Tuesday, November 30, 2010

Two Students Charged in Hacking - Current Event

Two former University of Central Missouri students, Joseph Camp and Daniel Fowler, have been indicted on charges of breaking into university databases. They acquired personal information on more than 90,000 students, faculty, staff, and alumni and attempted to sell the data. They also planted malware on UCM's computer systems and attempted to steal funds from the university.

The pair carried out the attacks during the previous fall semester, while both were still students, using a dorm room as the base for their operations. The initial infection vector was typically a USB drive that they convinced people to insert into their computers; they also spread the malware through enticing links in e-mails.

Once installed, the malware let them monitor activity on the compromised machines, including capturing keystrokes, and steal data. Money appears to have been the main motivation: they attempted to sell the stolen data and to add funds to their own student accounts.

I think that the cause of the event was fairly obvious: the users who allowed Camp and Fowler to gain access to their systems, either by inserting a USB drive into their computer or by clicking on a link in an e-mail.

I think it is necessary for everybody to become as educated on information security as possible. It is obvious that some education could have prevented this attack. If individuals had known that the links were not safe to click on and not to plug a USB drive into their computer, then it could have been prevented. Every user needs to be cautious all the time, because there could always be somebody attempting to gain access to your computer (and personal information). On a larger scale, I think that the university needs to protect its students. I think that they could involve some sort of data encryption (possibly a hash function or triple DES) for very personal information. Although it would take more time and money to retrieve the data, the school could be certain that its students' information is protected.

http://www.computerworld.com/s/article/9197884/Two_former_students_charged_in_university_hack_in_Mo.?taxonomyId=17

Sunday, November 28, 2010

Security Review: Notre Dame ID Cards

Your student ID card may not be as secure as you think. The magnetic stripe on your ID card contains your card number: your ndID number (which begins with 90) with the leading 9 removed and a two-digit sequence number appended to identify which card you are on. So if your ndID were 901234 and you were on your second card, your card number would be 0123402. The school has attempted to protect the magnetic stripe by hiding the card number inside a string of random digits. That is obfuscation rather than encryption, however: with access to just one student ID card whose ndID you already know, you can identify where the card number sits in the string and then extract it from any other card.


As the user of a student ID card, I would want the card to be as secure as possible. In terms of confidentiality, however, it is unreasonable to expect the ID number to be confidential, because every card reader must be able to decode it. Instead, confidentiality should be achieved through alternate means, namely a PIN. The University recognizes that it is not possible to fully protect the ID number, and so treats it as a non-sensitive internal identifier, one that has little significance outside the organization. In terms of integrity, very light protection is provided by printing the card number on the face of the card so that it can be verified against what is encoded on the magnetic stripe. This is easily overcome, however, by printing one's own card that looks like a Notre Dame ID card, with matching card numbers printed on the front and encoded on the stripe. The ID card system's availability depends on whatever system the card is being used to access: the Registrar's computer system/Banner, the dorm/University locksmith systems, or another system that uses an ID card for access.


The primary vulnerability in the ID card system, then, is that an attacker can create their own ID card simply by acquiring a student ID number through social engineering and writing it to a blank card, which they could make look like a legitimate ID card if necessary. Attackers could always skim the data off a card's magnetic stripe by swiping it through a rogue card reader that copies the track, but the card data can also be obtained without ever touching the card. Because the University views the ndID number as a non-sensitive identifier, it appears all over the place: on most Banner pages (including course schedules), and some professors use it to post grades. The primary threat here is therefore disclosure.


Someone could then, in theory, generate their own ID cards to gain access to dormitories or steal meal plans. The attacker would ideally target freshmen, for two reasons. First, freshmen are more likely to print out their schedules at the beginning of a semester, and the schedule has both their name and their student ID number printed on it. Second, freshmen are more likely than any other class to be on their first ID card, so it is safer to assume that their card number ends in 01; moving up through the classes, there is greater variance as people move on to their second or third (or more) card. All an attacker needs is the student's schedule printout, obtained through social engineering or just dumpster diving. Armed with the student ID number, the attacker strips off the leading 9, appends 01, and adds the requisite number of random leading and trailing digits. With a convincingly printed card, the attacker could use it to steal the person's meal plan. And with the owner's name printed on the schedule, a quick Facebook search can reveal the person's birth date, and thus their access code into a dormitory.


This, of course, assumes that card readers simply strip the random digits and prepend a 9 to derive the student's ID number, then perform a database lookup. A more secure method of encoding the card would be to replace the random leading and trailing digits with digits derived from other information that is static but not too common. For example, the random digits could be replaced with a truncated (first 5 characters) hash of the last four digits of the person's freshman-year phone number. Hashing means the digits on the stripe do not directly reveal the phone number, while using the last four digits of the phone number gives greater variance across the student body. If ZIP code or area code were used, for example, there would be a lot of repetition, given that many students come from the same (Chicagoland) areas. The freshman-year phone number is used so that a new card need not be issued every time the student's contact information changes.


This system would be more secure because, when a card reader derives the student's ID number and performs its database lookup, it would also look up the student's freshman-year phone number, hash the last four digits, truncate the hash to its first five characters, and compare those characters to the leading digits on the card. If they match, there is greater assurance that the card is legitimate and not a socially engineered fake. However, the phone number can also be socially engineered (though needing more information increases the "cost" of creating a fake card), and this solution does not address skimmed or copied cards.
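The encoding, the forgery and the proposed check above, as an added worked example (not code from the original post or from the University). The six-digit ndID, the five-digit leading field, the four trailing digits, the decimal check field and the sample directory are all assumptions made to keep the example self-contained. The block also adds a variant the post does not propose: an HMAC over the card number under a key held only by the readers, which closes the gap the post concedes (a freshman-year phone number can itself be socially engineered) because nothing printable or guessable lets a forger compute the leading field.

```python
import hashlib
import hmac
import secrets

# Layout assumptions (not stated in the post): six-digit ndIDs as in the
# post's 901234 example, a five-digit leading field, four trailing digits,
# and a decimal check field so that everything fits a numeric track.
NDID_LEN = 6
LEAD_LEN = 5
TAIL_LEN = 4

# Constructed sample directory; a real reader would query Banner instead.
DIRECTORY = {
    "901234": {"freshman_phone": "574-555-0147"},
    "905678": {"freshman_phone": "312-555-0199"},
}


def card_number(ndid, card_seq):
    """Card number as the post describes it: the ndID without its leading 9,
    followed by the two-digit card sequence (01 for a first card)."""
    if len(ndid) != NDID_LEN or not ndid.isdigit() or ndid[0] != "9":
        raise ValueError("ndID must be %d digits starting with 9" % NDID_LEN)
    if not 1 <= card_seq <= 99:
        raise ValueError("card sequence must be 01..99")
    return ndid[1:] + "%02d" % card_seq


def random_digits(n):
    return "".join(secrets.choice("0123456789") for _ in range(n))


def encode_current(ndid, card_seq):
    """The scheme the post describes: random digits on both sides."""
    return random_digits(LEAD_LEN) + card_number(ndid, card_seq) + random_digits(TAIL_LEN)


def decode(track):
    """Reader side: strip the padding, split off the sequence, prepend the 9.
    The same parsing serves every encoding below because the field widths are
    fixed; only what the leading field *means* changes."""
    if len(track) != LEAD_LEN + NDID_LEN + 1 + TAIL_LEN or not track.isdigit():
        raise ValueError("malformed track")
    body = track[LEAD_LEN:-TAIL_LEN]
    seq = int(body[-2:])
    if seq == 0:
        raise ValueError("card sequence 00 is not issued")
    return "9" + body[:-2], seq


def _digits_from_hash(raw):
    # Fold the first 8 bytes of a hash into LEAD_LEN decimal digits.
    return f"{int.from_bytes(raw[:8], 'big') % 10 ** LEAD_LEN:0{LEAD_LEN}d}"


def phone_check(phone):
    """The post's proposal: hash the last four digits of the freshman-year
    phone number and keep a short prefix as the leading field."""
    last4 = "".join(ch for ch in phone if ch.isdigit())[-4:]
    return _digits_from_hash(hashlib.sha256(last4.encode()).digest())


def encode_proposed(ndid, card_seq, phone):
    return phone_check(phone) + card_number(ndid, card_seq) + random_digits(TAIL_LEN)


def keyed_check(card_no, key):
    """Added alternative: an HMAC over the card number under a key held only
    by the readers. ndID, phone number and card layout can all be public and
    a forger still cannot produce a valid leading field."""
    return _digits_from_hash(hmac.new(key, card_no.encode(), hashlib.sha256).digest())


def encode_keyed(ndid, card_seq, key):
    card_no = card_number(ndid, card_seq)
    return keyed_check(card_no, key) + card_no + random_digits(TAIL_LEN)


def verify(track, key=None):
    """Reader check: decode, look the student up, recompute the expected
    leading field and compare in constant time. With key=None this is the
    post's phone-hash check; with a key it is the HMAC variant."""
    try:
        ndid, seq = decode(track)
    except ValueError:
        return False
    record = DIRECTORY.get(ndid)
    if record is None:
        return False
    if key is None:
        expected = phone_check(record["freshman_phone"])
    else:
        expected = keyed_check(card_number(ndid, seq), key)
    return hmac.compare_digest(track[:LEAD_LEN], expected)


def forge_from_schedule(ndid):
    """What the post's attacker does with a freshman's schedule printout:
    assume card 01 and pad with random digits. Passes a plain reader,
    fails verify() except by a 1-in-100,000 guess."""
    return encode_current(ndid, 1)
```

Note that under the post's own scheme the leading field is a function of a four-digit secret, so anyone who learns the phone number can compute it; the keyed variant moves the secret off the student entirely and into the reader, which is the usual way to make a cheap magnetic stripe resist forgery without making it resist copying.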

Tuesday, November 23, 2010

Human, technology key to security defense

SINGAPORE--Security experts are calling for greater emphasis on human factors in dealing with IT security risks and reiterating the need for technology to be the last line of defense.

Speaking at the Enterprise Information Security 2010 conference held here Tuesday, Fuller Yu, vice president of resiliency and IT risk management at JP Morgan Hong Kong, said the key to protecting sensitive data is to cultivate an environment in which employees are educated about and aware of potential risks. He revealed that the financial services company requires all its staff, as well as third-party vendors that have access to JP Morgan's data, to undergo IT security training.

Yu explained: "The training is to ensure staff members take responsibility in maintaining data security. You will take very good care of your mobile phone and money, so this applies to data at work. If there is no proper training, people may shirk responsibility and say this information does not belong to me."

He also urged senior IT executives to start similar training programs, as education is a "multi-investment and most effective way" of protecting the organization's sensitive data and transactions. It is not enough to rely on technology alone, he said.

Muhammed Dawud Saifullah, head of IT infrastructure at Celcom Axiata, concurred. He acknowledged that while most organizations would have to work within a limited amount of resources, they should evaluate the feasibility of increasing efforts on training staff members to better handle security matters.

Also a speaker at the conference, Saifullah suggested using branding and marketing tactics, such as corporate wallpaper with a one-sentence reminder highlighting "safety" best practices to drive home the message. Such "motivation" efforts are especially relevant in combating security attacks which carry a sociological element, he said.

He pointed to Kevin Mitnick, the infamous hacker who, among other crimes, was able to obtain the source code of a Motorola mobile phone simply by speaking to a staff member and "dropping names".

Saifullah said studies have shown that it is human nature to respond to familiarity and form relationships, and Mitnick took advantage of this trait and deployed social engineering to gain sensitive information.

"For you to secure the infrastructure, you need to look at what motivates people to act the way they do, then come up with initiatives such as slogans or mascots. With greater understanding comes better security behavior," he said.

However, he cautioned against implementing tough penalties for breaches of security protocols because, he said, security effectiveness is inversely proportional to the severity of the punishment. "Whereas, if employees buy-in [to the idea], then it becomes a motivational factor [to comply with the protocols]," he said.

Deepak Rout, chief information security officer at Uninor, added that if IT departments feel the need to implement "penalty" for policy breaches, these should be linked to HR (human resource) policies to ensure effective results.

UAE faces government challenge

While enterprises today face a multitude of security issues in the workplace, those operating in the United Arab Emirates (UAE) have more issues to address, according to Samir Abdullah, director of fixed and core network security at du, a telecommunication services provider based in the UAE.

Samir, who also spoke at the conference, explained that operators in the local telecom industry have to comply strictly with regulatory guidelines and need extra manpower to monitor certain applications such as Skype.

"You always keep a certain percentage [of the budget] dedicated for security, and enterprises have to be mindful that this is an expense that they have to consider," he explained.

Monday, November 22, 2010

"Don't Fight the Cloud"

Cloud computing has been in the news recently as the next big evolutionary change in the computing world. What is all the hype about, and more importantly, what is cloud computing? There is no single established and widely agreed-upon definition, but the term generally describes computing that takes place on shared, remotely hosted infrastructure rather than on an organization's own servers. It "is Internet-based computing, whereby shared resources, software, and information are provided to computers and other devices on demand, like the electricity grid."

John Thompson, chairman of Symantec Corp., compares cloud computing to a natural evolutionary process that is inevitably going to be a significant part of our future. He argues that we should therefore embrace it and take advantage of the benefits it can offer. As with every new technology, however, the security concerns must be addressed.


Many believe that computing in the cloud, and therefore having sensitive information stored in the cloud, is a significant concern; the common assumption is that this information is safer when handled internally. Thompson argues that these risks can be managed. Security would no longer center on hardware and infrastructure; rather, the focus would shift to the information itself. This requires constant monitoring, and such concerns are being addressed by the Cloud Security Alliance, a nonprofit dedicated to promoting security assurance in cloud computing. Furthermore, people need to take the time to understand the technology they are dealing with; Thompson recommends easing into it, starting by moving a small amount of non-sensitive information to the cloud and working up from there.


Ultimately, I am interested to see what role the Cloud will play in our computing future. This new idea definitely has its perks of convenience, speed, centralization of information, and other distinguishing features, but with new security issues (such as not having the ability to physically remove malware, as can be done on a server) it is absolutely necessary for the success of this technology that the proper security conditions are implemented to protect information on the Cloud.

Sunday, November 21, 2010

Recent Hacking of The Federal Reserve and Other Corporations

Lin Mun Poo, a 32-year-old Malaysian man, was recently arrested and charged with hacking into major U.S. institutions, among them the Federal Reserve Bank of Cleveland and FedComp, a company that processes financial transactions for credit unions.

Poo reportedly sold $1,000 worth of stolen credit card numbers before U.S. officials arrested him. That was only a small portion of his business: when the Secret Service searched his laptop, they found more than 400,000 credit and debit card account numbers. Investigators believe he obtained this data by breaking into the computer systems of various financial institutions.

Poo told investigators that he had traveled to the United States to meet an unidentified individual who regularly supplied him with stolen credit card data. That was not his only method of obtaining personal information, however. Prosecutors say he compromised at least 10 computers at the Federal Reserve Bank of Cleveland, and that by hacking into FedComp he accessed personal data belonging to members of the Fireman's Association of the State of New York Federal Credit Union and the Mercer County New Jersey Teachers' Federal Credit Union. Beyond the U.S., Poo also admitted to hacking the networks of international banks and companies. His tactics were not especially original: he gained access by finding and exploiting vulnerabilities in the institutions' networks.

If I were an executive for one of the hacked companies, such as FedComp or the U.S. Federal Reserve Bank of Cleveland, I would immediately notify my customers. As we read about in the ChoicePoint case, it is extremely important to inform customers of the situation in order for them to attempt to mitigate any damage. Also, I would set up free credit monitoring for customers, which would determine if one’s information was being breached. Each company could also use free credit monitoring as a brand restoration strategy. It is also important to implement new security procedures. If Lin Mun Poo was exploiting network vulnerabilities, I think it is important to increase the security standards of the customer’s information. If I had accounts in the corporations that were hacked by Lin Mun Poo, I would most certainly utilize the free credit card monitoring by the company. Monitoring the information would allow an individual to see if their account had been breached and if any money was stolen.


http://news.yahoo.com/s/pcworld/20101118/tc_pcworld/malaysianchargedwithhackingfederalreserveothers_1

Friday, November 19, 2010

The Great Cyberheist

As Prof. Chapple mentioned in class on Tuesday, the NY Times put out an article on November 10th talking about the mastermind behind numerous cybercrimes, including the TJX case we studied earlier in the semester. It's a long article, but well worth reading if you have 20-25 minutes of spare time.

The article goes into great depth about the progression of Albert Gonzalez, a black hat hacker out of Miami who was essentially the brains behind the breaches of Marshalls/TJX and a number of other large corporations. It begins with Gonzalez's first run-in with the law and how this led to him becoming an informant for the Secret Service in "Operation Firewall". The goal of that operation was to take down a number of black hat hackers who gathered on a Web site called Shadowcrew, which served as a combined eBay/Monster/MySpace for black hat hackers. As a rising star in the world of cybercrime, Gonzalez became an irreplaceable piece of the puzzle in taking down dozens of these hackers.

As many people say, however, once a criminal, always a criminal, and Albert Gonzalez was no exception. Like many black hat hackers, his original motives were purely monetary, but as his activities snowballed from 2003 to 2007 he found himself committing these crimes out of greed and stubbornness. While working as a government informant, Gonzalez and his crew of Jonathan James, Patrick Toey, Christopher Scott, Jonathan Williams, and Maksym Yastremskiy gained access to roughly 180 million payment card accounts from OfficeMax, BJ's Wholesale Club, Dave & Buster's, TJ Maxx and Marshalls, Target, Barnes & Noble, JC Penney, Sports Authority, Boston Market and 7-Eleven. In the words of Gonzalez's chief prosecutor, "The sheer extent of the human victimization caused by Gonzalez and his organization is unparalleled."

After becoming bored with Operation Firewall, Gonzalez had turned to retailers' in-store Wi-Fi networks by the end of 2004. Because companies had rushed to get their stores online and onto the payment card networks, Gonzalez found numerous vulnerabilities in the networks and in how card data was protected. He got Christopher Scott and Jonathan James to do much of the grunt work, sitting outside the stores with antennas and laptops.

Initially Gonzalez ran into the problem that companies like TJX held card data for so long that much of what he took was expired. Soon, however, he found a way to capture the most recently used cards and have them uploaded directly to his computer: by breaching point-of-sale terminals in the stores, he could collect card data right after customers used their cards. This method was first tried on JC Penney, Wet Seal, the Hannaford Brothers grocery chain and Dave & Buster's, and it was ultimately what led to such a large haul from TJX's databases. By the end of 2006 they held valid card data for over 40 million accounts.

Gonzalez went through an intricate process of setting up fake businesses, laundering money and using his international connections to hide and retrieve his money. He went undetected in all of this; it was his selling of card data to Yastremskiy, a Ukrainian hacker, that ultimately led to his downfall. Gonzalez had been supplying card data for Yastremskiy to sell over the Web, and it so happened that an undercover agent in San Diego had been buying data from Yastremskiy for two years. Once TJX and Heartland Payment Systems (a card processing company) reported their breaches, this agent was able to provide a lead in what had seemed an unsolvable case. When Yastremskiy was arrested, investigators found only Gonzalez's IM address, which initially gave no clue to the hacker's identity. Once they obtained the IM registration information, however, one detail stood out: the e-mail address soupnazi@efnet.ru. Those who knew Gonzalez from Operation Firewall recognized immediately that it was Gonzalez supplying the card data.

In the end, it was estimated that Gonzalez and his team cost TJX, Heartland and other companies roughly $400 million in reimbursements and forensic and legal fees, and the true figure could be much higher. The article goes into far more detail about the whole process and how Gonzalez was able to do what he did. I encourage you to read it if you have the time.

http://www.nytimes.com/2010/11/14/magazine/14Hacker-t.html?pagewanted=all

Security Awareness Strategy: Weighing Optimism vs. Pragmatism

In a recent article from SearchSecurity.com, the methods and "merits" of spreading security awareness are examined. Is it up to end users to keep themselves safe through up-to-date knowledge and understanding of threats? Or is it the responsibility of governments, ISPs, vendors and enterprises to jointly protect the uninformed consumer?

Tony Neate, managing director of U.K-based Get Safe Online, a joint public-private security education initiative aimed at individuals and small companies, is a passionate proponent of security awareness initiatives. In a time when more than three-quarters of the U.S. population and three-fifths of the U.K. population use the Internet regularly, he believes governments, ISPs, vendors and enterprises have a joint responsibility to teach the public not only how to protect themselves and their companies, but also about the increasingly complex ways in which they can be victimized.

Neate argues the public should know as much about how vulnerable they are to phishing and hacking as they know about robbery and burglary.

Neate's organization uses the typical strategies for boosting awareness: events, competitions, public outreach, and even the recently instituted National Cybersecurity Awareness Month. Neate also calls for companies to spend more resources on expert speakers, statistics and research, attack scenarios and behavioral training. Here, however, the article notes, is where the debate around security awareness becomes contentious.

In many organizations, the security staff is already stretched too thin, the budget for security awareness training is nonexistent, and even when security awareness programs are implemented, they are often ineffective because, as Lance Spitzner writes in the October 2010 issue of Information Security, "Nothing is more boring to employees than having to sit through hours of training, and being told what they can and cannot do for the benefit of the company." Ah, realism. Refreshing. Here are several points made by people interviewed in the article that serve as alternatives to Neate's plan.

1. Scare the awareness into them.

"A lot of day-to-day security professionals think security awareness is a waste of time," said Mike Rothman, analyst and president at Phoenix-based security research and advisory firm Securosis LLC and author. "These folks need to take a step back and have the awareness to do [security awareness] correctly; it can minimize the percentage of people who do stupid things, which allows you, the security professional, to focus on the minority of people who are going to do stupid things no matter how much you train them not to."

Rothman advocates a pointed security awareness strategy for enterprises that shuns formal training and instead focuses on tests for individuals or groups of users that mimic the real-world risk scenarios users often face when sensitive personal or business data may be at risk.

"By running an internal phishing experiment, for instance, when users [fall prey] to it, then you have the opportunity to educate them on how they can identify those messages," Rothman said. "Those kinds of awareness programs are an order of magnitude more effective than a sign by the bathroom or a four-hour training once a year."

2. Make it about helping the individual, not the corporation.

Almost as controversial as security awareness training methods is the question of whether enterprises should train employees on how to keep their personal data safe. Neate said a large organization he has worked with in the U.K., after finding traditional security awareness training ineffective, decided to instead focus their training sessions on teaching users how to use the Internet securely at home.

"They got droves of people to attend because people realized it was going to be useful to them at home, but it works both ways, at home and at work," Neate said.

Similarly, Rothman said companies should worry about how employees conduct themselves online when they are not on the clock. Clicking on a malicious Facebook app while using a company laptop, after all, can still put sensitive enterprise data at risk. Rothman also noted that if parents know how to act securely online, they'll pass that knowledge to their kids.

"How do we protect this next generation of kids who have all these tools at their disposal so they grow up knowing how to use them responsibly?" Rothman asked. "That's one of the most significant issues we have in today's tech-enabled society."

My Take

I knew it was Cybersecurity Awareness Month in October, but that was about the extent of how it affected me. It seemed the media didn't really care, and while security-savvy blogs and professionals probably learned one or two new things in honor of the special time of year, people like you or me probably didn't do or learn anything different than usual because frankly, most people don't see what personal benefit would come from knowing more about IS threats, nor do they have the fear of the consequences of a lack of awareness.

I would argue for a combination of the first and second strategies, and ditch Neate's altogether. There's something to this idea of appealing to people's interest in protecting themselves over the corporation. Human nature is tuned for self-preservation. Companies can hope that, through the transitive property, teaching employees how to be safe online at home will generate safer behavior online at work. Further, the training will be more effective in the first place because it's about the individual, not the corporation.

Finally, who hasn't heard someone say "Man, ever since X happened, I never do Y anymore"? I think it would be pretty interesting (although perhaps unethical) to do some white hat hacking and run phishing schemes on employees. Much like at airport screening points, where the person who monitors the baggage X-ray is shown an image of a bag with a bomb that isn't really in the machine and is supposed to alert their superior. The superior knows when this test is going to happen and to whom, so if he or she is never notified, that employee can be seen as a threat to the airport's security.

And frankly, that employee will probably become more diligent after making that mistake. I think things would operate quite similarly with members of a company when "put to the test." Of course, this might raise some legal and ethical issues, but given the ends, I tend to think the means make sense.

In summary, my ideal IS awareness and training strategy would incorporate the proliferation of fear and exploit our self-interested human nature. Does that make me a jerk?

Thursday, November 11, 2010

Security Review: Eye-Fi

Eye-Fi is a memory card for digital cameras that uses Wi-Fi to upload photos directly from the camera. To initialize the card, the user configures up to 32 preferred wireless networks along with the upload destinations. The card comes in several variants with different capacities. It also offers an "Endless Memory" option in which the oldest files are uploaded and then deleted as the card fills, giving the impression of an endless supply of storage. The card is compatible with almost any digital camera from any manufacturer and can upload to many kinds of destinations: e-mail, Facebook, Flickr, iPhoto and so on.

As the owner of such a device I would want to ensure that my pictures and other media stored on it are only being uploaded to my specified destinations over my specified networks. I would also want to be aware of when these uploads are occurring and what is being removed from the device when they occur. If I have chosen to upload directly to a public networking site, I would also want control over which pictures are automatically uploaded and which are kept for personal use. I would also want to know that if an upload fails I do not lose any of my media. Lastly, I would want the option of uploading directly to my computer by some means other than a wireless network when I am in an unsecured location.

As a hacker I would be looking to exploit the use of wireless networks as a means to usurp media from one of these cards. This could be anything from capturing the upload in progress, so as to retain the media rather than the user, to deleting the media without the user's consent. I would look to delete data or disable an upload as it occurs, possibly confusing the system into removing the media without proper backup. I would also potentially look to disable or circumvent the personalized settings, either to upload to a different portal (e.g. Facebook instead of iPhoto) or to circumvent the controls over which photos/videos get uploaded with or without the owner's consent.

Some of the vulnerabilities stem from the device's reliance on wireless networks. Though many networks are now encrypted, older or open networks are not as protected as they could be, which could give attackers easy access to disrupt or intercept uploads, or to get at the Eye-Fi's settings and alter them for their own benefit. Eye-Fi has also had problems with failed uploads. Normally uploads are backed by "Relayed Photos", photos and videos stored on Eye-Fi's servers in case of failure or extended Endless Memory issues. If those servers are not well protected, attackers could potentially get into them and steal media from all Eye-Fi users. Lastly, there is the vulnerability of being a new technology: as the first of its kind, its bugs and issues are surfacing early in its life cycle. Though Eye-Fi has had one of the fastest turnaround times for patches to known problems, it is still in its infancy.

Though wireless networks are becoming more secure, there is still, and always will be, the potential attacker looking to exploit a vulnerability. The device's heavy dependence on wireless networks will always be a risk. The device also relies on users being able to set their personal settings and controls, and many users do not know how to do this or how to limit the networks they allow their Eye-Fi to operate on. There is always room for human error. Another inherent risk is media loss: though Eye-Fi has put many backup systems in place, natural disasters or unforeseen accidents could threaten the servers, the data center, or the transfer of data from the device to the chosen portal.

In order to mitigate risks, I would first always alert users to use protected networks and to manage their personal settings. There is a need for the user to understand that their media has the possibility of being intercepted if using an unsecured connection. I would also require passwords for any change to personal settings, beyond the passwords required by the different upload portals. This could help in authenticating users. There should also be a survey of risks to servers and data centers from threats such as mother nature, to begin discussion on further backup procedures. As Eye-fi gains market share in the memory card industry there will be more and more exploited holes in their system. As long as Eye-fi continues its quick patch fixes to problems, I believe it will become an even more sought-after good.

http://www.eye.fi/

Access Controls for the Internet?

Microsoft is now considering a new way to keep internet users safe as they surf the web: an Internet-wide network access control. Such an access control would scan computers before they go online and would only allow internet access if they were clean and free from all viruses and malware. If a computer was infected, it would be cleaned through a restricted Internet connection. In his paper Collective Defense, Scott Charney (a Microsoft executive) argues that a global health model should be applied to the internet, saying, “To improve the security of the Internet, governments and industry could similarly engage in more methodical and systematic activities to improve and maintain the health of the population of devices in the computing ecosystem by promoting preventative measures, detecting infected devices, notifying affected users, enabling those users to treat devices that are infected with malware, and taking additional action to ensure that infected computers do not put other systems at risk.”

While this idea is definitely interesting, critics have cited many possible problems. First of all, it would be hard to determine who had the power and authority to implement such a control (the government? Internet Service Providers?), and how they would be able to do so. There is also the issue that it is impossible to protect against something if we don’t know that it exists. Therefore, hackers may design new types of viruses and malware that might be able to bypass the access control. There is also always the risk of the access control itself being hacked.

Despite these issues, I still think that a network wide access control is an interesting possible solution to the problem of increasing malware and viruses. It is definitely something to keep an eye on for the future.

http://searchsecurity.techtarget.com/news/column/0,294698,sid14_gci1522386,00.html

Wednesday, November 10, 2010

Barracuda Bounty Hunters

Barracuda Networks is an internet security company that offers industry-leading protection for hundreds of thousands of internet users a day. They offer spam and virus protection, firewalls and web filters. They recently began a program that offers bounties to users who can find harmful bugs and vulnerabilities in their products. The price of the bounty ranges from $500 to $3,000, depending on the severity of the issue, for anyone who can find an issue with their system. Barracuda is the first internet security provider to offer a bounty for an issue related to their own software. Other groups and companies have offered bounties on other companies’ software but not for their own.

The actual cause of these bounty offerings is that Barracuda wants to enable its users to search for problems within its software. This gives the information technology professionals at Barracuda another viewpoint, other than their own, when researching their own technology. Another cause is that a lot of bugs may have been reported with Barracuda's security products, and they can be fixed in a more timely manner by offering bounties to find them. A typical user who comes across a bug will probably just avoid the software altogether, or they will find a way around the bug and not report it to the manufacturer. I know when I come across an issue in my browser or security system and it asks me to report it I always decline because it takes too long. However, if users know that they will be paid money for reporting the bug to Barracuda then they are much more likely to report it.

The best scenario would be for a network security company to offer a security package that does not have any bugs in it. Obviously, that is almost never the case because people come up with new ways to create viruses and problems for a network system almost daily. The security company cannot always respond very quickly because they don’t really know about a problem until someone reports it. Thus, offering users a reward for reporting a bug is a great idea.

Thursday, November 4, 2010

Burma hit by massive net attack ahead of election

An ongoing computer attack has knocked Burma off the internet, just days ahead of its first election in 20 years.

The attack started in late October but has grown in the last few days to overwhelm the nation's link to the net, said security firm Arbor Networks.

Reports from Burma say the disruption is ongoing.

The attack, which is believed to have started on 25 October, comes ahead of closely-watched national elections on 7 November.

International observers and foreign journalists are not being allowed into the country to cover the polls - which many Western leaders have said will not be free or fair.

It will raise suspicions that Burma's military authorities could be trying to restrict the flow of information over the election period.

Cyber attack

The Distributed Denial of Service (DDoS) attack, as it is known, works by flooding a target with too much data for it to handle.
The "distributed" element of it means that it involves PCs spread all over the world. These networks of enslaved computers - known as "botnets" - are typically hijacked home computers that have been compromised by a virus.

They are typically rented out by cyber criminals for various means, including web attacks. They can be called into action and controlled from across the internet.

Burma links to the wider net via cables and satellites that, at most, can support data transfers of 45 megabits of data per second.

At its height, the attack was pummelling Burma's connections to the wider net with about 10-15 gigabits of data every second.

Writing about the attack, Dr Craig Labovitz from Arbor Networks said the gigabits of traffic was "several hundred times more than enough" to swamp these links.

The result, said Dr Labovitz, had disrupted network traffic in and out of the nation.

He said the attack was sophisticated in that it rolled together several different types of DDoS attacks and traffic was coming from many different sources.

At time of writing attempts to contact IP addresses in the block owned by Burma and its telecoms firms timed out, suggesting the attack is still underway.

"Our technicians have been trying to prevent cyber attacks from other countries," a spokesperson from Yatanarpon Teleport told AFP.

"We still do not know whether access will be good on the election day."

Mr Labovitz said that he did not know the motivation for the attack but said that analysis of similar events in the past had found motives that ran the gamut "from politically motivated DDoS, government censorship, extortion and stock manipulation."

He also noted that the current wave of traffic was "significantly larger" than high profile attacks against Georgia and Estonia in 2007.

Wednesday, November 3, 2010

Security Review on Web Servers and Back-end Databases

MySQL (pronounced “My Sequel” or “My S-Q-L”) is a relational database management system that runs as a server to provide multi-user access to databases of information. MySQL is a very common database system used in web applications and is even used by websites such as Facebook, Google, and Youtube. One popular scripting language used in conjunction with MySQL to produce dynamic web pages is PHP (Hypertext Preprocessor). Website developers embed PHP code into a standard HTML page and it is interpreted by a web server with a PHP module which generates the final web page filled with dynamic content.

When developing a website which can be accessed by hundreds of millions of people, securing sensitive data on your server is crucial. If your website allows users to register an account and submit personal information to the database, you need to be sure that the data remains confidential and safe from unauthorized tampering. Attackers will try any method they can to expose a flaw in the system to gain access.

MySQL can be a very secure system if set up correctly and used appropriately by web programmers. The server administrator must protect the system from a number of attacks including: denial of service, altering, playback, and eavesdropping. Access Control Lists are used to secure all connections, queries, and other user-performed operations. SSL-encrypted connections between the MySQL server and clients can also help secure information. In the end, most security risks are caused either by the administrator of the server who fails to set things up correctly or by web programmers who unintentionally allow SQL injections in their code.

Two very simple examples of tasks the administrator should perform when setting up a secure MySQL server are to put the server behind a firewall, blocking untrusted connections on the port MySQL is running on, and to hash user passwords within the database using algorithms such as MD5 or SHA1. MySQL provides administrators and programmers with these functions to easily hash data on the fly. Most administrators will put a firewall between the internet and the web server, placing the web server in a segment known as the demilitarized zone (DMZ). They will then put the back-end database within their internal network, where it is protected from outside access. In order for this database to communicate with the web server in the DMZ, information needs to be passed back and forth through the firewall, which can compromise security if the traffic on the open ports of the firewall is not carefully monitored. Aside from various technical details, this is a simple description of how most network administrators organize their web servers and databases.

One of the most common attacks on any SQL server is an attack known as injection. SQL injection occurs when a user enters a special sequence of characters into an input such as a website form; if the web programmers do not handle the input correctly, the MySQL server can interpret part of the user input as a command rather than as plain text. I will not dive into the specifics, but if you are curious there is a great Wikipedia article explaining the basics of SQL injection that can be found here: http://en.wikipedia.org/wiki/SQL_injection. If a hacker finds a way to use SQL injection on your website, they can compromise the CIA security model (confidentiality, integrity, and availability). Failure to pay attention to minor details when dealing with user input on a web server can result not only in information being stolen but in the loss of the whole database.
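To show what "handling the input correctly" means in practice, here is an added example (not code from the post or from MySQL's documentation) that writes the same login check two ways against an in-memory SQLite table standing in for the page's MySQL back end. The table, the account and the inputs are constructed for the demonstration.

```python
"""Added example, not code from the page: a login check written two ways
against an in-memory SQLite table that stands in for the MySQL back end
the post describes. The user record and all inputs are constructed."""
import hashlib
import sqlite3


def hash_password(password):
    # Unsalted SHA1 mirrors the post's MD5/SHA1 suggestion. It is a hash,
    # not encryption; for real password storage a slow, salted scheme such
    # as bcrypt is preferable, but that is beside the injection point here.
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def make_db():
    """Constructed users table holding a single account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 ("alice", hash_password("correct horse")))
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """Builds the statement by string concatenation, the mistake the post
    describes: whatever the user typed is parsed as SQL, not as plain text."""
    sql = ("SELECT 1 FROM users WHERE name = '" + name + "' "
           "AND pw_hash = '" + hash_password(password) + "'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, name, password):
    """Same query with placeholders: the driver passes the values separately
    from the statement, so input can never change the statement's structure."""
    sql = "SELECT 1 FROM users WHERE name = ? AND pw_hash = ?"
    row = conn.execute(sql, (name, hash_password(password))).fetchone()
    return row is not None


def demo():
    """Run both checks with good credentials and with a constructed probe:
    a quote closes the name string and '--' comments out the rest of the
    WHERE clause, so the concatenated version never checks the password."""
    conn = make_db()
    probe = "alice' --"
    return {
        "vuln_good_creds": login_vulnerable(conn, "alice", "correct horse"),
        "vuln_probe": login_vulnerable(conn, probe, "anything"),
        "safe_good_creds": login_safe(conn, "alice", "correct horse"),
        "safe_probe": login_safe(conn, probe, "anything"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

In PHP against MySQL the equivalent of `login_safe` is a prepared statement through mysqli or PDO, which is the fix the post's sources recommend over escaping by hand.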

If the administrator and programmers of the web server are meticulous and aware of potential security flaws, it is possible to have a very secure web server for users to use safely, but as we all know quite well, no system is completely secure. Until a new attack is discovered, administrators and programmers can defend themselves against known attacks to cover as much ground as possible.

Sources:

http://dev.mysql.com/doc/refman/5.0/en/security-guidelines.html
http://www.softpanorama.org/DB/Mysql/mysql_security.shtml

Monday, November 1, 2010

Identity Theft and the Increase in Technology

This article highlights a growing, almost unstoppable, problem with the advancement of technology today. It describes how technological advances make it more difficult to prevent the misuse of information on the internet. Identity theft is the crime highlighted in this situation, as it has become easier to commit. “Identities are sold around the world quickly after they are stolen through online auction sites operated by organized crime or hackers, and they are used for a number of purposes -- most of which do not need a personal presence where a retina scan might be used.” This clip from the article highlights two critical problems with the current technological situation, as well as revealing a potential problem with the proposed solution, which is physical identification.

The first problem is the availability of internet sources that make a profit selling and buying personal information. These sites are capable of quickly and discreetly selling information such as credit card numbers, phone numbers, social security numbers and complete names to buyers across the world for a simple transfer of funds and an email. Considering the nature of this crime and its potential for easy money, it is no surprise that identity theft has become such a growing crime. Once the information has been stolen or purchased, it can be used to create false duplicate identities of a person on the internet. This can result in several false purchases of various products in another person’s name. However, it should be noted that these purchases are rarely sent to, or identified with, the person who stole the information. It makes sense, as a criminal would not want to identify themselves with the crime that they had just committed. An analogy was used that described a thief using a stolen credit card at an ATM. They would eventually be caught, as many ATMs have cameras that watch and monitor the transactions. However, the internet does not have such a monitoring device, which leads to the second problem.

The second problem is the lack of identity on the internet. Because a computer only recognizes a person as a series of inputs, it is possible to become anyone on a computer as long as you possess the necessary inputs. If a person has the necessary inputs then they can essentially become anyone that they wish to, and the computer will not have the ability to distinguish the difference. This allows hackers and identity thieves to pass as anyone they want as long as they have the necessary information to do so. This includes bank accounts, PayPal accounts, credit companies and online businesses. And because of the lack of identity given by the internet, it becomes increasingly difficult to trace someone back to the crime.

This has led many to suggest physical identification in the form of retina scanners and even fingerprint scanners. While these are just the tip of the suggestions offered, they seem to be the ones that are gaining ground in the protection of information. However, the solution has some potential problems. By giving users a “physical” presence on the internet it infringes on the freedom offered by internet autonomy. This freedom will be lessened if everyone is given a traceable presence on the internet. This is one of the reasons that the article at hand suggests that a “physical” solution would be made impossible by the people who would reject it. Another problem is the implausibility of physical identification. While it is possible in offices as well as in a few other places where information is publicly accessible, it is not plausible on something as vast and flowing as the internet. I am at a loss as to how a system like this could be applied to any online business. Would they need direct access to a user’s personal computer to be able to gain access to the information needed? How much permission must outside sources be given in order for a system like this to function? Is it possible for hackers to scam a user into giving out their fingerprints and sensitive information?

While I see potential application to closed systems which are designed to function in a manner that allows physical identification, the internet has grown too far in complexity. So much so that it is often impossible to propose a single encompassing solution to fix an overall problem, which leaves independent organizations to come up with their own solutions. However, because these solutions often lack a physical way of identifying one person from another, they are often exposed to potential unauthorized access and possible identity theft. The article itself delves into the topic, but it's difficult to imagine that anyone is capable of understanding the problem to the depth that is needed in order to fix it.

http://www.physorg.com/news185121642.html

Other Sources

http://usgovinfo.about.com/cs/consumer/a/aaspoofing.html

http://www.privacyrights.org/fs/fs17-it.html

http://articles.winferno.com/computer-fraud/internet-identity-theft/