Hill Top Security selected by Mach37 cyber accelerator!

Hill Top Security is proud to announce the company’s selection as a Spring 2016 cohort in the Mach37 cyber accelerator program. The company’s founders, Steve Baker, Neil Wright and Tom Gilmore, will participate in the 90 day intensive accelerator program at the Center for Innovative Technology (CIT) in Dulles, VA.


See the Mach37 Press Release at: https://www.mach37.com/assets/1/13/MACH37_Spring16_Release.pdf

Patching is your first line of defense

Hacking has become as routine as the common cold and it seems as if there is no defense against hackers.  It only “seems” that way though.  Most network intrusions are fairly low tech and have little in common with the exploits portrayed in movies like Swordfish and Blackhat.   According to the latest data, 75% of intrusions have exploited unpatched hardware and software.  Unlike the attacks portrayed in the movies, the typical attacker scans his target to determine what systems are in use.   We refer to this phase of the attack as reconnaissance, and during this phase, the attacker does what we call footprinting and enumeration.

Footprinting entails identifying what hardware and software is in use by the target, and enumeration identifies the specific versions of that software, including the latest builds or releases. This is critical information for the attacker because he can use this intelligence to determine whether the target has any known vulnerabilities. What the attacker is looking for are unpatched systems with vulnerabilities that can be exploited. Those unpatched vulnerabilities are usually the way hackers get in.

Vendors are continuously releasing security updates to fix vulnerabilities, but many organizations fail to implement them in time to prevent the vulnerability from being exploited. This is unfortunate, since simply implementing the most critical patches on time can drastically reduce an organization’s vulnerability and improve its security posture. Regardless of size or type, patching is every organization’s first and most important line of defense.
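The same footprinting and enumeration an attacker performs can be run by the defender against their own inventory, which is the quickest way to find the unpatched systems the article describes before someone else does. The script below is an added example, not Hill Top Security’s code: it takes a software inventory (the kind of host/product/version list that self-enumeration produces) and a baseline of the lowest fixed version for each product, and reports every host still running an older build, most severe first so the critical patches get applied first. All product names, versions and severities are constructed placeholders, not real advisories; the check also shows why versions must be compared numerically rather than as strings.

```python
"""
Patch-status check over a software inventory (added example, not Hill Top's code).

The inventory and the baseline below are constructed sample data; the product
names, versions and severities are placeholders, not real advisories.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Baseline:
    product: str
    fixed_version: str   # lowest version in which the flaw is fixed (constructed)
    severity: str        # "critical", "high", "medium" or "low"


# Constructed baseline: any build older than fixed_version counts as unpatched.
BASELINE = [
    Baseline("ExampleHTTPd", "2.4.10", "critical"),
    Baseline("ExampleDB", "10.2.1", "high"),
    Baseline("ExampleVPN", "7.0", "medium"),
]

# Constructed inventory, as footprinting/enumeration of our own hosts would record it.
INVENTORY = [
    {"host": "web-01", "product": "ExampleHTTPd", "version": "2.4.9"},
    {"host": "web-02", "product": "ExampleHTTPd", "version": "2.4.12"},
    {"host": "db-01",  "product": "ExampleDB",    "version": "10.10.0"},
    {"host": "vpn-01", "product": "ExampleVPN",   "version": "6.9.3"},
    {"host": "app-01", "product": "ExampleApp",   "version": "1.0"},  # no baseline entry
]

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_version(s):
    """Split a dotted version into a tuple of ints so that 10.10.0 > 10.2.1.

    Comparing the raw strings would get this wrong, because "10.10.0" sorts
    before "10.2.1" character by character.
    """
    return tuple(int(p) for p in re.findall(r"\d+", s))


def is_unpatched(installed, fixed):
    """True when the installed build is older than the first fixed build."""
    return parse_version(installed) < parse_version(fixed)


def find_unpatched(inventory, baseline):
    """Return (host, product, installed, fixed, severity) for every unpatched
    inventory entry, most severe first, then by host name."""
    by_product = {b.product: b for b in baseline}
    findings = []
    for item in inventory:
        b = by_product.get(item["product"])
        if b is None:
            continue  # no known fix to compare against for this product
        if is_unpatched(item["version"], b.fixed_version):
            findings.append(
                (item["host"], b.product, item["version"], b.fixed_version, b.severity)
            )
    findings.sort(key=lambda f: (SEVERITY_RANK[f[4]], f[0]))
    return findings


if __name__ == "__main__":
    for host, product, installed, fixed, sev in find_unpatched(INVENTORY, BASELINE):
        print(f"[{sev:8}] {host}: {product} {installed} < {fixed}")
```

One caveat when doing this for real: some vendors and Linux distributions backport security fixes without bumping the upstream version number, so a version-only comparison can produce false positives there; the vendor’s own advisory or package changelog is the authority in those cases.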


Hacking and Penetration Testing with Low Power Devices Written by Dr. Philip Polstra Reviewed by Bob Monroe

When you think of low power devices you may tend to focus on tablets, smart phones or portable gaming systems like the iPod Touch. Before you shout that the iPod isn’t a gaming platform, tell me how many adults versus kids you see using those things. Yeah, it’s a toy alright. The book Hacking and Penetration Testing with Low Power Devices written by Dr. Philip Polstra is all about the Beagle Bone Board (BBB). I hope you’ve heard of BBBs because they are a cool minicomputer. BBB represents a collection of boards ranging from the BeagleBoard, BeagleBoard-xM and the BeagleBone Black. For the purposes of clarity, when you see BBB in this review, I’m referring to the BeagleBone Black.

Because I’ve been working with minicomputers like the BBB, the Raspberry Pi B+ and old Android phones, I’ve got my favorites just like you have your favorite socks. The author, Dr. Phil, makes plenty of evidence-based arguments as to why the BBB is his favorite. The only problem with his logic is that with any technology, it is outdated the moment he typed it out. One day the Beagle might be the top dog and the next day it’s the Pi. These particular brands of small computers are being beefed up with newer hardware on a regular basis.

You should know though, that this book is aimed at teaching you how to use the BBB as a pen testing tool. The first chapter introduces you to the author’s pride and joy, a compilation of devices that make up “the Deck.” The Deck has been showcased at several hacking conventions over the years. The Deck is a system of tools that can be used as portable drones, air deployable remote control aircraft sensor and even an awesome looking Guitar-Hero platform. The information about building my own Deck was peppered throughout the book. There wasn’t one section that tells you how to build a Deck but rather bits and pieces are discussed throughout the 237 page book. No cheat sheet was provided.

As with any professional hacker/pen tester, the author has to walk an ethical tightrope to ensure they don’t teach everyone how to be criminal hackers yet still give the readers enough details to quench their desire for knowledge. Hacking is not about criminal activities, it is about learning new ways to do things beyond what the manufacturer intended the product to do. You must learn and think on your own.

This book is filled with plenty of incredible knowledge that you may not find anywhere else. For example, chapter five Powering The Deck, covers the critical information needed to determine how to power your low power device. Anyone who has picked up a soldering iron, a voltmeter and some electronic component that requires a magnifying glass to lay down a perfect bead knows how easy it is to fry that device. Pay close attention to Dr. Phil’s research and advice when it comes to providing juice to your low power project.

I like to be mobile so I use an Anker 5V 13000mA small charger, which has enough juice to jump start a car and power my devices. Dr. Polstra provides the reader with plenty of options and plenty of cautions about under powering your device. Most of the newer mini computers have built-in power management hardware to keep the current regulated. The Anker has built-in technology to ensure your device gets exactly what it asks for even as the device environment changes due to the addition of a WiFi adapter, WiFi keyboard, Bluetooth dongle, touch screen, or refrigerator to keep your snacks cold. Dr. Phil warns the user about plugging in any old power adapter you have laying around. Most smart phone power adapters will gladly give the device 5V but it won’t push past 1.5 A. Any drop in amps means your device shuts down or reboots or just allocates power to where it thinks it is important. Your pen tool could become worthless just because you went cheap on the power supply.

Don’t do it. Respect the power! iPad and tablet adapters should be used if you are going to rely on a wall outlet. The BBB can be powered by your computer or laptop via USB but you run the risk of lower amps. Again, respect the power and use the properly rated power adapter or supply if you are going to add on goodies to your board. When you do buy your computer, you are going to want to add on all kinds of neat capes or stuff to fill up the USB ports. The Pi B+ has four while the BBB has one USB port. The Pi B+ wasn’t available when the book was sent to the printers so this is not covered.

Another nice aspect of the book that I was surprised to see was a really good overview of different Linux, Unix, Android and Windows CE operating systems. This was a wonderful learning opportunity simply because I use Ubuntu, Debian, Windows CE and Android for portable systems. Dr. Phil provides great advice on why you would want to follow his footsteps in using Ubuntu (unless you like Kali (Debian), which I prefer). He covers each distro fork as well as which ones have the best repositories or support community.

This is essential when using low power devices because you don’t want useless fluff (bloatware) taking up precious space or resources on your credit card sized project. Yes, these devices are credit card sized just a bit thicker and much cooler to work with. Each basic device runs about $35-$45 U.S., whether you buy a Pi or a BBB. These devices have more computing potential than many laptops and desktops yet use a fraction of the space. Many people ask me “what do you do with this little thing.” I tell them that I can run them as a home media, web, email or FTP server. I can swap out operating systems just by changing out microSD cards. If you want to use the boards to be the brains of a robotics project, easy. Don’t expect to plug and play, though. Maybe you want to replace your desktop with an ultra portable machine. I know the Pi will run Libre Office so I would imagine the BBB could too. Just buy a larger screen or plug in the HDMI to your TV to ease your eye strain.

Hacking and Penetration Testing with Low Power Devices is not entirely light reading. There are areas where the author drops a 100 meter anchor in the ocean of technology and then guides the reader on how far you need to go to retrieve this information. You will be thrown into a Linux terminal of piped commands to install the Deck OS and configure the basics for your BBB. Right from the start, the commands are very clean coding and well documented. I would have never thought to use || (dual piping) in a script. Luckily, Dr. Phil explains his process and shows the reader some basic python language (a must for any security professional to learn). He also explains why some conditions will work in certain shells but not others. If you ever wanted to know what a digital security professor reads, there are plenty of reference books cited along the way.

You need to consider that working with low power devices is a mish-mash of hardware building, software coding, scripting languages, learning by breaking (as it should be to separate the dedicated from the joyriders) and doing a hell of a lot more research on your own. Dr. Phil is not going to spoon-feed you. He provides a path and the choices but it is up to the reader to dive into that ocean and learn the inner workings of low power hacking. This is cutting edge technology so don’t expect easy answers to your questions. Dr. Phil is a teacher who knows that the reader must invest time and effort on their own to make any hacking project.

I’m not sure if it was deliberate but some of the hacking tools he suggests are outdated. Backtrack is mentioned and discussed. Kali is another story since it was built to completely replace Backtrack from scratch. Kali is ported into anything including your kitchen toaster. I was interested to read his use of Xbee communication hardware. There are several new communication protocols going through the RFC stage, including 802.11p for vehicle communications. The Deck uses the Xbee chips for data transfers that, guess what, use very low power. RFCs aren’t exciting to read but the last chapters of this book are focused on sensors, capturing traffic, as well as sending that information back to the mothership. This chapter will make you swallow your gum once you realize the potential and implications of this technology. Imagine a remote control plane flying over your house collecting (war driving) all your WiFi, cellular, Bluetooth, NFC data from people not working for the NSA.

Overall, I found some information caused me to sit up straight in my chair when I started to see the puzzle pieces forming into a picture of our privacy future. In full disclosure, I had worked with Dr. Phil on a project for the Institute for Security and Open Methodologies (ISECOM). No bodily fluids or money changed hands during that project. There are several nods to important pioneers of technology where Dr. Phil either gives you the person’s name or sneaks in that acknowledgment. As I found out, if a sentence doesn’t exactly make sense, there is a reason because the author is throwing a tongue-in-cheek remark at you to see if you’re paying attention.

Hacking and Penetration Testing with Low Power Devices is aimed at teaching the reader how to work with the Beagle Bone Board to create the Deck or project of your choice. Low power computers are built for multiple uses. Once you have one in your hands, you can do numerous custom configurations to suit your interests. If you take the Deck project out of the book you still have a ton of great information on how to build and play with the inexpensive device. Due to the release of many other similar devices (Intel, Texas Instruments, AMD, Arm Cortex and more), the author provides you with ample details you will need to get the most out of whatever you purchase.

Respect the power!

Bob Monroe is a guest writer for Check-6.

About Bob Monroe:

Bob Monroe grew up in Southern California before he joined the U.S. Army in 1985. One of Bob’s first military assignments introduced him to the world of hacking. His prankster ways ended abruptly in 1996 when he was almost caught hacking by an eighty-two year old librarian. This incident led to a renewed interest in cyber security, as a good guy. Since then, he has written several articles for publication and maintains a passion for digital security. Bob holds a Master of Science in Information Assurance from Norwich University.

Bob’s specialty is digital security teaching and awareness training. Along with work for the U.S. Army, he has taught security classes for the Veterans Administration, Military District of Washington, Commandant of the Marine Corps and staff, as well as countless others across the world. He holds a U.S. Patent for airport security automation technology that combines radar and thermal imaging to protect aircraft movement areas and the surrounding airspace. This patent does not impress the TSA folks at all and usually gives them a reason to strip search him instead.

Bob works with the Institute for Security and Open Methodologies (ISECOM.org) and Hacker High School as an editor and writer. Both organizations are non-profit, with the mission of teaching computer security methods across a global audience. In his spare time, Bob makes children’s toys in his small woodshop. He still has all nine fingers, too. Oops, make that seven fingers.

Need Web Developer at Ft. Washington, MD

Hill Top Security Inc. is an SDVOSB with an immediate opening for a Visualization Specialist/Web Developer at Fort Washington, MD. A Bachelor’s Degree in Computer Science or related field is preferred, with 5+ years’ experience in data visualization, visual analytics, information graphics, and computer visualization development (10 years’ experience if pursuing degree). The candidate must possess the following skills:

1. Demonstrated experience in developing SharePoint sites and SharePoint Customization
2. Demonstrated experience working with complex data sets, database use and management, structured and unstructured data
3. Experienced in software application development and coding
4. Demonstrated experience in web programming, scripting, application development as well as systems design, security, and networking
5. Experience in database management and integration and administration of search engine optimization
6. Demonstrated skills in HTML, CSS, and JavaScript knowledge
7. Knowledge in latest trends and tools available for web content management systems.

Salary commensurate with experience. Benefits include Paid Time Off, 401k, Tuition Assistance, Medical, Dental, Life, and Disability Insurance.

To apply, please send resume to jobs@hilltopsi.com.

Cyber Imperatives

The US Director of National Intelligence ranked cyber crime as the top national security threat in 2014, eclipsing terrorism, espionage, and weapons of mass destruction. Cyber crime statistics and the related economic impact of data breaches have become staples on prime time news and in trade journals. The business impact has been significant for many organizations (see Target’s recent settlement news) and may ultimately “tip the scales” with respect to competitive advantage.

The ever-growing list of cautionary tales has a few common threads:

  • Information technology has the ability to enable, drive or inhibit every other business function on a daily basis
  • The vast majority of cyber crime can be prevented with vigilance and training
  • Privacy and security must be integrated by design in your organization’s culture and business processes
  • A robust testing framework must be in place to verify the design and proper function of your security and privacy programs

Another factor that has the potential to “fan the flames” of cyber crime is the acceleration of new business models that harness the choreography of third party services. Offerings such as Uber are disrupting existing value chains and forcing organizations to create or rethink their digital strategy. Despite the virtues of this evolving API-economy, the surface area available for malicious attacks is also increasing. Services and data that cross departmental, organizational and national boundaries require greater scrutiny, stronger partnerships and rigorous adherence to shared security and privacy policies.

Beyond the risk of getting hacked, there are weighty legal and compliance issues awaiting organizations that have not scrupulously deliberated their privacy policy and its enforcement across the third party landscape. An increasing number of jurisdictions throughout the world have data protection laws and privacy directives that are largely ignored.

Addressing security and privacy issues is simpler and less costly if they are “baked in” at an early stage of product development and business process design. The way most organizations handle security is topically with firewalls, “Patch Tuesdays” and on-line coursework. While these are important aspects of a comprehensive approach, there must be a culture of “constructive dissatisfaction” when it comes to implementing and managing security and privacy programs. Areas such as vendor management, mobile security, data loss prevention, privacy compliance and insider threat are only growing in relevance and will become key strategic battle zones that will test organizational foresight and resolve.

Expose Your Risks through Your Assets

Sun Tzu stated “know yourself, and know your enemy, and in 100 battles you will win 99”. What he meant was that you must have a thorough understanding of your own strengths, weaknesses and capabilities as well as those of your opponent in order to persevere in any conflict.

There has been a lot of discussion of late about risk management. The topic of risk management can be in itself overwhelming. The focus here will be what every manager needs to know to get started on a path to reducing and managing risk.

Before you can determine your risks, you have to know what threats exist. To do that, you will need to review your assets to identify what exactly someone may want to steal, destroy, or otherwise tamper with. You will need to inventory your assets and value them. Typically, managers tend to think of hard assets when you mention an asset inventory, but there are other assets you have to consider when addressing risk. There are information assets like intellectual property, trade secrets, and business processes that have to be protected. Some of these, if compromised, could be catastrophic to your organization. What about human capital assets? Are there key employees that would pose a risk to the organization if they are lost? Do you have a mitigation plan for dealing with the operational risk of losing a key employee? If you do not, you are vulnerable to some level of operational impact which could be significant.

Keep in mind, with respect to risk, we are not only concerned with security risks, but we also need to identify operational, financial, and legal risks. For example, your HR department stores personally identifiable information on all the organization’s employees. This information, if compromised, can expose the organization to possible fines under Sarbanes-Oxley (SOX) and the Health Insurance Portability and Accountability Act (HIPAA). In addition, some of the fines and punitive measures can be personally levied against senior management. C-suite executives are especially at risk due to recent regulations that allow them to be held personally responsible for not establishing adequate controls to protect information, particularly in publicly traded companies.

An asset inventory and assessment will help you to identify all the tangible and non-tangible assets that your organization has and what value they represent. Asset value is not always as apparent as it would seem, and requires an understanding of what business functions and activities the asset supports. For example, a web server might be improperly valued at replacement cost if its main purpose is overlooked. If the purpose of the web server is running the company’s e-commerce site, the value would need to be based on the revenue the server generated in addition to physical replacement value. Knowing the true value of the asset will give you the best chance for making right decisions with regard to risk management. After conducting a cost-benefit analysis, you will know what risk mitigation measures need to be in place to respond to any risk that materializes.

Not all risks can be eliminated. The simple fact is that we cannot control all the forces that generate threats. However, we can manage risk and increase our ability to survive the risks that do occur while simultaneously preventing many from even happening. Know yourself by understanding your assets and you will be better prepared.

Have Your PII, But Protect It Too

According to a recent GAO report, “The escalation of security breaches involving personally identifiable information (PII) has contributed to the loss of millions of records over the past few years.”

When PII is mentioned we normally think of employee HR files, or we worry about someone misusing our credit card information and identity theft. There are other ways in which PII can be mishandled.

As a football coach for a local high school I was required to maintain Emergency Data Forms for each student traveling with us, including football players, cheerleaders and equipment managers. Long gone are the days of just showing up at an emergency room with an injury and getting treatment without consent forms, liability release signatures and proof of insurance. HIPAA rules and liability concerns require precise procedures for handling any accident or injury, especially regarding the treatment of someone who is not a primary family member.

A significant amount of personal data was contained in these forms, not only to ensure prompt access to treatment for an injured student, but also to provide details on how to contact parents/guardians in case of an emergency. This data includes student names, DOB, contact names, home address, phone numbers (work and home), insurance company name, policy number, primary doctor names, etc.

The forms for my students were kept in a folder inside of a flat canvas carry bag that was kept inside of the football equipment room. The forms were maintained and updated by the school’s athletic trainer and whenever we traveled it was up to the head coach to either keep track of the bag or assign it to someone else. Control procedures were not clear and not in writing. After the bag was nearly left behind at one game, I took it upon myself to carry the bag over my shoulder from the time we left the school until the time we returned.

These forms are required for every sport and other events. Many families have 2 or more kids in the school and if they each stay for four years, then the potential for the compromise of PII is very significant. This situation puts the school at high risk for loss of public trust (the parents are in fact the customers), bad publicity and of course potential legal consequences.

The following quote from a website offering free printable forms indicates the indifference of some educators who collect and handle PII:

“When trying to contact parents, most teachers would agree that it is far better to have too much information than to not have enough. It is interesting how many times a teacher’s records prove to be more thorough than those kept by the building’s administration. This is because parents fill out the contact cards that are filed in the office, and students fill out the ones kept by the classroom teacher. Unsurprisingly, kids tend to be far more forthcoming with teachers about the ways in which their parents can be contacted than they are about anything regarding themselves!”

The implication of this statement is that some faculty are encouraging students to divulge more personal information than is available through official administration records. This makes the challenge of protecting PII even more difficult, especially if the administration and the parents are unaware of an additional source of untracked and unmonitored personal information. If a parent’s company or business has taken all of the precautions to protect their PII, but their child’s school has not, then the damage can be just as severe.

The solution to protecting both the school and its customers’ information is to implement a Risk Management Plan that includes an assessment covering all PII (including staff, students and parents). The personal information collected should be the minimum required and, more importantly, written policies should be in place to determine not only who can gather/maintain PII, but also to establish strict custody control procedures for PII, including “check out – check in” for all Emergency Data Forms that leave the facility.