The US Department of Health and Human Services (HHS), Office for Civil Rights (OCR), published an advisory in the March issue of its “Cybersecurity Newsletter” warning of a well-known attack method known as the man-in-the-middle (MitM) attack. This type of attack is used by attackers to, exactly as it sounds, become a man in the middle of a secure connection. So, while the victim thinks they are connecting to their destination website (e.g. bank, social media, email, etc), the attacker is taking over the connection and can see any data “in the clear” before it is forwarded on to the actual destination.
While researching future blog post topics, I discovered that many people are searching on Google in the hopes of better understanding the benefits of having a penetration test done. This is a great question, and it is especially important to understand the answer even if your organization is not governed by regulatory or compliance requirements to have a penetration test done. There are plenty of reasons to conduct a pen test, or red team assessment, on your organization’s technical environment.
If you are reading this blog post, you have survived 2016. By most accounts, it was a rough year in regards to the state of security in healthcare. Cyber attacks have been no exception to this calculation. We saw the announcements of some of the biggest breaches in history, the continued proliferation of ransomware, and even the recent reports that Russia was meddling in U.S. politics through attacks on IT security.
There are many important aspects to consider in any given penetration test. I have talked at length in other blog posts about many of these considerations. There is one important aspect I have not written much about. It is critically important to determine the amount of foreknowledge that the tester should get. This aspect has a plethora of names but is almost always referred to with the “box” descriptor. In college, I was taught white box, gray box, and black box as the three levels of disclosure related to a penetration test. Many, including CynergisTek, use the term “crystal” in place of “white”. Really, the names are just descriptors – the concept remains the same and that is what’s most crucial.
Background Around 8:00 p.m. on September 20th hackers who were upset about being outed by Brian Krebs, a well-known security and IT journalist, attacked his website with what was then the largest Distributed Denial of Service (DDoS) attack in history. The attack against krebsonsecurity.com was perpetrated using a previously hypothesized piece of malware that takes control of Internet of Things (IoT) devices and uses them to create a powerful bot net (a network of infected
Most corporate systems, whether end-user systems or core servers, are guarded by various malicious software protections. These usually present in the form of anti-virus (AV), data-loss protection (DLP), and host-based intrusion detection (HIDS). These protections are useful for the defenders as they help the systems to remain safe, secure, and free from malicious code. At the very least, the hard drive, or non-volatile memory, is typically kept safe.
Recently, in performing my daily due diligence to keep up with the latest news and changes in information security, one article in particular caught my attention. Its topic of SSL encryption, and the related research, are particularly fascinating and nascent to me as an offensive security professional. The first article was in Dark Reading, and while its title was a bit “click-bait like” it is still true: more than 40% of attacks abuse SSL encryption. This did not catch my attention
Serious Vulnerability in Non-Bluetooth Wireless Human Interface Devices (HIDs) Overview Over the last week, I have been working to better understand the MouseJack hack and how easily it could be exploited. It turns out that this is a very concerning attack. Without purchasing any hardware (mostly because I have several different Logitech keyboards and mice), I was able to re-flash the firmware on a standard Logitech Unifying receiver.
Black Hat Last week marked my third year in Las Vegas for the annual “hacker conferences,” BSides Las Vegas (which I was unable to attend), DEF CON and Black Hat. Black Hat is two days of briefings, tool demos, workshops, and a very large array of security vendors. Finally, the week affectionately known as “hacker summer camp” by attendees is capped off with the largest, longest-running, hacker conference in the world – DEF CON.
As I am writing this particular blog post, I am just eight days from flying to fabulous Las Vegas, Nevada. Why on earth would I, or anyone not required to, go to the middle of the desert during the hottest possible time of the year (the first week in August)? Because that weekend is the biggest, and oldest, hacker gathering in the world. The gathering I am talking about is the 24th annual DEF CON where more than 10,000 hackers