Unfortunately, I missed the directions that were given in the first week about having a theme for my blog. I posted about a variety of information security articles, but I did notice that I wrote more about encryption and privacy throughout my blog.
I find encryption to be a very interesting topic because of the controversy and attention it has gotten lately. There are those who believe that encryption is a bad idea as it gives terrorists a way of communicating with each other to plan attacks. It also allows for the existence of the Dark Web (TOR). Most recently, the Government is attempting to mandate phone companies to create a backdoor to their encrypted devices to allow them to conduct investigations. On the other hand, others believe encryption is essential to our right to Internet privacy. They also believe that a backdoor to encryption also creates another doorway or vulnerability for hackers to break into the device. I'm personally for encryption because I believe in Internet privacy as well as keeping our devices as secure as possible to protect ourselves from hackers. Terrorists and criminals will always find a way around these obstacles so why put everyone's devices at risk?
I think this blog assignment was a great way for us to write about a topic related to information security that interests us. It allowed us to learn more about the topic and formulate our own opinion. As I searched for articles to post about, I came across many other info sec articles that caught my attention and found myself reading about various topics. I felt like I was in the loop with current events going on in the info sec world.
Wednesday, March 2, 2016
Tuesday, February 23, 2016
Week 11 - Smartphones to Replace Cards at Bank Machines
The cardless ATM is gaining ground in the US and the world, with smartphone technology allowing for speedier and more secure transactions.
Banking giants such as Wells Fargo, Bank of America, and Chase are in the process of installing new ATMs and updating existing ones to allow customers to withdraw cash by authenticating in a mobile application and then scanning a code to get their money, without having to use a card. It's estimated that 80,000 such machines will be in use in North America over the coming 18 months.
Doug Brown of FIS Global, a major provider of ATM software and technology, believes the use of smartphones removes a lot of vulnerabilities.
The new technology is aimed to curb the growing problem of "skimming" in which criminals steal the data on a card by inserting devices into the ATM card slot.
Another security benefit they mention is that authenticating on your mobile phone reduces the time spent at the ATM to around 10 seconds instead of the typical 30 to 40 seconds.
ATM manufacturer Diebold is also working on a "headless" teller machine, without a screen or keypad, which dispenses cash based on interaction on the smartphone. Dave Kuchenski, senior business development manager for new technology, believes this will provide a better user experience. "If we're using a mobile phone, we no longer have the need for a card, we no longer have a need for a receipt printer, we've dematerialized a lot of the devices. Banks like this, because it has fewer moving parts, so it reduces the total cost of ownership."
This is a very interesting concept that has already somewhat been around. I have a Galaxy S6 and it comes with 'Samsung Pay', which allows me to make purchases at stores with my mobile phone simply by holding it near the Debit/Credit Card mag stripe reader where the transaction is completed wirelessly.
As for doing away with cards and using our smartphones to withdraw money from ATMs, I think it's a great idea. From a security standpoint, we no longer have to worry about physically securing a card that can easily be stolen or lost. I think with technology constantly evolving, this was bound to happen. There will be many against it just because a lot of us are afraid of change especially when it involves tech security and our finances. There are also those who do not own a smartphone and surprisingly it's a lot more than you think. Would this force them to purchase one? This technology is a great idea with a lot of benefits, but will take a while to completely transition to it.
Monday, February 15, 2016
Week 10 - Mandatory Encryption Backdoors Would Be Ineffective: Study
Cryptography expert Bruce Schneier and researchers Kathleen Seidel and Saranya Vijayakumar conducted a study to determine whether mandating encryption backdoors in products, in order to investigate crimes and fight terrorism, would be as effective as authorities believe.
The researchers identified 865 hardware and software encryption products from 55 different countries, including 546 from outside the United States. Of the non-US products, 47 are for encrypting files, 68 for email, 104 for messages, 35 for voice, and 61 for private networking.
The study found that while both domestic and foreign encryption products use strong algorithms, including proprietary ones, some solutions have been described as “jurisdictionally agile,” and the organizations behind them can easily move to countries with more favorable legislation. The study concluded that the international nature of the encryption marketplace would make mandatory backdoors ineffective.
The researchers stated that it would be easy to catch criminals who are too stupid to realize that their product has been backdoored or too lazy to switch to an alternative, but that this is not the case for terrorists and organized crime, who could easily switch to non-US, non-backdoored communication products.
While authorities in the United States and United Kingdom believe encryption backdoors would be beneficial for law enforcement investigations and national security, experts argue that it could also be exploited by criminals and terrorists.
The study conducted is just another reason why weakening encryption isn't the best solution. Terrorists and smart criminals always find a way around everything and in this case it's just as easy as switching to a non-backdoored device. I don't think this is the right solution and somehow the US Government and tech giants will have to come up with something that would satisfy both sides. Weakening encryption on devices is not it.
Reference:
http://www.securityweek.com/mandatory-encryption-backdoors-would-be-ineffective-study
Week 9 - US Unable to Crack San Bernardino Attacker's Phone
FBI Director James Comey revealed that after two months, they are still unable to crack into the cell phone that belonged to the San Bernardino attackers, Syed Farook and Tashfeen Malik, who shot and killed 14 people.
The FBI and US intelligence have been trying to figure out whether or not the couple were self-radicalized and if they had links to broader jihadist-inspired groups or individuals.
Clapper's anecdote about the suspect's phone feeds into a broader campaign that the US government is waging to persuade Silicon Valley tech giants to give it access to encrypted devices and online files.
Consumers, worried by cyber crime and government snooping, are increasingly drawn to protected products and the industry is keen to serve the market, despite official concerns that encryption empowers criminals.
"Those devices are going to hold the evidence of child pornography, communications that someone made before they were killed, before they went missing," Clapper said, describing phones with a default lock.
"So it is a big problem with law enforcement armed with a search warrant when you find a device that can't be opened even though the judge said there's probable cause to open it."
I chose this article because I had previously posted a blog about the encryption debate on whether or not tech companies should weaken or create a backdoor to their devices for situations like this. Although the US Government's argument makes sense and would help in this investigation and other investigations, I am still on the side for NOT weakening encryption. I think the privacy and security of our devices are critical and the tech companies who decide to go with weak encryption will take a huge hit as far as consumer support goes. It's a controversial issue that I foresee being debated for a while. The Government needs access for investigative issues and companies need to protect their consumers and keep their trust. I will definitely be following this issue closely.
Reference:
http://www.securityweek.com/us-unable-crack-san-bernardino-attackers-phone
Monday, February 1, 2016
Week 8 - DHS's Einstein Security System Has Limited Capabilities: Audit
The United States government plans on spending $5.7 billion by 2018 on a program called the National Cybersecurity Protection System (NCPS), also known as the Einstein program. It was launched in 2003 with the initial objective of helping DHS detect intrusions in the networks of federal agencies.
The latest version of the NCPS, Einstein 3 Accelerated, is designed to deliver a wider range of capabilities, including intrusion detection and prevention, analytics, and information sharing. DHS has already spent $1.2 billion through fiscal year 2014.
Despite the time and money put into the program, an audit conducted by the Government Accountability Office (GAO) found that it only partially meets its objectives and not all federal agencies leverage its capabilities.
Its limited capabilities stem from the fact that the system only compares traffic to known patterns or signatures and does not detect deviations from normal behavior. It also does not monitor all types of traffic, and commonly exploited vulnerabilities are not covered by its signature database. In addition, the NCPS can block malicious email, but it cannot block malicious web traffic. DHS plans to implement this capability in 2016 and to enhance its analytics capabilities.
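The signature-only limitation the audit describes can be seen in a small added example (mine, not from the GAO report or the Einstein program): two detectors run over constructed flow records, one matching destinations against a known-bad list and one comparing each host's daily outbound volume against its own baseline. The hosts, addresses, byte counts and the "known bad" list are all constructed sample data.

```python
"""
Signature-only detection versus a per-host behavioral baseline.

Added example (not part of the GAO audit or the Einstein program) showing why a
system that only compares traffic to known signatures misses activity that a
simple statistical baseline would flag. Hosts, addresses, byte counts and the
"known bad" list below are all constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    day: int        # observation day, 1-based
    src: str        # internal host name
    dst: str        # external destination address
    bytes_out: int  # bytes sent from src to dst


MB = 1_000_000

# Constructed signature list: a single destination already known to be bad.
# (Addresses are from RFC 5737 documentation ranges, not real indicators.)
KNOWN_BAD_DST = {"203.0.113.50"}

# Constructed flow records: five ordinary training days, then day 6.
FLOWS = [
    *[Flow(d, "ws-01", "192.0.2.10", b * MB)
      for d, b in zip(range(1, 6), (10, 12, 11, 13, 9))],
    *[Flow(d, "ws-02", "192.0.2.10", b * MB)
      for d, b in zip(range(1, 6), (8, 9, 10, 11, 12))],
    Flow(6, "ws-01", "192.0.2.10", 11 * MB),
    Flow(6, "ws-01", "198.51.100.7", 600 * MB),  # huge upload; destination on no list
    Flow(6, "ws-02", "192.0.2.10", 10_500_000),
    Flow(6, "ws-02", "203.0.113.50", 2_048),      # tiny flow to a listed destination
]


def signature_alerts(flows):
    """Signature-style check: a flow is flagged only if its destination is already listed."""
    return [f for f in flows if f.dst in KNOWN_BAD_DST]


def daily_totals(flows, day):
    """Sum bytes_out per source host for one day."""
    totals = defaultdict(int)
    for f in flows:
        if f.day == day:
            totals[f.src] += f.bytes_out
    return totals


def build_baseline(flows, training_days):
    """Per-host (mean, population stddev) of daily bytes_out over the training window."""
    per_day = {d: daily_totals(flows, d) for d in training_days}
    hosts = {h for totals in per_day.values() for h in totals}
    baseline = {}
    for host in hosts:
        series = [per_day[d].get(host, 0) for d in training_days]
        baseline[host] = (mean(series), pstdev(series))
    return baseline


def anomaly_alerts(flows, baseline, day, z_threshold=3.0):
    """Behavioral check: flag hosts whose daily volume sits more than
    z_threshold standard deviations above their own history."""
    alerts = []
    for host, total in daily_totals(flows, day).items():
        mu, sigma = baseline.get(host, (0.0, 0.0))
        # A perfectly regular history gives sigma == 0; use a floor of 10% of
        # the mean (or 1 byte) so the division stays meaningful. A host with no
        # history at all gets mu == 0 and is therefore always surfaced for review.
        spread = max(sigma, 0.1 * mu, 1.0)
        z = (total - mu) / spread
        if z > z_threshold:
            alerts.append((host, total, round(z, 1)))
    return sorted(alerts)


def run(training_days=range(1, 6), day=6):
    """Run both detectors over the constructed data and return what each flags."""
    baseline = build_baseline(FLOWS, training_days)
    return {
        "signature": sorted((f.src, f.dst) for f in signature_alerts(FLOWS)),
        "anomaly": [host for host, _, _ in anomaly_alerts(FLOWS, baseline, day)],
    }


if __name__ == "__main__":
    result = run()
    print("signature-only flagged:", result["signature"])    # only ws-02 -> 203.0.113.50
    print("baseline deviation flagged:", result["anomaly"])  # only ws-01 (600 MB spike)
```

The signature check never sees the 600 MB upload from ws-01 because its destination is on no list, while the baseline check never sees the 2 KB flow from ws-02 because the host's daily volume is normal; a program relying on the first alone has exactly the blind spot the audit points out.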
Only 5 of the 23 agencies that were required to route their traffic through the NCPS benefited from intrusion prevention services.
I think it's a little ridiculous for the Government to have spent this much time and money on a program that produces these types of capabilities. We may never know the details as to why they've taken this long and spent this much money, but from the outside looking in, this is unacceptable.
The program started in 2003. If capabilities were fully developed then, would it have prevented the OPM, IRS, and Postal Service hacks? Maybe those recent hacks prompted the Government to kick it up a notch and pump more money into the program to develop it to its fullest potential. We can only hope they get it right this time and prevent future attacks.
Reference:
http://www.securityweek.com/dhss-einstein-security-system-has-limited-capabilities-audit
Monday, January 25, 2016
Week 7 - Hackers Breach University of Virginia HR System
The FBI recently notified the University of Virginia of a data breach following a law enforcement investigation, which resulted in suspects overseas involved in the incident being taken into custody. The attack was carried out via a phishing email, which asked users to click on a link and provide their user name and password.
The cybercriminals were able to gain access to the University's HR system and the W-2s of 1,400 employees as well as direct deposit banking information of 40. Further investigation revealed that the attackers gained access to the system in November of 2014, with the last suspected intrusion being in February 2015.
Chairman and Founder of IDT911, Adam Levin, stated, "While we don't have intimate knowledge of the specific security protocols at UVA, it is clear that even if their IT and Information Security departments did everything right, one or more employees who click on a malicious link can be unwitting co-conspirators in the compromise of a database holding the personal information of countless individuals."
This article proves once again the importance of Information Security Awareness in an organization. In this case, the employees who fell for the phishing attack could have prevented the hack. But they can't be completely at fault. I'd also raise a few questions to the organization's Chief Information Security Officer (CISO) or Security Manager. What type of InfoSec awareness training is in place? How often are employees required to go through the training? What can be done to minimize or even prevent an incident like this from happening again? Employees and users in general must understand that security starts with them.
Reference:
http://www.securityweek.com/hackers-breach-university-virginia-hr-system
Tuesday, January 19, 2016
Week 6 - Struggling With Privacy Tradeoffs in Digital Era
A Pew Research Center survey released Thursday found no consistent pattern on decisions to give up privacy in return for discounts, rewards, or other benefits:
- A majority (52 percent) of those surveyed said they would allow their medical data to be uploaded to a secure site in order to allow their doctor to keep track of their health.
- But only 27 percent said it was acceptable for a thermostat sensor to monitor movements in the home to potentially save on energy costs.
- 47 percent said it was OK for retailers to keep track of shopping habits to offer discounts, while 32 percent said it was not acceptable.
- A majority (54 to 24 percent) said it would be acceptable for employers to install monitoring cameras following a series of workplace thefts.
- Asked about a scenario in which a free social media platform allows people to connect with friends in exchange for sharing data to deliver advertisements, just one in three said this was acceptable, and 51 percent disagreed.
Pew researcher, Lee Rainie stated, "These findings show how people's decisions are often context-specific and contingent. A phrase that summarizes their attitudes is, 'It depends.' Most are likely to consider options on a case-by-case basis, rather than apply hard-and-fast privacy rules."
This was a great article to read since privacy and technology have become a huge topic in recent years. I thought the results were very interesting. People are okay with uploading personal information to a site that could be vulnerable to hacking, but uncomfortable with a SENSOR that tracks their movements in their own home? From an IT security perspective, I'd think it would be the other way around. What about Smart TVs that have motion control or the XBOX Kinect, which both connect to the Internet? These are common household products and most likely used by those who oppose the thermostat sensor as well. I think many of us don't realize how much privacy we're already giving up through the use of social media or apps that have access to our personal information, phone contacts, and location.
Also, more people are okay with having their shopping habits tracked for possible discount offers. Personally, I feel that's an invasion of my privacy. There's no need for anyone to know what my browsing habits or history are, even if it's only for advertising a product. If I wanted to purchase something from a site, I'd do it of my own free will. I don't need ads popping up trying to tempt me. It's more of a nuisance than anything.
As the article stated, acceptance of losing some privacy with technologies and services will depend on what it is. There are just too many sides and opinions on it to come up with mutual privacy rules. It will be interesting to see how everything plays out as more issues like this come up.
References:
http://www.securityweek.com/struggling-privacy-tradeoffs-digital-era
Tuesday, January 12, 2016
Week 5 - Privilege Escalation Flaw Found in VMware Tools
VMware has released its first security advisory of 2016, regarding an important guest privilege escalation vulnerability in VMware Tools.
The Shared Folders (HGFS) feature running on Windows is affected by a memory corruption flaw that can be exploited by an attacker to escalate their privileges in the guest operating system. VMware has confirmed that the vulnerability cannot be exploited to escalate privileges from the guest operating system to the host, and that host memory cannot be manipulated from the guest.
The vulnerability is addressed by the 201512102-SG patches. Once the patches are applied, VMware Tools in all Windows guests that include the Shared Folders feature must be updated. As a workaround, the Shared Folders feature can be removed to prevent exploitation.
This short article caught my attention because I manage multiple VMware ESXi hosts at my job and will be looking into mitigating this vulnerability this week. This is a great example of why we should be keeping up with security patches in order to keep the network and devices safe, especially when it affects the servers. Hacks on large companies like the SONY PSN hack could have been prevented if their servers were patched with the latest updates. With enough time and resources a hacker will get into a network, but to allow them in due to unpatched servers would be unacceptable. It's up to the system administrators to keep an eye out for these things.
Wednesday, January 6, 2016
Week 4 - Samsung Launches Security Solution for Smart TVs
Last week, Samsung revealed they will be implementing a three-layer security solution to all of its Tizen-based Smart TVs called GAIA. The solution is designed to protect the consumer's personal data in three ways. The first is called Secure Zone, a virtual barrier designed to create a secure space and to protect the core service operations. It also includes a Secure Keypad, which works as the virtual data input mechanism displayed on a TV, which safeguards consumers' personal information, including credit cards and passwords.
GAIA will have the capability of encrypting important data transmitted between a Smart TV and Internet of Things (IoT) service servers. It will also have a built-in anti-malware system. The security level is further improved by leveraging hardware-based security: the Tizen OS has been divided into two parts, the main space and the security space, and data for each of them is secured separately. The public key used for verification of personal information will be stored in a hardware chip.
Just like the smart phone, Smart TVs will follow the trend and eventually become almost a necessity in our households. It may not sound like a big deal now, but these Smart TVs are devices that connect to the Internet and they are just as vulnerable as computers and smart phones. A Smart TV actually IS a computer, as it runs its own OS and stores and transmits data to other devices or servers over the Internet. It's definitely a recipe for being vulnerable to hacking. Raising awareness on the importance of securing it is critical, and hopefully it prompts other Smart TV manufacturers to start implementing the same solutions.
References:
http://www.securityweek.com/samsung-launches-security-solution-smart-tvs