Archive | December, 2015

Hacking for Good – Daily Security Byte EP. 194

Most of the time, the media uses the term hacking in the negative context. However, there are many white hats who hack for good. In the last Daily Security Byte episode for 2015, I cover two fun stories that show how people can use hacking and reverse engineering techniques to do things that improve our lives.

Show note: This will be the last Daily Byte video this year. I’ll resume the daily video January 4th, 2016.

(Episode Runtime: 3:12)

Direct YouTube Link: https://www.youtube.com/watch?v=Oz7nY-5YwLU

EPISODE REFERENCES:

— Corey Nachreiner, CISSP (@SecAdept)

WatchGuard Security Prediction #10 – Alien Attackers Hijack Our Broadcast Signals from Space

Unlike cyber criminals, who want to stay under the radar, Hacktivists like to make big splashy messages. The whole point of “cyber” activism is to use technology to get as many people as possible to notice your message, whatever it may be.

Prediction video link: https://youtu.be/EEbqr-2XFRk

Anonymous is a great example of this, with their well-known videos containing a man in a suit wearing a Guy Fawkes mask and speaking with a distorted voice over theatrical music. All of the Anonymous’ “operations” are designed to get noticed. Whether they’re trolling the Church of Scientology, DDoSing credit card providers, defacing websites, or doxing someone they disagree with, the goal is getting attention for their cause. What better way to get attention than to hijack a live TV signal or big event?

While hacktivists are known for their attention-grabbing videos, so far they’ve never taken over live TV or radio, and really gotten their message across to a wider audience. Movies and TV would have us expect “l33t h@x0rs” to take over the airwaves, but so far their strange hacktivist videos have been relegated to YouTube posts anyone can do. Hacking TV broadcasts may sound like sci-fi, but there is precedent. Back in the 80s, a weird, masked man (sound familiar?) took over a few Chicago TV stations for a few minutes at a time. While our TV broadcast have become more protected today, the breach to TV5Monde—a French broadcast network—shows that attackers still have the potential to take over the airwaves.

Next year, I expect cyber attackers to pull off some hack that gets broadcast to the world live. Perhaps they’ll take over a big stadium screen during the Super Bowl or World Cup; they might hijack all of the big TVs in Times Square; or perhaps they pull off the ultimate hacktivist’s dream, and hijack a major TV network’s live broadcast. Whatever it is, expect hacktivists to do something big that televises their revolution to the world live.

Visit our WatchGuard security predictions site

— Corey Nachreiner, CISSP (@SecAdept)

Devastating Kerberos Flaws? – Daily Security Byte EP. 193

A few stories surfaced yesterday talking about “devastating” vulnerabilities in Windows’ Kerberos. Today’s vlog explores whether or not these are new issues, how severe they really are, and where you can learn how to mitigate them.

(Episode Runtime: 3:44)

Direct YouTube Link: https://www.youtube.com/watch?v=yxcoqfagLfI

EPISODE REFERENCES:

— Corey Nachreiner, CISSP (@SecAdept)

WatchGuard Security Prediction #9 – Spies Slip Into Wireless Alliances

To be honest, wireless security hasn’t changed too much in the last few years. That’s not to say it’s perfectly secure. There are still plenty of folks using legacy WEP encryption standards, and organizations that use WPA2-PSK with a horrible password. There are also many wireless networks that don’t segment clients, so attackers can sniff plenty of private connections by hanging out on public hotspots. Furthermore, many SMB organizations haven’t solved the problem of rogue hotspots or evil twin hotspots. That said, there hasn’t been a huge, industry-wide wireless standard vulnerability in quite awhile.

Prediction video link: https://youtu.be/A4m6D6fqmWA

While we don’t know exactly what it’ll be, we suspect the next big wireless vulnerability will have to do with an “ease-of-use” feature. The Wi-Fi Protected Setup (WPS) standard was a great example of this possibility. WPS was designed to make it easier for new users to join a secure wireless network without having to remember a complex password. Unfortunately, it suffered from a flaw that made it easy for attackers to brute-force a WPS pin and gain access to the wireless network quickly. Unfortunately, usability features can sometimes clash with real security.

Recently, Windows included a new wireless feature called Sense. This feature is intended to allow you to automatically connect to secure wireless networks that your friends or acquaintances have used. While no one has found any issue with this feature yet, this is the type of feature that may introduce new wireless problems. In 2016, expect the next wireless security vulnerability to involve an ease of use feature like Sense.

Visit our WatchGuard security predictions site

— Corey Nachreiner, CISSP (@SecAdept)

Joomla Attack in Wild – Daily Security Byte EP. 192

If you use Joomla to manage content on your website, you’re going to want to patch immediately. Today’s daily video covers a new zero day flaw in the open source content management system (CMS) that attackers are actively exploiting in the wild.

(Episode Runtime: 1:42)

Direct YouTube Link: https://www.youtube.com/watch?v=oLcHEBQb274

EPISODE REFERENCES:

— Corey Nachreiner, CISSP (@SecAdept)

WatchGuard Security Prediction #8 – Breaches Come to the IoT Frontier

When a hacker hijacks a computer, gaining persistence (or making sure his malicious trojan stays on the computer) is easy. The attacker just has to load malware onto the computer’s hard drive and make sure it runs when the computer reboots. However, hijacking the Internet of Things (IoT) is a different story. Many IoT devices don’t have local storage, and are often small embedded systems with low resources. Gaining persistence on these devices is much more difficult and may actually involve modifying the software these devices use to boot, which we call firmware.

Prediction video link: https://www.youtube.com/watch?v=iU63Bhmv6LU

Next year, we expect to see more researchers release proof-of-concept attacks that permanently modify and hijack the firmware of IoT devices. It’s not enough to just find a vulnerability in these devices, but you also have to figure out how to inject malicious code that can stick around. We expect to see vendors start to harden the security of their IoT devices by implementing secure boot mechanisms that makes it more difficult for attackers to modify firmware.

Visit our WatchGuard security predictions site

— Corey Nachreiner, CISSP (@SecAdept)

Ironic Watering Hole Attack – Daily Security Byte EP. 191

Cybercrime; Is it out of control?

Yes! When attackers hijack your news site to serve malware from your cyber crime article, it probably is a bit out of control. Watch today’s video to learn what I’m talking about, and how you might protect yourself from legitimate web sites unknowingly spreading malware.

(Episode Runtime: 3:28)

Direct YouTube Link: https://www.youtube.com/watch?v=20jp-teI5no

EPISODE REFERENCES:

— Corey Nachreiner, CISSP (@SecAdept)

WatchGuard Security Prediction #7 – Starfleet Academy Targeted

Information security is all about protecting data, because at the end of the day, stolen data is what makes the cyber criminals rich. Criminals started with the basics. Monetizing stolen credit card (CC) information was easy.  You just needed the basic CC information and a few personal details to make a purchase with a stolen card. We saw this in 2014—the year of the retail breach—as cyber criminals stole millions of CC records through point-of-sale systems.

Prediction video link: https://youtu.be/eATe_am6A6E

However, as fraud systems got better, making false CC purchases became harder and today stolen CC information is barely worth the effort to steal it. Meanwhile, the personally identifying information (PII) required to steal a full identity has become much more valuable. PII value in the underground directly increases in relation to how many individual pieces of data you have in a corresponding set. As you can imagine: a name, email, address, CC, date of birth, and social security number (SSN) is much more valuable than just a name and email address. That’s why CCs may only fetch 50 cents to a dollar on the underground, while a full set PII (which the underground calls a fullz) can bring in 10 to 20 dollars, especially since it includes a SSN. That’s also why healthcare records are so valuable—they’re rich in PII data and include SSNs. In 2015, we saw many attacks targeting healthcare data.

So what’s even better than a healthcare record? Apparently, student records! We are learning that the amount of data collected about our kids over their lifetime as a student is staggering. It even includes some of their health records to boot, which is already one of the richest PII datasets. This, combined with the more open network environment found in educational facilities is why we expect cyber criminals to target student data systems in 2016.

If you run IT for an educational facility, look out for hackers next year.

Visit our WatchGuard security predictions site

— Corey Nachreiner, CISSP (@SecAdept)

Attacker DDoSes the Internet – Daily Security Byte EP. 190

Can hackers knock out the Internet? Probably not, but it look like attackers tried to disrupt DNS recent by launching a distributed denial of service attack against the root DNS servers. Watch today’s video to learn how the IT community can make it harder for attackers to launch reflected attacks.

(Episode Runtime: 4:04)

Direct YouTube Link: https://www.youtube.com/watch?v=o3BbYBb4hl4

EPISODE REFERENCES:

— Corey Nachreiner, CISSP (@SecAdept)

WatchGuard Security Prediction #6 – Jango Fett and the Clone Army are Coming

Security experts have always realized that information security is a constant arms race. Attackers discover new methods to evade defenses, we update our defenses, and the cycle continues and repeats. In fact, much of our legacy defense is reactive. It relies on us having seen a particular attack, and creating a specific defense for that particular attack. The problem is, reactive defenses do little good for new attacks.

Prediction video link: https://youtu.be/PXG-nty1XR0

Today’s attackers have automated their attacks, ensuring they constantly evade our reactive defenses. Signature-based protection is no longer effective. While human analysts can identify new threats by monitoring for suspicious behaviors, cyber criminals release new threats in such volume that humans can’t keep up. The solution? Artificial Intelligence (AI) and machine learning that can automatically recognize malicious behavior.

At a very high level, statisticians and mathematicians have begun to develop big data algorithms that can identify very complex behaviors and trends. The security industry is starting to see a new level of security controls that can proactively find new threats in real-time, without human interaction. We’ll always be one step behind the latest attack, so these more proactive security technologies are the only way we might stop the newest threat.

Expect 2016 to be the year of machine learning and behavioral detection security controls.

Visit our WatchGuard security predictions site

— Corey Nachreiner, CISSP (@SecAdept)

%d bloggers like this: