The Practicality and Danger of Cross-Site Request Forgery (CSRF) attacks

I usually encounter a discussion with software development teams regarding a Medium risk defect finding – Cross-Site Request Forgery (CSRF). A medium-risk would mean persistent attempts may lead to a compromise. The prerequisite for launching a CSRF is quite complicated. I am always bombarded with so many questions and disputes on why we flag this defect.

The Danger

In a nutshell, CSRF is an attack that leverages trust. Burp Suite (Portswigger) explains it in detail. Imagine a phishing email enticing to click on a link that will redirect you to a website you supposedly wanted to visit. But upon clicking, the link triggers a transaction from a website where you have an active session with values on all parameters preset. Without you knowing and without any credentials stolen, a transaction is successfully executed.

An example simulation is shown below using a DVWA (Damn Vulnerable Web Application) and Burp Suite (proxy tool).

In this scenario, the attacker’s target is to be able to change the password of the account in DVWA by setting values on the parameters on the change password function. The victim does not have to go to that specific page. He/she only needs to have an active session when the phishing link is clicked.

When we said the request to the proxy, a GET request to the server looks like this:

The highlighted portion contains the parameters such as the password_new (New Password) and password_conf (Confirm New Password), and Change (Change Password Action). Assuming that the attacker has an idea on this specific request, he can create a prefilled transaction that he will use in his phishing email.

Burp Suite Pro has a Generate CSRF POC feature that will create the transaction:

You can then put the values in the parameters of the change password function. In this simulation, we changed the password to ‘test.’ The parameters and values are highlighted below:

You can test the Generated POC in the web browser. It will be loaded in the browser, similar to a link that you will include in a phishing email.

When you click the button and send it to the proxy tool, you will see the CSRF POC that we created, and the server with a legitimate request will accept it.

The application will tell you that the password has changed.

When validated during a new session (logout then login), the new credentials are accepted.

That’s how the usual CSRF attack will look like. What are the issues then, and why are there discussions on CSRF attacks’ relevance with the development teams?

The Practicality

In the simulation shown in the first part, there are a lot of assumptions.

  1. The assumption that the user has an active session

We are assuming that the user is currently using the session that we are targeting to exploit. Even if the user clicks the link, but the session is not active, the attack will not be successful.

  1. The assumption that the user will fall for the phishing email and click the link

We are also assuming that we can lure the user into clicking the link.

  1. The assumption that 1 and 2 are happening at the same time. This is self-explanatory. They need to co-exist so that the attack will be successful.

The developers, project managers, or even application owners’ argument is the practicality of the CSRF. As mentioned in the introduction, this attack leverages trust, and there is no single successful formula in exploiting the user’s trust. So with a valid argument from the developers, why are we still flagging it as a defect?

The Judgment 

The rating that is given for each defect depends on its severity. Even if there are so many assumptions and prerequisites before successfully launching the attack, the application is still at risk with CSRF. The probability that it will always happen is still there. On the side of security, we know that it is easy to launch an attack; therefore, we say it is medium. It means that persistent attempts may lead to compromise.

Furthermore, security best practices will tell you that CSRF can be mitigated through the code-level layered defense. One of the best mitigations is deploying an Anti-CSRF token generated by the server that the application will use for validation when a transaction is executed. Burp Suite (Portswigger) has a good article about CSRF Tokens.

Here is a code snippet from a remediated change password function in DVWA. It will show you that there is a token validation to the server to check if the user intentionally made the request. At the end of the code, you will see that a generate token function is called to be used for the next transaction.

Conclusion

CSRF attacks are prevalent in applications, and at the same, it is not easy to exploit. However, the security tester’s role is to exhaust all possible ways of controlling the application and checking if there are ways to improve its security. Thorough CSRF checks are done in the admin panel, where a lot of CRUD actions are done with an escalated privilege (such as admin or super admin). Once the defect is exploited, it is imperative that remediation activities be done in the soonest possible time.

How NMAP scan types complement your Vulnerability Scanner

Usual IT organizations utilize vulnerability scanners to help identify weaknesses in the infrastructure. Outsourced security projects also use vulnerability scanners for the same purpose. While there are voluminous results generated, there are some limitations with the use of the vulnerability scanners. To be fair, vulnerability scanners provide a lot of help in determining more or less the status of your security posture. But in reality, we know that not one security tool can have it all. Those who claim that they have the all-in-one tool may be saying it to make a sale! That’s why it’s important to know which tools can help the other to make better results.

Challenges and Limitations of Vulnerability Scanners

Like anti-malware solutions, the effectiveness of the vulnerability scanners is based on their knowledgebase or signatures. The more knowledge it has on the known vulnerabilities, the better. Usually, that also makes the difference between the free versus commercial scanners. 

False-positive results show and it can be a lot. Getting a lot of results may not mean much if the results are not relevant. False positives are findings that do not apply to the target as if there are Linux vulnerabilities found but the target is a Windows machine. That usually happens when part/s of the signature matches that in a file or directory of a target machine. Manual validation should be conducted afterward to filter out false positives.

Missed ports/services due to speed or lack of identification can be another limitation of vulnerability scanners. Because there are already pre-configured settings in the scanners, a high number port (or dynamic ports in general 49152 to 65535) may be open but the scanner might miss it. 

NMAP scan types can help resolve the third limitation. 

NMAP is one of the common tools that you will use when doing your VAPT activity since it can provide a lot of information about your target from open ports, services, and versions to platforms/OS through fingerprinting. 

You can manage to have a quick or thorough and stealthy scan in NMAP. Based on initial observation, you may realize that there might be a firewall or IDS in between you and your target. It will compel you to modify the scan type and adjust the aggregate timing option. In other words, human intervention can be a vital key in arriving at more accurate results. 

Sample: Metasploitable 2

In this example, I did a sample vulnerability scan using Nessus Essentials (it’s free!) targeting Metasploitable 2 in a VM. Here, you can see that majority of the critical findings are related to OS updates. But in reality, there are open ports that can be easily exploited with higher privileges.

We can do a quick scan using NMAP to get the open ports and cross-reference with our Vulnerability Scan results:

nmap 192.168.33.165

We can do a quick scan using NMAP to get the open ports and cross reference with our Vulnerability Scan results:

nmap 192.168.33.165

So, there are a lot of open ports! What can we do with these results? We can dig deeper and check the service version using the -sV parameter. This scan might take longer to finish so we need to use the settings more effectively. As you can see below, you can see the applications and versions listed in the NMAP results. This is very useful and ‘juicy’ especially when you do your gaining access/exploitation phase.  

nmap -sV 192.168.33.165

You may now cross-reference these results with the findings in your vulnerability scanner. There may be open ports or items that may have been missed. You can also check whether the service version has a corresponding known CVE.

More extensive scan

Another scan that you can do is a complete port scan from 1-65535 without doing a service version check. The goal is to just list down all the open ports because there might be ports that the normal scan may have missed that’s why you have explicitly command NMAP to do so.

nmap -p1-65535 192.168.33.165

Comparing the results of the regular scan and service scan to a complete port scan, we can see more open ports mostly high number ports. At the same time, we can see a low number port that was not initially detected by a regular NMAP scan: 3632/tcp distccd.

You can now explore more about these open ports and check whether there are services open or even using default credentials.

We run another service version scan to determine the services running:

nmap -sV -p3632,8787,36964,38859,45861,48981 192.168.33.165

Conclusion

Human intervention in the scanning phase is important in setting up the stage for the next phases – exploitation and post-exploitation. Determining the scan type and customizing it based on the need is crucial in providing a clearer picture of the attack surface and open opportunities in the target. NMAP is a handy and important tool that can assist you in finding those open opportunities in detail. And definitely, it is a big help in complementing the results of the vulnerability scan.

Bypassing SSL Pinning and Traffic Redirection to Burp Suite using MobSF and Genymotion

In the usual web application security testing, testers take advantage of proxy tools such as Burp Suite or OWASP Zap to tamper with the parameter of HTTP requests to the server and observe the traffic. There are also built-in scanning tools and add-on/plugins that can be integrated for more specific tests. For a web application that uses certificates, the resolution is to add Burp’s certificate to the trusted certificates so the traffic can still pass through the proxy.

However, when doing security tests in mobile apps, this can be a problem. A lot of mobile apps that use certificates implement SSL pinning, thus, it will not connect to the proxy as it doesn’t recognize it as a legitimate connection. Installing Burp’s certificate in the browser will not do any good as the mobile app does not pass through the mobile browser. There are different approaches to resolving this issue. One is to root the OS and install Burp’s certificate in the System Certificate list. By default, Burp’s certificate can only be installed in the User Certificate list if the OS is not rooted. The other approach is to disassemble the .apk file (assuming Android) using apktool and Frida, then disabling the SSL pinning there or referring to Burp’s Certificate as valid.

Depending on the setup, approach 1 or 2 may work. But the steps and tools may be complex as you need to disassemble and assemble the code back again. There are times when you need to do trial and error just to find out which approach or tweaks will work.

MobSF Dynamic Analysis

One of the tools I found is the Mobile Security Framework. It is a security tool that contains both static and dynamic analysis for Android, iOS, and Windows. What I like about the tool is that it automates the disassembling part and analysis of the Manifest and other parts of the code. It also has a risk scoring based on OWASP Mobile Top 10 and CVSS.

One of the more important features is the dynamic analysis. It can execute the uploaded APK to an emulator and execute runtime tests. Note that for dynamic analysis to work, MobSF must be installed in the host and not in a Guest/VM.

Bypassing SSL Pinning

Bypassing SSL Pinning is easy once you have set up the Dynamic Analysis feature of MobSF. Frida is already built-in and you can see the logs. In the example, we uploaded Wikipedia’s APK for static and dynamic analysis. When you start to. There are default settings such as API Monitoring, SSL Pinning Bypass, Root Detection Bypass, and Debugger Bypass.

Go to Frida Live Logs to see the status of the functions implemented. Browse through the mobile app in Genymotion and see the updates in the Frida Live Logs. It will also indicate if SSL Pinning has been bypassed.

Sending the HTTP/S Requests to Burp Suite

After bypassing SSL Pinning, we can now redirect the traffic to a proxy such as Burp Suite. You can go to Generate Report and go to HTTP(S) traffic to verify whether requests and responses are recorded. Once verified, you can go to Start HTTPTools to send the repeat the request to a proxy.

From there you can send the captured traffic to the Fuzzer by setting the IP and port used by the proxy (usually localhost:8080). Just make sure that you have the same set up in the proxy and toggle the Intercept button to “off” and you’re good to go.

Conclusion

These key features of MobSF will help security testers in analyzing the traffic of mobile applications. The tedious task of manually disassembling and assembling the app is resolved and more time can now be allocated to testing the logic and flow of the application.

Effectively Conducting Networking & Cybersecurity Distance Learning Courses

Photo by Julia M Cameron on Pexels.com

I had the privilege of sharing some of my experiences on how I conduct my networking and cybersecurity classes online to other IT Educators in a recent webinar hosted by the Philippine Commission on Higher Education (CHED).

Regardless of the Learning Management System (LMS) used by the school, technical subjects like networking and cybersecurity are different because of the need to have a working laboratory to have a complete grasp of the courses. LMS provides storage, collaboration, insights, engagement automation of quizzes. But creating a laboratory might be challenging.

How do I do it online and offline?

  • Search for useful and informative references – Aside from the references that are included in the syllabus, I also add a lot of helpful links, videos, and PDF files that I find relevant for the course. I try to relate it in every module so that students will be provided help in their studies.
  • Customize slides for the class to meet learning objectives – I create my slides for 2 reasons: First, there is so much information out there that cannot be put in a single material. It is important to choose the most important ones and guide students to relate the materials to the other references. For example. if the topic is network architecture, I’ll just discuss the components of it and provide them references on example implementations/practices for each component. They will be given a list of references that can check but the important thing is that the core concepts are properly discussed. Second, publicly available slides from vendors tend to promote their products. I try to make my materials as vendor-neutral as possible and let the students choose which they prefer. In the end, we don’t like students to be exposed to a single brand and then work on a company that uses another brand.
  • Record short lectures to set the context – I also do video recordings of lectures to help explain technical concepts in a way that students will be able to understand easier. Theories are very important because they will be used in any industry or scenario that you may encounter. Another objective is to provide an industrial touch to the discussion. As an industry practitioner, I know that some of the concepts discussed in books are idealistic but some are impractical in the real world. I try to balance both by providing industry insights and let the students make their analysis.
  • Create Virtual Machines (VMs) that students can use to run the tools and exercises, anytime and anywhere. – An important aspect of technical classes is lab exercises. For networking and cybersecurity classes, I create my own VMs that contain the tools, environment, programs that students will need to practice what they learned in the lectures. I set up a web server in one VM and the attack tools on another. The good thing about it is that students will be able to try various ways of accomplishing the exercises in their own time. And if it fails, then they can just delete the current VM and load a new one in an instant.

Rubrics

I try to make the course very straightforward to students especially the expected outputs and outcomes. Here are the grading components I use for the online classes

  • Learning Log – The learning log is sort of a feedback mechanism from the students. It gives them a venue to speak what is in their mind since not everyone is given time to share in class. Usually, they share their thoughts about the lesson and other things that they observe/experience. They also provide feedback on whether their groupmates are working or if they are having problems with the lesson. The only add-on work for the instructor is to have time to read and respond to these learning logs.
  • Lab Exercise – The lab exercises will validate whether you can use the tools given a specific scenario in a practical sense. The good thing about a lab exercise that is in a VM with a plethora of tools is that there are many ways to achieve the objective. Everything will be based on the strategy of the students.
  • Case Analysis – The usual problem for technical people is that they are tool-centric. They are well-versed on how to use the tools and their features. However, the usual problem is deciding when to use them. The case analysis portion helps students analyze various cases so that they will carefully think about how they will resolve the problem methodically.
  • Exam – Of course, the course will not be complete without an assessment. I usually create an objective multiple-choice exam to check if they know the theories and terms discussed. At the same time, they will also be asked situational questions to check how they will analyze and resolve issues. I try to simulate how IT certification exams work since they will be taking some in the future.

Sample Lesson

On the usual lesson, I start with a question to get their attention and interest. Afterward, there will be a discussion and/or debate. For example, What web application attack is the fastest to exploit and difficult to detect? The answer may vary but what I want to discuss is Session Management. But the question will make the students think and spark sharing, discussion, and debate.

Then I go to the discussion proper. I’ll explain the issues on session management and its best practices when developing a web application etc. Afterward, we do lab exercises and simulate how to check the strength of session ID’s and how to exploit them if found to be weak.

Lastly, we then analyze real-world cases of the organization that has applications with poor session management. We’ll do a root cause analysis and provide recommendations on how to fix the issues.

This is just a sample order of instruction that I find helpful for students in their distance education.

Good Course References

  • Cybrary
  • Peerlyst
  • SANS Reading Room
  • Cisco Networking Academy
  • OWASP

Securing the Organization’s IT Assets Amidst COVID-19

man having a video call on his phone
Photo by Edward Jenner on Pexels.com

How should organizations conduct operations during a pandemic? How should organizations secure their IT assets during a pandemic? For big multinational companies, they have their respective Business Continuity Plans (BCP) that assist them in times like lockdowns, quarantines, or any disruptions to normal business activities. However, a lot of companies were caught off-guard and they were not able to smoothly transition to the “quarantine mode.”

How organizations are affected by COVID-19

According to an April 2020 report from Accenture about the effects of COVID-19 to organizations, there are significant impacts on system resilience and business continuity from the perspective of technology.  On a survey that they conducted in 2019 on system resilience, only 10% of the 8,300 respondents answered that their technology is resilient.  They summarized the effects on IT based on the following: business continuity risks, a surge in transaction volumes, workforce productivity challenges, and security risks.
Common cybersecurity issues faced

Phishing, scams, malware, access to malicious/bogus sites unknowingly are the common cybersecurity issues that organizations faced during the pandemic. Attacks on NASA have been reported consistently since the spread of COVID-19. Local banks like BPI, have issued a memo warning customers of phishing attacks that spoof BPI online platforms.  Google reported that there were 18 million malware detected in a week that are related to COVID-19. Trend Micro also reported a surge in COVID-19 themed attacks ranging from spam, malware, and malicious domains. Worse, unscrupulous individuals host COVID-19 case trackers and fill it with malware so visitors will be infected as they visit.

The following are the major cybersecurity issues organizations face:

  • Increased number of phishing and malware attacks that use COVID-19 as bait or theme.
  • There is an increase in cybersecurity risks because employees are in their homes which IT has a hard time managing. On the other end, support on the company networks will also be lessened because of reduced IT staffing.
  • Remote work/Work from home security issues.

Cybersecurity defense against attacks

SANS has created the SANS Security Awareness Deployment Guide that is very useful for organizations and employees during this time of reduced IT staff and work from home for a lot of employees. It contains all the materials that organizations will need such as templates, fact sheets, posters, and messaging for employees. It even has short learning videos that are very informative covering wide topics on social engineering, securing your home, and working remotely.

It is alarming to note as well that a lot of big multinational companies mentioned in the introduction whose technology and security maturity are both at the top of the line still suffer a lot of cybersecurity attacks such as phishing and malware. They have the best industry-grade anti-malware with a lot of advanced features, encryption in the hard drive level, and other security tools. But as we say in security, the technology is just as strong as the weakest link, which is the people. We have to emphasize the need for a consistent and periodic Security Awareness for employees especially now that the IT/Security team has a limited view of the organization’s assets.

It is also important that the IT/Security team should be accessible not only for support but for security incidents. Attacks can be well-planned and it can target certain people in the organization. Reporting the information about security incidents will help IT/Security team to respond promptly and make important communication to the stakeholders to prevent others from being victimized.

There also has to be clear guidelines/policies for employees. Remote work is a different and new environment that may need further and detailed guidance. For example, should users be allowed to connect to public Wi-Fi? Or are they only allowed to access their home network? If they are only allowed to use their home network, what necessary configurations should be done? A clear policy/guideline will be very helpful.

Management support is also of utmost importance. Quick and immediate approval of policies/guidelines is necessary for this volatile time. Budget is also a key element especially when you need to procure additional security software licenses. Management can provide both approval and budget.

The following are some of the security issues that need to be discussed with employees to take note of:

Social Engineering – Phishing, spear phishing, vishing, CEO fraud, and USB drop are some of the non-technical attacks that can target your organization. Employees must be trained on how to spot these attacks and report them immediately to the IT/Security team. Usual ways to spot these attacks include a strong sense of urgency, pressuring you to violate a policy, generic e-mail, brief message, and use of personal e-mail.

Passwords – Since the use of passwords is the most common type of authentication, certain best practices have to be observed so that attackers will have a hard time to access your account. The use of passphrases,  unique passwords for different accounts, password managers (see LastPass and KeePass), and the use of multi-factor authentication (MFA) (see Google Auth and LastPass Authenticator) are the best practices to build a layered-defense for your passwords.

Updated Systems – From your router to your laptops, mobile devices all the way to the applications, you need to ensure that they are always up-to-date. A lot of successful attacks leverage the exploitation of vulnerable systems, those that are not updated.  You need to enable Automatic Updating.

Backups – Another important practice is to back up your files routinely. The usual expectation of the IT/Security team is that worst-case scenarios will happen such as your workstation will be infected by ransomware or that the device will be lost. Aside from wanting to wipe out the contents of the device, you want to retrieve the information in it. That’s where backups play a vital role.

VPN – In some organizations, confidential company data must remain in the trusted network (company network). But since a lot of employees are working from home, a secured way of getting access to company data stored internally is through a Virtual Private Network (VPN).

Device Misuse – Another important practice is to maintain the use of company-issued devices for work use only. A lot of malware nowadays comes from social networking platforms through third-party ads, hoax, etc.  It is important to remove that risk by not using it for personal use. At the same time, company resources should not be accessed on a personal device. It may be accidentally shared or retained unknowingly.  Lastly, children/relatives/guests should not be allowed to use company-issued devices.

The new normal in the time of pandemic forces business to take drastic and rapid changes in its day-to-day operations. While initially, the move of a lot of organizations is to relax security so that business continuity will not be hindered, it is important that security mechanisms must be restored, reconfigured, and recalibrated so that it will fit the current setup of the organization.

Here is the slide deck on Securing the Organization’s Assets Amidst COVID-19 v1.0. Feel free to use it to help inform more people on how to secure their respective organizations.

 

 

Exploring the Security Issues behind Facebook’s User Tracking from its ‘Big Data’ for Competitive Intelligence

Facebook-Spy-Tool

Credit: Taken from https://www.mobistealth.com/blog/facebook-spy-tool-lets-read-messenger-conversations/ 

(First released in September 2016)

Abstract— Facebook (FB) is one of the most popular social networking sites all over the world. According to Zephoria, there are approximately 1.71 billion FB users worldwide as of July 2016. There are 4.75 billion contents that are shared daily which include status posts, notes, images, videos, etc. [1] From the business perspective, FB remains (and will remain) free as that they continue to make a profit from ads in their website. This article aims to investigate how FB utilizes its collection of big data and draw competitive intelligence that helps them earn a lot of money yet still be able to produce free and quality services. It also discusses the techniques, methodologies, and technologies that FB uses that continuously make them one of the richest and most successful companies worldwide.

Index Terms— Big data, Facebook, competitive intelligence, cookies, ads

 

I. Introduction

A. Big Data: A Short History

The term “Big Data” has been widely used today and to some extent bastardized into a lot of discussions and papers with confusing meanings. A lot of technology and data companies have also used the term to sell their products and services related to cloud computing and Storage Area Networks (SAN). However, the concept of big data goes way back in the 1940s when Fremont Rider, a Wesleyan University Librarian, published “The Scholar and the Future of the Research Library” which challenges how information can be extracted and utilized from all the libraries in the world. [2]

Other initiatives on big data emerged in the 1960s when some researches intended to determine the lineages of the Muslims and create a long family tree out of it. It’s also in the ’60s when the concept of Automated Data Compression was first introduced with the expectation that at some point, data will have to be compressed because of its voluminous size. [3]

Some other interesting early concepts of big data include the study on war correlation where strategies and motivations for a war on different times and places. It was then used to predict which countries might initiate a war and what their strategies are. Another study in Japan in the 1970s was about determining population growth in their country by using and comparing different data sets of their census. [2]

In some cases, Big Data is able to conclude those unexpected explanations for such outcomes. For instance, in the book Freakonomics, it stated that the crime rate in New York City, USA went very low in the early 1990s and nobody could explain why. As a matter of fact, economists and analysts predicted that the crime rate will go up. However, after some rigorous research, it was found out that the court ruling in the 1970s that abortion was declared legal pulled down the crime rate numbers. It was concluded that most “would-be criminals” from uneducated, unemployed and in poverty group had been aborted way before they could probably spread their crimes.

Nowadays, Big Data is used in our daily lives like when Google is properly able to show you the top 10 most relevant results that you are looking for. It is also useful when Waze is able to determine which route you should take based on traffic severity, distance, etc. Everybody who is connected to the Internet is actually using Big Data.

B. Big Data Characteristics

In all Big Data 101 lessons, the following are the characteristics given to Big Data:

  • Volume – The data source is very, very big.
  • Variety – The data source has different types of data that can be known or proprietary. Some of the known data types include integers, Boolean, images, strings, and videos. Some of the ‘unknown’ or proprietary data types include DNA, fingerprints, bit-level image, etc.
  • Velocity – The data source can be queried at an acceptable speed.

 

C. Facebook

FB is a known social networking site where users can connect to their friends or acquaintances. They can post their status, images, videos, etc. Interestingly, it continuously improves current features like adding more emoticons, introducing Facebook live and adding the 360-degree movement of posted pictures among others.

As mentioned, Facebook has 1.7 billion active users to date and it has a net income of at least 3 billion USD. [1] It has also killed popular social networking predecessor sites like Friendster and Multiply because it offers more dynamic features.

One of their known slogans is, “It’s free and always will be.” Since the group of Mark Zuckerburg launched FB, the entire website has always been free of use. Obviously, the major source of income of FB comes from advertisements that the users are able to see.

The creativity in Facebook ads involves determining the likes and interests of the user and using these to show ads that are likely to be suited for him/her. In short, FB is able to filter the correct ads for the appropriate market.

II. Problem Statement

Given the premise that FB utilizes the user’s information to introduce related advertisements for their profit points to two important issues. First, FB uses big data to conduct competitive intelligence to its users. This means FB analyzes voluminous amounts of data to determine certain patterns of the user. For example, based on your status, FB is able to determine how much are you willing to spend for a particular brand and at what time do you intend to buy it. Second, there are a lot of security issues that can arise because FB is using the personal data of its users. Exploiting one user can be done to other users as well. The only way for the attacker to launch an attack is to look for an application vulnerability.

With these issues, the problem is focused on security. Particularly, what are the security implications of FB using personal data for their advertisements? The paper will try to look at the different avenues where attacks can be made based on the available attack surface on the application’s interface.

III. Results and Discussion

A. FB Context

From the perspective of FB, everything that you post and configures as a user is collected and stored. When the user signs up for an FB account, he/she agrees to FB’s Data Policy and how the website will use it. [4] Unfortunately, users do not read the policy and just click on submit.

Last January 2015, FB has modified its policy which included the utilization of tracking cookies to be used for their “services.” These services include providing faster access to its features like suggesting new friends and pages. This also included tracking of the location of the browsing habits of the users. Users who do not agree with this new policy has no option but to leave FB.

In a BBC article, the tracking cookie can help FB with the following: [4]

  • preventing the creation of fake accounts
  • reducing the risk of users’ accounts being taken over by other people
  • protecting users’ content against theft
  • preventing distributed denial of service attacks

From a security perspective, the cited reasons may be valid but the extent of their tracking can be excessive as well, as pointed out by a security research team.

With the issue of the tracking cookies in question, it is important to emphasize three relevant issues on how FB conducts competitive intelligence to its users with its use.

  1. FB is able to track even those who don’t have any FB account or even if you have logged off your FB account. [5]

Due to the partnership of FB with a lot of marketers and advertisers, FB tracking cookies start even if you access a different website. In an article by The Verge, it discovered that “The researchers found that sites including OkCupid, MTV, and MySpace placed Facebook’s cookies on computers even if the computer user did not click or interact with the site in any way.”

Usually, this happens when going to a website and there are buttons below or above that says, “Like us on Facebook.” There are other instances where you need to log in FB first before you can comment on a comment section on a website or forum.

In some public places like malls, the Wi-Fi policy actually requires you to log in FB first before you can use their Internet. That is the trend today and a lot of businesses have been doing this already.

Another technique of user tracking by FB is when you access a totally different website, it will be stored and analyzed as well. For example, when you go to Agoda.com to look for hotel promos, you will be prompted by a lot of Agoda and hotel ads the next time you go to your FB account. This means that there is an indirect collection of data even outside the FB website.

  1. FB is able to control the mood of the users by providing the content in their news feed. [6]

Similar to what the media can do which can steer public opinion on a particular topic, FB can also do the same freely, easily and quickly. It can create trends like hating terrorist groups like ISIS to supporting somebody for a cause etc. By creating these trends, FB somehow can gain control of the mood of the users. It can even create a cult or even a mob which most of the netizens categorize them as “keyboard warriors” or “trolls.”

To be able to control public opinion is key to information warfare. You can be able to destroy a company with these capabilities without really exerting effort aside from spreading information that can sway moods and emotions.

  1. FB is able to get what you do not want them to know. [7]

This issue is very interesting because what you do not want FB to know is something that they collect too. For example, if you intend to make your profile private and even your feed and information, FB will take note of that. It will also take note who are people you are trying to hide from and possibly why. They can provide you with ads related to privacy later on or use the information for other purposes as well.

B. Marketing/Advertiser Context

From the marketing perspective, this becomes way easier for them to advertise their services. They will just create a business page in FB and specify their intended audience. FB will do the rest and provide the results. There’s even a portal where marketers can filter their audience and specify their products and services.

According to Kissmetrics, advertisers can filter their audience based on the following: [8]

  • Location
  • Age
  • Gender
  • Interests
  • Connections
  • Relationship Status
  • Languages
  • Education
  • Workplaces

The payment of advertisements will depend on the scope of your filter. Based on the information you have provided, FB will search and locate who these potential customers are. Then they will advertise your products and services through your FB page. There are specialized functions on a business page like sign-up, contact, subscribe, etc.

In marketing subscription statistics, there are 16 Million local business pages that have been created as of May 2013 which is a 100 percent increase from 8 million in June 2012. [1]

C. Security Issues

There are 2 types of security issues that can be seen in FB’s user tracking feature namely, non-technical and technical.

1) Non-Technical Issues [9]

  1. Scam – There is a variety of scams on FB that have victimized a lot of users. This included spreading hoax news links to a malicious website and messages that ask for personal information. The highest percentage of scams victims are adults aged 30-39, at least with those aged 60 and above.
  2. Cyberstalking – Since personal information is accessible if the profile is publicly available, a lot of users can be stalked or extorted. Pictures or videos of the victims can be stolen, and use publicly available information to launch more sinister attacks like resetting passwords or guessing passwords using birthdays or locations, etc.
  3. Cyberbullying – Cyberbullying is usually the step done after cyberstalking. Users can be bullied or humiliated based on their personalities and beliefs. There are events where the bullies use FB as a medium to post humiliating photos or videos of the victim. In some news, those bullied even commit suicide just to get off with the embarrassment.
  4. Impersonation / Identity Theft – Impersonation or identity theft is also usually done after cyberstalking. The attacker will create another account similar to the victim’s and post stolen photos and create statuses and make it appear it came from the victim. Some impersonators go to the extent of getting money from the victim’s friends.

2) Technical Issues

  1. Session Management – With FB putting the bulk of development to usability, there is actually a small room for security to be implemented. FB allows users to access their account to any networked device simultaneously after initial authentication. The problem now is if the session is stolen and replayed, it can lead to an authentication bypass without even providing the password or any authentication mechanism.
  2. Cross-Site Request Forgery (CSRF) –This is a more complicated issue but it can devastate the user. This involves tricking the user into clicking a link and issuing a transaction request to another website where the user has an account. For instance, I clicked on the link and the link will make a fund transfer request from my account to another account without my knowledge.

IV. Conclusion and Recommendations

Technology can never be suppressed and people should learn how to adapt to it. Big Data and Social Media are two big innovations that have come to dominate our world. There is a countless amount of data that needs to be analyzed to provide better results and answers to questions. Correlated data that are transformed into knowledge can help improve the services and quality of businesses.

However, handling of data is very crucial and should be given priority as well. In the case of FB, it is handling a lot of personal data which includes Personally Identifiable Information (PII). [10] The PII holds the precise identity of the person that if it gets exposed can destroy the person. PII includes address, social security number, credit number, birthday, etc. There are laws both in the United States and the Philippines that mandate organizations to protect the users’ PII. For instance, there is the Electronic Communications Privacy Act (ECPA) in the United States while the Philippines has its Cybercrime Prevention Act (RA 10175). The only problem with these laws is the implementation. The law should be enforced and checked if it is applied to web applications like FB where billions of users have an account on. Imagine the effect and consequences of these data have been leaked. There have been efforts by the private and public sectors to investigate and regulate how FB is doing its data collection and to what extent. It is strongly recommended that it should be done periodically by a disinterested third party.

Lastly, for the users of FB who have the Fear of Missing Out (FOMO) tendency even after learning the dangers of using FB on user tracking, it is important to stay vigilant and cautious when using the website. Also, apply the concept of ‘Think before you click,’ where Think stands for [11]

  • Truth – Is it the truth?
  • Helpful – Is it helpful?
  • Inspiring – Is it inspiring?
  • Necessary – Is it necessary?
  • Kind – Is it kind?

People cannot stop technology. People should not stop technology but learn how to put controls so that its features can be bounded by the policies that we want to enforce.

References

 

[1] Zephoria Digital Marketing, “The Top 20 Valuable Facebook Statistics – Updated July 2016,” [Online]. Available: https://zephoria.com/top-15-valuable-facebook-statistics/. [Accessed 10 September 2016].
[2] G. Press, “A Very Short History Of Big Data,” 9 May 2013. [Online]. Available: http://www.forbes.com/sites/gilpress/2013/05/09/a-very-short-history-of-big-data/#1f0fc6b755da. [Accessed 10 September 2016].
[3] J. O’Malley, “How big data is changing history,” 4 April 2016. [Online]. Available: http://littleatoms.com/big-data-changing-history. [Accessed 10 September 2016].
[4] J. Wakefield, “What is Facebook doing with my data?,” 10 November 2015. [Online]. Available: http://www.bbc.com/news/magazine-34776191. [Accessed 10 September 2016].
[5] J. Vincent, “Facebook’s tracking cookies affect even users who opt out, claims EU report,” 31 March 2015. [Online]. Available: http://www.theverge.com/2015/3/31/8319411/facebook-tracking-cookies-eu-report. [Accessed 10 September 2016].
[6] R. Meyer, “Everything We Know About Facebook’s Secret Mood Manipulation Experiment,” 28 June 2014. [Online]. Available: http://www.theatlantic.com/technology/archive/2014/06/everything-we-know-about-facebooks-secret-mood-manipulation-experiment/373648/. [Accessed 10 September 2016].
[7] C. Johnston, “Facebook is tracking what you don’t do on Facebook,” 17 December 2013. [Online]. Available: http://arstechnica.com/business/2013/12/facebook-collects-conducts-research-on-status-updates-you-never-post/. [Accessed 10 September 2016].
[8] Kissmetrics, “A Deep Dive Into Facebook Advertising,” [Online]. Available: https://blog.kissmetrics.com/deep-dive-facebook-advertising/. [Accessed 10 September 2016].
[9] A. Go, K. Alfafara, I. Javellana, E. Lee and N. Nicolas, Online Peers Can Mean Offline Perils, Makati: Asia Pacific College, 2013.
[10] C. Dwyer, S. R. Hiltx and K. Passerini, “Trust and Privacy Concern Within Social Networking Sites: A Comparison of Facebook and MySpace,” in Americas Conference on Information Systems, USA, 2007.
[11] EduTech for Teachers, “Think Before You Click!,” [Online]. Available: http://edutech4teachers.edublogs.org/2013/10/23/think-before-you-click-2/. [Accessed 10 September 2016].
[12] W. Oremus, “There Are Two Kinds of Online Privacy. Facebook Only Likes to Talk About One,” 13 November 2014. [Online]. Available: http://www.slate.com/blogs/future_tense/2014/11/13/facebook_privacy_basics_page_what_it_won_t_tell_you_about_personal_data.html. [Accessed 10 September 2016].

 

 

Tips and Reasons: A Career in Cybersecurity

Is there a career in IT Security/Cybersecurity in the Philippines? – This is the question that is always asked when I give workshops or lectures in the academe. I always answer an astounding “yes.”

Here are the reasons why:

  • Reason #1: There is a need for cybersecurity professionals because of the increasing number of cybercrimes and data privacy issues.

We see the news every day, from global news such as the Bangladesh Heist and the San Bernardino shooting, or high-impact news such as the Equifax data breach to local ones such as when the UST Hospital was defaced or when a Public School Teacher’s identity was stolen. No matter how big or small these issues are, a key discipline required is in cybersecurity. There will always be a need for cybersecurity professionals

  • Reason # 2: The demand for cybersecurity professionals is high while the supply is low.

Various reputable sources say that a lot of cybersecurity roles remain unfilled. According to CSO, there were a million cybersecurity roles that remained vacant in 2014. It is also predicted that there will be 3.5 million cybersecurity jobs that will remain vacant by 2021. 

ISACA and CyberSeek concur with these trends. At the same time, the cybersecurity unemployment rate is 0% in 2016 and is expected to remain at 0% until 2021.

How to build your cybersecurity career?

  • Answer #1: Shape your career to be difficult to replace and high-value adding to the industry.

This idea is not only applicable to cybersecurity but for any role in general. In the human capital matrix, the “easy to replace and low value-added” roles are sure to be automated. “Easy to replace and high value-added” can be outsourced on the other hand.

A lot of the usual triage or customer service support is already replaced by chatbots that can trace your problem without missing any questions for diagnosis. In the same way that traditional Security Operations Centers (SOC) have matured with the help of Machine Learning (ML) and Analytics that the old Security Analyst roles have already been replaced with more proactive tasks such as threat hunting and intelligence.

  • Answer #2: Assess yourself in the following aspects: Desire, Ability, and Practicality

I have always shared this in career talks- Desire, Ability, and Practicality are things that you have to seriously consider when choosing a career path. For cybersecurity, it is very straightforward. A lot of the roles require the cybersecurity professional to be critical, stealthy and skeptic. In the ability angle, the cybersecurity professional has to have knowledge of programming, networking and system administration to name a few. Lastly, there are so many opportunities for the cybersecurity professional that the practicality aspect is not a problem. I usually use the practicality question for those who intend to study very unique courses with little to no opportunities after graduation.

  • Answer #3: Start your career with operational roles going to management roles.

I started my career as a Security Analyst in a Security Operations Center (SOC) in a US company that caters to more than 500 financial institutions. The work was demanding and there was so much to learn- searching for logs, communicating with clients specifically C-level executives. , classifying which alerts are true and false positives, meeting the SLA, optimizing the SIEM, conducting QA on devices, etc. Our shift back then was 12-hours long and I spent the majority of my stay there in the night shift. The work was very tiring and not advisable for the older and/or family guys. But that stint helped me boost my cybersecurity career.

In my next work, I learned other domains in cybersecurity. I did risk management and a lot of vulnerability assessment and penetration testing (VAPT). Afterward, I moved to handle administrative tasks and became part of the management team creating programs and projects to strengthen cybersecurity in the organization.

I strongly believe that to be a good IT security leader, you must have a solid understanding of some important domains in cybersecurity. Management training alone may not be enough because of the cybersecurity’s nature that requires you to have experience working with frameworks and tools. Although you will not be configuring the tools on your own, it will help you in your decision-making if you will buy the tool/s based on the business requirements of the organization.

  • Answer #4: Invest in education and certifications.

I am not a fan of comparing universities and claim that one is superior to the other. I’ve met a lot of outstanding cybersecurity professionals from all over the world. Some came from the known schools while some graduated from relatively new schools. Some didn’t even finish their degrees but they are great at work.

Obtaining a college degree is a qualification (usually first in the list) in most cybersecurity jobs. Other than a qualification, I think significant experience is a better measurement of cybersecurity mastery. Schools may try to provide the best lab for the students but it is still different in the real-world. Cyber attacks don’t have scope and limitations. They just hit and harm.

Lastly, I personally think that certifications are important too. Aside from that, it is also a qualification, it helps you learn the body of knowledge in a standardized and systematic manner. It will also validate what you know and give you more inputs to advance your skill. I know there are different schools of thought on certifications and I agree with the important points. I even wrote a blog entry about it. But there are far more advantages to taking them to equip people with the right skills and knowledge for the job.

You can view the IT Certification Roadmap from CompTIA for a guide and sample here.

So what are you waiting for? Start your cybersecurity now!

hcm

orman

 

You can download my presentation slide on this topic here: A Primer on IT Security Career Privacy and Ethics v1.

 

4 Reasons Why All-In-One/Automated Penetration Testing is a Fallacy

COMING from the business side, I have met and seen various vendors who promise heaven and earth to answer IT problems in your organization. There are the ‘yes’ guys who will always answer ‘yes’ when you ask if the solution can do this or that. There are the ‘deflectors’ who try to confuse or worse, mislead you when their solution cannot solve your IT issue. Then there are just the plain highfalutin ones who use terms such as AI or ML carelessly just to make a sale.

Now that I am on the side of the vendor, I have also met and seen fellow vendors- ambitious, innovative yet idealistic. For instance, there’s a vendor that sells the-only-anti-malware-that-you-will-need-for-your-organization. You don’t need perimeter security. Just install the solution to all your machines and you’re 100% protected from all attacks. Apparently, there are a lot of disclaimers and caveats in the Terms and Conditions, one is to assume that the attacks are known in their database and another is that the attacks should only be host-based.

I think as IT professionals, we have the responsibility to correct the ‘fake news’ in our own turf, similar to what scientists, doctors, lawyers, and other professions do to protect their respective reputations. As an IT security professional, I am both shocked and amazed at companies that claim that the entire VAPT can be automated and that their tool can do everything that a pen tester can do. I’ve seen a couple of different products on LinkedIn and some I’ve met and had a (heated) discussion.

I have listed 4 reasons why All-In-One/Automated Penetration Testing is a fallacy contrary to the claims of some companies that their solutions will replace actual pen testers.

By the way, one of the common misconceptions is that the Vulnerability Assessment (VA) activities and Penetration Testing (PT) activities are the same. They are not. To cut the story short, VA looks for existing vulnerabilities while PT exploits these vulnerabilities found. Some “self-proclaimed IT pundits” don’t even have a clear understanding of the definitions making the misinformation worse.

Anyway, so here are my reasons:

  • Mens rea of the attacker
    • In the study of law, mens rea is defined as the intention or knowledge of wrongdoing that constitutes part of a crime. An attacker’s mens rea cannot be fully scoped by an automated tool. A tool can scope a certain known part of the assessment. But in the real world, exploits can be done by a gullible legitimate employee who accidentally clicks on a link that triggers the malware or a connivance/inside job to bypass stringent security measures. Scenarios mentioned can only be done by real people, not tools.
  • An attacker’s out of the box perspective or the attack’s art (creativity)
    • The tool is limited by the signatures or known behaviors in its knowledge-based. Hackers/attackers are creative. For example, they will try to scan fast but not too fast so it can evade IDS tools. They will attempt to password guess but not reach the threshold and wait for a reset period before attempting to crack passwords again. The criminal mind is colorful and options are plentiful. Tools may have automating capabilities but limited to their applicability in actual testing.
  • Timing and repetition attacks
    • There are attacks that require timing and repetition to actually exploit certain vulnerabilities. In a way, tools are a good complement for these attacks but it is the strategy of the attacker that dictates the success of the attack. For example, for applications that have so many pages of forms to fill before being allowed to submit, the tool alone cannot automate adding random data in all of these form fields. A human has to analyze and determine which parameters can the application accept and which can be used for automation.
  • Logic attacks
    • Simply put, understanding logic, program flow, and its parameters are things that humans can handle easily compared to automated tools. Imagine if you are browsing an application and you encountered a transaction feature that requires you to input a 6-digit OTP from your registered phone through SMS. You know as a tester that you can automate a test that will input all possible combinations of 6-digits and use it to brute force the transaction. Tools, on the other hand, do not know that by default. Humans must still intervene. And the list goes on…

I think I am obliged to write this blog to emphasize that security testing involves both human testers and tools. They work hand in hand and the tools cannot work alone no matter how big the signature database is. The problem with these predatory solutions is that they promise too much, things that are too good to be true. Imagine if you use their tools and the tool didn’t find anything then you will feel secure. But a week later, you still get defaced through social engineering. So how would you respond?

Another very interesting and important advantage of using pen testers is the human tendency to exhaust all knowledge and techniques to find vulnerabilities. The hunger and desire of pen testers to find vulnerabilities is a big motivation to help the organizations find real security issues.

 

Proud of my students’ achievements @ UA&P event

Last February 24, 2017, me and my undergraduate students went to the University of Asia and the Pacific (UA&P) in Pasig City to present their project Hydra in a school-initiated research conference.

The event was not very big but various students from undergrad to PhD were prepared to present their papers. I was really pushy but cautious to my students at the same time- I would like to guide them in their project and prepare them to present it by themselves in front of academicians.

img_20170224_143541
A copy of the Parallel Session schedule and Abstract

And so the day came… my students Kent and Letty created their presentation slides. I told them to limit it to 6-10 slides only and practice explaining their project in the simplest and shortest way possible… which they were able to do very well.

That moment when my student started presenting made me feel proud as their teacher. 🙂

Congrats Kent and Letty for a job well done! Although I still have a lot of waiting to do for the expense reimbursement haha

 

img_20170224_175416
With my students, Kent Miculob and Letty Laureta

To read the paper we submitted, you may visit this link.

 

Post statement- Use an old Roman encryption to decrypt the message below

hvq- grfgpbzfrp@tzk.pbz; cjq- Grfgpbzfrp@12345

 

8 Helpful Things You can do to Prepare and Pass a GIAC exam

Roughly one year after I passed the GIAC Web Application Penetration Tester (GWAPT) exam, I took the GIAC Mobile Device Security Analyst (GMOB). I became one of a less than a thousand professionals who earned the certification. One of the observations that I have is that preparations I did for both exams were pretty much the same- from the length of time I studied and the manner I created the index etc.

I decided to write this article to help those people who are planning or studying for any GIAC exam. I also compared my preparation to others who took a different GIAC exam and the results are pretty much the same.

I am providing exam preparations for those who are taking either the SANS boot camp (live) or a SANS on-demand course. I’m not in the position to provide tips for those taking a challenge exam because I haven’t tried it. (those who don’t have any SANS materials and solely rely on their own resources matching the GIAC exam objectives)

So here it goes…

8.Read all the SANS books at least 3 times .

I know it’s quite lengthy and some people have a tendency to just read the chapter summary. But you have to read the books and its entirety. SANS sticks to its course materials. There will be a lot of trick questions along the way but all the questions will come from the course materials.So if you miss the details, then you miss the opportunity to answer it. Believe me, the summary won’t exactly tell you the specific directory where that certain Trojan hides the file.  You need to have read it.

Also, based on my my experience, almost 50-50 of the questions in exam are theoretical and application questions. The exam won’t only check if you know how to use the tools. It will also check if you understood why, when and where to use them. These things will be explained in the books.

Why read the books at least 3 times? The first time you read the materials, I’m sure it’s going to be information overload. But it will give you a grasp of the width and depth of the exam. You will be able to scope your study. You can start using post-its to mark the chapters of the books. The second time you read, you will give time to understand the lessons in the materials. You may start doing your index that time. The third time you read the materials, you it will refresh you with the things you already know and you can get back to the topics you might have missed.

7.Do all the lab exercises and explore the other functionalities of the tools.

When you go to the SANS training, you will be receiving a USB containing all the tools and lab environment that you need. You need to do all the lab exercises. Some of the tools might be familiar to you like Wireshark, Cain, Whois etc. Do the exercises still because depending on the course, the tools may be used in a different way.

Also, be aware of the tools that are introduced in the book but don’t have any lab exercises. There are questions that will ask you about that tool and you need to have an idea how to use it.

And don’t expect questions that ask for the same commands or actions that were used in the lab exercises. The exam will give a different scenario using different commands and functionalities of the tool. So it’s best to explore the functionalities of the tool other than the things that were given in the exercise.

6.Create your index for the topics.

As you would know, GIAC exams are open notes. And usually in class, the exams that are open notes are not easy exams. haha You might be tempted to skip the study and search the answers in the books during exam. That’s not good at all. You only have approximately 1.5 minutes to answer an item in the exam.

One of the traditional ways to do it is through creating your index of the topics and tools. It can be done in MS Word or MS Excel depending on your need. You can even use a notebook to write down the notes handwritten.

The goal of the index is to help you recall what the specific details in that topic are. There should be a short description about it and a reference on what book, chapter and page you can find more information about it.

The goal of the index is not to copy paste the contents in the book in a different paper. That won’t be helpful. Just summarize the topic and write the reference where you can find it.

Ideally, your index should be around 3-5 pages long.

5.Create another index for the tools.

When you study for the exam, you will be studying and using around 100+ tools. It’s also best to create index indicating specifically the purpose of the tool is, the known commands, the interface type (GUI or CLI) and for what platform/s it can run.

You can put reference to the page of the book as well if that tool has a lot of notable very long commands.

4.Set a date for your exam so you will be motivated to study.

You have four (4) months  after the training or initial subscription to take the exam. Personally, I think that’s already a long time. With this type of time frame, you might have the notion thinking that you have a lot of time. To avoid this type of thinking, set the exam in advance so that you will be motivated (and forced) to study to meet that deadline.

Also, don’t schedule the exam very late like setting it up on the last day that you can possibly take the exam. Provide a buffer because unavoidable incidents might happen like typhoons or flooding in the Philippines can disrupt the operations of exam centers. (or other personal issues like sickness etc) You will have to pay additional fees if you will take the exam beyond the 4-month period.

Also, GIAC allows rescheduling of exam at least 24-hours prior from the actual date of the exam. Providing a buffer will give you a time to reschedule for free.

3.Treat the Practice Tests like it’s the actual exam.

SANS will provide you two (2) practice tests that simulate the certification exam. The questions there will show you the way they ask questions in the actual exam. Personally, I think the tuning point for your review is when you take the first practice test. It will tell you exactly afterwards in what exam domains you need to improve on.

Important note: Treat the practice tests like the actual tests. In my experience, I took the practice tests free from any work or pressure. I took the practice test after I rested well. I also took the practice test in a closed room with proper ventilation and lighting, similar to the actual testing center.

You can opt to choose to see the explanation of the wrong answers or all the answers. My default choice is to show the explanation of all the answers.

Another important note: Don’t expect that the questions in the practice tests will appear in the exam. These practice tests will only provide you the feeling of taking the exam. You will be disappointed if you will just memorize the questions thinking that these will appear in the actual exam. haha

2.Go to the Exam Center at least an hour early with your books, index and exam permit.

Research very well about the Exam Center where you will be taking your exam. Check the online forum and see what people say about the exam center. Remember, that’s where you will be taking the $1,000 USD exam! It has to be able to provide the best environment for you that day. I have been taking my exam in TrendsNet in Makati. The building is already old and the elevators are slow but the exam center is newly renovated. The exam rooms are comfortable, quiet and clean. There’s no parking area so whenever I take the exam, it’s either I take a taxi, Uber or park the car in the mall. The staff is very accommodating and friendly. They are familiar how to handle GIAC exams.

You need to be in the Exam Center early because they are strict with the time slots you have reserved to. It is better to be early than late. They won’t allow you to take the exam if you’re late and you  need to pay a penalty of around $150.

It pays to be early because it will give you time to relax and take time to go to the restroom and do your last minute preparations. The exam center will also permit you to take the exam early if there are free slots that time.

1.Pray hard and find time to relax.

I’m not religious but I find time to pray, talk to God and ask for guidance. Praying gives me a positive vibe. I also find time to relax after a study time like having a massage, eating ice cream etc. haha These small things help me take things positively. Praying and relaxing surely helped me in passing the exam.

These are some of the things that you can do to prepare for the exam.I hope these tips will help!

Good luck for those who are studying/ will be taking the exam soon.

For those who have taken the exam, what are your exam preparation tips? 🙂

Vulnerability Proof-of-Concept and Analysis

The objective of this activity is to simulate and existing vulnerability (it can be an application, network, etc.) and create an analysis based on research. The ultimate goal is for the students to come up with an outlook of the vulnerability on how it has affected and will affect the computing world in the future.

For instance, there Vulnerability X works on Platform Y.1. Computers need to update to Platform Y.2 to become protected. However, a lot of computers didn’t update because of compatibility issues. What will happen to these “unpatched computers?” How many of them are found in critical data centers etc? Will Vulnerability X evolve into a more complex and more dangerous vulnerability?

Sample works:

Android Rooting Vulnerability – Android Rooting

iOs Jailbreak Vulnerability – iOS Jailbreak

Heartbleed Vulnerability – Heartbleed

Shellshock Vulnerability – Shellshock Vulnerability

Remote Desktop Protocol Vulnerability – RDP

Adobe Flash Vulnerability – Adobe Flash

 

 

Machine Project in Infosec

Objectives

■To be able to configure, implement an open-source security tool.

■To simulate a real-world attack scenario where the security tool can be used.

■To show how to configure necessary functionalities of the security tool.

Tasks

■Each group will be assigned a specific security tool. Each group will research about the topic and download an open-source version of the tool.

■The group can use a recommended tool or look for a preferred application as long as it is open source.

■The group will configure and deploy a working prototype and simulate the functionalities of the tool with the prescribed test/s in a lab environment.

■The group will demonstrate the output in the 12th week of the term.

Tools

■Network Firewall (PFSense)

■NIDS- Network Intrusion Detection System (Snort)

■HIDS- Host Intrusion Detection System (OSSEC)

■WAF- Web Application Firewall (Iron Bee)

■Honeypot (Honeyd)

■DLP- Data Loss Prevention (OpenDLP)

■Anti Spam (SpamAssassin)

Tests

Tool Test
Firewall Allow/Block Website based on IP/hostname

Allow/Block Website based on Category

NIDS Detect a port scan

Detect a backdoor connection

HIDS Detect a keylogger

Detect a port scan

WAF Prevent a SQLi attack.

Prevent a port scan.

Honeypot Log port scan to server.

Log remote access to server.

DLP Prevent sending of email based on message

Prevent sending of email based on file type

Anti-Spam Detect SPAM based on message

Detect SPAM based on quantity

Milestones

■Week 3 – Finalization of security tool

■Week 6 – Security tool configured

■Week 7- 10 – Testing

■Week 12/13 – Project Demo + Documentation Submission

Deliverables & Grading

■Working prototype 40%

■Tests completed 40%

■Documentation 20%

Paper Format

■Abstract – Summary of your project

■Introduction – Discuss what the tool is all about

■Results and Discussion – Discuss the tests done (include screen shots)

■Conclusion – Lessons learned

Sample Projects:

Video Links

IDS- SnortV1, SnortV2, SnortV3

Honeypot – Honeybot, KFSensor

Firewall – PFSense

Documentation

NIDS (Snort, Snorby and Barnyard Installation & Configuration) – comsecinstallation

HIDS (OSSEC Installation, Configuration & Testing) – USER MANUAL OF OSSEC

SPAM Filter (MailWasher) – INFOSEC_MachineProject_MailWasher

Honeypot (Honeybot) – INFOSEC_MachineProject_Honeypot