Week3 Board Notes
Bruce Schneier, who keeps an excellent blog, wrote Applied Security, which is an encyclopedia of cryptographic algorithms, but hasn’t been updated since 1996.
From the class links, we got to talking about cross-border “searches” of your personal computing devices (including phones). This is on par with “show me what’s in your bag”, per case law, although you may not be able to be compelled to turn over passwords. Also talked about “Magic Lantern” (again from links), where FBI could didn’t bother going through the effort of brute-forcing the keys for encrypted disks. This segued to an incident following the San Bernardino case in which the FBI wanted access to an encrypted iPhone.
As a thought exercise we got into how they may have eventually gotten access to the device (latest article suggests an exploit may have been used, rather than the clone-and-brute-force method we got into). Classmate mentions “NAN Cloning”, and this article about *$100 store-bought kit can hack into iPhone passcodes, researcher claims is close to what we discussed. There’s a take-away: the security of the iPhone is proving to hold up well, even when physical access to the device is compromised.
(I can’t find the reference to “PIN bot”, a manual finger-press method, that was mention.)
At some point we got to talking about Snowden and two movies were mentioned, Snowden, the Oliver Stone movie and Citizenfour, a documentary.
Our media-sector classmate wasn’t around so we didn’t go too far into Tor and SecureDrop. We did hit upon a bunch of ways that Tor users can be de-anonymized by adversaries like… the FBI. In one example, they allegedly hacked browsers from compromised sites they controlled.
Someone mentioned another vuln-for-hire case used by a government, where NSO Group’s product was used in the UAE.
The new Verizon Data Breach Investigations Report (VZ DBIR) is coming soon, and in a preview, reports were circulating of a mass IoT hack at a university.
We spent some time talking about Kali Linux, which will be used in the more hands-on lab classes in the rest of the program. You can download this and try it out to get a head start. Browse the bundled tools to find out more about them. We mentioned there’s a lot of overlap between them; nobody knows all of them, you use the ones you know best for the job at hand. VMPlayer and VirtualBox can be used to run virtual machines.
We got into audit, with our guest speaker going into some of the different approaches that can be taken with an “audit” – the terminology is all over the place and varies depending on the goals. Is it an “audit” or an “assessment”; “black box” testing vs “white box” testing (and everything in the middle).
After the Target breach, Trustwave was sued. They were the Qualified Security Assessor (QSA) who allegedly failed to identify issues during their point-in-time review of PCI DSS compliance.
Talking about what happens when access is not properly managed, the SocGen’s rouge trader drove home lessons about segregation of duties.
In an aside we talked about Chelsea Manning who retrieved almost a half-million documents she had authorized access to, but in volumes that exceeded appropriate use of that authorized access.
Side comment about recent Twitter thread re “pen testing is a lemons market” (in a strong economic sense).
Somehow got to talking about Bitcoin, robbing cybercurrency, which led to the Ethereum / DAO hack, which was a protocool-level attack.
I don’t remember how, but we got to talking about Aadhaar/UIDAI, India’s country-wide identity-issuance program.
We got into cyberwarefare with mention of hackers targeting Ukraine’s power grid. The attacks on Estonia a decade ago were significant and led to the Tallinn Manual, a NATO-led study on the topic.
Microsoft recently shared The need for a Digital Geneva Convention – as a classmate quips “please don’t hack Microsoft”.
Have I Been Pwned (to pwn) is Troy Hunt’s site to collect information from breaches into a searchable interface so you can know when your accounts are compromised.
ISACs are threat-intelligence sharing groups aligned by sector, for example FS-ISAC for financial services and REN-ISAC for universities. US-CERT is funded via DHS to provide data-sharing, incident response, and coordination.
We talked about cybercrime laws and looked at Cybercrime.gov.
As an assignment, dig up a case, find some of the court filings, and discuss in the next class.
For example, Alleged International Hacker Indicted for Massive Attack on U.S. Retail and Banking Networks is a press release and USA vs Gonzalez is the indictment filed in court.