Category Archives: cybersecurity

FBI Internship Information – How to Apply

The FBI has opened the call for applications for the 2016 Honors and Cyber Internship programs. You must apply by November 24. All educational backgrounds will be considered for the internships. To qualify for the Honors or Cyber Internship Programs, candidates must:

  • Be a second-semester freshman or above; candidates cannot have graduated before June 13, 2016;
  • Be available 40 hours per week from June 13, 2016 to August 19, 2016 (10 weeks); and
  • Have a minimum cumulative 3.0 GPA.

How to Complete a Submission:

  • Step 1 – Choose a Talent Network
  • Step 2 – Create an Account
    • Click “Register Here”.
    • Pick a user name and password, and enter an email address.
    • Click “I Agree” and then “Register”.
    • From the Careers page, click “My Profile” to add your preferred method of contact, name, address, and phone number; click “Save”.
  • Step 3 – Submit Resume, Answer Questionnaires, and Complete Your Application
    • After you click “Apply Now”, the “Choose Resume” screen will be displayed.
    • Click “Copy and paste resume text” and “Continue”; from there, paste your resume.
    • Next, click “Continue” and complete the “Pre-Application Questionnaire”.
    • When you are finished, click “Save & Return”.
    • When finished filling out your application, click “Submit”.
    • Click “Yes” on the confirmation message that displays.
    • Review the Terms and Agreements; if you agree, click the “I agree to these terms” checkbox.
    • Once you have submitted your application, return to the Careers page and click the “My Career Tool” link. You will then see your Applications in Progress.

Only candidates in the network by November 24 will be considered for the 2016 program.

FBI Internship Information

The FBI has opened the call for applications for the 2015 Honors and Cyber Internship programs and launched a new application process. All intern candidates must go to www.fbijobs.gov, register and complete a profile, and then select their profile to be added to the Intern Talent Network (ID Number 1023) by November 24.

After selecting the Intern Talent Network, intern candidates must attach their resumes and answer suitability questions. Only those candidates in the network by November 24 will be considered for the 2016 program.

All educational backgrounds will be considered for the internships. To qualify for the Honors or Cyber Internship Programs, candidates must:

  • Be a second-semester freshman or above; candidates cannot have graduated before June 13, 2016;
  • Be available 40 hours per week from June 13, 2016 to August 19, 2016 (10 weeks); and
  • Have a minimum cumulative 3.0 GPA.

Hacking – Breaches and password dumps

Call it what you want – hacking, cracking, a dump, a data breach, whatever.  The fact is that these events are becoming more and more common, and as IT professionals we need to know how to deal with the fallout.  There is a great visualization that illustrates this recent trend on informationisbeautiful.net.

Often, one of the results of these breaches is that the public gets some insight into the security protections a company uses (or the lack thereof). In the case of the recent 000Webhost breach, we discovered that passwords for over 13 million of their customers were stored in plaintext; that is to say, with no protection whatsoever.

Also in recent news, users of the Ashley Madison service had a large amount of their information disclosed, including account details and password hashes. The primary protection mechanism for password storage in use there was bcrypt (a very strong password protection mechanism; you can find more details here and here). However, due to a legacy function with numerous flaws (for all of the details, check out this blog post), some user passwords were also simplified and stored as MD5. Because MD5 is a fast general-purpose hash, hardware like GPUs and ASICs can be used to crack those passwords quickly and efficiently, and in this case the attackers were then able to use information gathered from cracking the MD5 hashes to significantly speed up their attacks on the bcrypt-stored passwords.

Dumped password hashes are especially damaging because password reuse is widespread, and without a password safe (like LastPass, KeePass, 1Password, or enterprise products such as CyberArk or ERPM) it isn’t realistic to expect end users to fix this on their own.

There are numerous websites and password managers that let you check whether your password has been part of a breach; the companies behind them seek out and collect password dumps and run password cracking against them. Simulating the attacks that malicious individuals use allows them to provide a security monitoring and alerting service to their customers. Many companies with a significant web presence, including Facebook, Twitter, and LinkedIn, also scour the Internet for dumps, attempt to crack the passwords, and then compare the cracked passwords to the information they have stored for your account. If they get a match, they can take steps to protect your account, such as expiring your sessions or forcing a password reset.
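The two points above, fast unsalted MD5 versus a slow salted scheme, and a site checking its own users against passwords cracked from someone else’s dump, in one added example (not code from this post or from the lab it links to). PBKDF2 from the standard library stands in for bcrypt, the record layout and the cracked-password list are constructed for illustration, and the function names are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed sample: plaintext passwords recovered by cracking a third-party
# dump (the data a site collects in order to protect its own users).
CRACKED_FROM_DUMP = ["password1", "letmein", "Summer2015!"]


@dataclass
class StoredCredential:
    """A salted, slow-hashed password record (hypothetical record layout)."""
    username: str
    salt: bytes
    digest: bytes
    iterations: int


def unsalted_md5(password: str) -> str:
    """The legacy scheme: fast and unsalted, so every user with the same
    password shares a digest and one crack covers all of them."""
    return hashlib.md5(password.encode()).hexdigest()


def store_password(username: str, password: str, iterations: int = 200_000) -> StoredCredential:
    """Per-user random salt plus a deliberately slow KDF (PBKDF2 stands in for bcrypt)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return StoredCredential(username, salt, digest, iterations)


def matches(stored: StoredCredential, candidate: str) -> bool:
    """Re-derive the candidate with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), stored.salt, stored.iterations)
    return hmac.compare_digest(digest, stored.digest)


def accounts_to_reset(credentials: list[StoredCredential], cracked: list[str]) -> list[str]:
    """Usernames whose current password appears in a cracked dump; these get a forced reset."""
    return [c.username for c in credentials if any(matches(c, pw) for pw in cracked)]


if __name__ == "__main__":
    users = [store_password("alice", "letmein"), store_password("bob", "correct horse battery staple")]
    print("force reset for:", accounts_to_reset(users, CRACKED_FROM_DUMP))
```

The cost is deliberate: the same slow KDF that frustrates offline cracking makes a sweep over a whole user table scale as users times candidate passwords, so this comparison is far cheaper to run at login or password-change time, when the plaintext is briefly in hand.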

I recently developed a lab focused on how to perform these password cracking attacks for a local security group called Steel City InfoSec. The lab is available here on my GitHub, and if you aren’t familiar with password cracking, I suggest trying out the Beginner lab. That difficulty level includes additional details about how to complete the lab, including a hints area that contains explanations and commands to run for each of the steps of password cracking. There is also a recording of my presentation and my slides available (along with additional information on the Steel City InfoSec message boards) if you are interested in a bit more background.

If you’ve done this sort of thing before and want to experiment with different tools or just download a bunch of word lists, feel free to try out the Intermediate lab.  Specifically, take a look at the downloads readme file to get a clean listing of everything that I’ve provided as a part of the lab.

If you have a GPU cracking rig or a cluster of machines at your disposal, and you’ve done this sort of thing a few times in the past, take a crack at the competition. It’s important to note that with the competition you will need to be a bit more creative about how you create a word list than just using the dumps that I’ve provided, and GPUs/ASICs will not help you as much as if you were cracking something stored with MD5 or even SHA-256. Also, please note that the competition prizes were for the Steel City InfoSec event and are no longer available.

While working on the lab, if you find anything that isn’t clear or may be incorrect, please feel free to reach out to me directly (via a GitHub issue or pull request) and I can either lend a hand or fix any bugs as appropriate. In addition, I will be available on the RMU campus on November 10th in the evening in Hale 304, presenting this material to Dr. Paullet’s class.

Jon Zeolla

Senate Passes Cybersecurity Bill

The Senate passed a bill Tuesday aimed at improving cybersecurity by encouraging companies and the government to share information about threats. It took roughly six years to win approval for such a program.

The Cybersecurity Information Sharing Act passed by a 74-21 vote. It overcame concerns about privacy and transparency from some senators and technology companies, such as Apple and Yelp.

The bill’s co-sponsors, Sens. Dianne Feinstein, D-Calif., and Richard Burr, R-N.C., said the measure was needed to limit high-profile cyberattacks, such as the one on Sony Pictures last year.

Companies would receive legal protections from antitrust and consumer privacy liabilities for participating in the voluntary program.

Despite the lengthy road to pass the Senate bill, it’s unclear whether it would improve Internet security. Participation is voluntary and companies have long been reluctant to tell the U.S. government about their security failures.

“Passing the bill will have no effect on improving cybersecurity,” said Alan Paller, director of research for the SANS Institute. “That’s been demonstrated each time sharing legislation has been passed. The cost to companies of disclosing their failings is so great that they avoid it even if there is a major benefit to them of learning about other peoples’ failings.”

Cyberattacks have affected an increasing number of Americans who shop at Target, use Anthem medical insurance or saw doctors at medical centers at the University of California, Los Angeles.

More than 21 million Americans recently had their personal information stolen when the Office of Personnel Management was hacked in what the U.S. believes was a Chinese espionage operation.

Sen. John McCain, R-Az., chairman of the Senate Committee on Armed Services, called the bill’s passage an important first step. He noted that in the past year the United States has been attacked in cyberspace by Iran, North Korea, China and Russia and that there had been attacks against the Joint Chiefs of Staff, the Pentagon, OPM and an email hacking of the director of the Central Intelligence Agency.

The U.S. and the technology industry already operate groups intended to improve sharing of information among the government and businesses, including the Homeland Security Department’s U.S. Computer Emergency Readiness Team.

Reference: Associated Press. (October 28, 2015). Retrieved from http://www.foxnews.com/politics/2015/10/28/senate-passes-cybersecurity-bill-pushing-sharing-info-on-hacker-threats/