Friday, November 15, 2013

Phishing not Fishing


Phishing attacks have risen dramatically since their inception, and anyone is a target. What is phishing? Phishing is an attack that attempts to acquire information such as user names, passwords, credit card details and bank account information by impersonating a trustworthy entity in electronic communication, usually email. The email typically contains a link to what appears to be a trustworthy website, such as your bank or credit card company, but the site is actually controlled by the attacker. It captures whatever you type into its forms (user name, password, PINs for accounts), and it may also serve malware that infects the user's computer.

There are different types of phishing techniques. The most common is the mass mailing described above, sent to numerous victims at once. Spear phishing is directed at specific individuals or companies. The message appears to come from the company's human resources or IT department and may ask the user to confirm or update a user name and password. Once the attackers have received this information they hold valid credentials for the network and can log in and attack it from the inside. The message may also direct the victim to click on a link that launches an exploit or downloads malware that steals personal information.

There is also whaling. This type targets upper management in companies. The content is crafted for a specific senior manager and that person's role in the company. The email is often written as a legal subpoena, customer complaint or executive issue, and appears to be a critical message sent from a legitimate business source. There is usually a link that looks very legitimate; once the user clicks it, the credential-harvesting page or malware download is delivered.


Phishing was reported as early as the mid-1990s, when it hit AOL. A program dubbed AOHell provided an automated password- and credit-card-stealing mechanism. What began as a scheme by rebellious teenagers to steal passwords evolved into one of the top computer security threats affecting people, corporations and governments.

When phishing first began, the emails were full of text, misspelled words and poor grammar, so they were much easier to recognize as spam. Over the years the tactics have changed. Around 2003 email fraudsters began registering dozens of lookalike domain names and creating web sites whose host names contain the names of well-known companies and brands, such as microsoft.checkinfo.com (the registered domain there is checkinfo.com; the "microsoft" part is just a subdomain that anyone who owns checkinfo.com can create). Unaware of the trick, a recipient would click on the link and have personal information, network credentials and various other things compromised.
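The lookalike-domain trick above is mechanical enough to check for in code. The following is an added example, not code from the original post: it pulls the links out of an email body and classifies each one by the domain that was actually registered, not by the brand name that appears in the host. TRUSTED_DOMAINS, the small suffix table and the sample email are all constructed for illustration; a real deployment would consult the Public Suffix List rather than a hand-made table.

```python
"""Classify the links in a suspicious email by the domain they really lead to.

Added example, not code from the original post. TRUSTED_DOMAINS, the tiny
suffix table and the sample email are all constructed for illustration; a real
deployment would consult the Public Suffix List rather than a hand-made table.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Domains this organisation legitimately links to (assumed allow-list).
TRUSTED_DOMAINS = {"microsoft.com", "paypal.com", "examplebank.com"}

# Stand-in for the Public Suffix List: suffixes under which the registrable
# domain is three labels long (login.examplebank.co.uk -> examplebank.co.uk).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host: str) -> str:
    """Return the part of a host name that somebody actually registered.

    For microsoft.checkinfo.com that is checkinfo.com: the 'microsoft' label is
    a subdomain the owner of checkinfo.com can create at will.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_link(url: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for one URL."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if not host:
        return "unknown"
    try:  # a bare IP address never belongs to a brand's mail campaign
        ipaddress.ip_address(host)
        return "lookalike"
    except ValueError:
        pass
    if registrable_domain(host) in TRUSTED_DOMAINS:
        return "trusted"
    # The brand name shows up in the host or path, but the registrable domain
    # is not the brand's own: the 2003-era microsoft.checkinfo.com pattern.
    brands = {d.split(".")[0] for d in TRUSTED_DOMAINS}
    haystack = (host + parsed.path.lower()).replace("-", "")
    if any(brand in haystack for brand in brands):
        return "lookalike"
    return "unknown"


def suspicious_links(message: str) -> list:
    """Every non-trusted link in an email body, with its verdict."""
    verdicts = [(url, classify_link(url)) for url in URL_RE.findall(message)]
    return [(url, verdict) for url, verdict in verdicts if verdict != "trusted"]


# Constructed phishing lure: one lookalike link next to one genuine link.
SAMPLE_EMAIL = """Dear customer, your account has been limited.
Confirm your details at http://microsoft.checkinfo.com/update within 24 hours.
Policy information: https://login.microsoft.com/account
"""

if __name__ == "__main__":
    for url, verdict in suspicious_links(SAMPLE_EMAIL):
        print(f"{verdict:10} {url}")
```

The check deliberately ignores how the link is displayed and looks only at where it goes; an attacker controls the anchor text, but not which domain they managed to register.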


How do you stop phishing? The most important part is for ALL users to be aware of these tactics. If you receive an unexpected email from someone you don't know, treat it with suspicion and do not open its attachments or click its links. Your bank, ISP or credit card company will NEVER send an email asking you to provide your user name and password. If you receive this type of email at a business email address, forward it to the IT department for further action. At home it is important to keep your system safe. Keep your firewall on, enable the phishing and malicious-site filtering in your browser and mail client so that suspicious links are blocked, and make certain your anti-virus is up to date and running in real-time protection mode. Even with these steps in place you may still be attacked, so make certain all your valuable data is backed up and you have a plan for recovery.

Wednesday, November 13, 2013

CIA, Botnets and other client side attacks

CIA and Client Side Attacks



The first line of defense is user awareness and education. A user's account should be granted only the level of access required to perform that person's job. This is why Confidentiality, Integrity and Availability (the CIA triad) are key in the digital world. Confidentiality means protecting sensitive information from unauthorized access; it hinges on defining and enforcing appropriate access levels for information, the "need to know" principle. Integrity concerns the accuracy of the data being used: has it been changed or manipulated by an unauthorized party, and if changes were made, can they be detected and undone? That leads to the third property, Availability. Systems, access channels and authentication mechanisms must all be working properly for the information they provide and protect to be available when needed. Even with awareness education and strict policies in place there can still be network attacks.


Client-side attacks are the most common and easiest way for malicious threats to enter a network. A user clicks a link that looks harmless, or opens an infected email attachment. A user can even visit a seemingly harmless website that silently delivers malicious code, rootkits, viruses, bots and so on without the user knowing (a "drive-by download"). Browser plug-ins such as Java, Adobe Reader, ActiveX, Flash and media players are common targets for exploitation. The lack of firewall filtering from the "inside out" is another way threats spread: a firewall that only inspects inbound connections does not stop a download the user requested, so the malicious code passes through undetected, is launched inside the network and is then free to infect the entire network over outbound connections that nobody filters. Technical methods include code injection, cross-site scripting (XSS), phishing scams, email attachments and social networking. The two primary client-side delivery channels, malicious email attachments and drive-by downloads, both end with the client machine hosting the attacker's code without the user's knowledge.

A botnet is another client-side attack, in which computers are infected with a malicious application called a bot and become "zombies". The hidden code enables a person, the "bot herder", to control the bot. A botnet is a group of zombie computers being remotely controlled by the herder. The bot herder, also referred to as the bot master, can be one person or a group of people, and their primary goal is to make certain the botnet stays intact. The herder issues commands through command-and-control (C2) servers; the bots usually locate those servers by looking up ordinary-looking domain names, so to the user the traffic looks like routine DNS and web activity. Each newly infected client becomes a zombie, and the group of zombies is the botnet. Bots can be used to harvest sensitive information such as bank account details, user names and passwords, to record keystrokes and to send spam. They are also a popular way to launch distributed denial-of-service (DDoS) attacks and to poison search results so the infection spreads further. One way to spot a bot being delivered is to look at captured packets whose payload contains an executable, for instance by opening the payload in a text editor or the strings tool. Strings such as "LoadLibrary" and "kernel32.dll" appear in the import tables of Windows programs. Be careful with the interpretation, though: kernel32.dll is a standard user-mode library imported by nearly every Windows program, so those strings do not mean a bot is altering the kernel. They simply tell you an executable is crossing the wire, which is worth investigating when it arrives over a channel where no executable should be.

Botnets are difficult to detect because the malicious bot code, which is packed and sometimes encrypted, passes unfiltered through the firewall to the zombie on the internal network: the connection is initiated from the inside on ports the firewall already allows, such as 80 and 443.
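The "executable in the payload" check described above can be automated. This is an added example, not code from the original post: it tests a reassembled payload for a Windows PE header (the "MZ" stub whose e_lfanew field points at "PE\0\0") and lists which well-known import names appear in it. The payload bytes are constructed in the script to stand in for the data portion of a captured stream; they have only as much structure as the check needs and are not a runnable program.

```python
"""Flag a captured payload that carries a Windows executable.

Added example, not from the original post. The payload below is a constructed
stand-in for the reassembled data of a TCP stream; its headers are only as
complete as the check needs, so it is not a runnable program.
"""
import re
import struct

# Import names the post mentions, plus the sockets DLL a bot needs to phone home.
IMPORT_MARKERS = (b"LoadLibraryA", b"GetProcAddress", b"kernel32.dll", b"ws2_32.dll")


def looks_like_pe(data: bytes) -> bool:
    """True when data has a DOS 'MZ' stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def printable_strings(data: bytes, min_len: int = 6) -> list:
    """Runs of printable ASCII, like the `strings` utility."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def assess_payload(data: bytes) -> dict:
    """Why this payload deserves a closer look (or does not)."""
    lowered = data.lower()
    return {
        "is_pe": looks_like_pe(data),
        "import_markers": sorted(m.decode() for m in IMPORT_MARKERS if m.lower() in lowered),
        "string_count": len(printable_strings(data)),
    }


def build_sample_payload() -> bytes:
    """Constructed bytes shaped like the start of a Windows executable."""
    header = bytearray(0x80)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x80)      # e_lfanew: PE header at 0x80
    body = (b"PE\x00\x00" + b"\x00" * 20
            + b"This program cannot be run in DOS mode.\x00"
            + b"kernel32.dll\x00LoadLibraryA\x00GetProcAddress\x00"
            + b"http://c2.example.invalid/cmd\x00")
    return bytes(header) + body


if __name__ == "__main__":
    print(assess_payload(build_sample_payload()))
    print(assess_payload(b"<html><body>Welcome</body></html>"))
```

The verdict is "an executable is here", not "this is a bot"; kernel32.dll and LoadLibraryA show up in almost every legitimate Windows program, so the interesting signal is the channel the file arrived on and whether a download was expected there at all.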



Sniffers and Wiresharks and other fun stuff

In the network world there are many tools for doing many things, and while "sniffer" and "Wireshark" may not sound like serious security terms, both are an important part of network security. Sniffers, also referred to as network packet analyzers or network protocol analyzers, are used to capture and "sniff" packets of data travelling on your network. They capture and record traffic for analysis and decode each protocol layer so that unencrypted content is displayed in clear text (a sniffer cannot decrypt properly encrypted traffic such as TLS without the keys). This shows important information such as IP addresses, protocol, host or server name and more.

In its simplest form a packet sniffer captures all of the packets that pass through a given network interface. Normally the interface only accepts packets addressed to the machine in question (plus broadcasts). However, if placed into promiscuous mode, the sniffer also captures every packet that reaches the interface regardless of destination. On a switched network that is still mostly the machine's own traffic; seeing other hosts' traffic requires a hub, a mirror (SPAN) port or a network tap.


By placing a packet sniffer on a network in promiscuous mode, a malicious intruder can capture and analyze all of the network traffic that reaches that interface. With legacy protocols such as Telnet, FTP, HTTP and POP3, user names and passwords are transmitted in clear text, which means they are directly readable in the captured packets.

With that in mind you can see how helpful a tool a sniffer is, both to an attacker and to the defender combating malicious activity. A sniffer must run in promiscuous mode to collect frames that are not addressed to the system. Sniffers run either from a CLI (command line interface) or a GUI (graphical user interface). A CLI sniffer such as tcpdump can write captures to a file that is later viewed in a GUI sniffer. Advantages of CLI sniffers are that they are open source, have a smaller attack surface and fewer vulnerabilities, and write data to a file for later analysis. Disadvantages are that by default they show only header fields, and it takes a knowledgeable analyst to read the raw packet data.
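To make "reading the raw packet data" concrete, here is an added example (not code from the original post) that does what a sniffer does on a small scale: it decodes the Ethernet, IPv4 and TCP headers of a frame, pulls out the addresses, protocol and ports, and then searches the payload for logins sent in the clear over FTP and HTTP Basic authentication. The three frames are constructed in the script, with addresses from the 192.0.2.0/24 documentation range, to stand in for a capture file; a real run would feed it frames read from a pcap instead.

```python
"""Decode Ethernet/IPv4/TCP frames and pull clear-text logins out of them.

Added example, not from the original post. The three frames are constructed in
code (addresses from the 192.0.2.0/24 documentation range) to stand in for a
capture file; a real run would feed frames read from a pcap instead.
"""
import base64
import re
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6

# Protocols that still carry credentials in the clear, and what they look like.
CREDENTIAL_PATTERNS = [
    ("ftp-user", re.compile(rb"^USER (\S+)", re.M)),
    ("ftp-pass", re.compile(rb"^PASS (\S+)", re.M)),
    ("http-basic", re.compile(rb"^Authorization: Basic (\S+)", re.M | re.I)),
]


def build_frame(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Wrap payload in Ethernet+IPv4+TCP headers (checksums zero: fine for parsing)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0x4000,
                     64, IPPROTO_TCP, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + tcp + payload


def parse_frame(frame: bytes) -> dict:
    """Return the fields a sniffer shows: addresses, protocol, ports, payload."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return {"proto": None}
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                      # IPv4 header length in bytes
    info = {"src": ".".join(map(str, ip[12:16])),
            "dst": ".".join(map(str, ip[16:20])),
            "proto": ip[9]}
    if ip[9] == IPPROTO_TCP:
        tcp = ip[ihl:]
        info["sport"], info["dport"] = struct.unpack("!HH", tcp[:4])
        data_offset = (tcp[12] >> 4) * 4          # TCP header length in bytes
        info["payload"] = tcp[data_offset:]
    return info


def find_cleartext_credentials(frames) -> list:
    """(src, dst, dport, kind, secret) for every login sent in the clear."""
    hits = []
    for frame in frames:
        pkt = parse_frame(frame)
        for kind, pattern in CREDENTIAL_PATTERNS:
            for match in pattern.finditer(pkt.get("payload", b"")):
                secret = match.group(1)
                if kind == "http-basic":          # base64 is encoding, not encryption
                    secret = base64.b64decode(secret)
                hits.append((pkt["src"], pkt["dst"], pkt["dport"], kind, secret.decode()))
    return hits


# Constructed "capture": an FTP login, an HTTP request with Basic auth, a TLS hello.
SAMPLE_CAPTURE = [
    build_frame("192.0.2.10", "192.0.2.20", 40001, 21, b"USER alice\r\nPASS hunter2\r\n"),
    build_frame("192.0.2.10", "192.0.2.30", 40002, 80,
                b"GET /intranet/ HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic "
                + base64.b64encode(b"bob:s3cret") + b"\r\n\r\n"),
    build_frame("192.0.2.10", "192.0.2.40", 40003, 443,
                b"\x16\x03\x01\x00\x2e\x01\x00\x00\x2a\x03\x03"),
]

if __name__ == "__main__":
    for hit in find_cleartext_credentials(SAMPLE_CAPTURE):
        print(hit)
```

The third frame (the start of a TLS handshake on port 443) parses fine but yields nothing: the headers are as visible as ever, the login inside is not. That is the practical difference between "the sniffer can read the protocol" and "the sniffer can read your password".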

Detecting a sniffer on your network can be difficult. By its very nature the packet sniffer is passive: it simply captures the packets that reach the interface it is monitoring. That means there is generally no signature or erroneous traffic to look for that would identify a machine running a sniffer. There are ways to identify interfaces running in promiscuous mode, though, for example by sending frames to a bogus destination MAC address and watching which hosts still answer the ARP or ICMP request inside them, and this can be used as a means of locating rogue sniffers.

GUI sniffers are also available as open source. They can analyze complex protocols and identify both the header fields and the payload that indicate an intrusion. One drawback of GUI sniffers is that their many protocol dissectors make them more susceptible to coding errors, so a crafted packet can sometimes crash or exploit the analyzer itself. Wireshark is an open source GUI network analyzer available for multiple platforms. It can be used to analyze network traffic, troubleshoot networks and perform security analysis. It can dissect hundreds of protocols, analyze payload and header fields, capture packets and save them as capture (pcap) files or export them as text for later analysis. Capturing packets with Wireshark requires elevated privileges, but a non-elevated account can open saved capture files and analyze them; the safer practice is to capture with privileges and do the analysis as an ordinary user.

There are many options for sniffers, network packet analyzers and network protocol analyzers. Picking the correct one for your network can be difficult, but doing the research and knowing the needs of your network is a good step in the right direction.

Tuesday, November 12, 2013

IDS-Intrusion Detection System and other Odds N Ends


Intrusion Detection Systems (IDS) are an important part of keeping network systems, including DoD networks, protected. An IDS is a tool that helps identify when the other defenses have failed: it monitors for suspicious and malicious activity and raises alerts when such activity or an anomaly occurs. Identifying intrusions promptly allows for mitigation and limits the damage to information systems.

There are many kinds of attackers and attacks that can affect information systems: black hats, hacktivists, script kiddies and crackers on one side, and client-side and server-side attacks on the other, to name a few.

Steps to preventing server-side attacks include proper DMZ design, firewalls, and applying patches in a timely manner.

Server Hardening - Server hardening is the process of enhancing server security through a variety of means (removing unneeded services, restricting accounts, patching, secure configuration), which results in a much more secure server operating environment. With these kinds of steps server-side attacks have become less frequent, but they must still be protected against.


Preventing Client Side Attacks

Patch all client software frequently, including Windows, Microsoft Office and third-party software such as Flash, Adobe Reader and alternate browsers. It is also important to keep anti-virus up to date, including the definitions database, and a thorough scan should be performed on a regular basis.

There are 2 types of IDS, host based and network based.

A host-based IDS (HIDS) only monitors the host on which the software is installed. This is helpful for monitoring file system integrity and file permissions, and it can log the specific actions of each person who logs onto the system. HIDS are used to monitor intrusion attempts on critical servers. One drawback of HIDS is that analyzing intrusion attempts across multiple computers is difficult, since each host only sees itself.
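The file-integrity part of a HIDS is simple enough to show end to end. This is an added example, not code from the original post: it records a baseline of content hashes and permission bits for every file under a directory, re-scans later, and reports what was added, removed, modified or had its permissions changed. The directory tree it builds is a throwaway constructed stand-in for /etc and /bin, and the "intrusion" is simulated in the script.

```python
"""The file-integrity half of a host-based IDS: baseline, re-scan, report.

Added example, not from the original post. It builds a throwaway directory tree
(constructed stand-ins for /etc and /bin), records a baseline, tampers with the
tree the way an intruder might, and reports what changed.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root: Path) -> dict:
    """Relative path -> (sha256 of contents, permission bits) for every file."""
    result = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            mode = path.stat().st_mode & 0o777
            result[path.relative_to(root).as_posix()] = (digest, mode)
    return result


def compare(baseline: dict, current: dict) -> dict:
    """Classify the differences between two snapshots."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p][0] != current[p][0]),
        "permissions": sorted(p for p in common
                              if baseline[p][0] == current[p][0] and baseline[p][1] != current[p][1]),
    }


def demo() -> dict:
    """Baseline a small tree, simulate an intrusion, return compare()'s report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF placeholder for the real binary")
        os.chmod(root / "etc" / "passwd", 0o644)
        os.chmod(root / "etc" / "hosts", 0o644)
        os.chmod(root / "bin" / "ls", 0o755)
        baseline = snapshot(root)

        # Simulated intrusion: second uid-0 account, trojaned ls, dropped
        # backdoor, hosts file made world-writable.
        (root / "etc" / "passwd").write_text(
            "root:x:0:0:root:/root:/bin/sh\nsvc:x:0:0::/:/bin/sh\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF placeholder for a trojaned binary")
        (root / "bin" / "nc").write_bytes(b"\x7fELF placeholder for a dropped backdoor")
        os.chmod(root / "etc" / "hosts", 0o666)
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category:12} {paths}")
```

In a real deployment the baseline must be stored somewhere the host's root user cannot rewrite (read-only media or a central server), otherwise the intruder who replaced ls will simply replace the baseline too.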

A network-based IDS (NIDS) watches a whole network segment, analyzes the traffic patterns and reports any suspicious activity. A NIDS usually consists of a network appliance (sensor) or a server with a NIC in promiscuous mode. It is placed along a network segment or boundary and monitors all traffic on that segment.

There are 3 detection methods used by network IDS.

Signature Based - monitors and compares packets against pre-determined signatures or "attack patterns". A signature-based system cannot detect attacks for which it has no signature, including a known attack that has been slightly altered or encoded to evade the pattern.


Protocol Based - monitors the dynamic behavior and state of a protocol. It typically consists of a system or agent sitting at the front end of a server, monitoring and analyzing the communication between a connected device and the system it is protecting, and flagging traffic that violates the protocol's expected sequence of states.

Anomaly Based - a baseline of normal behavior is determined and set, and anything outside this "baseline" is considered an anomaly and therefore a possible attack. The benefit is that novel attacks can be caught; the cost is a higher false-positive rate, since legitimate but unusual activity (a backup job, a newly deployed application) also falls outside the baseline.
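Signature and anomaly detection are easiest to compare when both run over the same traffic. The following is an added example, not code from the original post: a few toy signatures are matched against request payloads, and in parallel a connection-rate baseline is learned from ten quiet minutes and used to flag sources that exceed it. The events are constructed (documentation-range addresses, one-line payloads) to stand for the connection records a sensor would produce. The monitored minute deliberately contains a URL-encoded traversal that no signature matches and a legitimate backup burst that the anomaly detector flags anyway, which are the two shortcomings described above.

```python
"""Signature-based and anomaly-based detection side by side over one traffic log.

Added example, not from the original post. The events are constructed
(documentation-range addresses, one-line request payloads) to stand for the
connection records a sensor would produce; the signatures are toy versions of
real rule patterns.
"""
import re
import statistics
from collections import Counter

# Signature detection: fixed patterns known to be bad.
SIGNATURES = [
    ("path-traversal", re.compile(rb"\.\./\.\./")),
    ("sql-injection", re.compile(rb"union\s+select", re.I)),
    ("cmd-injection", re.compile(rb";\s*(?:cat|wget|curl)\s")),
]


def signature_matches(events) -> list:
    """(timestamp, source, rule) for every event whose payload matches a rule."""
    return [(e["ts"], e["src"], name)
            for e in events for name, pattern in SIGNATURES if pattern.search(e["payload"])]


# Anomaly detection: learn what a normal connection rate per source looks like.
def learn_baseline(training_events, window: int = 60) -> tuple:
    """Mean and standard deviation of connections per source per window."""
    counts = Counter((e["src"], e["ts"] // window) for e in training_events)
    values = list(counts.values())
    return statistics.mean(values), statistics.pstdev(values)


def anomalies(events, baseline: tuple, window: int = 60, k: float = 3.0) -> list:
    """(source, window start, count) for sources more than k sigma above the mean."""
    mean, sigma = baseline
    counts = Counter((e["src"], e["ts"] // window) for e in events)
    return sorted((src, w * window, n) for (src, w), n in counts.items() if n > mean + k * sigma)


def make_events(src: str, start: int, n: int, payload: bytes = b"GET / HTTP/1.1") -> list:
    """n one-second-apart connection records from src (constructed data)."""
    return [{"ts": start + i, "src": src, "payload": payload} for i in range(n)]


# Ten quiet minutes to learn from: three hosts at steady rates.
TRAINING = []
for minute in range(10):
    TRAINING += make_events("10.0.0.10", minute * 60, 5)
    TRAINING += make_events("10.0.0.11", minute * 60, 4)
    TRAINING += make_events("10.0.0.12", minute * 60, 6)

# The minute under observation.
MONITORED = (
    make_events("10.0.0.10", 600, 5)                 # normal
    + make_events("10.0.0.40", 600, 9)               # legitimate backup burst: a false positive
    + make_events("198.51.100.7", 600, 38)           # scanner hammering the segment
    + [
        {"ts": 640, "src": "198.51.100.7", "payload": b"GET /../../etc/passwd HTTP/1.1"},
        # URL-encoded variant: same attack, no matching signature
        {"ts": 641, "src": "198.51.100.7", "payload": b"GET /cgi-bin/.%2e/.%2e/etc/passwd HTTP/1.1"},
        {"ts": 650, "src": "10.0.0.11", "payload": b"GET /item?id=1 UNION SELECT user,pass FROM t HTTP/1.1"},
    ]
)

if __name__ == "__main__":
    print("signature hits:", signature_matches(MONITORED))
    print("rate anomalies:", anomalies(MONITORED, learn_baseline(TRAINING)))
```

Note what each method misses: the signature engine reports the plain traversal and the SQL injection but is blind to the %2e-encoded traversal, while the rate detector catches the scanner without any signature at all and also raises an alert on 10.0.0.40, which is only doing its nightly backup. A real sensor normalizes (URL-decodes) payloads before matching and lets analysts whitelist known bursts.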

When using any type of IDS it is important to know the shortcomings of each type and be prepared to handle any threat. Use a HIDS alongside a NIDS: an IDS detects rather than prevents, but the two types work hand in hand to give visibility on the client, the host, the servers and the network when malicious activity occurs.

DMZ-Not what you think it is

What is a DMZ and how to protect your network


A Demilitarized Zone (DMZ) is a buffer network between the Internet and the internal network. It holds the services the outside world must reach (web, mail, DNS) without exposing the internal network or interrupting those services. The firewall in front of the DMZ receives all incoming packets from the outer network, checks them against the rules defined by the security administrators and then allows or drops them accordingly.

The classic DMZ consists of 2 firewalls: the perimeter (front-end) firewall allows traffic from the Internet into the DMZ only, and the second (back-end) firewall allows only specific traffic from the DMZ into the internal network. This design is considered more secure since 2 devices would have to be compromised to gain access to the internal network. It is even more secure if 2 different vendors are used for the devices, since it is less likely that both would share the same vulnerabilities. A drawback of this type is the cost of the equipment. Correct configuration is the key aspect for the DMZ to work effectively.

Hosts in the DMZ are permitted only limited connectivity to specific hosts in the internal network, because a DMZ host is exposed and is not as trusted as the internal network. Similarly, communication between hosts in the DMZ and the external network is restricted, to make the DMZ more secure than the Internet and suitable for housing these special-purpose services. The result is that hosts in the DMZ can communicate with both the internal and the external network, while an intervening firewall controls the traffic between the DMZ servers and the internal network clients, and another firewall performs some level of control to protect the DMZ from the external network.

Another type of DMZ is the service leg, or "3-legged" DMZ, common in small business or home networks. It is built with a single firewall that has three interfaces (legs), one for each zone: the internal network, the DMZ network and the Internet. Each zone is configured to "see" or receive only the traffic destined for it, by rules assigned in the firewall, and each zone has its own set of rules. Because one device separates all three zones, a single firewall compromise or misconfiguration exposes everything, which is the trade-off against the two-firewall design.

You'll want to block traffic from the Internet to the internal computers. You should also restrict traffic from the DMZ to the internal network, as well as traffic from the Internet to the DMZ. Allow only the traffic that is necessary for your users to access the resources they need. This means applying the "principle of least privilege": your default is to deny all traffic, and then you allow protocols and open ports on a "need to know" basis.
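The rule set those three paragraphs describe looks like this when written down. The following is an added example, not code from the original post or from any particular firewall product: a zone-based policy for a three-legged DMZ with default deny, evaluated by a small function so the effect of each rule can be checked. The address ranges, hosts and rules are constructed for illustration. It also shows the common mistake of leaving the DMZ-to-internal leg open, which turns a compromised web server into a pivot onto every internal host.

```python
"""Zone-based firewall policy for a three-legged DMZ, default deny.

Added example, not from the original post. The address ranges, hosts and rules
are constructed for illustration; the point is the shape of the rule set and
what changes when the DMZ-to-internal leg is left open.
"""
import ipaddress

# The three legs. Anything not in a named zone is the Internet.
ZONES = {
    "internal": ipaddress.ip_network("10.0.0.0/8"),
    "dmz": ipaddress.ip_network("203.0.113.0/24"),
}

# (source zone, destination zone, destination host or None, protocol, port or None).
# First matching rule allows; no match means deny.
STRICT_RULES = [
    ("internet", "dmz", "203.0.113.10", "tcp", 80),    # public web server
    ("internet", "dmz", "203.0.113.10", "tcp", 443),
    ("internet", "dmz", "203.0.113.25", "tcp", 25),    # inbound mail relay
    ("dmz", "internal", "10.0.0.5", "tcp", 3306),      # web server to its database, nothing else
    ("internal", "dmz", None, "tcp", None),            # staff manage DMZ hosts
    ("internal", "internet", None, "tcp", 80),         # outbound browsing
    ("internal", "internet", None, "tcp", 443),
]

# The common mistake: "the DMZ is ours, let it talk to the inside". A compromised
# web server then reaches every internal host on every port.
PERMISSIVE_RULES = STRICT_RULES + [("dmz", "internal", None, "any", None)]


def zone_of(ip: str) -> str:
    """Which leg an address sits on."""
    addr = ipaddress.ip_address(ip)
    for name, network in ZONES.items():
        if addr in network:
            return name
    return "internet"


def decide(rules, src_ip: str, dst_ip: str, proto: str, dport: int) -> str:
    """'allow' or 'deny' for one connection attempt crossing the firewall."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone == dst_zone:
        return "allow"  # same leg: the firewall is not in the path
    for r_src, r_dst, r_host, r_proto, r_port in rules:
        if (r_src, r_dst) != (src_zone, dst_zone):
            continue
        if r_host is not None and r_host != dst_ip:
            continue
        if r_proto != "any" and r_proto != proto:
            continue
        if r_port is not None and r_port != dport:
            continue
        return "allow"
    return "deny"


if __name__ == "__main__":
    attempts = [
        ("198.51.100.9", "203.0.113.10", "tcp", 443),   # visitor to web server
        ("198.51.100.9", "203.0.113.10", "tcp", 22),    # visitor to web server's SSH
        ("198.51.100.9", "10.0.0.7", "tcp", 445),       # visitor straight to a file server
        ("203.0.113.10", "10.0.0.5", "tcp", 3306),      # web server to its database
        ("203.0.113.10", "10.0.0.7", "tcp", 445),       # compromised web server pivoting
    ]
    for attempt in attempts:
        print(attempt, "strict:", decide(STRICT_RULES, *attempt),
              "permissive:", decide(PERMISSIVE_RULES, *attempt))
```

The only line that changes between the two rule sets is the last one in PERMISSIVE_RULES, and it is the line that decides whether a web server compromise stays in the DMZ or becomes an internal network compromise.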

There is a special use of the DMZ that is becoming more popular: creating a "honeynet". This is a network that consists of one or more "honeypot" computers designed to lure hackers, either so they can be caught or tracked, or to divert them from the network's real resources. Unlike with other DMZs, you actually want this network to be compromised.

Often the computers on the honeynet are virtual machines all installed on a single physical machine, and intrusion detection systems and other monitoring systems are put in place to gather information about the hackers' techniques, tactics and identities. The honeynet must still be firewalled off from the real network, since an attacker who takes a honeypot will try to use it as a stepping stone.




So as you can see, a DMZ is not only a place in Korea but also an important part of protecting a network.

Friday, November 8, 2013

Keep your PII to yourself

IA (information assurance) security is every person's responsibility. Criminals will go to great lengths to get Personally Identifiable Information (PII) to steal a person's credit, bank accounts and identity for their own personal gain. Almost everything a person does online requires PII. From logging onto a social network to checking your bank account balance, some form of PII is required to access the information. What is PII? It can be a first name, last name, birth date, gender, address or phone number, to name a few. Just knowing a first name may seem innocent enough, but a criminal can combine that first name with a picture of you from social media and other scraps of information to target your identity. There are safeguards to help keep a person's PII safe, but it is up to each person to follow the correct measures. A few don'ts: Don't post your full name on a public website. For social media, always follow the rule that the less they see, the less they know. Posting family pictures for your family to see is wonderful, but not if the privacy settings allow public viewing. Do not post publicly that you are leaving on vacation; this is an open door for criminals. Be aware of your surroundings while using an ATM, even inside a large store, and if something seems suspicious report it to the proper authorities. Be wary of phone calls asking for your bank account or credit card information: neither your bank nor your card issuer will ever ask for your PIN.

In the digital world, identity theft is a worldwide problem. There are networks of criminals waiting to take advantage of a person who forgot to log off their computer, or who didn't pay attention while walking into a secure area at work and let someone slip in behind them (this is "tailgating"; "shoulder surfing" is watching over your shoulder as you type a password or PIN). There are people who cruise through neighborhoods looking for an open home wireless network to break into ("wardriving"). If that succeeds, they can steal your PII from your computer at home without you even knowing it. One way to prevent this is to secure your home network with WPA2 encryption and a strong passphrase; WEP is broken and can be cracked in minutes, so it should not be used. Change the router's default administrator password. Hiding the SSID adds little, since the network name is still visible to anyone with a wireless sniffer, so do not rely on it. As you can see there are many layers to protecting a home network. There are also ways to protect your computer (anti-virus software, firewall, etc.), but there are ways for criminals to work around these measures too. There will always be a threat of "digital intrusion", therefore it is up to each person to know what the risks are. Do keep your anti-virus updated, do shred mail and anything else that contains PII, and do log off your computer when it is not in use. The job of protecting your PII starts with YOU.

Another area of concern is allowing young children online without supervision. They can click on a pop-up without even realizing they did and download a virus that logs your every keystroke. As you can imagine, this poses a huge risk to your and your family's PII. Always supervise an online session with children and teach them the safe way to "surf the web".


Keep your PII to yourself please :-)