Social Malice

http://www.darkreading.com/insider-threat/167801100/security/client-security/231901810/social-malice-one-in-100-tweets-and-one-in-60-facebook-posts-are-malicious.html

Considering the topic of our newest group project, I thought that this article would be perfect to write about. Recently I read an article about how many posts on social networking sites such as Facebook and Twitter are malicious. It says that one in 100 tweets today is malicious, and so is one in 60 Facebook posts. People have been confessing that they feel unsafe on sites such as Facebook and Twitter, and even a moderate percentage of people feel unsafe on LinkedIn. It goes on to talk about how these things can be a danger to businesses because of the use of these sites in the workplace.

The article lists some of the latest Barracuda statistics:

- LinkedIn is the least-blocked social network by enterprises, with only 20 percent of organizations preventing their employees from using LinkedIn from work. That is in contrast to Twitter (25 percent), Google+ (24 percent), and Facebook (31 percent).

- Most users say the important factors to consider when joining a social network are security (92 percent), that their friends use it (91 percent), privacy (90 percent), and ease of use (87 percent).

- More than 90 percent have received spam over a social network, and more than half have experienced phishing attacks.

- More than 20 percent have received malware, 16.6 percent have had their account used for spamming, and about 13 percent have had their account hijacked or their password stolen.

- 43 percent of Twitter accounts were classified as “true users” with real followers and regular tweets, and 57 percent as “not true users” — either spam bots or inactive accounts.

- Barracuda measured search malware on Google, Bing, Twitter, and Yahoo over a 153-day period and found 34,627 malware samples, with one in 1,000 search results leading to malware.

- One in five search topics leads to malware, with “music + video” containing the most malicious links. The number two search term leading to malware was “JenniJ-Woww,” with 17 percent of the malicious search results.

Steps to take after the hack

I was reading an article recently on securityweek.com that listed some steps that should be taken from the viewpoint of a systems administrator. Considering how many people in the class wish to pursue that particular career, I decided to write about it. The first step, which could very well be the most important, is to make a call to IT and tell them, “Do not shut down the system.” I know that the first thing to come to someone's mind would usually be to shut it all down to stop the attack; however, if you do that then there is no way that you can trace the hacker or find out what it was that they were trying to steal from the company that you work for (powering off also wipes volatile evidence such as memory contents and live connections). So I know it may be tempting, but do not disconnect.

The next step is to gather as much information as possible about the attack and the hacker. You should find out things from all the departments and examine all possibilities. Some of the questions you should be asking yourself while gathering this information include: How large is the problem? Is it one computer, the entire network, or somewhere in between? Has IT noted any peculiar employee behavior? Are any logs suggesting suspicious behavior? Were any employees dismissed recently? What was hacked? What was not hacked? Does it appear that the data was not touched, or was the data stolen but left intact to look like it was not breached? Is the breach still open? Is it spreading, and from where?

The next step would be to call in some extra help. The best person to get hold of would be the closest “white hat” that you can find. These people know all the tricks, and probably more than whoever broke into your network. It is their job, 24 hours a day, to know the latest and to be experts in cutting-edge technology. They will be able to help you find anything that you may have missed.

The final step you should take is to think about what your response should be in terms of reporting what happened to the company. You should think long and hard, depending on the seriousness of the situation, about whether or not to let your customers know what happened. If the attack was very serious and important information, like credit card numbers, was compromised, the company should probably report it to the customers and try to ease their minds. Nothing wreaks havoc on the mind like knowing that your credit card number is “out there” somewhere and in the hands of a shady character. One way you could help ease the customer's mind is by giving them a phone number to call that can help rebuild their credit and flag unauthorized use of their credit cards. A company's reputation, if founded on how customers are treated, will help soften the blow that may come to the company's established reputation.
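As an added example (my own, not from the SecurityWeek article), here is a small Python triage script for the information-gathering step. It runs over constructed, hypothetical SSH auth log lines from three made-up hosts, hashes each log for evidence integrity before anyone works on the box, and answers the scope questions above: which hosts show signs of compromise, where the attacker came in, and whether the activity spread from one host to another. Host names, addresses and log lines are all constructed.

```python
import hashlib
import re
from collections import Counter

# Constructed sample data (hypothetical hosts, addresses and log lines).
HOST_ADDRS = {"web01": "10.0.0.11", "db01": "10.0.0.12", "hr02": "10.0.0.50"}

SAMPLE_LOGS = {
    "web01": [
        "Jun 02 01:12:03 web01 sshd[1201]: Failed password for root from 203.0.113.9 port 4410 ssh2",
        "Jun 02 01:12:05 web01 sshd[1201]: Failed password for root from 203.0.113.9 port 4411 ssh2",
        "Jun 02 01:12:09 web01 sshd[1203]: Accepted password for root from 203.0.113.9 port 4413 ssh2",
        "Jun 02 01:14:00 web01 useradd[1290]: new user: name=svc_backup, UID=1005, GID=1005",
    ],
    "db01": [
        "Jun 02 01:20:41 db01 sshd[882]: Accepted publickey for deploy from 10.0.0.50 port 5020 ssh2",
        "Jun 02 01:21:10 db01 sshd[883]: Failed password for admin from 10.0.0.11 port 5021 ssh2",
        "Jun 02 01:21:12 db01 sshd[883]: Accepted password for admin from 10.0.0.11 port 5022 ssh2",
    ],
    "hr02": [
        "Jun 02 08:00:00 hr02 sshd[300]: Accepted publickey for alice from 10.0.0.50 port 6001 ssh2",
    ],
}

FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED = re.compile(r"Accepted (password|publickey) for (\S+) from (\S+)")
USERADD = re.compile(r"useradd\[\d+\]: new user: name=([^,]+)")


def evidence_hashes(logs):
    """SHA-256 of each host's log text, taken before anyone changes the machine."""
    return {host: hashlib.sha256("\n".join(lines).encode()).hexdigest()
            for host, lines in logs.items()}


def triage_host(lines):
    """Scan one host's log. Returns (findings, sources): findings are readable
    strings, sources the addresses behind logins that look like successful guessing."""
    failures = Counter()          # (user, source) -> failed attempts so far
    findings, sources = [], []
    for line in lines:
        if m := FAILED.search(line):
            failures[(m.group(1), m.group(2))] += 1
        elif m := ACCEPTED.search(line):
            method, user, src = m.groups()
            tries = failures[(user, src)]
            if tries:             # success right after failures from the same source
                findings.append(f"{method} login for {user} from {src} after {tries} failed attempt(s)")
                sources.append(src)
        elif m := USERADD.search(line):
            findings.append(f"new account created: {m.group(1)}")
    return findings, sources


def triage(logs, host_addrs):
    """Answer the scope questions: affected hosts, entry points, lateral movement."""
    addr_to_host = {addr: host for host, addr in host_addrs.items()}
    per_host = {host: triage_host(lines) for host, lines in logs.items()}
    affected = sorted(host for host, (findings, _) in per_host.items() if findings)
    lateral, entry_points = [], set()
    for host in affected:
        for src in per_host[host][1]:
            origin = addr_to_host.get(src)
            if origin is None:
                entry_points.add(src)           # unknown address: came from outside
            elif origin in affected:
                lateral.append((origin, host))  # attacker moved from one of our hosts
    return {
        "affected_hosts": affected,
        "entry_points": sorted(entry_points),
        "lateral_movement": lateral,
        "findings": {h: f for h, (f, _) in per_host.items() if f},
    }


if __name__ == "__main__":
    print("evidence hashes:", evidence_hashes(SAMPLE_LOGS))
    for key, value in triage(SAMPLE_LOGS, HOST_ADDRS).items():
        print(f"{key}: {value}")
```

On the constructed data the report names web01 and db01 as affected, 203.0.113.9 as the outside entry point, and web01 to db01 as lateral movement, while hr02 stays clean; the hashes are what you would record before handing the logs to the outside expert from the next step.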

Risk Assessment: Motor Vehicle

Description: A great piece of machinery that allows for us to travel much farther distances than we would normally be able to.

 

Assets/Security Goals:

  • Fast mode of transportation
  • Shelter while traveling
  • Used in racing (entertainment)
  • Gives jobs to people (mechanics/dealers)
  • Keep someone relatively safe in a crash

 

Potential Adversaries/Threats/Weakness:

  • Bad weather/road conditions
  • Rust
  • Thieves/burglars
  • Animals
  • Other drivers
  • Lack of security beyond locks and alarm
  • Crash

 

Possible Defenses:

  • Driving safer
  • Keeping your vehicle in a garage
  • Keep the vehicle up to date with brakes and tires to avoid unnecessary accidents

 

Risk Map

 

Conclusion:

It is shown that most risks for motor vehicles are on the severe side. However, the likelihood for most of them is not as high, and most of them come down to crashes and burglary, which are the only two big things that could happen to your car, with everything else just being things that cause those two. Almost everyone has a car, and they just need to make sure that they drive safely and keep it safe. Cars don’t have the best security, but as long as you don’t leave it parked a block from your house where you can’t hear the alarm you should be fine, even though a garage would be the best place for it.

Spoofing Locations

I found an article that talked of a security researcher, Don Bailey, visiting Boston, Afghanistan, Libya, and the White House. Or so his tracking device reported. He was using a Zoombak to report in from multiple places by intercepting SMS. The device is essentially a GSM module with a separate microcontroller. The service sends an SMS over GSM with A5/2 encryption, and then the device responds with its location via plain HTTP.

From the device, Bailey was able to find the T-Mobile sessions used by the service by checking the cellular network's home location register. He then performed a search for the numbers that were on but only allowed SMS and had incoming calls disabled. Now he could send HTTP as that number and make it look like he was in different countries within a matter of minutes.

This research allows for spoofing of SMS responses from GSM-based traffic control systems and SCADA systems. So what it comes down to is that any remote device that uses SMS over GSM modules is completely vulnerable to this kind of attack. The article even said that this would include GSM-based skimmers placed on ATMs, which would be a good thing if law enforcement knew how to intercept these devices. Below I’m going to be pasting Bailey’s talk that he gave, which was all about his research on this subject.

“A Million Little Tracking Devices: Turning Embedded Devices into Weapons”
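The weak point in the system described above is that the location report is a plain HTTP message tied to nothing but the sending number, so anyone who can act as that number can report any location they like. As an added example (mine, not Zoombak's or Bailey's code), here is a Python sketch of how a tracking service could authenticate check-ins: the service issues a fresh nonce with each poll, the device answers with an HMAC over the nonce and the coordinates using a key only it holds, and the service discards reports whose tag does not verify or whose nonce has already been used. Device IDs, keys and coordinates are constructed; in a real deployment the per-device key would be provisioned at manufacture and stored in the device's microcontroller.

```python
import hashlib
import hmac
import json
import secrets

# Constructed per-device keys (hypothetical); a real service would provision
# these at manufacture and keep them out of the cellular path entirely.
DEVICE_KEYS = {"dev-0001": secrets.token_bytes(32)}


def canonical(report):
    """Fixed byte encoding of the authenticated fields, so device and service
    compute the tag over exactly the same bytes."""
    fields = {k: report[k] for k in ("device_id", "nonce", "lat", "lon")}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def device_respond(device_id, key, nonce, lat, lon):
    """Device side: answer a poll with a tagged location report."""
    report = {"device_id": device_id, "nonce": nonce, "lat": lat, "lon": lon}
    report["tag"] = hmac.new(key, canonical(report), hashlib.sha256).hexdigest()
    return report


class LocationService:
    """Service side: polls devices and accepts only authenticated, fresh reports."""

    def __init__(self, keys):
        self.keys = keys
        self.pending = {}        # device_id -> nonce of the outstanding poll

    def issue_challenge(self, device_id):
        nonce = secrets.token_hex(16)
        self.pending[device_id] = nonce
        return nonce             # this is what would ride in the SMS poll

    def verify_report(self, report):
        device_id = report.get("device_id")
        key = self.keys.get(device_id)
        nonce = self.pending.pop(device_id, None)   # one report per poll
        if key is None or nonce is None or nonce != report.get("nonce"):
            return False          # unknown device, no outstanding poll, or replay
        expected = hmac.new(key, canonical(report), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, report.get("tag", ""))


def demo():
    """Returns (genuine accepted, replay accepted, forged accepted)."""
    svc = LocationService(DEVICE_KEYS)
    key = DEVICE_KEYS["dev-0001"]

    nonce = svc.issue_challenge("dev-0001")
    genuine = device_respond("dev-0001", key, nonce, 42.36, -71.06)
    genuine_ok = svc.verify_report(genuine)
    replay_ok = svc.verify_report(genuine)          # same report sent again

    nonce2 = svc.issue_challenge("dev-0001")
    # Someone who can read the poll knows the nonce but not the device key.
    forged = device_respond("dev-0001", b"not-the-device-key", nonce2, 34.53, 69.17)
    forged_ok = svc.verify_report(forged)
    return genuine_ok, replay_ok, forged_ok


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```

The nonce is what stops a captured report from being replayed later, and the per-device key is what stops a report from a number that merely looks like the device; neither depends on the GSM link being confidential, which is the property A5/2 fails to provide.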

Using XSS and Google Street view data to determine physical location

While looking for an article or topic to write about today, I came upon some articles regarding the Black Hat convention that was held in Las Vegas last year. A man by the name of Samy Kamkar showed an interesting hack which extracted extremely accurate geolocation information from a Web browser, without using any IP geolocation data. Before I explain what he did, allow me to explain what XSS is. XSS is an abbreviation for cross-site scripting. XSS is a security vulnerability found in Web applications that enables attackers to inject script into web pages viewed by other users. By finding ways of injecting malicious scripts into web pages, an attacker can gain elevated access privileges to sensitive page content, session cookies, and a variety of other information maintained by the browser on behalf of the user. Now, how he does the attack is by first having the victim visit his malicious web site and then using JavaScript and AJAX to acquire the router’s MAC address. He was able to do this because when the user visited the site, the JavaScript did a scan for the type of router and its MAC address. With this info he was able to use Google Street View to determine the location of the router within 30 feet of where it actually is. This isn’t Kamkar’s only hack; he was also the creator of an XSS worm that hit MySpace a while back. In the video I’m posting below he does a demonstration of the hack.

LulzSec and Their Favorite Attack Techniques

For those of you who don’t know of LulzSec, they are a hacking group that recently broke up. However, before they did break up they claimed to have done things such as taking the CIA website offline and compromising user accounts from Sony Pictures in 2011. This group was comprised of 6 main members that did a number of attacks during the summer of 2011 besides those two mentioned above. They also worked with other groups such as Anonymous from time to time. An article I found examined some of the group’s attacks and found that they used at least 3 out of the 4 most popular attack techniques.

Attack number 1, used not just by them but by so many hackers as it is one of the most successful, is the SQL injection. An SQL injection is a technique that exploits a web application vulnerability in order to access the organization’s data in an unauthorized manner. The easiest way to do the injection would be entering a bit of code into the username field so that the hacker can find out information from the system. It was found that 83% of successful attacks are SQLi.

Attack number 2 is something called remote file inclusion. RFI is used to replace a reference within the web application with any file of the attacker’s own. Then once that file has been uploaded, the hacker has complete control of the server and can upload further files as well as manipulate data. The way LulzSec used this technique was by having bots perform the attacks so that it was like a DDoS, and it is thought that this is how they brought down the CIA website. It’s shown that RFI attacks account for only 4% of the top four most prevalent attack types.

The third attack that is listed is a directory traversal attack. This type of attack is used to go through the web application’s file directory in an attempt to find hidden files that were exposed to the application. The main goal of the DT is always to try and get to the file’s parent directory. This attack took up 37% of the top four most prevalent attack types. It has also been found that the majority of the time these attacks are used more for reconnaissance than for doing damage. Once the hacker has found other vulnerabilities, he or she can proceed with an additional attack that can do some actual damage. It was found that DT is used in conjunction with RFI attacks most of the time.
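As an added example (my own, not from the article), here is Python showing the first and third techniques side by side with their fixes: a login query that splices the username field straight into SQL versus one that uses parameters, and a file-serving path lookup that trusts the requested name versus one that checks the resolved path stays under the web root. The database, the user row and the web-root path are constructed; the web root does not need to exist for the path check to work.

```python
import os
import sqlite3


def make_db():
    """Constructed in-memory database with one user row (hypothetical)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    return conn


def login_vulnerable(conn, username, password):
    # The submitted text becomes part of the SQL statement itself, so the
    # username field can change what the query means.
    query = (f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone()[0] > 0


def login_safe(conn, username, password):
    # Parameters travel separately from the statement and are only ever
    # compared as values. (Real code also hashes passwords instead of storing them.)
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


# Hypothetical web root; it does not have to exist for the path logic below.
WEB_ROOT = os.path.realpath(os.path.join(os.sep, "srv", "app", "public"))


def resolve_vulnerable(root, requested):
    # Joins and normalises, but never checks where the result ended up.
    return os.path.normpath(os.path.join(root, requested))


def resolve_safe(root, requested):
    # Resolve first, then require the result to still be inside the root.
    # commonpath (not startswith) keeps "/srv/app/public2" from passing as
    # being under "/srv/app/public".
    candidate = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError(f"request escapes web root: {requested!r}")
    return candidate


if __name__ == "__main__":
    db = make_db()
    injected = "' OR '1'='1' --"       # classic test string in the username field
    print("vulnerable login with injected username:", login_vulnerable(db, injected, "x"))
    print("parameterised login with same input:", login_safe(db, injected, "x"))
    print("vulnerable path:", resolve_vulnerable(WEB_ROOT, "../../etc/passwd"))
    try:
        resolve_safe(WEB_ROOT, "../../etc/passwd")
    except ValueError as err:
        print("safe path:", err)
```

Run it and the vulnerable login accepts the injected username with no valid password while the parameterised one rejects it, and the vulnerable path resolver hands back a path outside the web root that the safe one refuses. Logging those refusals is the reconnaissance signal the article mentions: traversal probes tend to show up before the attack that does damage.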

The fourth and final attack is cross-site scripting, or XSS. XSS is an attack that doesn’t directly attack the server, but instead targets the users of the website. The hacker uses XSS to execute scripts in a victim’s browser that could redirect the user to wherever the hacker wants or even steal user credentials. Many applications have a vulnerability to XSS. Even Microsoft’s programs have been found to have the vulnerability and had to be patched to ensure that XSS couldn’t be used on their SharePoint product. The attack accounts for 37% of the top four web attack techniques. Because WAAR is able to monitor these attacks, however, it shows that XSS lays the foundation for a Search Engine Poisoning, or SEP, scheme. The hacker will create URLs and place them in forums, which then get used by the search engines, and as people search for these popular sites they find the fake URLs and get redirected because of the XSS.
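Both the cross-site scripting explanation in the Samy Kamkar post and this one describe script injected into a page that then runs in other users' browsers. As an added example (mine, not the article's), here is a Python model of a stored comment page: one renderer drops the submitted text straight into the HTML, the other HTML-escapes it so the browser shows it as text, and a response builder adds a Content-Security-Policy header as a second layer so inline script is blocked even if escaping is missed somewhere. The comments and the policy are constructed for the example.

```python
import html

# Constructed comments as submitted by site users; the second one is the kind
# of input an XSS attack relies on (a harmless marker here).
SAMPLE_COMMENTS = [
    "Nice post, thanks!",
    "<script>alert('xss')</script>",
    'Try the "bold" <b>tag</b>',
]


def render_vulnerable(comments):
    """Interpolates user text straight into markup: the browser will run it."""
    return "\n".join(f"<p class=\"comment\">{c}</p>" for c in comments)


def render_safe(comments):
    """Escapes <, >, &, and both quote characters so user text is displayed,
    never parsed as HTML."""
    return "\n".join(f"<p class=\"comment\">{html.escape(c, quote=True)}</p>"
                     for c in comments)


def build_response(body):
    """Response with headers that limit what an injected script could do."""
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        # Constructed policy: only scripts from our own origin, no inline script.
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
        "X-Content-Type-Options": "nosniff",
    }
    return {"status": 200, "headers": headers, "body": body}


def has_live_script(markup):
    """Crude check used only to show the difference between the two renderers."""
    return "<script" in markup.lower()


if __name__ == "__main__":
    print(render_vulnerable(SAMPLE_COMMENTS))
    print("---")
    print(render_safe(SAMPLE_COMMENTS))
    resp = build_response(render_safe(SAMPLE_COMMENTS))
    print(resp["headers"]["Content-Security-Policy"])
```

Escaping has to match the context the text lands in (element body here; attribute values and JavaScript strings need their own rules), which is why the header policy is worth having as a backstop rather than as the only defence.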

Macbook Battery Exploits

Recently it’s been discovered that lithium batteries, especially those within Mac computers, can be compromised via new malware. Batteries use microcontrollers to tell the computer that it is full or when it needs to be recharged, while also reporting to the OS so that you can be prompted in advance. A man by the name of Charlie Miller has discovered that the batteries shipped within most MacBooks have their firmware default password exposed. This gives anyone who tries the ability to hack your battery.

Miller says he has found multiple things that can be done once you are within the battery. He found that by entering multiple wrong passwords you can “brick” a battery. He also saw that if the hacker wanted to, they could make the battery explode. The final and most interesting exploit that was discovered was that a hacker could in fact place malware on the battery that could remain on the device even when you try to reinstall the OS. Other methods such as replacing the hard drive and re-flashing the BIOS will also not remove the infection.

The act of actually getting to the microcontroller does take some work, however. Also, to attack the battery would require another vulnerability between the chip and the operating system. However, as Miller said in one comment, “that is not much of a barrier.” The article with this information is in fact about 1 and 1/2 months old, so I must assume that a fix has been found; however, it is kind of scary how anything with a microcontroller can be altered. Also, in an Apple forum post the topic was brought up, and one comment mentioned the aluminum models that have sealed batteries and how they are gonna be in big trouble if the exploit still exists within those computers.


http://www.securityweek.com/hacking-laptop-batteries


http://forums.appleinsider.com/showthread.php?threadid=128882

Tools for Better Defense

So as I was doing some searching through the internet, I came upon a security news site that had an article that talked about some great tools that can be useful to a security researcher or administrator. These tools could be used to further research future attacks and to protect any network from attack. The first of these tools, which could possibly be the most important, is Wireshark. Wireshark is by far the ultimate network protocol analyzer and can be an amazing asset to you. Wireshark can show you all the information passing through your network and can decode over 100 different network protocols. Also, if you intend to create your own protocol, this would be a great way to test it.
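To make concrete what a protocol analyzer does with the bytes on the wire, here is an added Python example (mine, not Wireshark's code) that builds one constructed Ethernet/IPv4/UDP frame and then dissects it layer by layer, verifying the IPv4 header checksum the way Wireshark flags bad checksums. The MAC addresses, IP addresses, ports and payload are constructed values.

```python
import struct


def ipv4_checksum(header):
    """RFC 791 ones'-complement checksum; over a valid header (checksum field
    included) the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def parse_ethernet(frame):
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": mac_str(dst), "src": mac_str(src), "type": ethertype}, frame[14:]


def parse_ipv4(data):
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, csum = struct.unpack("!BBHHHBBH", data[:12])
    ihl = (ver_ihl & 0x0F) * 4            # header length in bytes
    header = data[:ihl]
    info = {
        "version": ver_ihl >> 4, "header_len": ihl, "total_len": total_len,
        "ttl": ttl, "proto": proto,
        "src": ip_str(data[12:16]), "dst": ip_str(data[16:20]),
        "checksum_ok": ipv4_checksum(header) == 0,
    }
    return info, data[ihl:total_len]


def parse_udp(data):
    sport, dport, length, csum = struct.unpack("!HHHH", data[:8])
    return {"sport": sport, "dport": dport, "length": length}, data[8:length]


def dissect(frame):
    """Walk the layers like a dissector chain: Ethernet -> IPv4 -> UDP -> payload."""
    eth, rest = parse_ethernet(frame)
    layers = {"eth": eth}
    if eth["type"] == 0x0800:              # IPv4
        ip, rest = parse_ipv4(rest)
        layers["ip"] = ip
        if ip["proto"] == 17:              # UDP
            udp, rest = parse_udp(rest)
            layers["udp"] = udp
    layers["payload"] = rest
    return layers


def build_sample_frame(payload=b"hello"):
    """Constructed frame: 192.0.2.1:40000 -> 198.51.100.7:53 over UDP."""
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0) + payload  # UDP checksum 0 = absent
    src, dst = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])
    fields = [0x45, 0, 20 + len(udp), 0x1234, 0x4000, 64, 17, 0, src, dst]
    fields[7] = ipv4_checksum(struct.pack("!BBHHHBBH4s4s", *fields))   # fill in checksum
    ip = struct.pack("!BBHHHBBH4s4s", *fields) + udp
    eth = struct.pack("!6s6sH", bytes.fromhex("aabbccddeeff"), bytes.fromhex("001122334455"), 0x0800)
    return eth + ip


if __name__ == "__main__":
    for layer, info in dissect(build_sample_frame()).items():
        print(f"{layer}: {info}")
```

Each parser consumes its own header and hands the remainder to the next one, which is exactly the dissector chain Wireshark runs; flipping one bit in the TTL is enough for the checksum check to report the frame as damaged.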

Another tool that is also great for testing things is a sandbox environment. No one wants to crash their personal machine, but they do want to play with the copy of Stuxnet that they received. An invaluable tool for playing with these viruses, and perhaps ultimately learning ways to break them down and defend against them better, would be VMware. VMware is virtualization software for desktops, servers, and other platforms that can be used to run a virtual machine within the program, which will provide you with the sandbox environment that you require for your virus testing.

And the final tool that I’ll be covering is a debugger and decompiler. These two tools will allow you to look “under the hood” of programs to find out what is wrong with them, and in the case of a malware program, they could potentially allow you to break it down and find out exactly what it’s doing. One example given in the original article that I liked had to do with a text-copying malware. This malware would intercept your messages and copy them to a dropbox so that the owner of the malware could obtain data from you. However, with these tools you can find out what this malware is doing, how it is doing it, and then get the code of it with the decompiler.

These tools can definitely be a great help to anyone interested in information security, and I’m gonna post the original article so that you all can read about the other tools that the author talked about.


http://www.securityweek.com/essential-weapons-security-researchers-arsenal-part-1


http://www.securityweek.com/essential-weapons-security-researchers-arsenal-part-2