
Page 1: ISSUE InfoSEC Times May - Abu Dhabi · PDF fileof Infosec Times Welcome to the ... Leonardo Nve presented a variety of tricks for gaining ... Nve, a researcher with security firm S21Sec,

How To Hack The Sky – P1
Can a Company Remotely Wipe an Ex-Employee’s Device? – P2
Awareness Grows for File Transfer Security, But Still Work to Do – P3
WordPress Under Attack As Double Zero-Day Trouble Lands – P4
HSBC mortgage customer info was publicly accessible on the internet – P5
RSAC: Recruiting the Next-Generation Cyber – P5

InfoSEC Times: Abu Dhabi Polytechnic’s Monthly Newsletter on Information Security Issues

Welcome to the twelfth edition of Infosec Times

Welcome to the twelfth edition of our new newsletter from the Abu Dhabi Polytechnic Information Security Engineering Technology (ISET) Department. In this edition we have collected news about the latest trends in information security.

We would like to encourage and invite our readers to contribute to the development of this newsletter, so that we may keep everyone informed about the current issues that may affect us all in the ever-increasing world of computers and technology.

How To Hack The Sky

Satellites can bring a digital signal to places where the Internet seems like a miracle: off-the-grid desert solar farms, the Arctic or an aircraft carrier at sea. But in beaming data to and from the world’s most remote places, satellite Internet may also offer its signal to a less benign recipient: any digital miscreant within thousands of miles.

In a presentation at the Black Hat security conference in Arlington, Va., Tuesday, Spanish cybersecurity researcher Leonardo Nve presented a variety of tricks for gaining access to and exploiting satellite Internet connections. Using less than $75 in tools, Nve, a researcher with security firm S21Sec, says that he can intercept Digital Video Broadcast (DVB) signals to get free high-speed Internet. And while that’s not a particularly new trick–hackers have long been able to intercept satellite TV or other sky-borne signals–Nve also went a step further, describing how he was able to use satellite signals to anonymize his Internet connection, gain access to private networks and even intercept satellite Internet users’ requests for Web pages and replace them with spoofed sites.

“What’s interesting about this is that it’s very, very easy,” says Nve. “Anyone can do it: phishers or Chinese hackers; it’s like a very big Wi-Fi network that’s easy to access.”

In a penetration test on a client’s network, Nve used a Skystar 2 PCI satellite receiver card, a piece of hardware that can be bought on eBay for $30 or less, along with open source Linux DVB software applications and the network data analysis or “sniffing” tool Wireshark.

Nve also reversed the trick, impersonating Web sites that a satellite user is attempting to visit by intercepting a Domain Name System (DNS) request–a request for an Internet service provider (ISP) to convert a spelled out Web site name into the numerical IP address where it’s stored–and sending back an answer faster than the ISP.

In his tests on the client’s network, Nve says he was also able to hijack signals using GRE or TCP protocols that enterprises use to communicate between PCs and servers or between offices, using the connections to gain access to a corporation or government agency’s local area network.

The Barcelona-based researcher tested his methods on geosynchronous satellites aimed at Europe, Africa and South America. But he says there’s little doubt that the same tricks would work on satellites facing North America or anywhere else.

What makes his attacks possible, Nve says, is that DVB signals are usually left unencrypted. That lack of simple security, he says, stems from the logistical and legal complications of scrambling the signal, which might make it harder to share data among companies or agencies and–given that a satellite signal covers many countries–could run into red tape surrounding international use of cryptography. “Each [country] can have its own law for crypto,” says Nve. “It’s easier not to have encryption at the DVB layer.”

Nve isn’t the first to show the vulnerability of supposedly secure satellite connections. John Walker, a British satellite enthusiast, told the BBC in 2002 that he could watch unencrypted NATO video feeds from surveillance sorties in the Balkans.

In fact, the techniques that Nve demonstrated are probably known to other satellite hackers but never publicized, says Jim Geovedi, a satellite security researcher and consultant with the firm Bellua in Indonesia. He compares satellite hacking to early phone hacking or “phreaking,” a practice that’s not well protected against but performed by only a small number of people worldwide. “This satellite hacking thing is still considered blackbox knowledge,” he wrote in an e-mail to Forbes. “I believe there are many people out there who conduct similar research. They may have some cool tricks but have kept them secret for ages.”

At last year’s Black Hat D.C. conference, British cybersecurity researcher Adam Laurie demonstrated how he intercepts satellite signals with techniques similar to Nve’s, using a DreamBox satellite receiver and Wireshark. But Nve argues that his method is far cheaper–Laurie’s DreamBox setup cost around $750–and that he’s the first to demonstrate satellite signal hijacking rather than mere interception.

“I’m not just talking about watching TV,” says Nve. “I’m talking about doing some very scary things.”

Andy Greenberg, forbes.com

Issue 12, May 2015
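The DNS trick described above works because a resolver accepts the first response whose transaction ID and question match its outstanding query and silently discards any later one, so an answer that arrives before the ISP’s wins. A monitor that sees the whole link still observes both responses, which gives a defender a simple detection: two responses for one transaction that disagree. The following script is an added example written for this newsletter edit; it is not code from the article, from Leonardo Nve or from S21Sec. It assumes a passive DNS log with one tab-separated line per observed response (timestamp, client, transaction ID, query name, comma-separated answers); the SAMPLE_LOG lines are constructed for the demonstration, not a real capture.

```python
"""Flag DNS answer races: one transaction, two different answers.

Added example (not from the article). Assumed input: one line per DNS
response seen on the link, tab-separated as ts, client, trans_id, query,
answers (answers comma separated). SAMPLE_LOG is constructed sample data.
"""

# Constructed sample: the first answer for trans_id 4132 beats the second
# one by 2 ms and disagrees with it; trans_id 9001 is a plain retransmission.
SAMPLE_LOG = """\
1430000000.101\t10.9.8.7\t4132\twww.example.com\t198.51.100.23
1430000000.103\t10.9.8.7\t4132\twww.example.com\t93.184.216.34
1430000000.109\t10.9.8.7\t4133\tmail.example.com\t93.184.216.35
1430000001.500\t10.9.8.9\t9001\twww.example.net\t203.0.113.5
1430000001.540\t10.9.8.9\t9001\twww.example.net\t203.0.113.5
"""


def parse_line(line):
    """Split one log line into a record; names are normalised for matching."""
    ts, client, trans_id, query, answers = line.rstrip("\n").split("\t")
    return {
        "ts": float(ts),
        "client": client,
        "trans_id": int(trans_id),
        "query": query.lower().rstrip("."),
        "answers": frozenset(a for a in answers.split(",") if a),
    }


def detect_answer_races(log_text):
    """Return one alert per transaction that received conflicting answers.

    The first response seen is the one the client accepted (that is what a
    resolver does), so it is reported as `accepted_answers`; a later
    response with the same client, transaction ID and question but a
    different answer set is the race. Identical repeats are ignored.
    """
    first_seen = {}
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        rec = parse_line(raw)
        key = (rec["client"], rec["trans_id"], rec["query"])
        if key not in first_seen:
            first_seen[key] = rec
            continue
        accepted = first_seen[key]
        if rec["answers"] == accepted["answers"]:
            continue  # retransmission, nothing to flag
        alerts.append({
            "client": rec["client"],
            "trans_id": rec["trans_id"],
            "query": rec["query"],
            "accepted_answers": sorted(accepted["answers"]),
            "late_answers": sorted(rec["answers"]),
            "gap_ms": round((rec["ts"] - accepted["ts"]) * 1000, 1),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_answer_races(SAMPLE_LOG):
        print(alert)
```

The check only tells you that a race happened, not which answer was genuine; the accepted answer is the suspect one because it arrived first, and the late answer is the one to compare against an independent resolver. On an unencrypted downlink this detection is a stop-gap: the durable fix the article points at is encryption above the DVB layer (TLS or a VPN), which removes the value of a spoofed answer.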

Page 2

When Can a Company Remotely Wipe an Employee’s Device?

Consider this question: When is it lawful for your company to remotely wipe an employee’s (or former employee’s) device that was connected to your company’s network and contains its proprietary data?

It depends. If your company has a binding agreement with the owner of the device, such as an effective BYOD (bring your own device) policy, then it should provide the answer. If not, the only way to find the answer is through costly and time-consuming litigation.

The dispute in Rajaee v. Design Tech Homes, Ltd. illustrates this point nicely. In that case, the employee claimed that he had to have constant access to his email in order to do his job. His employer did not provide him with a mobile device so he used his own personal iPhone 4 to do his job.

His iPhone was connected to his employer’s network server to allow him to remotely access the email, contact manager, and calendar provided by the employer. The employer and employee later disagreed over who connected the device to the network or whether it was authorized.

The employee resigned his employment and, a few days later, his former employer’s network administrator remotely wiped his iPhone, restoring it to factory settings and deleting all the data –- both work-related and personal –- from the iPhone.

The employee then sued his former employer, claiming that the employer’s actions caused him to lose more than 600 business contacts collected during his career, family contacts, family photos, business records, irreplaceable business and personal photos and videos, and numerous passwords.

He asserted claims for violation of the Computer Fraud and Abuse Act, Electronic Communications Privacy Act, and various claims under Texas state law.

The lawsuit was filed in August 2013. Due in large part to fine lawyering by my friend Pierre Grosdidier and his colleagues, who represented the employer, they were able to get the case dismissed in November 2014. While this was a “win” for the employer, that win came at a significant cost.

An Ounce of Prevention …

Litigation is not only costly, but it is also very time-consuming for management. It results in lost opportunities to further companies’ business objectives because finite resources must be devoted to the battle instead of to the company’s business. Of litigation, it is often said that the only ones who ever really win are the lawyers representing the parties. That is usually true.

In the Rajaee case, the employer was represented by a very well-respected “big” law firm that did an excellent job for their client. But, good lawyers come at a price and I am quite certain the lawyers in this case were not working for free. This case was litigated for about 14 months.

There were 43 entries on the court’s docket which shows there was quite a bit of activity considering only the documents filed with the court. That does not include the discovery that was conducted (which is not filed and does not appear on the docket) but motions listed on the docket show there were discovery disputes and the parties were active in discovery.

What all of this means is money — lots of money that the employer paid in legal fees to get this win. Probably many tens of thousands of dollars in fees. From a practicing lawyer’s perspective, that is great because the clients get the win and so do we lawyers!

But the truth is, good lawyers do not want to see their clients waste money so we look at situations such as this and ask, “could this have been avoided?” This helps us in advising our clients on how to avoid such situations in the future.

In this case, were we to have the benefit of 20/20 hindsight and be able to go back in time to advise companies such as this, before the underlying situation arose, yes there was a much better way to go. First and foremost, the company would have listened when told “an ounce of prevention is cheaper than the very first day of litigation.”

Then, it would have acted on this advice by taking the following steps:

There would have been a conversation between the company’s management, appropriate IT and security leaders, and legal counsel to discuss the company’s position on BYOD.

The conversation would have considered if the workforce would even be allowed to use their own devices.

If the answer was “no, BYOD will not be permitted” then appropriate policies and procedures would have been adopted and documented.

If the answer was “yes,” then the discussion would have continued to address more specifics on how the company would manage BYOD and the many risks associated with it, which are numerous. Focusing only on the particular issues in Rajaee, the discussion would have resulted in the creation and adoption of a BYOD Policy (or another similar policy) that addressed a key issue as a condition precedent to authorizing and permitting use of the device: By connecting the device to the company network or using it for company business, the user would expressly agree that he or she authorized, and would permit, the company to access the device and securely remove its data at any time the company deemed necessary, either during the relationship, or after. And, if the user did not make the device available within a certain period of time after demand, the user authorized the company to remotely wipe the entire device and restore it to its factory settings in order to ensure that its data was securely removed from the device.

For either answer, yes or no, the company would have implemented and adequately trained its workforce on the policies and procedures to ensure they were aware of, understood, and agreed to abide by the policies and procedures.

Source: Shawn Tuma at blog.norsecorp.com

Page 3

Awareness Grows for File Transfer Security, But Still Work to Do

Security awareness when it comes to file-sharing via services like Dropbox is beginning to escalate, even in verticals where compliance requirements are less of a hallmark. But the healthcare industry still has a lot of work to do.

That’s according to a survey from Biscom, which found that enterprises across industries, including healthcare, financial services, retail, computer hardware/software and manufacturing, all see security to be a core feature of their file synchronization products. A full 70% of respondents said security was the No. 1 feature they looked for in file transfer; and 72% named security as “critical” for sync and share services like Google Drive and Dropbox.

“Our survey confirmed what we were already starting to see: that security will be the key focus in all areas of business for 2015,” said Bill Ho, CEO of Biscom. “The data breaches within the past year have shown us that all businesses are increasingly at risk and should be actively assessing tools and processes which can help reduce their exposure.”

But intent and awareness aren’t necessarily translating into action. While 60% of respondents said they use secure file transfer (SFT) to transfer files at work, 86% of respondents said they use email, and 51% said they still use FTP.

Interestingly, the healthcare industry is one of the most polarizing when it comes to secure file transfer. The survey shows that while the healthcare industry is extremely concerned about security, it is also the least likely to use the most secure methods for storing, syncing and sharing data. Even for those that ranked security and encryption as the No. 1 most important feature, 81% still use email to share files, and 45% still use FTP.

Of those that ranked security as “critical,” 50% report using consumer-oriented sync and share services such as Dropbox for work. Of those that used low-security consumer tools for work, 82% use it for office documents, 34% for financial documents, 51% for medical documents, and 40% for legal documents.

In contrast, the financial services respondents showed both a high concern for security and a high likelihood to use the most secure tools for storing, syncing and sharing data.

When asked to rank importance of SFT features, 90% ranked security No. 1 or No. 2. When asked how important aspects of sync and share services were, 67% of respondents ranked security as “critical” and another 13% said it was “very important.” And of those that ranked security as “critical,” just 30% report using low-security sync and share services for work.

Source: infosecurity-magazine, 26th April

Page 4

WordPress Under Attack As Double Zero-Day Trouble Lands

The WordPress platform is yet again under attack, thanks to vulnerabilities across old and new versions of the content management system.

The most pressing issue is a fresh zero-day, a previously unknown and unpatched weakness, affecting the latest version of WordPress, 4.2, and prior iterations, as revealed by Finnish company Klikki Oy yesterday. It released a video and proof of concept code for an exploit of the flaw, which allows a hacker to store malicious JavaScript code on WordPress site comments. Under normal circumstances, this should be blocked as it could be abused to send visitors’ usernames and passwords to a hacker’s site – what’s known as a cross-site scripting attack. All that’s required is for a user’s browser to parse the code when they land on the affected site.

If a logged-in administrator visits the affected page, the hacker could acquire access to the server, Klikki Oy warned. “Alternatively the attacker could change the administrator’s password, create new administrator accounts, or do whatever else the currently logged-in administrator can do on the target system.” For website admins, the advice for now is to disable comments until a fix is released.

Ryan Dewhurst, security researcher and owner of the WordPress vulnerability database WPScan, told FORBES he’d tested the attack code and it worked. His own proof of concept hack can be found on Github. He noted the attack requires the hacker to have a previously approved comment on the target site so the comment containing the exploit does not need approving. To inject a malicious JavaScript script via this zero-day, the hacker has to make their comment long enough that the data chunk received by the MySQL database for the site is equal to 64KB. This causes an error allowing for the rogue code to be placed in the comments. Exactly 65,535 ‘A’ characters would do the trick, Dewhurst said.

Gary Pendergast, from the WordPress team, said a fix was on the way, but there was no timeline. He recommended using the Akismet plugin that should help block attacks.

Just last week, WordPress 4.1.2 was updated due to a number of vulnerabilities, including a remarkably similar cross-site scripting issue reported by researcher Cedric Van Bockhaven that was open to attack for at least 14 months. Users have been advised to update, though with the fresh zero-day they will likely remain unprotected upon upgrading.

CloudFlare, the content delivery network that sees roughly five per cent of the web’s traffic going through its servers, said on Friday it had seen malicious emails sent out by hackers trying to point people to a compromised WordPress site hosted by Bluehost. It appeared they were abusing one of the critical flaws in older versions of the CMS, most likely the cross-site scripting weakness in 4.1.1 and below.

Given WordPress sites have been beleaguered by attacks throughout recent years, as should be expected when roughly 20 per cent of the web runs on the platform, users should take all precautions necessary.

Source: Forbes.com, 27th April
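The detail worth taking from Dewhurst’s description is the number: 65,535 bytes is the capacity of a MySQL TEXT column, so a comment of that size is not “long” in any abstract sense, it is exactly the point where the database stops storing what the application validated. Whatever the application checked (balanced tags, escaped attributes) was checked on the full text, and the stored remainder is something nobody inspected. The script below is an added defensive example written for this newsletter edit; it is not code from the article, from Klikki Oy, WPScan or WordPress, and it does not claim to reproduce WordPress internals. It assumes a comment bound for a TEXT column and a storage layer that truncates instead of rejecting (that truncation is an assumption for the illustration; the article only says the oversized comment “causes an error”). It checks the UTF-8 byte length against the column limit before anything is stored, and shows what naive truncation of already-sanitized markup leaves behind. The sample comments are constructed.

```python
"""Reject comments that a 65,535-byte column would silently cut short.

Added example, not from the article or from WordPress. Assumes the comment
text is stored in a MySQL TEXT column (65,535 bytes) and that the storage
layer truncates rather than rejects oversized values (an assumption made
for this illustration). All sample comments below are constructed.
"""
import re

MYSQL_TEXT_LIMIT = 65_535  # bytes, the capacity of a MySQL TEXT column
TAG_RE = re.compile(r"<(/?)([A-Za-z][A-Za-z0-9]*)[^<>]*>")
VOID_TAGS = {"br", "img", "hr"}  # elements that never have a closing tag


def utf8_length(text):
    """Column limits are in bytes; len() counts code points, which differ."""
    return len(text.encode("utf-8"))


def simulate_truncation(text, limit=MYSQL_TEXT_LIMIT):
    """What a silently truncating column keeps: the first `limit` bytes."""
    return text.encode("utf-8")[:limit].decode("utf-8", errors="ignore")


def markup_problems(text):
    """Report unbalanced tags and a tag cut off at the end of the text.

    A tag cut mid-attribute has no closing '>' and so is never matched by
    TAG_RE; a browser would keep parsing whatever the template appends
    after the comment as part of that tag, which is the dangerous case.
    """
    problems = []
    depth = 0
    for closing, tag in TAG_RE.findall(text):
        if tag.lower() in VOID_TAGS:
            continue
        depth += -1 if closing else 1
        if depth < 0:
            break
    if depth != 0:
        problems.append("unbalanced tags")
    if text.rfind("<") > text.rfind(">"):
        problems.append("unterminated tag at end")
    return problems


def validate_comment(text, limit=MYSQL_TEXT_LIMIT):
    """Accept a comment only if it fits the column and its markup is whole."""
    size = utf8_length(text)
    if size > limit:
        return False, f"comment is {size} bytes, column limit is {limit}"
    problems = markup_problems(text)
    if problems:
        return False, "; ".join(problems)
    return True, "ok"


# Constructed samples (not real comments from any site).
SHORT_OK = '<a href="https://example.invalid/">a short link</a>'
OVERSIZED = '<a href="https://example.invalid/" title="' + "A" * 65_500 + '">link</a>'
MULTIBYTE = "\u00e9" * 40_000  # 40,000 characters but 80,000 bytes

if __name__ == "__main__":
    for name, sample in [("short", SHORT_OK), ("oversized", OVERSIZED),
                         ("multibyte", MULTIBYTE)]:
        print(name, validate_comment(sample))
    stored = simulate_truncation(OVERSIZED)
    print("what the column would keep:", markup_problems(stored))
```

Two points the sample makes concrete: the oversized comment has perfectly balanced markup before storage and an unterminated `<a` afterwards, so validation that runs before the write proves nothing about what ends up in the column; and the multibyte sample passes a character-count check by a wide margin while exceeding the byte limit, which is why the size check encodes first. Measuring and rejecting before the write, or configuring the database to raise an error on oversized values rather than truncate, removes the gap the article describes.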

Page 5

HSBC mortgage customer info was publicly accessible on the internet

An undisclosed number of current and former mortgage customers of HSBC Finance Corp. in the U.S. are being notified that their personal information was inadvertently made publicly accessible on the internet.

How many victims? Altogether undisclosed. 685 customers in New Hampshire were impacted, and an undisclosed number of customers were notified in California.

What type of personal information? Names, Social Security numbers, account numbers, some old account information, and phone numbers in some cases.

What happened? The personal information of current and former mortgage customers of HSBC Finance Corp. in the U.S. was inadvertently made publicly accessible on the internet.

What was the response? HSBC responded immediately to ensure that the information was no longer publicly accessible on the internet. Additional security measures were implemented to prevent a similar incident from occurring in the future. All impacted customers are being notified, and offered a free year of credit monitoring and identity theft protection services.

Details: HSBC believes that the information was made publicly accessible on the internet towards the end of last year. HSBC learned of the incident on March 27 and began notifying affected customers on April 9. The incident did not involve an HSBC website.

Quote: “No evidence of fraud or ill-intent at this time,” an HSBC spokesperson told SCMagazine.com in a Friday email correspondence.

Source: a Friday email correspondence with an HSBC spokesperson; doj.nh.gov

Source: scmagazine.com, April 17th

#RSAC: Recruiting the Next-Generation Cyber-Workforce

The cybersecurity workforce gap has been well-documented—and cultivating the next generation of cyber-workers, the Millennials, from an early age has been widely seen as a mandate for continued industry viability. Tackling the recruitment conundrum takes a multipronged approach, according to panelists at RSA 2015, who took the stage to discuss the challenges and the opportunities for wooing young people to cyber in the digital age.

Jeffery Jacoby, program engineering director, cybersecurity and special mission intelligence information and services at government contractor Raytheon, noted that the Millennials, typically considered to be ages 18-26, are an ideal generation to embrace cybersecurity as a career. They’ve grown up in a connected era, are no stranger to both the wonders and the dangers of the internet, and they’re at the point in their lives where career decision-making happens. But there’s a decided lack of awareness at play that’s hampering the ability to capitalize on these characteristics.

“The question becomes, what is their interest, how prepared are they to enter the workforce, and what are their online behaviors,” Jacoby said. “And here, confusion emerges. Like with anything else, if you torture numbers long enough they’ll confess to almost anything.”

To that point, a Raytheon survey found that 25% of Millennials indicate an interest in cybersecurity as a career. That number hasn’t changed from the year before, which is encouraging—but, nearly two-thirds (63%) also indicated that they didn’t really understand the rules and responsibilities that they would be up against, and what the day-to-day tasks would be.

Cecily Joseph, vice president of corporate responsibility and chief diversity officer at Symantec, said that her company has a K-12 workforce development initiative, especially to create a path for underserved and under-represented young adults.

“There are at least 300,000 jobs that are unfulfilled today,” she said. “About 20% of those jobs can be filled with people that don’t have a four-year college degree—and there’s a 16% unemployment rate among that demographic.”

Source: Infosecurity-magazine, 23rd April

Page 6

InfoSEC Times Issue 12 May 2015

Abu Dhabi Polytechnic, Mohammed Bin Zayed City, PO BOX 111499, Abu Dhabi, UAE

For information and to get involved in the next issue contact:

Dr. Jamal Al-Karaki at:

[email protected]

Phone: +971 2-6951047

Abu Dhabi Polytechnic has successfully conducted the National Trisec 2015 Cyber Security Contest on 20-21 April 2015 at its MBZ campus, Abu Dhabi. Students from different universities and schools in the UAE participated in coding, hacking and fixing competitions. A welcome note was given by Dr. Ahmad Al-Awar, Managing Director of IAT.

Winners of the contest were awarded cash prizes. There were separate competitions for university and school level students.