This is my last post for this class. Has it really been 10 weeks already??? When did THAT happen!?
I think I will continue on with the DEFCON theme. One of the speakers during DEFCON 101 said something that has stuck in my head. They stated that geeks are typically anti-social, and that there is high demand for a geek who can speak to both management and the techies, but they are rare. A person in cybersecurity must be able to communicate. This class has reminded me of that a lot. It is hard to do when you are assuming your audience knows what you are talking about (in this case they did), but you have to take it from the perspective that your audience doesn't.
TOPIC CHANGE (sorry Coach!):
I have also taken XML this semester. While this isn't part of my degree, it was interesting that it did apply. While at DEFCON, I talked to a fellow attendee about XML. He was a pen-tester and told me that when a client tells him they want him to pen-test their XML, he begins to salivate. How funny.
I found out later why. I took in a talk called, "We've Got You By The Gadgets." The talk was about Microsoft Gadgets, but it was mentioned it could apply to apps that we all use on our smart phones and tablets because they are similar concepts. Here is what I wrote for my XML class:
Gadgets and apps are very simple programs; they are not complicated at all. Any web application language can be used to write them, and the same languages can be used to alter existing ones or create malicious ones. Frameworks like Silverlight make it even easier to create gadgets and apps, malicious ones included.
The first problem with gadgets and apps is the lack of code signing. Code signing identifies who the software publisher is and guarantees that the code has not been altered or corrupted since it was signed. An unsigned gadget causes Windows to prompt with the security warning, "Are you sure you want to install this...?" The problem is that people will say yes, because they do not see apps or gadgets as software or code, and so they invite the attacker into their technology through something that looks deceptively innocent.
Here was an interesting statement regarding gadgets:

"Some of the things you are actually able to do from a gadget. I can do anything I want with a gadget. I can execute code. You can execute URLs. If you didn't want to carry something with you in the HTML that you're downloading with the gadget, you can get more. If you want to change what you downloaded, you can do that too. If you want to update, no problem. You want to create files with arbitrary content, binary or otherwise, on the system, we can do that. You want to be able to read files, anything the user has permission to, you're good for. If you want to get past that permission, obviously you can just raise the UAC prompt and do so. You can make your computer speak."
A demo was done using a Nyan Cat gadget turned into a proof of concept (POC) attack. It accessed the user's Gmail account and built a list of contacts for the attacker to spam. The malicious code was only 16 lines. The key point is that a gadget runs with the user's privileges, so it has access to all of your cookies and all the information in your browser. That includes your proxy configuration, and it can manipulate anything else on the system that the user can.
Gadgets can also remap network drives, delete mapped network drives, handle mapped network drives, and add mapped network drives. Everything that Windows supports, a gadget can do.

Gadgets are just code, and they are typically written by people who do not have a lot of experience writing code.
Also discussed was the ASN.1 bug. ASN.1 is an underlying encoding standard (an ITU-T standard) that came with a reference implementation nobody bothered to use only as a reference; the reference code was copied straight into products. It was used in satellites and ISDN, and a single flaw in that shared code showed up everywhere.
Because gadgets and apps typically fetch their content without SSL, there is no way to tie what actually runs back to the original code of the app or gadget. Anyone in the network path can "update" the gadget and turn it malicious without the user being aware of it. Once the update is applied, the gadget stays altered. You think you are getting a cool gadget that does one thing, when in reality you are getting something completely different.
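To make the two points above concrete (unsigned code and unauthenticated updates), here is an added example of my own; it is not code from the talk, from Microsoft, or from any real gadget. It simulates a publisher pinning the SHA-256 digest of an update bundle in the gadget's manifest and a client refusing to install a bundle that either arrived over plain HTTP or no longer matches the pinned digest. The manifest format with an `<update>` element, the `example.invalid` URLs, and the "bundle" bytes are all constructed for the example; real gadgets do ship a `gadget.xml`, but the update element is an assumption.

```python
"""Added example: refuse gadget updates that are fetched over plain HTTP or that
no longer match the digest the publisher pinned. Manifest format, URLs and
bundle contents are constructed for illustration; none of it is from the talk."""
import hashlib
import hmac
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample bundle. A real gadget update is a zip of HTML/JS; a few
# bytes of fake script stand in for it here.
GENUINE_UPDATE = b"<script>function onKey(n){ playNote(n); }</script>"
# Constructed stand-in for what an on-path attacker might substitute.
TAMPERED_UPDATE = GENUINE_UPDATE.replace(b"playNote(n)", b"exfiltrateCookies()")

# Hypothetical manifest. Real gadgets have a gadget.xml, but the <update>
# element with a pinned digest is an assumption made for this example.
MANIFEST_TEMPLATE = """<gadget>
  <name>Piano</name>
  <version>1.0.0.0</version>
  <update url="{url}" sha256="{digest}"/>
</gadget>"""


def build_manifest(url: str, bundle: bytes) -> str:
    """Publisher side: pin the SHA-256 of the bundle being released."""
    return MANIFEST_TEMPLATE.format(url=url, digest=hashlib.sha256(bundle).hexdigest())


MANIFEST = build_manifest("https://example.invalid/piano/1.0.1.zip", GENUINE_UPDATE)
HTTP_MANIFEST = build_manifest("http://example.invalid/piano/1.0.1.zip", GENUINE_UPDATE)


def parse_manifest(xml_text: str) -> dict:
    """Pull the fields the updater needs out of the manifest."""
    root = ET.fromstring(xml_text)
    update = root.find("update")
    if update is None:
        raise ValueError("manifest has no <update> element")
    return {
        "name": root.findtext("name", default=""),
        "url": update.get("url", ""),
        "sha256": update.get("sha256", "").strip().lower(),
    }


def check_update(manifest: dict, payload: bytes) -> tuple[bool, str]:
    """Client side: decide whether a downloaded bundle may be installed."""
    url = urlparse(manifest["url"])
    if url.scheme != "https":
        # Plain HTTP is exactly the man-in-the-middle case from the talk.
        return False, f"refusing '{url.scheme or 'schemeless'}' update URL: an on-path attacker can swap the bundle"
    pinned = manifest["sha256"]
    if len(pinned) != 64 or any(c not in "0123456789abcdef" for c in pinned):
        return False, "manifest pins no usable SHA-256 digest"
    actual = hashlib.sha256(payload).hexdigest()
    # Constant-time comparison so the check itself leaks nothing useful.
    if not hmac.compare_digest(actual, pinned):
        return False, "digest mismatch: the bundle is not what the publisher released"
    return True, "digest matches the pinned value; safe to apply"


if __name__ == "__main__":
    good = parse_manifest(MANIFEST)
    cases = [
        ("genuine bundle over https", good, GENUINE_UPDATE),
        ("tampered bundle over https", good, TAMPERED_UPDATE),
        ("genuine bundle over plain http", parse_manifest(HTTP_MANIFEST), GENUINE_UPDATE),
    ]
    for label, man, bundle in cases:
        ok, why = check_update(man, bundle)
        print(f"{label:32} -> {'APPLY ' if ok else 'REJECT'}: {why}")
```

The digest pin only proves that the bundle matches what the manifest says; it is only as trustworthy as the channel the manifest came over. That gap is what code signing closes in practice: the publisher signs the bundle and the client checks the signature, so the trust anchor is the publisher's key rather than the download path. A hash pin stands in here because Python's standard library has no asymmetric signature primitive.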
The next demo they did was a man-in-the-middle attack. A piano gadget was taken from the Microsoft gallery with no modifications to it. When they put the piano on the Desktop it said this: "Hello, this is your computer. I am tired of the way you have been treating me. I am going to self-destruct in 5 seconds! Good-bye." That was three lines of code, slipped in by the man in the middle, for the gadget to yell at you.
In the end they offered these tips:

1. Don't take candy from strangers.
2. Write your applications properly! Your parser may accept your code, but you could inadvertently be writing damaging code that creates problems later.
Applications are similar to gadgets. Keep that in mind when you see the next popular app headed your way.
Friday, August 10, 2012
Sunday, August 5, 2012
Week 9 - CYBR 650
This week has been pretty exciting. I ended up in the ER and the ER doctor diagnosed me with "DEFCON" back! LOL After some Percocet and rest, I can finally stand up. What I was told, however, is that as geeks it is easy to get absorbed with our machines. WALK periodically, because sitting for a long period of time puts stress on the lumbar region of your back. While it may not seem like you have done anything to injure your back, not walking around will actually injure it. Speaking of which, I better get up and walk really quick!
*******
This week I have to write about what I experienced in doing my Action Plan. Playing with a new template, I was limited in what data I could add. I also forgot to consider things such as controls and threat risk condition (high, medium, low). This is frustrating because it is not something that I do on a day-to-day basis. That and my brain is still in overload from all the information I got at DEFCON.
This is going to be a short blog due to my drugged up status, but I wanted to let everyone know the Cybersecurity Act of 2012 did NOT pass! However it only failed in a 52-46 vote.
This concerns me. In order for the Act to pass, it needed 60 votes. 8 more votes and it would have succeeded. Unlike PIPA and SOPA, the Cybersecurity Act of 2012 was not as widely protested by the Internet community. It was, in essence, PIPA 2.0, and yet there was no uproar protesting this Act like the other two.
With only 8 votes away, we can be sure Congress will attempt to pass something similar soon. If the Internet community does not speak up, it will not be hard to make up those 8 votes and start passing legislation that will begin inhibiting our freedom of speech as well as our privacy.