target, i.e., Whaling.

However, social engineers also use an assortment of in-person or over the phone techniques to steal data, identities, credentials, money and/or infect a computer with viruses, keyloggers, trojans, and spyware.

In recent years, social engineering has been the primary cause of many high profile cyber-attacks. The impacts can be staggering including

  • Economic Loss
  • Business Failure
  • Loss of Privacy
  • Loss of Goodwill
  • Lawsuits
  • Regulatory Issues (PCI-DSS, HIPPA)

‘First lay plans which will ensure victory, and then lead your army to battle’― Sun TzuThe Art of War

When we know what assets cyber criminals are likely to target, organizations can better focus on protecting them.

  • Asset Management
    • Before you can confirm that your organization’s IT Resources are secure, you have to know what they are and where they are.
    • Create an inventory of your resources including their location, hardware, software and operating systems and update it regularly.
  • Physical security assessment
    • Review perimeter barriers, access controls, fencing, and electronic security systems.
  • Operational Security Assessment (OPSEC)
    • The majority of security failures occur on the operational side.
    • OPSEC emboldens organizations to view operations from the perspective of an outsider (i.e., competitor or cyber criminal) in order to identify vulnerabilities.
    • If an organization is able to remove their data while impersonating an outsider, the odds are high that cyber criminals can too.
      • OPSEC consists of a five step process
        • Identify the Critical Information
        • Determine the Threats
        • Analyze the Vulnerabilities
        • Assess the Risks
        • Apply Applicable Countermeasures

‘Rouse him, and learn the principle of his activity or inactivity. Force him to reveal himself, so as to find out his vulnerable spots.’ ― Sun TzuThe Art of War

There is no ‘Silver Bullet’ for cybersecurity. The only way to know that you have taken reasonable safeguards is to monitor and test them.

  • Real-Time Systems Monitoring
    • Monitoring systems in real-time for any unusual activity or suspicious behavior that could indicate a breach is in progress. This can alert security teams to shut down any access before criminals can do significant damage.
  • Your systems’ security logs are your friend
    • Log monitoring is a best practice and a crucial part of performing due diligence.
      • They identify event patterns
      • They pre-empt insider attacks
      • Real-time alerts can detect, alert, and avert network security attacks
      •  They are a pro-active measure, thus reducing the risk to business continuity
  • Endpoint Assessments
    • Ensure that all desktop, laptop, printers or any internet-capable computer hardware device on a TCP/IP network within the organization have not been compromised.
  • Perform Vulnerability Assessments (especially on legacy resources, i.e., older systems.)
    • Network Vulnerability Assessments look outward to your publicly exposed (i.e., internet-connected) firewalls, routers, servers and other devices in order to identify weaknesses.
    • Servers Vulnerability Assessments look internally focusing on applications and software running on servers providing reassurance that a breach has not occurred and looked to identify security holes.
  • Website Assessment
    • Any devices connected to the internet represents a likely attack vector for cyber criminals to enter your network. Some of the most dangerous attack methods include
      • SQL Injection (SQLi) Number 1 issue listed on OWASP 
      • Cross-Site Scripting (XSS)
      • Cross-Site Request Forgery (CSRF)
    • Testing detects vulnerabilities within web applications that are accessible from both inside and outside the organization and indicates what needs to be corrected.
  • Penetration Testing (Pen Testing)
    • Pen testing captures a picture of the current security posture and identifies potential security breach points. Moreover, it tests the effectiveness of existing security processes and ensures that configuration management has been followed through on assiduously.
  • Employee Awareness
    • Test your employee’s knowledge from the C-Suite to the mailroom.
    • Engage your IT department or hire an outside firm to run Phishing campaigns, Phone-based and In-person Social Engineering tests.
      • The phishing tests will determine how likely your employees are to click on a malicious link.
      • Phone based/In-person tests will demonstrate how much confidential data was able to be extracted from your employees.

‘In The Midst of Chaos, There Is always Opportunity’ ― Sun TzuThe Art of War

It ‘is not if but when’ your network will be attacked. Security teams and management should capitalize on the experience as an opportunity to learn. The more security teams can learn, the more effective they can become. Incorporate the intelligence that was learned from previous security incident(s) into the company’s overall security strategy and make practical and efficient use of it in order to make better-informed decisions.

‘Do not repeat the tactics which have gained you one victory, but let your methods be regulated by the infinite variety of circumstances.’ ― Sun TzuThe Art of War

So far in 2017 (as of 6/30/2017), there have been over 790 security breaches with more than 12,389,462 records exposed. Cyber criminals are not static; they exist in a state of flux. Altering methods, strategies and exploit tools. When it comes to defeating this elusive enemy, organizations must move from a position of defense-waiting for a cyber criminal to breach their network, to one of offense-controlling the cyber criminals actions and denying them the wherewithal to call the shots

In conclusion, Cyber criminals are increasingly harder to trace and even harder to remediate. They are creative collaborators, sharing successful techniques and progressively more dangerous malware. They are stealthier, using multiple vectors and entry points in order to navigate around network defenses and breach them; not to mention remaining hidden in our systems longer, thus becoming more costly for organizations. Business continuity is crucial for the success of any organization. Insecure systems are detrimental. Follow the teachings of Sun Tzu. ‘Victorious warriors win first and then go to war, while defeated warriors go to war first and then seek to win’― Sun TzuThe Art of War

 

Really? Haha, No…

forensics15

Over the weekend, I participated in GoogleCTF2017, my first Capture The Flag (CTF) event. It was both humbling and exciting.  

If you asked me three days ago what was the absolute worst thing someone could say to me, I would have given a completely different answer than today, but today, my answer is ‘Really? Haha, no…’ a phrase I heard way too many times as I worked through the challenges trying to find flags.

In a CTF, each team has a set of challenges that needs to be solved in order to find the flag and grab the points. The flag is usually a piece of code =>CTF{this-is-a-flag}<=.  

CTF competitions touch on many aspects of information security including cryptography, steganography, reverse engineering, forensics, and other topics.

There are three common types of CTFs 

  • Attack and Defend
    • Red Teams (Offense) vs. Blue teams (Defence) actively attacking and defending network infrastructures.
  • Jeopardy.
    • Challenges are broken up into multiple topics ranging from easy to difficult, to insane. 
  • Mixed.
    • Varied formats. Depends upon the host of the event.

GoogleCTF2017 was set up as a Jeopardy-style event, and it turns out that I knew more than I thought; Moreover, it was a wonderful experience competing against peers and picking up mad new skills while expanding upon my security knowledge.

In order to increase my skills in preparation for this CTF (and many others to follow), I used the websites below to practice and train.

As a Front-end developer, knowing how to exploit your own web applications before a cyber criminal can is critical and Google Gruyere is an invaluable resource. You ‘learn by doing’ and in that process, you come to understand how applications can be attacked using cross-site scripting vulnerabilities (XSS) and cross-site request forgeries (XSRF). Additionally, it allows the user(s) to find, fix, and avoid vulnerabilities and other bugs that have an impact on security including

  • Denial-of-service (DoS)
  • Information disclosure.
  • Remote code execution.

However, the greatest part of the weekend I have neglected to mention so far was the elation you feel when you use tactics and exploits to find a flag, and it works, i.e., ‘you have successfully hacked something, and you captured a flag.’ Today, I realized, I belong in this field.

Results:

995 points, six challenges, ten hours, two days.

  • 1 Miscellaneous
    • Start Here (FAQ)
  • 3  Crypto Challenges
    • Crypto Backdoor
    • Introspective CRC
    • Shake it
  • 1 Pwn
    • Inst Prof
  • 1 Web
    • Joe

You don’t have to be an expert in order to compete in a CTF. You just need an unrelenting curiosity and passion to never quit!  The purpose of the competition, besides capturing the flag,  is to recognize your strengths and more importantly your weaknesses. CTFs require a great deal of work and dedication but are highly rewarding. Strive for excellence.

ctf_tools_1_dark_sd

What Is Really At Stake With The People Part Of The Cyber Equation?

images (15)

In 2016, the world experienced an enormous uptick in data breaches; numerous ransomware attacks and devastating DDOS attacks. In 2017, the attacks are increasing in number and scope with no slowdown in sight including the WanaCry Ransomware attack that targeted 74 countries, spread by a phishing email. According to a recent PhishMe study, 91 percent of all cyberattacks begin as phishing emails.

In today’s world of technology, human error can be the difference between success and ruination. Nowhere is this truer than in the workplace, where humans are the weakest link.

Case and point being, last week I was sitting on the tarmac, my flight had been delayed due to an unruly passenger, which is nothing new these days. However, what happened next was mind-boggling.

The man sitting next me was talking to his office; he explained that his flight was being delayed upwards of an hour and wanted to make use of the time by calling his list of ‘cold calls,’ the only thing is, the list was on a word file on his computer. Apparently, he never heard of the cloud.

He instructed his assistant Julia, whom he mentioned by name several times to turn on his computer, gave her his username and the password- three times, very slowly – at a decibel so loud, it was heard by more than half of the 100+ passengers on the plane.

He then told her that his username/password in the future could be found on a blue sticky note in his top left-hand drawer and that it is never locked.

When he hung up with his assistant, he made several cold calls which he proceeded to tell each one the same nauseating scripted story. Adding insult to injury, on one call he explained to the prospective client how to avoid the security desk. I was trying not to stare, but that was ultimately futile at this point.

So, just what did I learn? (All names have been changed.)

  • His name is Paul XXXXXXX.
  • He is a Senior Vice President.
  • Paul works for a Financial Services Company.
  • His company specifically works with high-net-worth clients.
  • His office is located at xxx Wacker Drive, Chicago.
  • His office is on the XXth floor, on the west side of the building.
  • Sensitive information in his office is not secured.
  • Username is first and last name.
  • His Password for all his accounts is ‘654321′ <= Clever…
  • His Business email is PaulW@company.com.
  • Office Phone number is 872-xxx-xxxx
  • Cell Phone number is 312-xxx-xxxx
  • His personal email is Paul2xxxxxxx@AOL.com
  • His assistant’s name is Julia, who just had a baby boy 3 months ago
  • He has 4 kids (3 boys, 1 girl), all in Ivy League Universities, that is costing him an arm and a leg.
  • His 3rd wife, Natalie, who cannot cook a meal to save her life, rents high-end Jewelry for a variety of events.
  • This is my favorite => If you do not want to deal with the ‘hassle’ of going through the security desk, there is a side entrance that is always opened and will not alert the alarm system because the smokers in the building use it for a smoking area and the elevators are located at the end of the hall
  • Come up to the XXth floor, knock on the window, and ‘someone will always let you in.’

I thought for sure this has to be a joke and at any minute someone probably dressed in a killer clown suit, was going to jump out and yell ‘Never, ever do this.’ No one jumped out.

The bottom line on how does this happen? Employees know far too little about the cyber security threats today and organizations are not doing enough to educate their employees or protecting their clients’ critical data.

 It is time for all organizations to act.

It is estimated that the majority of incidents globally involve human error. Cyber imagescriminals know this is an area of weakness and they target it, and more often than not, very successfully.

Cyber security awareness is a process that needs to concern the entire organization. All employees must understand both their roles and responsibilities as employees.

Moreover, all organizations whether small, medium or large, need to understand where their weaknesses are. A good first step is by conducting cyber-risk assessments through a holistic review of their policies and education for all employees from the C-suite to the third party relationships.

Suggested training activities

  • Educate employees on the need for resource protection including protecting passwords, locking computers and locking up sensitive information.
    • Never leave your password on a sticky note where it can be stolen. Once it is out of your control, so is your security.
    • Never share your password with another co-worker. NEVER.
    • Create different passwords for different accounts and applications.
  • Educate employees on why using strong passwords is essential, not a hassle.
    • A strong password should be at least eight characters and should include uppercase, lowercase, and special characters – like @#?%^&*.
    • Adding just one capital letter, and one special character changes the processing time for a cybercriminal to crack an eight character password from 2.4 days to 2.10 centuries. Think about that!
  • Train employees on strategies used by cybercriminals to compromise networks including Phishing and fake websites; and how malicious software is installed by clicking on the links within the emails and downloading attachments from compromised websites.

Frequently conduct unannounced tests.  Engage your IT department or use outside experts to test employees both in person and on the computer using social engineering strategies.  Moreover, employees who routinely fail the tests need to be held responsible for their actions.

Cybersecurity is an enormous problem to address. Training and testing require planning and resources, but the process of preparation is far better than dealing with the aftermath.

A single vulnerability can lead to data breaches; it can also result in the theft of Personally identifiable information (PII) which often proves the most costly and detrimental to organizations. Negative headlines, financial and reputational penalties, while legal and regulatory sanctions can quickly escalate into the millions of dollars.

 

As-A-Service Expands, Buckle Up Your Seatbelt.

Cybercrime is a thriving high reward low-risk business model, and it can be summed up easily with just-$.

In the past, there were various obstacles to overcome in order to get into the cybercriminal game. The ‘original cybercriminals’ ran a centralized operation which images (7)owned the servers and constructed malicious software (malware) from scratch.

This business model proved to be incredibly expensive to operate and exceedingly time-consuming; in order to make a substantial profit, large organizations were the only option.

However, similar to other ecosystems, the cybercriminal ecosystem continues to evolve. obrela-security-industries-8-638Today,  it is a distributed system where anyone with an agenda can simply rent, lease or purchase an ‘as a Service,’ services and ‘cash in’ on their crimes.

Some of the more of the well-known as a Service, services include:

  • Malware as a Service (MaaS)
  • Distributed Denial of Service as a Service (DDoSaaS)
  • Ransomware as a Service (RaaS)
  • Hacking as a Service (HaaS)
  • Money Laundering as a Service (MLaaS) to name a few.

The distributed system requires less effort because the criminals take advantage of the current ‘trends’ including the ‘human factor,’ where one in three individuals within an organization, regardless of training, will click on a phisher’s email and/or ‘low-hanging fruit’ otherwise known as the persons or organizations that despite all the warnings incur the risks with sub-par security, found easily by an exploit kit. Rather than deploying sophisticated and expensive Zero-Day attacks, now, any endpoint becomes a potential source of revenue.

As a Service, services is a flourishing business model run on the black markets found on the DarkNet such as the TOR network. TOR is a technological revolution in the ddasfacilitation of cybercrimes, because of the anonymity under which groups are able to operate.

Cybercriminals commit crimes directly against individuals, organizations, or governments through means such as malware attacks.

Direct methods are when resources are taken directly from the victim including

The criminals also attack in indirect manners including identity theft and fraud.

Indirect methods involves information obtained covertly from the victim which can be sold on the DarkNet including

The introduction of the cloud computing as a Service, services paradigm has brought abundant 3bjbp2xc-1323738953advantages to the information technology industry but also greater opportunities for cybercriminals.

Cybercriminals no longer need to rely on their own skills and assets to carry out exploits.

Several of these services include

  • Infrastructure as a Service (IaaS) provides the rental of servers and storage devices.
  • Software as a service (SaaS) provides the infrastructure enabling the dynamic production of applications.
  • Data as a Service(DaaS) Data is stored in the cloud and is accessible by a range of systems, and devices.
  • Platform as a Service( PaaS) allows users to develop, run and manage applications without the complexity of building and maintaining expensive infrastructure and the space required to develop and launch applications.

These cloud-based technologies afford cybercriminals with greater flexibility, greater resource management and agility in the furiously-paced technological environment allowing for even-more-dangerous and aggressive exploits.

Cybercriminals have taken full advantage of these services because they eliminate the need to maintain their own infrastructure, they can facilitate better operational security (OpSec) which adds a layer of obfuscation between the cybercriminals and the organizations hunting them while efficiently creating and distributing their malware attacks.

Another fuel for as a Service is the rise and popularity of cryptocurrencies. Cryptocurrency iscrypto-currency_market_capitalizations digital money that utilizes a decentralized, peer-to-peer (P2P) payment network thus making it harder to discover criminal activity.

The most utilized form of cryptocurrency is Bitcoin.

Bitcoin is used globally for legitimate organizations but is better know for the criminal exploits.

The topic of Bitcoin would not be complete without addressing the processes of Tumbling. Tumbling essentially adds an additional layer of anonymity to block attempts to track and uncover Bitcoin transactions. There are multiple ways to Tumble Bitcoins including

  • Multiple Wallets Cybercriminals creates a wallet via TOR and adds Bitcoins to it. Atop-crypto-currency-wallets-03 second wallet is created, again, utilizing TOR, and moves the funds into the second wallet. Last but not least, a third wallet is created, and the funds are moved again, thus confusing the trail of transactions between the three wallets making attribution almost impossible.
  • Third Party Services DarkNet organizations offer services in order to launder howitworksbitcoins which add a ‘proprietary obfuscation technology’ that breaks the link to the source of the funds and prevents any blockchain analysis tracking bitcoin transactions.

The DarkNet is an encrypted network built on top of the DarkWeb. Two typical DarkNet Deep-Web-Dark-Webtypes are P2P used for file sharing and networks such as TOR for anonymity.

Tor-EncryptionTOR which is short for ‘The Onion Router,’ provides anonymity to its users by bouncing the user’s communications around a distributed network of relays worldwide; TOR also prevents tracking of what sites are visited, prevents the sites visited, from learning the user’s physical location, and allows access to .onion sites ranging from legal to absolutely illegal. TOR can be used on Windows, Mac OS X, or Linux without any additional software.

As with all things as a Service, where there is a need, service providers seem willing to satisfy it. Moreover, as long as the return on investment (ROI) remains high, the expectation for continued investment into even more resources in order to unleash greater numbers of cybercrimes on the broadest possible range of targets will continue. Buckle up your seatbelt.  

                                                 Prevention Guidelines

  • Use strong passwords- Eight characters. Include upper and lower case letters, Numbers and Special Characters (!@#$%^&*(
    • Adding just one capital letter, and one special character changes the Brute Force processing time for an 8 character password from 2.4 days to 2.10 centuries. Think about that!passwords
  • Never write your password on a sticky for an intruder to find.
  • Group the sites you visit into categories, i.e. business, personal, sensitive, and use a password for each category.
  • Activate your Firewall- it is the first line of defense.
  • Use your Anti’s
    • Anti-Virus
    • Anti-Malware
    • Anti-Spyware
  • Secure your Mobile Devices-They are just as vulnerable as your computer.
  • Install the latest OS updates.
  • Download Applications and Attachments FROM TRUSTED SOURCES ONLY.
  • Delete all unknown e-mails.
  • Use encryption for all your sensitive data.
  • Use HTTPS for all your transactions.
  • Backup your data frequently and store it in multiple locations.

Cybersecurity is a shared responsibility. Stop. Think. Connect.

‘Know Thy Enemy,’ Distributed Denial of Service or DDoS.

images

We all know the axiom ‘know thy enemy’ – and this is above all germane to DDoS attacks.

Cybercriminals and their tactics are always evolving, becoming more dangerous and harder to detect by the day.

Unlike a Denial of Service (DoS) attack, in which a single Internet-connected device causes disruption and destruction. DDoS attacks are launched from numerous compromised devices, often dispersed globally in what is referred to as a botnet and controlled remotely by the botnet herder using a covert channel, such as Internet Relay Chat (IRC).

Some of the larger botnets whose name comes from the malware used to infect them are estimated to be in the millions of bots including  Zeus or ZbotConficker, and BredoLab or Oficla to name a few.

It is estimated that upwards of 3000+ websites fall victim to DDoS attacks daily. Regardless if the websites are back up and running the same day, damages to both revenue and customer and/or client trust can follow organizations for years.

The primary purpose of the DDoS is to overload network layers with a substantial amount of outwardly legitimate traffic.  Ultimately the traffic consumes a disproportionate amount of bandwidth within and/or outside of the network and pushes network operations to become excruciatingly sluggish or basically nonfunctional.

Adding to the confusion, botnet servers can be controlled either by a single botnet herder or by multiple herders. Ultimately, at any given DDoS attack there can be multiple origins and multiple controllers making it much more complicated to mitigate than attacks originating from a single source.

The aggressiveness of DDoS attacks was illustrated last year by the Mirai Botnet in which the attacks besieged several systems using corrupted Internet of Things (IoT) devices. iot

The expectation of IoT is upwards of 25 Billion televisions, refrigerators, watches, thermostats, and other connected devices by 2020; most with minimum to zero security in order to prevent malware infections. Resulting in an unknown amount of IoT devices ending up as mindless bots caught up in a criminal botnet.

To make matters worse, roughly 40 percent of malicious bots are able to emulate human behavior. Not only do the malicious bots deceptively present themselves to websites as legitimate bots, but they can also persistently change identities.

The infrastructure which enables these attacks is also increasing rent_a_botnet_ddos_for_hire_botnet_service_02dramatically. Anyone with mal intentions can easily purchase on-demand botnet services for DDoS attacks.

They are readily available from multitudes of online sources; for as little as $5 an hour to $40 per day; Cloaked behind the definition of  Booters or stressers services.

They are also referred to as ddoser, ip stresser, ddos tools and ddos programs. No matter the name, they all provide the same service- providing paying customers with on-demand DDoS attack capabilities, at will.

Below find some of the more well-known Booters and Stressers which are easily accessed on the Internet.

NetworkStresser.com

120GB/s of combined power. Takes down everything. Working Skype resolver. Active support. Multiple payment options.

Betabooter.com

100GB/seconds. Easy to use. API. Insane Power. Accepts Paypal.

Critical-Boot.com

Good Power. Easy to use source. PayPal/Credit cards and 15% off Bitcoin. Build Your Plan.

There are three standard types of DDoS attacks including Volumetric, Application, and Protocol attacks.

Volumetric Attacks utilize massive amounts of traffic inundating the bandwidth of the host.

Volumetric attacks are generated by employing amplification techniques which primarily elicit server responses that are disproportionate to the original packet request sent; ultimately completely blocking access to a website or service. The extent of the attack is measured in either bits or packets per second. Domain Name System Servers (DNS) Amplification being a well known volumetric attack.

DNS amplification is an asymmetrical attack in which the dns amplificationcriminal exploits vulnerabilities in DNS servers, i.e., ‘The Internet’s Backbone’ by manipulating publically-accessible domain name system servers by querying the DNS with spoofed or ‘faked’ target IP’s and making them flood a server with large quantities of User Datagram Protocol (UDP) packets.

This results in small queries being turned into massive payloads that can ultimately be used to bring down even the most robust server(s).

Moreover, DNS amplification attacks often relay the exploited DNS requests through one or more botnets, radically increasing the volume of traffic and making it that harder to track the attacker(s) identity(s).

osi-modelApplication Attacks exploit a weakness in the Layer 7 or as the name suggests the application layer.

The cyber community, in general, agrees that application attacks are both the most sophisticated and the most challenging to identify and/or mitigate.

Application attacks begin with making a connection with the host then it exhausts the dnshost’s resources by controlling processes and transactions. DNS Flood attacks are the most well known.

DNS floods are a symmetrical attack that endeavors to exhaust server-side assets like memory or CPU, with an inundation of UDP requests, generated by malicious scripts running on multiple botnet machines. The criminals will often target one or more DNS servers belonging to a specified zone, with the goal of obstructing and overwhelming the resolution of resource records of that zone and its subzones.

Protocol attacks specifically exploit weaknesses in the Layer 3 and Layer 4 protocol stack by consuming all the processing capacity of the intermediate critical resources like a firewall causing service disruption; With the most notorious attack being the Ping of Death.

A ‘ping’ is part of the Internet Control Message Protocol (ICMP) which is a networking utility that determines whether or not a host is reachable. The ICMP request packet is sent to the host, which the host then responds with an ‘echo’ reply. The size of an accurately formed ICMP request packet should be no larger than 65,535 bytes; anything larger is in violation of the Internet Protocol.ping of death

Criminals, in turn, send malformed packets in fragments as fast as possible in which the host attempts to assemble using up bandwidth. This leads to a packet size which violates the internet protocol of 65,535 bytes causing a buffer overflow, and eventually causing the host to crash and become unavailable for legitimate users. This is a Ping of Death DDoS attack.

DDoS scripts are written most often in Python, PHP, or Pearl and refers to malicious software that enables the execution of DDoS attacks.Each script can diverge in severity, ease of use and impact and attacks at the application layer.

Some of the DDoS scripts available for free on the internet (too many to list) include

LOIC  (Low Orbit In Canon)

LOIC was made famous by the hacker group Anonymous. It is easy to use especially for beginners, because of its easy-to-use GUI; all you need is the URL of the IP address of the server. LOIC performs the DOS by sending UDP, TCP, or HTTP requests to the victim server.

XOIC

XOIC comes with an easy-to-use GUI, so all levels can easily use it to perform attacks on servers and websites anonymously and secretly. All that is required is an IP address.

XOIC has three methods including, Test mode; Attack mode; Attack mode with a TCP/HTTP/UDP/ICMP Message.

TORsHammer

Tors Hammer is written in Python, and it is a slow post tool* that can be run through the TOR network** and can kill most unprotected web servers running Apache and IIS by means of a single occurrence.

HOIC (High Orbit in Cannon)

HOIC is written in BASIC and is an open source network stresser that can attack as many as 256 URLs at any one time.

Slowloris

Slowloris is written in Python and operates at the application layer. It opens as many connections to the web server as it can, and holds them open as long as possible by sending partial requests, and periodically adding them to keep the connection alive but never completing and denying connection attempts from legitimate users.

DDoS toolkits are software packages that require greater resources and generally more in-depth knowledge of scripting and systems and attacks the network layer. They infect computers and other Internet-connected devices (IoT) with malware in order to build a botnet.

The malicious bot landscape continues to evolve. Considering that more than 60 percent of the Internet traffic is generated by bots of which upwards of 30 percent is represented by malicious bots which present a force to be reckoned with when talking about internet security.

DDoS attacks can be unassuming or sophisticated, regardless, they are always ddos ransomdangerous, calculated and profit-driven with DDoS ransom being one of the nastiest elements.

Extortionists will demonstrate their capabilities by acting out an attack such as shutting down a website, followed by a threatening e-mail requesting a monetary sum usually in Bitcoin to be paid within a time-period. ‘Pay the ransom or face greater attacks.’

The extortionists will continue broadening their scope and diversifying their targets to include more diverse industry sectors and larger organizations and even larger payoffs.

Below find a few strategies which can make your network less vulnerable to attackers, remembering, there is No 100 Percent Solution to prevent cyberattacks. Continuous learning and continuous experimentation are critical.

  • Limit the number of new connections. Set parameters for the number of new connections during specific periods of time by a single user or by the network. Doing this simple strategy will make it that much harder for a criminal to overload systems.
  • Bandwidth Shaping. If configured correctly, bandwidth shaping can be an easy to apply policy against DDoS attackers.
  • Network Segmentation. By dividing your network into segments into public and internal sections, each protected by a firewall, this tactic can support your internal network when there is a DDoS attack against your public-facing systems.

CyberSecurity is a shared responsibility. Stop. Think. Connect.

It’s A Brave New Bot-Filled World, With Great Possibilities And Even Greater Risks

‘Bots’ short for robots, are essential to the Internet ecosystem. It is estimated that more than 60 percent of botwebsite traffic is not human, but bots. Bots are essentially software programs that perform automated, repetitive, pre-defined tasks.  These tasks can include almost any interaction with software that has an Application Program Interface (API).

There are many varieties of bots. Some are just basic programs that execute physical work such as ‘Crawlers’ who run continuously in the background, primarily procuring data from other APIs or websites. Then there are specialized crawlers called ‘Spiders’ that extract URLs from documents, download the content and then pass it off to an indexing system to analyze, and construct into searchable indexes like Googlebot. Some only monitor e-commerce websites for price changes, and still, countless others, monitor for site errors, bugs, and performance issues. However this is not the end of the story, but merely just the beginning.

The evolution of bots focuses on the boundless possibilities and opportunities for both businesses and individuals. Add in Artificial Intelligence (AI), Machine Learning (ML), and Natural Language Processing (NLP) all of which enable greater accuracy in understanding both spoken and typed words are bringing never-before-imagined levels of personalization and predictive assistance to generations of mobile-intuitive consumers who are content and self-assured with messaging as a communication paradigm.

These smarter bots have a unique server-side processing component that allows seamless interaction as they are able to understand and respond to queries balanced with a live network for assistance. We interact with these bots through Mobile messaging and/or Chatbots. These natural language interfaces enable retailers, restaurants, and multitudes of other companies to communicate with customers in an innovative and compelling way from hailing a cab, ordering takeout, designing that unique pair of shoes, or paying your credit card bill.

Then there are the autonomous bots, the most rapidly accelerating bot space which includes the Internet of Things (IoT) devices encompassing the self-driving car; to  ‘Amy Ingram,’ a virtual assistant; to Amazon’s Delivery Drones. These bots will eventually require zero human intervention to their jobs.

In contrast, no conversation about bots would be complete without an overview of the Malicious bots which are capable of causing enormous damages to organizations network infrastructures, reputations, brands or their bottom lines.

As technology advances and becomes more easily accessible, bots are becoming the go-to tool of choice for cybercriminals accounting for over 80 percent of all cyberattacks. Add in human characteristics from AI, and these bots become harder to detect by the authorities. While other malicious software corrupts and damages the infrastructure of their targets, these advanced bots are also known as ‘Impersonators’ infect networks in a way that escapes the immediate notice, and the damages can quickly run into the millions.

Here’s how it works: Cybercriminals use Social Engineering techniques such as Phishing, spam, or malicious websites to entice users to download and install various forms of malware, i.e., malicious software including

Traditional-Botnet

A malicious bot, also known as a “Zombie,’ not unlike a worm, is self-propagating malicious software designed to infect a host and connect to a C&C or central command and control server(s). Bots are part of a network of infected computers, known as a ‘botnet,’ which can stretch across the globe controlled by a ‘botnet herder.’

No network is immune.

Once the botnet infiltrates, they go to work logging keystrokes, collecting passwords, amassing e-mails, gathering financial information, spreading spam, capturing and analyzing packets, hijacking servers, and launching Distributed Denial of Service (DDoS) attacks.

DDoS attacks are an ever-growing threat to businesses, growing in both scope and DDos-attack-modeoccurrence every year. Moreover, they are becoming harder to thwart because the attacks are allocated across sundry public anonymous proxies including TOR enabling the substitution of users’ IP addresses with untraceable proxies.

A discussion of impersonators would not be complete without the mention of Googlebot-again. These imposter bots gain privileged access and capture tons of sensitive, valuable online information. Additionally, they are utilized for DDoS attacks. According to the folks at Incapsula, ‘1 out of 25 bots are up to no good.’ Source: Incapsula

two-faces-of-google-dr-crawlit-mr-hack

Cybersecurity is often described as an arms race, Security professionals vs. Cybercriminals. Both sides are tirelessly working to stay ahead of each other. When one side finds a newer more resilient defense, the other side develops a shrewder more destructive offense. What was a sure thing today, is sure to be old news tomorrow. Never stop learning.

Protecting yourself and your organization requires immediate action. 

  • Never open e-mails from unknown senders.
  • Never download attachments or click on links from unknown senders.
  • Never click on pop-ups.
  • Never insert an unknown USB stick into your PC, Laptop, etc.
  • Never store sensitive or critical data only on your PC. Have at least two backups– an external hard drive and in the cloud.
  • Adjust your browsers’ security and privacy settings.
  • Use an HTTPS connection for all credit card transactions.
  • Keep your operating system and software up to date.
  • Never log in as an administrator. Rather choose a guest with limited privileges.
  • Removed outdated plugins and add-ons.
  • Disable ActiveX content in Microsoft Office applications.
  • Block TOR and I2P.
  • Disable remote desktop.
  • Use an anti-virus product.
  • Use a traffic filtering solution that can provide proactive anti-ransomware protection.
  • Block binaries running from %APPDATA% and %TEMP% paths.
  • Work with the C-Suite to enact social engineering awareness training for all employees.
  • Consider a Computer Incident Response Team (CIRT), based on the organization’s needs and available sources.
  • Have a tested business continuity plan in the event of any cyberattack.

P.S., I am not a bot annie2

Cybersecurity is a shared responsibility. Stop. Think. Connect.

Ransomware Is A Global ‘Cash Cow.’

Last month my 97-year-old Grandparents were celebrating their 70th  Wedding ksb_2016_eng_1Anniversary. I suggested that we hire a professional photographer for this ‘once in a lifetime moment.’  However, weeks after the pictures were promised, all attempts to make contact were avoided. Finally, I tracked the photographer down and demanded the photos. He broke down and blurted out that ‘ransomware had encrypted his computer which was filled with years of work. He followed the instructions, but his files were deleted.’  I had to ask if he had a backup, he just hung his head and said ‘he meant to get around to it….’

Ransomware is malware which installs covertly on a victim’s computer, smartphone or iot-ransomwarewearable devices and encrypts the victims’ data making it inaccessible until the victim pays for a decryption key. IOT/Ransomware

Ransomware will target and encrypt all files on the targeted network. Additionally, if online backups are located, more often than not, they may also be encrypted or deleted in order to prevent the organization from recovering encrypted data without first making the ransom payment.

Once the encryption process is complete, the splash screen appears, explaining that your data has been encrypted, time restriction threats, and specific payment amount usually in the form of a cryptocurrency such as Bitcoin. Bitcoin is preferred by cybercriminals because it is an encrypted, completely anonymous payment system independent from any central bank.

Splash Screen

jisaw-ransomware

Before a payment can even be made, a cryptocurrency wallet must be attained. The wallet is principally a sequence of letters and numbers used as a private encryption key.

Each cryptocurrency wallet varies from each other including the diverse mediums the wallets are stored on; or as in the case of a hybrid, offering more than one method of accessing the wallet.

The wallet types include Mobile which is run on a smartphone application; Online which is a web-based wallet on either a real or virtual server;  Hybrid which encrypts the private data before being sent to the online server. Hardware is dedicated hardware that stores the user’s private keys securely-USB devices for transport and security.

The one similarity among all the wallets is, if you lose your private encryption key, then you lose your money.

CryptoCurrency Wallets

top-crypto-currency-wallets-03

Once uniquely a consumer threat, ransomware’s technical capabilities paired with exceptional social engineering strategies have evolved into an efficient global business model and a ‘cash cow’ for cybercriminals. The same can not be said for the targeted organizations’ bottom line. Either directly or indirectly, ransomware can have a treacherous effect including productivity losses; reputational loss and substantial legal fines.

Furthermore, attacks that include the theft of regulated data comprised of personally identifiable information (PII), sensitive health information and/or credit card data are particularly sinister because of the probable data breach notification requirements, leading to potentially hefty regulatory penalties; financial loss and/or failure particularly since the average cost of a data breach is currently tracking at $4+ million per breach and expected to rise.

imagesCybercriminals will often leverage vulnerabilities in operating systems and software in order to gain initial access; However, the most successful attacks occur when cybercriminals exploit the organization’s own employees. Targeted social engineering techniques will ultimately do the ‘dirty work’ of infecting networks and operating systems, as employees remain the weakest link from a security perspective.

                                               The Enemy (Only a fractional list)

CryptoWall 3.0

CryptoWall 3.0 is extensively distributed using various exploit kits, spam campaigns, and malvertising techniques. It uses I2P anonymity network proxies for communicating command and control servers (C&C); TOR network for payments using Bitcoin.

CryptoWall 3.0, uses an AES key for file encryption. For added confusion, the AES key is encrypted further using a unique public key generated on the server making it completely impossible to find the actual key needed to decrypt the files.

CTB-Locker or Curve-Tor-Bitcoin Locker.  

Curve based on elliptic curves, which encrypts the affected files with a unique RSA key; Tor from the malicious server placed in The Onion Router (TOR) domain; Bitcoin refers to Bitcoin payments.

CTB-Locker uses RSA-2048 Encryption. It is widespread through the use of spoofed UPS Notifications with attachments, usually a Microsoft Office document. Attempts to view will ‘require enabling macros.’ Once the macros are enabled, encryption of your files ensues.

Jigsaw

Trend Micro in 2016 discovered the crypto-ransomware called Jigsaw, aptly named after the horror movie Saw. However, although it was removed from one site, it is believed within the cybercommunity that Jigsaw can be still downloaded from other locations.

Jigsaw is different from other crypto-ransomware because it not only ‘locks users out from accessing their files, but Jigsaw will actually delete them.’ Initially, the program creates a copy of the user’s files, and encrypts them into ‘.fun,’ ‘.kkk,’ ‘.gws,’ and ‘.btc,’ files and deletes the original file. There is an animated 60-minute timer, which adds strain and anxiety due to the snowball effect of the deletion of files hourly.

Worse yet, there is never just one variant of any crypto-ransomware programs, as the cybercriminals evolve so does their destructive programs. In the earlier versions of Jigsaw, the average ransom requested was ‘$150 in Bitcoin,’ but in recent variants, the ransom request is upwards of ‘$5000 in Bitcoin and appends the user’s files in .epic.’

Why is crypto-ransomware a nightmare for end-users?     

  • The encryption is unbreakable.
  • It will encrypt all filesDocuments, images, photos, music, and videos.
  • It can cause additional stress and confusion by scrambling file names and/or appends the files with different extensions.
  • Even if you pay the ransom, there is no guarantee that your data will be released and there is an even greater chance you will become a victim again.
  • The estimated cost of ransomware globally is in the $Billions with no end in sight.

Why is ransomware so pervasive?     

  • The human factor. It is easier to get an individual to open an attachment through the use of social engineering tactics than it is to break into a network.
  • One of the more insidious threats that can be downloaded through phishing e-mails are RATs or Remote Access Trojans. What makes them different is the program provides the ability to spy on their targets. RATs not only collect keystrokes, usernames, passwords, screenshots, browser history, Social Security Numbers, and e-mails. They install backdoors allowing the cybercriminal unencumbered access. Thus allowing the cybercriminal to monitor user behavior, copy files, access other connected systems and utilize the targets internet connection for other illegal activity.
  • Estimates indicate that more than 90% of US organizations have no form of social engineering training for their employees. This makes it incredibly easy for cybercriminals and opens the organizations up to enormous risk including financial and reputational.
  • Reports estimate that more than 70% of successful data breaches started with a Phishing attack.
  • Approximations indicate that as many as 70 million phishing e-mails are sent out daily, and upwards of 7 out of 10 are infected with ransomware.
  • Smaller businesses and municipalities are often unprepared to deal with advanced cyberattacks like ransomware and/or have a casual bring your own device policy (BYOD) that can leave them vulnerable to exploits.
  • Lack of online safety awareness makes individuals prone to manipulation by other social engineering attacks, opening an opportunity for the cybercriminal to gain access and launch attacks from the inside.
  • Public institutions and government agencies which have critical databases often use outdated software and equipment, which means that their computer networks are chockfull with security holes just begging to be exploited.

 Most common methods used to spread ransomware:  

  • Ransomware as a Service (RaaS). Allows just about anyone with or without IT or coding experience, to become a successful cybercriminal at minimal expense.
  • Phishing e-mail campaigns embedded with malicious code.
  • Aggressive spam campaigns that spoof fax messages-UPS, ADP, AMEX, etc.
  • Pop-Ups.
  • SMS messages.
  • Drive-by downloads.
    • Drive-by downloads happen when you land on a compromised web page,i.e., injected with malicious code. The user will either be directed to another webpage which hosts an exploit kit or is prompted with an alert box you have to click on to ignore.
  • Internet traffic that redirects to malicious sites (Pharming).
    • Pharming can be completed either by changing the host’s file on the victim’s computer or by exploiting a vulnerability in a DNS server software.

Protecting yourself and your organization requires action. 

  • Never open e-mails from unknown senders.
  • Never download attachments or click on links from unknown senders.
  • Never click on pop-ups.
  • Never insert an unknown USB stick into your PC, Laptop, etc.
  • Never store sensitive or critical data only on your PC. Have at least two backups– an external hard drive and in the cloud.
  • Never leave your password on a sticky post where an intruder can find it.
  • Adjust your browsers’ security and privacy settings.
  • Use an HTTPS connection for all credit card transactions.
  • Keep your operating system and software up to date.
  • Never log in as an administrator. Rather choose a guest with limited privileges.
  • Removed outdated plugins and add-ons.
  • Disable ActiveX content in Microsoft Office applications.
  • Block TOR and I2P.
  • Disable remote desktop.
  • Use an anti-virus product.
  • Use a traffic filtering solution that can provide proactive anti-ransomware protection.
  • Block binaries running from %APPDATA% and %TEMP% paths.
  • Work with the C-Suite to enact social engineering awareness training for all employees.
  • Consider a Computer Incident Response Team (CIRT), based on the organization’s needs and available sources.
  • Have a tested business continuity plan in the event of any cyberattack.

Cybersecurity is a shared responsibility. Stop. Think. Connect.

Phishing Evolved.

A Whaling attack or phishing evolved is specifically aimed at a single, high-profile business target including maxresdefaultC-Suite executives. This group has access to sensitive employee, and/or customer data, banking, and/or securities accounts. Phishers target this group with e-mails and web-pages embedded with malicious code. When e-mail attachments are opened, or web-pages clicked the code is activated. The malicious code unleashes backdoors, remote access or embeds keyloggers; and within hours or days, the phisher gains access.

How does the ‘bait’ differ between Plain-Vanilla Phishing and Whaling?

Plain-Vanilla phishing attacks are a numbers game and are mass generated; they are casually addressed ‘Dear customer,’ or ‘Dear user’ e-mails, web-pages or pop-ups that appeal to a personal aspect of the target’s life. They may include ‘once in a lifetime vacation offers’ that is time-sensitive, or an urgent message which appears to be from your bank, PayPal or Netflix accounts that use threats of ‘account closure’ or ‘compromise.’

In the case of Whaling, there are a smaller number of attacks, but the phishers are looking for a bigger score.  Whaling campaigns are highly customized to an executive’s specific position and responsibilities within the organization. Moreover, the phishers will specifically target those individuals who have wire transfer authority. Phishers craft e-mails and malicious web-pages that appear to come from a trusted source which will necessitate an immediate response.

The target opens the viral e-mail attachment or clicks into a malicious Web-page. Game Over. What is even more disturbing, once phishers are armed with access, often they will launch further attacks causing considerable damage including monetary and reputational.

Why is whaling pervasive? 

A key reason whaling is so pervasive is that individuals overshare personal and behavioral data on social media applications. Phishers can tap this information otherwise known as OSINT. The well-crafted e-mails and web-pages are designed using the targets OSINT.  The more personal information the target shares publicly, the greater the risk that this information will be used to manipulate them.

The risks are real. 

The FBI has commented that whaling or what they refer to as BEC (Business Email Compromise) attacks are an ’emerging global threat.’ Companies from all 50 US states and 79 countries have lost approximately $1.2 Billion dollars in the previous two years (2013-2015).

Reducing risk.

  • Lockdown privacy settings on social media accounts.
  • Limit the use of third-party applications.
  • Two-factor authentication and multiple signatures should be implemented for the vendor payment process.
  • Employ a team either in-house or from the outside that can effectively assess the organization’s overall predisposition to phishing/whaling attacks by having a precise idea of what OSINT is available that could be used against the organization.
  • Increase awareness through continuous and ongoing training programs with staged, real-world phishing, whaling, and other social engineering attacks.
  • Look to C-Suite executives to make data breach preparedness a continuing priority for the entire company.

As information security professionals develop new defenses and warnings, the threat actors will continue to adapt, and we need to be prepared. There is no one-hundred percent fix for social engineering threats. The key is continuous training and reinforcement and should include all employees, not just management and the executive branch.

Cybersecurity is a shared responsibility. Stop. Think. Connect.

Creating A Narrative With OSINT.

ae474a69a76d1e660f8ac88ebcbdd8faInformational footprints that individuals, corporations, organizations and governments leave behind on the WWW or other open source tools, contains incredibly useful information. This information is often referred to as OSINT, and it is helpful because it can reveal actions and/or intent; and ultimately can give the holder of this information the upper hand or edge over your competition or target.

OSINT is simply Open Source + Intelligence as opposed to ‘covert or clandestine’ and includes all unclassified intelligence that is freely available. The sources where information can be located is pervasive including Web-based;  Media; Public data; Academic or Professional.

Think about it, when you are doing reconnaissance, i.e., searching for answers to a question using the Internet or other available sources, be it the latest threat intelligence, a threat actor, your next employer, or background checks on potential nannies or home contractors, you are utilizing OSINT.

OSINT is one of the many INTs disciplines or intelligence gathering disciplines. The other well-known INTs include:

  • HUMINT Human Intelligence gathered from a person on the ground.
  • FININT Financial Intelligence gathered from analysis of monetary transactions.
  • GEOINT Geospatial-Intelligence gathered from satellite, aerial photography, mapping/terrain data.
  • SIGINT Signal Intelligence; Made up of COMINT Communication with individuals and ELINT Electronic communication.

OSINT can be utilized for Business Intelligence; Due Diligence; Competitor Analysis; Criminal/Legal Investigations; Background Checks; Identifying people and preferences by their IP address;  e-mail;  phone number(s);  Operating Systems used; Software/version; and/or Geolocation.

OSINT it is not always easily found. The information is out there, but often the link-crawling search engines Google (72.48%), Bing (10.39%), and Yahoo (7.78%) [ranked by market share] will not always provide you with what you need. By some estimates, these sources represent only a minuscule portion of the total web content, 1%-5%.  In contrast, other sources including the Deep Web which includes data not indexed by standard search engines; and the DarkNet using ‘The Onion Router‘ known as TOR may provide you with too much information creating frustration. When it comes to making use of information, simply collecting it, is not enough. The best research/intelligence is unusable if it cannot be delivered in an easily understood format, presenting a compelling narrative and completed in a timely fashion.

OSINT can be a cumbersome task to navigate without the proper tools. As humans, we process colors, shapes, and connections. OSINT Tools allows for easier spotting of patterns, out of place things, or hidden items; As a result, conveying critical information faster and more accurately.  If you want to transform information into ‘actionable intelligence,’ you need to learn the tools.

OSINT Tools (These are not all of them, but they provide a good starting point.) 

Creepy

Creepy is an incredibly useful tool for investigators written in Python, i.e. Cree.py. It allows the user to extract location Metadata (EXIF) from the photos on Twitter and Flickr social media accounts, and all you need is a username. After entering the username, you will get a list (right-click), and Google maps will open, giving the targets exact location plus other features.

To find out just how Creepy, Cree.py is, check out  I know where you are….

The Wayback Machine

There is nothing more frustrating than hitting a dead end in your information search because the website you were looking for no longer exists. The Wayback Machine (archive.org) website can help with this.

Who.Is

Who.is provides lots of information about the domain, the IP it sits on, the domain owner data, what other domains reside on the same server space and loads of other statistics.

Maltego

Maltego is an open source intelligence and forensics application developed by Paterva. Maltego uses Java, so it runs on Windows, Mac, and Linux and is quick and easy to install. This application provides a graphical interface that makes seeing relationships, even if they are three or four degrees of separation away, instant and accurate.

Shodan

Shodan is the search engine for IoT or internet-connected devices.‍ Shodan has servers located around the world that crawl the Internet 24/7 to provide the latest Internet intelligence. Who buys Smart TVs? What companies are affected by Heartbleed? To name just a fraction of what Shodan can provide.

ThreatPinch

Creates on-hover tooltips for every website for IPv4, MD5, SHA2, CVE or add your own threat intel IOC. Designed to work with any API. Customization is encouraged. It is the called the ‘infosec threat and OSINT swiss army knife for your browser.’

Cybersecurity is a shared responsibility. Stop. Think. Connect.

Phishing: Attacks Are Not Going Away-They’re Far Too Effective.

scammers-using-social-media-brands-launch-phishing-fraud-malware-attacks

You check your e-mail, as usual, and this time there’s an urgent message from your bank threatening to close your account if you ‘do not reply immediately.’ This message and others like it are examples of a form of Social Engineering called Phishing. Phishing is a method of identity theft; however, in addition to stealing sensitive data, phishers can do much more including infecting your computer with viruses, keyloggers, trojans, and spyware. Once infected, your computer can work against you by reporting information directly to the phisher with every click of your keyboard; Track and record your online behaviors’. Turning your computer into a bot who will maintain fictitious conversations with other unknowing victims in chat rooms; and/or coordinate zombie networks that distribute new phishing e-mails or host phishing Web pages. All this just from clicking on a simple looking attachment within an email or another electronic form of communication. Phishing attacks is a numbers game they generate billions of dollars even when only a small percentage of the targets fall for the bait.

E-mail is the most common way to phish, but be aware, these criminals will stop at nothing to Phish you. Often using:

  • Instant Messaging (IM)
  • Short Message Service (SMS), i.e., Text messaging
  • Pop-Ups
  • Malicious Websites
    • Phishers develop e-commerce websites with ‘too good to be true’ offers. Often the bogus sites are indexed legitimately with different search engines. They often include banking sites.
    • Pharming attacks are DNS based (Domain Name System). The requests for URLs return a bogus address, and subsequent communications are directed to a ‘spoofed’ of fake site. Users remain oblivious of the fraudulent website controlled by phishers.

Once the phisher has assumed your identity, from your stolen data, they can do any or all the following:

  • Impersonate the victim, transfer funds.
  • Convince your friends to do something and your friends’ friends.
  • Commit crimes in your name.
  • Open credit card and bank accounts in your name.
  • Purchase merchandise (Think Big).
  • Hijack usernames and passwords.
  • Use and abuse your Social Security number.

The worst yet, is that phishers are never satisfied, when they get board they will simply sell your information on the Darknet where the process will begin all over again. Many (not all) phishers leave telltale signs in their notifications and Web pages. Be on the lookout for them and delete immediately:

  • Request for personal information.
  • Generic greetings, like ‘Dear Customer’ or ‘Hello User.’
  • Threats and requests for immediate action, such as ‘Please reply immediately’ or ‘we will cancel your account.’
  • Requests to re-enter or update personal information under the pretext that ‘account is about to expire’ or ‘multiple log-ins have been detected.’
  • Links that are misspelled, poor grammar, longer than normal URL’s especially those containing numbers and symbols, all are clear signs of phishing.
  • On occasion, the communications used by phishers can include unusually personal content, assured to appeal to the victim. Keep your guard up; there is a specialized type of phishing called Spear Phishing which targets individuals and includes personalized information gathered from OSINT. OSINT is intelligence collected from publicly available sources such as social networking sites.

When you get that e-mail or other activity that looks like a phishing attempt, never click on the links, or provide your personal information.

The most significant thing you can do is to remain aware and vigilant of what you download.

  • Hastily downloading e-mail attachments is dangerous. It only takes one click of a phisher’s malicious attachment to circumvent even the strongest anti-virus software.
  • Organizations including banks, social media platforms, and PayPal will never send you emails requesting your personal information.
  • This can not be stressed enough, never open an attachment from someone you do not know even if they have authentic looking logos.
  • If it is unusual for friends, your employer or groups you are involved with to send attachments, call them before opening the attachment.
  • Find a security website and frequent it often. Become aware of the latest scams and threats.
  • Finally, get into the habit of changing your passwords often and follow a strong password rule of at least eight characters, with a mixture of upper/lower case, numbers, and symbols-!@#$%^&*().

A few rules to follow in order to protect your computer from intrusion:

  • Turn your Firewall on and keep it on.
  • Update your Antivirus Software.
  • Update Your Antispyware Technology.
  • Update your Operating System (OS)

To sum up, phishing attacks can come in several different forms. Perhaps what is often overlooked are hidden threats related to phishing. Moreover, the mere numbers and level of sophistication of phishing attacks are increasingly making them one of the most structured and immensely profitable cybercrimes.

Cybersecurity is a shared responsibility. Stop. Think. Connect.

Security Is An Arms Race, The Only Way To Win, Is To Stay Ahead And Stay Knowledgeable.

unsecured-wireless-net

Securing your home wireless network is not a game, it is a serious business. If your network is not secured, an online cybercriminal will exploit it; it is just a matter of time. They will ‘listen’ to your traffic, retrieve sensitive data and/or take advantage of your network to launch malicious attacks. For this reason, learning how to exploit your home network before the cybercriminal does, is a very smart move.

Quick Overview On Wireless Security Options
WEP

  • Wired Equivalence Privacy
  • First 802.11 standard.
  • Very easily ‘hacked’ due to a 24 Bit Initialization Vector (IV) and weak encryption.
  • Uses RC4 Stream Cipher and 64 or 128 Bit keys.

Never use.

[A cyber attack executed against retailer T.J. Maxx in 2009 was traced back to WEP vulnerabilities.]

WPA

  • Wired Equivalence Privacy.
  • Implemented to address major WEP flaws.
  • Backwards compatible with WEP.
  • Personal and Enterprise Mode.
  • RC4 along with longer IV’s 256 Bit Keys.
  • Each user acquires new keys with TKIP.
  • Enterprise mode uses 802.1x & EAP

Only use if WPA2 is not available.

WPA2

  • Wired Equivalence Privacy.
  • Strongest standard.
  • Additionally, the Advanced Encryption does not affect performance.
  • Personal and Enterprise mode.
  • Replace both RC4 and TKIP with CCMP and AES algorithm for a strong authentication and encryption
  • Seamless roaming. Individuals can move from one AP to another on the same network without having to reauthenticate.

Most secure method.

There are fundamentally two types of vulnerabilities which can be found in the Wireless Home Network.  The most common one is poorly constructed configuration including weak passwords, no security settings, or using the ‘out of the box’ default configurations.

  • First things first, change the name of your Wi-Fi network, also known as the SSID (Service Set Identifier).
  • Your wireless router comes pre-set with a default password. That is very easy for a cybercriminal to guess it, especially if they can learn the manufacturer.
  • A strong password should be at least 8 characters and should include uppercase, lowercase, and special characters – like @#?%^&*.
  • Adding just one capital letter, and one special character changes the processing time for an 8 character password from 2.4 days to 2.10 centuries. Think about that!

passwords

  • The second vulnerability is using weak encryption including the security keys (WEP, WPA) to protect the wireless network.
  • The strongest encryption settings to increase your Wi-Fi protection is WPA2 AES.
    • AES is short for Advanced Encryption Standard and is used by governments around the world, including the US.
  • WPA2 AES is a standard security system now, so the majority of wireless networks should be compatible with it.
  • If you are using WPA2 personal. Disable WPS.
    • WPS stands for Wi-Fi Protected Set-up.  It is a wireless networking standard that makes connecting a router and wireless devices faster and easier. However, although WPS can make your life easier, it is very vulnerable to attacks. (See Fern Wi-Fi)

Quick Overview On Wireless Cracking and the Tools

Knowledge is powerful. Cybercriminals are powerful because they have the critical knowledge that leverages all other knowledge, the ability to solve that puzzle-known as your password and win that prize-known as your data. Beat them to the finish line.

Wireshark

If you enjoy networking and know your protocols, then you will so enjoy Wireshark as much as I do. Essentially, it is a network protocol analyzer tool. You can ‘live capture packets’ and analyze them in order to find various things related to your network and lets you see what’s happening at a microscopic level. This tool is available for Linux, Windows, OS X, Solaris and other platforms.

Aircrack-ng

This is one of the most widely-known, and many would say popular wireless password cracking tools.

Aircrack-ng is a complete suite of tools to assess your Wi-Fi network security. It focuses on different areas of WiFi security:

  • Monitoring: Packet capture and export of data to text files for further processing by third party tools.
  • Attacking: Replay attacks, deauthentication, fake access points and others via packet injection.
  • Testing: Checking Wi-Fi cards and driver capabilities (capture and injection).
  • Cracking: WEP and WPA-PSK (WPA 1 and 2).

All tools are command line which allows for heavy scripting.  It works primarily on Linux but also Windows, OS X, NetBSD, as well as Solaris and even eComStation 2.

Airsnort

Another popular wireless LAN password cracking tool and it can crack WEP keys of a Wi-Fi802.11b network. This tool passively monitors transmissions and then computes the encryption key when enough packets have been gathered. This tool works on Linux and Windows platform.

Kismet

This is yet another popular Wi-Fi 802.11 a/b/g/n layer 2 wireless network sniffer and intrusion detection system. It is available for Windows, Linux, OS X and other platforms. This tool is used in Wi-Fi troubleshooting and passively collects packets to identify the standard network and also detects the hidden networks. Built on a client-server modular architecture, this tool can sniff 802.11b, 802.11a, 802.11g, and 802.11n traffic.

Fern Wi-Fi

Fern Wi-Fi Wireless Cracker helps with network security by allowing you to see real-time network traffic and can identify hosts. It works with Apple, Windows and Linux platforms. It can run other network based attacks on wireless or Ethernet based networks. For WPA/WPA2, it uses WPS based on dictionary based attacks. For WEP, it uses Fragmentation, Chop-Chop, Caffe-Latte, ARP Request Replay or WPS attack.

inSSIDer

inSSIDer is the only tool that I use in which I pay for (19.99), But it is worth it. It is a very popular Wi-Fi scanner for both Microsoft Windows and OS X platforms. The Wi-Fi scanner can find open Wi-Fi access points, track signal strength, and save logs with GPS records. One of the best uses is to find issues in wireless networks. That alone is worth the money!

I learned how to use these tools through trial and error. My first target was my wireless home network, and I kept at it until I was able to strengthen my overall security. Then I focused on my family and friends (with their permission). Breaking into a wireless network without permission to gain access is a cyber-crime. Do not put yourself at risk.

I was able to turn this experience into an educational session for both my ‘test group’ and me. I was able to show them the importance of having a strong wireless network, and I proved to myself that I could ‘hack’ them.

Overall Results – 8 home wireless networks tested (Again, I stress, I had their permission)

  • 5 Set up their networks straight out of the box security – Fail
  • 1 Networks used WEP  – Fail
  • 1 Network had WPS enabled – Fail
  • 1 Network used a well-known password (hello…Not kidding) – Fail

Cybersecurity is a shared responsibility. Stop. Think. Connect.

Python for Fun.

python-logo

Python is one the easiest languages to learn, due to its simplicity, readability and straightforward syntax. Additionally, it is excellent for Rapid Application Development, (RAD). RAD is a software development methodology that uses minimal planning in favor of rapid prototyping. It also works well as a scripting language.The Python interpreter and the extensive standard library can be used with all major platforms without charge and is available in source or binary form.

Python is hands down my favorite programming language because of the high throughput since there is no compilation step. In addition, debugging Python programs is super easy neither a bug or bad input will not cause a segmentation fault. Rather, an exception is raised when the interpreter discovers an error.

Python was developed by Guido Van Rossum in 1991 and has seen a pronounced surge in popularity due in part to Google’s investment in the language over the past several years.

Python has associated web frameworks which make it more convenient to develop web based applications. Some robust sites (off the huge list) which are operating in Python include Quora, Drop Box,  and Google.

Python is useful in applications that run entirely in-browser.

  • Websites
  • E-Commerce Websites (Etsy, Amazon)
  • Social Media Websites (Reddit)
  • Educated Websites (Wikipedia, Dictionary.com)
  • Search Engines (Google)

Here is a simple but fun Python code for creating a Password Generator. Copy it, try it and enjoy learning.

1 import string

2 from random import

3 letters = string.ascii_letters

4 digits = string.digits

5 symbols = String.punctuation

6 chars = letters + digits + symbols

7 min length = 8

8 max length = 16

9 password = “.join(choice(chars) for x in range(randiet(min_length,max_length)))

10 print (password)

Cybersecurity is a shared responsibility. Stop. Think. Connect.

Life Lessons. Become Better Than You Were Yesterday.

54736f862eb87e02c829c1329c3bec3b

Never let your past dictate your future.

The past can not be changed. However, without our past, we would endlessly make similar mistakes over and over again. Our past allows us to learn the lessons that life is trying to teach us and allows us to move forward.

Don’t follow, lead.

There are two types of individuals in this world: leaders and followers. Successful individuals in life are the ones who lead the pack. Successful people did not get there by chance; rather they carve out their own path through hard work. Leaders deliver consistent value with integrity and passion, they take responsibility for their actions and follow-through on their commitments.

Move out of your comfort zone, forcibly if needed.

Let’s face the facts, being comfortable and unchallenged all the time kills productivity; without that rush of unease which comes from having deadlines and expectations, humans will tend to do the minimum required in order to get by. When you push your boundaries and move outside of your comfort zone, it allows you to develop and to expand your limits; by doing so, you become more productive; have an easier time dealing with unexpected chaos, and find it simpler to brainstorm and harness your resourcefulness.

Focus!

In today’s highly digital world, sometimes it is beneficial to take a step back and breathe. Getting caught up in the endless minor details blurs one’s ability to see how everything links together ultimately missing the overall vision, also known as the “big picture.”

To be successful requires focus and determination. Successful individuals have goals, and a plan in order to achieve those goals; they do not let obstacles, roadblocks or useless details derail them from getting there.

Never ‘do’ without learning.

The greatest gift an individual can give to themselves is the gift of learning something challenging, innovative and different. Successful individuals endeavor to constantly learn new things and expand on what they already know. Growth, change, and development is key to success.

Ask for advice.

Asking for advice is not always easy. More often than not,  individuals are determined to struggle to figure the problem out on their own. However, asking for help is not a sign of weakness, on the contrary, it is a great strategy, and Social Media has made it easier than ever to reach out to the experts who inspire us. Additionally, it better prepares you for the next time you find yourself or a colleague in the same dilemma.

Feedback is essential.

Feedback from peers or a mentor is critical because it gives you a different perspective on your current situation. Feedback allows you to review what you have completed and allows you to develop and implement ways to improve on the task or challenge next time.

Life lessons are about discovering who you are and endeavoring to become better than you were yesterday while helping those around you to become better too.

Cybersecurity is a shared responsibility. Stop. Think. Connect.

Being a Self-Starter

My yoga coach and mentor instilled in me that it is not what happens to us that determines our future—because what happens, happens to everyone. Rather, he imparted to me that the difference between failure and success is quite subtle. When you look at successful individuals, you discover there was a well thought out plan behind their success. More often than not, they were a self-starter.

Self-starters are not afraid to fail. They know what they want and have a roadmap getting them there, and if needed, they rework their plan. It is the foundation for success.

Two self-starters that I most admire once said: “Always meet your commitments. Do more than is expected of you. Do things faster than expected. Achieve better results than expected. Do all of the above with integrity and with little fanfare.”
― Mark DivineUnbeatable Mind   While Coco Chanel believed “In order to be irreplaceable one must always be different.  A girl should be two things: classy and fabulous. The most courageous act is still to think for yourself. Aloud.”

Attributes of a self-starter:

Learning. If you are not constantly studying the industry that you are a part of, or want to be part of, what does that say about you? The key here is that self-starters recognize that there is always more to learn if they want to grow and improve. Moreover, they seek strategic and/or tactical advice, rather than emotional encouragement.

Expectancy. Self-starters demonstrate a “can do” and “will do” attitude. Meaning they take the initiative, complete tasks and come up with strategies in order to improve the organization or team. A positive self-expectancy expresses confidence, skills and the knowledge necessary to perform any task and understand the equilibrium between value created and resources invested.

Attitude. Exude a team-player attitude and work ethic. Be polite and cooperative with your colleagues. Self-starters are social people who revel in being with and working with others. This attitude allows self-starters to accomplish more and sometimes motivate others who are less motivated.

Diligence. Self-starters are conscientious; they pay attention to details. Even when speed may be crucial for some tasks, a conscientious individual puts precision first and produces superior work without constant prodding.

Stagnation. Stagnation is the enemy of being successful and a self-starter. When competing, whether it is sailing, a project for a prospective client, or learning to fly a plane I always keep the finish line in focus; constantly gauging my performance, depending on my teammates, and pushing boundaries in order to surpass the previous results. Stagnation is also a business killer and self-starters know how and when to execute the work themselves, and when to delegate to others. Create a blueprint that is a constant improvement on yesterday.

Failing. Everyone makes mistakes. Mistakes are forgivable. What’s not forgivable is not owning up to your failures or not learning from them. This is somewhat of a platitude, but it is true. Self-starters do not see failures as a negative but rather part, of the laboratory of achieving success. Additionally, they appreciate, if not welcome, criticism, because it plays a critical role in self-improvement. Remember, safe and boring does not always parallel worthwhile.

In closing, self-starters are driven professionals and key business drivers that keep organizations moving forward with innovative ideas and strong work ethic. Self-starters remain lithe, adaptable, and steadfast in order to achieve their organization’s vision, mission, and goals. Self-starters know the importance of performing to the best of their ability and align to their organization’s top leadership, strategies, methods, and culture.

Cybersecurity is a shared responsibility. Stop. Think. Connect.

What’s in a password?

images-3

So, why would we need to learn about password cracking techniques and the very cool tools used to do so? Password cracking plays a major role in cybersecurity. It is the processes of recovering passwords in order to breach the security of a computer system as both as a preventive measure and to locate weak links that may be vulnerable to an attack.


Brute-force attacks involve trying all possible keys including dictionary words and non-dictionary words too. Brute-force attacks can crack any password, once given the time to do so.

However, how long are you willing to wait for that password? For example, 128-bit key running at a billion keys per second equals 340,283,366,970,938,463,463,374… possible key combinations. In years, that’s just shy of 100,000,000,000,000. Brute-force can often be the last resort with the upside being that brute-force will always find the password. The downside is will you still be around when brute-force reveals the password.

Dictionary attacks use possibilities that are most likely to succeed derived from a dictionary software program. Dictionary attacks may not crack every key, but it is often faster than brute-force. However, although dictionary attacks remove the time-factor, the program will not be successful if the password is not in your dictionary file. For example, if your password is B#h$7yt, the simple addition of symbols and numbers can thwart the success of the attack.

Rainbow table attacks are by far the fastest method of password cracking, mainly because they come along with pre-computed hashes. For a basic example of hashing, say your password is Apple; After it is hashed it is transformed into 865948plpogh76542187629bd1. Woo Hoo, it is secure.

Not so fast, although hashing is a one-way function, meaning that you can never decrypt the hash unveiling the underlying clear text. That’s not the end of the story; basically, rainbow tables are humongous sets of pre-computed tables chock-full with hash values that are pre-matched to potential plaintext passwords.

Essentially, these tables allow anyone to reverse the hashing function in order to determine what the plaintext password might be. Additionally, it is possible for multiple different passwords to result in the same hash, pointing out that it is not important to find out what the original password was, just as long as it has the same hash. As long as the hash is matched, then it does not matter what the original password was.

The Very Cool Tools 

(There are other tools available. However, these are my favorites. I have included the links and descriptions so you can visit the sites, download the tools, explore them and learn.)

Cain and Abel

Cain and Abel is a password recovery tool for Microsoft Operating Systems. It allows easy recovery of various kind of passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force, and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, recovering wireless network keys, revealing password boxes, uncovering cached passwords and analyzing routing protocols.

The latest version is faster and contains a lot of new features like APR (Arp Poison Routing) which enables sniffing on switched LANs and Man-in-the-Middle attacks. The sniffer in this version can also analyze encrypted protocols such as SSH-1 and HTTPS and contains filters to capture credentials from a wide range of authentication mechanisms.

John the Ripper

John the Ripper is a well known and popular free and Open Source software. Ripper supports fifteen different platforms including Unix, Windows, DOS, BeOS, and OpenVMS. You can use this either to identify weak passwords or to crack passwords for breaking authentication. Including performs brute-force attack with all possible passwords by combining text and numbers. Additionally, you can also use it with a dictionary of passwords to perform dictionary attacks

Additionally, Ripper can be used to identify weak passwords or to crack passwords for breaking authentication; perform brute-force attacks with all possible passwords by combining text and numbers and/or use it with a dictionary of passwords to perform dictionary attacks

 RainbowCrack

Rainbow Crack is also a popular brute-forcing tool used for password cracking. It generates rainbow tables for using while performing the attack. In this way, it is different from other conventional brute-forcing tools. Rainbow tables are pre-computed. It helps in reducing the time in performing the attack.

Various organizations published the pre-computer rainbow tables for all Internet users. To save time, you can download those rainbow tables and use in your attacks.

This tool is still in active development. It is available for both Windows and Linux and supports all latest versions of these platforms.

Aircrack-ng

Aircrack-ng is a complete suite of tools to assess WiFi network security.  Aircrack-ng (the ng, refers to next generation) focuses on different areas of WiFi security including Monitoring: Packet capture and export of data to text files for further processing by third party tools;  Attacking: Replay attacks, deauthentication, fake access points and others via packet injection; Testing: Checking WiFi cards and driver capabilities (capture and injection) and Cracking: WEP and WPA-PSK (WPA 1 and 2).

The tools are command line which allows for heavy scripting.  It supports Linux primarily but also Windows, OS X, FreeBSD, OpenBSD, NetBSD, as well as Solaris and even eComStation 2.

THC Hydra

THC Hydra is often the tool of choice when you need to brute-force crack a remote authentication service. THC Hydra can perform rapid dictionary attacks against more than 50 protocols, including Telnet, FTP, HTTP, HTTPS, SMB, several databases, and much more.

This free-to-use tool allows pen testers, security analysts and others to learn how easy or difficult it would be to gain remote access to a system. This tool also lets you add new modules to increase the functionality. Via its GitHub page, you can also participate in the development process of THC Hydra. TCH Hydra supports Windows, Linux, Solaris, FreeBSD, and OS X platforms.

Cybersecurity is a shared responsibility. Stop. Think. Connect.

Cybersecurity is a Team Sport.

There are only two kinds of companies: those that have been hacked, and those that will be hacked. Even that is merging into one category: those that have been hacked and will be hacked again.”          

                                                                                   Robert S. Mueller, Director, FBI

Intel predicts 200 billion interconnected devices by 2020. Furthermore, any device, be it a computer, mobile phone, or an Internet of Things (IoT) ‘smart’ device, having an IP address which can be accessed by the web, means there is an enormous potential for cyber attacks. No one is immune.

Cyber criminals and hackers are upping the stakes with the average cost of a data breach currently tracking at $4+ million per breach and expected to rise. Additionally, cyber criminals are increasingly becoming more sophisticated, and the attack surfaces are rapidly expanding.

Regardless of the security invested in the protection of your organization’s assets; your plan is only as good as the weakest link (your employees).images Cyber threats to your organization are often at the hands of outsiders. However, many threats originate from within, when employees’ unawareness or negligence opens a door.

Cyber breaches are not just a technician’s issue. Cybersecurity is a team sport. Having an effective security program requires a partnership throughout the organization; From the boardroom to stakeholders to individual employees, and business partners.

In other words, the solution lies within each employee of your organization. The greatest weapon in protecting those assets includes training of the rapidly evolving threat landscape at every level of your organization.

images-2

Cybersecurity is a shared responsibility. Stop. Think. Connect.

Don’t Be Afraid To Fail. Be Afraid Not To Try!

 

dont-be-afraid

Aspirations for 2017 and beyond.

Go after your dreams.

Trust yourself.

Risk more than is necessary.

Feal the fear and do it anyway.

Push your boundaries.

Always deliver a solution.

Simplify.

Innovate.

Focus.

Learn more than is called for.

Exude passion.

Let go of your inhibitions.

Deliver more than is required.

Excell.

Be a leader.

Laugh.

Speak your truth.

Know your values.

Inspire others with your largeness.

Let go of mediocrity.

Remain humble.

Be kind.

Act now.

Never ever stop.

Give something back.

Cybersecurity is a shared responsibility. Stop. Think. Connect.

The ‘Sharing Economy’ is Reshaping Organized Economic Activity

Over the past several years traditional institutions worldwide, in order to stay ahead of competitors and to compete globally, have migrated their businesses information into digital form. This has introduced new risks including formidable cyber attacks. Moreover, as if cyber assaults were not perilous enough, there is a new stressor and major disruptor at play known as the ‘sharing economy.’

The Sharing Economy is reshaping organized economic activity, shifting us from affairs conducted within traditional institutions towards new funding methods.

  • Peer-to-peer (P2P) marketplaces allow several investors to fund loans by matching up the borrowers and lenders through an online marketplace.
  • Funding projects and or ventures by raising contributions from a large number of people. Think-crowdfunding and cryptocurrencies.
    • Crowdfunding provides capital to start-ups or to further ongoing ventures; Entry to principal with a hedged risk; A simpler source of funding than traditional conduits.
    • Cryptocurrencies, Bitcoin, and Blockchain practices are increasingly becoming accepted.

crypto-currency_market_capitalizationsblockchain3

In its sum, it is a new and unconventional socio-economic system which embeds sharing and collaboration across all phases of social and financial life.

The sharing economy that started with bikes and cars has now evolved to taxis and hotels with a keen focus set on industry giants including financial services and their intermediaries.

Until recently financial institutions and their intermediaries-insurance, banking, and financial management giants have prevented innovative more nimble market entrants from breaking into the financial services industry. However, as the sharing economy picks up speed led by the accelerated pace of technology, it has become increasingly ‘disruptive.’

This disruptive force is called Financial Technology, also known as FinTech, which is comprised of companies that use innovative technology to leverage available resources to compete in the open market of traditional financial institutions in the delivery an array of financial services.

These disruptors are often start-ups, fast-moving companies focused on the economistmost profitable elements-mobile payments to insurance. Industry analysts estimate that traditional financial services industries could be at risk of being lost to standalone FinTech companies within 5 years.Additionally, FinTech is making an impact on the industry tripling to more than $9+ billion in the US in 2014 alone. (Economist.com)

Having worked in the financial service sector for several years, I learned that besides being large, bloated and cumbersome the one thing many of them share is that they loathe change. The mere mention of change would set their ‘hair on fire’. However, without change, there is no growth, and eventually, the lumbering giants will need to evolve or be overtaken.

The shift toward using technology, cryptocurrencies and blockchain technologies to improve productivity, availability and functionality in financial services and intermediaries is a reflection of the 21st century-the digital era.

InfoSecurity vs. CyberSecurity

Over the past several years enterprises across all industries have fallen victim to cyber attacks including theft of sensitive data, disruption of information systems and even damage to critical infrastructure. In reading about these attacks both Information Security (InfoSec) and CyberSecurity (CyberSec) roles seem to be synonymous. However, although there are some similarities, there are also some important distinctions between them.

cia_triadInformation security principally means ‘data security’ and at the core of information security efforts is the CIA triad-Confidentiality, Integrity, and Availability. The CIA triad is comprised of the objectives needed to achieve its sole purpose of safeguarding data from unauthorized access, disclosure, modification, inspection, recording or destruction of data.  Infomation security coverage includes both electronic and paper.

CyberSecurity is broader and includes ‘Information cybersecurity-100635851-primary-idgeSecurity’ with respect to the protection of any digital data. Additionally, CyberSecurity protects the integrity of computing assets belonging to or connecting to a network; with its sole purpose to defend all assets against all threat actors throughout the entire life cycle of a cyber attack.

In summary, things are never black and white. As cyber attacks become more sophisticated, persistent and destructive; There seems to be a developing interconnectedness and a significant amount of overlap regarding functions and competencies as it relates to understanding what data is most critical and what controls should be put in place to protect the data. cyber-infosec

 

Cybersecurity is a shared responsibility. Stop. Think. Connect.

Chances are, the next security breach will be caused by social engineers exploiting the weakest link in the security chain of your organization.

The art of manipulating people into giving up personal or sensitive information is known social-engineeringas Social Engineering. Social engineers are ruthless and innovative criminals who take advantage of human behavior to gain access to data, networks or infiltrate businesses; because it is often ‘easier to exploit an individual’s penchant to trust than discovering new methods to hack’ your systems.

The weakest link in the security chain of any organization is its employee’s. The weakness stems from the lack of training and awareness of social engineering methods. Organizations need to become versed on the threats posed by social engineers as employees from C-level executives to the mail room can and will be targeted, and some will fall victim; introducing risk into the organization.

The techniques used by social engineering criminals range broadly, from phishing emails that trick users into opening an attachment that includes dangerous payloads, showing up as delivery people, tech support, or job applicants, to physically access data centers including- ISOC’s and SOC’s. Worse yet, the social engineering criminal rings which resort to strong-arm tactics, ransom, and threats. Whatever the method of strategy the social engineer uses, they all play on our emotions motivated by curiosity, fear or greed.

There are thousands of variations of attacks used by social engineers. The only limit to the number of exploits is the criminal’s imagination. Often one victim can experience multiple forms of exploits wrapped up in a single attack. Nevertheless, when they get all they can from the individual, it is not over, more than likely their information is sold, and shortly new criminals are exercising innovative exploits against the same individual, their contacts, and their contacts’ contacts; resulting in an interminable cycle.

Start building your social engineering smarts.

Free Money! 

People, it is 2017, offers of ‘free money’ including winnings from foreign lotteries, a previously unknown wealthy relative who wants to leave you billions or requests to transfer funds from a foreign entity for a share of the money. All are guaranteed to be a scam. Don’t fall for it.

Email Hijacking

If it is out of the ordinary to receive an email from a friend, co-worker, your boss or your bosses boss that includes ‘links or attachments’ make a phone call before clicking on the potentially malicious attachments. The social engineer’s goal is to take control of an email account, then your social media, and all your friends and friends’ friends. All they need to accomplish this is for the recipient to click on that attachment. Don’t do it. Call and verify.

Phishing 

A phisher will send e-mails, instant messages (IMs), or text messages that seem to come from a legitimate organization such as your bank that requires you to ‘verify’ your personal information. Often the messages include an impending doom warning of what will happen if you fail to act ‘now.’  Criminals play on your emotions, whether it is a familiar bank,  or a co-workers name they utilize urgency and panic to get you to ‘respond first and think later.’ Stop and think before acting.

Ransomware

Ransomware is malware which kidnaps your critical data, encrypts it and holds it for payment in return for the decryption key. Ransomware spreads through phishing e-mail attachments, infected programs, and compromised websites. No organization is immune from healthcare to critical infrastructure. Once the computer or network becomes infected, there is no option other than paying the ransom. There are no guarantees the criminals will not kidnap your data again nor is there any guarantee that the data will be released. Don’t click on links and or attachments in unsolicited emails. Look up sites you are unsure of on  Malware Domain List before visiting them.

Vishing 

Vishing is a phone scam usually carried out through robocalling. These criminals are intent on stealing account numbers and passwords. The criminals are prepared with a convincing phone number which appears as if it is coming from your bank; the victim is then persuaded that their account(s) have been endangered and have to act quickly – panic often leads people into acting without thinking. The balances are transferred, and the criminals move on. Remember, banks, and financial institutions will never contact you to ‘verify’ your personal information.

Baiting 

Social engineers recognize that if you dangle something people want like free music, free movies or the hottest game in town for free, someone will eventually take the bait. Once the bait is taken, the individual’s computer is now corrupted with malicious software that often can lead to countless continued exploits. Often the victim loses their money without receiving their purchased item(s), and, if they used a checking account, they may find that their bank account(s) have been emptied.  Free is good, but it’s never actually free.

Social engineers want you to act first and think later. Never let their actions influence your careful review of the situation.

  • Be suspicious of all unsolicited messages.
  • Never open a link or attachment without verifying first.
  • Delete all requests for passwords or personal information.
  • Block all Automated calls.
  • Register on the Do Not Call List (1-888-382-1222)
  • Never answer a call from a Blocked number

Cybersecurity is a shared responsibility. Stop. Think. Connect.

“I know where you are….”

GPS navigation concept

Social Media plays a pivotal role in out lives; from Facebook, Twitter, Instagram, Flickr and Google+ to name a few. Most individuals use social media to keep in touch with family, friends and keep followers abreast on activities and achievements. However, there is a darker side to Social Media.

Social media often attracts those individuals wanting to know a great deal more about you for the wrong reasons. Too much personal information online can effortlessly provide stalkers, predators and or thieves the information needed to track their victims’ locations easily and even more dangerous, their patterns.

One of the most unassuming ways we can share too much of our personal information is through our photos. Geotagging and location-based services technology can contain location information stored in metadata (EXIF data)  within the photo;  Location data includes accurate Global Positioning System satellite technology (GPS) coordinates of where the photo was taken, as well as the time and date it was captured. GPS has become second nature, whether using it when we are lost or directions to that new spa; GPS is embedded into the majority of the smart devices and the applications we use every day.

Honestly, is it possible for a predator on the internet to track your every move? Yes, unquestionably, thanks to the pictures you post along with the assistance of an Open Source Intelligence (OSINT) gathering resource tool. Creepy is just one of the many OSINT tools available. Cree.py is written in Python coding language with its source code available on geocreepy.

creepyYou enter a sender’s social networking username (Creepy works with Twitter and Flickr) hit the ‘Geolocate button’ and Creepy collects all the geographical information available on the platforms, via photos that the sender has shared online. The end result being a navigable embedded Google map with latitude and longitude, date and time and what is more disturbing, often the text that accompanied the location/photo-For an additional personal effect.

Many of the free applications that are either preloaded or ones we chose to download on our smartphones or tablets, utilize geotags and location services to track our patterns. The majority of these are for marketing and revenue builders, including coupons from nearby coffee shops and retailers.maps-permission_ink_li However, as we have seen from above, individuals need to be careful about the information we share with the millions of people on the internet. The majority of individuals do not realize that geotagging is active either because default enables it or disabling it is not showing as an option. Users need to think wisely next time they opt-in for geolocation features by clicking “allow” or  “this application wants to use your current location” dialog box on your smartphone or tablet.

Below, find some options to protect yourself when it comes to geotagging.

  • Before you publish images taken with your phone, convert them to PNG file format and publish them from your desktop computer.
  • Change the permissions of your smartphone to ‘do not report GPS coordinates’ before posting on social media platforms.

Overview on how to disable your smartphone and/or tablet geotagging feature.

  • iPhone
    • Geotagging page
    • Hit Settings
    • General
    • Location Services
    • Disable the applications that use GPS data.
  • Blackberry
    • Hit Camera icon
    • Menu
    • Options
    • Set the geotagging option to disable
    • Hit Save
  • Android
    • Start the camera application.
    • Settings
    • Turn off Geotagging (Sometimes called Location storage depending on the version of Android)

Oh, and where did I write this? I am not giving away my location.

Cybersecurity is a shared responsibility. Stop. Think. Connect.