Hacker’s Mother Manages to Break Into a Prison, and the Warden’s Computer

By Anthony Berrios


Blog Post #10

John Strand is a penetration tester for Black Hills Information Security. As a pen tester, he was hired by an organization to test the security of a South Dakota correctional facility. But instead of going in himself, he did something that most likely hasn’t been done before: he sent his own mother. To provide some background, John’s mother, Rita, had just recently become a chief financial officer for Black Hills after spending three decades in the food service industry. She told John that she wanted to break in somewhere, so of course he had to grant his mother’s wish. Rita had confidence and plenty of professional experience, but she was certainly no hacker. Still, John knew that she could pose as a state health inspector and, with the right credentials, make her way inside the prison.

Since Rita had no technical experience, the digital side of the pen test had to be done remotely. To do this, Rita was given a USB flash drive that would plug into the prison’s devices and give John and his team remote access to the prison’s systems. After sending in his mother and waiting for almost an hour, John still hadn’t heard back. At this point John was feeling idiotic for sending his mother, who had no pen testing or IT hacking experience whatsoever, into an environment such as this.

All of a sudden, the laptops belonging to John and his team started flashing frantically. Rita had been successful. Their laptops had started creating web shells that gave them access to the prison’s computer network from the comfort of the local cafe where they were sitting, just miles down the road. What is truly astounding is that Rita was given no trouble at all as she entered the prison. She pretended to check the kitchen for health risks and even made her way to the server room, where she planted the USB drives, all with no supervision or anyone watching her.

The real surprise, however, came when the warden called Rita into his office for advice on the prison’s food service practices. This is where Rita’s past experience in the food industry really shone. She was able to walk him through it all and even handed him a flash drive that she told him contained a self-assessment checklist that the prison could look over before inspectors visited. What the warden didn’t know is that the checklist was really a Word document loaded with malware that instantly gained access to his computer.

This is a remarkable story because it shows how important pen testers are to improving the security of not only prisons but also important buildings and companies all over the country. Also, it’s not every day that an untrained pen tester is able to successfully infiltrate a prison’s network.

Microsoft OneNote Used to Sidestep Phishing Detection

By Anthony Berrios

Blog Post #9

Recently a phishing scheme was discovered that abused OneNote, which, for those of you who may not know, is Microsoft’s cloud-based note-taking software. The campaign was able to bypass detection tools and download malware onto victims’ computers. Included in the campaign were the Agent Tesla keylogger and a linked phishing page. The attacks originally started with an email to unsuspecting victims that contained a link to a OneNote document. “The threat was able to update a phishing notebook multiple times a day, experiment with various intrusion methods, and improve the odds to successfully evade email security controls,” said researchers with Cofense in a Tuesday analysis. “Numerous Agent Tesla Keylogger payloads as well as links to different credential phishing websites were included in the campaign.” Once the systems were infected, the keyloggers were able to successfully record the victim’s keystrokes, which can lead to account information being exposed, as well as banking information and computer login info. This is scary because a hacker can easily end someone’s whole life before the victim even knows what is happening. By the time the victim finds out, the cyber criminal would already have all the information needed to use the victim’s accounts without him or her knowing. This topic is significant and relevant because although I personally do not use OneNote, many students across the country do use this software and I could see many students falling victim to an auto verification phishing scheme like this one.

MIT Study Finds That Mobile Voting App Could Pose Cyber Security Issues For Voters

By Anthony Berrios

Blog Post #8


Researchers at the Massachusetts Institute of Technology have made bold claims against tech company Voatz and its newly proposed voting software, which is supposed to be used from the comfort of voters’ smartphones. The MIT researchers said that one of the apps was so insecure that no state should use it for the upcoming 2020 elections. Voatz is a tech startup, and according to the NY Times, it has planned on test benching its new voting app in a small experiment. But the researchers at MIT have said they were able to reverse engineer the app and found that security flaws would allow cyber attackers to view votes being cast and potentially change ballots or block ballots without voters realizing. The Times also added that conducting a reliable audit would be difficult because there would be no paper trail of how the votes were originally cast. I personally like the idea of voting from a mobile device, but the security issues that come along with doing so, no matter how secure the app being used is, are quite scary. Not to mention that the fear of your vote potentially being altered to benefit a candidate you didn’t vote for takes away our right as citizens to elect our own officials. An app would make it more convenient and possibly voter outcome would increase as a result, but why would it matter if there was a larger group at work altering Americans’ votes?

Is Your Doorbell Camera Spying On You?

By Anthony Berrios

Blog Post #7

2/24/20

Do you own one of Amazon’s market-grabbing Ring doorbells? Millions of Americans do, and the devices may be watching much more than just your front porch. There have been many headlines in the news lately about the device, and they’re rather alarming. Let’s start off with the news of four employees being fired over the last four years for watching customers’ video feeds from their Ring Doorbell devices. Security researchers were also able to find that Ring’s app contained hidden code that shared customer data with third-party marketers. Due to this, this past December, hackers were able to hijack the Ring cameras of multiple families, using the devices to watch their camera feeds and, in some cases, to verbally assault them. Another red flag is that Amazon is cooperating with law enforcement agencies to provide footage that could help them in investigations. While this sounds like a good idea, privacy concerns arise from this as well. Amazon simply sends your phone a notification when law enforcement requests your footage. This is concerning because most people simply click on or swipe away notifications to get rid of them quickly without paying attention. At the end of the day, Ring users should do research on how to protect themselves further because unfortunately Amazon doesn’t do enough. And if you currently do not own one and are looking to purchase one, be aware of the potential security risks that are involved.

Instagram Phishing Scam Targets Russian Entrepreneurs

By Anthony Berrios

Blog #6

2/20/20

A new scam was found recently that specifically targeted would-be Russian entrepreneurs by promising to send large amounts of money for an initial investment, in the hope of getting money back to start their business. Around 200,000 people have viewed these messages since the phishing campaign started. The hacker group even went as far as to allegedly craft a fake presidential decree that promises payments to citizens willing to embark on their new business journey. Multiple cyber experts have even gone on to say that the cyber criminals behind this campaign have put a lot of time into making their announcement look as legitimate as possible. In the process of receiving the money from unsuspecting people, the hackers also get access to the users’ card information when they pay online. The scam uses a “registration” process where the user is asked to pay a fee of $5 before being approved, and also to provide more details like their number and payment card information. The hackers were also able to get real messages from actual news releases and television shows, which also helped prove the campaign’s legitimacy.

This story is both sad and mind-boggling at the same time. The fact that hackers are creative enough to go to such great lengths to swindle money from unsuspecting future business owners is unfathomable. If this story interests you at all, feel free to click on the picture link below to find out more information.

Only One Person Has Solved A Canadian Spy Agency’s Escape Room

By Anthony Berrios

Blog #5

2/20/20

Of course, the general public will probably never know who the individual is that was able to solve the Canadian spy agency’s escape room, and according to Escape Manor co-owner Steve Wilson, he’s not at liberty to say. He even disclosed that CBC reached out to this person for an interview and was forced to decline. Well, what is this room, you might ask? The escape room is the result of a partnership with the Communications Security Establishment, which is responsible for stopping foreign cyber attacks on the Canadian government’s computer systems. CSE explains that it has been having trouble finding qualified code breakers to put on its team. They even say that they block close to 1 billion malicious cyber attacks a day. This is all happening without the public knowing, as they said that most Canadians have no clue what CSE even does. Therefore, CSE pitched an idea to Wilson’s team to collaborate on something that could help recruit potential code breakers to build innovative tools that can help decrypt communications. Their goal was to create a realistic yet fictional escape room scenario. There are three rooms in “The Recruit,” the name that they gave the escape room. Although not many make it through, Wilson says that this project has helped the company bond friendships and gel as a single unit. It’s interesting to see companies take on ideas like this, especially in an attempt to recruit potential computer professionals. Sounds like one fun job interview to me.

Iowa Prosecutors Drop Charges Against Men Hired to Test Their Security

By Anthony Berrios

Blog Post #4

2/11/2020

This past September the state of Iowa hired two security experts to test the physical and network security of its judicial system. While looking into the security of the Iowa county courthouse, however, they were arrested and charged with burglary, with bail set at $100,000. Seems like an unexpected turn considering the Iowa state government hired them, right? Well, this past month Iowa announced that it had dropped the charges.

The two men, Gary DeMercurio and Justin Wynn, of Naples, Fla., are both professional penetration testers employed by Coalfire Labs, a security firm based out of Colorado. Iowa had hired Coalfire, and in turn DeMercurio and Wynn, to test the security of its judicial buildings. Under their contract terms, the two were to impersonate staff and contractors, provide false pretenses to gain physical access to facilities, “tailgate” employees into buildings, and access restricted areas of those facilities. The contract said the men could not attempt to subvert alarm systems, force open doors, or access areas that required protective equipment.

All was fine and well until the day the two men decided to test the security of the courthouse, on September 11th. An alarm was set off and the police came. Knowing they were under contract, DeMercurio and Wynn waited for the police to arrive so they could explain the situation to them. After they explained, the deputies were about to let the two men leave until a Dallas County Sheriff by the name of Chad Leonard showed up. Leonard seemed to think that the two men had violated the terms of their contract and hence hauled them off to jail. The charges did in fact end up being dropped because of a massive miscommunication between the county and state officials in Iowa. Iowa’s state government specifically told Coalfire not to alert police about the test. This turned out to be a problem because although the courthouse is a state-run building, it was actually owned by the county, not the state, and the county had no previous knowledge of a third-party security test. Because of this lack of communication on Iowa’s part, the charges were dropped.

This story is important to the security community because it is not uncommon for governments and big companies to hire third-party companies to test their security systems, whether that means physical security or online firewalls. This is a normal practice that both parties agree to and benefit from. This story is a good example, however, of what can happen when not enough people are aware of the security test and the terms in the contract are not explicitly clear.

Potentially Harmful Domain Goes Up For Sale

By Anthony Berrios

Blog Post #3

2/11/2020

An early domain investor by the name of Mike O’Connor got hold of many popular online domains. One of these, Corp.com, is currently up for sale. Unlike many domains, Corp.com contains years of sensitive information including passwords, emails, and other proprietary data belonging to thousands of systems at major companies around the world. Now, at the age of 70, O’Connor is looking to sell this sensitive domain. This could be a potential problem for a couple of reasons.

First off, whoever purchases this domain will have access to a ton of private information and passwords to who knows how many confidential accounts. There is really no way to tell how important these accounts are without being or knowing O’Connor, but one thing is for sure: big companies could, or should, be worried about this sale. O’Connor has already publicly stated that he hopes Microsoft purchases his domain, but obviously there is no way to ensure that this will happen. If criminal groups or foreign countries that are not our allies see this domain up for sale, there is a chance that they could buy it if they believe they could take advantage of the information that they would get access to from this domain.

This is important to PC security because domains are sold every day, but it’s not every day that domains with sensitive information and possible privacy infractions are openly sold to the public. Since this is a breaking story I think it will be interesting to see how the sale of this domain plays out.

Ransomware Attacks: Why It Should Be Illegal to Pay the Ransom

By Anthony Berrios

Blog Post #2

2/6/2020

Article writer Fleming Shi talks about the increase in ransomware attacks and how paying ransom to these hackers only makes the problem much, much worse. Oftentimes there is no way to ensure that the hacker will keep his end of the bargain after a ransom payment is made. This leads to more future payments as the hacker never loses his leverage. Instead of paying, Shi insists that companies and municipalities need to fight back by making ransom payments illegal and instead developing computer professionals into a “digital army” to increase cyber security and avoid future attacks.

Shi then states that ransomware has been around for nearly 20 years but has been growing at a rapid pace. Shi reports that more than 70 state and local governments were hit with ransomware in 2019 alone. The main problem with these ransomware attacks is that hackers don’t discriminate. State governments, local governments, small municipalities, and local boroughs have all been hit. When cities fold and give in to these ransoms, the hackers become more powerful. They use this money to grow and create a bigger network and infrastructure that leads to more hacking in the future. Shi describes the relationship between ransoms and hackers perfectly by stating, “Ransom payments fuel the efforts of the cyber-criminals. Hackers use that money to become more capable, commit more crimes, and expand their operations. This helps feed into the activities of the Dark Web economy.”

Personally, I think that the dark web and hackers for hire, like the ones that use ransomware to hack local governments and cities, are a major issue. This also ties into the dark web economy previously mentioned by Shi, in which the more we give in to this illegal activity, the more money criminals will have access to on the dark web, where it is much harder to prosecute them. Efforts are going to have to be made to at least slow these hackers down, but I’m not sure if making ransom payments illegal will solve this issue. This will only make it more difficult for the government to track hacking activity because now local governments will be more hesitant to cooperate with the federal government if they know that paying the ransom is illegal.

PC Security & News Weekly Blog

Epilepsy Foundation Says Hackers Posted Seizure-Causing GIF’s To Twitter Account

By Anthony Berrios

01/23/2020

The Epilepsy Foundation recently fell victim to a cyber crime on its Twitter page. The account was hacked and used to post seizure-inducing GIFs that flashed quickly strobing lights for its thousands of followers to see. This is far from the first time hackers have targeted Twitter as a means of harming others. This is particularly important for the public to see because this is one of the first times that a Twitter “troll,” as many call them, could have had a serious impact on people’s lives.

According to the foundation, they have not been contacted by anyone who has been affected by the posts, but it is a possibility and the investigation is still ongoing. This story immediately caught my eye because Twitter seems to constantly be in the news lately for cyber security reasons like DDoSing and accounts being hacked. These types of stories are common, but it’s not very often we hear a story regarding Twitter where others have or could have been physically injured due to cyber trolling. As the report says, there are no recorded injuries from the seizure-inducing GIFs, but the fact that whoever did this was able to hack an account and negatively impact its mass following is a scary thought.

The foundation later revealed that the attacks on their page were similar to another attack on a man named Kurt Eichenwald, an author who actually has epilepsy and who received a seizure-inducing message stating “You deserve to have a seizure for your posts,” referring to his criticism of the then candidate and now president Donald Trump back in 2016.

This all circles back to the fact that we now live in a world where technology is so advanced that we as a society need to prepare ourselves for the ever increasing cyber crime rate. Twitter is just the beginning of it all, as illegal activity occurs on all modern social media platforms these days and we need to train our law enforcement how to handle these cyber disputes and to prosecute people accordingly.
