Crypto-Jacking Tesla

Tesla just mined some bitcoin for hackers.

Hackers accessed Tesla’s Kubernetes administration console, which was not password protected. Kubernetes is an open-source system for automating deployment, scaling and management of containerized applications. As it turns out, companies that use Kubernetes are known to lack password protection on that console – so it’s a known exploit.

Once inside Kubernetes, the hackers then accessed servers run from within Kubernetes on Amazon AWS. They installed mining pool software using a version of WannaMine and created a server that sent completed cryptocurrency calculations to a private IP, which thwarted malicious-IP detection. The hackers also configured the server to run at a lower CPU usage setting to avoid usage alarms and CPU usage spikes.

It’s clear that a more lucrative business model for hackers is to steal computer resources to mine bitcoin rather than to steal and sell data, especially when bitcoin prices trend higher.

According to WENY News, “As bitcoin and other cryptocurrency prices soar, “cryptojacking” attackers surreptitiously take over web browsers, phones and servers to make some serious profit.”

If you suspect your computer is using too many resources, check your CPU usage and act. The simplest way to stop a malicious crypto-miner installed on your machine is to simply kill the process by closing the application you think has been hijacked.
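The throttled miner described above is exactly the case a plain “CPU over 90%” alarm misses. As an added example (not from the original post or from any of the cited reports), the script below runs a classic spike alarm and a sustained-load check over constructed per-process CPU samples; the process names, PIDs and thresholds are made-up assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcessSample:
    pid: int
    name: str
    cpu_percent: float  # share of one core over the sample interval
    timestamp: int      # seconds since the epoch


SPIKE_THRESHOLD = 90.0     # what a typical utilisation alarm fires on
SUSTAINED_FLOOR = 25.0     # well under the alarm, but more than idle churn
SUSTAINED_SECONDS = 1800   # thirty minutes without ever dropping below the floor


def spike_alerts(samples: List[ProcessSample]) -> List[int]:
    """Classic alarm: flag any process that ever crosses the spike threshold."""
    return sorted({s.pid for s in samples if s.cpu_percent >= SPIKE_THRESHOLD})


def sustained_load_alerts(samples: List[ProcessSample],
                          floor: float = SUSTAINED_FLOOR,
                          min_seconds: int = SUSTAINED_SECONDS) -> List[int]:
    """Flag processes whose CPU share never drops below `floor`
    for an unbroken run of at least `min_seconds`."""
    by_pid: Dict[int, List[ProcessSample]] = {}
    for s in samples:
        by_pid.setdefault(s.pid, []).append(s)
    flagged = []
    for pid, series in by_pid.items():
        series.sort(key=lambda s: s.timestamp)
        run_start = None  # timestamp where the current above-floor run began
        for s in series:
            if s.cpu_percent >= floor:
                if run_start is None:
                    run_start = s.timestamp
                if s.timestamp - run_start >= min_seconds:
                    flagged.append(pid)
                    break
            else:
                run_start = None
    return sorted(flagged)


def build_constructed_samples() -> List[ProcessSample]:
    """Constructed telemetry: one sample per process every 60 s for an hour."""
    samples = []
    for i in range(60):
        t = 1_519_000_000 + 60 * i
        # web server: mostly idle, with a short burst that trips the spike alarm
        samples.append(ProcessSample(101, "nginx", 95.0 if i in (7, 8) else 5.0, t))
        # backup job: heavy, but only for ten minutes, so not sustained
        samples.append(ProcessSample(202, "backup", 80.0 if 20 <= i < 30 else 2.0, t))
        # throttled miner (hypothetical): never high enough to alarm, never idle
        samples.append(ProcessSample(303, "kworker", 38.0 + (i % 3), t))
    return samples


if __name__ == "__main__":
    data = build_constructed_samples()
    print("spike alarm flags:    ", spike_alerts(data))          # [101]
    print("sustained-load flags: ", sustained_load_alerts(data))  # [303]
```

The spike alarm only sees the web server burst; the sustained-load check is what catches the process sitting at 38–40% for the whole hour.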

Sources:

https://motherboard.vice.com/en_us/article/yw5yp7/monero-mining-wannamine-wannacry-nsa

https://nakedsecurity.sophos.com/2018/02/22/tesla-cryptojacked-by-currency-miners/

http://www.weny.com/story/37567379/cryptojackers-are-hacking-websites-to-mine-cryptocurrencies

The Philadelphia Cyber Security Job Market

Since the University’s Computer Science Department offers a Computer Security Certificate and Cyber Security is a growing area of interest for college grads, I was curious how many entry level jobs are currently available in the Cyber Security field, especially in the Philadelphia region.

I decided to check two sources, Dice.com and Indeed.com, using a general search on “Cyber Security” to capture most types of jobs related to the field. I started with a search on Indeed which returned 491 full-time jobs within 25 miles of Philadelphia, PA. I was surprised there were so many. Cyber is popular right now but that seemed high. If it wasn’t high, then local grads might be well positioned to capitalize on a favorable job market! How many Cyber jobs are there in New York City, I wondered? Indeed returned 1653 full-time jobs. There are literally four times the number of Cyber jobs in New York City than in Philadelphia. I then decided to check the region that should have the most Cyber jobs: Silicon Valley, of course. I searched all of California and noted 3525 full-time jobs in Cyber Security. I expected there to be more. Finally, I was struck by the idea of checking Washington, DC for Cyber jobs and there it was – the Cyber jackpot: 9197 full-time jobs! The Government sector is clearly the largest Cyber employer.

It was time to compare these results to Dice.com, which is known as a job site for the tech industry. I searched Philadelphia for ‘Cyber Security’ and was surprised: only 205 full-time jobs! I searched New York and only found 824 jobs. California returned 1310 jobs and the Cyber Holy Grail, Washington, DC, returned 1960 jobs. To my surprise, there’s a very significant discrepancy, a factor of 4 or greater, between the two job ad sites.

I needed to figure out why. Here’s where job sites get murky: they need to monetize their platforms. Indeed monetizes by inserting ‘sponsored’ job ads inside your search results. This simply means there are multiple duplicates of the same job ad on each page you view, which completely inflates the number of available jobs in your search results. Dice monetizes their platform by charging per ad and with banner and sidebar ads. Trying to interpret which site would have the most accurate data is subjective without more data. I’ll assume for this post that Dice has more accurate job posting volumes simply because each ad costs a company $395 to post from an HR budget. The negative of Dice is that searches are less granular: searching Cyber jobs in Philadelphia also serves job postings from New York. Very perplexing algorithm – obviously intentional – so even Dice has inflated job posting numbers because of this.

As I looked closer, I also noticed a problem for aspiring Cyber graduates: there’s a discrepancy in the volume of entry level positions against the mid-level positions. Translation: most jobs are mid-level tier requiring experience. This holds true across the entire industry. I’ll use Indeed data because they differentiate entry level, mid-level and senior level jobs. The ratio of entry level jobs to available jobs is about 23%. In New York and California, the ratio is 18%. In Washington, DC, the ratio dips to 12%. A generic conclusion is that there are fewer entry level jobs in Cyber.

There’s also a geographical consideration with jobs in Cyber.  New York is clearly focused on Financial – Goldman Sachs has the most job offerings.   In California, Cyber jobs are very granular and niched at the largest tech companies.  In Washington, DC, almost all jobs are Government sector jobs.  In Philadelphia, Cyber isn’t financial; it’s Lockheed Martin and Comcast along with a diverse spread of postings from many regional companies in various business sectors.

Are there Cyber jobs available? Absolutely. Are there a lot of Cyber jobs available? Yes – but your ability to land one is likely related to the amount of experience you have.

Sources:

Dice.com

Indeed.com

AutoSploit – Automated Hacking

AutoSploit recently made news as a potential cyber security threat. The threat comes from the perspective that AutoSploit is an automated version of the Metasploit package found in Kali Linux, an open-source Linux distro popular for pen testing.

I was curious to read people’s reactions to AutoSploit – I was wondering why automating features of a Kali Linux distro would be a problem. I didn’t understand the threat of configuring and using 5 tools manually versus configuring the same 5 tools and hitting one button to start the process.

AutoSploit was authored by Real_Vectors, who announced the release on Twitter and made the code available on GitHub. I read the comments and determined there are generally two camps of responses: one is ‘this is terrible!’ and the second is ‘nice tool’.

The nay-sayers surface arguments about empowering the ‘Script Kiddies’ with automated hacking and how unethical it is.   Those who view it as a useful tool couldn’t wait to use it in their current workflows.

There’s nothing new here. Automated scripts are nothing new in computer security; the necessary discussion is one of ethics and intended use. Anyone can take a valid tool or service and use it for criminal purposes – be it a car, a gun, a pencil sharpener or a hairdryer. Keeping products and services out of the hands of ill-intended individuals isn’t realistic, especially from an open-source perspective where we want people to have and use the tools others have made. It’s what makes open-source so powerful and useful. Without open-source, we wouldn’t have Kali or Parrot, we’d only have expensive proprietary products.

It’s up to the individual to either use pen tools ethically or to cross the line.  An automated process isn’t going to change a person’s character.

There will always be people seeking more efficient ways to perform a task. If networks are protected against individual Metasploit attacks, then automating these attacks shouldn’t matter.

Sources:

https://twitter.com/Real__Vector/status/958412549044801536

https://www.youtube.com/watch?v=_CztCSkt48g  “Threatwire”

https://motherboard.vice.com/en_us/article/xw4emj/autosploit-automated-hacking-tool

The End of the Password Era is Another Step Closer.

This post was the result of an article I read dated February 8, 2018 by Lee Mathews at Forbes.com titled, “Microsoft Ditches Passwords In New Version Of Windows 10”

Passwords are a hassle for everyone: for the user and for the company that must securely maintain them in its databases. No one cares if a single person loses their password due to poor security on their own PC or is scammed/phished into surrendering their password – we think ‘shame on them’ for not keeping their machine up to date. But if a company loses it for the same reasons – it is a company-value-crushing event. At least until we hear about the next large data breach.

Passwords are such a nuisance to create and remember. Different companies have different rules for generating ‘strong’ passwords. It’s like a game: each time you satisfy their special characters, length, repetition and capitalization requirements your green progress bar grows fuller – you feel like you’re winning the computer security game and creating a secure password at the same time. You smugly think to yourself, “Take that, you hackers”. Study computer security for longer than five minutes and you quickly learn it’s a false sense of security. Trying to remember them isn’t a trivial task either – especially if you need to remember numerous passwords created using different generation rules for each site you need to log into. I actually wouldn’t be able to remember a single computer generated password of 16 characters; can you remember ‘wzdHgV5D}X!Eme.9’? (Thank you passwordsgenerator.net, but I’ll pass)

You’re not supposed to write passwords down. Not even at home where they should be most safe. I use a secure app to store mine, but if I lose my phone, I’ll spend half a day resetting all my passwords after buying a new expensive phone. Of course, trying to use the silly validation questions because I need to reset the password for a specific site is arguably a futile practice; I can remember a pet’s name – but which one did I use? What was my favorite vacation destination? Chain a few of these useless queries together and I start to laugh. So 90’s…

Passwords need to become a thing of the past.

Saying goodbye to passwords would be fantastic – though I don’t expect it to happen anytime soon. What we’re talking about in the article is simplifying the login process on a single account or computer. We’re still some distance from using a coordinated cloud with a single AAAS provider to access all of your apps in one place. That implies the concept of Authentication As-A-Service. Big companies are starting to do it – Amazon AWS and now Microsoft, but only for their own accounts. It’s exciting to watch – it’s my opinion that Authentication will eventually be a single point process in the cloud which will provide all my apps and services.

To illustrate: to log into my AWS console I simply enter an email address and use Google’s Authenticator app that generates numeric codes linked to my specific AWS account. I have 25 seconds to enter the correct code before it generates a new 6-digit code. I appreciate the simplicity. If Amazon (or Microsoft) were to become the single repository of all the apps I use and offer a single login, I would declare such a service to be “brilliant!”.

According to Lee Mathews, who penned the article that got my attention, “ In the new version, you simply tap a notification on your phone to authorize your account.

That app is the Microsoft Authenticator, and it, too, has been in app stores for quite a while. While you can use it to sign yourself in to a number of Microsoft’s services, you couldn’t use it to authenticate yourself on a Windows computer.

That’s changed with the arrival of Windows 10 Build 17093, which Windows Insiders are testing now. Install Microsoft Authenticator on your phone and sign in with your Microsoft account. Sign in with the same account on your computer. When Microsoft sees that you’re trying to sign in, it will send an alert to your phone and ask you to approve the request.”

Of course, there are also biometric ways to log into accounts which financial services seem to prefer right now.   I appreciate those too.  The key take-away is that it’s nice to take a step in the right direction, but the reality is I’m still faced with the same basic problem; redundant layers of Authentication for each computer, app or service I use.   There will be a better way in the future…after large companies finally realize that a coordinated single platform for Authentication will be more secure and convenient for everyone.

Resources:

https://www.forbes.com/sites/leemathews/2018/02/08/microsoft-ditches-passwords-in-new-version-of-windows-10/#4befe7f32549

https://passwordsgenerator.net/

My WordPress Security Process and AWS Lambda

WordPress is a popular content management system (CMS) that allows people to quickly launch a web property online without building one from scratch using HTML and CSS. I chose to use WordPress as the CMS for my CSC301 Computer Security blog.

My experience with WordPress has been positive.  WordPress has a shallow learning curve and the platform is customizable with countless themes and plugins available.  In short order, you can get your web property looking the way you want.  But there is a downside to any CMS – security is an issue.

Since the WordPress CMS usage and community are so large, the primary vulnerability with WordPress is that there are literally tens of thousands of themes and plugins written by thousands (or more) developers that allow you to customize your site with the functionality you desire – there’s a plugin for it.  Herein lies the problem.  Thousands of developers of all skill levels are writing great plugins as well as complete garbage.  In fairness, I see that most of the popular plugins have gone through many iterations and are reputable.  New and untested plugins are a cause for alarm.

I decided to look into WordPress security further. How does someone secure their WordPress site? Searching ‘WordPress Security scan’ is an immediate quagmire of monthly services offering everything from malware scans and DDOS attack protection to personalized pen testing. It’s a rabbit hole. Searching WordPress Security plugins is also a rabbit hole – many offer free basic service but charge premiums for more encompassing services. You can take a hands-off approach and have a third party manage the hosting of your site at $29.99 a month. These hosts all say the same thing, if they say anything at all about security – we scan for malware and SQL injections and have backend rules to ban offending IP addresses. Those companies rely on whatever service they subscribe to that protects their own network. Like I said, WordPress is a large platform with many people angling for financial success.

I decided that perhaps I should read the docs about security at WordPress.org to learn more about WordPress security, the security of the WordPress API or security best practices for a developer. Guess what I found? I was surprised to find nothing about security in the docs. I suspect there’s an internal process for managing security for the platform itself at the organizational level, but at the developer level, there is none. It’s the developer’s responsibility to write a secure theme or plugin and the community’s responsibility to report bugs. I’m still disappointed at the lack of security discussion at WordPress.org. A constructive suggestion would be for them to create a security tab and link some resources or create a simple best practices doc.

What’s my security solution for WordPress (because I do appreciate it as a platform)? I’m using Amazon’s AWS Lambda. What is Lambda? It’s a Serverless instance configured by AWS. I simply click the application I’d like to initiate and I’m done. AWS offers a WordPress Application for Lambda that I was curious to try, since leveraging the AWS backend seems to make sense, especially if I don’t have to configure a thing. When I decided to read the docs about security at AWS, I was presented with multiple resources and services. There’s enough to be confused about, especially if you’re not familiar with their ever-evolving services.

I launched my blog in less than 30 minutes.  It would have been faster, but I had to wait about 10 minutes for “attackworm.com” to clear through the AWS Route53 domain name system and I had to skim a couple articles about AWS Lambda applications and FAQ.

My WordPress security strategy is to host my blog for $5 a month at AWS with a Serverless instance. The other part of my strategy is to use the most popular, simple and vanilla theme with as few plugins as possible so as to limit my exposure to vulnerabilities. It’s not difficult to do my part and keep a simple theme and one or two plugins up to date without breakage.

The rest of my strategy involves integrating and testing additional AWS security offerings and discussing my thoughts on this blog as an interesting security project and learning experience.

In my next article:  A deeper discussion of AWS Lambda and my WordPress security adventure.

https://developer.wordpress.org/

https://aws.amazon.com/security/?nc1=f_cc

https://aws.amazon.com/lambda/faqs/

https://themeisle.com/blog/common-wordpress-attacks/

https://piotrminkowski.wordpress.com/2017/06/23/serverless-on-aws-lambda/

https://read.acloud.guru/security-and-serverless-ec52817385c4

https://www.slideshare.net/AmazonWebServices/security-best-practices-for-serverless-applications-july-2017-aws-online-tech-talks

Chronicle: Alphabet’s Cyber Security Company

According to USA Today, Chronicle, a Cyber Security offering, was incubated and just spun out of Alphabet’s experimental lab X, known as the “Moonshot Factory” for its pursuit of big challenges such as driverless cars.

The global cyber security market is worth nearly $100 billion according to Gartner. That number continues to climb since Cyber Security continues its climb up the funding ladder of many companies. There is an ever-growing list of companies offering Cyber Security services ranging from simple PC monitoring to comprehensive network log analysis and audit. Chronicle is the first from a company deeply rooted in Artificial Intelligence of the magnitude of Alphabet.

My initial reaction to the announcement was curiosity, and to wonder if Chronicle is a Machine Learning (ML) solution that integrates with their open-sourced TensorFlow platform. The USA Today article was vague. Being one of Alphabet’s primary strengths, ML makes sense as the next logical iteration in Cyber Security: an algorithmic learning component tailored to a company’s or sector’s unique attack/threat vectors. For example, it would make sense that Chronicle would offer an ML service that identifies and defends against attacks on the financial sector; whoever is attacking Vanguard is likely attacking Fidelity and Schwab. In other words, Chronicle may be able to quickly specialize in any business sector.

Digging further, it was clear the USA Today article missed how Alphabet plans to incorporate ML into their Chronicle offering:  According to Reuters, “Chronicle is betting on the premise that machine learning software, a type of artificial intelligence, can sift and analyze massive stores of data to detect cyber threats more quickly and precisely than is possible with traditional methods”.

Initial speculation has the service focused on log analysis across large networks. Since there are already many companies offering log analysis, there should be more than one facet to their service, unless the speed at which they identify attacks is superior to competitors.

I wonder if Chronicle is supposed to be an enterprise-sized offering, or is the roadmap heading toward a cloud offering even at the PC level? Time will tell.

Interestingly, Alphabet enters the Cyber Security market laterally instead of from the ground up, meaning their solution is unproven. I don’t believe it hurts their business case since they are leveraging well-established resources – which in this case is superior ML. Google is an ML Goliath; if they have a bona fide solution, they could easily leverage their brand into businesses worldwide with a Cyber Security solution that should cost markedly less than existing offerings because the backend is already in place and profitable. Look out Check Point, Symantec and Palo Alto, you need to take notice – Alphabet is eyeing your lunch!

If Chronicle has early success, Microsoft and Amazon will take notice quickly and rush to leverage their AI platforms into Cyber Security offerings. If you’d like to peruse a clever article on the subject, read Steve Morgan’s article about who will be the players in Cyber Security in 2018. It’s short, succinct and clever.

The premise of using ML quickly and at scale in Cyber Security makes perfect sense, especially since TensorFlow is currently the de-facto ML platform – likely because it has been open-sourced for several years. A clear advantage. I think Chronicle will initially be successful, but they themselves will get their lunch eaten by Amazon. I’m not sure if Amazon’s ML offering would be on par with Alphabet’s at first, but I am very certain that Amazon’s AWS services can provision a Cyber Security service anywhere in the world within minutes. They will certainly change the way Cyber Security services are delivered. That’s the real story, which has been missed.

Sources:

https://www.usatoday.com/story/tech/2018/01/24/google-parent-alphabet-unveils-cybersecurity-unit-chronicle/1062933001/

https://www.reuters.com/article/us-alphabet-chronicle/alphabet-unveils-business-unit-devoted-to-cyber-security-idUSKBN1FD2U3

https://www.gartner.com/newsroom/id/3784965

https://www.csoonline.com/article/3243293/security/whos-who-in-the-cybersecurity-market-the-inside-scoop-for-2018.html