This is my last post for this class. Has it really been 10 weeks already??? When did THAT happen!?
I think I will continue on with the DEFCON theme. One of the speakers during DEFCON 101 said something that has stuck in my head. They stated that geeks are typically anti-social and there is high demand for a geek that speak to both management and the techies but they are rare. A person in cybersecurity must be able to communicate. This class has reminded me of that a lot. It is hard to do when you are assuming your audience knows what you are talking about (in this case they did), but you have to take it from the perspective that your audience doesn't.
TOPIC CHANGE (sorry Coach!):
I have also taken XML this semester. While this isn't part of my degree, it was interesting that it did apply. While at DEFCON, I talked to a fellow attendee about XML. He was a pen-tester and told me that when a client tells him they want him to pen-test their XML, he begins to salivate. How funny.
I found out later why. I took in a talk called, "We've Got You By The Gadgets." The talk was about Microsoft Gadgets, but it was mentioned it could apply to apps that we all use on our smart phones and tablets because they are similar concepts. Here is what I wrote for my XML class:
Gadget and apps are very simple programs. They are not complicated at
all. Any web application language can be used to write them and any web
application language can be used to alter existing ones or create
malicious ones. Software like SilverLight makes it all the more easier
to create gadgets and apps, particularly malicious ones.
The
first problem with gadgets and apps is the lack of code signing. Code
signing confirms who the software designer is that guarantees that the
code has not been altered or corrupted. This causes a Microsoft prompt
to come up and display the security warning, "Are you sure you want to
install this...?" The problem is, people will say yes because they do
not see apps or gadgets as software or code, inviting the attacker into
their technology through something that looks deceptively innocent.
Here was an interesting statement regarding gadgets:
"Some
of the things you are actually able to do from a gadget. I can do
anything I want with a gadget. I can execute a code. You can execute
URLs. If you didn't want to carry something with you in the HTML that
you're downloading with the gadget, you can get more. If you want to
change what you downloaded, you can do that too. If you want to update,
no problem. You want to create files with arbitrary content binary or
otherwise on the system, we can do that. You want to be able to read
files, anything the user has permission to you're good for. If you want
to get passed that permission, obviously you can just raise the UAC
prompt and do so. You can make your computer speak."
A demo was
done using a Nyan Cat gadget turned into a proof of concept (POC)
attack. It accessed the gmail account of the user and created a list of
contacts for the attacker to spam. This malicious code was only 16
lines. The key is that it has all of the access it needs to all of your
cookies and all the information in your browser. This means it also has
all your proxy configurations, it can manipulate anything else it wants
on the system.
Gadgets can also remap network drives, delete
mapped network drives, handle mapped network drives, and add mapped
network drives. Everything that Windows supports, it can do.
Gadgets are just code and are typically written by people who not have a bunch of experience writing code.
Also
discussed was the ASN1 bug which was an underlying parsing protocol the
US government defined and offered a reference implementation of it that
nobody bothered to use as a reference. It was used in satellites, ISDN
There was a flaw that showed up everywhere because of the shared code
problem.
Because of the lack of SSL used in gadgets and apps, it
makes it hard to reference the original code of the original app/gadget.
Anyone can "update" the gadget and turn it malicious without the user
being aware of it. Once the update is complete, the gadget is forever
altered. You think you are getting a cool gadget that does one thing,
when it reality, you are getting something completely different.
The
next demo they did was a man-in-the-middle attack. A piano
gadget was used and it was taken from the Microsoft gallery with no
modifications to it. When they put the piano on the Desktop it said
this, "Hello, this is your computer. I am tired of the way you have been
treating me. I am going to self-destruct in 5 seconds! Good-bye." That
was three lines of code for the gadget to yell at you and do a
man-in-the-middle attack.
In the end they offered these tips:
1. Don't take candy from strangers
and
2.
Write your applications properly! Your parser may approve of your code,
but you could inadvertently be writing a damaging code that can create
problems later.
Applications are similar to gadgets. Keep that in mind when you see the next popular app headed your way.
Friday, August 10, 2012
Sunday, August 5, 2012
Week 9 - CYBR 650
This week has been pretty exciting. I ended up in the ER and the ER doctor diagnosed me with "DEFCON" back! LOL After some percocet and rest, I can finally stand up. What I was told, however is that as a geek, it is easy to get absorbed with our machines. WALK periodically because sitting for a long period of time puts stress on the lumbar region on your back. While it may not seem like you have done anything to injure your back, not walking around will actually injure it. Speaking of which, I better get up and walk really quick!
*******
This week I have to write about what I experienced in doing my Action Plan. Playing with a new template, I was limited in what data I could add. I also forget to consider things such as controls and threat risk condition (high, medium, low). This is frustrating because it is not something that I do on a day-to-day basis. That and my brain is still in overload from all the information I got at DEFCON.
This is going to be a short blog due to my drugged up status, but I wanted to let everyone know the Cybersecurity Act of 2012 did NOT pass! However it only failed in a 52-46 vote.
This concerns me. In order for the Act to pass, it needed 60 votes. 8 more votes and it would have succeeded. Unlike the PIPA and SOPA, the Cybersecurity Act of 2012 was not as widely protested by the Internet community. It was, in essence, PIPA 2.0 and yet there was no uproar protesting this Act like the other two.
With only 8 votes away, we can be sure Congress will attempt to pass something similar soon. If the Internet community does not speak up, it will not be hard to make up those 8 votes and start passing legislation that will begin inhibiting our freedom of speech as well as our privacy.
*******
This week I have to write about what I experienced in doing my Action Plan. Playing with a new template, I was limited in what data I could add. I also forget to consider things such as controls and threat risk condition (high, medium, low). This is frustrating because it is not something that I do on a day-to-day basis. That and my brain is still in overload from all the information I got at DEFCON.
This is going to be a short blog due to my drugged up status, but I wanted to let everyone know the Cybersecurity Act of 2012 did NOT pass! However it only failed in a 52-46 vote.
This concerns me. In order for the Act to pass, it needed 60 votes. 8 more votes and it would have succeeded. Unlike the PIPA and SOPA, the Cybersecurity Act of 2012 was not as widely protested by the Internet community. It was, in essence, PIPA 2.0 and yet there was no uproar protesting this Act like the other two.
With only 8 votes away, we can be sure Congress will attempt to pass something similar soon. If the Internet community does not speak up, it will not be hard to make up those 8 votes and start passing legislation that will begin inhibiting our freedom of speech as well as our privacy.
Tuesday, July 31, 2012
CYBR 650 - DEFCON 20 - Fundamental Knowledge For Any Hacker
On Wed, I left for Las Vegas to see if I could match wits (not not my last name) with some real talent. I came upon some interesting realizations! First of all, they have this strange obsession with liquor and to be sober by the end of all the talk could end up in public humiliation (or some free booze so you can be as lit as they are????).
Second, do NOT trust anything that comes from Dark Tangent, LostBoy (aka 1o57), Tuna, and the goons (USB thumb drives were given to the virgins and malicious codes in their badges which would prevent the human badges from working properly)!!!
Third, as much as I know, there is a lot I do not know!
I have had to deal with the fact that I have to actually pick ONE talk because I can't make them all. This sucks, but I will be buying the DEFCON discs to make up for that, so look for that summary when I get those.
I can't really summarize what I have learned the last couple days, but there was a talk that really got my attention. It was given by 1o57. It was titled "Hacking the Hackers: How Firm is Your Foundation?"
It got me thinking and I began to realize that in order to be good in Cybersecurity, we need a solid foundation just like anything else. When he went through his talk, I began to realize that there was a lot I didn't know. I realized I was in the right place. I have an insatiable curiosity. Now I know where to fill in my gaps.
He starts with, "I"ve got some things that are just bugging me because there are some people that I talk to that just don't have the basic fundamental knowledge of things that we need in the hacker community."
I will admit, I am a n00b. For me, this was the perfect talk. What foundation do I need to not only be excellent in the Cybersecurity field, but to build upon in an ever changing world?
****WARNING: Some hyperlinks do go to Wikipedia. Do not tell Professor Karla Carter! She will punish me for torturing her little alien****
Here is 1o57's take on what the basic foundation is:
1. Binary - Everyone knows that binary is 1's and 0's but what does it mean? Also it is common knowledge that 1's and 0's have two states: on and off. 1o57 asked this question: "Who can do a 4-bit binary count up off in your heads, right now? It should be everybody in this room." I suddenly felt very lame. He explained further:
0+0 in binary is 0
0+1 in binary is 1
1+0 in binary is 1
1+1 in binary is 0 with a carry
If you don't have a solid fundamental understanding of binary, look it up. ***There is hope for me yet.***
2. Hex - "Everybody who is like the elite hacker now knows we write stuff in hex codes! Hex is cool!" Why do we use hex? It starts with the binary (the foundation of everything). Hex is the exhaustive use of 4-bits.
3. TOR
4. SHODAN - "Silence on the wire." You can look something up on SHODAN without ever having to touch the site and not giving your presence away.
5. Reverse engineering - Tools help in reverse engineering. A popular one is IDA Pro, but 1o57 recommends Visisect created by InvisiGoth (aka Ken Shoto).
6. TCP/IP - Have a fundamental understanding of what it is. If you are going to do network security based stuff, you should have that foundational knowledge.
7. Assembly - Learning the fundamental language of the architectures we are dealing with.
8. Scripting language - Python, Perl, JavaScript, Lua, Ruby (makes 1o57 shudder, 1o57 does not like Ruby )
9. Get a little exposure to C/C++ - Kernighan & Ritchie wrote the book on C back in the day and should be in every IT/security person's library.
10. Basic crypto properties - Know what the basic algorithms are, basic encryption schemes, how to get a basic GPG or PGP key.
11. Wireshark - If you don't have that fundamental knowledge of TCP/IP, you won't know what you are looking at.
12. NESSUS- A tool that is being used for compliance. According 1o57 though, it means nothing these days. To run a NESSUS scan on a system and say it is protected is snake oil (the opinion of 1o57). Security is a never ending cycle and continually evolving.
13. Metasploit - An attack framework for pen-testing
14. VMs - These can be used to create multiple machines in one computer to test the "mad hacking" skills the hacking community has. Virtual machines other uses too. :-)
15. Backtrack - A pre-compiled Linux distribution. You can run all your fun, basic tools built into it
16. Command Lines - These are timesavers. Pull down menus are inefficient. If you learn 15 of the most common commands in whatever software you use regularly, you get an hour back. Don't be slaves to the GUI. Also using "man pages" (manual pages) are for looking up instructions for different systems, primarily LINUX and UNIX.
17. SSH - If you use IRC, you should be using an SSH tunnel. If you don't, learn how!
18. PuTTY - PuTTY is used in a Windows box. If you log into Firezilla, what are you credentials encrypted with? Nothing. This adds a little bit of security.
19. Great open source tools - GIMP, Inkscape. These are great for graphic manipulations.
20. How DNS works and how it is fundamentally broken. There are protocols and systems that are in place that have been in use since the early days of the ARPANET that we keep putting spackle and duct tape on and continue to force them down people's throats. "DNS is fundamentally broken." We've blindly adhered to some protocols that need to be reworked because they were not designed with security in mind from the start.
21. If you are going to tinker in hardware based stuff, stay away from Radio Shack. Digikey, Jameco, Mouser, Sparkfun are much cheaper!!!!
22. Schematic Capture - Still on the hardware kick. Taking your circuit and putting in software to make it produce.
23. FPGA - This is going to change a lot of stuff. It allows software to change an electronic component (over simplified) It is the concept that was used for the DEFCON 20 badge. Once the VGA and PS/2 connectors were soldered onto the badges, it would allow a Commodore 64 emulator to run on the badge.
24. Eagle - A circuit designed software. Students can get a free version of this.
25. FREE STUFF!!! Ladyada put together on her page a place where you can pick up sample parts and free stuff from various companies. If you order a part, don't be stupid! Order a couple! If you have an .edu address, they love sending stuff to you.
26. Learn how to use an oscilloscope and digital multimeters.
27. Forrest Mims' "Getting Started In Electronics"
28. Stupid Code Tricks - Things like bit shifting (there's that binary code again) to make a multiplier divide very fast. Swapping two variables with no scratch spaced used: XOR three times. Makes code processing more efficient. Don't be intellectually lazy with how you write code.
29. Hacking servos! A servo is a DC motor with some kind of sensing technology in it to control position.
30. Social Engineering
31. Learn to communicate. Learn to communicate with as many people and things as possible. It makes for a better life.
30. Be a hacker. Go outside the box. Do not remain in the bubble that people want to put us in either due to societal definitions (hackers are criminals) or because of the potential to violate privacy (they are going to put it on Facebook anyways!). Follow your intellectual curiosity.
Second, do NOT trust anything that comes from Dark Tangent, LostBoy (aka 1o57), Tuna, and the goons (USB thumb drives were given to the virgins and malicious codes in their badges which would prevent the human badges from working properly)!!!
Third, as much as I know, there is a lot I do not know!
I have had to deal with the fact that I have to actually pick ONE talk because I can't make them all. This sucks, but I will be buying the DEFCON discs to make up for that, so look for that summary when I get those.
I can't really summarize what I have learned the last couple days, but there was a talk that really got my attention. It was given by 1o57. It was titled "Hacking the Hackers: How Firm is Your Foundation?"
It got me thinking and I began to realize that in order to be good in Cybersecurity, we need a solid foundation just like anything else. When he went through his talk, I began to realize that there was a lot I didn't know. I realized I was in the right place. I have an insatiable curiosity. Now I know where to fill in my gaps.
He starts with, "I"ve got some things that are just bugging me because there are some people that I talk to that just don't have the basic fundamental knowledge of things that we need in the hacker community."
I will admit, I am a n00b. For me, this was the perfect talk. What foundation do I need to not only be excellent in the Cybersecurity field, but to build upon in an ever changing world?
****WARNING: Some hyperlinks do go to Wikipedia. Do not tell Professor Karla Carter! She will punish me for torturing her little alien****
Here is 1o57's take on what the basic foundation is:
1. Binary - Everyone knows that binary is 1's and 0's but what does it mean? Also it is common knowledge that 1's and 0's have two states: on and off. 1o57 asked this question: "Who can do a 4-bit binary count up off in your heads, right now? It should be everybody in this room." I suddenly felt very lame. He explained further:
0+0 in binary is 0
0+1 in binary is 1
1+0 in binary is 1
1+1 in binary is 0 with a carry
If you don't have a solid fundamental understanding of binary, look it up. ***There is hope for me yet.***
2. Hex - "Everybody who is like the elite hacker now knows we write stuff in hex codes! Hex is cool!" Why do we use hex? It starts with the binary (the foundation of everything). Hex is the exhaustive use of 4-bits.
3. TOR
4. SHODAN - "Silence on the wire." You can look something up on SHODAN without ever having to touch the site and not giving your presence away.
5. Reverse engineering - Tools help in reverse engineering. A popular one is IDA Pro, but 1o57 recommends Visisect created by InvisiGoth (aka Ken Shoto).
6. TCP/IP - Have a fundamental understanding of what it is. If you are going to do network security based stuff, you should have that foundational knowledge.
7. Assembly - Learning the fundamental language of the architectures we are dealing with.
8. Scripting language - Python, Perl, JavaScript, Lua, Ruby (makes 1o57 shudder, 1o57 does not like Ruby )
9. Get a little exposure to C/C++ - Kernighan & Ritchie wrote the book on C back in the day and should be in every IT/security person's library.
10. Basic crypto properties - Know what the basic algorithms are, basic encryption schemes, how to get a basic GPG or PGP key.
11. Wireshark - If you don't have that fundamental knowledge of TCP/IP, you won't know what you are looking at.
12. NESSUS- A tool that is being used for compliance. According 1o57 though, it means nothing these days. To run a NESSUS scan on a system and say it is protected is snake oil (the opinion of 1o57). Security is a never ending cycle and continually evolving.
13. Metasploit - An attack framework for pen-testing
14. VMs - These can be used to create multiple machines in one computer to test the "mad hacking" skills the hacking community has. Virtual machines other uses too. :-)
15. Backtrack - A pre-compiled Linux distribution. You can run all your fun, basic tools built into it
16. Command Lines - These are timesavers. Pull down menus are inefficient. If you learn 15 of the most common commands in whatever software you use regularly, you get an hour back. Don't be slaves to the GUI. Also using "man pages" (manual pages) are for looking up instructions for different systems, primarily LINUX and UNIX.
17. SSH - If you use IRC, you should be using an SSH tunnel. If you don't, learn how!
18. PuTTY - PuTTY is used in a Windows box. If you log into Firezilla, what are you credentials encrypted with? Nothing. This adds a little bit of security.
19. Great open source tools - GIMP, Inkscape. These are great for graphic manipulations.
20. How DNS works and how it is fundamentally broken. There are protocols and systems that are in place that have been in use since the early days of the ARPANET that we keep putting spackle and duct tape on and continue to force them down people's throats. "DNS is fundamentally broken." We've blindly adhered to some protocols that need to be reworked because they were not designed with security in mind from the start.
21. If you are going to tinker in hardware based stuff, stay away from Radio Shack. Digikey, Jameco, Mouser, Sparkfun are much cheaper!!!!
22. Schematic Capture - Still on the hardware kick. Taking your circuit and putting in software to make it produce.
23. FPGA - This is going to change a lot of stuff. It allows software to change an electronic component (over simplified) It is the concept that was used for the DEFCON 20 badge. Once the VGA and PS/2 connectors were soldered onto the badges, it would allow a Commodore 64 emulator to run on the badge.
24. Eagle - A circuit designed software. Students can get a free version of this.
25. FREE STUFF!!! Ladyada put together on her page a place where you can pick up sample parts and free stuff from various companies. If you order a part, don't be stupid! Order a couple! If you have an .edu address, they love sending stuff to you.
26. Learn how to use an oscilloscope and digital multimeters.
27. Forrest Mims' "Getting Started In Electronics"
28. Stupid Code Tricks - Things like bit shifting (there's that binary code again) to make a multiplier divide very fast. Swapping two variables with no scratch spaced used: XOR three times. Makes code processing more efficient. Don't be intellectually lazy with how you write code.
29. Hacking servos! A servo is a DC motor with some kind of sensing technology in it to control position.
30. Social Engineering
31. Learn to communicate. Learn to communicate with as many people and things as possible. It makes for a better life.
30. Be a hacker. Go outside the box. Do not remain in the bubble that people want to put us in either due to societal definitions (hackers are criminals) or because of the potential to violate privacy (they are going to put it on Facebook anyways!). Follow your intellectual curiosity.
Tuesday, July 24, 2012
Week 8 - CYBR 650
This week, I am to talk about action plans and what problems I encountered while doing them.
OK, I admit it. I cheated. I found the PERFECT action plan layout and downloaded it.
Taking business courses before computer classes helped me understand the importance of "scanability." It also taught me the importance of making sure your audience can understand what you are reading.
Throughout this whole process, I am applying a lot of theory. It's tough to do a process model and a threat analysis when the information is still just a concept in my head. I have had the chance to discuss this stuff with a person who is a professional in the cybersecurity field and he was more than happy to tell me where I was weak in some of my understandings.
With the ability to use the template, it made it easier for me to "itemize" what actions need to be taken. Add that it is easily scannable for any management personnel made it ideal. The hard part is thinking of everything and giving everything a priority. How do you decide what goes first? How do determine which threat is the one that is most likely to happen?
The scenario Harry & Mae's scenario in which we are working with has a huge amount of security "no-nos."
For instance, the default password is not required to be reset, passwords are allowed to be easy and are not required to be changed.
They have a Spam/Anti-virus firewall hardware that they do not subscribe to and so the signature files are all out-of-date.
They did not configure their firewall and their wireless access points allow connectivity from anybody as well as all traffic going in and out.
And these are just a few of the scenarios we were given to analyze. When looking at that, I found it hard to determine which one was of the highest priority. All leave the company's system vulnerable to anyone and any hacker would have easy access to their customers' information, even a script kiddie!
Another hard time I had was determine a "time frame." Since I have not done these things in real life (except for my own home network), it is hard to figure out how long it would take. When I fix friends' computers, I find that sometimes an easy job ends up taking longer than expected. So, I am apparently not experienced enough to gauge time estimates for any job. Of course, I tend to find Murphy's Law pops up at the most inconvenient time. This sometimes extends when the job will be done.
While I have been focusing on my A+ certification, I begin to realize that I need to focus on my Security+ certification. This will help me get my foot in the door so I can actually see how all this works.
What has made all this easier is "Coach" and my classmates. I couldn't have made it this far without them!
OK, I admit it. I cheated. I found the PERFECT action plan layout and downloaded it.
Taking business courses before computer classes helped me understand the importance of "scanability." It also taught me the importance of making sure your audience can understand what you are reading.
Throughout this whole process, I am applying a lot of theory. It's tough to do a process model and a threat analysis when the information is still just a concept in my head. I have had the chance to discuss this stuff with a person who is a professional in the cybersecurity field and he was more than happy to tell me where I was weak in some of my understandings.
With the ability to use the template, it made it easier for me to "itemize" what actions need to be taken. Add that it is easily scannable for any management personnel made it ideal. The hard part is thinking of everything and giving everything a priority. How do you decide what goes first? How do determine which threat is the one that is most likely to happen?
The scenario Harry & Mae's scenario in which we are working with has a huge amount of security "no-nos."
For instance, the default password is not required to be reset, passwords are allowed to be easy and are not required to be changed.
They have a Spam/Anti-virus firewall hardware that they do not subscribe to and so the signature files are all out-of-date.
They did not configure their firewall and their wireless access points allow connectivity from anybody as well as all traffic going in and out.
And these are just a few of the scenarios we were given to analyze. When looking at that, I found it hard to determine which one was of the highest priority. All leave the company's system vulnerable to anyone and any hacker would have easy access to their customers' information, even a script kiddie!
Another hard time I had was determine a "time frame." Since I have not done these things in real life (except for my own home network), it is hard to figure out how long it would take. When I fix friends' computers, I find that sometimes an easy job ends up taking longer than expected. So, I am apparently not experienced enough to gauge time estimates for any job. Of course, I tend to find Murphy's Law pops up at the most inconvenient time. This sometimes extends when the job will be done.
While I have been focusing on my A+ certification, I begin to realize that I need to focus on my Security+ certification. This will help me get my foot in the door so I can actually see how all this works.
What has made all this easier is "Coach" and my classmates. I couldn't have made it this far without them!
Thursday, July 19, 2012
Week 7 - CYBR 650
Why do I have this nagging feeling it should be Week 8???? Ugh, I am going to need a vacation! I guess this is what happens when you have a one day break between two semesters.
This week's topic:
You might post about your experiences with the assignments, or perhaps observations from fellow students. Alternatively, this week you can consider technical aspects of cybersecurity. What tools or technologies are beneficial for Cybersecurity Professionals.
I am hoping "Coach" will allow me to post on the tools and technologies next week as that will be when I return from DEFCON 20 and I should have a ton of information to post on here.
This post actually comes from a discovery I made in my other class which is XML. This week, for discussion, the professor gave us the freedom to post on whatever we wanted regarding XML. Since my major is Cybersecurity and not Web Application Design, I started a discussion regarding the security of XML. I needed to get into a topic I was a bit more comfortable in.
I will copy and paste my original post for the class and then give you my thoughts afterwards:
For those who don't know, I am actually getting my Master's in Cybersecurity. The class I needed was not offered this semester, so I thought I would take this course. It has been a struggle as I thought this would be a course I could easily understand, but I am finding out that this has been one of my harder classes (that and with all the summer activities, finding time to get my assignments in on time is a bear!). What caught my interest though was XML is web applications. You read on the news all the time about Yahoo! being hacked and user names and passwords being stolen by SQL injection. I took this course to see that side of hacking. While it is not SQL injection, XML still must be secured.
In going through the tutorials, there is a lot of data that can be accessed through XML. We have already done real estate, sales, and in some cases, personal information that you really do not want online. This piqued my interest. How secure is XML anyways?
I found two interesting articles for securing XML web applications. One is dated for 2004. Being frustrated that most of my hits were so old, I narrowed my Google search to the last year and actually found one written 14 June 2012!!!! Yay me!
The first article is Ten Guidelines For Deploying Secure XML Web Services.
Now, it would appear to me that this is mostly for web services that utilize XML. Sometimes I'm not the brightest person in the world, so feel free to thwap me with a large trout and correct me. XML is being used though and while sites like mine may not say "XHTML", they do use XML tools such as CSS. In this article, you read that it is important to validate the XML messages using XML Schema Definitions (XSD) and use XSLT to transform XML messages. When reading that, I thought, "HEY! I'm learning about that now!"
The second article is by IBM: Securing Web Services For Version 5.x Applications Using XML Encryption
This is actually the second time I saw XML encryption in an article. The one above briefly mentions it, but this one goes into it more in depth. In fact, the article states:
"WebSphere Application Server provides several different methods to secure your Web services. XML encryption is one of these methods. You can secure your Web services using any of the following methods:
- XML digital signature
- XML encryption
- Basicauth authentication
- Identity assertion authentication
- Signature authentication
It is probably safe to say that most of you are majoring in some sort of web management degree. While there is no such thing as true security, there are means to make it more difficult for someone like me to get into your stuff. The digital world makes it easier and easier to commit crimes from long distances. Information is currency which is why ID theft is on the rise.
- Pluggable token"
In looking at the text, I did not find anything on XML encryption. Perhaps it is because it is done very similarly to encrypting other files and e-mails the same way. The receiver must have the sender's key in order to decrypt the message/file.
Finally, just to give you something to think about, our favorite website www.w3.org has an article "XML Hacking is Fun!" I'm going to DEFCON next week. Guess what I am going to play with??? ;-)It has spurred on an interesting discussion in the class. This discussion caused me to realize that there are many systems and codes that we need to secure and we may not know about. Had I not taken XML, it never would have crossed my mind that it existed or could be breached. It just goes to show exactly how much information there is out there and how much I don't know. But knowing what I don't know is a beginning to knowing.
Thursday, July 12, 2012
Week 6 CYBR 650
I just checked the assignments and there is nothing to really focus on, except that "Coach" says I'm all over the place! LOL Which, if he was to meet me IRL (in real life), he would think I was a gerbil on cocaine. The thing I love about blogs is that I write what is on my mind and so, when you see me jump all over the place, that's how my mind works. Of course, it could be the ADHD... Ok..so, now I must FOCUS...
In continuation of the story regarding the paranoid person, I have learned a lot about personal security myself. I am learning how to use my own security software and in-turn, I go over and do it to theirs. I was in process of securing their cell phones when I was asked a question, "I did a factory reset on my phone and it wiped out the contacts, so why are all my contacts back and who are these people I do not know on my phone?"
This got me thinking. In order to purchase apps an Android phones, you must have a gmail account. Well, if you use that account for anything other than apps, gmail will save all the people you have contact with so if you need to write a new e-mail to them, the auto-fill pops up and makes it easy for you to write the person. It also occurred to me that when a contact is added, because gmail is synced to the cell phone, those contacts would be added to the phone.
I asked them some questions:
"Do you have a Facebook account?"
"Yes."
"Do you play the apps on those accounts?"
"Yes."
"Do the app games require you to add people to your friends list to advance?"
"Yes."
"Do you know the people you add?"
"Not all the time."
"Is Facebook updated through your phone?"
"Yes."
I realized the other source of their unknown contacts in their contact list on their phone. When you are connected to Facebook and it is connected to your phone, any friends you add will also be automatically sent to your phone.
Since Facebook is one of the least secure places on the web, this creates a security risk for anyone who applies the Facebook app to their cell phones. Even if your information is set to private, but only friends can see it, if you accept a stranger, this gives them access to your cell phone number, where you live, e-mail addresses, etc and gives them that opportunity to try and hack your accounts.
I advised them that as convenient as it is to view friends' updates on your cell phone, to not use the Facebook app on her phone. I also told them to change their gmail account to one they will not be using for e-mails. Meanwhile, their phone is rejecting the security software that I want to put on it because it is not an app. grrr.
It is truly amazing that something so simple can be so devious if care is not taken.
I used to think of Cybersecurity as a huge issue that was corporate/government level. This taught me that it is also in the home. And since the home can easily go to work, I came to realize that the risks spread from the home, to work, to school, etc where ever there is mobile technology and a fun app.
OK, well I'm off to get ready to go to Kids Kamp with my church. A cabin full of giggling girls, hairspray, curling irons, nail polish, and chocolate! They can have the hairspray, curling irons, and nail polish, but I can never pass up good chocolate!!!
In continuation of the story regarding the paranoid person, I have learned a lot about personal security myself. I am learning how to use my own security software and in-turn, I go over and do it to theirs. I was in process of securing their cell phones when I was asked a question, "I did a factory reset on my phone and it wiped out the contacts, so why are all my contacts back and who are these people I do not know on my phone?"
This got me thinking. In order to purchase apps an Android phones, you must have a gmail account. Well, if you use that account for anything other than apps, gmail will save all the people you have contact with so if you need to write a new e-mail to them, the auto-fill pops up and makes it easy for you to write the person. It also occurred to me that when a contact is added, because gmail is synced to the cell phone, those contacts would be added to the phone.
I asked them some questions:
"Do you have a Facebook account?"
"Yes."
"Do you play the apps on those accounts?"
"Yes."
"Do the app games require you to add people to your friends list to advance?"
"Yes."
"Do you know the people you add?"
"Not all the time."
"Is Facebook updated through your phone?"
"Yes."
I realized the other source of their unknown contacts in their contact list on their phone. When you are connected to Facebook and it is connected to your phone, any friends you add will also be automatically sent to your phone.
Since Facebook is one of the least secure places on the web, this creates a security risk for anyone who applies the Facebook app to their cell phones. Even if your information is set to private, but only friends can see it, if you accept a stranger, this gives them access to your cell phone number, where you live, e-mail addresses, etc and gives them that opportunity to try and hack your accounts.
I advised them that as convenient as it is to view friends' updates on your cell phone, to not use the Facebook app on her phone. I also told them to change their gmail account to one they will not be using for e-mails. Meanwhile, their phone is rejecting the security software that I want to put on it because it is not an app. grrr.
It is truly amazing that something so simple can be so devious if care is not taken.
I used to think of Cybersecurity as a huge issue that was corporate/government level. This taught me that it is also in the home. And since the home can easily go to work, I came to realize that the risks spread from the home, to work, to school, etc where ever there is mobile technology and a fun app.
OK, well I'm off to get ready to go to Kids Kamp with my church. A cabin full of giggling girls, hairspray, curling irons, nail polish, and chocolate! They can have the hairspray, curling irons, and nail polish, but I can never pass up good chocolate!!!
Saturday, July 7, 2012
Week 5 - CYBR 650
I was going through my Week 5 Assignments and found this:
Well, this has been an interesting week regarding fireworks.
On July 3, I had a candid conversation with a good friend. We were talking about the Cybersecurity Act of 2012 and the necessity of security. I was shocked at his response. He leaves the keys in his truck and his password is the same for ALL accounts. He states the rewards of convenience far outweighs the cost of loss. An interesting perspective to say the least. I asked about identity theft. He stated, "The banks cover that. If there is an unauthorized purchase, I tell them and they give me back my money. I lose nothing." I must say that while he is educated in security, he makes his choice freely and accepts the consequences of not living securely.
On the 4th of July, I got a call. My husband's friend called him and asked if I could come over. She bought a used computer from a private person and all of the sudden, things started acting weird. They bought a computer with keyloggers and remote access software. No biggie. Just format the c: and reinstall the OS.
As I was looking at their system at home, I noted that their WiFi router was wide open. I asked them if they were aware of other people using their Internet access. They responded that they did notice a bunch of people on their network and that their Netflix was always bogged down and buffering. Hmmmm...
So, I secured their router for them. There are some disappointed people who are no longer getting free Internet access I am sure.
During this process, I was getting frustrated. I am all for educating people in regards to cybersecurity, but I began to realize that you must be careful what you say and how you say it, otherwise you breed paranoia. In this case, by the time the discussion was done, it was suspected that all their technology was hacked. Is it possibly to be overly secure???
I have realized a long time ago that a majority of the regular population are very uneducated in regards to cybersecurity. They know to use antivirus software, they may know how to program their wireless router, but for the most part, they are oblivious to their other technological tools they use such as cell phones, tablets, and any other device that connects to the World Wide Web. Then, when you try to tell them, they either accept the risks of not securing their tech or they go to the other extreme of complete paranoia.
What is a cybersecurity expert supposed to do!?
As I continued my week, I heard news that the firework show in San Diego, normally called the Big Bay Boom, became the Big Bay Bust. In 15 seconds, three of the barges where the fireworks were at all went off at once. A computer glitch was blamed for the misfire:
Computer Glitch Blamed In San Diego Fireworks Boom That Went Bust
According to the story though:
Cybersecurity is more than just keeping hackers out and playing dodgeball with viruses and other malware. It is also avoiding costly mistakes that can hit a company's profit margins. In this case, it cost the pyrotechnic company thousands of dollars in fireworks, cost the audience an hour's worth of a show (it was reduced to 15 seconds), and ruined the reputation of two companies: the one that wrote the software and the one using the software.
I decided to check out this story because my husband told me about it and he stated that from what he understood, the firework show had been hacked. Whether it was or not, we will probably never know. After all, if news that a firework show can be hacked and ignited remotely were to get out, no good can come from it.
In other news, the FBI is warning the public that hundreds of thousands of people may lose Internet in July and Apple promises to fight the Flashback virus.
In the news regarding the FBI, Eric Storm stated:
I agree that there are cybersecurity issues and I agree that we do need to take measures to protect ourselves, our organizations, and our government. The problem with the above article is that as of 23 April 2012, when the article was written, there were 85,000 victims in America. That is a minuscule percentage compared to the millions that use computers and the Internet and yet, there appears the need to make this bigger than it really is.
Based on this week's experience, I began to realize how easy it is to get the masses to panic over certain things. When it comes to educating the layman, we need to use simple terms, be careful how to answer their questions so as to alleviate their fears, not create them, and help them to protect themselves.
On the other end of cybersecurity, I have found some wireless surveillance camera systems. Yesterday, my husband woke me up at 5 a.m. A brave thing to do considering I am pure evil before the sun comes up and especially when I am woken up. However, it was a serious issue. A total of three tires had been slashed on two cars. Since my husband has a work car, two of his tires were slashed by a knife and one of my van tires were slashed. Interesting technology there is in regards to physical security. When the cameras detect motion, they can be program to begin recording. They can even turn on lights to alert the vandals that they are being watched. Upon activation, an e-mail or text can be sent to alert the homeowner where the homeowner can watch the feed live.
Schnazzy!
Finally, in preparation for DEFCON 20, I bought myself a prepaid phone! BWA HA HA! You think I'm going to take my real phone to a hacker's convention!? What do you think I am? Insane!? I also have a computer that is completely scrubbed. Let the games begin.
Consider the following: Are these the actual sources you are using this week? Are there any additional sources you've discovered? Any that you decided would not be good to use? Post your findings to your blogI am so random that I use what I find interesting in all reality. Some of it is based on experience which is usually best when it comes to education. Others are based on something I heard on the radio or a pop-up while harassing people on my local paper's website. I never deem good sources bad. Just because I may not use them does not mean they are not valuable and any additional sources I find only adds to the information arsenal. When doing these blogs, I always find more sources. The good thing about this blog, is they are all in one place. I merely have to go through my posts and find the one I need. Should the sources I have conflict, it makes it easier to make a better decision as I am able to read the viewpoints from both sides, obtain more data and draw my own conclusions. It is one of the reasons I love this field. The intellectual stimulation is never ending and the opportunity to expand that knowledge is always fresh.
Well, this has been an interesting week regarding fireworks.
On July 3, I had a candid conversation with a good friend. We were talking about the Cybersecurity Act of 2012 and the necessity of security. I was shocked at his response. He leaves the keys in his truck and his password is the same for ALL accounts. He states the rewards of convenience far outweighs the cost of loss. An interesting perspective to say the least. I asked about identity theft. He stated, "The banks cover that. If there is an unauthorized purchase, I tell them and they give me back my money. I lose nothing." I must say that while he is educated in security, he makes his choice freely and accepts the consequences of not living securely.
On the 4th of July, I got a call. My husband's friend called him and asked if I could come over. She bought a used computer from a private person and all of the sudden, things started acting weird. They bought a computer with keyloggers and remote access software. No biggie. Just format the c: and reinstall the OS.
As I was looking at their system at home, I noted that their WiFi router was wide open. I asked them if they were aware of other people using their Internet access. They responded that they did notice a bunch of people on their network and that their Netflix was always bogged down and buffering. Hmmmm...
So, I secured their router for them. There are some disappointed people who are no longer getting free Internet access I am sure.
During this process, I was getting frustrated. I am all for educating people in regards to cybersecurity, but I began to realize that you must be careful what you say and how you say it, otherwise you breed paranoia. In this case, by the time the discussion was done, it was suspected that all their technology was hacked. Is it possibly to be overly secure???
I have realized a long time ago that a majority of the regular population are very uneducated in regards to cybersecurity. They know to use antivirus software, they may know how to program their wireless router, but for the most part, they are oblivious to their other technological tools they use such as cell phones, tablets, and any other device that connects to the World Wide Web. Then, when you try to tell them, they either accept the risks of not securing their tech or they go to the other extreme of complete paranoia.
What is a cybersecurity expert supposed to do!?
As I continued my week, I heard news that the firework show in San Diego, normally called the Big Bay Boom, became the Big Bay Bust. In 15 seconds, three of the barges where the fireworks were at all went off at once. A computer glitch was blamed for the misfire:
Computer Glitch Blamed In San Diego Fireworks Boom That Went Bust
According to the story though:
"Santore said the problem was not a malfunction of the pyrotechnics and it was not human error."An interesting reassurance. Considering the problem is being blamed on a glitch in the computer software used to sync the 5 barges. Since computer software is written by humans, it stands to reason that maybe it was human error. I am also taking a class in XML and I will tell you, one boo-boo will screw up my whole website. And it's not the computer's fault when that happens.
Cybersecurity is more than just keeping hackers out and playing dodgeball with viruses and other malware. It is also avoiding costly mistakes that can hit a company's profit margins. In this case, it cost the pyrotechnic company thousands of dollars in fireworks, cost the audience an hour's worth of a show (it was reduced to 15 seconds), and ruined the reputation of two companies: the one that wrote the software and the one using the software.
I decided to check out this story because my husband told me about it and he stated that from what he understood, the firework show had been hacked. Whether it was or not, we will probably never know. After all, if news that a firework show can be hacked and ignited remotely were to get out, no good can come from it.
In other news, the FBI is warning the public that hundreds of thousands of people may lose Internet in July and Apple promises to fight the Flashback virus.
In the news regarding the FBI, Eric Storm stated:
"This is the future of what we will be doing. Until there is a change in the legal system, both inside and outside the United States, to get up to speed with the cyber problem, we will have to go down these paths, trail-blazing if you will, on these types of investigations...Now, every time the agency gets new the end of a cyber case, we get to the point where we say, how are going to do this, how are going to clean the system without creating a bigger mess than before."James Madison stated that "Crisis is the rallying cry of the tyrant."
I agree that there are cybersecurity issues and I agree that we do need to take measures to protect ourselves, our organizations, and our government. The problem with the above article is that as of 23 April 2012, when the article was written, there were 85,000 victims in America. That is a minuscule percentage compared to the millions that use computers and the Internet and yet, there appears the need to make this bigger than it really is.
Based on this week's experience, I began to realize how easy it is to get the masses to panic over certain things. When it comes to educating the layman, we need to use simple terms, be careful how to answer their questions so as to alleviate their fears, not create them, and help them to protect themselves.
On the other end of cybersecurity, I have found some wireless surveillance camera systems. Yesterday, my husband woke me up at 5 a.m. A brave thing to do considering I am pure evil before the sun comes up and especially when I am woken up. However, it was a serious issue. A total of three tires had been slashed on two cars. Since my husband has a work car, two of his tires were slashed by a knife and one of my van tires were slashed. Interesting technology there is in regards to physical security. When the cameras detect motion, they can be program to begin recording. They can even turn on lights to alert the vandals that they are being watched. Upon activation, an e-mail or text can be sent to alert the homeowner where the homeowner can watch the feed live.
Schnazzy!
Finally, in preparation for DEFCON 20, I bought myself a prepaid phone! BWA HA HA! You think I'm going to take my real phone to a hacker's convention!? What do you think I am? Insane!? I also have a computer that is completely scrubbed. Let the games begin.
Subscribe to:
Posts (Atom)