Clickjacking

Clickjacking seems to be going on a lot lately; you may have heard of it with the whole Facebook attack going on right now. Many people are victims of Clickjacking attacks, and it's a hard attack to detect. Many times it happens in the background without the user ever knowing. So what is Clickjacking? Well, just check Wikipedia; it's a good enough description.
http://en.wikipedia.org/wiki/Clickjacking

Simply put by wired.com:

Clickjacking, put simply, is when a button, image, video, or some form of embedded content on a website is overlaid by an invisible layer that sits on top of the site underneath it.

Wired.com also had a fairly good example explanation:

For instance, you may see a page with a movie embedded on it. You want to watch the movie, so you click on the play button. You don’t think twice about it — you’ve done it a million times. Meanwhile, a hacker has superimposed an invisible web page over the movie. It just so happens that a button allowing access to your camera and microphone has been placed over the movie’s play button. Now, when you think you’re playing the movie, you’re actually permitting the hacker to access your video camera and microphone.

So, your click on something that isn't what it seems to be causes bad things to happen, usually without you knowing. So how do you prevent it?

Keeping your browser and Flash player up to date is the first step. Instead of repeating the rest of the information that's already on the internet, here's a link that will give you some tips:

http://howto.wired.com/wiki/Prevent_Clickjacking_Attacks#Upgrade_Flash_Player


Hopefully this information will help people who haven't heard about Clickjacking yet. For those who have, hopefully all of you, this is just a reminder to make sure you're secure.
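The post covers the browser-side advice; the other half, which the post does not mention, sits on the server. A site can tell the browser that its pages must never be shown inside someone else's frame, so the invisible overlay described above has nothing to overlay. The Python below is an added example, not code from the post or from Wired: it classifies a response by the framing protection its headers carry (the X-Frame-Options header and the Content-Security-Policy frame-ancestors directive). The header sets it checks are constructed.

```python
"""Classify an HTTP response by the anti-framing protection it carries.

Added example (not from the post): X-Frame-Options and the CSP
frame-ancestors directive are the server-side defences against
clickjacking. The sample header sets at the bottom are constructed.
"""


def get_header(headers, name):
    """Case-insensitive header lookup; returns None when absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def frame_ancestors(csp):
    """Return the frame-ancestors source list from a CSP value, or None."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip("'").lower() for p in parts[1:]]
    return None


def framing_policy(headers):
    """Return 'deny', 'same-origin', 'allow-list' or 'unprotected'.

    CSP frame-ancestors is checked first: when both headers are present,
    a browser that understands CSP ignores X-Frame-Options.
    """
    csp = get_header(headers, "Content-Security-Policy")
    if csp is not None:
        sources = frame_ancestors(csp)
        if sources is not None:
            # An empty source list matches nothing, same as 'none'.
            if not sources or sources == ["none"]:
                return "deny"
            if sources == ["self"]:
                return "same-origin"
            return "allow-list"
    xfo = get_header(headers, "X-Frame-Options")
    if xfo is not None:
        value = xfo.upper()
        if value == "DENY":
            return "deny"
        if value == "SAMEORIGIN":
            return "same-origin"
        if value.startswith("ALLOW-FROM"):
            # Legacy form; only some browsers ever honoured it.
            return "allow-list"
        # Any other value is invalid and browsers ignore the header entirely.
    return "unprotected"


# Constructed responses: a page the overlay trick can frame, and a hardened one.
UNPROTECTED = {"Content-Type": "text/html"}
HARDENED = {
    "Content-Type": "text/html",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
}

if __name__ == "__main__":
    for label, headers in (("unprotected", UNPROTECTED), ("hardened", HARDENED)):
        print(f"{label}: {framing_policy(headers)}")
```

Sending both headers, as HARDENED does, covers old browsers that only know X-Frame-Options as well as newer ones that prefer CSP; a result of "unprotected" on your own pages is the thing to fix.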


Ethical Hackers 2

In a follow-up to my post about ethical hackers, I found an article about a Cyber Challenge which was looking into getting teenagers and young adults who are partial to hacking interested in cybersecurity jobs. "In the eyes of the organizers of the Maryland Cyber Challenge and Conference, today's hacker could be tomorrow's cybersecurity hero." Realizing that there is a shortage of security professionals in the workforce, those who ran the conference intended to help those who attended see the great aspects of cybersecurity. The challenge itself was:

an all-day brain tester for eight high school and eight college teams. The college students had to hack into a computer, gain control, and rummage through files for valuable information. Meanwhile the high-schoolers were required to defend six computer servers against attacks by cunning computer professionals seated across the room.

It would seem that the “Ethical Hacker” is a much needed resource in this day and age.

Article: 
http://www.homelandsecuritynewswire.com/cyber-challenge-encourages-teen-hackers-seek-security-jobs

Someone shut off the Internet!

Someone shut off the Internet! No I’m not kidding.

Yesterday, November 7th, 2011, the internet briefly ‘died’ for about 30 seconds. This event was witnessed by users and servers all around the U.S. in places ranging from highly populated areas such as Washington D.C., Los Angeles, San Francisco, Raleigh, N.C., Dallas, NYC, and some lesser known locations in the Midwest.

Obviously this affected individuals worldwide. Servers and services hosted in the U.S. could no longer be reached by any client, regardless of their location.

Time Warner took responsibility for the massive outage with only a brief statement on their Twitter account.

@TWCableHelp: We appear to be recovering from a large but brief internet outage affecting most of our service areas. Please attempt to connect again.

This raises the question: how easy would it be to actually 'turn off' the internet if access could be gained to the systems Time Warner controls? Or, put the other way, how easy would it be to disable the systems that keep Time Warner's customers from going offline?

Security is a huge issue here, because if Time Warner has the power to disable the internet and adjacent services, at least the portion they control (which is massive: they had over 36 million subscribers as of 2009), then other ISPs might potentially have the same incredible power. Could we be facing a state where a complete shutdown of the internet, à la Egypt or China, is feasible and a real threat to our freedoms as citizens?

What if an unscrupulous individual manages to take control of these systems and has an entire country's internet at their fingertips? If a merchant like Amazon goes offline for even a few seconds, they potentially lose millions of dollars. Thirty seconds of downtime is a massive outage in any network administrator's eyes. It is certainly unacceptable for such a large service provider conglomerate.

Sources:

Developing the security mindset

What is a mindset? It can be defined as:

  • beliefs that affect somebody’s attitude: a set of beliefs or a way of
    thinking that determine somebody’s behavior and outlook

This might be simplified by saying, “the way you think”. So how do you make yourself think in a way that is security focused?

Mild tangent: it's true that good cops think like criminals. By this logic, who do good security professionals think like? Like hackers? Like information gatherers, similar to China? This is not good enough. A security professional should be a paragon of security; a cop should think like the criminal, and like the victim, and like the landlord of the apartment being robbed, and so on. Simply put, every angle should be covered.

One such person is Bruce Schneier. On the page
http://www.schneier.com/blog/archives/2008/03/the_security_mi_1.html
where Schneier talks about his views on security, he makes statements that might be out of the normal range of statements for a non-security pro, such as "What's really interesting is that these people will send a tube of live ants to anyone you tell them to." (talking about a company that does just that). There is always a weakness, something exploitable. Is the security mindset about finding weaknesses, like a therapist's arch-nemesis?

A security mindset can always use improvement. How do you create a security mindset? Security pros will look at how something can be broken. So are people with this method of thinking applying it to everything they do? Or is there a "security mode" that is turned on when something that has a weakness appears?

Surely, everyone will have their own approach to security. So what is security to you? I think security is an understanding in full, including its shadow (what is and what isn't). It is about repairing or using weaknesses. Imagine new ways to look at a problem, different resources to exploit, and you will be closer to finding a better solution. Understanding the way other people think of security will allow you to be a better security guy or gal. But what really is security, and its 'mindset'?

Cyber Security Insurance-Related Industry

The introduction to Bruce Schneier's book Secrets & Lies alluded to an industry that will be booming in the upcoming years: insurance-company-driven cyber security providers.

Mr. Schneier pointed out that many companies and organizations don't invest enough money and effort into protecting their digital data. Making sure that data is safe from potential attack or theft is a new concept to non-tech-savvy business leaders, and one that isn't at the top of many companies' priority lists. Unfortunately, attacks are becoming more widespread and more complex, so the likelihood that a business will be attacked increases daily. To offset the threat and the possible losses incurred from an attack, some business owners are turning to insurance policies.

Mr. Schneier feels that as more business owners turn to cyber insurance policies, the insurance industry will push for cyber security providers to supply better services (to better protect business owners). The demand for services will increase, and so will the need for some sort of industry standards for cyber security providers. Looking forward from Mr. Schneier's viewpoint, one can see a new service industry springing up to provide the standardized, strong cyber security services that insurance company requirements will call for.

A similar "cottage industry" boom occurred in the late 1990s as companies rushed to prepare their computer systems for Y2K, but that was a temporary surge in demand. Conversely, cyber crime and attacks will only increase as global economies suffer and people become more desperate to find alternative sources of income. To see how important it is, just look at the Information Security and Forensics program that is growing in popularity here at RIT. The emergence of the cyber insurance industry will increase the need for more highly trained professionals, and should lead to plenty of long-term employment opportunities for people with the right skill set.

So, in class we've been talking about privacy, and how it no longer exists on the internet. Most of us use Facebook on the internet, correct? Well, how many of you have used any of the apps on Facebook? Did you know that those apps have access to everything on your Facebook: friends, pictures, information you post on Facebook, like the town you live in, your relationship status, etc.?

We watched a video in class about the Facebook stalker. It was kind of a spoof; what if it actually happened? Does your Facebook have the least amount of information on it about you?

This Facebook app shows exactly what would happen if someone were looking at your Facebook, or in fact gained access to it:
http://www.takethislollipop.com/
It is a really scary application that makes you, as a Facebook user, re-think everything you put on Facebook, or any social media website for that matter.

The fact that our generation doesn't view anything as private anymore is really scary. People put their address on Facebook and then don't set their privacy settings so that only friends can see their information. But really, what is the definition of 'Friend' on Facebook? Is it someone for whom you just clicked a button and suddenly you have access to their page of pictures and their wall? Or is it someone you'd trust to save your life if it had to be done?

Basically, in this day and age, the stuff you can find on the internet is so much different from the stuff you had to actually look up in books years ago. The internet has made it so much easier to get information at your fingertips. Do you trust the people with your information not to abuse it?

Cloud storage and the new realities for IT departments

IT departments love control, and for good reason. Security is a major concern for large corporations with thousands of employees, but even a small business like your local bakery also wants to be protected from cyber crime.

The challenge is that a lot of people are switching to a new breed of web applications, like Dropbox and box.net, which are very easy to use. Employees already use these tools at home in their everyday lives and they love them, so why not at work?

The problem is security and the lack of control over these applications. IT departments need the ability to tackle issues and attacks in real time, and depending on a service such as Dropbox might not be their ideal solution.

Dropbox and other services have noticed the trend and started offering business packages and more control for teams.

To me, the main thing to understand here is the power of good design and development. People use applications like Dropbox because they are so easy to use, and there are no crazy setup preferences that make you call a younger son or daughter to teach you how to do something.


Government requests to Google for information on users have spiked.


The number of requests from the government to Google for information on its users has increased by 29% in the last 6 months. Google is one of the few companies that release these kinds of statistics to the public. The reason they give for doing this is that they want to raise awareness about the ECPA.

The ECPA is the Electronic Communications Privacy Act, and it was enacted 25 years ago. It was meant to provide people with protection and privacy against government intrusion, but it hasn't been updated since it was made to reflect new advances in technology. Because of this, people are still massively vulnerable to government intrusion: the government can get access to users' online information without having to go through a judge's approval, as it would need to for a warrant. Google is just one of many high-tech companies that have formed the Digital Due Process coalition to advocate reform.

This isn't the first time Google has attempted to rock the boat over government monitoring. Most of you probably remember back when Google refused to censor search results in China. Their refusal of this demand caused them to close up shop in much of China. On the other hand, companies like Yahoo have no trouble with censoring, or even monitoring and giving up information on political dissidents.

http://www.digitaldueprocess.org/index.cfm?objectid=37940370-2551-11DF-8E02000C296BA163

http://m.wired.com/threatlevel/2011/10/google-data-requests/

Hackers 101

I came across this article on the "How Stuff Works" website. It has a lot to do with many of the things we talked about in class. It doesn't go a lot more in depth, but it still ties things together nicely for anyone who could use a simple, smooth overview.

It does go into more detail about hackers themselves, however: history, culture, motivation and things like that. It even has a part about the problems hackers have with the law… or, perhaps more accurately, the problems the law has with them.

The reasons I included the article, however, were the videos, which were good to watch, the links to various hacker websites, and even a simple short quiz at the end regarding computer security. For those of you more advanced about hackers and computer security, the article might seem simplistic, but the links were somewhat interesting, including one called "Could hackers devastate the U.S. economy?"; if you are like me you will end up clicking on links till you look at the clock and realize you need to get to bed.

For those of you who could use a quick overview of many of the things we've covered in class, there are links at the end that you might find helpful about things like phishing, types of viruses and encryption.

I hope some of you find this helpful.

http://computer.howstuffworks.com/hacker.htm

Steps to take after the hack

I was reading an article recently on securityweek.com that listed some steps that should be taken from the viewpoint of a systems administrator. Considering how many people in the class wish to pursue that particular career, I decided to write about it. The first step, which could very well be the most important, is to make a call to IT and tell them "Do not shut down the system." I know that the first thing to come to someone's mind would usually be to shut it all down to stop the attack; however, if you do that, then there is no way you can trace the hacker or find out what it was they were trying to steal from the company you work for. So I know it may be tempting, but do not disconnect.

The next step is to gather as much information as possible about the attack and the hacker. You should find out things from all the departments and examine all possibilities. Some of the questions you should be asking yourself while gathering this information include: How large is the problem? Is it one computer, or the entire network, or somewhere in between? Has IT noted any peculiar employee behavior? Are any logs suggesting suspicious behavior? Any employees dismissed recently? What was hacked? What was not hacked? Does it appear that the data was not touched, or was the data stolen but left intact to look like it was not breached? Is the breach open? Is it spreading, and from where?

The next step would be to call in some extra help. The best person to get hold of would be the closest "white hat" that you can find. These people know the tricks, and probably more than whoever broke into your network. It is their job, 24 hours a day, to know the latest and to be experts in cutting-edge technology. They will be able to help you find anything that you may have missed.

The final step you should take is to think about what your response should be in terms of reporting what happened to the company. You should think long and hard, depending on the seriousness of the situation, about whether or not to let your customers know what happened. If the attack was very serious and important information, like credit card numbers, was compromised, the company should probably report it to the customers and try to ease their minds. Nothing wreaks havoc on the mind like knowing your credit card number is "out there" somewhere, in the hands of a shady character. One way you could help ease the person is by giving them a phone number to call that can help rebuild their credit and flag unauthorized use of their credit cards. A company's reputation, if founded on how customers are treated, will help soften the blow that may come to the company's established reputation.
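The second step above turns on two questions the logs can answer: are they suggesting suspicious behavior, and is it one computer or the whole network? The Python below is an added example, not code from the post or from the securityweek.com article it summarises. It reads authentication log lines that were already collected (so nothing is shut down or disconnected, in keeping with the first step) and flags a burst of failed logins followed by a success from the same source, plus any login by an account on a list of recently dismissed employees; it then pulls every host that an implicated source touched into the scope. The log format, host names and addresses are constructed for the example.

```python
"""Triage constructed auth-log lines to size an intrusion.

Added example, not from the post or the securityweek.com article it
summarises. It works only on logs already collected and answers two of
the post's questions: are the logs suggesting suspicious behaviour, and
is it one computer or more than one. Log format and addresses are
constructed (RFC 5737 documentation ranges, fictitious host names).
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) src=(?P<src>\S+) "
    r"user=(?P<user>\S+) event=(?P<event>\S+)$"
)

# Constructed sample log: one guessing burst that succeeds on web1, a
# login by a dismissed employee on fileserv, normal activity on db1, and
# the same attacking source knocking (unsuccessfully) on web2.
SAMPLE_LOG = """\
2011-11-07T02:11:04 host=web1 src=198.51.100.7 user=admin event=login_failed
2011-11-07T02:11:09 host=web1 src=198.51.100.7 user=admin event=login_failed
2011-11-07T02:11:15 host=web1 src=198.51.100.7 user=admin event=login_failed
2011-11-07T02:11:21 host=web1 src=198.51.100.7 user=admin event=login_failed
2011-11-07T02:11:33 host=web1 src=198.51.100.7 user=admin event=login_failed
2011-11-07T02:11:40 host=web1 src=198.51.100.7 user=admin event=login_ok
2011-11-07T09:15:22 host=fileserv src=192.0.2.44 user=jsmith event=login_ok
2011-11-07T09:30:00 host=db1 src=192.0.2.10 user=dba event=login_ok
2011-11-07T10:02:13 host=web2 src=198.51.100.7 user=root event=login_failed
2011-11-07T10:02:20 host=web2 src=198.51.100.7 user=root event=login_failed
"""


def parse(lines):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in lines:
        match = LINE_RE.match(line.strip())
        if match:
            yield match.groupdict()


def triage(lines, disabled_users=frozenset(), threshold=5):
    """Return findings, implicated source addresses and the hosts in scope.

    At least `threshold` failed logins followed by a success, from the same
    source for the same account on the same host, is treated as a successful
    password-guessing attack. Any host that an implicated source touched is
    pulled into scope even where its attempts there failed: that is the
    'is it spreading, and from where' question.
    """
    findings = []
    failures = defaultdict(int)      # (host, src, user) -> failures so far
    hosts_by_src = defaultdict(set)  # src -> hosts it was seen on
    for rec in parse(lines):
        key = (rec["host"], rec["src"], rec["user"])
        hosts_by_src[rec["src"]].add(rec["host"])
        if rec["event"] == "login_failed":
            failures[key] += 1
        elif rec["event"] == "login_ok":
            if failures[key] >= threshold:
                findings.append({"kind": "brute_force_success", **rec})
            failures[key] = 0
            if rec["user"] in disabled_users:
                findings.append({"kind": "disabled_account_login", **rec})
    implicated = {f["src"] for f in findings if f["kind"] == "brute_force_success"}
    affected = {f["host"] for f in findings}
    for src in implicated:
        affected |= hosts_by_src[src]
    return {
        "findings": findings,
        "implicated_sources": sorted(implicated),
        "hosts_affected": sorted(affected),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG.splitlines(), disabled_users={"jsmith"})
    for f in report["findings"]:
        print(f"{f['ts']} {f['host']}: {f['kind']} user={f['user']} src={f['src']}")
    print("hosts in scope:", ", ".join(report["hosts_affected"]))
```

On the sample data the scope comes out as three hosts, not the one where the break-in succeeded: web2 is included only because the implicated address was seen there, which is exactly the kind of lead that gets lost if the first machine is powered off before the logs are read.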