In this month’s edition, we wanted to come back to the topic of password security. And that’s why we prepared a few articles that will show you a slightly different approach to this area.
We start with “Brute Force techniques with MITRE ATT&CK” that goes straight into the action and presents various hacking techniques to uncover passwords. Additionally, the authors show two methods that can be used, either online or offline.
To learn more about offensive techniques, check out the next article: “Exploration of Passwords on Wireless Security”. The authors perform an experiment that will use available hacking tools to attempt to gain access to a lab wireless network.
Moving forward, there are two other articles that present a slightly different approach to the password topic. First, we will take a closer look at the problem of securing passwords. In “Password Security Problems”, the authors prepared amazing research where they review each potential threat and mistake made by everyday users and security specialists. The second article will focus on the situation after the attack. The majority of users change their password to something very similar or don’t change it at all. How does that influence the security process after a breach? You will find out in the research.
As always, there are other articles that we hope you will find interesting! Automotive hacking, SOCMINT, DPAPI-in-depth with tooling, and more await you!
We hope that you will enjoy this edition and all the articles we prepared. Before you dive into hacking passwords, a small note: as the times grow uncertain and troubling, remember that if you’re feeling overwhelmed or stressed by it all, be reassured that this is a very normal response. However, it’s important to go easy on yourself. Make sure to make time for self-care and have fun hacking ;-)
Enjoy the reading,
Hakin9 Editorial Team
TABLE OF CONTENTS
Brute Force techniques with MITRE ATT&CK
Isabella Leal, Joas Antonio
Brute force is a technique for discovering a password by trying to crack it with random combinations or a wordlist. It can be carried out in two ways, online or offline. Attackers can use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained through exploitation. Without knowledge of the password for an account or set of accounts, an attacker can systematically guess the password using a repetitive or iterative mechanism. Brute forcing of passwords can occur through interaction with a service that checks the validity of the credentials, or offline against credential data acquired in the form of password hashes.
Exploration of Passwords on Wireless Security
James C. Duvall
In this research project, the topic of password length within the context of wireless networking security will be explored. An experiment will be undertaken that will use available hacking tools and modest equipment to attempt to gain access to a lab wireless network. The lab wireless network will be built to mimic a production wireless network that could be found in a small business setting.
Password Security Problems
Marjan Heričko, Viktor Taneski
The objective of this article is to perform a systematic literature review in the area of passwords and password security, in order to determine whether alphanumeric passwords are still weak, short and simple. The results show that only 42 out of 63 relevant studies propose a solid solution to deal with the identified problems with alphanumeric passwords, but only 17 have statistically verified it. We find that only three studies have a representative sample, which may indicate that the results of the majority of the studies cannot be generalized. We conclude that users and their alphanumeric passwords are still the “weakest link” in the “security chain”. Careless security behavior, involving password reuse, writing down and sharing passwords, along with erroneous knowledge of what constitutes a secure password, are the main problems related to the issue of password security.
Do people change their passwords after a breach?
Sruti Bhagavatula, Apu Kapadia
To protect against misuse of passwords compromised in a breach, consumers should promptly change affected passwords and any similar passwords on other accounts. Ideally, affected companies should strongly encourage this behavior and have mechanisms in place to mitigate harm. To study the effectiveness of password-related breach notifications and practices enforced after a breach, we examine, based on real-world password data from 249 participants, whether and how constructively participants changed their passwords after a breach announcement.
Hacking Automotive Systems
Cars are one of the most widely used transportation methods. According to OICA, more than 72 million cars were manufactured in 2016. It is estimated that, by 2035, the number of vehicles worldwide will reach more than 2 billion. Due to people’s massive dependency on vehicles for transportation, the technology utilized in cars has advanced greatly over the years. From entirely mechanical to fully autonomous, cars now heavily depend on computers and connectivity. This paper focuses on the security of cars nowadays. It investigates the weaknesses within cars and illustrates some of the hacking techniques possible.
DPAPI-in-depth with tooling: standalone DPAPI
The Microsoft Data Protection Application Programming Interface, or DPAPI for short, is a Windows API that lets developers store sensitive data in a way that is encrypted but still decryptable. It has been around since Windows 2000, which makes it more or less ancient in computer terms. However, it has since been tweaked to such an extent that it is no longer recognizable: things like RSA, AES256, SHA512 and even PBKDF2 have been added or increased in rounds. This article will go in depth on how standalone DPAPI works: only local Windows accounts (so no Active Directory nor Microsoft Live) and no TPM. It has been developed and verified on the latest version of Windows 10 x64 (v2004, 19041.508 at the time of writing). This article will exclusively focus on local User and System DPAPI encryption and provides some in-depth cryptographic insights.
SOCMINT - Data Protection Risks in Social Media
Intelligence-related disciplines may inquire into personal information, statements and conversations posted voluntarily on websites or social platforms in order to profile people, identify social networks and organizational structures, and uncover vulnerabilities and threats/risks that can jeopardize the security of individuals or organizations. In this respect, the Internet, as an environment, can provide valuable information from both technical and social sides. This is why the World Wide Web is and will remain an important place to search for data and information that can be processed into Intelligence, and why people working in sensitive domains (e.g. Intelligence) should be aware of their vulnerabilities and the risks and threats posed by this environment.
Factoring Asset Growth in System Development Life Cycle Implementation
Wael Alagi, Sultan Al-Sharif
The scaling of an enterprise changes the risk profile associated with its cyber-infrastructure. Consequently, the changes expose an organization to new security risks due to the adoption of new infrastructure and the expansion of the network, as well as new interactions between systems. Increasing the number of contact points between the information architecture of an organization and the Internet increases its complexity and the associated risk profile. The integration of an asset growth assessment during the system development life cycle is a crucial process that ensures that the organization can respond effectively to the evolving security risks.
Cyber Threat Intelligence and Hackers
Azene D Zenebe, Mufaro Shumba
Current techniques for dealing with cyber breaches are reactive, meaning once a breach occurs then cyber professionals take actions. This is no longer acceptable because breaches are only detected on average after about six months and only 10% of breaches are detected in the first 24 hours. When dealing with hackers, it is important to note that hackers spend a lot of time sharing information in online communities. One of these communities is the darknet. The darknet is a network with restricted access where people can stay anonymous for legal and illegal reasons.
Cyber Crimes on the Internet of Things
Mohan Krishna Kagita, Navod Thilakarathne
An estimated 328 million dollars in annual losses come from cyber-attacks in Australia alone. Various steps are taken to slow down these attacks but, unfortunately, they have not succeeded. Therefore, secure IoT is the need of the time, and the attacks and threats in the IoT structure should be studied. The reasons for cyber-attacks can be: 1. countries having weak cyber security; 2. cybercriminals using new technologies to attack; 3. cybercrime being possible with services and other business schemes. MSPs (Managed Service Providers) face different difficulties in fighting cybercrime. They have to ensure their customers’ security as well as their own security in terms of their servers, devices, and systems. Hence, they must use effective, fast, and easily usable antivirus and anti-malware tools.