31 October, 2019

Exfiltration cyber attack


Introduction
There was an incident in which an attacker successfully transferred files from the web server. This kind of attack is known as exfiltration, and it was detected by the hosting nation's intrusion detection system. An attack of this type may also leave the web server vulnerable to other attacks such as denial of service. The attack originates from within the member nations attending the conference, and it should be stopped before it spreads further. Exfiltration is a dangerous type of attack because it gives an attacker access to resources they are not authorized to use. It can cause major problems, since nations keep highly classified information that should never be accessible to other nations at any time. The source of the data leak and the tools used to perform the attack should be identified, and the necessary steps put in place to stop such an attack from happening in future. The targeted resources should be made unavailable until the targeted web server and the whole network have been secured. The protocols for accessing the resources should be changed so as to give the team ample time to solve the problem.
Analysis
Wireshark is a versatile tool capable of sniffing and capturing network activity. Using it, it was established that a total of 1,907,899 packets were sent over the period of the attack. The participants were computers A and B: computer A sent a total of 1,864,853 packets and computer B sent a total of 43,046 packets. A total of 170 megabytes were sent over the whole conversation; computer A sent 143 megabytes and computer B sent 26 megabytes. The conversation took a total of 358.3253 seconds, which is the total time over which the exfiltration took place.
After the Wireshark capture is parsed, the process of identifying the time the attack began starts; it is indicated as 21:59:17.432035000. That is the period during which the attackers were able to actively copy files from the web server. The protocol the attackers utilized is UDP and the destination port affected was port 55. Port 55 makes it possible for messages to be transferred from one computer to another, and it is utilized in the internet network layer, transport layer and session layer. The IP address of the affected web server is 192.168.19.111 and the IP address of the system the attackers used is 192.168.10.101. The total size of the packet transferred successfully by the attackers to their system is 74 bytes. The system administrator was alerted by the host monitoring system using the User Datagram Protocol.
Using UDP flood unicorn to perform the denial of service attack is relatively easy. It is done by entering the target IP address, which in our case is 192.168.19.111, and the target port, 55. The packet size for the attack can be any amount, but for the test case 1 KB is enough. Performing a denial of service attack is simple because there are many tools available to aid in the process. There is an increase in HTTP requests sent to the internal web server, and it might be linked to the attack. The resource receiving more requests is /worldpress/randomfile1 HTTP/1.1\r\n. That is the targeted resource on the internal web server, and the attackers might be aiming at copying the file or making it inaccessible through the denial of service attack.
The server's HTTP response code is 500, which means the internal server encountered a problem and could not fulfil the request. The error means that the resource cannot be accessed by its legitimate users due to a problem the server is encountering, which might be linked to the increase in requests to the server. The IP address of the computer requesting the resource and causing the error is 192.168.10.101, the attacking computer. The attacker's user-agent for the request is Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n.
The type of attack occurring against the web server is a distributed denial of service attack, because the targeted resource cannot be accessed by legitimate users. The attackers are also performing a SQL injection against the web server. The abnormal requests sent by the attackers receive 404 Not Found (text/html). This is because the resources requested by the attackers do not exist, hence the error code. The URL being used by the attackers to perform the distributed denial of service is /wordpress/web/BetaBlockModules/EnableModule/EnableModule.php?path_prefix-http://cirt.net/rfil_.
More attacks are being performed against the web server by sending abnormal GET requests. The nature of the attack is brute force hacking. This is evident from the HTTP response code returned for the abnormal requests. The HTTP/1.1 Bad Request (text/html) response signifies that the server is receiving bad requests from the attackers. The user-agent for the requests received from the attackers is Mozilla/5.00.
There is repetition of the usernames and passwords being used by the attacker during the brute force attack. The passwords and usernames being repeated are located in the root/password folder, as is evident from the traffic captured with the Wireshark tool. The user-agent contained in the attack requests is Mozilla/5.00. The HTTP response code returned for the attack requests is HTTP/1.1 404 Not Found (text/html).
The repeated string of interest is responsible for the denial of service experienced. The user-agent for this string is Mozilla/5.00 and the HTTP response code for the request is HTTP/1.1 Not Found (text/html). The user-agent Mozilla/5.00 points to the Nikto web server testing tool. That tool is the one responsible for the attacks the web server is currently undergoing.
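The indicators described above (the Mozilla/5.00 user-agent the report ties to Nikto, the request whose query string carries a remote URL, and the run of 400/404/500 responses from 192.168.10.101) can be checked mechanically once the captured HTTP traffic is exported as web-server access-log lines. The following Python script is an added example, not part of the original report: the sample log lines are constructed for illustration (they reuse the report's addresses and paths), the combined log format, the ERROR_THRESHOLD value and the helper names are assumptions, and the script only reads and classifies the lines.

```python
"""Triage of web-server access-log lines for the indicators in the report:
scanner user-agents, remote-file-inclusion style query strings, and a burst
of error responses from one source. Added example, not the report's own code."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache/nginx "combined" log format (assumption about how the traffic was exported).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A URL scheme inside the query string is the classic remote-file-inclusion probe;
# matching the scheme (not a parameter name) also catches the report's
# "path_prefix-http://..." spelling.
URL_IN_QUERY_RE = re.compile(r'(?i)(?:https?|ftp)://')

# Hypothetical threshold: flag a source after this many 4xx/5xx responses in the sample.
ERROR_THRESHOLD = 5


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_scanner_ua(ua):
    """'Mozilla/5.00' is the user-agent the report associates with Nikto."""
    ua = ua.lower()
    return ua == "mozilla/5.00" or "nikto" in ua


def is_rfi_attempt(path):
    """True when the request's query string carries a remote URL."""
    return bool(URL_IN_QUERY_RE.search(urlsplit(path).query))


def analyse(lines):
    """Classify the lines and return the three indicator sets."""
    scanner_sources = set()
    rfi_requests = []
    errors = Counter()  # 4xx/5xx responses per source IP
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip rather than crash the triage
        if is_scanner_ua(rec["ua"]):
            scanner_sources.add(rec["ip"])
        if is_rfi_attempt(rec["path"]):
            rfi_requests.append((rec["ip"], rec["path"]))
        if rec["status"] >= 400:
            errors[rec["ip"]] += 1
    return {
        "scanner_sources": scanner_sources,
        "rfi_requests": rfi_requests,
        "error_storm": {ip: n for ip, n in errors.items() if n >= ERROR_THRESHOLD},
    }


# Constructed sample: one benign client plus the report's attacking host.
SAMPLE_LOG = [
    '192.168.10.50 - - [31/Oct/2019:21:58:02 +0000] "GET /wordpress/ HTTP/1.1" 200 4120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '192.168.10.50 - - [31/Oct/2019:21:58:03 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '192.168.10.101 - - [31/Oct/2019:21:59:17 +0000] "GET /worldpress/randomfile1 HTTP/1.1" 500 612 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '192.168.10.101 - - [31/Oct/2019:21:59:18 +0000] "GET /wordpress/web/BetaBlockModules/EnableModule/EnableModule.php?path_prefix=http://cirt.net/rfil_ HTTP/1.1" 404 209 "-" "Mozilla/5.00"',
    '192.168.10.101 - - [31/Oct/2019:21:59:18 +0000] "GET /admin/ HTTP/1.1" 404 209 "-" "Mozilla/5.00"',
    '192.168.10.101 - - [31/Oct/2019:21:59:19 +0000] "GET /backup/ HTTP/1.1" 404 209 "-" "Mozilla/5.00"',
    '192.168.10.101 - - [31/Oct/2019:21:59:19 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 400 226 "-" "Mozilla/5.00"',
    'this line is not in combined log format',
]

if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample, only 192.168.10.101 is reported under all three indicators, while the benign client's single 404 stays below the threshold; in practice the threshold would be tuned per time window and the flagged sources fed to the firewall or IDS rule the recommendations section describes.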
Findings
· The system is under the following types of attack:
  1. Distributed denial of service
  2. SQL injection
  3. Brute force attack
· The Nikto tool is being used by the attackers to hack the web server
· The IP address of the victim web server is 192.168.19.111
· The IP address of the computer being used by the attackers is 192.168.10.101
· The port number affected by the attack is 55

Recommendations
I would recommend that the system administrator block traffic from IP address 192.168.10.101 from accessing the network. This can be done by adding a policy on the firewall or configuring the intrusion detection system to drop traffic from that IP address. Port 55 should be blocked at the firewall to reduce the risk of leaking data through exfiltration. The system administrator should also configure the firewall and the intrusion detection and prevention systems to drop traffic to /wordpress/web/BetaBlockModules/EnableModule/EnableModule.php?path_prefix-http://cirt.net/rfil_ and /worldpress/randomfile1 HTTP/1.1\r\n. This should be done until the problem is resolved, so as to reduce further attacks on the network that could result in major damage.




05 September, 2019

Big Data and its Business Impacts


Research paper basics:
      8 pages in length
      APA formatted
      Minimum six (6) sources, at least two (2) from peer-reviewed journals
      Include an abstract, introduction, and conclusion
      Use a compelling chart, table, or map to illustrate something in the paper
      In-text citations

Don’t forget the headings.


Functions of DNS and DHCP in Windows(R) Server 2012

Description
Write a 1- to 2-page (400 words) technical document on the installation and configuration of DNS and DHCP in Windows® Server 2012 for Wadley, Inc. This will become part of the final install, configuration, and support plan for Wadley.

Include the following:

How to install DNS and configure it, including the DNS tree
Explain ongoing monitoring and management of server installation
Recommendations for utilizing Hyper-V®
Format according to APA guidelines.

Security & Safety in IFF – Assessment Task 2

Scenario for questions 1 - 10
Your company provides freight forwarding services along with operating a freight storage warehouse in Sydney.
You have been asked by your manager to review the Transport Security Plan (TSP) for your company.
Question 1
Briefly describe the purpose of a TSP.
Question 2
What are 2 INTERNAL (within your company) resources that you can use to do the TSP assessment?
Question 3
What are 2 EXTERNAL (outside of your company) resources that you can use to do the TSP assessment?
Question 4
Provide a link or contact information for your responses to question #3.
Question 5
How often and why should the TSP be reviewed?
Question 6
Who is accountable for ensuring the TSP is reviewed and contains the correct information to resolve a safety or security situation?
Question 7
What is your recommendation on how to train the employees in your company on the content of the TSP?
Question 8
What is a key performance indicator (KPI) that you can use to determine the effectiveness of the SAFETY section of your TSP?
Question 9
What is a key performance indicator (KPI) that you can use to determine the effectiveness of the SECURITY section of your TSP?
Question 10
You have a security concern about the upcoming storage of several high value containers in your warehouse for the next 2 days. You do not have the time or the budget to purchase and install new security equipment. Your warehouse does have basic security measures installed, such as internal and external lighting, door locks and video cameras. Given the budget and timing constraints, outline at least 3 security measures that you can implement to reduce the risk of theft or damage to these high value containers.
Question 11
A. What current Australian legislation applies to:
I. ASIC (Aviation Security Identification Card)
II. MSIC (Maritime Security Identification Card)
B. Who are the issuing bodies for the following?
I. ASIC Identification Card
II. MSIC Identification card

UNIFIED COMMUNICATIONS AT BOEING


Discussion Points
1. Some virtual teams at Boeing have discussions focused on military aircraft. Do some Internet research on UC security mechanisms and identify and briefly describe several that Boeing should have in place to ensure the privacy and integrity of such discussions.

2. To what extent do the UC benefits experienced by Boeing mirror those of other firms that have deployed UC capabilities over converged IP networks?

3. To date, Boeing has not implemented the full range of capabilities available through UC systems. If you were the CIO at Boeing, what additional UC capabilities would you implement? What benefits would you expect Boeing to derive from deploying these capabilities?


30 June, 2019








One
The article is direct and to the point regarding the issue of communication within an incident response team. The task involves trying to solve a problem after a breach of the network has occurred. The team should be able to understand each other, as the writer specifies. The writer addresses the future of computers well and goes to the depth of giving the example of a movie that tries to picture how the future will look. The future of technology, with full utilization of the huge amount of data available, will bring us many advantages.
Two
According to the writer, computer forensics keeps changing and growing every single day. It is a fact which I as an individual agree with. The computer forensics field keeps growing every single day, and as a result an individual needs to keep researching and reading new materials. The writer also highlights the certification and experience required to work in the computer forensics field. The blockchain technology used by cryptocurrencies such as Bitcoin is a mirror of how our future will look. The technology gives additional security to the system, which makes it impossible to get into the system.
Three
According to the writer, the incident response team should be equipped with the personal knowledge necessary to handle the challenges that come with the task. They should possess the personal technical skills to handle different types of breaches of the network. They should also be able to communicate well. This will enable the team members to reduce the risk of the hack by mitigating the issue quickly. The writer also highlights the impact computer forensics has had on the world. The application of computer forensics to the general technology world is also a critical part of ensuring security.
Four
The writer highlights the keylogger type of attack, which keeps track of all keyboard strokes and sends them to the attacker. Keyloggers exist in both software and hardware forms; the most dangerous is the software type, because it is very hard to detect unless an antivirus scan is conducted. The hardware type can be detected physically and hence removed. Black box testing is conducted without prior information about the network and is conducted by hackers, while white box testing is conducted by security officers with the aim of testing the network. Port scanning can be stopped using different security installations, as the writer puts it. Port scanning can be devastating to a network when done to get
Five
Antivirus and anti-malware are the first line of defense, but they don't detect every threat to a computer system, as the writer implies. Some threats are physical and are to be detected through a physical security sweep tasked with looking for the threats and removing them. These physical threats exist mostly as keyloggers, which track all the keystrokes made on a computer system. Black box testing, popular among hackers, is done without knowing the logic behind how the system operates; the attacker has no knowledge of how the network works, which is what makes it black box testing. In white box testing the attacker knows how the system works and tests whether it can withstand a real attack from hackers. Port scans are stopped by installing a good security system such as an intrusion prevention system, an intrusion detection system and a good firewall.
Six


05 April, 2019

INSY 3400 (Programming Assignment 1)


It is not always practical to compute the steady state or absorbing probabilities analytically for complex systems. In this assignment, you will use the programming language of your choosing to compute the specified probabilities. It is recommended that you use python, but if you have not yet taken INSY 3010 you may prefer to use matlab or another language that you have used before.

Consider the skittle and M&M problem from the homework (and exam), restated below.

Three mini bags of skittles and three mini bags of M&Ms are distributed in two candy bowls (one red, one brown) in such a way that each bowl contains three bags of candy. At each step we draw one candy bag from each dish and exchange them. Let Xn be the number of bags of skittles in the red candy bowl at time n.
The recommended steps to solve for the steady state probabilities empirically are listed below.
• Create a list of lists for the one-step transition probability matrix P using the appropriate values. Keep in mind that this is a problem you have already worked, so you may refer back to your homework to obtain P.
• Generate a random starting state, s, from {0,1,2,3} and record it in the list of states visited.
• Create a list, referred to as lim below, populated with 0s, to store the number of times each state has been visited.
• Execute a transition 10,000 times:
  o Generate a random uniform number between 0 and 1.
  o Depending on what the current state is, determine what the next state will be by using the conditional pmf for the given state.
    - Remember that you can convert the conditional pmf to a cdf, and then find the bracket containing the generated random number.
    - For the row of the transition matrix that corresponds to the current state, add the transition probabilities one by one from left to right until the sum exceeds the value of the random number. The first time that happens determines the next state.
  o Add 1 to the entry in lim corresponding to the selected state.
• Divide each entry in lim by the total number of transitions executed to obtain the estimated steady state probabilities.
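The procedure above, carried through as an added Python example that is not part of the assignment handout. The transition matrix P is derived here from the problem statement rather than copied from the homework (assumption: the two agree), the run uses a fixed seed so it is reproducible, and stationary_by_iteration is an extra analytic check, computed by repeatedly multiplying a distribution by P, against which the empirical estimate can be compared.

```python
"""Empirical steady-state probabilities for the skittles / M&M bowl-swap chain.

Added example, not part of the assignment handout. P is derived from the
problem statement (assumption: it matches the homework's P).
"""
import random

STATES = (0, 1, 2, 3)  # X_n = number of skittle bags in the red bowl


def transition_matrix():
    """One-step matrix P as a list of lists.

    With i skittle bags in the red bowl, the red bowl holds 3-i M&M bags and the
    brown bowl holds 3-i skittle bags and i M&M bags. Drawing one bag from each
    bowl and swapping them gives:
      i -> i-1 with probability (i/3)^2        (red gives skittle, brown gives M&M)
      i -> i+1 with probability ((3-i)/3)^2    (red gives M&M, brown gives skittle)
      i -> i   otherwise
    """
    P = []
    for i in STATES:
        down = (i / 3) ** 2
        up = ((3 - i) / 3) ** 2
        row = [0.0] * len(STATES)
        if i > 0:
            row[i - 1] = down
        if i < 3:
            row[i + 1] = up
        row[i] = 1.0 - down - up
        P.append(row)
    return P


def next_state(row, u):
    """Invert the conditional pmf `row` at the uniform draw u using its cdf:
    accumulate probabilities left to right and return the first state whose
    running total exceeds u."""
    cumulative = 0.0
    for state, p in enumerate(row):
        cumulative += p
        if u < cumulative:
            return state
    return len(row) - 1  # floating-point guard when u is within round-off of 1


def simulate(P, steps=10_000, seed=0):
    """Run the chain for `steps` transitions from a random start state.

    Returns (start_state, visited, estimate): `visited` is the full list of
    states visited and estimate[i] = lim[i] / steps."""
    rng = random.Random(seed)          # seeded so the run is reproducible
    state = rng.choice(STATES)         # random starting state s
    start, visited = state, [state]
    lim = [0] * len(STATES)            # visit counts per state
    for _ in range(steps):
        state = next_state(P[state], rng.random())
        visited.append(state)
        lim[state] += 1
    return start, visited, [count / steps for count in lim]


def stationary_by_iteration(P, iterations=500):
    """Analytic check: propagate a distribution through P until it stops changing.
    The chain is aperiodic (states 1 and 2 can stay put), so this converges to
    the unique stationary distribution."""
    pi = [1.0 / len(STATES)] * len(STATES)
    for _ in range(iterations):
        pi = [sum(pi[i] * P[i][j] for i in STATES) for j in STATES]
    return pi


if __name__ == "__main__":
    P = transition_matrix()
    start, _, estimate = simulate(P)
    print("start state:", start)
    print("empirical  :", [round(p, 4) for p in estimate])
    print("analytic   :", [round(p, 4) for p in stationary_by_iteration(P)])
```

With 10,000 transitions the empirical estimate lands within a few hundredths of the analytic distribution; increasing `steps` or averaging several seeds tightens the agreement, which is the comparison the report section asks for.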
Submission Instructions
Upload a code file with all of your code and a pdf with your submission report.
For your code file:
• Put your name in the comments at the top of the file
• Include your empirically determined steady state probabilities in the comments at the top of the file
• Your code must be commented
• If you are using python, submit a single py file
• If you are not using python, submit all of the files needed to execute your experiment.
For the report:
• The header should include your name (as it appears on canvas) and the name of the assignment.
• Write a one paragraph introduction that outlines the problem, objective, and states which programming language you are choosing to use. If you are not using python, include brief instructions for how to use your submitted files to re-create your results.
• Write a one paragraph analysis of the results. Clearly state what your randomly selected initial state is, and what the computed steady-state values are. Discuss any similarities and/or differences to the steady state values you have computed by hand in previous assignments.