
CyberSecurity Part 3: Simple Penetration Testing for K12 Schools

By Tony DePrato | Follow Me on LinkedIn

Cybersecurity Part 2 will be featured in the Tie Magazine. After it is released, I will post the article on the blog.

I have been following a few online threads where schools are considering contracting penetration testers. For those who may not know, penetration testing (pentesting) is a security assessment, an analysis, and progression of simulated attacks on an application (web, mobile, or API) or network to check its security posture. The objective is to penetrate the application or network security defenses by looking for vulnerabilities. These are usually weaknesses or flaws that an attacker could exploit to impact confidentiality, integrity, or availability. This goal is the same whether performing application pentesting or network pentesting. ~ https://cobalt.io/pentest

As a consultant, I am not opposed to K12 schools using consultants. However, I have seen some red flags out there from pentesting consultants. I want to highlight those issues, and also provide a method for K12 schools to get started on this process in an easy and low-cost manner.

Finding a Good Pentester

The Conversation

School: We are looking for someone to help test our security.

Pentester: Great. I can do that (credentials and background presented).

School: What do you need?

Pentester: I need a list of (x,y,z). I need an office to work from. I need to interview…

What is wrong here?

Here is how this should go:

School: We are looking for someone to help test our security.

Pentester: Great. I can do that (credentials and background presented).

School: What do you need?

Pentester: I need a contract protecting me if I break into one or more of your services. I need a contact person to send my findings to. I need a timeline. 

A pentester’s job is to find the weaknesses and to find a way into your organization. If you hand over access, not only is the job easier, but they could simply report an issue that is unlikely to occur in practice. I witnessed a similar scenario where a firm was asking for the keys in order to break into the car.

There may be a point where you want a pentester to become a student and see what a student can do with the access provided. There may be a point where you want them to test spaces used by the public during events. If you provide and manage laptops, a good pentester will need one of the school’s laptops.

These are reasonable requests. Asking the school to literally give them a roadmap and set of targets is not reasonable. 

Doing Your Own Testing

I have a list of standards schools should work towards to be secure. Some of these do not always connect well to third-party services, public-facing websites, etc.

Over the last few months, I have developed a checklist for pentesting K12 school websites and resources. 

Test | Definition
Subscription and Services Discovery | Can your subscriptions and services be easily discovered?
Files Exposed to the Public | Are there files publicly available that are supposed to be private?
Calendars Exposed to the Public | Is calendar data that should be private actually private?
Staff and/or Student Email Harvesting | Can your staff and/or student PII be used to create a database for phishing and spamming?
Portals and SIS | Are your portals and SIS properly secured and difficult to attack by brute force?
Websites and Social Media | Are websites and social media properly secured, and is the media being used legally and correctly?
Cloud Services | Have cloud services been properly secured?
Third-Party Sharing | Is anyone sharing your content, and do they have permission?
FTP, SSH, and Telnet | Are any of these protocols a threat to your school via publicly accessible information?
Email Blacklist | Is your email domain blacklisted?
Email Header Check | Is there any data in your headers that could be anonymous or lead to blacklisting?
Email Catch-All for Non-Existent Emails | Is your email set up to catch any message sent to an address that does not exist and alert someone?
SMTP Relay | Is your email system running services that would allow an attacker to use your email for a criminal act, such as sending an email on someone’s behalf?
4xx and 5xx Error Check | Are the 4xx and 5xx pages on your public-facing services configured properly and supportive of trusted users?
HTML Forms | Are any HTML forms vulnerable to low-level URL-based attacks? (Will also review CAPTCHA.)

I score these on a scale of 1-5 and document the issues/results. The next level is researching the solutions to correct the problems. Keep in mind that many solutions are in policies and procedures. This means issues need to be articulated for school leaders, teachers, students, and parents.

In other words, avoid jargon and lingo.
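The email rows of the checklist (blacklist, header check, SMTP relay) largely turn on whether the domain’s SPF and DMARC records tell receiving servers to reject mail forged in the school’s name. Below is an added example, not the author’s tool or a script from the article, that grades those two records on the same 1-5 scale; it assumes you have already fetched the TXT records (for instance with dig +short TXT school.example and dig +short TXT _dmarc.school.example, where school.example is a placeholder domain).

```python
# Added example, not from the article: grades SPF and DMARC TXT records on a 1-5 scale.
# Input is the raw TXT string for the domain (SPF) and for _dmarc.<domain> (DMARC), or None.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Finding:
    check: str
    score: int    # 1 = weak, 5 = strong
    detail: str

def evaluate_spf(txt: Optional[str]) -> Finding:
    """The SPF 'all' qualifier decides what receivers do with hosts you did not list."""
    if not txt or not txt.lower().startswith("v=spf1"):
        return Finding("SPF", 1, "no SPF record: any host may send mail as this domain")
    terms = txt.lower().split()
    if "+all" in terms or "all" in terms:
        return Finding("SPF", 1, "+all authorizes every sender; no better than no record")
    if "?all" in terms:
        return Finding("SPF", 2, "?all is neutral; receivers will not act on forgeries")
    if "~all" in terms:
        return Finding("SPF", 4, "~all softfail: forgeries are marked but may be delivered")
    if "-all" in terms:
        return Finding("SPF", 5, "-all hardfail: unauthorized senders are rejected")
    return Finding("SPF", 2, "no 'all' mechanism; the result defaults to neutral")

def evaluate_dmarc(txt: Optional[str]) -> Finding:
    """The DMARC p= tag tells receivers how to treat mail that fails SPF/DKIM alignment."""
    if not txt or not txt.lower().startswith("v=dmarc1"):
        return Finding("DMARC", 1, "no DMARC record: SPF/DKIM results are not enforced")
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    policy = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))   # share of failing mail the policy applies to
    reports = "" if "rua" in tags else "; no rua= address, so failures are never reported"
    if policy == "reject":
        return Finding("DMARC", 5 if pct == 100 else 4, f"p=reject on {pct}% of mail{reports}")
    if policy == "quarantine":
        return Finding("DMARC", 4 if pct == 100 else 3, f"p=quarantine on {pct}% of mail{reports}")
    return Finding("DMARC", 2, "p=none only monitors; forged mail is still delivered" + reports)

if __name__ == "__main__":   # constructed sample records for a hypothetical school domain
    spf = evaluate_spf("v=spf1 include:_spf.google.com ~all")
    dmarc = evaluate_dmarc("v=DMARC1; p=none; rua=mailto:dmarc@school.example")
    for f in (spf, dmarc):
        print(f"{f.check}: {f.score}/5 - {f.detail}")
```

A score of 1 or 2 on either record means anyone can send mail that appears to come from the school, which feeds both the spoofing and the blacklisting rows of the checklist.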

Doing as much due diligence as possible before contracting someone will not only save time and money, but it will also help to further educate the community.

If you do not know what is actually dangerous, then everything could be sold as dangerous. 

Understanding Ransomware

By: Tony DePrato | Follow me on Twitter @tdeprato

On Friday, 12 May 2017, a large cyber-attack using the WannaCry ransomware was launched, infecting more than 230,000 computers in 150 countries and demanding ransom payments in the cryptocurrency bitcoin in 28 languages. This type of malicious attack is classified as ransomware.

The ransomware concept is fairly simple. Once the package infects a system, it begins to encrypt all the data. The data is still on the machine, but it is not accessible unless the user enters a decryption key. In order to obtain the key, money must be sent to the “owner” of the ransomware. Usually this money is requested in the form of cryptocurrency, to make it difficult (if not impossible) to trace the payment.

Ransomware Targets Everyone

Schools often believe that certain security measures and protocols followed in the corporate world do not apply to them. There is often a consensus on campus that technology needs to be friendly and open. Because of this cultural approach to planning technology, many rules and regulations are simply not followed, especially if those rules and regulations are designed for extreme scenarios.

For example, it would be odd to find a school that did not have user-managed passwords for email. When users get their email account, they change and manage their own password. However, if someone recommends that school personnel set up multistep authentication that expires every thirty days, that recommendation is probably going to be rejected. Any multistep authentication process requires that users learn more about security and manage security more regularly. If a user makes a mistake, the delay for resetting their services is often considered unacceptable.

IT policies and procedures that would prevent a school from being a victim of ransomware, or other sophisticated attacks, are going to be policies that create barriers and limits. These measures would slow people down at times, and restrict certain types of technology from being used on campus.

Managing network and data security is a discipline that must be followed regardless of an organizational mission or definition. Best practice scenarios need to be studied as universal best practice scenarios. Studying best practice scenarios for only a single type of organization (like a K-12 International School) limits exposure to case-studies, creative ideas, and threat assessment.

Ransomware Prevention and Protection

Investing money and IT security planning have something in common. If a person makes a decision about the future strictly on past performance, they are very likely to be investing in a plan that is expensive with a lower future yield. IT security threats work because they are original, and because a purchasable defensive solution was not available at the time of the threat.

Many organizations make the mistake of preparing for the future by buying protection for a threat that is no longer unique. This is useful if the threat resurfaces, but it is useless against new threats.

If an organization truly wants to be well prepared for ransomware threats, everyone in the organization should be able to answer ‘Yes’ to this statement:

“I can take my laptop/desktop/primary device and throw it away right now without severely impacting my work or life.”

Answering ‘Yes’ to that statement means that a person understands the data is more important than the machine it resides on. Just like investing in retirement, only diversification will save someone during a new and aggressive IT security threat.

There are numerous ways to achieve a high level of data diversity and redundancy. Here are a few that can be implemented with policy and practice:

  • The standard for file storage should be in the cloud.
  • Do not use SYNC software such as Google Drive Sync or OneDrive sync.
  • Laptops given to staff and students should have very small hard drives to discourage hoarding data and storing old files.
  • Weekly or monthly archiving of data should not be in the same environment as data for daily work. For example, I use Google Drive every day for work, but once a month I back up the important data to DropBox. The larger archives are for emergencies, and held within a different environment.
  • Offline backups on external drives are good, but hardware can fail. Consider what data is critical and make sure the offline backup is not the primary copy.
  • Systems like TimeMachine can actually corrupt data if they are backing up automatically. Consider manually initiating backups, only after you have scanned your machine/servers for malware.
  • Photos and media can be challenging to keep organized in the cloud. Services like Google Photos, Instagram, etc. are designed for media. Use media-centric services to manage media.
  • Email is not for data storage. If email is compromised, the communication threads should be all that is lost.
  • Schools using local network shared drives and NAS systems (Synology etc.) need to be restrictive and vigilant with permissions. If these services have been planned with “Ease of Use” as the driving force, they are at risk of being turned into an engine that will rapidly spread a threat.
  • Limit non-cloud based data sharing to special groups or departments to reduce the need to constantly update and patch these systems.
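The advice above to scan a machine before manually starting a backup can be turned into a small pre-backup check. The following is an added example, not from the article: it walks a folder and flags files that show the usual traces of ransomware (a ransom-note file name, a second extension appended to a document, or a text file whose bytes are near-random, as encrypted data is). The heuristic lists and the sample folder it builds are constructed for illustration and should be tuned for your own environment.

```python
# Added example, not from the article: a pre-backup check for ransomware artifacts.
# Heuristic lists are constructed for illustration; tune them for your environment.
import math
import os
import tempfile
from collections import Counter

DOC_EXT = {".txt", ".csv", ".docx", ".xlsx", ".pdf"}   # extensions ransomware commonly renames
PLAIN_EXT = {".txt", ".csv", ".md", ".html"}            # content should be readable, low entropy
NOTE_NAMES = {"readme_decrypt.txt", "how_to_recover_files.txt"}   # constructed examples
ENTROPY_LIMIT = 7.5   # bits per byte: encrypted data is near 8.0, English text near 4.5

def shannon_entropy(data: bytes) -> float:
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def suspicious_reasons(path: str) -> list:
    """Return the heuristics a file trips; an empty list means it looks normal."""
    name = os.path.basename(path).lower()
    parts = name.split(".")
    reasons = []
    if name in NOTE_NAMES:
        reasons.append("ransom-note file name")
    if len(parts) >= 3 and "." + parts[-2] in DOC_EXT:
        reasons.append("extra extension appended to a document")
    if "." + parts[-1] in PLAIN_EXT:
        with open(path, "rb") as fh:
            if shannon_entropy(fh.read(4096)) > ENTROPY_LIMIT:
                reasons.append("text file content is near-random (possibly encrypted)")
    return reasons

def scan_tree(root: str) -> dict:
    """Map each suspicious file path to its reasons; back up only when this is empty."""
    findings = {}
    for d, _, files in os.walk(root):
        for f in files:
            reasons = suspicious_reasons(os.path.join(d, f))
            if reasons:
                findings[os.path.join(d, f)] = reasons
    return findings

def build_sample_tree() -> str:
    """Constructed sample: one clean document plus three ransomware-style artifacts."""
    root = tempfile.mkdtemp()
    text = b"Attendance notes for the spring term, to be filed with the office. " * 60
    samples = [("notes.txt", text), ("budget.txt", os.urandom(4096)),
               ("grades.csv.locked", os.urandom(4096)), ("readme_decrypt.txt", text)]
    for name, content in samples:
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    return root
```

Run scan_tree on the folder that is about to be archived; build_sample_tree only exists to show what a hit looks like, and a non-empty result is the signal to investigate rather than to back up.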

A final note to those who are making and enforcing policy. A single human vector who introduces one of these threats onto a network can create a cascade of destruction. Allowing anyone to circumvent a policy because of their title or position is placing everyone at risk.

WannaCry Ransomware Impact
The ransomware campaign was unprecedented in scale according to Europol.[9] The attack affected many National Health Service hospitals in England and Scotland,[50] and up to 70,000 devices — including computers, MRI scanners, blood-storage refrigerators and theatre equipment — may have been affected.[51] On 12 May, some NHS services had to turn away non-critical emergencies, and some ambulances were diverted.[12][52] In 2016, thousands of computers in 42 separate NHS trusts in England were reported to be still running Windows XP.[46] NHS hospitals in Wales and Northern Ireland were unaffected by the attack.[10][12]
Nissan Motor Manufacturing UK in Tyne and Wear, one of Europe’s most productive car manufacturing plants, halted production after the ransomware infected some of their systems. Renault also stopped production at several sites in an attempt to stop the spread of the ransomware.[53][54]
According to experts, the attack’s impact could have been much worse if no kill-switch had been built in by the malware’s creators.[55][56]
Cybersecurity expert Ori Eisen said that the attack appears to be “low-level” stuff, given the ransom demands of $300 and states that the same thing could be done to crucial infrastructure, like nuclear power plants, dams or railway systems.[57]
List of affected organizations
São Paulo Court of Justice (Brazil)[58]
Vivo (Telefônica Brasil) (Brazil)[58]
Lakeridge Health (Canada)[59]
PetroChina (China)[16]
Public Security Bureaus (China)[60]
Sun Yat-sen University (China)[61]
Instituto Nacional de Salud (Colombia)[62]
Renault (France)[63]
Deutsche Bahn (Germany)[64]
Telenor Hungary (Hungary)[65]
Andhra Pradesh Police (India)[66]
Dharmais Hospital (Indonesia)[61]
Harapan Kita Hospital (Indonesia)[61]
University of Milano-Bicocca (Italy)[67]
Q-Park (The Netherlands)[68]
Portugal Telecom (Portugal)[69]
Automobile Dacia (Romania)[70]
Ministry of Foreign Affairs (Romania)[71]
MegaFon (Russia)[72]
Ministry of Internal Affairs (Russia)[73]
Russian Railways (Russia)[74]
LATAM Airlines Group (Chile)[75]
Banco Bilbao Vizcaya Argentaria (Spain)[76]
Telefónica (Spain)[76]
Sandvik (Sweden)[61]
Garena Blade and Soul (Thailand)[77]
National Health Service (England) (United Kingdom)[78][12][10]
NHS Scotland (United Kingdom)[12][10]
Nissan UK (United Kingdom)[78]
FedEx (United States)[79]
Massachusetts Institute of Technology (United States)
Saudi Telecom (Saudi Arabia)[80]