Showing posts with label hacker news. Show all posts

Wednesday, April 1, 2015

Phishing News: Windows Live Digital Certificate Risk



Looking to spend a little bit of that tax return on some sweet online deals? The latest news from Microsoft should make you do a double take before entering your credit card data. There is a new report of a Windows Live digital certificate risk making the rounds. They are reporting that an unauthorized SSL certificate was issued for “live.fi” that could have been used to carry out man-in-the-middle attacks or even spoof official Microsoft announcements.

Wednesday, March 25, 2015

Defending against the Man in the Middle


I remember as a child trying to eavesdrop on conversations I would hear in school. They usually were centered around who kissed whom or who had a crush on someone. As an adult, like most others, I still listen in on other people’s conversations from time to time. Usually this happens when you’re standing in line somewhere, and it is hard to not listen in on the people next to you. After talking with a colleague over the weekend about man-in-the-middle (MITM) attacks, I found some similarities to the more typical activity of eavesdropping on others’ conversations.

Thursday, March 12, 2015

FREAK and Geeks: Attack and Defense












The Best Offense is a Good Defense

Glass houses are always the worst choice to live in; unless, of course, you want to share your most private secrets with your neighbors. Most people prefer a house with stronger, thicker, and less ‘see all’ walls where they can protect themselves and their personal information. Neighbors can throw stones all they want, but they’re not going to crack the walls of an ancient, brick-and-mortar Victorian.

It’s an issue as old as time: people will always want to protect their personal data from prying eyes, whether that means a thicker flap over the entrance to a straw hut or a high-end security system that monitors every entrance and exit to a mansion on a hill. But as Hollywood has shown us time and again, where there is extra security, there is usually somebody trying to take what’s hiding inside.

The digital age has only exacerbated this issue for most users and companies around the world. The stronger the information security in place, the more vigorously hackers attack in order to find out what is hiding behind the high stone walls on the top of the hill. Every so often, these hackers find a spot where the mortar is weak, and they drill and drill, under cover of night, until a hole is formed. Then, just out of sight, they sneak in and quietly make away with everything you value most. So how do you stop somebody coming through the walls around your data? Find the holes, and seal them back up.

Friday, January 2, 2015

Did you know Sony Pictures was Hacked?

Sony Pictures Hacked









Unless you have been living under a rock for the past month, you know that Sony Pictures was hacked, not just a little . . . They were hacked a lot! Now as a moviegoer, blogger, and hacking nut, I was not surprised that Sony got hacked. Companies get hacked all the time; heck, the US Government gets hacked a lot too. But the Sony hacking was much more than meets the eye.

Thursday, December 4, 2014

What Do Hackers Do With Our Data?




In the past couple of years, there have been more and more hacker attacks, leading us as consumers to feel a little uneasy. As a society, we almost seem desensitized to the news on TV at this point, and the only time we take real notice is when the brand that has been hacked is one that we frequent. Even then our brain signals us to be concerned for a little while, but as a group, we continue to shop ‘til we drop. From time-to-time we wonder, where does our information go once it is stolen?

They sell it.

End of story, but really, that is what they do with it. Everything has a price tag on it these days and like a knockoff Rolex, you can buy it on the black market. There are international trading sites that are the marketplace of choice for those both shopping for and selling the stolen data.

In early 2014, RAND Corporation’s National Security and Research Division reported that the trade of names and information has become more profitable than illegal drug trading.  


Like trading baseball cards, in these black market trading grounds some information is more valuable than others. For instance, medical records are worth far more money than credit card information. Why, you may ask?


Unlike a credit card number that can easily be canceled at any point in time, medical records are solid and cannot be changed. Gaining someone’s personal health information exposes things like date of birth, full name, social security number, address, and even more information that can allow someone to create a fake you. This allows the person to apply for credit cards, loans, heck, even government-issued IDs. Now that is scary.

According to Don Jackson, Director of Threat Intelligence at PhishLabs, medical records can trade at more than 10 times the dollar amount of a credit card or user name and password credentials. 

The social network effect

In 2012, Russian hackers stole 6 million passwords from LinkedIn and eHarmony. This may not seem very serious, since there is not a lot of pertinent information that could be had from these websites. Both are social networks, one with your work history and the other with descriptions that may sound more like the classic Rupert Holmes song about Pina Coladas, but that is not the data they are after. Breaking in and obtaining these passwords has more to do with gaining the user names and passwords than anything else. The hackers hope that you are like the typical computer user and reuse those credentials on other sites, allowing them to access your accounts freely and sell them on the black market.

Personal insight

Researching this blog article made me think about my account information and passwords, and it inspired me to go in and change almost all of my passwords to unique account passwords. I suggest you do the same to protect yourself from identity theft. This can be a very effective way to protect yourself, and on accounts that offer a two-step or two-factor authentication option it is definitely a best practice to enable this feature. By adding two-factor authentication to your account you can ensure that you are doing everything you can to protect yourself online.

How many passwords do you use?

Tuesday, December 2, 2014

Book Review - Hacking: The Art of Exploitation











The general public today would not think of hacking (that is, black hat hacking, or better called security crackers) as an art form. I would submit that it is an ingenious art form, an art form that requires expertise, crafting, and practice. Like painters or musicians, you have those that dabble in the art form, not ever really perfecting it. Then you have those that push the boundaries, opening up a whole new appreciation or even genre. In my research of hackers and crackers, I came across Jon Erickson’s book, Hacking: The Art of Exploitation, and found a master in the art of exploitation.

Author
With a formal education in computer science, Jon Erickson has been programming and hacking since he was 5 and speaks around the world on computer security regularly. He wrote the book Hacking: The Art of Exploitation in 2003, and it was revised in 2008 in a second edition. Erickson is currently working in Northern California as a computer security specialist and vulnerability researcher.

The book
This book received 4 stars on Amazon and 4.1 stars on goodreads.com.
Both easy to read and clear on explaining how computer hacking works, Hacking: The Art of Exploitation at the very least will give you a great respect for those that understand the inner workings of technology. The 2nd edition opens up with a clear statement against illegal hacking. Erickson stresses following the law, and he does not condone hacking that is used in the end for wrong reasons.

The book encourages you to be creative, think outside the box, and use the knowledge of hacking to protect your own personal computer against network attacks. This is not a book on how to run existing exploits, but rather, gives you an understanding on how these exploits work. The book is intended to give you the foundation needed to really push the envelope and advance technology by finding the weaknesses within the technology and encouraging you to be creative. The book will give you an understanding of network communications, machine architecture, programming, and hacking techniques.

A closer look
  • Program computers using C, assembly language, and shell scripts
  • Corrupt system memory to run arbitrary code using buffer overflows and format strings
  • Inspect processor registers and system memory with a debugger to gain a real understanding of what is happening
  • Outsmart common security measures like nonexecutable stacks and intrusion detection systems
  • Gain access to a remote server using port-binding or connect-back shellcode, and alter a server's logging behavior to hide your presence
  • Redirect network traffic, conceal open ports, and hijack TCP connections
  • Crack encrypted wireless traffic using the FMS attack, and speed up brute-force attacks using a password probability matrix
List taken from amazon.com


http://books.google.com/books/about/Hacking.html?id=0FW3DMNhl1EC
http://www.goodreads.com/book/show/61619.Hacking

Tuesday, November 25, 2014

TedTalk - Hackers: The Internet's Immune System

TedTalk: Hackers the Internet's Immune System









Do we really know what happens behind the scenes of the cyber world? If we don't slow down, open our eyes, and take a closer look at things around us, we could be influenced in many different directions and led to believe almost anything. I am not saying to question or doubt everything, but I am saying that you must NOT be spoon-fed beliefs or perspectives.

So go ahead . . . ask the right questions and educate yourself.

TedTalks is a great place to get another perspective on controversial topics. One eye-opening talk I recently watched was Keren Elazari’s “Hackers: The Internet’s Immune System.”

Are some hackers justified in their actions?


Her TedTalk takes on the controversial topic of the “robin hood hackers” and sheds some light on our rapidly growing technology and the role that hackers must play.



Keren Elazari is a cyber-security expert. Her love for science fiction and her overwhelming curiosity fueled her exploration of the underground world of the hacktivists. She is currently an industry analyst with GIGAOM Research. She is also a sought-after speaker at conferences such as TedTalk, DEFCON, WIRED, and more.

Elazari does not call them hackers but rather “Security Researchers.” She believes that the hacker must decide what they are going to do with this powerful information. With technology becoming our future, the credit for exposing gaps and weaknesses in security goes to hackers and hacktivist groups. Because they have unearthed these problems, Elazari states that it “has an evolving effect to our technology. . . and if we fight hackers, we are stifling innovation.”

Maybe, just maybe, hackers are not ALL as malicious as the general public has been led to believe. “Security Researchers have impacted civil liberties, innovation, and internet freedom,” states Elazari.

What are you doing to protect civil liberties, innovation, and Internet freedom?


Friday, November 14, 2014

Hacker Attacked: Behind the Bars

Behind the Bars









“In just one day in 2008, an American credit card processor was hacked in perhaps one of the most sophisticated and organized computer fraud attacks ever conducted,” according to a release published by the FBI.

Sentenced. Slammed. Served.

Back in 2008, RBS WorldPay, an electronic payment processing service, fell victim to a data breach. An unauthorized user gained access to the company’s computer system and obtained personal information of 1.5 million gift card and payroll cardholders. This included names, addresses, dates of birth, and social security numbers. A critical amount of personal data was compromised.

These cyber criminals used highly sophisticated hacking techniques to compromise the data encryption that was used to protect customers against potential hackers. Officials were determined to sentence the leader of this cyber attack, and eventually did, 6 years later.

An Estonian man, Sergei Tsurikov, has been sentenced to 11 years in prison for the role he played in the 9.4 million dollar data breach. The FBI has detailed the hacker’s involvement in this breach in a press release they published.

“A leader of one of the most sophisticated cyber crime rings in the world has been brought to justice and sentenced,” said United States Attorney Sally Quillian Yates.

Thanks to the cooperation of various law enforcement agencies worldwide, this prosecution was successful. The FBI informs the public that on top of the 11-year sentence that Tsurikov must complete, he must top it off with three years of supervised release, as well as pay out a restitution fee of $8.4 million.

Let this be a lesson that security cracking does not always pay off . . . sometimes you get caught.