Sidenote: Dare I emulate the beloved FatF movie franchise??? Thoughts and feels in the down downbelow!!
Now to be honest I haven’t progressed much further in the topics yet because I did not want to give phishin’ and email short shrift.
These are the additional notes I wanted to give on the Malware section, which seems to be largely dedicated to phishing, and rightly so. I believe the statistic is roughly that 60%ish of emails sent are considered spam. Though that does mean there's a lot of source data on which to train spam-detection models, which should be a comfort in a weird way.
Honestly one of my favorite arts from a course the Academy has produced. Huge Finding Nemo fan but again I digress.
Phishing is honestly the edgiest of edge cases because an organization's security system is only as good as its people's understanding of the problem. Hopefully that is bolstered by decent cybersecurity awareness training, but realistically the human part of cybersecurity is always going to be the soft underbelly.
Would highly recommend the Google Phishing Test to test your skillz right here.
While it is crucial for emerging cyber folks and non-cyber folks to be aware of all the skullduggery that can occur in terms of Trojans and rootkits, as the curriculum demonstrates, I'd like to add why you should be extra wary of adware.
If, say, this person was feeling in an extra goofy and silly mood, there is nothing to say that kind of person wouldn't click on one of the ads. Beyond making your computer slow, there are additionally malicious things lurking in annoying banners and popups.
While the expression "it goes without saying" could apply here, I'm going to be more explicit and say: do not click on any banners or popups. Yes, it could be something innocuous, like a protein powder to get your arms ready to point at things in the best buff Squidward fashion.
But there is a chance these banners are also a BeEF hook. BeEF (weird capitalization intended) stands for Browser Exploitation Framework. While it was designed as a tool for lawful security research and pentesting (Red Team), hackers do leverage it as an attack tool.
There’s this great explanation here.
Long story short, if you don't have time for a YouTube adventure right now: it can mimic a website like your Gmail or your Meta account just because, you know, you clicked through to that protein powder site. It would then throw up an "OH NOES YOU'RE ABOUT TO BE LOGGED OUT OF BOOK OF FACES!!!" and get you to enter your credentials so you wouldn't be inconveniently logged out, and oops… Guess who just got hacked? Not you, because you read through this and are an informed, clever lightbulb.
Now while it’s crucial to know all the different types of malware that the curriculum goes over, and this is definitely my art history nerd taking over, I would like to bring your attention to the computer sad face.
The thing is, if a cybercriminal has gained a backdoor into your system, your computer will be wearing their happy little face. You won't know until it's too late. Through privilege escalation (that's basically the annoying "You need admin…" prompt on Windows, or root on a Linux system) a hacker can and will "live off the land". This means they can just be there like Bigfoot: you know they're there, but good luck trying to find them. They can easily erase any nefarious wrongdoing by editing the system logs, and can and will 1) turn your computer into a zombie in their botnet army (not an obscure KPOP reference) and 2) if they don't find you and your computer interesting, move laterally through the network (lateral movement) to, say, a computer that is.
Now, all that being said about the perils of phishing… as a cyber folk you're additionally going to have to learn how email works, the ports it involves, and how it fits into the OSI model… So let's get into that:
- First there is your DNS, or Domain Name System for short:
This means instead of all us internet adventurers needing to know IP addresses for everything, we can just type google.com instead of knowing Google's IP address, which is 64.223.117.39. Makes life easier. Though you look instantly cooler/more pro doing it IP style. And to be clear, the mapping from a name to an IP address is one kind of DNS record.
When you send an email to someone, your mail server (the example throughout this post will be gmail.com sending to outlook.com) needs to find the corresponding outlook.com server. This lookup happens by looking at the other DNS record types, though most of the handling information is stored in the server's DNS zone file.
There are a lot of records in the DNS zone file, but some key ones are:
• A record: maps the name to the IP address mentioned earlier
○ google.com → 64.223.117.39
• PTR record or Pointer Record: maps an IP address back to its domain name (the reverse of the A record)
○ 64.223.117.39 → google.com
• CNAME or Canonical Name: an alias used to point one domain to another
○ So if google.com owns googletoo.com, there doesn't have to be yet another set of DNS records for googletoo.com… Also I don't know if Google owns googletoo, so don't click it.
• SOA or Start of Authority: this contains the email address of the admin of google.com, a TTL (Time To Live, which just says how long each computer can keep using the answer before a new copy is requested from the DNS server) and when the information was last updated
• NS Record or Name Server Record: this indicates which server has all these details. It is also known as the authoritative name server. Most large domains like Google have multiple servers on board for a whole variety of reasons. The NS records will also cover subdomains like, say, if Google has a whole cow department: cows.google.com (again I don't know if Alphabet/Google has a cow department, but my guess is if they do it's top secret)
- Within DNS, some servers will be designated as MX servers or Mail Exchange servers. There can be multiple of these as well. The real reason for multiple servers is so that if one stops working another can step in. This is called redundancy. Anyhow, if you accept that there are multiple servers, which server gets to handle the mail? This is all figured out by a priority number: a lower number wins, so a server with a 5 will kick in before the server with a 20.
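To make the record types and the MX priority rule concrete, here is a small added example (my own code, not from the Academy curriculum or any real DNS tool): it parses a constructed zone file for the reserved example.com domain, follows a CNAME alias to its A record, and picks the mail servers in delivery order. The zone contents and IP addresses (RFC 5737 documentation range) are made up for the example; the record syntax is the standard zone-file layout.

```python
from collections import defaultdict

# Constructed zone file for this example: a reserved .example-style domain
# and addresses from the RFC 5737 documentation range, so nothing is real.
ZONE = """\
; example.com zone, trimmed to the record types discussed above
example.com.        IN SOA   ns1.example.com. hostmaster.example.com. 2024010101 7200 900 1209600 300
example.com.        IN NS    ns1.example.com.
example.com.        IN NS    ns2.example.com.
example.com.        IN A     192.0.2.10
www.example.com.    IN CNAME example.com.
mail1.example.com.  IN A     192.0.2.25
mail2.example.com.  IN A     192.0.2.26
example.com.        IN MX    5 mail1.example.com.
example.com.        IN MX    20 mail2.example.com.
example.com.        IN TXT   "v=spf1 ip4:192.0.2.25 ip4:192.0.2.26 -all"
"""


def parse_zone(text):
    """Turn zone-file lines into {(owner, type): [rdata, ...]}."""
    records = defaultdict(list)
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        owner, klass, rtype, rdata = line.split(None, 3)
        if klass != "IN":
            raise ValueError(f"unexpected class {klass!r} in {line!r}")
        records[(owner.lower(), rtype.upper())].append(rdata.strip().strip('"'))
    return records


def resolve_a(records, name, depth=0):
    """A records for a name, following CNAME aliases. The depth bound
    stops a looping CNAME chain from recursing forever."""
    name = name.lower()
    if depth > 8:
        raise ValueError(f"CNAME chain too long at {name}")
    for target in records.get((name, "CNAME"), []):
        return resolve_a(records, target, depth + 1)
    return records.get((name, "A"), [])


def mail_servers(records, domain):
    """MX hosts for a domain in delivery order (lowest preference first),
    each with the address a sending server would connect to."""
    servers = []
    for rdata in records.get((domain.lower(), "MX"), []):
        pref, host = rdata.split()
        servers.append((int(pref), host.lower(), resolve_a(records, host)))
    return sorted(servers)


def spf_record(records, domain):
    """The TXT record carrying the domain's SPF policy, if there is one."""
    for txt in records.get((domain.lower(), "TXT"), []):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


if __name__ == "__main__":
    zone = parse_zone(ZONE)
    print("www.example.com. ->", resolve_a(zone, "www.example.com."))
    for pref, host, ips in mail_servers(zone, "example.com."):
        print(f"MX {pref:>2} {host} {ips}")
    print("SPF:", spf_record(zone, "example.com."))
```

Run it and the MX list comes out with mail1 (preference 5) ahead of mail2 (preference 20), which is exactly the "lower number wins" rule; the SPF TXT record it prints is the piece the next section digs into.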
So when you send an email from [email protected] to [email protected], the whole process of looking up the DNS begins, and the name servers then direct the email to the mail server.
This process isn't particularly human readable, so behind all of this is something called the TXT Record or Text Record. This is where you find the SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) records the curriculum talks about. Though tbh I want to dig into SPF more than DKIM in this post; both are pretty essential.
SPF lists which servers are allowed to send email for a domain and is mainly in charge of rooting out spam, email spoofing and, most crucially, phishing.
SPF records generally look like this:
v=spf1 ip4:192.168.1.1 -all
The v stands for version. The next part, ip4, indicates the type of IP address that follows, and the -all at the end says any sender not listed fails the check. There are two types of IP address btw: ipv4, mostly in North America, whereas ipv6 is longer, mostly used in Europe, and actually a little bit more secure.
So since we're using the Gmail to Outlook email route: the IP address for Gmail's MX server is 192.168.1.1, so when outlook.com receives an email, Outlook will be like:
First: Let's check where this came from. Yep, 192.168.1.1.
Second: Validate against gmail.com's DNS (the SPF record) that this is the mail server's IP.
Third: Yep, let's put that in the inbox.
Conversely, let's say the email comes from a new IP, 192.168.1.89 (so not Gmail's MX server):
First: Let's check where this came from. 192.168.1.89.
Second: Validate against gmail.com's DNS that this is the mail server's IP. It isn't.
Third: NAUR!!! THAT'S SPAM!!!
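Here is that check as an added example, written by me for this post rather than taken from any mail server: a small SPF evaluator that handles the pieces discussed above (ip4:/ip6: mechanisms with an optional CIDR prefix, the qualifiers +, -, ~ and ?, and the closing all), and the inbox/reject decision Outlook makes on the result. Mechanisms that need more DNS lookups (include, a, mx) are deliberately out of scope, so it returns permerror for them instead of guessing. The IPs are the ones used in the walkthrough above.

```python
import ipaddress

# Qualifier prefix -> SPF result name, per RFC 7208
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# The record from the walkthrough above: only 192.168.1.1 may send for gmail.com
GMAIL_SPF = "v=spf1 ip4:192.168.1.1 -all"


def check_spf(record, sender_ip):
    """Evaluate one SPF TXT record against the IP that delivered the mail.

    Supports ip4:/ip6: (with optional CIDR prefix) and the final 'all',
    each with an optional qualifier. Anything that needs further DNS
    lookups (include, a, mx, exists, ...) is out of scope for this
    illustration and yields 'permerror' rather than a wrong answer.
    """
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"              # not an SPF record at all
    for term in terms[1:]:
        qualifier = "+"            # a bare mechanism means "pass if it matches"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, value = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            # strict=False accepts a network written like 192.168.1.0/24;
            # a v4 address is never 'in' a v6 network and vice versa
            if ip in ipaddress.ip_network(value, strict=False):
                return QUALIFIERS[qualifier]
            continue
        return "permerror"         # mechanism this toy evaluator cannot resolve
    return "neutral"               # ran off the end without a matching term


def mailbox_for(result):
    """What a receiving server typically does with each SPF outcome."""
    return {
        "pass": "inbox",
        "fail": "reject",
        "softfail": "spam folder",
    }.get(result, "inbox, but unverified")


if __name__ == "__main__":
    for sender in ("192.168.1.1", "192.168.1.89"):
        result = check_spf(GMAIL_SPF, sender)
        print(f"{sender:>14}: {result:<8} -> {mailbox_for(result)}")
```

The first IP gets pass and lands in the inbox; the second reaches -all, gets fail and is rejected, which is the "NAUR" step above. Note that a record ending in ~all (softfail) or with no all at all (neutral) is a much weaker policy, which is why checking how a domain's record actually ends matters when you read one.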
3. After all that series of checks and balances, the message is transferred to an inbox (or not) through SMTP (Simple Mail Transfer Protocol), and you have yourself an email.
- For this particular point you are going to need to know that this is done over port 25, because there are legit multiple-choice questions from CompTIA on port numbers. You're also going to have to know what layer of the OSI model this is, so 1) live, laugh, love the OSI model and 2) know that this is layer 7, the application layer.
4. Now that the email has made it to the server, Outlook.com will need to pull the message from it. This is done one of two ways: either through POP3 (Post Office Protocol version 3) or IMAP (Internet Message Access Protocol).
POP3 is considered a smidge more private because POP3 generally doesn't keep a copy of the email, so it will not exist on the server. Whereas with IMAP a copy is kept on the server, which means access-wise you can log in from another computer and peruse it. This also means that in terms of data stored and kept, IMAP is useful.
Port-wise, POP3 uses port 101 and IMAP uses port 143.
Now that… wait for it… you've got mail, it is useful to point out that there's actually a handy Linux command, nslookup (name server lookup), that will give you all this information if you want to do a double check on your own… you can even set it to look for MX records by starting it, switching the query type, and then typing the domain:
nslookup
> set type=mx
> gmail.com
But what will really help you out there in the wild is actually understanding the guts of just what is in the header of an email:
So this is a dummied-up email between Mercutio and Juliet.
The first line of the header is the Delivered-To field. This is who the message was sent to, in this case [email protected].
Six lines down is the Return-Path field. This specifies the return email, in this case [email protected], which should already have you going: NOPE NOT TODAY!!! In addition to the email looking sketchy, it does not match the sender, Mercutio. There's no guarantee, but wouldn't [email protected] look more legitimate to you?
Right under that is the Received field, showing the perilous path the email took to get to your spam folder. If you look even closer, there is an IP address, 74.6.130.141, which of course you can run through any number of IP address lookup tools on the internet, though I would recommend ARIN, the American Registry for Internet Numbers.
In this case the IP address is legit according to ARIN, but that won't be what you uncover each and every time.
On the last line, right before the new section starting with To:, you can see where the SPF didn't work as planned and in fact passed.
Okay, now let's take another look at these messages to Juliet and try this one on for size:
Here's the tea and/or coffee:
It was delivered to: [email protected]
The return path is: [email protected]
The Received path source IP is: 64.71.74.115
And the SPF failed.
And some of the other tip-offs would be: the IRS is many things, but do you really think they would use emojis?
Would the IRS email you instead of sending you something by, say, the good ol' USPS if they really needed to contact you?
Maybe if everything works out someday you'll be able to pay your taxes in Bitcoin, but today is not that day.
Also, considering the IRS is literally a fleet of government accountants, you'd think they would give you a precise amount instead of a "large sum of funds".
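The same header walkthrough can be done by a script, and it is worth seeing what that looks like because the fields above are exactly what a spam filter or a SOC analyst's triage tool reads. The code below is an added example of mine, not the post's own tooling: it takes a raw header block, pulls out Delivered-To, Return-Path, the source IP from the Received line, and the Received-SPF result, then lists the red flags called out above (return path not matching the From domain, SPF fail, emoji in the subject, vague "large sum of funds" / Bitcoin wording). Both sample headers are constructed for the example, using reserved .example domains and RFC 5737 documentation addresses, so none of the senders or IPs are real.

```python
import re
from email import message_from_string
from email.header import decode_header
from email.utils import parseaddr

# Constructed header blocks for this example (reserved .example domains,
# RFC 5737 documentation IPs); the emoji in the subject arrives the way mail
# clients really send it, as an RFC 2047 encoded-word.
SUSPICIOUS = """\
Delivered-To: juliet@capulet.example
Return-Path: <refunds@payments-desk.example>
Received: from mta.payments-desk.example (unknown [203.0.113.77])
        by mx.capulet.example with ESMTP id 4fx2k9
        for <juliet@capulet.example>; Tue, 02 Jan 2024 10:15:00 +0000
Received-SPF: fail (mx.capulet.example: domain of payments-desk.example does not designate 203.0.113.77 as permitted sender)
From: "IRS Refund Desk" <no-reply@irs-refunds.example>
To: juliet@capulet.example
Subject: =?utf-8?b?8J+SsA==?= Claim your large sum of funds in Bitcoin
"""

LEGIT = """\
Delivered-To: juliet@capulet.example
Return-Path: <mercutio@montague.example>
Received: from mta.montague.example (mta.montague.example [198.51.100.9])
        by mx.capulet.example with ESMTP id 4fx2k8
        for <juliet@capulet.example>; Tue, 02 Jan 2024 09:58:00 +0000
Received-SPF: pass (mx.capulet.example: domain of montague.example designates 198.51.100.9 as permitted sender)
From: Mercutio <mercutio@montague.example>
To: juliet@capulet.example
Subject: Tonight, at the Capulet feast
"""

IP_IN_RECEIVED = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Wording the post calls out as a tip-off (constructed list; extend as you like)
VAGUE_PHRASES = ("large sum of funds", "bitcoin")


def domain_of(address):
    """Bare domain of an address, lower-cased; '' if there is no @."""
    return parseaddr(address)[1].rpartition("@")[2].lower()


def decoded_subject(msg):
    """Decode RFC 2047 encoded-words (how emoji usually arrive) into str."""
    parts = []
    for chunk, charset in decode_header(msg.get("Subject", "")):
        if isinstance(chunk, bytes):
            parts.append(chunk.decode(charset or "ascii", errors="replace"))
        else:
            parts.append(chunk)
    return "".join(parts)


def analyze_headers(raw):
    """Pull out the fields walked through above and list the red flags."""
    msg = message_from_string(raw)
    received = msg.get_all("Received") or []
    # Each hop prepends its own Received line, so the last one is the oldest.
    # Only the lines stamped by your own servers can be trusted; anything
    # below them could have been written by the sender.
    origin = IP_IN_RECEIVED.search(received[-1]) if received else None
    spf = (msg.get("Received-SPF") or "none").split()[0].lower()
    subject = decoded_subject(msg)
    report = {
        "delivered_to": parseaddr(msg.get("Delivered-To", ""))[1],
        "return_path": parseaddr(msg.get("Return-Path", ""))[1],
        "from": parseaddr(msg.get("From", ""))[1],
        "source_ip": origin.group(1) if origin else None,
        "spf": spf,
        "findings": [],
    }
    if domain_of(report["return_path"]) != domain_of(report["from"]):
        report["findings"].append("return-path domain differs from From domain")
    if spf in ("fail", "softfail"):
        report["findings"].append(f"SPF result is {spf}")
    if any(ord(c) > 127 for c in subject):
        report["findings"].append("subject contains non-ASCII characters (emoji?)")
    for phrase in VAGUE_PHRASES:
        if phrase in subject.lower():
            report["findings"].append(f"subject mentions '{phrase}'")
    return report


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("legit", LEGIT)):
        print(f"--- {label} ---")
        for key, value in analyze_headers(raw).items():
            print(f"{key}: {value}")
```

The suspicious message trips all five checks while Mercutio's trips none. The source IP it reports is the one you would take to ARIN, and the Received-SPF line is the receiving server's own verdict, which is why it carries more weight than anything the sender wrote in From.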
So hopefully after wading through all this, you sort of understand how email works, in addition to being able to spot spam
a mile away. And while you're at it, don't click on any banner ads or download anything in your inbox unless you specifically requested it… And now that I've tackled email, I feel free to keep on keepin' on my quest through the curriculum. And hey: Happy Tuesday.