Saturday, June 30, 2012

Week 4 - CYBR 650

Well, this week had me rather perplexed. Last week, I misunderstood a portion of the assignment and had shifted into the Disaster Recovery/Business Continuity gear. I think I did that because I understood that really well!

As I produce deliverables in my class, I get to review my peers' work and tell them what I think or ask questions for clarification. The scenario we are working on has already dealt with a series of breaches and it is our job to secure the business. For the subheading "Information Storage," many in my class listed SQL. I thought this was interesting. In getting ready for DEFCON 20, I found several talks regarding SQL:


SQL Injection to MIPS Overflows: Rooting SOHO Routers
ZACHARY CUTLIP SECURITY RESEARCHER, TACTICAL NETWORK SOLUTIONS

Three easy steps to world domination:

1. Pwn a bunch of SOHO routers
2. ???
3. Profit

I can help you with Step 1. In this talk, I'll describe several 0-day vulnerabilities in Netgear wireless routers. I'll show you how to exploit an unexposed buffer overflow using nothing but a SQL injection and your bare hands. Additionally, I'll show how to use the same SQL injection to extract arbitrary files from the file systems of the wifi routers. This presentation guides the audience through the vulnerability discovery and exploitation process, concluding with a live demonstration. In the course of describing several vulnerabilities, I present effective investigation and exploitation techniques of interest to anyone analyzing SOHO routers and other embedded devices.

Zachary Cutlip is a security researcher with Tactical Network Solutions, in Columbia, MD. At TNS, Zach develops exploitation techniques targeting embedded systems and network infrastructure. Since 2003, Zach has worked either directly for or with the National Security Agency in various capacities. Before becoming a slacker, he spent six years in the US Air Force, parting ways at the rank of Captain. Zach holds an undergraduate degree from Texas A&M University and a master's degree from Johns Hopkins University.
Twitter: @zcutlip


New Techniques in SQLi Obfuscation: SQL never before used in SQLi
NICK GALBREATH

SQLi remains a popular sport in the security arms-race. However, after analysis of hundreds of thousands of real world SQLi attacks, output from SQLi scanners, published reports, analysis of WAF source code, and database vendor documentation, both SQLi attackers and defenders have missed a few opportunities. This talk will iterate through the dark corners of SQL for use in new obfuscated attacks, and show why they are problematic for regular-expression based WAFs. This will point the way for new directions in SQLi research for both offense and defense.

Nick Galbreath is a director of engineering at Etsy, overseeing groups handling fraud, security, authentication and internal tools. Over the last 18 years, Nick has held leadership positions in a number of social and e-commerce companies, including Right Media, UPromise, Friendster, and Open Market, and has consulted for many more. He is the author of "Cryptography for Internet and Database Applications" (Wiley), and was awarded a number of patents in the area of social networking. He holds a master's degree in mathematics from Boston University.
Twitter: @ngalbreath
http://client9.com
https://github.com/client9



SQL ReInjector - Automated Exfiltrated Data Identification
JASON A. NOVAK ASSISTANT DIRECTOR, DIGITAL FORENSICS; STROZ FRIEDBERG, LLC
ANDREA (DREA) LONDON DIGITAL FORENSIC EXAMINER; STROZ FRIEDBERG, LLC

In 2011, SQL injections became front page news as ever more high profile companies were victims of automated SQL injection attacks. Responders spent countless hours looking at values in log files like "0x31303235343830303536" trying to figure out what was being exfiltrated by whom. Incident response costs skyrocketed while the cost of attacking fell.

This presentation will debut SQL ReInjector, a tool for the rapid assessment of logs from SQL injection attacks to determine what data was exfiltrated.

When responding to an SQL injection attack, responders have to determine what was exfiltrated by manually parsing the web server logs from the victimized host. This is a time consuming process that requires a significant amount of a responder’s time. Moreover, manual replay of the SQL injection does not account for system level discrepancies in how queries are executed by the system – running SQL against a SQL server directly doesn’t account for the behavior of any intermediary systems – e.g. any application layer logic or nuances in how the web application and database server interact.

SQL ReInjector uses the log files from the machine that has been subject to a SQL injection attack to replay the attack against the server (or a virtualized forensic image thereof) and captures the data returned by the SQL injection web site requests, reducing the amount of time responders have to spend looking at web server logs and allowing responders to recreate the data exfiltrated through a SQL injection attack.
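The log-triage problem this abstract describes, as an added example that is not the SQL ReInjector tool or the speakers' code: a small Python script that URL-decodes web-server log lines, flags requests that combine SQL keywords with 0x hex literals, and decodes those literals (including the 0x31303235343830303536 value quoted above) so a responder can read what the injected query referenced without hand-decoding each one. The log lines, IP addresses and payloads are constructed for this illustration.

```python
"""Triage web-server logs for SQL-injection attempts carrying hex-encoded literals.

Added example (not the SQL ReInjector tool): given Apache/nginx combined-format
log lines, URL-decode each request, find SQL literals written as 0x... hex
strings (the kind of value the abstract quotes), and decode them to text so a
responder can see what the injected query carried. Sample log lines below are
constructed for this illustration.
"""
import re
from urllib.parse import unquote_plus

# Constructed sample lines in Apache "combined" log format.
SAMPLE_LOG = """\
203.0.113.7 - - [30/Jun/2012:10:15:01 -0700] "GET /products.asp?id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [30/Jun/2012:10:15:03 -0700] "GET /products.asp?id=12;DECLARE%20@s%20VARCHAR(4000);SET%20@s=CAST(0x31303235343830303536%20AS%20VARCHAR(4000));EXEC(@s);-- HTTP/1.1" 500 312 "-" "Mozilla/5.0"
198.51.100.9 - - [30/Jun/2012:10:16:44 -0700] "GET /search.asp?q=%27%20UNION%20SELECT%200x7573657273,0x7061737377643d7365637265742121%20-- HTTP/1.1" 200 4210 "-" "curl/7.21"
"""

# Combined log format: client IP, timestamp, quoted request line, status code.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
# A SQL hex literal: 0x followed by an even number of hex digits (whole bytes only).
HEX_LITERAL = re.compile(r"0x((?:[0-9a-fA-F]{2})+)\b")
# Keywords that, together with a hex literal, mark the classic mass-SQLi payload shape.
SQLI_KEYWORDS = re.compile(r"\b(DECLARE|EXEC|CAST|UNION\s+SELECT)\b", re.IGNORECASE)


def decode_hex_literal(literal: str) -> str:
    """Decode a SQL hex literal such as 0x31303235343830303536 to text.

    Bytes that are not printable ASCII are rendered as \\xNN escapes so binary
    content does not silently vanish from the report.
    """
    body = literal[2:] if literal.lower().startswith("0x") else literal
    raw = bytes.fromhex(body)
    return "".join(chr(b) if 32 <= b < 127 else f"\\x{b:02x}" for b in raw)


def triage_log(text: str) -> list[dict]:
    """Return one finding per log line whose URL-decoded request looks like SQLi.

    Each finding records the client IP, timestamp, HTTP status and the decoded
    hex literals: the facts a responder needs when judging what was exfiltrated.
    """
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the whole triage
        url = unquote_plus(m.group("url"))
        hex_literals = HEX_LITERAL.findall(url)
        if not hex_literals or not SQLI_KEYWORDS.search(url):
            continue
        findings.append({
            "ip": m.group("ip"),
            "timestamp": m.group("ts"),
            "status": int(m.group("status")),
            "decoded": [decode_hex_literal(h) for h in hex_literals],
        })
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['timestamp']} status={f['status']} -> {f['decoded']}")
```

Running it against a real access log still leaves the replay step the abstract describes to the responder; this script only turns the opaque hex values into readable strings and groups them by source and time.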


Jason A. Novak is an Assistant Director of Digital Forensics in Stroz Friedberg's Chicago office. At Stroz Friedberg, Mr. Novak has been lead examiner in a wide range of cases involving digital forensics, incident response, application testing, source code analysis, and data analytics, and has developed numerous tools to expedite the firm's analysis and response capabilities. The proprietary tools developed by Mr. Novak have included: an anti-money laundering data analytics platform and tools to process electronically stored information to respond to forensic and electronic discovery requests. As a co-writer of the Google Street View report, Mr. Novak analyzed the source code to gstumbler, the WiFi device geolocation application used by Google as part of the Street View project, and documented its structure and functionality in a publicly released report; Mr. Novak has responded to inquiries about the report from domestic and foreign regulators. 
Twitter: @strozfriedberg
http://www.strozfriedberg.com 

Andrea (Drea) London is a Digital Forensic Examiner in Stroz Friedberg's Dallas office. At Stroz Friedberg, Ms. London acquires and examines digital evidence from laptops, desktops and mobile phones in support of legal proceedings, criminal matters, and/or corporate investigations. Additionally she is responsible for implementing large-scale, end-to-end electronic discovery for both civil and criminal litigation. Ms. London previously held positions at Arsenal Security Group and IBM’s Internet Security Systems Emergency Response Team. At Arsenal, Ms. London was an integral part of the company’s immediate response team for worldwide cyber security incidents. During this time she completed and has maintained certification as a Payment Application Qualified Security Assessor (PA QSA), Payment Card Industry (PCI QSA), and PCI Forensic Investigators (PFI), one of the first appointed by the PCI Council. At IBM, she acted as an official Quality Incident Response Assessor (QIRA) reporting PCI breaches to major card brands. Prior to her work for IBM, Ms. London was with the Air Force Office of Special Investigations (AFOSI), where she was one of two Airmen chosen for special duty assignment at the Defense Cyber Crime Center, and where she was tasked with testing and evaluating forensic software and hardware for the Center.




Rapid Blind SQL Injection Exploitation with BBQSQL
BEN TOEWS SECURITY CONSULTANT, NEOHAPSIS
SCOTT BEHRENS SECURITY CONSULTANT, NEOHAPSIS

Blind SQL injection can be a pain to exploit. When the available tools work they work well, but when they don't you have to write something custom. This is time-consuming and tedious. This talk will be introducing a new tool called BBQSQL that attempts to address these concerns. This talk will start with a brief discussion of SQL Injection and Blind SQL Injection. It will then segue into a discussion of how BBQSQL can be useful in exploiting these vulnerabilities. This talk will cover how features like evented concurrency and character frequency based searching can greatly improve the performance of a SQL Injection tool. This talk should leave you with enough knowledge to begin using BBQSQL to simplify and speed up your application pentests.

Ben Toews is a Security Consultant at Neohapsis where he specializes in application and network pentesting. Previously, Ben has worked as a sysadmin and as a developer. Ben has spoken at Thotcon 0x03 and has been published in HITB Magazine. Ben has a BS in Information Assurance and Security Engineering from DePaul University.
Twitter: @mastahyeti
http://btoe.ws 


Scott Behrens is currently employed as a Security Consultant at Neohapsis and an Adjunct Professor at DePaul University. Before Neohapsis, Scott Behrens was an Open Systems Architect for a financial consulting firm, as well as a Network Administrator at Argonne National Laboratories. Scott Behrens’ expertise lies in software security assessment, network penetration testing, social engineering, security architecture, and security research. Scott is also the co-developer of NeoPI, a framework to aid in the detection of obfuscated malware. Scott has also presented at Chicago B-sides and has published numerous articles in various security outlets. Scott Behrens has a Master’s of Science in Network Security from DePaul University.
Twitter: @HelloArbit
http://www.scottbehrens.com



*******************************

This got me thinking. That's a lot of talks on one topic! If the class is to find a way to harden our scenario's security, is SQL the answer?

Since it is relatively new to me, I reference one of my favorite sites: W3Schools. Don't know about SQL yourself? Here ya go: Introduction to SQL.

This got me thinking really hard. When considering a solution to some potential problems, we have to be able to consider the insecurities of our solution. We can try to be as secure as possible, but there is no way to prevent a determined attacker unless we stay one step ahead of the game.

Talks like the ones I mentioned above help keep us aware of vulnerabilities we may not have been aware of. It also proves the importance of due diligence in the world of Cybersecurity. As attackers evolve, so must the defenders. Failure to do so, no matter what system you have, could result in catastrophe. In my other course regarding Business Continuity and Disaster Recovery, the main cost is usually financial and the loss of consumer confidence. Both could cause the demise of an organization.

In regards to the regular person though, security is all the more important. After all, identity theft can take a long time to resolve. If you access this blog, then you are accessing the World Wide Web. Check your security, update your security software, secure your WiFi router, do not answer those silly questions on Facebook, do what is necessary to protect yourself. Most importantly, as you learn about security measures, tell people. Education is the best way to keep things secure.

Tuesday, June 26, 2012

Week 3 - CYBR 650

It's MONDAY! Wait a second!!!

Ok, so last week was a total bust!

Things I learned last week:

1. Jet skis are not as easy to fix as you think
2. Baskin Robbins ice cream cakes do not fare well in an ice chest
3. Even though you are playing in the water, you can suffer from heat exhaustion
4. Even though you are playing in the water, you can suffer from dehydration
5. You can get 2nd degree sunburn playing on the water with jet skis
6. Nurses don't like 2nd degree sunburns on the back of your hands (caused by holding on to the jet ski throttle) because there is no place to put the IV
7. Despite it all, it was one heck of a great time!!!!! 7 extremely happy and yet very exhausted (and wore more sunblock than me) children: PRICELESS!!! :-)

One of my assignments for this class had me read about an event or news article about something to do with Cybersecurity. Human nature has always fascinated me and those of you locals who know me, also know this.

This leads me to social engineering. In essence, fooling others to get what you want. We see this every day. Locally, a tax increase was passed based on written intentions, but we just recently found out otherwise. The City played it well. They used a survey company to call the residents (I was actually one of them) about what was important to me in regards to what the local government should provide. They issued a "fiscal emergency." They hired a consultant to print out informative brochures about the new tax measure. It passed.

The City is now discussing ending the "fiscal emergency," hiring a federal lobbyist, putting a certain amount of the new funds into parks and rec instead of police and streets, losing one police position, and all before impaneling the oversight committee.

What does this have to do with Cybersecurity? Think about it. How many times have we been duped?

You know those questions that people like you to answer on Facebook? The ones about your favorite vacation spot? Your favorite color? Where your wedding rehearsal dinner was held? Who your favorite author is?

Have you ever stopped to wonder where those questions came from? Probably not. You think, "Hey! I know these people! They are my friends and probably know those answers already!" and then you answer them. These questions that you are answering for the world to see are based off of biometric security questions that can access your personal accounts! DOH! Don't feel bad though because it has been discovered that even CISSPs have been known to fill out those "surveys" without realizing what they were!!!

Without social engineering, there would be no need for Cybersecurity. Hackers, criminals, terrorists, and even national enemies rely on social engineering to obtain their objectives.

Recently, I was discussing with a friend about how the Navy issues colors for its passes on vehicles. The colors indicate what department the driver works in for the Navy. It also states what region they do it in! During this discussion, she told me that the Navy was going to change that. I asked her, "Really? What color?" She responded, "I'm not going to tell you!" I guess I need to practice this a bit more.

There is an advantage to posting this a little bit late. "Coach" presented me some interesting links to my assignment I submitted:

Institute for Competitive Intelligence

Confidential: Business Secrets - Getting Theirs, Keeping Yours

Switch: How to Change Things When Change Is Hard

Cybersecurity, while it seems to be centered around technology, really isn't. Think about it. What are the motives of most of our threats? Greed? Power? Maliciousness? Corporate Advantage?

Human nature has not changed, and that includes its negative aspects. It is because of these negative aspects of human nature that the need for Cybersecurity ever arose. As technology advanced, so did the ways people get bad things done. Without human nature, there would never be a need for Cybersecurity, or computer forensics, or police, well, you get my drift.

Friday, June 15, 2012

Week 2 - CYBR 650

This week's assignment is based on finding reliable references from which to draw valuable information. For those of you who know me, you know I am excellent at finding information in places that local government doesn't want me to find. This makes this week's assignment right up my alley.

But another question I was posed is, what happens if I have two reliable sources that contradict each other?

During one of my classes, a discussion commenced regarding the security of cloud technology. I went to my usual sources and found there were indeed conflicting data regarding whether or not cloud technology is secure. This got me really thinking hard. I began to evaluate who wrote what and discovered that those who supported cloud technology as a secure alternative for business continuity and disaster recovery were the very companies that offered services in that technology!

It has been my experience that when there is something new that is developed, while most bugs are worked out, not all bugs are found. This is something I experienced as a Beta tester for Photoshop CS 5. I played with the software, found bugs, reported them and installed any patches that fixed those bugs. However, despite this, Adobe later released 5.5 because there were so many fixes that needed to be made, they had to release a .5 version of their new release. It is the same with new car technology. My husband and I just recently bought a new Hyundai. It has a new technology in it that helps conserve gas on long trips. It's a great commuter car! We are hoping the bugs are worked out, but like any new model, we are prepared for that very thing.

Anyways, when it came to figuring out who was the more reliable source, I tend to err on the side of caution. People who provide such technologies would never promote their flaws. That's suicide for any organization. However, some things need to be considered.

Cybersecurity is a constant cycle. New threats will always present themselves. There is no such thing as true security. Benjamin Franklin told us that at the birth of our nation! Things have not changed much since then, just the methods used to violate security.

So, here are some sources I have found to be pretty reliable. They have been my best friends throughout my Master's program and I even found some new friends. I will most likely find more sources during my Defcon adventure!

One of the greatest weapons a hacker has is human behavior. People are predictable. A hacker understands that a majority of the people using computers do not understand security except they do know to buy virus software. So, what happens when a pop-up comes up on your screen and says, "You have 1,023,038 viruses!!!! Press here to get rid of them!" The initial response to someone who does not know is to download the software to get rid of all those viruses! What they do not know is they are downloading a virus. My daughter did this to my desktop. After I fixed it, I released my fury and gave her a class on social engineering.

Social-Engineer: Security Through Education is one of my favorite sources. It even offers a certification in Social Engineering Pentesting and once I have $3500, I'm going to get it! Anyways, this site offers newsletters that can be read and there is some really good stuff on that. After all, the reason computers are fallible is because humans are. Social engineering is the very foundation on which the hacker world lives.

The Hacker Academy gets a person to consider, "Are you thinking like a hacker yet?" Membership is $150/month or $1495/year. Again, that money thing, darn it! However, there are Research and Blogs available to the public that contain interesting information.

Electronic Frontier Foundation has some interesting information regarding the digital world and our civil liberties. As a person that is highly involved in both topics, this site really excited me! Like other political sites though, one must take each article with a grain of salt. In other words, if you don't understand current laws and our Constitution, don't bother.

These three sites above are just a few I have discovered in researching Defcon and they will be there this year! I intend to meet them! Maybe even get a Defcon discount!??? One can hope! But those are my new "friends" in regards to resources.

Of course, you can never have enough resources. These sources have been my best friends throughout my Master's Cybersecurity program. They are a wealth of information and have been invaluable in my education.


The National Institute of Standards and Technology has been an invaluable resource to me as well as SANS documentation.

I also have some listed below in previous blogs that have been so helpful in finding articles to write about.

Google is another wealth of information when doing basic searches. However, always take a look at your resources before using them as a viable source. The bad information will also surface with the good information!


Monday, June 4, 2012

Week 1 - CYBR 650

Hello again! I have once again been subjected to posting blogs on Cybersecurity. This will most likely be a reference point for me, since I do tend to look back on past classes to help with future ones.

As stated in the last set of blogs for my CIS 608 course, I intend to attend the DEFCON conference in Vegas! I am hoping that blog will be a fun one for anyone who happens to stumble on this blog and read it.

"Coach" wants me to introduce myself to the cybersecurity world, but as I look down, I wonder if that is necessary. Well, probably, just in case. I am getting graded on this you know!

My experience in cybersecurity is personal experience. I have a nice little secure home network setup. After that, the idea of corporations, government, and other large entities that need cybersecurity seems almost overwhelming! Organizations like the government, medical industry, and others contain a mass amount of information that must be protected. All I got are my weekly assignments and a wannabe budget. But this is a field that I am passionate about and I am hoping that eventually I will get to finally dip my foot in the cybersecurity pool and gain the experience needed to do my job excellently.

This type of work can be tedious, but it is fun in trying to play cat-and-mouse with the bad guys trying to keep them out while they try and get in. Also, trying to think of what might happen and protect against that threat as well, like tornadoes, earthquakes, fires, etc.

I love solving puzzles and how many people get to say that in the career they chose, they are paid to play? Cybersecurity is exactly that. A big puzzle. An intricate riddle. I can't wait until I can get a job where I am paid to play!

Like last time, I posted a list for my own personal reference that was recommended by the University. I will be posting that as well for me mostly, but you have my permission to use it too! ;-)

Also, I tend to go all over the place. I am a very random person so expect random posts. The University recommends sticking to a topic. Well, Cybersecurity is a topic and I'm sticking to it! HA!

Cybersecurity Center at Bellevue University - http://blogs.bellevue.edu/cybersecurity/
Security Bloggers Network - http://www.securitybloggersnetwork.com/
Infosec Island - http://www.infosecisland.com/
Security Wizardry - http://www.securitywizardry.com/radar.htm
McAfee Threat Intelligence - http://www.mcafee.com/us/threat_center/default.asp
SANS News summary - http://isc.sans.edu/newssummary.xml
CNET Security and Privacy - http://news.cnet.com/security/
NebraskaCERT - http://www.nebraskacert.org/CSF/
ISACA Knowledge Center - http://www.isaca.org/Knowledge-Center/Pages/default.aspx
Norton Security Resources - http://us.norton.com/yoursecurityresource/?prod=NIS.18.6.0.29&layout=esd&ssdcat=180&lcid=1033
Privacy Rights Clearinghouse - http://www.privacyrights.org/
National Cyber-Forensics & Training Alliance - http://www.ncfta.net/
Identity Theft Resource Center - http://www.idtheftcenter.org/
FBI Cyber Crime Stories - http://www.fbi.gov/news/stories/story-index/cyber-crimes
Security Week - http://www.securityweek.com/

See you next week!