This year's Holiday Hack Challenge was just as invigorating and challenging event as usual. Santa and the Elves decided that due to all the cyber shenanigans which have occurred over the years that holding a hacking conference would be a great way to keep everyone safe. The name of this conference is KringleCon and it involved an entire virtual world, complete with a virtual character who can move around and interact with CranberryPi terminals, as well as ventilation shafts, kiosks and door code panels (Figure 1). This challenge was tough as it required knowledge of a vast spectrum of knowledge in computer administration, web services, code cracking, and web servers. Additionally, skills in programming and debugging in languages such as JavaScript, PowerShell, Python, shell scripting, and data analysis. While I have decent amount of knowledge with many of these skills, I wasn't going to be able to complete the challenge in time to submit a report to the Counter Hack team by January 14, 2019 due to a later start than last year. So I recruited a good friend of mine whom I've worked with in the past, who is probably one of the most skilled computer experts and programmers I know. My friend and I worked over the last few days to finish the last four challenges/objectives to submit a report before the deadline. The result is approximately 81 pages (a few typos and errors but nothing serious) for our report describing how to finish the 2018 SANS Holiday Hack Challenge. Below is our report embedded for review. Overall, I found the competition very different from the 2017 version and as it was more of an open-world one the flow of the contest was a bit confusing until I spent a good chunk of time (about an hour) of really exploring and understanding the world, and how we could really navigate around and interact in any order a competitor chooses. This proved to be a really fantastic choice by the Counter Hack team, and upon completing the competition with a solid tying together, I'm pleased to say this was an even better experience than last year. I'm continuously humbled by the organization, skills, and efforts of Ed Skoudis and his team. As usual it was a fun experience and the team did a phenomenal job. I'd like to extend a personal acknowledgement to Jevan Gray for his ability to quickly understand and dissect code and assemble solutions. I doubt I could have accomplished this before the deadline without his knowledge and expertise. Thank you again Jevan!
0 Comments
In my own words, Computer Forensics is the scientific method of obtaining digital evidence from computing devices while maintaining their integrity and authenticity to ensure digital evidence may be accepted in a court of law. I recently completed a Masters course in Computer Forensics at the University of San Diego after having performed previous computer forensic mentor work with high school students for the Air Force Association's CyberPatriot program and Cal Poly's 2018 California Cyber Innovation Challenge. This field is vast, constantly changing, and much more tedious than any movie or television program portrays. However, working as a computer forensic analyst and discovering a clear and consistent timeline of activities or artifacts which tell a story, makes a lot of the labor worthwhile. This is the exciting part.
Computers and the Internet are tools. Tools can be used as they are intended, or they can be abused. Unfortunately, there's a lot of abuse which occurs which is aided by the use of computers and the Internet. Child exploitation, human traffic, terrorism, financial crimes, or even just plain human rights violations leading to murder, prison or torture. The field of Computer Forensics attempts to aide companies and Governments to provide evidence of these serious crimes by analyzing those systems involved. Some wonderful resources I have found for computer forensics include the following in no particular order:
This blog provides resources and suggestions to consider before moving any services to a cloud provider. There has been phenomenal growth in cloud computing with companies like Amazon, IBM, and Microsoft netting billions of dollars in profits while consumers are saving billions as well. With the possibilities of seamless scalable systems, on-demand availability, pay-for-use cost models, and always available access, it has given organizations a new cost-effective alternative to hosting their own servers. Many businesses, governments, and private persons are looking to move services to cloud providers to reduce costs and increase availability of services. However, without understanding the specific threats posed by cloud adoption, we could expose ourselves, and our businesses, to unnecessary risks.
First let's define what cloud computing means for those who may not know. The Cloud Security Alliance and the National Institute of Standards and Technology's (NIST) define a cloud computing provider (e.g. Microsoft/Amazon/IBM) as "exhibit[ing] five essential characteristics that demonstrate their relation to, and differences from, traditional computing approaches." These have five characteristics:
However, as a cloud consumer, there are many resources to review and considerations to take as well. Here's a list of items to consider before you "go to the cloud":
In 2008 Flo Rida had a song "Low" featuring T-Pain with a line "Boots with da fur" which my family loved belting out whenever we heard this song on the radio. This blog article has nothing to do with getting your club on. Rather, DFIR (Digital Forensics and Incident Response) pronounced Dee-FUR just reminded me of it. DFIR has a significant place in competitions for cybersecurity. Many of the California and National competitions are composed of a large portion of digital forensics, so having the right tools for the job makes all the difference. Some bright students I've been mentoring have asked, "What OS do you recommend for DFIR?" My default response is typically Kali Linux, but I wanted to take a deeper look into SANS' SIFT workstation.
If you found yourself accidentally, or intentionally, reading my earlier blog postings, you'll note that many of these high school and middle school competitions require that the competitors use Open Source and freely available software. This was another reason why this was a great opportunity to revisit and try out SANS' SIFT Workstation. This Ubuntu distribution based on Debian Linux was developed, and is maintained, by a formidable training group, SANS,' very own Rob T Lee. It features automatic updates, and a plethora of free and often updated tools one can use for Digital Forensics and Incident Response. Learning to use these tools is for other blog postings, this blog discusses getting the most recent version of a great DFIR tool installed and working on this OS build. There are a lot of DFIR tools and Operating Systems available for use A small sampling of them includes Linux
Get your SIFTv3 workstation image/installation and update/upgrade it I'll assume you're familiar with obtaining a virtual image of SIFT and getting it installed. I'll use VirtualBox for my blog, as it's free and feature-rich. You can download a pre-configured SIFT workstation as a Virtual Machine in OVA format at https://digital-forensics.sans.org/community/downloads under the section "Download SIFT Workstation VM Appliance". After you get your workstation up and running (there are other tutorials for that) then update it through it's built in update or open a shell/terminal window and type sudo apt-get update && upgrade to get the build to update. After this, there are only a few other steps to install the required Java version to support TSK and Autopsy 4+. Installing testdisk for photorec functionality Note that I did not find this necessary for versions 4.6 or 4.7 of autopsy, however, it can't hurt for you to test. Enter into a shell the command: sudo apt-get install testdisk Installing Java to support TSK/Autopsy 4+ After you've updated the Operating System and verified that you have installed testdisk, check to see if Java's version is 1.8 or higher by typing in the shell/terminal: javac -version Your output should show something like javac 1.8.0_171 . Ensure it starts with at least version 1.8.0. If not, then add Java's repository to update sources by typing the command: sudo add-apt-repository ppa:webupd8team/java then update your local repository with command: sudo apt-get update and finally install the Java 8 installer with the command: sudo apt-get install oracle-java8-installer When installation completes (it may take one-five minutes or more) then check your Java version again with command and copy the installation path that appears next to Java version 1.8. javac -version Often times you'll have more than one version of Java installed, so another command is required to check which version is the primary one and also show us the file path where it is located. Check this with the command sudo update-alternatives --config java to show a list of Java installations on the system. Check that 1.8 shows the default/primary version with an * in it's row and copy down the path to Java 1.8 as you'll need to add that path to your environmental variables. Type the command sudo nano /etc/environment to open up the nano text editor, and add the JAVA_HOME line below (with your path) as a new line in the /etc/environment file. *Note that you only need to include the path up to /java-8/oracle. JAVA_HOME="/usr/lib/jvm/java-8-oracle" Press CTRL+X to exit, and when asked save the changes. Reload your environmental variables with command source /etc/environment then verify the variable shows the correct path by running the command echo $JAVA_HOME. *Note: These installation instructions comes from the article https://medium.com/coderscorner/installing-oracle-java-8-in-ubuntu-16-10-845507b13343 which you can visit for more details. Getting and Installing the latest version of The Sleuth Kit and Autopsy Visit https://github.com/sleuthkit/sleuthkit/releases and download the latest version of the .deb package, typically named something like sleuthkit-java_4.6.1-1_amd64.deb. Then install this Debian package of sleuth kit by running the command sudo apt install ./sleuthkit-java_4.6.1-1_amd64.deb. Now that we have the latest version of The Sleuth Kit, go download the latest version of Autopsy. It will typically be released in a zip file at https://github.com/sleuthkit/autopsy/releases and be named something like autopsy-4.7.0.zip. Create a directory for Autopsy wherever you prefer mkdir autopsy-4.7.0 and then unzip the file you downloaded there unzip autopsy-4.7.0.zip Finally, run the setup script in that directory sudo sh unix_setup.sh If everything is in order, you'll have a working version of Autopsy and The Sleuth Kit. You may run Autopsy by changing to the ‘bin’ directory in the autopsy folder you created and then typing the command ./autopsy Summary With a recent working version of The Sleuth Kit and Autopsy on SIFTv3 you have many of the tools competitions require for DFIR tasks. There are many things you won't be able to do without additional work, for example extracting specific registry keys and values from forensic images or other tasks. Fortunately Autopsy includes a modular framework which supports both Java and Python, and the community has created many of these tools for us check these out at https://wiki.sleuthkit.org/index.php?title=Autopsy_3rd_Party_Modules Today's digital forensic investigators benefit greatly by the ease with which the tools and maintenance of them can be done by an opearting system such as SANS' SIFT Workstation. Combined with great open source tools like The Sleuth Kit and Autopsy the hardest part is now learning how to investigate. For example discovering where you need to look, and what information you need to look for as well as how to get it. I found one great resource shared by a student at Cal Poly's California Cyber Innovation Challenge website which discusses analyzing Windows 7-10 and Android operating systems. The papers here contain great tutorials and basic training. Visit the Cal Poly California Cyber Innovation Challenge site and review their awesome site and the downloadable material at https://cci.calpoly.edu/events/ccichttps://cci.calpoly.edu/events/ccic/2018-df-downloads Happy hunting and many thanks to Cal Poly, The Sleuth Kit and Autopsy developers and SANS Digital Forensics! Introduction
Recently I volunteered and became a CyberPatriot mentor. In this program I work with local area high school students interested in cyber security who compete in cyber security competitions. Side note: If you work in cyber security, please consider being a mentor; there are perks and we need more STEM/cyber interest, especially from young women. One of the more challenging aspects of competitions for these groups, and most administrators, is discovering how a system you are given may be incorrectly configured. Some examples include discovering if telnet is running, no firewall enabled, a blank password on an administrator account, or a root/root username/password on Linux. In most cases, the competitions use a plethora of operating systems very much like most organizations (e.g. Windows 7, Windows 10, Ubuntu 14, Ubuntu 16, OSX) The Challenge In my previous experience, there are a lot of programs out there that automate this process. I began researching products I use, or know of and have used before to share and demonstrate. This is when I learned, that over the past 5 years the automated vulnerability configuration landscape has drastically changed from an open and free one, to a cloud-based, payed one. This proved to be more of a challenge than I anticipated requiring much more time than I allotted. I had to adjust my requirements for products which are here:
I scoured NIST's Computer Resource Security Center (CRSC) website to find products which were Security Content Automation Protocol (SCAP) compliant. SCAP is a method for using standards to automate system configuration checks/compliance. Cyber security software providers want to be SCAP compliant for Government compliance. It also helps in the private sector too. SCAP compliance uses the former OVAL-based standards or the newer XCCDF checklist format to assess system configurations. A tool that is SCAP compliant is going to be easier for students to learn how to use. Unfortunately, as you'll see, I didn't find a single tool. Tools, not a tool In this case, students take a recommended configuration checklist using XML-based evaluation standards (OVAL, XCCDF) and use the file/list with an evaluation tool/program which outputs results showing the difference. The problem is a lot of the tools out there are either no longer free, or, they only work for specific operating systems. This means now having to use not one tool, but two. Note: OpenVAS is a good tool for this, but it is complicated and difficult to learn and use as it has many more features outside of configuration analysis. The Tools I ended up choosing were
As the tools above show, I did find some tools. But there is not one tool. I ended up discovering there were many available but that there wasn't a single inexpensive, or free tool which could help these students assessments during cyber security competitions. I think as young persons learning cyber security, the industry is doing a disservice by not providing readily available tools for them to practice with and to learn to use. Cyber security is tough. There is a lot of overwhelming content, vulnerabilities, system specific caveats, configuration data, network knowledge, and programming information a person has to learn while also trying to do it easily. I hoped there would be an easy way for these students learn I have is that an automated way to review hundreds or thousands of configuration settings Here I present the top 30 passwords taken from Troy Hunts haveibeenpwned.com/passwords website where he provides a great tool and resource to verify if your password is in a breach disclosed to Have I Been Pwned. He also released the SHA-1 hashes of over half a billion disclosed passwords to be downloaded for our own pleasure. From this I did a quick analysis.
Note, Troy did not release the plaintext passwords as some had sensitive materials; thus there was a little searching to convert these, but fortunately for us, or unfortunately depending on how you look at it, these were easy to Google/convert (e.g. put the hash into Google and find a match). It's no surprise that number sequences and keyboard patterns make up the bulk of the list. One outlier was "myspace1" which was identified 707,334 times in breach disclosures. This is likely due to the breach of passwords from the website myspace.com and users using "myspace1" to meet minimum password requirements. The infamous "password", "password1", "iloveyou", "monkey", and "dragon" appear in the top 30. People love password monkey dragons! Enjoy! In this document I analyze the Windows NT Architecture and it's implementation of the Security Reference Monitor model. It identifies gaps and strengths in the implementation from Windows 2000 through Windows 10 and Windows Server 2012R2. The bottom line is, Windows NT is a complex, flexible, robust system, however, it also supports so many capabilities that a simple security model and implementing basic security reference model principles hinder true secure operations. The Operating System can, of course, be hardened, however, the basic structure presents challenges which would need many other systems to provide compensating security controls as well as mitigations and detective controls. I'll still use Windows, however, a complete redesign of their security reference monitor implementation may be required to provide a secure, auditable, and tamper-resistant operating system. This document was created for an assignment in my Cyber Security Operations and Leadership program at the University of San Diego. Kali Linux Training Site: https://kali.training/
Free e-Book PDF: https://kali.training/downloads/Kali-Linux-Revealed-1st-edition.pdf I'm a fan of Kali, for all the reasons Johnny Long mentions in the introduction to the free book for this free course. Ethical hackers (e.g. white hats, the good guys) used to have a MUCH harder time doing our jobs. There was too much work, and up-to-date tools were the tricks of our trade. Keeping those tools organized, up-to-date, and relevant was a beast of a chore. Relieving us of this burden is the greatest gift Kali has given to the community. New cybersecurity professionals are reaping the benefits of their continual hard work today. There still remains one issue technology cannot solve though as it is a purely human trait. That trait being the charge-the-hill ambition of a new cybersecurity person wanting to dive right into using "hacker" tools to do the sexy looking stuff without understanding the basics - I admit it, I'm guilty of this too, sometimes. I'm reminded of this when observing my son learning something new and exciting. He wants to go right into creating his own version of Minecraft with Python without understanding the basics. He'll skip over important foundational information like what a loop or error statement does, why these are important, how they work, or how to fix them when they don't work. Addressing this often frustrating and overwhelming aspect of the job is the premise of Kali Linux Revealed. This course and accompanying PDF/book provides the basic required knowledge which forms the foundation information a new cybersecurity professional needs to know BEFORE they get to do the truly sexy stuff. Understanding, and knowing the information from this course and in this book separates the script kiddies, from the ethical hackers. The girls/boys from the men/women. It's what defines the difference between those you can rely on to give you a decent understanding of your information security posture and those who will lead you astray. So, I gave it a review, and I found it to be very good for the beginner, or as a reference for the experienced cybersecurity professional. You can review the course, download the free eBook, and register all at https://kali.training. The online course, gives you the screenshots/pictures, guides you through what the book reviews, and in essence, if you register you're showing interest, and can save your location while doing the training course over a period of time. The course is a formal walk-through of the book. It will teach you to hack the tools you will use while you hack and also what you need to know before you learn how to really hack - primarily Linux/Unix. If this was an easy task, there would be more hackers; but today we mostly have a plethora of script kiddies. Please don't be a script kiddy! RTFM (Read the Fine/F^@#ing Manual). This job is not for the meager dabbler, it's a long, and quite frankly hard job for most. If this were easier we wouldn't get paid awesome salaries and spend dozens of hours pulling our hair out over a single line of code in a tool that's not working. Hacking and cybersecurity are complex; and Kali made the last parts easy, but when the tools in Kali don't work, and they always fail at some point, you need to know basic Linux system administration, basic programming, shell scripting, and understand how the Linux computer system works in general before you can move forward. Being a hacker isn't a title earned by using some programs or tools you downloaded - that earns the title of "script kiddy". The Hacker title REQUIRES knowing what you downloaded, how it works on the operating system you are using it on, how to use it, and what to do when it does not work or it breaks. Enough preliminary, on to the review. Chapter 1 Runs through a history of the first widely used pen-testing "distributions"; Whoppix, Whax, BackTrack, Kali. It really reminds me of how hard it used to be to do security testing, finding and hoarding tools, then they get outdated, and you have to troubleshoot them. Ugh. What fresh hell that was. Anyway, it describes what Linux is, it's current distribution flavor (Debian), what it does and how it can be used, as well as major features, and Kali Linux policies. A good breakdown of the history of the OS. Chapter 2 Ah the essentials, how do I get this "Kali Linux". This chapter, describes how and where to obtain the stuff you need. Like, where to download Kali Linux and how to prepare using it. It includes configuring a session of VirtualBox to run a Virtual Machine instance of Kali Linux as well as VMWare Workstation. Finally, it describes the importance of validating the downloads via checksums. One area I felt was missing. That is was what I consider the "quick-start" test of Kali Linux. An overview of downloading and test-driving pre-built working virtual machines to use in VMWare Workstation and VirtualBox and fire them up to use Kali immediately; however, this really may have been intentional as the point of this course was to train you to understand and use Kali Linux from start to finish, rather than diving right into using the tools etc. Chapter 3 Describes Linux basics, including the kernel, user space, command line usage, bash, the file-system, and common commands, and Unix permissions. This chapter is a must read for anyone new to Linux/Unix and also is a good reference for the saltier veterans. Do not skip this section. Chapter 4 Describes what you need to run Kali Linux, how much space on your hard drive, memory, processors, and provides step-by-step instructions for installing it onto a hard drive, installing it onto ARM processors, troubleshooting, and unattended installations. It's the advanced Kali Linux installation chapter, with the basics at the forefront. Chapter 5 I would consider this chapter the hacker tool support section, and you'll need it to utilize all the tools properly. Describes how to configure Kali network settings, manage Linux Users and Groups, configuring and managing Services, the Apache web server service and configuration, PostgreSQL database server service and configuration, and using and configuring SSH for remote access to Kali Linux. Chapter 6 The where and how can I get help chapter? At some point everyone is a new person (n00b), and even veterans get caught in a n00b-loop when we let our egos be vulnerable, and ask new person questions. This chapter provides resources to get answers, either on your own (the hacker way), or asking (the community hacker way); usually try to get help in that order though. This chapter reviews help resources and documentation, using Manual pages (man command), apropos command to search man pages, pinfo, the ubiquitous software README file, websites including https://docs.kali.org, Kali official forums, using IRC and Kali, general tips, and how to communicate with "those uber leet hacker d00ds". Chapter 7 So, we've got this powerful collection of hacking tools on an operating system designed to hack the begeebers out of anything one can imagine. So, it makes sense we understand how to secure it, right? That's what this chapter covers, God forbid anyone brings up a default Kali Linux installation on a corporate network with the root/toor default username and password unchanged for any period of time *shudders*. This chapter reviews security policies and securing and monitoring your Kali Linux installation. Topics such as changing default passwords, best practices, reviewing Linux logs, implementing firewall rules, disabling unused services, and how to use iptables (the netfilter firewall config tool). It goes over verifying packages to ensure they're not changed, using top to view activity, using AIDE, Tripwire, and rkhunter/checksecurity/chkrootkit to detect rootkits that may be on your Kali system. Chapter 8 The power of moving BackTrack to a Debian distribution was the ability to keep it, and the thousands of components it has, up-to-date. Kali Linux doesn't do this entirely on it's own, there's some proactive steps we have to perform to maintain it. Our field moves fast, so we needed something to match that pace. This is where this chapter, and the entire project really shines. This chapter discusses Linux Debian Package Management. More importantly, it's an in depth and important review of package management and Repositories. It's a reference for veterans and a must-read for new persons as it reviews managing packages. It discusses maintaining software using basic APT commands to maintain/update packages, alternative dpkg package manager and command, and Aptitude and Synaptic GUI-based package manager. All to keep you up-to-date and secure. Chapter 9 This area is more for an advanced user of Kali Linux. It's targeting modifying the tools on the builds. Probably useful for Red Teams (those who specialize in attacking, legally, networks and systems) as well as dedicated system administrators. It covers more advanced topics including customizing Kali Linux packages, the Linux kernel, images, building live-build systems and maintaining persistent Kali images. The live-build system aspect and maintaining persistent Kali images is probably the most useful to a new professional. Chapter 10 If you're new, you won't need to review this chapter. If you provide Kali to a group of persons or an organization, you're going to need to review this section. It discusses using tools to deploy Kali Linux in enterprise settings. Including booting from the network, centralized management, deploying Kali, configuration management using SaltStack, and the other tools to manage these features. Chapter 11 A key chapter if you're new to cybersecurity. It provides the foundation of terminology so you can ask the right questions and provides useful information to get help more quickly when you need it. If you don't know what to search for in Google, you're going to get a lot of wrong answers. This helps you know what to search for, by using the right words, phrases, and terminology. It gives an overview of security concepts, terms, and how to speak intelligently about the capabilities and activities of cybersecurity. There's great coverage of the types of assessments, vulnerability assessments, compliance penetration tests, traditional penetration tests, application assessments, types of attacks, Denial of Service, Memory corruption, web vulnerabilities, password attacks, and finally client-side attacks. These later items answer the question, "how is it even possible to hack" with a tool? Chapter 12 This chapter goes over what to do after you know a little about Linux. It reviews maintaining Kali via administrative tasks and where to learn more. It does not teach penetration testing. It teaches you what you need to know before you should even think about penetration testing (i.e. avoid jail time). It teaches you how to setup a system which enables you to perform penetration testing. There are hundreds of tools, with hundreds of options, and knowing how they work on the operating system built for them is key to understanding how to use them properly. Summary The twelve chapters and the free online course provide a great introduction to not only Kali, but cybersecurity. It goes over Linux administration, and the basics needed to get into cybersecurity. After you read this book and practice these activities, then you can begin to learn how to hack. Following this, I suggest trying one of the online hack challenges with your newly found Kali knowledge (see SANS Holiday Hack Challenge). I was impressed with the dedication of the authors, the Kali Linux team, and the community in supporting this endeavor. We need more ethical hackers, more white hats. This course and book not only gives you want you want, they give you want you need. Bom Trabalho (Good Work) folks and thank you for providing this awesome resource and service! This article presents more evidence about EquiFax Inc., and the threat they, and others, still pose to our private data. It demonstrates that none will enhance cyber security, until it costs more to not protect our data via fines and penalties implemented in law. As a cyber security professional, I am naturally judgmental and biased towards organizations like EquiFax Inc. when they bumble a breach and continue to have poor cyber security practices. Thus, I'm afraid when our information is handled by any entity related by them. I highly encourage ANY corporation using EquiFax or their subsidiaries to avoid this company until they demonstrably prove they are committed to protecting personal data. A company’s reputation and data is tied to their ineptitude. Without further digressions, I present a case of EquiHack, holding Tax data and asking for more! This investigation started when I received an electronic W-2 is ready email notification. Great I can start the heinous process of doing my taxes now. But in order to obtain said W-2 (oh boy did I ever forget what I was dealing with) I had to go through certain steps with a certain company. "Please visit this website:" https://www.mytaxform.com. "Okay, no problem" until I see the following footer at the bottom of the web site: Damn. Equifax. I have a personal bias and loathing for them. They didn't handle their MONUMENTAL breach well and I don't trust them. So I scrutinize this company/subsidiary of theirs, TALX Inc. which holds my data. See my list of what I found disturbing about this subsidiary of Equifax Inc. followed by varying degrees why each item is disturbing.
1. Their Privacy Policy ...dates to 2013. After Equifax Inc. just had an egregious cyber security breach. It also states they will sell to 3rd party affiliates. This is not okay to me. This is my tax information. I do not want ANY of my tax information sold to 3rd party affiliates. My Tax information is not for sale, at least I thought it wasn't. 2. The Security Policy... ...sounds good to a lay person. But it demonstrates a marketing or inexperienced person wrote it by boasting that "portions of our site make extensive use of Secure Socket Layer (SSL) encryption...password-like identifying information" though there's no reason to not use SSL for all of the data (cost or otherwise) and the term password-like does not mean anything. It's made up? What is a password-like password? A known-word? Anyway, they also boast they take "great care to safeguard all information that is transmitted to us and stored by us...using network intrusion prevention and detection technology as well as other industry accepted security practices...independent auditing firm KPMG completes their SAS 70 Type II audit" which is not true. If they did they'd SSL encrypt the entire site. They would not ask for MORE information, and they would not throw out a large name company who also suffered from an embarrassing cyber security breach, as shared by cyber security professional Graham Cluley, to instill confidence. 3. Uses easily obtained information as a username (SSN) The username for this company is your SSN (Social Security Number), even though Equifax Inc. lost ~154 million of these, and it contradicts their security policy claim as it is not an "industry accepted security practice" at all; it is Personally Identifiable Information not to be used as a username. Higher education had to go through the process of removing SSN as Student Identifiers already. But apparently it's okay for Private companies; there's no law. Why not. 4. and 5. Weak Password policy and process I remember when I originally signed up for an electronic W-2 that I had to do an all numeric 4-16 character password. This is not an industry best practice. So I hoped, when I reset the password recently, it would allow a secure one. But nope, see screenshot below. So, let me try some easy passwords to change it too, such as 1234, or 0000. Both were accepted. One good practice, they did not allow me to reuse old passwords. So they're retaining the passwords used already (hopefully encrypted). They use SMS text messaging for a 2nd factor to login. Our own government states this is a bad idea (June 2017) and why in laymen terms is reported by Wired Inc. here. 6. Requests Additional Personal Information
Upon login with my SSN/Username and Numeric only password, the site then requests additional information to store, for my safety. They want, a personal email address, though I received an email already telling me my W-2 was ready, personal phone number, last 4 of my social (which I already used to login), and my Date of Birth, which umm they already lost via the EquiFax breach and is easily obtainable. This is not extra security. A motivated teenager can hack me at this point. Also, if they're requesting additional information, this means they do not have it, and they are storing it in yet another database/location, which means additional copies of my information are spread around and poses more security risks. 7. Attempts to use Adobe Flash Upon signing in I notice the site attempts to utilize Adobe Flash Player to display information before failing over to alternative methods. Adobe Flash Player is being retired and most security aware companies have already migrated off of it as it has proven it is no longer secure. Yet this site shows additional risk by using it, and another method to display my information and interact with the site. The more complicated a site is, the harder it is secure, and we've already demonstrated cyber security is not this companies forte. 8. Using Symantec SSL Certificate While not inherently bad, in the cyber security realm Symantec SSL certificates have shown a serious lack of integrity. Symantec has some good products, but it's SSL business was not among them. Google and other major web browsers are no longer going to trust them, meaning your site is considered not secure while using SSL technology with Symantec Certificates because of a lack of integrity. An SSL Certificate is the 3rd party responsible for being the trusted entity that assures us our data is secure. Unfortunately, Symantec lost the community trust in 2016/2017 and thus continuing to use their certificates shows a lack of security awareness. Am I being overly hard on EquiFax and it's owned companies. Yes. Do I have a reason to be? Yes. This is yet another reason why we need Federal Regulations enforcing good cybersecurity practices. Organizations WILL NOT do this on their own. Humans have a tendancy to not want to do things until it's painful to them. This seems like the perfect case-study for why we need to create similar laws to that of Europe to protect our personal data, and penalize companies who do not care about it as much as we do. EquiFax has yet to demonstrate they care about me, you, or our data, and property. To that I plead.... Help us US-LEGISLATURE-KENOBI, you're our only hope. Below I present my report on the 2017 Holiday Hack Challenge. It's in PDF, because, well I put a lot of effort into the report to make it pretty and readable for the SANS folks. The challenge was a lot of fun, and I highly encourage anyone even remotely interested to give it a crack, it will always keep you learning. Happy Hacking and best wishes! |
AuthorI am a Doctoral Scholar at Colorado Technical University and a graduate of the Cyber Security Operations and Leadership program from the University of San Diego. I work in cybersecurity, and have accumulated twenty years in the IT industry. There are few IT roles I have not performed, which gives me great insights into making sense of all the IT confusion. Archives
February 2022
Categories
All
|