Category Archives: student editorial

Tips to Get Through Finals Week

As we get through the last day of classes, there are only two things on our minds: finals and summer. Before we can think of summer, though, there are finals to tackle. Finals cause major stress and can overwhelm us, so here are some tips to follow as we enter this week:

  1. Study, study, study!
  2. Create a study schedule.
  3. Prioritize your study time.
  4. Color code your notes.
  5. Take study breaks: go for a walk, play volleyball, etc.
  6. Make sure you get plenty of water and food in your body.
  7. Get plenty of sleep; lack of sleep can cause you to not do well.
  8. RELAX!

Remember that no one is perfect, but if you truly give it all you’ve got, study hard, and follow these tips, finals week will seem a little less stressful. Good luck everyone and have a great summer! Congratulations to all the seniors who are graduating this year!

Cats Being Used in the IT Field

This year’s Def Con convention showcased a different twist on IT work: one that merged animals and IT. It sounds like a crazy and highly unlikely combination, but it worked. Gene Bransfield borrowed his friend’s cat and put on the cat’s collar a kit built around a Spark Core Wi-Fi development board, which gave the kit Internet connectivity wherever the cat ended up going.

Now this may sound stupid, because cats are going to wander around and do whatever they want to do. But the purpose of the experiment was to see how many people had unsecured or weakly secured Wi-Fi in their homes; in simple terms, whose Internet could be accessed easily just from being on their street.

When the cat was sent out, 23 Wi-Fi hotspots were found, and what they found was even more interesting. Four of the networks were completely open with no security whatsoever, and four were using WEP rather than the WPA2 standard. The purpose of this was to show that people need to be more aware that when it comes to the Internet, you have to have the right safety and protective measures in place. You never know when a cat or dog with a pack on its back will be lurking around to see if your Internet is secure.

Don’t fall for this ‘highly effective’ Gmail scam

For several months, a phishing scam has been tricking Gmail users into sharing their passwords. Recently, the security company WordFence released an alert about this scam.

The attack starts when the attacker sends an email to the victim’s Gmail account. The email address of the “sender” usually belongs to someone that the victim knows; however, the sender’s account has already been compromised by the attacker. The email contains what appears to be an image for the victim to click on.

When the victim clicks on the “image”, they are taken to a new tab which prompts for their Gmail account information. Once the victim signs in on this page, their account is compromised. The attacker then has access to the victim’s emails and personal documents. Once the attacker has access to the victim’s account, they will use this account to send the scam to more victims.

What makes this scam “highly effective” is that it uses email addresses of people that the victim knows. Also, the fake Gmail sign-in page appears to be legitimate, containing the Google logo and normal entry fields for username and password.

In order to prevent yourself from becoming a victim of this scam, it is important to note the following:

  • Although the false attachment contains “accounts.google.com” in its URL, it also has “data:text/htm” at the beginning, which is not found on a normal Gmail URL.
  • When signing into any service, you should check the browser bar to verify the protocol and hostname. The URL should begin with “https:” and there should be a green lock icon next to the URL.
  • Gmail users can also enable two-factor authentication or “2-step verification” to make their account more secure.
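The two address-bar checks above (scheme and hostname) can be written down as a small function. The following is an added example, not code from the original post or from WordFence; the trusted hostname set contains only accounts.google.com, which the post itself names, and the sample URLs are constructed for illustration. It treats a `data:` URL as unsafe regardless of what text appears inside it, because such a URL has no host at all: the address bar is carrying the page content, not a location served by Google.

```python
from urllib.parse import urlparse

# Hostnames we expect in the address bar when signing in to Gmail.
# Constructed for this example from the post's mention of accounts.google.com.
TRUSTED_LOGIN_HOSTS = {"accounts.google.com"}


def check_login_url(url: str, trusted_hosts=TRUSTED_LOGIN_HOSTS):
    """Return (is_safe, reason) for the URL shown while a sign-in page is open.

    Mirrors the manual checks in the post: the scheme must be https and the
    hostname must be the real sign-in host, not merely text that looks like it.
    """
    parsed = urlparse(url.strip())
    scheme = parsed.scheme.lower()

    # A data: URL embeds the page itself in the address bar. Any
    # "accounts.google.com" inside it is just part of the embedded content.
    if scheme == "data":
        return False, "data: URL - page content is embedded in the address bar, not served by Google"
    if scheme != "https":
        return False, f"scheme is {scheme or 'missing'}, expected https"

    # urlparse separates user-info (text before '@') from the real host, so
    # 'https://accounts.google.com@evil.example/' yields hostname evil.example.
    host = (parsed.hostname or "").lower().rstrip(".")
    if host not in trusted_hosts:
        return False, f"hostname {host!r} is not a trusted sign-in host"
    return True, f"https connection to {host}"


# Constructed sample address-bar values, legitimate first, then three
# shapes of lookalike: data: URL, plain http, and a trusted name used as
# a subdomain or as user-info of an unrelated host.
SAMPLE_URLS = [
    "https://accounts.google.com/ServiceLogin?service=mail",
    "data:text/html,https://accounts.google.com/ServiceLogin?service=mail",
    "http://accounts.google.com/ServiceLogin?service=mail",
    "https://accounts.google.com.evil.example/ServiceLogin",
    "https://accounts.google.com@evil.example/ServiceLogin",
]


def classify_samples(urls=SAMPLE_URLS) -> dict:
    """Map each sample URL to its (is_safe, reason) verdict."""
    return {u: check_login_url(u) for u in urls}


if __name__ == "__main__":
    for url, (ok, reason) in classify_samples().items():
        print(("SAFE   " if ok else "UNSAFE ") + url + "  -> " + reason)
```

Only the first sample passes. The function cannot replace the browser's own certificate validation (the lock icon), but it does catch the specific trick the post describes: a legitimate-looking hostname that is not actually the host the browser connected to.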

For more information: Don’t fall for this ‘highly effective’ Gmail scam and WordFence Article

Beware, iPhone Users: Fake Retail Apps Are Surging Before Holidays

In the past few weeks, there have been hundreds of fake retail and product applications in Apple’s App Store. The fake apps have pretended to be companies such as Dollar Tree, Foot Locker, Nordstrom, and Dillard’s. A company that tracks new shopping apps, Branding Brand, reported a large increase in these fake applications in the past few weeks.

The apps are being created to trick Black Friday shoppers into clicking them. Some apps seem to be harmless, just displaying pop-up ads whenever users click on them. Others, however, are dangerous because users can have their credit card information stolen if the app asks them to input it. Also, some of the apps can contain malware that can steal personal information and even lock the victim’s phone.

The fake apps came from developers in China; they were somehow able to get past Apple’s review process for new apps. Apple’s app screening process is less strict than Android’s; Apple focuses more on blocking malicious software and does not routinely examine the thousands of new apps that are sent to it every day. It is important for brands and companies themselves to search for and report these fake apps, similar to how they search for and report fake websites. Last week, however, Apple did remove hundreds of fake apps after an article was published about them. A spokesperson for Apple claims that the company has set up ways for customers to report fake apps. In September, Apple started to look through its two million apps to remove fake and unnecessary ones. Despite this, new fake apps continue to appear.

A recent example of a fake app was one called Overstock Inc. – apparently named to let customers believe that it was the real company app for Overstock.com. The developer of the app is the Chinese company Cloaker Apps. The CEO of Cloaker, Jack Lin, claims that the company only provides the back-end technology for the apps; they do not investigate their clients. However, not even Cloaker is what it seems; the company’s website states that its headquarters is in the middle of Facebook’s campus in Menlo Park, California. When Jack Lin was first interviewed, he claimed that the company only had offices in China and Japan. When asked about the office in California, he claimed to have “tens of employees” there.

China is, by far, the biggest source of fake applications. Many of the fake apps have red flags to show that they are not real, including: nonsensical menus in broken English, no reviews, and no history of previous versions of the app. So far, thousands of individuals have apparently fallen prey to the newest fake apps. However, in most cases, no serious problems have occurred. The fake apps usually target companies either with no apps or multiple apps. Some have even used Apple’s paid search ads to put their fake apps at the top of the search results.

Fake apps on Apple are a new problem, occurring more commonly in the past few months. However, with Black Friday soon approaching, it is important to remember to check the applications that you are planning to download. Also, if possible, try to use alternative methods to applications that ask for banking or personal information. For example, try to use the company’s website on your laptop or computer; also, remember to check the security on the website itself. Criminals are obviously going to take advantage of whatever situation becomes available to them. Therefore, you should always be careful of what you click or download on your phone or computer.

Article Link: Beware, iPhone Users

Top 5 Skills Employers Look For

If you are anything like me, the job hunt following graduation is one of the top stressors currently on your mind. Finding a position that pays well and is what you truly love to do takes a backseat to just getting your foot in somewhere. I often worry that I do not possess the technical knowledge to land even an entry-level position. According to Zachary Scott, NRI Secure Technologies’ VP of business security, “soft skills” are oftentimes just as important to employers as “hard skills.” The following are the top 5 skills that companies look for in entry-level computer security employees:

1. Troubleshooting
Troubleshooting skills are vital in all potential candidates. Any detected problem or anomaly can be viewed as something that troubleshooting skills can be applied to. Security pros with exceptional troubleshooting skills can figure out where things are broken, what’s still working, and how to fix the problem. This is vital in the field.

2. Innate Curiosity
Innate curiosity refers to a person’s willingness to dive deeper into a subject. Companies look for potential candidates who want to get deep into an issue and discover not just how to fix it, but what is causing it, and to learn the best method to deal with said issue. “This is a trait that cannot be learned, but is a monster that needs constantly fed.”

3. Knowledge of the Latest Attack Trends
Computer security is constantly changing and evolving. It is important that candidates have a rudimentary knowledge of how attacks are being perpetrated and who/what the common targets are.

4. Knowledge of the Latest Vulnerabilities
Knowledge of modern vulnerabilities helps employees determine the path that was taken by the hacker pre-breach, and where in the system hackers could be heading. In short, it increases awareness and helps to get a foot up on hackers to help prepare the system against them.

5. Data Analysis and Visualization Creation
In short, this means candidates who are able to create and implement systems that monitor and parse the vast arrays of data that enter a system. This is part development and part visionary, in the sense that it helps to be able to plan the system as well as knowing how to build it.

I can’t stress enough that this is not a be-all/end-all definitive list, but these are areas that graduates and really anyone in the hunt for a job in the IT security field should look into and become familiar with. As I mentioned earlier, as a soon-to-be graduate still looking for a job in the field, tips like these are always helpful. Hopefully they will be of aid to you!

Best of luck!

Spotify Services Hit by Malicious Advertisements

Over the past few weeks, users have been reporting that advertisements built into the free version of Spotify have been leading to malware links and even automated malware downloads on a handful of users’ devices. For those who are unaware, Spotify provides its free music streaming service by interrupting streams between songs with commercials and clickable links. The ad revenue generated by this practice makes up for the money lost in allowing the option of free usage of the service.

This practice, known as “malvertising”, has hit numerous companies since “free” subscription options became popular a few years ago. Yahoo, the New York Times, and the BBC are three major entities that have been hit by malware-infected advertisements. The problem is relatively common because ad space is typically sold via third-party auctioneers to the highest bidder. If malicious code makes its way through the auctioning process, it can potentially bypass the screening of the site on which it will be displayed.

Spotify claims that it has looked into the situation and has removed the malicious advertisements but the safest bet for users is to fork over the cash to unlock the premium service.

Ransomware Dundee: A Report on Cyber Crime Down Under

Taking advice from the internet and using it in real-life situations is not usually a lifehack that I would advise; that being said, I am here to offer a bit of advice. If you ever open your mailbox and find a USB flash drive, please do not insert said drive into your computer unless you know who put it there and why they didn’t just deliver it to you directly. This may seem like common sense to most people, but residents of a Melbourne, Australia suburb did not seem to possess this rudimentary level of technological knowledge.

Police in Pakenham, Australia, are currently investigating reports from numerous residents that mysterious USB drives have been appearing in mailboxes throughout the community. When inserted into a computer, the flash drive runs a program offering a free Netflix subscription. Once the user initiates the process of signing up for the service, ransomware installs itself onto the machine. For those unfamiliar with the technology, ransomware has become a relatively common method of predatory cyber activity. Ransomware works by encrypting files stored on the user’s computer, then charging the user a fee to unlock their personal files. The ransomware forces the user to pay the fee in Bitcoin so there is no trace of where the funds are going or who is receiving them.

So far, only three residents have stepped forward and admitted to being duped into installing the application, though police believe that others have been impacted and are too embarrassed to step forward. Over the past few years, large-scale organizations have been impacted by ransomware and have paid extreme amounts of money to unlock their files. One of the more popular targets of ransomware purveyors is healthcare organizations. One prominent example of this is an attack earlier this year on the Kansas Heart Hospital. Ransomware forced the hospital to pay over $17,000 (minuscule compared to the original request of $3.4 million) to unlock patient and personnel files, and the attackers then demanded a second payment to unlock the rest of the files that were still being held captive. Experts claim that the ransomware problem will “get worse before it gets better.”

As students, and as humans in general, we love free stuff. Next time you come across a free flash drive in your mailbox, take a second to think of the potential costs that this “free” piece of technology may bring on you. Personally, I’d much rather pay the $10 for a new flash drive than run the risk of obliterating my computer’s integrity for free.

Cybersecurity in the Automotive Industry

Over the past decade or two, RMU has grown into a rather diverse university in regards to the variety of degrees available. With the influx of new technology during this time period, the need for cybersecurity has risen exponentially. RMU’s cyberforensics and information security program has done nothing but grow since its inception. If you were to ask students in the program where their dream job would be, most would probably respond with a government, law enforcement, or financial institution of some sort. If you happen to ask the same question at some point in the near future, you may be surprised to discover students who are looking for work in the automotive industry.

As I mentioned before, the growth of technology and the integration of tech into our everyday lives has created new weak points for cyber criminals to exploit. Computers are increasingly being used in vehicles to control and operate basic functions, and a number of features, such as remote engine start, can now be controlled through smartphone apps. To combat the risks that modern vehicles face, Volkswagen is teaming up with Yuval Diskin, the former head of Israel’s intelligence agency. The joint venture was created with the goal of protecting the next generation of cars from hackers. The new company, called CyMotive Technologies, will be primarily run by acting chairman Diskin, while Volkswagen will possess a 40% stake in the company.

This may be the first time you have heard of a cybersecurity firm dedicated specifically to automotive security, but it won’t be the last. IBM and Harman are two other major companies that have previously invested money in other Israeli firms focused on automotive security. These companies are hoping to restrict and limit automotive hacking while it is still in its infant stages. While we do not know what automotive advances will look like in the future, or what kind of features will become the new standard, one thing can be assumed for sure: the need for competent cybersecurity professionals will continue to increase.

Galaxy Note S7: Is It Safe?

Unless you’ve somehow been able to avoid social media and the news over the past few weeks, there’s a good chance that you’ve heard about the two hottest (literally and figuratively) pieces of recent tech news. I, of course, am referring to the announcement of the iPhone 7/7s and the spontaneous combustion of Samsung Galaxy Note 7 batteries. I won’t waste your time by touching on my opinion of the new iPhone in this article but will instead give you a summary of what is going wrong with the Note 7’s.

When I first heard about the exploding Note 7 batteries, my immediate reaction was along the lines of “just like those hoverboards!” I’m sure we all remember the emails from last year informing students that they were no longer allowed to ride or even store hoverboards on campus grounds. It turns out that the Note 7’s are having the same exact issue as some of the cheaper hoverboard models did.

Much like hoverboards, cell phones utilize lithium ion battery packs as their primary power source. The science behind lithium ion battery packs is fairly simple and has been around for many years. Issues arise when the thin piece of plastic separating the positive and negative ends of the battery becomes punctured. This forces the battery to short circuit and, in turn, forces the point where the separating plastic was ruptured to become the path of least resistance for the electrical current. When this happens, the liquid electrolyte, which makes up most of the battery internals and also happens to be very flammable, heats up. If the electrolyte solution heats up too quickly, it can cause the phone to heat up to an extreme temperature or even explode in rare cases.

As I mentioned before, the Note 7 is by no means the first phone to encounter this issue. The reason that it is affecting Note 7’s in particular is because of too much external pressure during the manufacturing process. The pressure plates used during the manufacturing process squeezed the battery too tightly and forced the positive and negative poles of the battery to come into contact. These poles can only come into contact if the piece of separating plastic is punctured, thus creating the path of least resistance directly between the two poles.

The phone industry is well aware of the potential risks that lithium ion battery packs can cause but most likely will not move away from the use of the packs until a better (affordable) technology comes along. Frankly, the lithium ion route is cheap and relatively safe, so advancement in terms of power supply will only happen when alternatives can be produced cheaply. Samsung is not the only company to have had issues with lithium ion battery technology. Nokia and Apple have both had issues with dangerous batteries in the past (in 2004 and 2009 respectively).

The risk of your battery exploding is very small but it is better to be safe than sorry. Independent analysis states that less than 1,000 of the 2.5 million Galaxy Note 7’s (.01%) that were previously manufactured have experienced issues.  Samsung is offering refunds to users who have purchased the faulty Galaxy Note 7’s and has already switched battery suppliers. If you happen to have a Galaxy Note 7, it is within your best interest to return the phone as soon as possible to eliminate potential risk. You will either receive a full refund or you can trade it in for a different Samsung smartphone.

Hacking – Breaches and password dumps

Call it what you want – hacking, cracking, a dump, a data breach, whatever.  The fact is that these events are becoming more and more common, and as IT professionals we need to know how to deal with the fallout.  There is a great visualization that illustrates this recent trend on informationisbeautiful.net.

Often, one of the results of these breaches is that the public gets some insight into the security protections that a company uses (or the lack thereof).  In the case of the recent 000Webhost breach, we discovered that passwords for over 13 million of their customers were stored in plaintext; that is to say, with no protection whatsoever.

Also in recent news, users of the Ashley Madison service had a large amount of their information disclosed, including account details and password hashes.  The primary protection mechanism for password storage in use there was a technology called bcrypt (a very strong password protection mechanism – you can find more details here and here); however, due to a legacy function that had numerous flaws (for all of the details, check out this blog post), some user passwords were also simplified and stored as MD5.  Because of how MD5 functions, hardware like GPUs and ASICs can be used to crack the passwords quickly and efficiently, and in this case the information gathered from cracking the MD5 hashes was then used to significantly speed up the attacks on the bcrypt-stored passwords.

One of the major problems with password hashes getting dumped is that password reuse is a real problem, and without the use of a password safe (like LastPass, KeePass, 1Password, or more enterprise products such as CyberArk or ERPM) it’s not realistic to think that end users will ever fix this on their own.

There are numerous websites and password managers available where you can check if your password has been a part of a breach, where the companies behind those websites seek out and collect password dumps to perform password cracking on them.  Simulating the attacks that malicious individuals use in this way allows them to provide a security monitoring and alerting service to their customers.  Many companies with a significant web presence, including Facebook, Twitter, and LinkedIn, will also scour the Internet for dumps and attempt to crack the passwords, then compare the cracked passwords to the information they have stored for your account.  If they get a match, they can take steps to protect your account by doing things like expiring your sessions, forcing a password reset on your account, etc.
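The difference between a fast unsalted hash and a salted, deliberately slow one, and the breach-monitoring workflow described in the last two paragraphs, can both be shown in one short script. This is an added example and not code from the post or from the lab it links to. It uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for bcrypt (bcrypt needs a third-party package; both are salted and have a tunable cost), and all accounts, hashes and the wordlist are constructed for this example, not taken from any real dump.

```python
import hashlib
import hmac
import os

# ---- Constructed sample data (not from any real breach) -------------------
# A leaked table of legacy, unsalted MD5 hashes, the weak scheme the post
# describes for the Ashley Madison legacy function.
LEAKED_MD5 = {
    "alice@example.com": hashlib.md5(b"summer2016").hexdigest(),
    "bob@example.com": hashlib.md5(b"letmein").hexdigest(),
    "carol@example.com": hashlib.md5(b"Tr0ub4dor&3").hexdigest(),
}

# A tiny wordlist standing in for the multi-gigabyte lists used in practice.
WORDLIST = ["password", "123456", "letmein", "summer2016", "qwerty"]

PBKDF2_ROUNDS = 100_000  # work factor; raise it as hardware gets faster


def legacy_md5(password: str) -> str:
    """Weak storage: one fast, unsalted hash. Equal passwords give equal
    hashes, and one MD5 per guess tests that guess against every user."""
    return hashlib.md5(password.encode()).hexdigest()


def store_password(password: str) -> dict:
    """Strong storage: per-user random salt plus a slow, tunable KDF.
    PBKDF2 is used here in place of bcrypt (assumption noted in the lead-in)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "rounds": PBKDF2_ROUNDS, "digest": digest}


def verify_password(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["rounds"]
    )
    return hmac.compare_digest(candidate, record["digest"])


def crack_unsalted_md5(leaked: dict, wordlist: list) -> dict:
    """What a monitoring service does with a dumped MD5 table: hash each word
    once and look it up against all accounts at the same time. No salt means
    the whole table is attacked at the cost of one hash per word."""
    lookup = {legacy_md5(word): word for word in wordlist}
    return {user: lookup[h] for user, h in leaked.items() if h in lookup}


def accounts_needing_reset(cracked: dict, own_store: dict) -> list:
    """Compare passwords recovered from someone else's breach against our own
    salted store. Every candidate must be run through the KDF once per
    account; the salt removes the shared-lookup shortcut used above."""
    flagged = []
    for user, record in own_store.items():
        for recovered in set(cracked.values()):
            if verify_password(recovered, record):
                flagged.append(user)  # reused password: expire sessions, force reset
                break
    return sorted(flagged)


def demo() -> dict:
    # Our own service's user table, stored the strong way. Alice reused the
    # password that the other site leaked; everyone else did not.
    own_store = {
        "alice@example.com": store_password("summer2016"),
        "bob@example.com": store_password("a-different-password"),
        "dave@example.com": store_password("correct horse battery staple"),
    }
    cracked = crack_unsalted_md5(LEAKED_MD5, WORDLIST)
    return {"cracked": cracked, "force_reset": accounts_needing_reset(cracked, own_store)}


if __name__ == "__main__":
    result = demo()
    print("Recovered from the MD5 dump:", result["cracked"])
    print("Our accounts to reset:", result["force_reset"])
```

Two of the three leaked MD5 hashes fall to a five-word list with five hash computations in total, while the third (not in the list) survives; the same five words, checked against the salted store, cost a full KDF run per account per word and flag only the one user who reused a leaked password.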

I recently developed a lab focused on how to perform these password cracking attacks for a local security group called Steel City InfoSec.  The lab is available here on my GitHub, and if you aren’t familiar with password cracking, I suggest trying out the Beginner lab.  That difficulty level includes additional details about how to complete the lab, including a hints area that contains explanations and commands to run for each of the steps of password cracking.  There is also a recording of my presentation and my slides available (along with additional information on the Steel City InfoSec message boards) if you are interested in a bit more background.

If you’ve done this sort of thing before and want to experiment with different tools or just download a bunch of word lists, feel free to try out the Intermediate lab.  Specifically, take a look at the downloads readme file to get a clean listing of everything that I’ve provided as a part of the lab.

If you have a GPU cracking rig or a cluster of machines at your disposal, and you’ve done this sort of thing a few times in the past, take a crack at the competition.  It’s important to note that with the competition you will need to be a bit more creative about how you create a word list than just using the dumps that I’ve provided, and GPUs/ASICs will not help you as much as if you were cracking something stored with MD5 or even SHA-256.  Also, please note that the competition prizes were for the Steel City InfoSec event and are no longer available.

While working on the lab, if you find anything that isn’t clear or may be incorrect, please feel free to reach out to me directly (via a GitHub issue or pull request) and I can either lend a hand or fix any bugs as appropriate.  In addition, I will be available on RMU campus on November 10th in the evening in Hale 304, presenting this material to Dr. Paullet’s class.

Jon Zeolla