The Growth of Cybercrime

The news these days is often filled with reports of cybercrime. Data breaches seem to occur every week, as major corporations constantly report hackers stealing customer data. Most recently, Home Depot came under siege when it was reported that the debit and credit card information of an estimated 56 million customers had been compromised by POS malware.

With major corporations having access to advanced technology, how do crimes like this manage to escape advanced security software systems? Many times, it’s human error: phishing, social engineering and software flaws that have gone overlooked have all been blamed for data breaches. And human error, along with other forms of malware, is costly—U.S. officials have confirmed that over $445 billion was lost in 2014 as a result of data breaches, and there is no sign that the frequency or probability of this crime will lessen. The focus now, then, is on retaining talent that can help solve the issues surrounding this subset of criminal activity. But are those sorts of individuals easy to come by?

Identified formally as Computer Hacking Forensic Investigators, these individuals study the ins and outs of computer forensics, a branch of forensics in which digital evidence is used to solve crimes committed using computers. The process includes identifying potential illegal activity and then providing the applicable legal evidence that a crime has been committed. These specialized criminal investigators are not widely prevalent in the job market—but it’s that fact that makes them extremely desirable to employers.

Becoming a computer hacking forensic investigator doesn’t take years and years of secondary schooling—a single week of intense, boot-camp-style training is sufficient for an aspiring cyber-sleuth. CHFI training educates students on how to create sterile examination media, how to legally gain access to classified data, and how to recover “deleted” data for use as evidence.

If today’s prevalent news topics on cybercrime are any indication of what’s to come in the future, computer hacking forensic investigators will be in demand for a long time to come.


Hunting Cyber Threats with Data – A Free Webinar

Check out the upcoming free webinar in late February on hunting cyber threats with big data. The use of data for cyber security is quickly emerging, and cyber professionals need a baseline knowledge of these emerging skills and of how to apply them to their own environment.

The webinar will be held on 2/26 from 1-2pm. You can register for free here: Hunting Cyber Threats with Data


All About Process Injection

If you’ve ever been the victim of a malware infection, chances are that you and your devices were duped by process injection. One of the most popular techniques used by hackers, process injection conceals malicious code to bypass firewalls and process-specific security mechanisms and launch damaging malware onto your devices. The bad guys inject code into another running process, and that process executes the hidden malicious code. Process injection is particularly dangerous because, unlike other malware infections, victims have little chance of identifying the threat—there is no suspicious clickable banner or pop-up, just concealed code. Because this technique is so prevalent in the hacker community, experts have uploaded demo videos on process injection so that people can understand the intricate methodology behind it.

Process injection can take a variety of forms. DLL injection and direct injection are two types of process injection that use different techniques to load malicious code into a process. DLL injection, or dynamic-link library injection, occurs when a malware author injects code into a remote process that causes a DLL to be loaded. The DLL, which contains the malicious code, then infects the system and grants the author access to it. Similar to DLL injection, direct injection involves allocating and inserting code into a remote process’s memory space to deliver the malicious code. However, direct injection writes the malicious code directly into the remote process rather than requiring the remote process to load it. Direct injection, while more flexible than DLL injection, requires a significant amount of customized code in order to run without affecting the host process negatively.

Though process injection has been around for decades, it remains one of the top techniques employed by those in the hacker community.
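As an added example (not code from the original post), a small Python hunt over constructed endpoint events that flags the two forms described above: DLL injection (a remote thread starting at LoadLibrary, followed by a module load from an untrusted path) and direct injection (a remote thread whose start address belongs to no loaded module). The event shape is an assumption modelled loosely on Sysmon fields, and the allow-listed directories are constructed for the example.

```python
"""Flag process-injection indicators in constructed endpoint telemetry.
Added example, not from the original post. Records are constructed and
loosely modelled on Sysmon CreateRemoteThread (ID 8) / ImageLoaded (ID 7)
fields; the field names here are an assumption, not a product schema.
"""
from typing import Dict, List

# Directories a legitimately installed DLL is normally loaded from
# (constructed allow-list; a real baseline comes from your own estate).
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                    "c:\\program files\\")

# Constructed sample events: a benign thread, a DLL-injection pattern and
# a direct-injection pattern, matching the two forms described above.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "thread", "source": "C:\\Windows\\explorer.exe",
     "target": "C:\\Windows\\explorer.exe",
     "start_module": "C:\\Windows\\System32\\ntdll.dll"},
    # DLL injection: foreign process starts a thread in notepad at LoadLibrary
    {"type": "thread", "source": "C:\\Users\\bob\\AppData\\Local\\Temp\\updater.exe",
     "target": "C:\\Windows\\System32\\notepad.exe",
     "start_module": "C:\\Windows\\System32\\kernel32.dll",
     "start_function": "LoadLibraryA"},
    {"type": "image", "process": "C:\\Windows\\System32\\notepad.exe",
     "image": "C:\\Users\\bob\\AppData\\Local\\Temp\\payload.dll"},
    # Direct injection: remote thread whose start address maps to no module
    {"type": "thread", "source": "C:\\Users\\bob\\AppData\\Local\\Temp\\updater.exe",
     "target": "C:\\Windows\\System32\\svchost.exe", "start_module": ""},
]

def classify(event: Dict[str, str]) -> str:
    """Return a finding label for one event, or '' if nothing stands out."""
    if event["type"] == "thread":
        if event["source"].lower() == event["target"].lower():
            return ""  # thread created inside its own process: normal
        if not event.get("start_module"):
            return "direct-injection: remote thread starts outside any loaded module"
        if event.get("start_function", "").startswith("LoadLibrary"):
            return "dll-injection: remote thread starts at LoadLibrary"
        return "remote-thread: cross-process thread creation"
    if event["type"] == "image":
        if not event["image"].lower().startswith(TRUSTED_DLL_DIRS):
            return "dll-load: module loaded from an untrusted directory"
    return ""

def hunt(events: List[Dict[str, str]]) -> List[str]:
    """Run classify() over all events and return the non-empty findings."""
    return [f"{classify(e)} ({e.get('target') or e.get('process')})"
            for e in events if classify(e)]
```

On its own a cross-process thread is common (debuggers, accessibility tools), so the value lies in correlating the remote thread with the module load that follows it in the same target process.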


Secure Coding for Maximum Trust

Secure coding is the aspect of application development dedicated to hardening the application (as opposed to the network, operating system or database) against malicious penetration. Unfortunately, secure coding is rarely taught in college or professional classes as an integral part of the development process. A Gartner analysis concluded that 90% of all vulnerabilities are now in the application layer. Secure coding standards and practices are more important than ever, as shown by the US Department of Homeland Security’s efforts to sponsor secure development.

Knowledge is Power

First, programmers must learn the vulnerabilities of their programming language and the techniques to avoid them. For example, a program written in a language susceptible to buffer overflows should always perform server-side bounds checking on input values, so that attackers cannot compromise the system with malformed input. CERT, the computer security program of Carnegie Mellon’s Software Engineering Institute, keeps a public database of such vulnerabilities. The Department of Homeland Security developed a program devoted to avoiding the 25 most commonly exploited weaknesses. MITRE’s Common Weakness Enumeration (CWE) list is exhaustive. Programmers must use these resources to understand their language’s weaknesses and how to compensate with good coding.

Several organizations devoted to IT security have developed security-focused training classes for developers. Companies like SANS and TrainACE offer hands-on secure coding courses that are not tied to any specific language but cover overall best practices. CERT has a secure coding course for C and C++ developers. (ISC)2 grants the CSSLP (Certified Secure Software Lifecycle Professional) certification and lays out a road map of the knowledge and experience required to qualify. Programmers lacking time or money for classes have a variety of online resources available to them, from the CERT vulnerability database and security wiki to a variety of how-to white papers in the SANS Institute InfoSec Reading Room.

Trust but Verify

Second, organizations must check code for common vulnerabilities before releasing it into production. Vulnerabilities are not easily picked out by the untrained eye, so it is important for organizations to dedicate resources to this part of the process, whether in training, in tools or, preferably, both.
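One concrete form of such a pre-release check, as an added example not taken from the article: a small Python scanner that flags calls to a few well-known unbounded C string functions and scanf-family %s conversions with no field width, the class of input-handling defect that the bounds-checking advice under "Knowledge is Power" targets. The call list is an illustrative subset and the sample C source is constructed for the example.

```python
"""Pre-release check for well-known unbounded C calls in source text.
Added example, not from the original article; the call list is a small
illustrative subset and the sample source below is constructed.
"""
import re
from typing import List, Tuple

# Writers that take no bound on the destination buffer (illustrative subset).
UNBOUNDED_CALLS = {
    "gets": "use fgets with the buffer size",
    "strcpy": "use strncpy/strlcpy or check the source length first",
    "strcat": "use strncat/strlcat with the remaining space",
    "sprintf": "use snprintf with the buffer size",
}
CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")
# scanf/fscanf/sscanf whose format string (optionally after a first argument)
# contains a %s conversion with no field width
SCANF_RE = re.compile(r'\b[fs]?scanf\s*\((?:[^"]*,)?\s*"[^"]*%s')

def scan_source(src: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, call, advice) for each unbounded call found.
    Only '//' comments are stripped; code inside /* */ blocks is still
    scanned, so commented-out calls surface as findings to review.
    """
    findings = []
    for lineno, line in enumerate(src.splitlines(), start=1):
        code = line.split("//", 1)[0]
        for name in CALL_RE.findall(code):
            if name in UNBOUNDED_CALLS:
                findings.append((lineno, name, UNBOUNDED_CALLS[name]))
        if SCANF_RE.search(code):
            findings.append((lineno, "scanf %s",
                             "give %s a field width, e.g. %63s for char[64]"))
    return findings

# Constructed sample: a handler that copies input without bounds checks.
SAMPLE_C = """\
#include <stdio.h>
#include <string.h>
int handle(const char *in) {
    char buf[64];
    strcpy(buf, in);                       // no bounds check on input
    snprintf(buf, sizeof buf, "%s", in);   // bounded: not flagged
    scanf("%s", buf);                      // unbounded read
    return strlen(buf);                    // reader, not a writer: not flagged
}
"""
def report(src: str) -> List[str]:
    """Human-readable findings, one line per unbounded call."""
    return [f"line {n}: {call}: {advice}" for n, call, advice in scan_source(src)]
```

A check like this belongs in the build pipeline as a gate rather than as an occasional manual pass; a real compiler warning set or static analyser covers far more, but the principle of failing the build on known-unsafe calls is the same.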

Process Matters

Third, implement good SDLC practices. Too often, fixes are made in test and never promoted into production, or made in production and then overwritten by back-level code that does not contain the patch. The SDLC process was specifically created to prevent careless and amateurish mistakes of this kind, and it is important for system security and reliability that processes be followed, preferably using enabling tools instead of relying on tedious manual effort.

Test to Destruction

Finally, critical applications should periodically be audited and tested by a third party. Penetration testers are professionals experienced at breaking into systems to discover vulnerabilities rather than for malicious purposes. Hire penetration testers only after application development is complete and all in-house security reviews, audits, and tests are finished, so that the testers see the product just as a malicious hacker would.

Ignoring application security is a recipe for disaster. Fortunately, secure coding is growing as a practice and discipline, as is awareness of its importance. Organizations that recognize this and act on it will benefit in the long run with increased client trust and reduced liability.


Startling Government Phone Alerts: Too Invasive or A Necessary Precaution?

For some cell phone users, the first time that they found out about the government’s new alert system was when James Lee DiMaggio kidnapped 16-year-old Hannah Anderson. The alert system startled many California residents.

About the Wireless Emergency Alert System

The Wireless Emergency Alert, or WEA, system is a division of the government’s public safety network. It was launched in April of 2012, and since its introduction, carriers have been rolling the program out to different phones and regions throughout the country. When an emergency occurs, the system automatically alerts the owners of certain wireless phones. The system also notifies people who have other types of mobile devices, such as tablets.

How Does the Government Alert System Work?

Once state or local governments are preauthorized, they can deliver emergency alerts to people in their area. For instance, local officials can send out orders to evacuate a location. They can also notify residents about a terrorist threat. Officials contact the Federal Emergency Management Agency, or FEMA, to issue the alert through the Integrated Public Alert and Warning System, which has connections to participating wireless carriers. Wireless providers then send the alerts through cell towers to mobile devices in the region. When wireless device users see the message, it displays like a text message. The notifications are different from the Short Message Service, or SMS, in that they are not delayed by network traffic. However, the SMS system is less intrusive.

Alert Types

The government is using the WEA system to notify citizens of disasters like floods, toxic spills or fires. In addition, officials use the network to send out Amber Alerts, but only for the most serious child abduction incidents. According to the director of the National Center for Missing and Exploited Children, Amber Alerts have assisted in the safe return of 656 abducted children throughout the country. However, for the alerts to be effective, people must see or hear them.

What is the Public’s Opinion of the Alert System?

After California sent out the alert for Hannah Anderson, many people were annoyed. They reported that the messaging system was noisy and intrusive. They also claimed that the text left their messaging screen too quickly for them to assess the situation and that the alert repeated the message too many times. Some people are threatening to remove their phone from the alert, but California officials are asking them not to, because the rescue of the 16-year-old proves the program’s success.

This fall, California’s local government will be assessing the alert system to confirm that it is working properly. In addition, they may make a few minor changes to address consumer complaints. They also intend to create a support campaign for the program to highlight its benefits.

Improving the System

The government could make the program better by emitting different tones for different kinds of alerts. Furthermore, most people would appreciate an update on an emergency situation. The system could be more precise and narrow the messages down to neighborhoods or even a building. In addition, a referral website with detailed information would be helpful. It will be unfortunate if people choose to opt out of the alerts, because when more eyes search for kidnapping victims, rescues are more likely to happen.


Upcoming Cyber Education Symposium in the Washington DC Area

Cyber security has no doubt made strides over the last few years. Many of our readers are international. Our stats show that more readers of this website come from Europe and Asia than they do from the USA. In our travels and consulting experiences around the globe we have found that many countries in Europe and Asia seem to take cyber security a bit more seriously than the USA.

Recently, the U.S. government and DoD have been hindered by the sequestration. This sequestration has put a hold on the training budgets of many professionals in the space. What’s ironic about this timing is that cyber security is moving more and more into the spotlight, and the United States’ cyber workforce on both the public and private sector side is falling behind the cyber workforce of many other countries because of this slow period.

Fortunately, coming to the Washington DC area in November is a cyber education awareness conference called the Cyber Education Symposium. This conference will feature speakers, presentations and discussion sessions on important factors that organizations and government agencies have to face when it comes to cyber security education.

CyberEd Symposium

Those of you out there in the Washington DC area who read this blog should definitely check out the symposium. Information on the event can be found here: Cyber Education Symposium.


Ethical Hacking Training Leads to a Wide Variety of Advanced Cyber Security Skill Sets

Have you received your Certified Ethical Hacker (CEH) certification or are you in the process of training to do so? After completion of baseline ethical hacking training, penetration testers have a number of choices for further security education and training to develop a variety of cyber security skills. Let’s take a look at some of these options:

Exploit Development

The development of exploits is a technique used to explore software vulnerabilities. Exploits themselves take advantage of flaws within a program that can cause unintended behavior in the software, hardware or electronics involved. By learning about the vulnerabilities of different types of software, penetration testers can learn how to take advantage of them to better understand the workings of the software and ultimately better protect the target of the exploits. Exploits are categorized by how they target software, remotely or locally, as well as by the types of vulnerabilities they exploit. As there is a wide variety of computer software available, exploits vary by software type as well. Exploit development classes cover a variety of topics, from stack overflows and shellcoding tricks to PDF and ROP exploits.

Malware Analysis

Malware analysis, sometimes referred to as “reverse engineering” of malware programs, examines how malware works in order to protect computers from malware attacks. As with so many ethical hacking activities, penetration testers learn how an attack is built and executed so that they know how to defend networks from such attacks in the future. Malware analysis explores different types of malicious software, including viruses, worms, Trojans, spyware, adware, and rootkits. Ultimately the goal is to learn the versatility of the software and how to combat attacks through similarly versatile and efficient methods. Malware analysis courses may cover the fundamentals of PE headers and DLL interactions, identification of malware characteristics, assessment of a sample’s level of malicious capability, and even browser script analysis.

Mobile App Hacking

Mobile hacking and mobile application hacking explore how cell phones are vulnerable to break-ins and teach penetration testers how to secure mobile devices. With smartphone usage becoming commonplace and increasing numbers of communication and financial services becoming available through mobile versions of websites or mobile apps, it is important to learn how to hack into mobile devices and then how to secure them. Ethical hackers can take what they’ve learned about computers and expand their knowledge to entirely new platforms, from popular Android and Apple smartphones to tablets and iPods. Mobile hacking courses cover topics such as Android and Apple device forensics, exploitation of mobile apps, jailbreaking, attacking web services through mobile apps, and penetration testing of mobile operating systems.

Wireless Security

Wireless security training gives ethical hackers the opportunity to gain a skill set that is valuable because today’s technology industry relies on wireless connections for its networks. Wireless fidelity, or Wi-Fi, allows electronic devices to exchange data and connect via a wireless local area network (WLAN). Most modern Wi-Fi connections abide by the IEEE 802.11ac standard, so penetration testers first learn the basics of 802.11 wireless networking. The introductory topics are followed by an exploration of wireless network encryption, of which there are two main types: Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA). Wireless security training includes topics like encryption cracking, encryption defense and circumvention of attacks, and the differences in wireless security for more protected networks, such as those found in government.
