This blog provides opportunities for students of RIT’s Cyber Self Defense classes to post their thoughts on information security topics of their choosing and to discuss those posts. If you’re in a class section using this blog, please read the requirements concerning posts and comments in your syllabus. If you’re visiting, welcome to the blog. You’re welcome
Your Heartbeat Could Replace Computer Password
4
The uniqueness our your heartbeat could provide the encryption needed to unlock your various devices. A scientific team has successfully translated a human heartbeat into an encryption key. Each person has a unique heartbeat and it also never repeats its pattern so you would never get the same encryption key twice.
The goal is to integrate the system into hardware so that users can both encrypt and decrypt their devices with the touch of their hand.
The research was conducted by Chun-Liang Lin at the National Chung Hsing University in Taichung, Taiwan.
links: NewScientist, Original Article
Anonymous – A Brief History
With the amount of time they have spent on the news over the last 18 months I think it is safe to assume that we all know about Anonymous. However, how many people really understand how anonymous was first created? I figured that because we all understand online culture in our own way, and maybe some of the students in this class understand more than others. At the bottom of this posting I will be listing a few websites and blogs that you can follow if you wish to keep a closer eye on Anonymous after reading this post.
To start this story off I will have to take you all back to the year 2003, and an old school blog/image board called 4Chan. When 4Chan was first created by Christopher Poole, he intended it to be a place that American teens would be able to congregate to talk about Japanese anime, post messages and images anonymously.
The reason Anonymous has proven to be a power house on the World Wide Web is that fact that they have no real structure that can be attacked. Think of the group as a living organism that takes on new members, and loses member in the same manner that the human body creates and loses cells. Anonymous members have the ability to do whatever they want within the group, and because there is no leadership in the traditional manner, when members are arrested there is no slowdown in the movement.
The ideology of this organization is something that a lot of online users and legal groups have spent a lot of time talking about because of so many things that the group has taken part in. One thing you need to keep in mind is the lack of true leadership. Because the group has no leaders there is not going to be one set of ethical beliefs that will dictate the actions of the group. So that is why you have heard about Anonymous attacking government organizations, financial, and even raciest websites.
I first started hearing about Anonymous in 2010 because of the controversy of the website Wikileaks. Wikileaks came under attack by the United States because of the information that was posted. And the fact that the U.S. influenced financial institutions PayPal, Visa, and MasterCard to the point of freezing Wikileaks accounts. Anonymous took it as a personnel attack on people’s freedom to free information, and ended up using a Denial of Service Attack (DDOS) to the point that it crashed their websites.
By Robert Tanner
The blog below showcases almost everything Anonymous has done to date, or is planning to do in the near future.
Website/blogs:
The Importance of Securing Medical Information
Today, a great deal of sensitive information is available online. With an ongoing shift of patient’s medical records from analog to electronic, and an increasing desire for patients to access their information remotely, a much greater pressure has been placed on those who secure this information. No longer is the theft of medical information simply a matter of keeping doors locked and information in the right physical hands. Now that this information is available via an internet connection, it has become far more vulnerable to being put in the wrong hands. According to a report from Redspin, Inc., a company dedicated to providing information security assessments, “incidents [involving health security breaches] have been reported in nearly all 50 states and the total number of records breached increased 97%” from 2010 to 2011(The Sacramento Bee).
With this in mind, doctors and patients must now figure out new ways to ensure that patients’ records are accessible remotely while not being able to be accessed by eavesdroppers, how medical information can be transferred from hospital to hospital without being intruded upon, and how all of this can be managed with the information intact and unmodified.
The importance of keeping medical information secure and intact begins with the fact that doctors have to rely on this information to make proper diagnoses. If this information is modified in any way, no matter how small it may be, there may be the possibility of an incorrect diagnosis that could lead, if it becomes severe enough, to further medical problems and death(Ivanov, Yu and Baras). Another more immediate problem that could come if your medical information is stolen or modified is the fact that you may be charged for large bills in your name, potentially maxing out your health care plan and putting you into serious debt(Coalition Against Insurance Fraud) .
Thankfully, there are several current medical policies that help to prevent these kinds of things from happening. The Health Insurance Portability and Accountability Act of 1996(HIPAA) is currently set up in order to provide a blanket of security over your medical information. According to the act’s guidelines, most information relating to your health records is to be kept private between you and your health care provider unless you specifically give written permission for it to be shared with anyone other than yourself or your healthcare provider(HHS.gov). This can help to safeguard your information from those who would use your information for unethical reasons. Most of the states will also have other laws on top of that to provide a further layer of security (Movers.org).
However, there are still some vulnerabilities in the system. What happens if you sign to give information to an organization that appears to be legitimate, but turns out to be nothing more than a facade for the very people who covet these records for their value? What would happen if someone was able to obtain this information through bribery or theft of your own means of identification? What if an attacker was able to somehow break through the encryption keys on your medical records?
Even with these questions in mind, there are many different ways that you can keep your information secure and out of the hands of thieves, including:
- Keeping your medical insurance card protected and notifying your insurance company immediately after you lose it or have it stolen (Silver Planet)
- Being more wise in choosing what clinics you are giving your information to, avoiding clinics that advertise with gimmicks (Silver Planet)
- Making sure that the information provided by your insurance company through their explanation of benefits (EOB) forms is accurate, including your doctor’s names (Silver Planet) and treatments that you have received (CAIF)
- Calling your insurance provider or asking your doctor for a summary of medical procedures made in the last year (Silver Planet)
- Always reviewing your medical information before you go under surgery, no matter the scale (Silver Planet)
With today’s technologies making a great deal of information available over the internet, including medical information, there has been an increase in people who are able to find ways to obtain this information through illegal means. This has put a great stress on patients, doctors and maintainers of medical information to keep this information safe due to the severe consequences that could come if the security weakened in any way. With this in mind, several new polices have made the protection of this information more streamlined and easier to enforce. However, the best and most assured way to secure this information is to take steps to protect it yourself.
That said, if you suspect that something is fishy with your medical records, through the means provided or otherwise, contact the authorities as soon as possible(CAIF). You life may be on the line.
Sources:
http://www.sacbee.com/2012/02/01/4230093/redspin-reports-on-the-state-of.html
http://www.insurancefraud.org/medical_id_theft.htm
http://www.hhs.gov/ocr/privacy/hipaa/understanding/consumers/index.html
http://www.movers.com/moving-guides/transferring-medical-records.html
http://www.silverplanet.com/scams/identity-theft/real-threat-medical-identity-theft/56573
Is Your Smartphone Really in Danger!!!
There is a lot of talk about a lack of awareness for securing mobile devices. On a PC we have known and have probably been affected by a virus or malware. Most smartphone users also believe there device is susceptible to these same viruses. This is where experts disagree. Some have advised against using anti-virus software, as it can be bad for the operating system (OS). Anti-virus software makers would like us to be differently. ”You could say that the anti-virus software makers have a great interest in playing up the danger, sometimes bigger than it really is,” says Juergen Schmidt.
The threat of malware or a virus on mobile operating systems differs across platforms. Android is deemed to be the least secure at this point, though it comes down to not paying attention to where and how you are getting the apps. Once again Apple is the top dog for the most secure platform as Apps can only be installed through the Apples App Store unless you are jailbroken, but that is a whole seperate story. Downloading from a trusted source is currently the best type of security.
One of the reasons anti-virus software is discouraged is because it slows down the phone and drains the battery. All of the manufacturers are trying to get longer battery life and faster phones and an anti-virus app could slow it down and stall that movement foward. Current anti-virus software is not to the ponit where it is beneficial on smartphones. The security needs to start in the App Store or the Android Market. A user must read reviews on apps and in most cases the larger the userbase of the app the more secure it is. It is also a great idea to see what the app will be using, which is a warning before every download on android. This does leave open the people that download third party apps but those are downloader beware!!
http://www.newsfactor.com/fullpage/fullpage.xhtml?dest=%2Fstory.xhtml%3Fstory_id%3D81139%26page%3D1
Google’s New “Privacy Policy”
Since it seems everyone is on the net these days and are connected by some social network or another there is growing concerns about privacy. Google has been taking a lot of heat lately for changing its privacy policy. They are going to make it where all of their services have access to your data from each other. The main reason Google is doing this is because it wants to be able to provide customized ads to its user base.
Google is trying to cover the whole issue by saying that using a social network is more secure private than being without one. This is also coming from a company that happens to run a growing social network. Many believe that companies should rename privacy policies to something like data use policies like Facebook. Companies are no longer keeping a person’s data safe; they are sharing it to make money. A data use policy outlines what they have the power to share and to whom they may share it with.
Google released a research paper about the how effective social media is towards privacy. The first study they conducted showed that it is possible to create a trustworthy network that is engaging hand supportive. That again points to them furthering their own agenda since they need people to stay on the web and use their service and the longer they are on the web the more ads they will see and the more money they will make.
The paper also showed that in a second study people were 3% more engaged in sharing if the media had some sort of social element like a link or a like button. I think that that is not enough to show how being on a social network is better than being without one. I do believe that Google is not an evil entity and that is should be more straight forward with its user base and not hide behind arbitrary privacy policies. They should just clearly lay out what they doing with the data and if it is not too outrageous it should not be a dilemma.
http://informationweek.com/news/security/privacy/232500586
Growing hacktivism and cyber attacks
Recently developing over the past few months the internet community has been in arms over proposed bills, corruption in the government, other local authorities, and what they deem corruption. Different hacktivist groups have been growing more bold as they orchestrate larger and larger attacks.
Just this past week the group temporarily shut down the Department of justice, the FBI, the Copyright office, the motion picture association, and the recording industry association presumably for payback for the recent DOJ shutdown of megaupload. In addition to these minor shutdowns, they’ve come to acquire confidential and private information and recordings.
In a recent attack on Puckkett Faraj the law firm currently handling the case of Staff Sgt. Frank Wuterich, accused of leading the massacre in Haditha where 24 unarmed Iraqi civilians were killed. Anonymous stole roughly 3 gigabytes of e-mails, and other records regarding the case to be exposed later this week in the form of a torrent. To expose the truth, and the minimal charges placed on Mr. Wuterich who is taking a plea that will merely demote him to a private as opposed to any prison time or other punishments.
In addition to this they also managed to gain access to a FBI Conference Call between members of Scotland yard and the FBI relating to members of this hacktivist group. All stated above was obtained illegally and with accordance to the groups agenda for whatever reasons motivate them.
Cyber terrorism, war, and attacks have been going on for quite a long time, but recently there seems to be a lot of clashes between different groups, governments, and individuals who all are acting for their own personal reasons. And I foresee this only getting worse, and continuing to grow out of hand. Not sure whose going to come out a head, but sooner or later somethings going to give, or someone is going to break.
http://www.washingtonpost.com/blogs/blogpost/post/anonymous-hacks-fbi-scotland-yard-conference-call-about-anonymous/2012/02/03/gIQAjzr0mQ_blog.html?tid=pm_national_pop
http://gizmodo.com/5882057/anonymous-leaks-marine-corps-massacre-case
Spear Phishing Safety
One of the most dangerous forms of cyber attacks known today are spear phishing attacks. Spear phishing attacks are a form of identity theft through email that involves making the victim believe the attacker is someone who holds authority over the victim, and the attacker using that position to get personal information from the victim. Examples of spear phishing attacks are worldwide, and have caused problems up to international conflict proportions. An example is as recent as May 2010, Chinese Hackers were caught trying to hack into the United States Chamber of Commerce. They did this by hijacking several known Chamber employees email accounts and used them to send out emails to other chamber employees giving a link to a site and saying that the receivers needed to click this link and enter their personal information.
So the question is, what would you do if you were in this situation?
First, look at the emails reasoning. Is the reasoning legitimate? Has your boss or whoever is sending this email mentioned to you they will be needing this information soon? No one should just email you out of the blue asking for personal information, your boss or whomever most likely would send another form of communication warning you or at least letting you know this was going to be happening.
Second thing to look at, the link provided. What site is the email telling you to put your information into? Often spear phishing emails has sketchy links, with unknown hosts and server names. If it is your work, your boss or company would most likely have you put your information on a company site, so is your company site the beginning of that address?
Third and finally, if you really are not a hundred percent sure this email is legitimate, ASK! Go to the source of this email and confirm this person is who they say they are. Worst case scenario, you get confirmation that it is indeed a correct email. Otherwise, you may just save yourself and a whole group of your co workers from some serious problems by bringing this attack to light.
Spear phishing attacks target specific people or departments, using fake identities of people of authority to steal personal information. With the rise of the internet, most likely everyone will face at least one phishing attempt in their lifetime. Knowing how to keep yourself safe from these attacks keeps your identity safe and personal, and is an important piece of knowledge in our technological world.
