How To Hack The Sky – P1
Can a Company Remotely Wipe an Ex-Employee’s Device? – P2
Awareness Grows for File Transfer Security, But Still Work to Do – P3
WordPress Under Attack As Double Zero-Day Trouble Lands – P4
HSBC mortgage customer info was publicly accessible on the internet – P5
RSAC: Recruiting the Next-Generation Cyber-Workforce – P5
InfoSEC Times – Abu Dhabi Polytechnic’s Monthly Newsletter on Information Security Issues

Welcome to the twelfth edition of Infosec Times

Welcome to the twelfth edition of our new newsletter from the Abu Dhabi Polytechnic Information Security Engineering Technology (ISET) Department. In this edition we have collected news about the latest trends in information security.

We would like to encourage and invite our readers to contribute to the development of this newsletter so that we may keep everyone informed of the current issues that may affect us all in the ever-increasing world of computers and technology.
How To Hack The Sky

Satellites can bring a digital signal to places where the Internet seems like a miracle: off-the-grid desert solar farms, the Arctic or an aircraft carrier at sea. But in beaming data to and from the world’s most remote places, satellite Internet may also offer its signal to a less benign recipient: any digital miscreant within thousands of miles.

In a presentation at the Black Hat security conference in Arlington, Va., Tuesday, Spanish cybersecurity researcher Leonardo Nve presented a variety of tricks for gaining access to and exploiting satellite Internet connections. Using less than $75 in tools, Nve, a researcher with security firm S21Sec, says that he can intercept Digital Video Broadcast (DVB) signals to get free high-speed Internet. And while that’s not a particularly new trick – hackers have long been able to intercept satellite TV or other sky-borne signals – Nve also went a step further, describing how he was able to use satellite signals to anonymize his Internet connection, gain access to private networks and even intercept satellite Internet users’ requests for Web pages and replace them with spoofed sites.

“What’s interesting about this is that it’s very, very easy,” says Nve. “Anyone can do it: phishers or Chinese hackers – it’s like a very big Wi-Fi network that’s easy to access.”

In a penetration test on a client’s network, Nve used a Skystar 2 PCI satellite receiver card, a piece of hardware that can be bought on eBay for $30 or less, along with open source Linux DVB software applications and the network data analysis or “sniffing” tool Wireshark.

Nve also reversed the trick, impersonating Web sites that a satellite user is attempting to visit by intercepting a Domain Name System (DNS) request – a request for an Internet service provider (ISP) to convert a spelled-out Web site name into the numerical IP address where it’s stored – and sending back an answer faster than the ISP.
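The DNS trick described above works because the forged answer reaches the client before the ISP’s answer does, but the genuine answer still arrives a moment later. On the client side that leaves a visible trace: two responses carrying the same transaction ID and query name but different addresses. The script below is an added example (not code from the article or from Nve) that parses a constructed capture log in a simple whitespace-separated format, which is an assumption for this example, and flags exactly that pattern, while ignoring harmless retransmissions that repeat the same address.

```python
"""Flag DNS responses that disagree with an earlier answer to the same query.

Constructed capture log (not real traffic): one line per DNS response seen on
the client side, as "<seconds> <txid-hex> <qname> <answer-ip>".
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

SAMPLE_LOG = """\
0.010 0x1a2b bank.example.  203.0.113.10
0.380 0x1a2b bank.example.  198.51.100.5
0.400 0x3c4d news.example.  198.51.100.7
0.650 0x5e6f cdn.example.   198.51.100.9
0.655 0x5e6f cdn.example.   198.51.100.9
"""


@dataclass(frozen=True)
class DnsAnswer:
    ts: float    # seconds since capture start
    txid: int    # DNS transaction ID (16 bits)
    qname: str   # queried name
    rdata: str   # address returned in the answer section


def parse_capture(text: str) -> List[DnsAnswer]:
    """Parse the whitespace-separated capture format defined above (assumed format)."""
    answers = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, txid, qname, rdata = line.split()
        answers.append(DnsAnswer(float(ts), int(txid, 16), qname, rdata))
    return answers


def find_conflicting_answers(answers: List[DnsAnswer]) -> List[dict]:
    """Group responses by (txid, qname) and report groups whose answers disagree.

    The first response wins at the stub resolver, so the earliest answer in a
    conflicting group is the one clients actually used; every later answer with
    a different address is evidence that something raced the real resolver.
    Duplicate answers with identical rdata (retransmissions) are not reported.
    """
    groups: Dict[Tuple[int, str], List[DnsAnswer]] = defaultdict(list)
    for a in answers:
        groups[(a.txid, a.qname)].append(a)

    alerts = []
    for (txid, qname), group in groups.items():
        group = sorted(group, key=lambda a: a.ts)
        first = group[0]
        later = [a for a in group[1:] if a.rdata != first.rdata]
        if later:
            alerts.append({
                "qname": qname,
                "txid": txid,
                "accepted_rdata": first.rdata,      # what the client used
                "accepted_ts": first.ts,
                "conflicting_rdata": [a.rdata for a in later],
                "gap_seconds": round(later[0].ts - first.ts, 3),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_conflicting_answers(parse_capture(SAMPLE_LOG)):
        print(alert)
```

On the sample log only bank.example. is reported: the client accepted 203.0.113.10 and the ISP’s 198.51.100.5 arrived 0.37 s later. The cdn.example. pair is a benign duplicate with the same address and is left alone. The same grouping logic applies to a real capture once the four fields are extracted from it.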
In his tests on the client’s network, Nve says he was also able to hijack signals using GRE or TCP protocols that enterprises use to communicate between PCs and servers or between offices, using the connections to gain access to a corporation or government agency’s local area network.

The Barcelona-based researcher tested his methods on geosynchronous satellites aimed at Europe, Africa and South America. But he says there’s little doubt that the same tricks would work on satellites facing North America or anywhere else.

What makes his attacks possible, Nve says, is that DVB signals are usually left unencrypted. That lack of simple security, he says, stems from the logistical and legal complications of scrambling the signal, which might make it harder to share data among companies or agencies and – given that a satellite signal covers many countries – could run into red tape surrounding international use of cryptography. “Each [country] can have its own law for crypto,” says Nve. “It’s easier not to have encryption at the DVB layer.”

Nve isn’t the first to show the vulnerability of supposedly secure satellite connections. John Walker, a British satellite enthusiast, told the BBC in 2002 that he could watch unencrypted NATO video feeds from surveillance sorties in the Balkans.

In fact, the techniques that Nve demonstrated are probably known to other satellite hackers but never publicized, says Jim Geovedi, a satellite security researcher and consultant with the firm Bellua in Indonesia. He compares satellite hacking to early phone hacking or “phreaking,” a practice that’s not well protected against but performed by only a small number of people worldwide. “This satellite hacking thing is still considered blackbox knowledge,” he wrote in an e-mail to Forbes. “I believe there are many people out there who conduct similar research. They may have some cool tricks but have kept them secret for ages.”

At last year’s Black Hat D.C. conference, British cybersecurity researcher Adam Laurie demonstrated how he intercepts satellite signals with techniques similar to Nve’s, using a DreamBox satellite receiver and Wireshark. But Nve argues that his method is far cheaper – Laurie’s DreamBox setup cost around $750 – and that he’s the first to demonstrate satellite signal hijacking rather than mere interception.

“I’m not just talking about watching TV,” says Nve. “I’m talking about doing some very scary things.”

Andy Greenberg, forbes.com
Issue 12, May 2015
When Can a Company Remotely Wipe an Employee’s Device?

Consider this question: When is it lawful for your company to remotely wipe an employee’s (or former employee’s) device that was connected to your company’s network and contains its proprietary data?

It depends. If your company has a binding agreement with the owner of the device, such as an effective BYOD (bring your own device) policy, then it should provide the answer. If not, the only way to find the answer is through costly and time-consuming litigation.

The dispute in Rajaee v. Design Tech Homes, Ltd. illustrates this point nicely. In that case, the employee claimed that he had to have constant access to his email in order to do his job. His employer did not provide him with a mobile device so he used his own personal iPhone 4 to do his job.

His iPhone was connected to his employer’s network server to allow him to remotely access the email, contact manager, and calendar provided by the employer. The employer and employee later disagreed over who connected the device to the network or whether it was authorized.

The employee resigned his employment and, a few days later, his former employer’s network administrator remotely wiped his iPhone, restoring it to factory settings and deleting all the data – both work-related and personal – from the iPhone.

The employee then sued his former employer, claiming that the employer’s actions caused him to lose more than 600 business contacts collected during his career, family contacts, family photos, business records, irreplaceable business and personal photos and videos, and numerous passwords.

He asserted claims for violation of the Computer Fraud and Abuse Act, Electronic Communications Privacy Act, and various claims under Texas state law.

The lawsuit was filed in August 2013. Due in large part to fine lawyering by my friend Pierre Grosdidier and his colleagues, who represented the employer, they were able to get the case dismissed in November 2014. While this was a “win” for the employer, that win came at a significant cost.

An Ounce of Prevention …

Litigation is not only costly, but it is also very time-consuming for management. It results in lost opportunities to further companies’ business objectives because finite resources must be devoted to the battle instead of to the company’s business. Of litigation, it is often said that the only ones who ever really win are the lawyers representing the parties. That is usually true.

In the Rajaee case, the employer was represented by a very well-respected “big” law firm that did an excellent job for their client. But, good lawyers come at a price and I am quite certain the lawyers in this case were not working for free. This case was litigated for about 14 months.

There were 43 entries on the court’s docket, which shows there was quite a bit of activity considering only the documents filed with the court. That does not include the discovery that was conducted (which is not filed and does not appear on the docket), but motions listed on the docket show there were discovery disputes and the parties were active in discovery.

What all of this means is money — lots of money that the employer paid in legal fees to get this win. Probably many tens of thousands of dollars in fees. From a practicing lawyer’s perspective, that is great because the clients get the win and so do we lawyers!

But the truth is, good lawyers do not want to see their clients waste money so we look at situations such as this and ask, “could this have been avoided?” This helps us in advising our clients on how to avoid such situations in the future.

In this case, were we to have the benefit of 20/20 hindsight and be able to go back in time to advise companies such as this, before the underlying situation arose, yes there was a much better way to go. First and foremost, the company would have listened when told “an ounce of prevention is cheaper than the very first day of litigation.”

Then, it would have acted on this advice by taking the following steps:

There would have been a conversation between the company’s management, appropriate IT and security leaders, and legal counsel to discuss the company’s position on BYOD.

The conversation would have considered if the workforce would even be allowed to use their own devices.

If the answer was “no, BYOD will not be permitted” then appropriate policies and procedures would have been adopted and documented.

If the answer was “yes,” then the discussion would have continued to address more specifics on how the company would manage BYOD and the many risks associated with it. Focusing only on the particular issues in Rajaee, the discussion would have resulted in the creation and adoption of a BYOD Policy (or another similar policy) that addressed a key issue as a condition precedent to authorizing and permitting use of the device: By connecting the device to the company network or using it for company business, the user would expressly agree that he or she authorized, and would permit, the company to access the device and securely remove its data at any time the company deemed necessary, either during the relationship, or after. And, if the user did not make the device available within a certain period of time after demand, the user authorized the company to remotely wipe the entire device and restore it to its factory settings in order to ensure that its data was securely removed from the device.

For either answer, yes or no, the company would have implemented and adequately trained its workforce on the policies and procedures to ensure they were aware of, understood, and agreed to abide by the policies and procedures.

Source: Shawn Tuma at blog.norsecorp.com
Awareness Grows for File Transfer Security, But Still Work to Do

Security awareness when it comes to file-sharing via services like Dropbox is beginning to escalate, even in verticals where compliance requirements are less of a hallmark. But the healthcare industry still has a lot of work to do.

That’s according to a survey from Biscom, which found that enterprises across industries, including healthcare, financial services, retail, computer hardware/software and manufacturing, all see security to be a core feature of their file synchronization products. A full 70% of respondents said security was the No. 1 feature they looked for in file transfer; and 72% named security as “critical” for sync and share services like Google Drive and Dropbox.

“Our survey confirmed what we were already starting to see: that security will be the key focus in all areas of business for 2015,” said Bill Ho, CEO of Biscom. “The data breaches within the past year have shown us that all businesses are increasingly at risk and should be actively assessing tools and processes which can help reduce their exposure.”

But intent and awareness aren’t necessarily translating into action. While 60% of respondents said they use secure file transfer (SFT) to transfer files at work, 86% of respondents said they use email, and 51% said they still use FTP.

Interestingly, the healthcare industry is one of the most polarizing when it comes to secure file transfer. The survey shows that while the healthcare industry is extremely concerned about security, it is also the least likely to use the most secure methods for storing, syncing and sharing data. Even for those that ranked security and encryption as the No. 1 most important feature, 81% still use email to share files, and 45% still use FTP.

Of those that ranked security as “critical,” 50% report using consumer-oriented sync and share services such as Dropbox for work. Of those that used low-security consumer tools for work, 82% use them for office documents, 34% for financial documents, 51% for medical documents, and 40% for legal documents.

In contrast, the financial services respondents showed both a high concern for security and a high likelihood to use the most secure tools for storing, syncing and sharing data.

When asked to rank the importance of SFT features, 90% ranked security No. 1 or No. 2. When asked how important aspects of sync and share services were, 67% of respondents ranked security as “critical” and another 13% said it was “very important.” And of those that ranked security as “critical,” just 30% report using low-security sync and share services for work.

Source: infosecurity-magazine, 26th April
WordPress Under Attack As Double Zero-Day Trouble Lands

The WordPress platform is yet again under attack, thanks to vulnerabilities across old and new versions of the content management system.

The most pressing issue is a fresh zero-day, a previously unknown and unpatched weakness, affecting the latest version of WordPress, 4.2, and prior iterations, as revealed by Finnish company Klikki Oy yesterday. It released a video and proof of concept code for an exploit of the flaw, which allows a hacker to store malicious JavaScript code in WordPress site comments. Under normal circumstances, this should be blocked, as it could be abused to send visitors’ usernames and passwords to a hacker’s site – what’s known as a cross-site scripting attack. All that’s required is for a user’s browser to parse the code when they land on the affected site.

If a logged-in administrator visits the affected page, the hacker could acquire access to the server, Klikki Oy warned. “Alternatively the attacker could change the administrator’s password, create new administrator accounts, or do whatever else the currently logged-in administrator can do on the target system.” For website admins, the advice for now is to disable comments until a fix is released.

Ryan Dewhurst, security researcher and owner of the WordPress vulnerability database WPScan, told FORBES he’d tested the attack code and it worked. His own proof of concept hack can be found on Github. He noted the attack requires the hacker to have a previously approved comment on the target site so the comment containing the exploit does not need approving. To inject a malicious JavaScript script via this zero-day, the hacker has to make their comment long enough that the data chunk received by the MySQL database for the site is equal to 64KB. This causes an error allowing the rogue code to be placed in the comments. Exactly 65,535 ‘A’ characters would do the trick, Dewhurst said.
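The precondition Dewhurst describes is a comment large enough to hit the storage column’s capacity, so the application never sees the same bytes it validated. A site can remove that precondition on its own side by enforcing a byte limit well below the column capacity before the write and by refusing to publish anything the storage layer hands back altered. The following is an added Python example, not WordPress code; the 65,535-byte column capacity is the MySQL TEXT limit, while the 10,000-byte policy limit and the simulated truncating column are assumptions made for the demonstration.

```python
"""Application-side guard against comments that storage would silently truncate.

Added example, not WordPress code. MYSQL_TEXT_MAX_BYTES is the capacity of a
MySQL TEXT column; the policy limit and the column simulation are assumptions.
"""
from typing import Tuple

MYSQL_TEXT_MAX_BYTES = 65_535       # capacity of a MySQL TEXT column, in bytes
COMMENT_POLICY_MAX_BYTES = 10_000   # assumed site policy: far below the column limit


def simulated_text_column_store(value: str) -> str:
    """Stand-in for a TEXT column that cuts writes at its capacity (simulation only)."""
    data = value.encode("utf-8")[:MYSQL_TEXT_MAX_BYTES]
    return data.decode("utf-8", errors="ignore")  # a cut mid-character drops the fragment


def validate_comment(text: str, max_bytes: int = COMMENT_POLICY_MAX_BYTES) -> Tuple[bool, str]:
    """Measure in bytes, not characters: non-ASCII text grows when encoded."""
    size = len(text.encode("utf-8"))
    if size > max_bytes:
        return False, f"comment is {size} bytes, policy limit is {max_bytes}"
    return True, "ok"


def store_comment(text: str, max_bytes: int = COMMENT_POLICY_MAX_BYTES) -> dict:
    """Reject oversized comments up front, then confirm the stored copy is identical.

    The second check is the safety net for a misconfigured policy limit: a comment
    that passes validation but comes back altered from storage is never published.
    """
    ok, reason = validate_comment(text, max_bytes)
    if not ok:
        return {"stored": False, "reason": reason}
    stored = simulated_text_column_store(text)
    if stored != text:
        return {"stored": False, "reason": "storage layer altered the comment (truncation)"}
    return {"stored": True, "reason": "ok", "bytes": len(text.encode("utf-8"))}


if __name__ == "__main__":
    print(store_comment("Nice post, thanks."))
    print(store_comment("A" * 65_535))                    # rejected by policy
    print(store_comment("A" * 70_000, max_bytes=100_000))  # rejected by the round-trip check
```

The two checks are deliberately independent: the policy limit keeps ordinary comments far away from the column boundary, and the read-back comparison catches the case where the limit has been raised or the column is smaller than the application assumes. Against a real database the comparison is the same, reading the row back after the insert and comparing it with what was submitted.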
Gary Pendergast, from the WordPress team, said a fix was on the way, but there was no timeline. He recommended using the Akismet plugin, which should help block attacks.

Just last week, WordPress 4.1.2 was updated due to a number of vulnerabilities, including a remarkably similar cross-site scripting issue reported by researcher Cedric Van Bockhaven that was open to attack for at least 14 months. Users have been advised to update, though with the fresh zero-day they will likely remain unprotected upon upgrading.

CloudFlare, the content delivery network that sees roughly five per cent of the web’s traffic going through its servers, said on Friday it had seen malicious emails sent out by hackers trying to point people to a compromised WordPress site hosted by Bluehost. It appeared they were abusing one of the critical flaws in older versions of the CMS, most likely the cross-site scripting weakness in 4.1.1 and below.

Given WordPress sites have been beleaguered by attacks throughout recent years, as should be expected when roughly 20 per cent of the web runs on the platform, users should take all precautions necessary.

Forbes.com 27th April
HSBC mortgage customer info was publicly accessible on the internet

An undisclosed number of current and former mortgage customers of HSBC Finance Corp. in the U.S. are being notified that their personal information was inadvertently made publicly accessible on the internet.

How many victims? Altogether undisclosed. 685 customers in New Hampshire were impacted, and an undisclosed number of customers were notified in California.

What type of personal information? Names, Social Security numbers, account numbers, some old account information, and phone numbers in some cases.

What happened? The personal information of current and former mortgage customers of HSBC Finance Corp. in the U.S. was inadvertently made publicly accessible on the internet.

What was the response? HSBC responded immediately to ensure that the information was no longer publicly accessible on the internet. Additional security measures were implemented to prevent a similar incident from occurring in the future. All impacted customers are being notified, and offered a free year of credit monitoring and identity theft protection services.

Details: HSBC believes that the information was made publicly accessible on the internet towards the end of last year. HSBC learned of the incident on March 27 and began notifying affected customers on April 9. The incident did not involve an HSBC website.

Quote: “No evidence of fraud or ill-intent at this time,” an HSBC spokesperson told SCMagazine.com in a Friday email correspondence.

Source: a Friday email correspondence with an HSBC spokesperson; doj.nh.gov

Source: scmagazine.com April 17th
#RSAC: Recruiting the Next-Generation Cyber-Workforce

The cybersecurity workforce gap has been well-documented—and cultivating the next generation of cyber-workers, the Millennials, from an early age has been widely seen as a mandate for continued industry viability. Tackling the recruitment conundrum takes a multipronged approach, according to panelists at RSA 2015, who took the stage to discuss the challenges and the opportunities for wooing young people to cyber in the digital age.

Jeffery Jacoby, program engineering director, cybersecurity and special mission intelligence information and services at government contractor Raytheon, noted that the Millennials, typically considered to be ages 18-26, are an ideal generation to embrace cybersecurity as a career. They’ve grown up in a connected era, are no stranger to both the wonders and the dangers of the internet, and they’re at the point in their lives where career decision-making happens. But there’s a decided lack of awareness at play that’s hampering the ability to capitalize on these characteristics.

“The question becomes, what is their interest, how prepared are they to enter the workforce, and what are their online behaviors,” Jacoby said. “And here, confusion emerges. Like with anything else, if you torture numbers long enough they’ll confess to almost anything.”

To that point, a Raytheon survey found that 25% of Millennials indicate an interest in cybersecurity as a career. That number hasn’t changed from the year before, which is encouraging—but, nearly two-thirds (63%) also indicated that they didn’t really understand the rules and responsibilities that they would be up against, and what the day-to-day tasks would be.

Cecily Joseph, vice president of corporate responsibility and chief diversity officer at Symantec, said that her company has a K-12 workforce development initiative, especially to create a path for underserved and under-represented young adults.

“There are at least 300,000 jobs that are unfulfilled today,” she said. “About 20% of those jobs can be filled with people that don’t have a four-year college degree—and there’s a 16% unemployment rate among that demographic.”

Infosecurity-magazine 23rd April
InfoSEC Times Issue 12 May 2015
Abu Dhabi Polytechnic, Mohammed Bin Zayed City, PO BOX 111499, Abu Dhabi, UAE
For information and to get involved in the next issue contact :
Dr. Jamal Al-Karaki at:
Phone: +971 2-6951047
Abu Dhabi Polytechnic has successfully conducted the National Trisec 2015 Cyber Security Contest on 20-21 April 2015 at the MBZ campus, Abu Dhabi.

Students from different universities and schools in the UAE participated in the coding, hacking and fixing competition. The welcome note was given by Dr. Ahmad Al-Awar, Managing Director of IAT.

Winners of the contest were awarded cash prizes. There were separate competitions for university and school level students.