Sunday, February 21, 2016

Many of my articles have been linked from the Defensive Information Security podcast. I didn't write here last week, so I just want to reference a few noteworthy reads I skipped. Please ignore any autocorrect errors you see here, I'm limited to writing on my phone at the moment.

They include ransomware used as a distraction, where it was believed that an attack was meant to divert attention away from the real endgame. I thought this was fascinating, almost another level of social engineering. It reminds me of how instead of using data encryption, one could use data obscufication.  It shows me that as much as network security is about implementing a solid network and maintaining it,  that it is just as much a mind game against fellow humans.

The next was that many windows flaws are mitagated by disabling the admin account. Now it is interesting looking again at this a week later, after two days ago I read an article stating that one of the top ten important GPOs was quite simply disabling the Guest account. Anyhow, the article may be right, but we don't live in a perfect world. Most of the time, we want those admin privileges to enhance productivity, and we are all aware of the security tradeoff whether we like it or not. As a youngun, I do like to speculate about the future and I have to wonder about there being a smarter solution to using computers than simply admin or non-admin rights, perhaps an adaptable system based on each user and security concerns?

The next article was that hackers attacked 20 million accounts on Alibaba's Taobao shopping site. Essentially an Aliexpress type site or any other. I wouldn't normally discuss this, we hear about these mass attacks all that time. Defensive Security reported on it due to the sheer scale of this attack, but that's not what is relevant to me. For me, I have ordered many items from these (mainly Korean in my experience) sites. I have seen tons of reviews about how customers items never showed up to their door, and many reviews that were obviously from the seller himself, using disposable accounts. Anyway, why this relates to me, is for years, my father, who is not in IT,  always had a policy of never ordering anything from any of those foreign countries. He never told me why. Whatever his reason was, he was right. Simply put, it is questionable whether or not the site itself is safe. These sites have not garnered trust. I wouldn't be surprised if they were in on the breach, or less dramatically, having next to no security and not caring about it. As worrisome as that is, shouldn't I be more worried about T-Mobile's recent attack where there was a fair chance my SS number was compromised? One massive Asian corporation might have leaked my credit card info, but my cell phone provider leaked the only number that truly matters to a citizen of the U.S. Which is the bigger deal?

Once again, it's neat to see what I've been learning about used in the real world.

Sunday, February 7, 2016

This week the "head hacker" of the NSA gave a talk about defending against nation state attackers. The full talk is hosted on YouTube, The Register has a write up of the speech, and Defensive Security Podcast Episode 147 also has some comments. This NSA briefing stood out to me because so much of what the speaker, Rob Joyce, had to say is exactly what's we've been covering in this Network Administration class. For example, the six stage process ("reconnaissance, initial exploitation, establish persistence, install tools, move laterally, and then collect, ex-filtrate and exploit the data") the NSA uses to crack its targets is parallel to the attack strategy mentioned in the Comp-Tia+ Network Security textbook.

Most of the talk is just review at this point, patching vulnerabilities, keeping access to confidential information or system privileges/rights to only isolated systems/essential personnel. The article and podcast I linked above focus on some of the more useful advice in the talk like using white-listing and possibly the most important tip in the talk, using reputation-based tools before you run code.

What stood out to me however, was that Joyce explains that these nation state hackers don't really focus on exploits. They wait to strike, patiently and persistently, they wait and wait until they find your weak spot and exploit it. I may have already known this, but hearing the warning come from the top has raised my paranoia level and alertness. You're waiting for someone outside your network to attack you, but they're right on the outside waiting on you. Or they may already be inside, right under your nose. It's a change of thinking from waiting for a sign that you're under attack to assuming from the start that you may already be compromised. It's how you're going to look for the attacker inside your network, isolate him, kick him out, keep him from your sensitive data and make sure you make the changes necessary to keep your doors locked.

Another interesting read came out this week on hacking an SQL server without a password. It was appealing for me because I'm just starting to see how attacks play out, what has always been a foreign language to me is turning into concepts I can grasp, and my thinking patterns are beginning to shift towards a hacker's mindset. The penetration tester used Kali Linux, ARP Spoofing, Wireshark, a Man-in-the-Middle attack strategy and commands that filtered out strings and replaced them with his own user credentials to gain access to the server. He knew the information he needed to collect to have all the pieces he needed to get in and then devised a method of getting in. Redditors on Netsec were quick to bash the man for his "l33t haX0r skillz" on an unencrypted machine, but this applied to me because I'm seeing all of these different aspects of computer information I've been learning about come together in practical use.

The last for this week is just a simple overview of how Windows 10 is built to be secure (with NSA backdoors or not), from its architecture to the fact that it's going to be constantly patched and updated. Some of the most important features listed directly from Microsoft are UEFI Secure Boot, better use of TPM, Virtualization Based Security, Enterprise Data Collection, Rights Management Services, SmartScreen and Device Guard.

The reason I focused on the last two articles is because I've been putting some thought into my home setup. I'm very comfortable with Windows 7 on my desktop, but I think it's time to upgrade. I may be switching to Windows 10 (my laptop already made the jump at launch), and dual booting Kali Linux on the side. Windows 10 for security reasons and Kali because I hear it referenced all the time, and I'd like to try my hand at penetration testing. Security on one side, attacking on the other.