Wednesday, December 17, 2008

Cybercrime

Apparently cybercriminals are getting smarter. Some of the more interesting facts in this story include:
Spam accounts for 90% of e-mail.
There are now businesses in China and India whose employees are tasked with typing in those text picture tests that you have to fill out to open some accounts online.
E-mail attachment attacks have decreased significantly over the years.

It is hard to believe that so much of the world's email is spam, but I suppose we should not be surprised. The majority of e-mail I get on my regular G-Mail account is spam. It should also be disheartening that even the picture tests are not enough to stop spammers from getting new accounts. At least we can be consoled by the fact that there are fewer attachment attacks, although it is possible they have just been replaced with more sinister types of attacks.

Cisco: Cybercriminals more savvy than ever in 2008
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1342560,00.html

Tuesday, December 16, 2008

Security Review: Xbox and Playstation.

With the new advancement in gaming systems and numerous uses of the new Xbox or PlayStation, can these devices be another tool for hackers to use to violate our lives and gain personal information? Within the last two or three years both the Xbox 360 and the PlayStation 3 have been hacked into. In January of 2006 “Sources say that a group calling themselves Team Pi have discovered a vulnerability in the Xbox 360, or more specifically in the kiosk CD being used in retailers' displays. It seems that though the executable on the disk is signed, the other media on the disk is not signed allowing someone to swap the Project Gotham Racing 3 demo video with a WMV-HD rip of a full length movie. This is far from being a complete hack of the Xbox 360 but it is one little step closer to a full hack.”

This month “PlayStation Home, a 3D social gaming community available on PS3 that allows users to interact, communicate and share gaming experiences, launched last Thursday and over the weekend it was hacked multiple times. Hackers found several vulnerabilities that allowed them to run some code to bypass advertisement, replace content originally placed by Sony with the user's own images. Another hack allows uploading files to hack the Home server or deleting any file from the Home server.”

Although these events were both of the minor variety, this leaves a lot to be questioned. On both consoles people can purchase movies, games, and music by using their online accounts. On these online accounts people provide very sensitive information to be granted access to the following features: Internet access, movie download center, and music download center. Not all the features are necessarily desired by every user. My question is: can these devices, which are operated over the web, be possible hacking opportunities?


Articles: http://news.teamxbox.com/xbox/18394/PlayStation-Home-Hacked-Already/

http://theconsolewars.blogspot.com/2006/01/impossible-to-hack-xbox-360.html

Monday, December 15, 2008

Adobe PDF and Flash are source of web attacks

"Attackers are finding new ways to stay one step ahead of security, exploiting ubiquitous Adobe Flash applications and PDF files, which many organizations and end users incorrectly assume are safe against compromise." was quoted in an article describing Adobe attacks on December 9th, 2008.

"In its Q4 Web Security Trends Report, Finjan Inc. says its Malicious Code Research Center (MCRC) has found that millions of PCs have been compromised by either Flash- or PDF-borne Web exploits, as crimeware writers widen their attack vectors and find new ways to evade detection and snare user machines." Flash is an application that allows animations in webpages. Flash is a specific type of webpage coding. The Flash exploits rely on basic Adobe ActionScript functionality to exploit browser vulnerabilities. Flash malware can be delivered through malicious banner ads. "Although most networks inspect the ads for security risks, their efforts are often insufficient." Adobe advises uses to set a parameter, "AllowScriptAccess," to "never," but is more typically set to "always." "This allows ActionScript to inject an IFRAME, which can then pull in malicious content and infect the end-user machine."

PDF is mistakenly considered a safe file format by many. However, PDFs can be exploited through a pair of buffer overflow vulnerabilities. Adobe has patches for these flaws, but many machines aren't up to date. Starting with version 1.4, the PDF format includes JavaScript capabilities. The problem has grown with the emergence of simple crimeware toolkits, such as Neosploit and Fiesta, which include PDF components that "enable attackers to obfuscate scripts within PDF files to execute Web exploits. Signature-based detection is not generally effective against these attacks, so antimalware engines must rely on real-time detection."

The best way to prevent these attacks seems to be by simply updating these programs since there are patches available. Perhaps Adobe should come up with an automatic software update, like Microsoft uses. This article is interesting to me because I use Flash coding all the time and I always felt like it was safer, even though I had nothing to support this reasoning. I also think this is interesting since we recently learned about web-based attacks. It would be interesting to see if these programs are exploited in ways similar to cross-site scripting. I think it is also important that antivirus and spyware detection programs update their software to protect users against these attacks.

Sources:

Flash, PDF are growing malware targets
By Neil Roiter, Senior Technology Editor, Information Security magazine, 09 Dec 2008, SearchSecurity.com

http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1341749,00.html

Web Security Notes

Someone pointed out that I hadn't posted the web security notes online. Here they are:

Web Security slides

Sunday, December 14, 2008

Oooops they did it again

Microsoft has made itself the joker of the modern computer world once again. No, I'm not talking about Windows Vista, aka "Mojave"; I'm referring to a new vulnerability in the Internet Explorer program that runs on all of Microsoft's operating systems. On Friday, Microsoft released a statement about a number of "zero day" attacks that occur as a result of a vulnerability in the way the browser processes XML (a way of writing information to websites). Verisign released an announcement late last week that a group of Chinese security researchers discovered and accidentally released the flaw in IE. The main idea of the attacks is to load malicious software onto computers that are vulnerable to the attack. These programs can give the hacker all the normal privileges that the user would have, including access to sensitive records and files. Below are links to two articles, including one that talks specifically about ACLs and how to block the vulnerability at the server before it enters the network. This does not completely block the threat, but it does lower the risk until a patch is made available.

http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1342278,00.html

http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1342135,00.html

Sunday, December 7, 2008

Facebook revisited

As the other posters have mentioned, Facebook is really in no way secure. First, you can set up an account claiming to be someone else. This can cause slanderous things to be posted on someone's Facebook page that isn't really theirs. People can also pretend to be someone and hit on girls or boys, and then in person the person who thinks they are being hit on can be extremely hurt because everything is a hoax. Facebook needs to develop a system of verification to make sure these things do not happen.

As for the virus attack, I am constantly bombarded with these phishing attacks. Some of them come as wall posts from friends who have "zombie computers". Recently Facebook added a new feature called "Facebook chat". This is the Facebook equivalent of instant messaging. Many of the most recent phishing attacks I have received have come via Facebook chat. Facebook needs to come up with a way to prevent this virus from spreading further. Most of the attacks are extremely obvious, such as "click here to reduce your debt". None of my friends would care about debt nor would they advise me on how to lower it. The other attacks about tagging and adding photos etc. are much more harmful because they could seem legitimate and could end up being malicious.

Saturday, December 6, 2008

Security Review: Off-Campus Housing Door Security

In the dorms on campus, doors play a crucial role in terms of security. A number of security features are intended to keep the dorm and residents safe (ID card scanners, restricted access hours, and PIN keypads). Furthermore, doors to individual rooms make use of locks and keys, and strong physical construction to maintain the security of a room. Unfortunately these measures are not always enough to prevent theft and unauthorized access.

What happens, then, when students live outside of the Notre Dame bubble in the neighborhoods surrounding campus? What measures are used on doors to maintain the security of off campus houses? In this security review, I will assess some common methods of securing the doors and overall safety of an off campus house.

Exterior doors can be equipped with different types of locks (handle locks, single-cylinder deadbolts, double-cylinder deadbolts), construction materials (metal, solid-wood, composites), and sensors (surface door contacts, recessed contacts). Not all methods provide the optimal security condition as the integrity of the physical barrier can be compromised. Ideally for the home owner or resident, the door will of course prohibit unauthorized entry and will not readily expose to view (disclose) the contents of the house. This also addresses the integrity of the house and its residents and associated property. In addition, the door should allow authorized individuals entry.

Would-be attackers would be interested in knowing what methods are used to secure the door. Do the residents actually use the installed deadbolt lock when leaving? An underutilized deadbolt is pointless in keeping attackers out. Is the deadbolt a single cylinder (key used only on exterior), or a double cylinder (key needed on inside and outside) lock? A single cylinder lock located right next to a large glass window would provide easy entry after breaking the glass (alteration). Is there an associated alarm system that is actually activated? The presence of alarm equipment does not guarantee that residents turn on the system. Furthermore, some alarms are disconnected and only emit a loud noise. While this may scare an intruder away, he or she still has time to grab property before fleeing.

The overall construction of the door is something that most tenants can do little about. This vulnerability is really only a small piece of the puzzle. The quality of door design is null if users fail to adequately lock the door using the deadbolt. Seemingly the largest vulnerability in this case is human action. For instance, even if a door is well protected, there may be other means of entry. An open window (or a closed, yet unlocked, window) or secondary door could prove the main door security measures unimportant. It would be like beefing up security on HTTP ports while ignoring the POP3 port in a computer system.

Attempts to secure the door through multiple and sometimes extreme ways must be tempered by sensitivity to the ease of entry by authorized individuals. Ultimately some risk acceptance is inherent in a system that literally opens doors. Nevertheless, the amount of risk can be reduced and transferred. Installing double-cylinder deadbolts (especially when doors are adjacent to windows or glass panels) and always making use of the deadbolt clearly demonstrate good protocol. By making a home doorway harder to breach homeowners can deter would-be attackers. Risk transference can be achieved by obtaining homeowner's or renter's insurance for property potentially lost to burglary.

alarmsystemreviews.com
homesecurityguru.com

Security Review: Credit Card Security

The use of credit cards to make purchases is becoming more and more common, but what is being done to ensure its security? When you make a purchase, you have no idea what is being done with the information. Where is it being sent? Where is it being stored? Who has access to it? What is being done to protect it? Credit card fraud affects everybody – the card companies, the stores, and the customers. As a result, a number of new methods have emerged in the past few years that are designed to increase security. Discover Card developed the Secure Online Account Number Program for online purchases. This produces a random number for each transaction to be used instead of the credit card number when an online purchase is made. The merchant gets Discover Card to verify it before it is connected to your account, so the business you are buying from doesn’t see your real credit card number. Additionally, a combined effort between Visa and MasterCard developed the Payment Card Industry Data Security Standard, which is a set of guidelines put in place between the credit card companies and the merchants. Some online retailers are now requiring the shipping address to be the same as the one associated with your credit card. This may reduce the risk of fraud, but it is a huge inconvenience to the customer and may hurt the merchant’s sales. Finally, VeriSign provides merchants with up to 256-bit encryption using Secure Sockets Layer (SSL) technology.

With the addition of various types of Card Verification Codes (CVC), the security of transactions has improved. For transactions at physical stores, CVC1 is used for verification. This is a code that is in the magnetic stripe on the back of the credit card. On the other hand, CVC2, a three or four digit number on the card, is used for many online, mail order, and over the phone transactions to help prevent fraud. The CVC is created using a key that only the bank knows, by applying a hash function to the expiration date and the card number. The information in the magnetic stripe is very valuable because it allows fraudulent credit cards to be made. Therefore, credit card companies are making a greater effort to make sure merchants are not storing this information.

However, CVC2 is still vulnerable to phishing scams. This can be done by either using a typical phishing scam (developing a fake website requesting sensitive information) or by already having the credit card number, giving it back to the cardholder, and requesting the CVC2. In addition to phishing attacks, there are countless other ways to obtain credit card information. A store’s employee could very easily write down a customer’s credit card information and copy the signature, especially at the type of place where they take your card out of sight for a short time (such as a restaurant). With the name of the person, it would be easy to obtain their address and then make online transactions using the stolen card information.

Because credit card information is so valuable (the cardholder’s money is at risk), it is essential to protect the information. In order to mitigate the risk of information being stolen and fraudulent transactions made, I think that a few steps should be taken. First of all, all online merchants should be required to ask for the CVC2 when a transaction is being made. For in person transactions, merchants should not be allowed to store the information on the magnetic stripe. They should also be required to ask for another form of ID to make sure it matches the name on the card as well as get a signature. The Luhn Algorithm that we discussed in class helps to verify the integrity of credit card numbers while CVC is used to verify integrity of the user of the credit card information. When credit card fraud is committed, the confidentiality of the cardholders’ information is lost and their money may no longer be available when they need it. The physical card will always be at risk for theft, especially in a situation like the dorms where the mail is left in a pile in the lobby. Despite the numerous ways to commit credit card fraud, I think that the actions card companies are taking will help to decrease the risk. However, there is no way to completely ensure the security of information.

http://news.cnet.com/Putting-the-squeeze-on-credit-card-fraud/2100-7349_3-5856625.html

http://www.creditorweb.com/articles/credit-card-security.html

Friday, December 5, 2008

Facebook Virus

In light of the recent security review on Facebook (see earlier post), I thought this article would be of particular interest. PC World reports that a Facebook virus is spreading rapidly. The virus turns an infected computer into a zombie, for potential use in a botnet. This is achieved by setting the affected machine to access the internet via a proxy set up by the hacker.

The virus is being spread through Facebook messages with bizarre titles like "Hey, I have this hilarious video of you dancing" and "You look awesome in this new movie." When users click on the link to the 'video' they are prompted by a Flash Player update download. The download, while something most people would routinely click, actually has a malicious file embedded.

Although this tactic seems obvious and ridiculous, the rate of success is alarming not only with regard to security, but also when the gullibility of internet users is concerned.

Thursday, December 4, 2008

Apple posts, then removes, suggestion for use of anti-virus software

"Shortly after updating a security bulletin recommending widespread use of antivirus software on Macs, Apple took it down." (wired.com)

Apple's initial recommendation was surprising to many Mac enthusiasts, who for years had been told their systems were not threatened by malicious software. The advice was given in Apple's "Knowledge Base" collection of articles. The original post advocated the use of "multiple antivirus utilities so that virus programmers have more than one application to circumvent." (Although the article was removed, you can still read excerpts).

Clearly the author of the article was advocating defense in depth; however, it seems that the PR machine at Apple was concerned about the implication that encouraging the use of anti-virus software on Macs was an admission of system vulnerability.

One observer states, "The benefit of Apple's tight control over its operating system and hardware is the ability it gives the company to implement effective, reliable security measures." And until Apple's market share increases significantly, it is unlikely that hackers will target the Mac platform.

While this may well be the case, I certainly wouldn't want to play guinea pig for the security team.

Wednesday, December 3, 2008

Security Review: Facebook

Social networking sites allow millions of people around the world to communicate with each other, in addition to sharing pictures, videos, stories, and other useful information. By far, the two most well known social networking sites are MySpace and Facebook. As if you did not already know, users on Facebook mainly communicate via short written messages on the “Facebook walls” of other users. Users can communicate more privately with “Facebook messages”, and can also create “Facebook events” that describe pertinent information regarding upcoming community events. Facebook has even become a place of social activism: multi-member “Facebook groups” can be created for a wide variety of social, political, economic, and environmental causes.

Depending on the privacy settings of a particular user, other users can see that user's profile. Facebook accounts contain information that would be useful to potential employers, coworkers, friends, family members, and “romantic interests”. As a result, Facebook users and administrators require a high level of integrity—if the information contained within Facebook cannot be mostly accurate, the appeal of the social networking site would markedly diminish. In addition, there would also be information, pictures, or notes that Facebook users want to keep away from potential employers, nosy coworkers, and family members. As such, confidentiality is also important. Facebook administrators also want authorized users to be able to access the information stored on Facebook as easily as possible without jeopardizing security.

However, cyber-attackers may want to achieve alteration or disclosure of important Facebook information, because the hackers could use that information for personal financial gain—for instance, they could sell other users’ e-mail addresses and phone numbers—or to make other job applicants appear less favorable, etc. Furthermore, if hackers gain access to a Facebook account, they can easily “spam” the friends of the compromised user with links to phishing scams, pornography, or the like. Also, if a denial of service attack was implemented, there would be an uproar from millions of Facebook users.

As a Facebook user for the past two and a half years, I have not once been asked to change my password. Therefore, I run the risk of hackers determining my password, which would lead to my account being compromised. In addition to that, another vulnerability that Facebook cannot easily address is the very nature of social networking systems. If one account becomes compromised, that account could enable other accounts to be compromised. Furthermore, since Facebook has no method for ensuring that passwords are “strong” as opposed to “weak,” it is vulnerable to a brute force attack. Facebook is even vulnerable to XSS attacks that infect users with spyware, adware, and other types of malware.

In the end, Facebook is prone to the various vulnerabilities, risks, and threats to which all large social networks are prone. However, the Facebook network complicates these vulnerabilities by allowing so many users easy access to the account information of other users. The networking and information-sharing capabilities of Facebook users are necessary for a successful social networking site, though, and should not be truly avoided or transferred. In fact, I believe a combination of risk mitigation and risk acceptance would be more proper. Facebook must simply accept that it will be prone to the security vulnerabilities and threats common to social networking sites. However, Facebook can take preventative measures to make itself less vulnerable to brute force attacks and XSS attacks. For example, it can mandate that passwords be “strong” and be updated regularly.

Infrared Communications - Utility and Security

I was first introduced to infrared communications when purchasing my first cell phone (3 1/2 years ago). I favored the Bluetooth, but it is not a technology that should be overlooked. My understanding is that Bluetooth was invented as an enhancement to Infrared (in terms of energy efficiency and increased range). Infrared finds utility in direct connections.

Reportedly, Infrared technology allows computing devices to communicate via short-range wireless signals (approximately 5 meter range limit). The infrared transmission technology used in computers is similar to that used in consumer product remote control units. In comparison with about 100Mbps maximum communication speed in wireless communications, there is a possibility of 1Gbps with infrared communications (due to its much shorter wavelength than wireless communications, broadband communications are available). In this way, infrared communications are suitable for transmitting large amounts of data such as animations. The most common use for infrared ports is to transfer files between devices. For example, you can transfer files between a Windows CE device and a desktop PC or between two notebook PCs.

The two main problems with Infrared are the sun and line-of-sight (similar to a TV remote, devices must be pointed directly at each other to communicate). The sun gives off a lot of infrared light. In direct sunlight, the IR receiver can be "flooded" and won't be able to see any incoming messages (best used indoors).

Now on to security issues. Because infrared operates at such a short distance (and a narrow angle), it is relatively difficult for an attacker to intercept data that is being transmitted. Infrared communication is secure with high concealment in its ability to specify its receivers, based on the strong directivity of infrared communication. However, infrared does not provide data encryption. Because data is sent in plaintext, it is vulnerable to packet sniffing attacks.

There is a plethora of communication options available; Infrared's lack of data encryption is certainly a major downfall, but I believe that there are viable uses for this technology (a quick exchange of contact information/virtual business cards, for example). I am uncertain as to its popularity in the professional world, but would bet it has its place.


Sources:
http://compnetworking.about.com/od/homenetworking/g/bldef_infrared.htm
http://www.contrib.andrew.cmu.edu/~rgockley/legos/ir.html
http://technet.microsoft.com/en-us/library/cc775941.aspx
http://linkevolution.e-globaledge.com/english/infrared/aboutir.html

Tuesday, December 2, 2008

Empire State Building Stolen

Apparently releasing prisoners from jail isn't the only thing that has slipped through the cracks:

The Daily News, in an attempt to expose New York City's vulnerability to deed-, mortgage-, and property-fraud, drew up fake notarized documents and filed them with the city; effectively transferring ownership of the Empire State Building from Empire State Land Associates to the fake "Nelots Properties LLC" (Nelots="stolen" spelled backwards).

This was a part of a larger expose by the Daily News aimed at illuminating the very real possibility of more modest property fraud that can go unnoticed or unchecked by the City of New York.

The FBI has found a 31% rise in mortgage fraud and Suspicious Activity Reports, and over $813 million in losses has been sustained by lenders since 2006.


Here's the story:

http://www.nydailynews.com/money/2008/12/02/2008-12-02_it_took_90_minutes_for_daily_news_to_ste.html

Sunday, November 30, 2008

Obama Trojan

Ever since the end of the election, there has been a Trojan virus that has been riding the coattails of the Obama victory speech. Here is a quote from the article: "Several security tool vendors -- including Cloudmark, Sophos, and Websense -- today are reporting massive amounts of spam messages that promise video clips of an "amazing" Obama speech, election news results, or interviews with Obama's advisers. These messages are carriers of malware that can compromise users' PCs, researchers say. The three vendors offered differing descriptions of the attack, which suggests it may be working under different disguises. But screen shots provided by both Cloudmark and Sophos contained identical photos and text, indicating that much of the traffic is being generated by a single exploit."

Here is the website with more news:
http://www.darkreading.com/security/attacks/showArticle.jhtml?articleID=212000783&cid=nl_DR_WEEKLY_H



With every big event there are huge malware attacks reported. So my question is: why aren't there more arrests made, or more of an attempt to catch these people and make an example of them? And on the other side of things, what are some techniques that are being used to hide the identity of the hackers sending out these viruses? How do these people hide their footprints?

Virus attack on London hospitals hits patient care

During the week of November 19, three London hospitals were down because of a malware infection.

No patient data was at risk of disclosure, said William Mach, an NHS spokesman. As a precaution, computers were shut down at St Bartholomew's, the Royal London Hospital and The London Chest Hospital.

When the infection became known, ambulances were diverted to other hospitals, as it was easier to admit patients using unaffected computer systems rather than revert to a paper-based admission system, Mach said.

The hospitals are now taking emergency patients again, he said.

Officials are investigating how the infection occurred, although it did not appear to be malicious, Mach said.



Here is a site with more information:

http://www.computerworlduk.com/management/security/cybercrime/news/index.cfm?newsid=12031


Question:
If there are malware infections with no threat, what are some other reasons for malware to be put in place if there are no negative effects?

Monday, November 24, 2008

ND Stadium Security - A Unique Case Study

One thing nearly all of us take part in during the Fall on campus is Notre Dame football. The student security at the stadium is rather simple - you hand them your ticket and show a student ID. The ID card is the chief security check that you, as a student, are entitled to be there. Your clearance is a photo and a name to match the name on the ticket. It's easy to see that a ticket booklet name could be forged and a fake ID made to match it, but is all that really necessary to get past stadium security?

A friend of mine and I wore chicken and gorilla suits to the game this weekend against Syracuse. Maybe you saw us... As you can see below, we were fully masked. You may be surprised to learn that we wore the masks all the way from his room in Morrissey up to around the end of the first quarter. We were able to walk past a number of ushers, many of whom acknowledged us, without removing the masks on our way into the stadium and our seating section. We could have been anybody. Our photo IDs certainly did not match our gameday appearance. I'm not particularly serious or worried about threats from criminals in animal costumes, but I do think it's something to think about and, if nothing else, pretty funny.

Final Exam

The final exam for this course will be on Tuesday, December 16th from 8AM-10AM. This time and the location are set by the Registrar's Office. If you have a conflict, you need to see me as soon as possible.

The Registrar's Office has not yet announced our room assignment. Please pay careful attention to this announcement when it is made. I have had semesters where the final exam room was different from my normal classroom.

I've posted a review sheet that outlines the material covered by the exam. We will also use the last class meeting to review any questions that you may have, so please take some time to prepare in advance.

Sunday, November 23, 2008

Pentagon Hit By Cyberattack

The original articles for the subsequent post can be found here and here.

According to two news articles from Foxnews.com, the Department of Defense--specifically, the Pentagon--has been the target of a serious cyberattack. The cyberattack has, reportedly, affected some of the 17 million computers that store sensitive information on the Global Information Grid. According to the articles, the cyberattack came in "the form of a global virus or worm that is spreading rapidly through a number of military networks." As a result of this attack by commercial malware, use of external hardware devices such as flash drives, external hard drives, and DVDs has been banned.

As to the cause of this cyberattack, not many specifics are known. A rear admiral in the United States Navy has reportedly attributed the introduction of the global worm "to a service member with access to classified information [that] inadvertently loaded the virus onto his computer via a flash drive." This also explains why external devices such as flash drives have been banned. The authors of the malware--and the architects of the cyberattack--are as yet unknown. In fact, the cyberattack could have come "from a number of foreign countries, possibly Russia, though the military is dismissing earlier reports that China was the source of the threat."

Now that the Department of Defense has detected the virus, the next thing they need to do is follow the incident handling process described in class. Namely, they should contain the virus by removing the ways in which the virus is thought to have entered the network. I believe that the Department of Defense has done that very thing by prohibiting the use of external drives. They then must restore their systems to a "known good state," but the details of that may be difficult since we do not know the extent to which the network has been damaged by this cyberattack. In restoring their systems to a "known good state," they may have to rebuild their systems entirely or they may just have to redesign their information security environment. Finally, they must analyze how to prevent further such cyberattacks. That may require further restricting access to sensitive information, or permanently enforcing the ban on all external devices.

Thursday, November 20, 2008

Assignment 6

Assignment 6 is now available. It is due on December 8th. The first part of the assignment involves tracking down IP addresses. The second part of the assignment is the analysis of the iPremier case, which I will distribute in class on Monday.

Class Slides

Here are a number of the slides I've used in recent classes:

Tuesday, November 18, 2008

So Long, Blackberry

Obama transition officials have reported that it is very unlikely that he will continue to carry his Blackberry while in office. This is mainly due to security issues. The data contained on most PDAs can be compromised with nominal effort, e-mail can potentially be monitored, and these devices are trackable.

I don't personally own a portable e-mail device, however many will attest to how addicting (and convenient) it can become to regularly check and manage one's e-mail: "Definitely he's going to feel an electronic detoxing," said Reed Dickens, former assistant press secretary to President George W. Bush. Users have even been referred to as "crackberry addicts". Obama's attachment to his PDA is illustrated by the following: "This past summer, news cameras recorded him checking his BlackBerry while watching his daughter's soccer game, only to have Michelle Obama slap at his hands, prompting him to return the device to its holster."

The other issue, less relevant to this course, is the possibility of a president's e-mail being subpoenaed and made public record: "The president's e-mail can be subpoenaed by Congress and courts and may be subject to public records laws, so if a president doesn't want his e-mail public, he shouldn't e-mail, experts said." E-mailing is just another channel for his words and personal communications to become public record; this must be taken into consideration. On this note, Presidents Bush and Clinton set a precedent by not e-mailing in office and it will ultimately be up to Obama to follow it or not.

I find it comforting to hear that PDA security is a priority for Obama and his officials. It may be a less-pressing concern, but definitely an important one.


http://www.google.com/hostednews/ap/article/ALeqM5iw25dERohJoJUYwISzNoOsSd1VCwD94GBFTO0

Monday, November 17, 2008

Bluetooth

Here is some information I gathered about bluetooth wireless networking.

Definition: Bluetooth is a specification for the use of low-power radio communications to wirelessly link phones, computers and other network devices over short distances. The name Bluetooth is borrowed from Harald Bluetooth, a king in Denmark more than 1,000 years ago.
Bluetooth technology was designed primarily to support simple wireless networking of personal consumer devices and peripherals, including cell phones, PDAs, and wireless headsets. Wireless signals transmitted with Bluetooth cover short distances, typically up to 30 feet (10 meters). Bluetooth devices generally communicate at less than 1 Mbps.
Bluetooth networks feature a dynamic topology called a piconet or PAN. Piconets contain a minimum of two and a maximum of eight Bluetooth peer devices. Devices communicate using protocols that are part of the Bluetooth Specification. Definitions for multiple versions of the Bluetooth specification exist including versions 1.1, 1.2 and 2.0.
Although the Bluetooth standard utilizes the same 2.4 GHz range as 802.11b and 802.11g, Bluetooth technology is not a suitable Wi-Fi replacement. Compared to Wi-Fi, Bluetooth networking is much slower, a bit more limited in range, and supports many fewer devices.
As is true for Wi-Fi and other wireless technologies today, concerns with Bluetooth technology include security and interoperability with other networking standards. Bluetooth was ratified as IEEE 802.15.1.



I thought it was interesting that it uses a standard similar to the one we learned in class (IEEE...) and that concerns with Bluetooth include security and interoperability. So I looked up the standards and if you want to check out this super long document here it is.

http://csrc.nist.gov/publications/nistpubs/800-48/NIST_SP_800-48.pdf



After doing this I went to youtube... and oh buddy is it easy to hack bluetooth phones. There are a million videos and programs available to download so that you can hack someone's phone. You can make calls, send texts, and turn off their phone.

Here are two videos I found interesting:
http://www.youtube.com/watch?v=5WRLtBl-lqo
http://www.youtube.com/watch?v=XlTEIYGk3Ro

What do you guys think? I don't have bluetooth on my phone but I do have it on my computer. I never use it for anything, so I wonder if people can connect to my computer in the same way the phones are being hacked.

-Cassie

Saturday, November 15, 2008

Club Security

Along the same lines as Katie's post, I wanted to examine an emerging technology (IDetect) that club bouncers have been utilizing and the effect that it has on customers. This handheld device essentially stores the club goers' driver's license information (and takes a picture of the customer) while readily detecting fake IDs. The main goal of these devices is to eliminate anonymity and to cut down on underage drinking. The gadget scans an ID (with recognition from all 50 states) via the magnetic strip. The device also features a touchscreen and built-in camera.

"The scanner catches fake IDs and records a person's driver's license number, birth date, address, height, weight, eye and hair colors. It also saves a photo of what the patron was wearing that night." This information is easily downloaded to the club's computer.

If necessary, the machine can then search for people by name, gender, description or number of visits. Furthermore, it can provide statistics regarding the number of patrons the club has each night, their age and gender (which can then be used to influence marketing strategy).

A major benefit of this device is to deter unruly and violent behavior. "One of the main reasons people will misbehave is because they have anonymity," Carpenter said. "But when you can record their name and take their photo, they no longer have that anonymity." When problems do occur, suspects can be easily identified in the device; their personal information can then be sent to the police. Bouncers can also place a message next to the person's name in the computer, allowing for a reminder the next time they try to enter.

However, it is important to remember that this is sensitive information and should be treated as such. As we have seen in class, when in the wrong hands, data as innocent as e-mail addresses can lead to financial woes. I believe that if this information was downloaded to a computer, access to it would have to be limited to one or two people; if necessary, read-only access could be granted to others. Additionally, there should only be one bouncer with this device per club. A thorough background check would be required for the position. The club would also have to determine how long these personal records should be stored in their database, or if it is only necessary to keep information on their most active customers (defined as one who visits once a month minimum). And as with all technology, one must determine if the benefits outweigh the risks.


http://gazettextra.com/news/2008/sep/09/high-tech-gadgets-new-security-feature-bars/

"In Era of Blog Sniping, Companies Shoot First"

Last week, The New York Times published an article regarding the use of blogs by companies for announcing layoffs. With the market crisis that has been developing in the past several weeks, a number of companies have been forced to let part of their workforce go. However, information is getting leaked to the public faster and faster. Many of these layoffs reach the public before the company even has a chance to inform their employees of the layoff. Some employees are learning that they are being laid off through reading blogs about their companies. As a result, many companies are beginning to post stories such as layoffs on company blogs so that their employees and the public are informed by the company rather than by somebody outside the company who managed to get the story.

This article clearly addresses the confidentiality and integrity of information. Many blog posts by people outside these companies are not completely accurate and accuse companies of poor management. This in turn is creating a negative image for these companies who are clearly already struggling. So, do you think that companies are addressing this problem in the best way possible? What else could they do to protect both their employees and reputation?

http://www.nytimes.com/2008/11/05/technology/start-ups/05blog.html?_r=3&ref=technology&oref=slogin&oref=slogin&oref=slogin



Thursday, November 13, 2008

Security Review: ID Scanners

After our discussion in class about skimmers, I thought about how they might be able to be used to capture personal information that you may not want others to have. At many bars and liquor stores, they scan our IDs to make sure that we are of legal age. A malicious employee could easily use a skimmer and pretend it was an ID scanner and capture all of the information that is stored on the barcode of your ID. I know that several states offer the option to put your Social Security number on your IDs, which would make an easy target for identity theft. With thousands of customers coming in and out of bars and liquor stores (especially during football season), someone could collect a ton of personal data.

On the other hand, bars could use this information for 'good' by collecting information on visitors in order to market their bar towards the target customer. For example, if a bar realizes a lot of 21-year-olds are attending the bar, they might look into having an 18+ night since 21-year-olds likely have many 20-year-old friends. The bars should, though, make it voluntary to give this information, rather than just taking it without telling anyone.

There really isn't a way to stop these types of data theft, except by refusing to allow your ID to be swiped (which will most likely mean not getting into a bar or buying beer). Businesses should be responsible for ensuring employees are not misusing ID information. One way to do this would be to ensure at least 2 people are checking IDs or selling alcohol, so that 1 malicious employee couldn't take advantage of this skimming.
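
As an added example for this post and the earlier Club Security post (this is not code from either post or from any scanner vendor), here is what a skimmer posing as an ID scanner actually captures from the barcode on a driver's license, and how little of it an age check needs. It assumes the decoded barcode text follows the AAMVA DL/ID layout: a fixed header with a subfile directory, then a "DL" subfile of three-letter element IDs, one element per line. The sample record is constructed for this example; it is not a real license and the issuer number 636000 is made up.

```python
"""Added example: parse an AAMVA-style driver's license barcode payload and
contrast the full record (what a skimmer keeps) with an age-only check.
Assumption: AAMVA DL/ID layout and element IDs; the sample is constructed."""
from datetime import date

# Element IDs found in most DL subfiles (assumption: AAMVA standard names).
FIELD_NAMES = {
    "DAQ": "license_number", "DCS": "family_name", "DAC": "first_name",
    "DAD": "middle_name", "DBB": "date_of_birth",  # MMDDCCYY
    "DBA": "expiration_date", "DBD": "issue_date",  # MMDDCCYY
    "DBC": "sex",  # 1 = male, 2 = female
    "DAU": "height", "DAY": "eye_color", "DAG": "street_address",
    "DAI": "city", "DAJ": "state", "DAK": "postal_code",
}

# "@\n\x1e\r" + "ANSI " + IIN(6) + version(2) + jurisdiction version(2) + entry count(2)
HEADER_FIXED_LEN = 4 + 5 + 6 + 2 + 2 + 2
DIR_ENTRY_LEN = 10  # subfile type (2) + offset (4) + length (4)


def build_payload(iin, subfiles):
    """Build a decoded-barcode string whose header directory matches its body.
    `subfiles` is a list of (two-letter type, [(element_id, value), ...])."""
    header_len = HEADER_FIXED_LEN + DIR_ENTRY_LEN * len(subfiles)
    bodies = [sub_type + "".join(f"{eid}{val}\n" for eid, val in elements) + "\r"
              for sub_type, elements in subfiles]
    directory, offset = "", header_len
    for (sub_type, _), body in zip(subfiles, bodies):
        directory += f"{sub_type}{offset:04d}{len(body):04d}"
        offset += len(body)
    header = f"@\n\x1e\rANSI {iin}0900{len(subfiles):02d}{directory}"
    assert len(header) == header_len
    return header + "".join(bodies)


def parse_subfiles(payload):
    """Slice the payload into {subfile_type: body} using the header directory."""
    if not payload.startswith("@\n\x1e\rANSI "):
        raise ValueError("not an AAMVA-style payload")
    count = int(payload[19:21])
    found = {}
    for i in range(count):
        start = 21 + DIR_ENTRY_LEN * i
        entry = payload[start:start + DIR_ENTRY_LEN]
        sub_type, offset, length = entry[:2], int(entry[2:6]), int(entry[6:10])
        found[sub_type] = payload[offset:offset + length]
    return found


def parse_dl(payload):
    """Everything a skimmer pretending to be an ID scanner would record."""
    body = parse_subfiles(payload)["DL"]
    if not body.startswith("DL"):
        raise ValueError("DL subfile does not start with its type designator")
    record = {}
    for line in body[2:].split("\n"):
        line = line.rstrip("\r")
        if len(line) >= 3 and line[:3] in FIELD_NAMES:
            record[FIELD_NAMES[line[:3]]] = line[3:].strip()
    return record


def parse_aamva_date(text):
    """MMDDCCYY -> date."""
    return date(int(text[4:8]), int(text[0:2]), int(text[2:4]))


def is_of_age(record, on, minimum_age=21):
    """True if the holder is at least `minimum_age` on date `on` (a date or an
    ISO string); the birthday itself counts."""
    if isinstance(on, str):
        on = date.fromisoformat(on)
    dob = parse_aamva_date(record["date_of_birth"])
    age = on.year - dob.year - ((on.month, on.day) < (dob.month, dob.day))
    return age >= minimum_age


def age_check_only(payload, on, minimum_age=21):
    """Minimal disclosure: the only thing a bar needs to learn and keep."""
    return {"of_age": is_of_age(parse_dl(payload), on, minimum_age)}


# Constructed sample: fictitious person, made-up issuer number 636000.
SAMPLE_PAYLOAD = build_payload("636000", [
    ("DL", [("DAQ", "D12345678"), ("DCS", "DOE"), ("DAC", "JANE"), ("DAD", "MARIE"),
            ("DBB", "09151986"), ("DBA", "09152012"), ("DBD", "09152008"),
            ("DBC", "2"), ("DAU", "068 in"), ("DAY", "BRO"), ("DAG", "123 MAIN ST"),
            ("DAI", "SPRINGFIELD"), ("DAJ", "IL"), ("DAK", "627010000  ")]),
    ("ZV", [("ZVA", "01")]),  # jurisdiction-specific subfile, ignored here
])
SAMPLE_RECORD = parse_dl(SAMPLE_PAYLOAD)

if __name__ == "__main__":
    print("skimmer keeps:", SAMPLE_RECORD)
    print("bar needs:   ", age_check_only(SAMPLE_PAYLOAD, "2008-11-13"))
```

The contrast is the point: one swipe hands over name, address, license number and full date of birth, while the legitimate purpose needs only a yes/no. A scanner that computes and stores just that answer (or nothing at all) is the control that makes a malicious employee's skimmer far less valuable.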

Sunday, November 9, 2008

Vista Security is Looking Up

The latest Security Intelligence Report from Microsoft says that vulnerabilities to the Vista operating system have gone down. Most of the threats to users now lie with third-party software. One issue, however, is that the vulnerabilities being found in Vista these days are more critical. Part of the credit for the security of Vista is due to the amount of restrictive features in the operating system. On the other hand, these features are blamed for user dissatisfaction with Vista (they can be bothersome - I especially find User Account Control annoying!) and subsequently hindering the increase of its popularity.

Source article:
Microsoft sees OS flaws drop, application breaches rise
By Robert Westervelt, SearchSecurity.com
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1337532,00.html

New Comprehensive Information Security Laws

I was in Boston this weekend for the game, and during my time in Massachusetts I heard about the state's attempts to curb information breaches by setting several minimum standards for companies to put in place to ensure their clients' personal information is secure.

Although these standards are already used by many companies, Massachusetts is one of the first (behind California) to step up the standards required to secure information.

State legislators and security officials are hopeful that the new Massachusetts regulations will have a ripple effect because any company that does business with clients in Mass., regardless of where it is based or where its other clients reside, will have to abide by these new standards; meaning several companies will have to enact the new, safer standards for client information.

Some of the new regulations include:

-More than one employee required to operate information security program

-More/advanced training for employees on the subject of information security

-Preventing terminated employees from accessing data or records

These regulations (and others) go into effect on January 1, 2009.


Thursday, November 6, 2008

Risk Management in the Digital Age

Check out Russ Banham's "Risk Management in the Digital Age" article in today's Wall Street Journal. It's pretty scary to hear the ease with which sophisticated cyber criminals are able to steal financial information and make themselves a whole lot of money.

Brendan

Election Hacking

Maybe there was a little election-related security news this year after all. Here are two interesting news excerpts from ComputerWorld:

Report: Obama, McCain campaign computers were hacked by 'foreign entity' An unidentified 'foreign entity' stole a large number of policy-related files from computer systems used by the Obama and McCain campaigns, according to a Newsweek story.

Hackers leverage Obama win for massive malware campaign Hackers are using the results of the U.S. presidential election to launch a major malware campaign that aims to trick users into installing a Flash update that actually plants a Trojan horse on unprotected PCs.

Wednesday, November 5, 2008

Countries Debate Proposals for National Firewalls

A few days ago, an article appeared in the New York Times regarding national firewalls, so I thought it fit in well with our recent class discussions. There is currently a controversy in Australia about the possibility of establishing a national firewall. Other countries have had similar discussions come up as a result, including the possibility of a firewall that not only includes Russia, but a number of the smaller countries surrounding it. The Thai government is in support of a national firewall as well. Because it is illegal to speak ill of the Royal Family in Thailand, the firewall would target about 1,000 sites that do so. It can also be set to block porn sites, terrorism sites, gambling sites, or other offensive content. Many people are opposed to the government's proposal because they feel that a national firewall would be providing censorship. The Australian Parliament is also looking to increase the number of ISPs that are blocked to include a broader range of potentially offensive content.

It’s been several years since China put their national firewall in place and it has ended up causing a number of problems. Among these are trade scandals because companies weren’t able to access information that could have prevented them. China has actually unblocked a number of sites over the years, but the firewall still prevents a huge amount of content from being seen in China. So, what do you think about the idea of national firewalls? Where do you draw the line when censoring content? Who has the right to make the decision and is this kind of censorship a violation of rights?

http://www.nytimes.com/2008/11/05/technology/start-ups/05blog.html?_r=1&ref=technology&oref=slogin

Assignment 4 Extension

As we didn't get to the firewall configuration material I had hoped to cover on Monday, I'm going to extend the due date for Assignment 4. It is now due on Monday 11/17 instead of Monday 11/10. Assignment 5 remains due on Wednesday 11/12.

Friday, October 31, 2008

IBM Sticking it to Hackers

In a recent article on searchfinancialsecurity.com, IBM revealed that they are testing a new device that operates similarly to a USB mass storage device. After the device gets plugged into the USB port, the stick runs a Windows Internet window that allows the user to conduct secure banking transactions. The crux of the program is that it bypasses the computer completely. Therefore, in theory, even if malicious spyware is used to find key strokes on the computer, they will not register because the Internet window is being run completely outside of the computer's processes. The biggest question that remains, assuming everything works, is how it will be priced and whether people will buy it.
In the past, similar devices such as smart cards have provided banks and customers with a form of external validation before conducting secure transfers. These devices, however, are very expensive and sometimes not easy to use. IBM's device is different: it's easy to use, just plug and play, and a secure Internet connection is set up to conduct transactions. Given the huge drop in the price of memory space over the years, IBM could produce a production model for a relatively cheap price that will provide security to bankers and their customers in the future.

http://searchfinancialsecurity.techtarget.com/news/article/0,289142,sid185_gci1337090,00.html

Wednesday, October 29, 2008

Networking Slides

The networking slides I used in class are available online.

Also, if you want more information on using Wireshark, you may wish to read an article I wrote for SearchSecurity: WireShark tutorial: How to sniff network traffic.

As a reminder, it is illegal in many jurisdictions to monitor traffic on a network that does not belong to you. I am providing this tool to you for educational purposes only and suggest that you run it only to capture traffic on a local network that belongs to you.

Hackers breach World Bank servers

According to a FOXNews.com news story, hackers were able to hack into the World Bank servers and had access to a lot of sensitive material. "The hackers were able to gain access to the entire World Bank network, including the institution's 'highly-restricted treasury unit.' The breach comes as World Bank President Robert Zoellick is attempting to position the Bank as a major player in ensuring global financial stability."

The hackers had access to servers that contained "scanned images of staff documents" as well as one that included contract procurement data, according to the FOXNews.com story. The World Bank has been attempting to downplay the situation as well as reassure its staff that no sensitive information had been accessed and that their personal information was not at risk. However, after the breach was discovered, the Bank's senior technology manager was quoted as calling the situation an "unprecedented crisis." Another senior Bank staffer revealed that the FBI had become involved and that the hackers had "access to everything," particularly all of the worldwide information of the International Finance Corporation (IFC), the private sector arm of the World Bank.



The rest of the article is here: http://www.bicusa.org/en/Article.3915.aspx

Security Review Virtual Private Networks

Source: http://computer.howstuffworks.com/vpn.htm

Since we have been talking about networking, I found this new form of networking called Virtual Private Networks (VPNs). They are made mainly for businesses and provide remote access to other computers/servers through a web browser instead of a remote access program. This is important for businesses because many business people are constantly traveling. VPNs are secured with a firewall, and it integrates with your system, which will allow you to have remote access to your business computers/corporate networks via a web browser. It also allows your customers to access your network. The security goals I would have for the technology are that all the information sent through the VPN is secure and cannot be hacked into. Also, I would want to make sure that only people who have permission to access the network are granted access. And I would want the network to be reliable so that it is not down. According to the video, it allows up to 25 people to connect to the network using VPN. One problem with this is what if you have more than just 25 people traveling who need access? Will the system crash and not be able to handle everyone's requests? Threats that may exist could be people gaining access to sensitive business information if they can crack your user name and password, or if they can monitor the computer you use to access the corporate network using VPN. Since it is all web browser based, if someone hacks into your computer network they may be able to steal/view information from the corporate network. VPNs are relatively cheap for businesses to use and seem to be more efficient. So the risk of people hacking into the system can be managed by implementing other security measures on the VPN, such as a timed logout.
If you are a business person and are at a coffee shop and you have to get up to go to the bathroom or something, there could be a set amount of idle time before the browser automatically logs you out so that other people cannot jump on your computer and view your business information. VPNs are also helpful since they can be accessed using PDAs, so in meetings or other places where you only have a phone/PDA available, it would be very convenient. As far as the risks, the company would need to secure the network and encrypt the information sent. Also, monitoring the VPN networks to see who is actually using it would help keep hackers at bay. I think this product is worth the risk acceptance because it seems to be very helpful to people who travel constantly for business and need access to the company's network. I don't know how many companies actually use this, but from the article and the video, VPNs seem like an efficient, safe technology.
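
As an added example of the timed logout suggested above (this is not code from the post or from any VPN product), here is a small session store that enforces both an idle timeout and an absolute session lifetime, and that can answer the "who is actually using it" monitoring question. It assumes sessions are identified by a random bearer token issued after a successful login; the limits (15 minutes idle, 8 hours absolute) are illustrative, and the clock is injected so the behaviour can be exercised without waiting.

```python
"""Added example: idle timeout plus absolute lifetime for browser-based
remote-access sessions. Limits and the FakeClock are illustrative."""
import secrets
import time


class SessionStore:
    def __init__(self, idle_limit=15 * 60, absolute_limit=8 * 3600, clock=time.monotonic):
        self.idle_limit = idle_limit          # seconds since the last request
        self.absolute_limit = absolute_limit  # seconds since login, no matter how active
        self.clock = clock
        self._sessions = {}  # token -> {"user", "created", "last_seen"}

    def create(self, user):
        """Issue an unguessable token; call only after the login succeeded."""
        token = secrets.token_urlsafe(32)
        now = self.clock()
        self._sessions[token] = {"user": user, "created": now, "last_seen": now}
        return token

    def _expired(self, entry, now):
        return (now - entry["last_seen"] > self.idle_limit
                or now - entry["created"] > self.absolute_limit)

    def touch(self, token):
        """Validate a request's token and refresh its idle timer. Returns the
        user name, or None if the session is unknown or expired (an expired
        session is deleted, so the old token cannot be replayed later)."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        now = self.clock()
        if self._expired(entry, now):
            del self._sessions[token]
            return None
        entry["last_seen"] = now
        return entry["user"]

    def revoke(self, token):
        """Explicit logout. True if a session was actually removed."""
        return self._sessions.pop(token, None) is not None

    def active_users(self):
        """Monitoring view: users who hold a live (not yet expired) session."""
        now = self.clock()
        return sorted(e["user"] for e in self._sessions.values() if not self._expired(e, now))


class FakeClock:
    """Deterministic clock for exercising the timeouts: advance() moves time forward."""
    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    """The coffee-shop scenario from the post; returns what each request saw."""
    clock = FakeClock()
    store = SessionStore(idle_limit=15 * 60, absolute_limit=8 * 3600, clock=clock)
    token = store.create("alice")
    clock.advance(10 * 60)
    still_valid = store.touch(token)   # 10 min idle: fine, idle timer refreshed
    clock.advance(16 * 60)
    after_idle = store.touch(token)    # 16 min since the last request: logged out
    reused = store.touch(token)        # the old token is gone for good
    token2 = store.create("alice")
    last = None
    for _ in range(9 * 4):             # a request every 15 min for 9 hours
        clock.advance(15 * 60)
        last = store.touch(token2)     # stays alive until the 8 h absolute limit
    return {"still_valid": still_valid, "after_idle": after_idle,
            "reused": reused, "after_absolute": last}


if __name__ == "__main__":
    print(demo())
```

The absolute limit matters as much as the idle one: a laptop left logged in with a script that polls every few minutes never goes idle, and an attacker who stole the token early in the day would otherwise keep it for as long as they kept using it.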

Sunday, October 26, 2008

Security Flaw in New Google Phone

T-Mobile's new Google phone, which was released last Wednesday for sale to consumers as an alternative to the iPhone, is found to have a serious security flaw. This flaw will affect both the people who own Google phones and consumers considering purchase. Although the Google phone has improved security by compartmentalizing applications so that one breach cannot cause too much harm, the flaw lies in the web browser application included in the phone. The web browser does not protect against viruses that can be installed just one time but can remain on the phone forever. For instance, a person with one-time access to the phone can install a program that will record the key strokes that a user inputs. This means that passwords, as well as personal information such as credit card numbers, could be stolen.
There is also some controversy as to whether or not this flaw should have been revealed, as companies are generally given some time to fix flaws before they are publicized. I believe that it is best that this flaw was pointed out, especially since now people are able to avoid entering sensitive information into the web browser. If it was kept quiet, people could have been attacked without even knowing there was a risk. I believe that this could be a huge security threat if it is not fixed. People buy the phones, in large part, because of the ability to connect to the Internet, and many could be at risk.

Take a look at the article: http://www.nytimes.com/2008/10/25/technology/internet/25phone.html?_r=1&ref=technology&oref=slogin

New Wave of "Zombies" Intensifies Web Attacks

I recently read this article regarding “botnets” and “zombies” and found it pretty disturbing. It discusses the vulnerability of any computer connected to the internet. Although network security professionals constantly insist on the use of detection programs and firewalls to protect your computer, it is not always enough. In a matter of minutes an unprotected computer can be turned into a “zombie” by automated programs that hide in the internet waiting to take over computers. A “botnet” is formed by taking multiple “zombie” computers and linking them together. This chain is then used to search for sensitive information, send spam e-mail, and turn other computers into “zombies”.

While none of this surprised me, some of the statistics did. Although security professionals such as Microsoft have drastically decreased the number of detected botnets from about 500,000 to 300,000 in 2008, they are still causing a large amount of damage. A single botnet is capable of controlling millions of computers. A study by a computer security firm called Secunia found that detection programs have limited effectiveness. The most effective program they tested only caught 64 of 300 ways in which the computer was vulnerable to malware. I found that to be an unsettling number. I knew that detection software didn't catch everything, but I'm surprised that even the best program only detects a little over 20 percent of the vulnerabilities.

Some of the new "features" of botnets are even more intriguing. One particular botnet actually activated Microsoft Windows Update on computers that it took over in order to wipe out competing malware. Other botnets even install anti-spyware software on the computers they infect in order to ensure their sole control of the machine. With more advanced features such as this, botnets are becoming increasingly difficult to find and therefore destroy. Although there are organizations such as the International Botnet Task Force that are attempting to fight against these attackers, they face a number of challenges. For example, depending on the source of the botnet, it may be outside the legal jurisdiction of the United States. However, Microsoft teams, among others, are doing everything that they can to prosecute the people creating these botnets.

http://www.toptechnews.com/story.xhtml?story_id=1200044YU4Y0&page=1

Tuesday, October 21, 2008

French President's Bank Account Hacked

If you thought Sarah Palin's e-mail being hacked was interesting...

"Cyberthieves have stolen money from the personal bank account of France's president, Nicolas Sarkozy.

The criminals reportedly managed to obtain Sarkozy's online username and password, and removed several small sums of money from the account.

Reports state Sarkozy noticed that small amounts of money had disappeared from his account last month, and informed the police of the losses."

The full article is available at: French President Sarkozy's bank account hacked

Monday, October 20, 2008

Assignments 4 and 5 Available

Assignments 4 and 5 are now available. Both are due the same week, so I wanted to make sure they were posted early enough to give you time to work on them. For planning purposes, there will only be one more assignment after these two.

Assignment 4 covers the networking material we began before break and will finish when we return.

Assignment 5 covers the Boss, I Think Someone Stole Our Customer Data case study.

For Assignment 5, you need to read the case study, which was published in the Harvard Business Review. Due to copyright restrictions, I cannot give you the file just yet. I am working on getting electronic copies for you. In the meantime, if you want to get a head start, you can read and/or copy it in the periodicals room at the library. There is an electronic database containing the article available through the library website, but the copyright conditions on that article state that those copies cannot be used as "assigned course material."

The case appears in the September 2007 issue of Harvard Business Review on pages 37-50.

Sunday, October 12, 2008

Security and Keyless Entry

I recently saw a commercial for a new Lincoln sedan (MKS) which markets a keyless invisible touchpad called SECURICODE KEYLESS ENTRY. In addition to the touchpad, the car also includes an option for keyless engine starting.

I'm aware of earlier models of cars (particularly on Ford vehicles) that provide an entry touchpad similar to that found on garage doors. Thus, I don't imagine the concept provides any new security risk. I am, however, curious about any new possible risks in light of the design change. The new design houses touch-sensitive controls under a weatherproof acrylic panel. A five digit code is entered into the panel. It seems to me that consistent use of the particular buttons would lead to excessive smudging or weathering on a given section of the cover. Would this theoretically make it easier for would-be thieves to figure out the entry code? Furthermore, does the use of keyless-start make it even easier to steal the car after gaining entry?

Security concerns regarding keyless entry have been documented for many years now. I am curious to see if the combination of these technologies (keypad-entry and keyless start) will have any detrimental effects.

If anyone has experience using keypad-entry, I'd enjoy hearing how reliable the system is, how easy it is to change the code, and how often the code is changed.
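
To put a number on the smudge question raised above, here is an added example (not code from the post or from Ford) that counts how many codes an attacker still has to try once wear on the cover reveals which buttons are used. It assumes a pad with five buttons, each standing for a digit pair (1-2, 3-4, 5-6, 7-8, 9-0) as on Ford-style door keypads, and a code of five presses; wear tells the attacker which buttons are pressed, not the order or how many times each one is.

```python
"""Added example: search-space reduction from a worn five-button keypad.
Assumptions: 5 buttons, 5 presses per code, wear reveals the set of buttons used."""
from itertools import product
from math import comb

BUTTONS = 5   # physical keys on the pad
CODE_LEN = 5  # presses in the entry code


def codes_using_exactly(k, code_len=CODE_LEN):
    """Number of length-`code_len` press sequences over k buttons in which every
    one of the k buttons is pressed at least once (inclusion-exclusion)."""
    return sum((-1) ** j * comb(k, j) * (k - j) ** code_len for j in range(k + 1))


def codes_using_exactly_bruteforce(k, code_len=CODE_LEN):
    """Same count by enumeration, as a cross-check on the formula."""
    return sum(1 for seq in product(range(k), repeat=code_len) if len(set(seq)) == k)


def candidates(worn, code_len=CODE_LEN):
    """Every code consistent with the worn-button observation, in a fixed order."""
    worn = tuple(sorted(worn))
    for seq in product(worn, repeat=code_len):
        if len(set(seq)) == len(worn):
            yield seq


def attempts_until_hit(true_code, worn, code_len=CODE_LEN):
    """How many tries an attacker working through candidates(worn) needs, or None
    if the observation was wrong (the code uses a button that is not worn)."""
    true_code = tuple(true_code)
    for n, cand in enumerate(candidates(worn, code_len), start=1):
        if cand == true_code:
            return n
    return None


def search_space_report(buttons=BUTTONS, code_len=CODE_LEN):
    """Candidates left for each number of worn buttons, versus a clean pad."""
    total = buttons ** code_len
    rows = [{"worn_buttons": k,
             "candidates": codes_using_exactly(k, code_len),
             "fraction_of_total": codes_using_exactly(k, code_len) / total}
            for k in range(1, buttons + 1)]
    return {"clean_pad_total": total, "by_worn_buttons": rows}


if __name__ == "__main__":
    report = search_space_report()
    print("clean pad:", report["clean_pad_total"], "possible codes")
    for row in report["by_worn_buttons"]:
        print(f"{row['worn_buttons']} worn buttons -> {row['candidates']:4d} candidates "
              f"({row['fraction_of_total']:.1%} of the clean-pad space)")
    # A code that only ever touches four of the five buttons:
    print("tries needed for (0,1,2,3,0) with buttons {0,1,2,3} worn:",
          attempts_until_hit((0, 1, 2, 3, 0), {0, 1, 2, 3}))
```

Two things fall out of the numbers. A clean pad offers 3,125 five-press codes, but once all five buttons are visibly worn only the 120 orderings remain, and a code that touches four distinct buttons is the hardest case for the attacker at 240 candidates; fewer distinct buttons are worse, not better. That is still small enough to walk through by hand, so the control that actually matters is the one the post asks about: a lockout or growing delay after a few wrong entries, and changing the code often enough that the wear pattern stops describing it.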

Saturday, October 11, 2008

IT Security & The Law

For those of you who wish to review Tim Flanagan's presentation from Wednesday, here is his slide presentation.

World Bank Victim of Numerous Cyberattacks

Link: http://www.foxnews.com/story/0,2933,435681,00.html

The computer network of the World Bank--"one of the largest repositories of sensitive data about the economies of every nation"--has been the target of an unspecified number of successful cyberattacks. In fact, recent e-mails from a senior technology advisor state that these cyberattacks have put the World Bank's computer network into an 'unprecedented crisis.'

While the type and amount of stolen information are not yet known--or, at least, have not yet been made public--"sources inside the bank confirm that servers in the institution's highly-restricted treasury unit were deeply penetrated with spy software last April. Invaders also had full access to the rest of the bank's network for nearly a month in June and July."

Memos also indicate that anywhere between eighteen and forty servers have been hacked, including some which contained "scanned images of staff documents" and sensitive information on contract-procurement data.

Beyond such memos and a few announcements by World Bank officials, the World Bank has tried very hard to classify the details of these cyberattacks. The World Bank has tried especially hard to calm the thousands of employees who are now worried about the security of their personal and professional information.

The identities of the hackers, and the cause of the cyberattacks, are also obscure. According to FOXnews, however, "at least six major intrusions--two of them using the same group of IP addresses originating from China--have been detected at the World Bank since the summer of 2007."

Since information on these cyberattacks is so limited, I can only recommend that the World Bank discover how hackers gained access to the network and determine how to prevent future intrusions. While the article mentions various attempts by the World Bank to do just that, it is, of course, far easier said than done.

Tuesday, October 7, 2008

Ford to Introduce MyKey

This is indirectly related to Information Security, mostly the confidentiality aspect of the triad. GPS that allows parents to track the whereabouts of their teenage drivers isn't enough to reassure some parents, so Ford has developed a product called MyKey. It allows parents to have more control over teenage drivers with the following features:
  • maximum speed of 80mph
  • maximum audio of 44% of the volume
  • audio system won't work when seat belts are not buckled
  • warning when the gas tank gets to 75 miles remaining
  • cannot floor the accelerator over 45mph
  • warning sounds when speed hits 45mph, 55mph, & 65mph (optional)
Starting in 2010, MyKey will be a free standard feature on several Ford, Lincoln, and Mercury models. The product has been met with mixed feelings. Teenagers reject the idea of being watched over so closely by their parents and argue that with such tight restrictions they won't learn to be good drivers. Parents, on the other hand, are attracted by the safety reinforcements that MyKey provides. Many are willing to let their children drive more often with these added safety features. Some insurance companies are also offering discounts for teenagers driving cars with MyKey.

However, if there were an emergency and a teenager needed to get to the hospital quickly, they would not be able to go above 80mph. Similarly, a teenage driver travelling at 80mph who needed to speed up to avoid an accident would not be able to.

http://afp.google.com/article/ALeqM5g-u0NJvY16BTLrFTI38fWkVU6Vnw

Sunday, October 5, 2008

Interest in Cyber-crime treaty growing

Searching the web some time last week, I stumbled upon some updated news on the cyber-crime treaty. For those who don't know what the cyber-crime treaty is: it is an agreement between different countries that, when ratified, "will bind countries to creating a minimum set of laws to deal with high-tech crimes, including unauthorized access to a network, data interference, computer-related fraud and forgery, child pornography, and digital copyright infringement. The treaty will also have provisions that will ensure surveillance powers for governments and bind nations to helping each other gather evidence and enforce laws. The treaty also helps the pursuing of criminals on an international scale." Although the treaty's last draft was signed off on June 22, 2001, many countries have yet to join. Many have said that it is a violation of the right to privacy and that certain sections violate the right to freedom of speech. The treaty was drafted with the right intentions. However, there are more barriers to the international pursuit of cyber-criminals than expected.

With that said, the information I found was that the treaty is actually getting more interest from the rest of the world. Many other countries are beginning to follow suit and sign this treaty, stating that they will conform to the agreement, making it harder for people to commit crimes overseas without fear of being prosecuted. Here are some more articles I found on the matter.



Friday, October 3, 2008

"Xerox Selects VeriSign Managed Security Services to Help Protect Their Corporate Network"

After talking about VeriSign and digital certificates the other day, this article caught my eye when I was on CNNMoney.com.

Xerox Corp. has chosen VeriSign Inc. to provide Managed Security Services to help maximize the value of its information and network security investments, while minimizing its security risks. VeriSign will use a number of tools to help protect Xerox's network security, such as Firewall Monitoring, Network and Host-Based Intrusion Prevention Systems (IPS) Management and Log Management Services. Xerox will also use VeriSign's iDefense Security Intelligence Services to look for and manage vulnerabilities, malicious code, and other threats facing the network.

The Director of Information Security and Risk Management at Xerox said, "Teaming with VeriSign Enterprise Security Services allows us to work with a trusted security partner, enabling our IT security teams to focus on only critical and actionable events." VeriSign is a well-known name in helping organizations more effectively manage risk, monitor compliance and identify and mitigate evolving security threats.

**I just thought this article was interesting because we had just talked about VeriSign in class and I had mentioned them in my presentation. After our class discussions, I find that I pick up on a lot more security news now that I am more knowledgeable on such issues.

Wednesday, October 1, 2008

PDA Security

Today in class, we briefly touched upon the information security risk that PDAs pose. Besides the threat of physically losing your PDA, there are other security risks which one should take into consideration when using these hand held devices. The reason for this risk comes from the fact that most of these devices have both bluetooth and wi-fi capabilities; such wireless connections open the door to the risk of malicious code.

When considering such security threats, one could take Blackberry for example. I have seen many students with these devices on campus and e-mail security is definitely a concern. The threat comes from the user downloading certain files - for example opening an e-mail which contains a trojan horse - allowing a hacker to monitor/access the e-mails that the recipient is receiving (and therefore gaining complete access to the information incoming and outgoing).

On a corporate level, there is the risk of espionage between companies: trade secrets and future deals being leaked. Senior executives use these devices, and in their calendars alone there may be sensitive company information such as key customer details and merger/acquisition plans, which could lead to embarrassment or a drop in the market value of the organization.
On a more severe level, government and military employees use these devices; a leak of vital information could result in the loss of life.

Third party programs are the cause of many of these viruses. When using Blackberries and the like at work, security directly relates to the level of protection/restriction the corporation is administrating. Blackhats love trying to penetrate new devices (such as the iPhone) while exploiting their flaws/vulnerabilities.

Some tips to stay safe when using PDAs: don't keep any information on your PDA that you can't afford to lose, utilize the "power on" password setting (a prompt to input your password disallowing access to those who are without it), take advantage of firewall and security packages (such as those offered by BlueFire), consider encrypting your data.

Because PDAs run a variety of operating systems, and because hackers typically get access to more data through victims' computers, PDAs have not been targeted so heavily yet. But as their capabilities advance, so will their draw for blackhats.

Hacking Passports

Current Event: According to Schneier's blog, hackers have come up with a way to make fake electronic passports. An electronic passport is a passport with a chip that stores the information pertinent to your passport. According to the United States government website, "The U.S. Electronic Passport uses the digital image of the passport photograph as the biometric identifier that is used with face recognition technology to verify the identity of the passport bearer." However, as we have seen in class (MythBusters), this does not really provide strong security. The original benefit of the passport was that it would allow travelers to get through customs and travel inspection much more quickly, because machines read the passport, so the traveler would not have to wait in line to have it checked. On Schneier's blog he links to a news story explaining how to modify and clone passports because the chip is not secure. The blog links to this website, http://freeworld.thc.org/thc-epassport/, which explains how to modify a passport and write false information to it in a few easy steps. There is even a video included. This is obviously a HUGE security problem, as the point of passports is to protect each country. With terrorism at a high right now, this should be a major concern to government officials. While this technology is flawed, it should not be thrown out: people used to fake passports when they were ordinary, non-technical documents, so forgery itself is not the problem. The problem is that we put too much trust in letting machines do the jobs people should do. If there were security guards at every machine to confirm the passport is valid, many amateurs trying to fake a passport would be caught. Since the chip is part of the problem and can be altered before inspection, we should also work on more advanced technology to address this issue; perhaps stronger cryptography is needed on the chips.
The government should invest time and money into this issue if they want to keep their borders safe, since we now know of this problem.

Sources:
http://www.schneier.com/blog/
http://blog.thc.org/index.php?/archives/4-The-Risk-of-ePassports-and-RFID.html
http://freeworld.thc.org/thc-epassport/
http://travel.state.gov/passport/eppt/eppt_2498.html

What do you think about this? I know it slightly scares me.
-Cassie
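The check that separates a reader that "just trusts the chip" from one that verifies it, as an added example in Python (this is not code from the post or from the THC pages linked above): the issuing state hashes each data group and signs the table of hashes, and a careful reader recomputes the hashes and checks the signature before believing anything. The issuing state's public-key signature is stood in for by an HMAC, so the reader here shares the issuer key; a real reader would check the signature against the country's published certificate. The keys, the MRZ line and the photo bytes are all constructed assumptions.

```python
"""Passive authentication of ePassport data groups, reduced to the Python stdlib.
Added example; not code from the post or from the THC pages it links. The
issuer's public-key signature is stood in for by an HMAC (assumption)."""
import hashlib
import hmac
import json

ISSUER_KEY = b"constructed-country-signing-key"   # assumption: stand-in for the state's signing key
ATTACKER_KEY = b"constructed-attacker-key"


def dg_hashes(data_groups):
    """SOD content: one hash per data group (DG1 = MRZ text, DG2 = face image bytes)."""
    return {name: hashlib.sha256(content).hexdigest()
            for name, content in sorted(data_groups.items())}


def sign_sod(hashes, key):
    body = json.dumps(hashes, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def issue_passport(data_groups, key=ISSUER_KEY):
    """Issuing state: write the data groups plus a signed hash table (the SOD) to the chip."""
    hashes = dg_hashes(data_groups)
    return {"dg": dict(data_groups),
            "sod": {"hashes": hashes, "signature": sign_sod(hashes, key)}}


def naive_reader(chip):
    """Border kiosk that displays whatever the chip returns: no hash check, no signature check."""
    return chip["dg"]["DG1"].decode()


def verifying_reader(chip, key=ISSUER_KEY):
    """Passive authentication: verify the signature over the SOD, then every DG hash against it.
    Returns the MRZ if the chip data is authentic, None if it has been altered."""
    sod = chip["sod"]
    if not hmac.compare_digest(sign_sod(sod["hashes"], key), sod["signature"]):
        return None            # SOD was not signed by the issuing state
    if dg_hashes(chip["dg"]) != sod["hashes"]:
        return None            # a data group was rewritten after issuance
    return chip["dg"]["DG1"].decode()


def rewrite_dg(chip, name, content):
    """Attacker with a writable chip: change one data group but keep the original SOD."""
    return {"dg": {**chip["dg"], name: content}, "sod": dict(chip["sod"])}


# Constructed sample passport (fake MRZ line and photo bytes, not real data).
GENUINE = issue_passport({"DG1": b"P<UTODOE<<JANE<<<<<<<<<<<<<<<<<<<<<<<<<<<<<",
                          "DG2": b"jpeg-bytes-of-jane"})
TAMPERED = rewrite_dg(GENUINE, "DG1", b"P<UTOSMITH<<JOHN<<<<<<<<<<<<<<<<<<<<<<<<<<<")
# Re-signing the altered data with a key of the attacker's own does not help: wrong issuer.
RESIGNED = issue_passport(TAMPERED["dg"], key=ATTACKER_KEY)
# A bit-for-bit copy of a genuine chip carries a valid SOD and passes this check.
CLONE = {"dg": dict(GENUINE["dg"]), "sod": dict(GENUINE["sod"])}

if __name__ == "__main__":
    for label, chip in [("genuine", GENUINE), ("tampered", TAMPERED),
                        ("re-signed", RESIGNED), ("clone", CLONE)]:
        print(f"{label:9} naive={naive_reader(chip)!r} verifying={verifying_reader(chip)!r}")
```

The naive reader accepts the tampered and re-signed chips; the verifying reader rejects both. The last case is the caveat: a signature proves the data was not altered since issuance, not that this chip is the original, so a faithful clone still passes and needs a separate check (a challenge the chip must answer with a key that cannot be copied off it).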

Tuesday, September 30, 2008

Information security around the world

A recent study by Cisco has revealed that some countries do not take information security as seriously as one might expect. According to the article, the level of awareness is tied to culture. Some corporations allow third parties into their facilities with no oversight of their activity once inside. Talking about corporate matters with family and strangers is also shockingly common in some nations. Personal use of work computers is also widespread, which presents a security risk. Marie Hattar cites one interesting example: work mobile phones. Many companies give corporate cell phones to employees that are used around the clock, even when the employee is not at work. According to Hattar, combined with young workers, these are "completely blurring between what's personal and what's your work life." Another shocking detail is that a large number of employees change settings in ways that make their information less secure. According to the report, "[a] majority of IT professionals said employees accessing unauthorized websites and programs contributed to up to 25% of corporate data leakage. IT pros in the U.S., Brazil and India were the most likely to express this view." One important issue that needs to be considered is what to do about data shared between nations when the cultural security standards differ. How do companies address these situations?

Source articles:
http://news.cnet.com/8301-1009_3-10054314-83.html
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1332760,00.html#
http://www.forbes.com/technology/2008/09/29/outsourcing-data-breaches-security-tech-cx_ag_0930outsource.html

Midterm and Assignment 3 Updates

I've posted the lecture notes from last week's discussion of symmetric cryptography and Monday's discussion of asymmetric cryptography to the web.

The website we used in class today to create a MD5 hash may be useful to you for assignment 3.

Finally, you should take a look at the review sheet and practice test for the midterm. The actual exam will consist of 8 to 10 questions similar in style to those on the review sheet. Assignment 3 is also a good source of sample material that you should review.

Sunday, September 28, 2008

Assignment 3

Assignment 3 is now available for download. It is due on October 8th.

Hacking For Fun?

On the first day of class this year we were introduced not only to information security but also to the threats to the security of computers. Specifically, we talked about hackers and the three main classes: white hat, black hat and grey hat. But my question is, what if there is another class of grey hat hackers? I am talking about a group of people who, although they may create a mess for other people to deal with and clean up, are still just doing stupid things that are an inconvenience to people if nothing else.

One specific group of these hackers call themselves g00ns. I have fallen victim to one of their attacks on a popular lacrosse forum that rerouted all requests for the forum homepage to a Bob Marley fan site. Although I was frustrated and inconvenienced by what they did, I also realized the comic value of it and moved on without giving what had happened a second thought. They did eventually restore the URL so that the site could be located, so no harm no foul in my opinion.

There are petitions that want to bring legal action against these mischievous little punks, such as http://www.petitiononline.com/ccd0722/petition.html. It seems that they don't attack large organizations, and for the most part they are just around to bother people and have what they consider fun. My question for everyone is: what would you consider these hackers to be, and why do most people find them so offensive?

Malware Grabs Personal Banking Data

Thanks to the trend of dropping prices for malware programs, certain Trojan horse programs are posing new threats to the online banking industry.

The particular malware program referenced in this online article is called Limbo. Limbo has dropped in price to $350, "down from about $1,000 a year ago and $5,000 two years ago." As a result of this decrease in cost, Limbo and similar malware programs have become available to a wider variety of fraudsters, and there are concerns about an increased number of online bank frauds.

Specifically, Limbo “integrates itself into a Web browser using a technique called HTML injection,” and operates when users access online banking sites. Since Limbo is so closely integrated into the web browser, “it can operate even while the user is at the real bank site and can actually change the layout of that site.”

Unfortunately—other than that they are asked for personal information which has never been requested before—there are no clues to users that they are under attack. So, Limbo can easily trick users into releasing personal information such as credit card numbers, bank account numbers, social security numbers, and PINs.

Even more unfortunate is how easy it is for such malware to get onto users’ computers. According to the article, Limbo can get onto your computer through “many paths, including both pop-up messages that ask you to download an add-on program and methods that are invisible to the user.” To combat this new security threat, software programmers are working on ways for anti-malware programs to screen for malware that use HTML injection and block said malware from running.

Until such updates are available, I suggest being vigilant. If you are banking online and your bank suddenly asks for new personal information that it has never requested before, you should be cautious. I would also suggest not downloading any software programs that you aren’t certain are safe. I realize that this kind of vigilance should be practiced regardless, but I thought I’d mention it anyway.
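To make the HTML-injection technique concrete, here is an added example in Python (it is not code from the article and not Limbo's own code): a constructed bank login form, a function that inserts extra input fields the way a man-in-the-browser Trojan does after the real page arrives, and the form-integrity check an anti-malware tool or browser extension could run against what the browser is about to render. The field names and the bank's expected-field list are assumptions.

```python
"""Man-in-the-browser HTML injection: what an injected field looks like, and a
form-integrity check that flags it. Added example, not from the article."""
from html.parser import HTMLParser

# Constructed stand-in for a bank's real login page (assumption: the bank
# only ever asks for these two fields on this page).
LEGIT_LOGIN_PAGE = """
<form action="/login" method="post">
  <input name="member_id" type="text">
  <input name="password" type="password">
  <input type="submit" value="Sign in">
</form>
"""
EXPECTED_FIELDS = {"member_id", "password"}


def inject_fields(page_html, extra_fields):
    """Simulate what HTML-injection malware does: splice extra inputs into the
    genuine page in the browser, so the URL and certificate still look right."""
    extra = "".join(f'\n  <input name="{name}" type="text">' for name in extra_fields)
    return page_html.replace('<input type="submit"', extra + '\n  <input type="submit"', 1)


class FormFieldCollector(HTMLParser):
    """Collects the names of all data-bearing <input> elements on a page."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            a = dict(attrs)
            if a.get("type", "text") != "submit" and a.get("name"):
                self.fields.append(a["name"])


def collect_fields(page_html):
    parser = FormFieldCollector()
    parser.feed(page_html)
    return parser.fields


def unexpected_fields(page_html, expected=EXPECTED_FIELDS):
    """Input names present in the rendered page that the bank never asks for."""
    return sorted(set(collect_fields(page_html)) - expected)


if __name__ == "__main__":
    tampered = inject_fields(LEGIT_LOGIN_PAGE, ["ssn", "atm_pin", "card_number"])
    print("legit page:   ", unexpected_fields(LEGIT_LOGIN_PAGE))
    print("tampered page:", unexpected_fields(tampered))
```

The check can only run on the user's side, because the injection happens after the bank's server has sent the page; the bank sees nothing until the stolen values are posted back. That is why the article's advice to be suspicious of questions the bank has never asked before still matters even where such tooling exists.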

Tuesday, September 23, 2008

Blog Spammers

Since we have our own blog here, I thought I'd ask a few questions about blog spammers. Basically, how and why do they do what they do? One blog that I help manage is for a company that runs a virtual trading platform for investors. Every single day I receive comments on any number of recent blog posts from blog spammers, who usually post nothing more than jumbled words and web sites. The better spammers post a few words having to do with investing along with their web site, which usually is not relevant at all. Finally, the best of the best link to websites promising great stock tips and investing information along with form messages like, "I just added your blog to my blogroll" or "The market is tanking! Our government is so stupid, isn't it?"

First and foremost, how do they build the programs that produce all of this spam? What do they actually look like? How long do they take to make? I'm presuming that all of these spammers, especially those who post only jumbled words and websites, can't reproduce these messages manually over and over again on blogs like ours day after day. Second, I'm having a hard time trying to get inside these spammers' heads. Why do they do this? Does history show that the main goal of blog spam is to find additional clicks for their sites or to acquire sensitive information from blog administrators? I can't imagine that the marginal difference of a few misguided clicks every day could substantially improve a site's authority or advertising bottom line, so for now I'm betting on the attacking reasoning. Third, whatever the aims behind these efforts are, how successful has blog spam been in achieving them? Given the amount of spam that I have seen every single day, it seems that they have, unfortunately, been very worthwhile. Finally, what is the best way to protect against these annoying and threatening messages? It seems like these guys walk through the provided blog spam protectors (on WordPress, at least) and I have no idea how to set up anything else.

What does everyone think?

Brendan
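As an added example of how a blog could answer the last question (this is not code from the post and not how WordPress does it), here is a Python heuristic filter that scores comments of the three kinds described above: jumbled words plus a link, form-letter text plus a link, and ordinary discussion. The honeypot field, the timing threshold, the phrase list and the sample comments are constructed assumptions.

```python
"""Heuristic scoring for blog-comment spam. Added example, not from the post;
thresholds, phrase list and sample comments are constructed assumptions."""
import re
from dataclasses import dataclass

URL_RE = re.compile(r"https?://\S+|www\.\S+", re.IGNORECASE)
WORD_RE = re.compile(r"[a-z']+")
# Canned phrases that mass-posting tools reuse verbatim (assumed list).
FORM_LETTER_PHRASES = ("added your blog to my blogroll", "great stock tips")


@dataclass
class Comment:
    body: str
    author_url: str = ""
    honeypot: str = ""             # hidden form field: browsers leave it empty, bots fill it
    seconds_on_page: float = 60.0  # time from form render to submit


def spam_signals(c: Comment) -> list:
    """Return the reasons a comment looks automated; an empty list means clean."""
    reasons = []
    urls = URL_RE.findall(c.body) + ([c.author_url] if c.author_url else [])
    words = WORD_RE.findall(URL_RE.sub(" ", c.body).lower())
    if c.honeypot:
        reasons.append("honeypot field filled")
    if c.seconds_on_page < 3:
        reasons.append("submitted faster than a human could type")
    if len(urls) >= 2:
        reasons.append(f"{len(urls)} links")
    if words and len(urls) / len(words) > 0.2:
        reasons.append("link-heavy body")
    no_vowel = [w for w in words if not re.search(r"[aeiouy]", w)]
    if words and len(no_vowel) / len(words) > 0.5:
        reasons.append("mostly unpronounceable tokens (jumbled words)")
    for phrase in FORM_LETTER_PHRASES:
        if phrase in c.body.lower():
            reasons.append(f"form-letter phrase: {phrase!r}")
    return reasons


def is_spam(c: Comment, threshold: int = 2) -> bool:
    """Two independent signals are required so one stray link does not block a real reader."""
    return len(spam_signals(c)) >= threshold


# Constructed sample comments modelled on the kinds described in the post.
JUMBLED = Comment("qwzk plmvt gbrn http://cheap-pills.example/",
                  author_url="http://cheap-pills.example/")
BLOGROLL = Comment("I just added your blog to my blogroll. Great stock tips at http://hot-tips.example/",
                   author_url="http://hot-tips.example/")
FAST_BOT = Comment("Nice analysis of the volatility this week.", honeypot="x", seconds_on_page=0.4)
HAM = Comment("The market is tanking, but I think the Fed's move on Tuesday was reasonable. "
              "Curious what others think.")

if __name__ == "__main__":
    for label, c in [("jumbled", JUMBLED), ("blogroll", BLOGROLL), ("fast bot", FAST_BOT), ("ham", HAM)]:
        print(f"{label:8} spam={is_spam(c)} {spam_signals(c)}")
```

The honeypot and timing signals catch tools that post without rendering the form, which is how the "jumbled words and a website" comments are produced; the link and phrase signals catch the hand-tuned ones that copy a stock sentence next to a link. None of this is hard to evade, so it works as a first filter in front of moderation rather than a replacement for it.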

Wednesday, September 17, 2008

Sarah Palin's E-mail Hacked?

News reports today indicate that WikiLeaks has published personal e-mails allegedly stolen from vice-presidential candidate Sarah Palin's Yahoo account.

That's certainly an interesting twist in the election. I couldn't get the WikiLeaks site to load this afternoon. I'm guessing the sudden rush of interest overwhelmed their servers.

Friday, September 12, 2008

E-Voting Security

It is a known fact that the security of e-voting machines is too easily compromised and that they are, as a result, vulnerable to fraud. Recently, there is cause for worry as a new threat surfaces. Smartmatic is a foreign company (based in Venezuela) which owns one of the most used voting machines in the United States. This is a private company and one which is, in some ways, running US elections. The urgent issue here is that the software it uses to count the votes is held as a "trade secret", which allows no one to review the source code and keeps it secret from voters. There is no room for auditing the company and it is under the control of foreign entities. This seems very bothersome. Venezuelan president Hugo Chavez comes to mind, for the results of that very election have been questioned.
Some US jurisdictions have opted to return to the paper ballot method due to the fact that it is more accountable. Without paper trails, how can one verify the accuracy of such machines?

Another concern deals with voting machines with wireless communications. Theoretically, a hacker could infect the system with a virus or alter the software from a remote location. Voter fraud is a very serious issue, and one that some states are trying to alleviate by banning machines with wireless capabilities completely.

What Canadian Banks Are Doing That U.S. Banks Should Be

An article recently appeared in the Vancouver Sun regarding Canadian banks' attempts at protecting their clients' information (http://www.canada.com/vancouversun/news/westcoastnews/story.html?id=0130fa57-d25d-42e8-833b-b8069acb3cca&p=2). Since we talked about using multiple layers of protection in class, it seemed to be an appropriate topic. We have all heard about the countless scams directed at bank customers, several of which have involved the Notre Dame Credit Union, but what are known as zero-day attacks are becoming a more popular strategy. In these attacks, the attackers use the information they have gained within twenty-four hours (strictly, "zero-day" refers to exploiting a flaw before a fix for it exists; the sense here is that stolen information is used almost immediately). As a result, victims of these attacks have an extremely small window in which they can resolve the problem without facing some damage.

With the ever increasing number of clients making transactions online, Canadian banks are taking greater precautions to protect the sensitive financial and personal information of their clients. In 2006, CIBC, TD Bank, BMO Bank of Montreal, Scotiabank, and RBC Royal Bank, the largest banks in Canada, spent about $4.4 billion on information security. The large investment these banks are making in protecting their clients' information reflects the numerous layers of security used, including improved sign-ins, firewalls, and encryption. An enhanced sign-in method has been developed that requires the user not only to enter the usual member number and password but also includes customized phrases and personalized graphics, which serve a dual purpose. Not only can the bank verify that the customer is who they claim to be, but the customer can also verify that they are on a valid website, not a fraudulent one. In addition, most of these banks use multiple firewalls to strengthen their security. Finally, 128-bit encryption is becoming more widely used to protect data as it travels between the clients and the bank as well as within the bank. This is provided by SSL (Secure Sockets Layer), whose certificate also lets the client verify that the server is the bank's. Some banks, such as BMO, are putting more emphasis on signing in. When managing their bank account, most people consistently use the same computer, so when a customer uses a different computer than usual, they are asked additional security questions to verify their identity.
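The layered sign-in described above, as an added example in Python (this is not code from the article or from any of the banks named): the bank shows the customer's chosen phrase after the member number so the customer can recognise the real site, checks the password, and steps up to the security questions when the computer is not one it has approved before. Approval is remembered in a signed device token. SERVER_KEY, the salt, the user record and the token format are constructed assumptions.

```python
"""Layered bank sign-in: personal phrase, password check, and step-up to
security questions for an unrecognised computer. Added example, not code
from the article or any bank; keys, salt, user record and token format are
constructed assumptions."""
import hashlib
import hmac

SERVER_KEY = b"constructed-server-secret"   # assumption: a real deployment keeps this in an HSM/KMS
SALT = b"constructed-per-user-salt"         # assumption: one salt for brevity; use one per user
ITERATIONS = 50_000


def _kdf(secret: str) -> bytes:
    """Slow hash for passwords and question answers so a leaked table is hard to crack."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), SALT, ITERATIONS)


# Constructed user record (assumption). Answers are lowercased before hashing.
USERS = {
    "12345678": {
        "password": _kdf("correct horse battery"),
        "phrase": "blue heron at dawn",
        "answers": {"first pet": _kdf("rex")},
    }
}


def personal_phrase(member_id: str):
    """After the member number is entered, show the phrase chosen at enrolment so the
    customer can tell the real site from a look-alike before typing a password."""
    user = USERS.get(member_id)
    return user["phrase"] if user else None


def _token_sig(member_id: str, device_fingerprint: str) -> str:
    msg = f"{member_id}|{device_fingerprint}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_device_token(member_id: str, device_fingerprint: str) -> str:
    """Cookie set after a fully verified login; it records which computer was approved."""
    return f"{member_id}|{device_fingerprint}|{_token_sig(member_id, device_fingerprint)}"


def device_is_known(member_id: str, device_fingerprint: str, token) -> bool:
    """A token is trusted only if its signature verifies and it names this user and device."""
    if not token:
        return False
    parts = token.split("|")
    if len(parts) != 3:
        return False
    tok_member, tok_device, sig = parts
    return (tok_member == member_id and tok_device == device_fingerprint
            and hmac.compare_digest(sig, _token_sig(tok_member, tok_device)))


def sign_in(member_id, password, device_fingerprint, device_token=None, answers=None):
    """Returns (status, device_token); status is 'denied', 'need_questions' or 'ok'."""
    user = USERS.get(member_id)
    if user is None or not hmac.compare_digest(user["password"], _kdf(password)):
        return "denied", None
    if device_is_known(member_id, device_fingerprint, device_token):
        return "ok", device_token
    # Unrecognised computer: step up to the security questions before granting access.
    if not answers:
        return "need_questions", None
    for question, stored in user["answers"].items():
        given = answers.get(question, "").strip().lower()
        if not hmac.compare_digest(stored, _kdf(given)):
            return "denied", None
    return "ok", issue_device_token(member_id, device_fingerprint)


if __name__ == "__main__":
    print(personal_phrase("12345678"))
    print(sign_in("12345678", "correct horse battery", "dev-A"))
    status, tok = sign_in("12345678", "correct horse battery", "dev-A", answers={"first pet": "Rex"})
    print(status, sign_in("12345678", "correct horse battery", "dev-A", device_token=tok)[0])
    print(sign_in("12345678", "correct horse battery", "dev-B", device_token=tok)[0])
```

A token copied to a second computer fails because the device fingerprint in it no longer matches, and editing the fingerprint inside the token fails because the HMAC no longer verifies. The caveat on the phrase step: it defends against a static fake page, but a phishing site that relays the member number to the real bank in real time can fetch and display the phrase too, so it is one layer among several rather than a complete answer to phishing.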

In addition to the precautions that the banks are taking, they also warn their customers about protecting themselves. Banks stress that they will never ask their customers for things such as a password, since they already have that information. Clients should also make sure that a site is valid by verifying its SSL certificate. This, along with typing the bank's URL rather than following a link sent in an email, is a good way to avoid phishing attacks.

Protecting the confidentiality of sensitive financial and personal information is becoming a major concern. Knowing that some banks are taking greater precautions to protect our information breeds confidence in those banks, but what about all the others? It makes me wonder why they are not taking the same measures to protect their clients. According to another article in The Business Journal, the U.S. Government has established laws that will require banks to protect their customers from identity theft. However, a study found that only a third of banks meet these standards. One can only hope the government will enforce these laws and protect our valuable information. It may be difficult to find a balance between protecting clients' information and maintaining online banking as a convenient way to make transactions, but I think most people would be willing to go through a few additional security measures if it meant they could be more confident in the confidentiality of their information.