ISSA Chapter Meeting 4 June 2024:
Opening remarks: Hybrid meeting: Meeting held in-person at ECPI and virtually on Zoom. For questions, please raise your virtual hand or use the chat feature. Charles is attending virtually today. Please give us feedback after the meeting: What did you like? What could we improve?
Agenda: Welcome/Membership/Education/Presentation/Business Meeting/Q&A/ Feedback/Adjourn
Organization Chart:
Elections will be happening soon, election committee members wanted!
Elected board positions are President, Vice president, Secretary and Treasurer; all other positions are appointed.
ISSA-HR Professional Association Benefits: Build professional relationships, stay current on developments in areas of information security/risk/privacy, professional development, education opportunities, (looking forward to our presentation today!) Earn CPE/CEU continuing education credits, (Membership chair can handle CPE/CEU inquiries) learn practical and best practice solutions, career information and employment opportunities
Whether you’re a pre-professional, entry-level, mid-career, senior practitioner or security leader, ISSA offers strategic resources and guidance to successive career levels.
Membership Annual Cost: Professional (Not a student) $95, Student $30, (Chapter Dues $30) Professional = $125 total, Student = $60. Your company may even reimburse these dues! Does not hurt to ask.
*Select Hampton Roads as your chapter
New Members: Welcome: Joseph A, James Y, Alec B!
Joseph and James are here! Welcome! Thank you for joining.
Education: Resources on website, we do now have a separate mentorship program; we are passionate about what resources are out there!
Goals: Provide educational resources, mentorship opportunities, teambuilding/collaboration, hands-on industry tool familiarization, certification tracking/pipeline
Free Certification and Training:
SANS Cloud Diversity Academy:
Brought to you by SANS and Google, this is a U.S. Cyber Academy for U.S. citizens and permanent legal residents with work authorization. This academy offers skills to secure cloud infrastructure and sensitive data through SANS OnDemand training and hands-on labs with industry experts. Launch your career in cloud security by earning globally recognized GIAC certifications with the support of a dedicated community manager and post-career placement with access to an alumni network.
Encouraged to apply:
Women; Non-Binary; Transgender, Black; Hispanic; Latino; Indigenous, PoC
Unemployed, or underemployed and interested in a career change (Priority may be given to applicants who are unemployed, underemployed or career changers)
Must be a US Citizen or permanent legal resident (Green card holder) with work authorization and currently living in the US.
https://sans.org/cyber-academy/cloud-diversity-academy/
EC-Council’s $7 Million Scholarship for Cybersecurity Career Technician (C|CT):
Launched in May 2023 with an initial investment of $3.5 Million, the CCT Scholarship Program received a significant response with applicants pouring in from 170 countries. This global interest highlights the widespread demand for cybersecurity expertise and ensures a diverse pool of candidates with varied perspectives, essential for effectively addressing cyber threats.
The scholarship program has become a cornerstone in tackling the global cybersecurity workforce deficit. By nurturing a diverse and skilled talent pool, EC-Council is actively strengthening global cybersecurity resilience. Our continued commitment to this initiative, aligned with our mission to empower individuals and organizations with cybersecurity expertise, signals a future where digital environments are safer for everyone.
Successful awardees will receive a scholarship to cover the cost of education and certification resources. The scholarship will not cover the certification exams proctoring and technology fee of $199, which the awardees will be required to pay to avail the benefits of this program.
https://campaigns.eccouncil.org/cyber-career-starter-scholarship?utm_source=cybersecurity-exchange&utm_medium=pop-up&utm_campaign=cct-global-scholarship
Reading List: Blog of the Month:
The Ticketmaster Data Breach May Be Just the Beginning:
Data breaches at Ticketmaster and financial services company Santander have been linked to attacks against cloud provider Snowflake
The connection between the Ticketmaster cyber breach and Snowflake, a cloud storage company, is that the hacker group allegedly gained access to Ticketmaster’s data through Snowflake.
The Department of Home Affairs has confirmed a cyber incident impacting Ticketmaster customers. The notorious hacker group ShinyHunters is reported to have stolen personal information of customers. The data leak is expected to impact millions of customers globally.
The personal details of 560 million Ticketmaster customers may have been leaked in this data breach. The leaked data, which is up for sale, includes names, addresses, credit card numbers, phone numbers, and payment details. ShinyHunters is reportedly asking for $US500,000 ($750,000) for this data.
The Department of Home Affairs is working with Ticketmaster to understand the incident. Cybersecurity expert Mark Lukie has warned that this hack could have major implications for Australian customers, including the potential risk of identity fraud.
This isn’t the first time ShinyHunters has been involved in a data breach. Last year, they allegedly accessed the personal information of 193K Pizza Hut customers. –Wired
Social Media Resources:
Zeffy is used for event registrations; we sent an email out if you are signed up for those.
With Eventbrite, we were limited to a certain number of sign-ups, and they have begun to charge for the service. Eventbrite is still being used, though it has a 25-attendee limit.
Feel free to pitch in and share ideas on our Discord!
Discord (QR below), can use QR code, link or search “ISSA-HR”
(https://discord.com/invite/Jt3m7TWQzQ)
LinkedIn: great resource to get in touch with us:
Click the QR code (Above), link or search for “Information Systems Security Association – Hampton Roads Chapter” https://www.linkedin.com/company/information-systems-security-association-issa-hampton-roads-chapter/
Website: Be sure to also check out the Meeting recap on the ISSA-HR webpage!
Been blogging on the LinkedIn! Thanks Faith! We love feedback!
https://issa-hr.org/issa-hr-chapter-meeting-9-april-2024/
Meetings and Social Events:
4 June: Evan Larson, Millennium Project Manager: Review of recent Facebook/Meta hack: timeline and recommendations.
9 July: Daniel Weiss, IT Manager of Standard Calibrations Incorporated: Adventures in ZFS: Keeping data through hardware failures
6 August: Patrick Currie, Cyber Security Engineer (NAVSEA): A Deep Dive: Penetration Testing Techniques for UUVs
Looking for speakers for September, October, November:
(As well as in-house back up speakers)
If you’ve been to, or go to conferences, and find anyone, or if you want to speak yourself! Practice something you’ve been working on or dig into something, such as a class presentation, an experience you’ve encountered or anything else related to cyber! Evan L is the point of contact for presentation inquiries.
After-Meeting Networking Happy Hour: After ISSA meeting at Plaza Degollado. (Around the corner from ECPI).
Cyber Social: Wednesday June 26th 5:30-8:30. It’s a great casual (non-formal) event, always a good turnout. No expectations, great place to network. Definitely a good time. Be advised we will not get the side room this time, but we will be there; come out for a beer. We might (weather permitting) be able to be outside. You can sign up for emails to stay in the know about these events!
Jobs: (Have a job/Need a job Next slide):
Need a job: Type of Job, Elevator Pitch (Value you bring, qualifications, additional info)
Have a Job: Title of Job, basic requirements, contact information
ISSA has a job search page http://iz1.me/XJU31zUSeBV
https://issa-jobs.careerwebsite.com/jobseeker/search/results/
Government Jobs: USAJOBS.gov:
Government job resource: Great resource for federal resumes: Federal Resume Guidebook by Kathryn Troutman
Best way to get a job is through networking, as always.
Need a Job: If you’re looking for work, now’s your chance to let us know! Let us hear your elevator pitch: an Introduction, summary of what you do: current role and why you are doing well there, relevant experience, explain your value/what problem you can solve, and a Call to action for what you’d want to do next. Whether you are currently employed or just want to practice, now is a great opportunity.
Optionally, for an extra 30 seconds you can add other details such as clearance status, remote, on-site or relocation preference, additional education/certs not already mentioned, and other short details. We can post your email in the chat if you want, we will ensure it gets to the right people.
-Evan has his CISSP, TS/SCI and a few other certifications, looking for something more technical than what he is currently in.
Have a Job:
Job title/Company/Type (Contractor, Government, Private sector, Internship, Full time, Part time)/Requirements (Years’ work experience, Education, Certs, Clearance)/Desired experience, qualifications and any other information desired (keep it short)
Monthly Presentation: Real World Lessons Learned from a Facebook and Meta Hack
Evan will break down a recent Facebook hack he has experienced, and the complications that a rogue Meta account can cause.
Evan Larsen retired from the Navy after 20 years, during which time he supported the Navy Red Team (NRT) in several positions to include leading the team as the NRT Director. During his time in the Navy Evan primarily served as a P-3 Naval Flight Officer, supporting efforts in Asia and the Middle East throughout his career. Since his “retirement” he has supported a Security Operations Center, as well as his current role of managing the contract and people supporting DoD Red Teams.
This presentation will guide us through how his Facebook was hacked, how he responded, and why he was unable to easily recover from the incident. Evan will share some of his biggest Lessons Learned in the process.
He will also discuss how to remove the persistence the hijacker established on his Facebook account by linking a Meta account that the hijacker, not Evan, controlled.
Thank you Evan!
How My Facebook Got PWNED: (And how I recovered from it):
Summary:
“Playing it as in phases of Star Wars: Phantom Menace: initial hack/ Attack of the Clones: Discoveries, continued fight for access, trouble tickets/ Revenge of the Sith: Hacker did something, changed their posture/ A New Hope: using unconventional means to get access back/ The Empire Strikes Back: Hacker re-did attack to keep persistence, no solid solution, in process of figuring out how to burn it all down/ Return of the Jedi: Found solution (with sister’s help) and resolution, going to wrap up with Lessons Learned from the endeavor and Recommendations.”
The Phantom Menace, (the Initial Hack):
“A communications disruption can mean only one thing. Invasion!” -Sio Bibble
Threat Actor possibly compromised an old email account attached to Evan’s Facebook.
“Saw an email address associated with my Facebook, did a recovery and got in but saw two email addresses, mine and the hacker’s. Changed password and thought I was good. (insert Morgan Freeman voice: he was in fact, NOT good)”
“Kept trying to find ways to get intruder out. Did not initially approach this dilemma as an analyst. Trying to kick him, and re-add myself. At first did not notice the hacker had added a Meta Account. Possibly done within the first few minutes but did not notice until later.
Hacker logged in a few days earlier, and I did not notice, they updated the session (as implied by Facebook logs), they added their email, reset my password and changed the password and logged in. When I changed my password, immediately after they logged in again.
Constant in/out/removing/re-adding. They knew way more about the process than me.”
Jon B: This two day window in April, is this when they created the Meta Account?
“You don’t notice the Meta account unless you go into system, into settings. You check the left side for ‘Meta Security Center’ and that is where you take notice. Otherwise you may not even know.”
“No notification to indicate a Meta account had ever been created. Possibly inferred by the “session updated” log. Facebook logs tie a cookie to devices. Which is how I noticed logins took place from London, Ohio and California. Possibly a VPN.”
Roops: Had you gotten any password reset code emails? I get them a lot.
“I may have got indications, but never knew someone actually got in. Just because you are being targeted does not necessarily mean they have information. They got into my Facebook via the weakest link– an email from the mid 90’s, my Facebook had multiple emails attached– more recent email, used more often– unfortunately I left my 90’s email on there and that’s how they got in.
PAY Attention to your WEAKEST LINK. The hacker used this to create a Meta Account.
What is a Meta Account?:
A Meta account is an online service that allows users to log into virtual reality (VR) devices, manage purchased content, and unlock connected experiences across Meta platforms. It is NOT a social media profile but it can be linked to a Facebook or Instagram account.
Once linked to Meta account, it’s required that you know the Meta login and 2FA (if enabled) to do any ‘major’ settings changes: suspend account, delete account, etc.
“If a hacker gets into your Facebook and creates a Meta account, this restricts you, as they can get into your Facebook but you cannot get into the Meta. Meta accounts can be linked to Facebook and Instagram.”
“I could see the hacker’s email, they could see my information too. They set up a Meta Account based off my email, every time I tried to get in they had 2FA and I could not get in. Trying to find a backwards way to do it, was not able.”
Attack of the Clones (My counter Attack):
“I’m just a simple man trying to make my way in the universe” – Jango Fett
“After the back and forth, I kept trying to find steps to remove the hacker. Went to the Meta page, not a lot available for customer service. I tried that avenue and never got a response. I have a buddy who works for Meta who was able to put in a Friends and Family ticket. OTP codes were generated and ticket was closed, I tried them and NONE of them worked. I went back to my friend at Meta, he sent a follow-up and they never got back to him.”
“I sent an inquiry to hotmail (the hijacked email’s host) and never got a response. Hotmail’s recovery email was a different email. I kept trying to recover; by the time I got there it had already been shut down. It was a “throwaway” email address. I tried to log into his email by initiating a recovery, the backup email was obscured which matched up to an ‘inbox.com’ host. Tried the Meta, didn’t work, tried disconnecting the Meta, tried disconnecting myself, realized when trying to reset passwords, one time codes were being generated—did try to change a setting to remove ability to log into one from the other, but got hit with ‘enter Meta Password’. After about a week of getting kicked out, I decided to remove my Facebook account, tried to deactivate it to shut it down, but you cannot without a Meta Password. At this point I was quite frustrated.”
Revenge of the Sith:
“Execute Order 66” — Palpatine
“The hacker changed his posture, changed my name and date of birth, completely kicked my email out, HARD this time. Couldn’t access anything; you can do certain things that I’m not comfortable with, (sending driver’s license to FB help) but I did it anyway. It took about a day, had to go through that multiple times, each time took less time. Kept getting kicked out, back and forth. So, they’re starting to change stuff and I was dead-set on deleting everything. But I do not know the Meta password the hacker set up.”
A New Hope:
“You don’t need to see his identification…These aren’t the droids you’re looking for.” – Obi Wan Kenobi
“At this point I was approaching it a little more unconventionally– I tried to hack into the hacker’s email (grosvenorenix2864us@hotmail.com) to get access to the rogue Meta. Tried getting a password reset email sent to the email I had access to (grosvenorenix2864us@getnada.com) but no luck. Tried resetting recovery email to my email but only found a Microsoft recovery form, which I had no idea how to access.
The intruder probably had information from the Hotmail I was using: names, date of birth, past used passwords, a lot of information he had because it was on my Facebook. Just trying to find a way to get into their Meta, Facebook, everything I could, and kept hitting brick walls. Tried recovering their email to mine, didn’t work. They probably had more information on me than I had on them. I assumed they had some recovery emails I used as subjects… No luck… Hope Crushed.”
The Empire Strikes Back:
“Do or do not. There is no try.” — Yoda
“After lots of back and forth with no solid solution, I went back to the plan of destroying my old Facebook and creating a new one. Call it for a loss. When trying to create a second Facebook, I never got the confirmation email to properly set it up, unsure why. The next day the hacker got in and changed my family photos I was tagged in from my wife (they are nice). The Facebook hacker changed my original Facebook name and once again, hard kicked me out, prompting me to do the ID thing again. At this point was just trying to figure out what to do.”
“During this whole month, there was a couple times I saw my account was locked, I would leave it for a couple days, after those few days I would use my driver’s license to unlock the account and here we go again.”
Return of the Jedi:
“Luke, you’re going to find that many of the truths we cling to depend greatly on our own point of view” – Obi Wan Kenobi
“On mother’s day I called my sister, offhandedly let her know I was locked out of Facebook. Two hours later she showed me a forum where someone else has the same issue and a fix. (https://www.reddit.com/r/facebook/comments/1b1hqs3/how_I_recovered_my_hijacked_facebook_account_and/)
This helped provide the missing piece of the puzzle that I had been trying to solve for upward of a month.
When my Facebook was removed it took the rogue Meta account with it.
Tried logging in with every device I ever logged in on and could not get past this message. In this time the hacker had opportunity to change all the progress I made.
SO, I made my OWN Meta account, I was able to do this since the rogue Meta was connected to the Facebook I disconnected.
If you have an Instagram attached to your Facebook and Meta, be aware this may give you trouble if you experience this issue.
“If you have a Facebook attached to Meta you can’t disconnect it, BUT if you have an Instagram account you can tie that in too. The Facebook was locked down at this point, I read all the Reddit details and set up a fake Instagram (‘killroy737’ to troll a little bit.) After linking that to my Facebook and the hacker’s Meta account, I was able to unlock it that way by then unlinking my Facebook from the rogue Meta, changing the login info immediately and re-linking to my own Meta account.”
“I was worried the rigamarole would kick off again. Hopefully the hacker doesn’t see it so I could remove the rogue account in time. I go in, add the Instagram account, disconnected my Facebook account, (FINALLY!) then went in to remove their Meta from my Facebook, and ran into another issue.”
“While my Facebook is finally freed up, the issue “You can’t make this change at the moment” was all I had.
“Got somewhat of a warm and fuzzy… but could not set up 2FA, unnerving, went to sleep hoping I still had my account in the morning. I was able to get in the next morning, hacker could possibly have lost interest since I was no longer considered ‘low hanging fruit.’ Checked logs occasionally to verify the hack was truly over. If it weren’t for my sister I would not have been able to conclude this dilemma.”
Lessons Learned/Recommendations:
Must do’s: change your Facebook passwords often! I never do, it took a few minutes for me to get to where to reset my password… a few minutes too long. If you have Meta set up, top left is settings, and Meta security, passwords, 2FA and other measures are here. Login alerts can be set up (HIGHLY recommend 2FA and Login alerts.) If someone logs in and you’re not expecting it, you can recover quickly.
Know your weakest link, if you have older email addresses associated, change them! If you have multiple, reduce it to one.
Recommend: Set up a Meta in case someone ever gets into your Facebook so it can’t be generated by a rogue actor. Will strike adding Instagram. If you have two accounts under Meta, one can be removed. Technically, recommend having Meta tied to most used account (either Facebook or Instagram, make that one attached to your Meta) TA’s could attach it, but it’s that many more extra steps that may dissuade the threat entirely.
“You know how you can add family– get rid of all that. (Who cares really?) It’s a vulnerability. Change information regularly. Most cybersecurity professionals won’t put their high school, real date of birth, just put fake stuff.”
“For security questions, make up fake information and keep that fake information safe in a password vault. (DO NOT use the same fake information more than once.)”
Meta settings: “You can request logs. It may take a few days or a few weeks depending on the age of your account”
Questions?:
Q: How many collective hours did you put into recovering your Facebook?
A: About 20 hours. After back and forth and parsing the logs and deleting as much as I could to sanitize.
Q: Are you saying your hotmail was possibly compromised beforehand?
A: Yes. There were a lot of Facebook emails in there. Hotmail must have been their avenue.
Q: Do you have access to your hotmail?
A: I do, I’m unsure how to get the logs. To go back a month and a half/two months of logs would take a lot of parsing without an aggregator.
Logs are downloaded via zip file, which can be opened in any browser to parse: messages, posts, gaming, places you’ve been, comments, groups. If you go down, connections, you can see all this information, even security. Connectivity is the real money maker: on the 18th, the hacker (email address) showed up as a login. In the first 20 minutes of the hack, so much went on: email added, session updated, login. They had to have logged in the first time on the 16th, not sure how they would have done it other than inferencing. IP address shows VPN activity.
You can go through these logs and see this kind of information. Can be a major rabbit hole.
In activity center you can see where geographically you are actually logged in.
Q: What all did they do with your account?
A: When they first got in, they used my old email and got into my Facebook, when they got in they created a Meta account, which gave them persistence. I didn’t realize and when I did, I could not remove it initially. They tried to change Name, DOB and Pictures. Since I was so active I was able to counteract regularly, they would go a day without any activity then go in and change something. Rarely were they on there as long as I was but they would consistently keep coming back. Since I kept counteracting, it prevented them from doing anything truly obscene like spamming my friends list. The easiest way to recover via my phone is to take a selfie photo at multiple angles. My Kilroy (fake) Instagram account creation helped too.
Without a friends and family ticket, the average Meta user seems SOL, as Meta has virtually no help desk.
This is a fantastic brief. Thank you for sharing your experience with us, Evan!
Business Meeting:
Old business/New business/Membership Updates/Secretary: Meeting Minutes/Treasury Report/Social Media Updates
Old Business: Social Event, Casual Pint May 22nd
New Business:
Conferences
Volunteer Events: What would members like to participate in? Who can volunteer to lead?
ISSA Mentorship program:
Desmond Graham: Mentorship Chair
Call for volunteers on the mentorship Program committee
Call for Mentors: reaching out to schools and companies in the area
Mentorship Mixers: Learn about how to get into cybersecurity with no previous background
Meet and learn from cybersecurity SME mentors
Network with hiring managers and the cybersecurity ecosystem.
Conferences:
RVASEC: June 4th-6th in Richmond VA: $375-, https://rvasec.com/ right now oops
TECHSPO 2024: July 1st-2nd in Washington D.C.: $0-, https://techspowashingtondc.com/register/
Bsides Roanoke 2024: July 12th : Pricing not available but not expensive according to Jon: https://bsidesroa.org/
DC Metro Cybersecurity Summit: July 18th in McLean VA: $195-$250, https://cybersecuritysummit.com/summit/dcmetro24/
DISA J6 Cyber Awareness Forum 2024: July 25th in Alexandria VA: $Free, but DoD only. https://www.fbcinc.com/event.aspx/Q6UJ9A01YF2W
Zero Trust Government Symposium: July 17-18 in National Harbor, MD: $0-$1290
https://zerotrust.dsigroup.org/
Black Hat USA 2024: August 3rd-8th in Las Vegas, NV: $2,499
https://www.blackhat.com/us-24/
DEF CON 32: August 8th-11th in Las Vegas, NV: $480
https://www.defcon.org/
FutureCon: August 22-24 in Washington DC: $50-$200
https://futureconevents.com/events/washington-dc-2024/
ISC2 event: Look into Maritime conference. Early reg is $1250, way cheaper to attend virtually.
We love to volunteer at local conferences! Great way to network, garner interest in our chapter. Some of the best networking opportunities compared to merely being a guest. We are always looking for people!
ISSA Mentorship program:
Desmond Graham – Mentorship Chair
Call for Volunteers on the Mentorship program committee
Call for Mentors: reaching out to schools and organizations in the area
Mentorship Mixers: Learn how to get into cybersecurity with no previous background/ Meet and learn from cybersecurity SMEs/ Network with hiring managers and the cybersecurity ecosystem
Membership Update:
Number of members: 45
Last meeting: 13 members, 5 visitors in attendance
May 7th Meeting Minutes: Meeting recap on website:
https://issa-hr.org/issa-hr-chapter-meeting-7-may-2024
Presentation Speaker: Alex Reid: Red Team Tooling
Business Meeting:
Old Business: Cyber Social @ Casual Pint, Mentorship Program
New Business: Conferences, Volunteer Outreach
$4,441.71 recorded.
Treasurer Report:
Balance: $4,346.71
Still trying to get back to 5k
2024 Events Calendar:
July will be the second Tuesday instead of the first to allocate for the holiday.
We also need to start thinking about elections. Will be looking for who is aiming to retain their roles and who would like to volunteer to be nominated. We are always looking for new energy, something to contribute to add more to the club!
Email Addresses:
Adjourn:
After Meeting: Networking Happy Hour @ Plaza Degollado
Please give us feedback!: What did you like? Recommendations for future meetings? What could make your experience better?
Send your feedback to President @ ISSA-HR. Org