Friday, August 10, 2012

Week 10 - CYBR 650

This is my last post for this class. Has it really been 10 weeks already??? When did THAT happen!?

I think I will continue on with the DEFCON theme. One of the speakers during DEFCON 101 said something that has stuck in my head. They stated that geeks are typically anti-social, and that a geek who can speak to both management and the techies is in high demand but rare. A person in cybersecurity must be able to communicate. This class has reminded me of that a lot. It is hard to do when you are assuming your audience knows what you are talking about (in this case they did), but you have to write from the perspective that your audience doesn't.

TOPIC CHANGE (sorry Coach!):

I have also taken XML this semester. While this isn't part of my degree, it was interesting that it did apply. While at DEFCON, I talked to a fellow attendee about XML. He was a pen-tester and told me that when a client tells him they want him to pen-test their XML, he begins to salivate. How funny.

I found out later why. I took in a talk called, "We've Got You By The Gadgets." The talk was about Microsoft Gadgets, but it was mentioned it could apply to apps that we all use on our smart phones and tablets because they are similar concepts. Here is what I wrote for my XML class:

Gadgets and apps are very simple programs. They are not complicated at all. Any web application language can be used to write them, and any web application language can be used to alter existing ones or create malicious ones. Software like Silverlight makes it all the easier to create gadgets and apps, particularly malicious ones.

The first problem with gadgets and apps is the lack of code signing. Code signing confirms who the software publisher is and guarantees that the code has not been altered or corrupted. Its absence causes a Microsoft prompt to come up and display the security warning, "Are you sure you want to install this...?" The problem is, people will say yes because they do not see apps or gadgets as software or code, inviting the attacker into their technology through something that looks deceptively innocent.

Here was an interesting statement regarding gadgets:

"Some of the things you are actually able to do from a gadget. I can do anything I want with a gadget. I can execute code. You can execute URLs. If you didn't want to carry something with you in the HTML that you're downloading with the gadget, you can get more. If you want to change what you downloaded, you can do that too. If you want to update, no problem. You want to create files with arbitrary content, binary or otherwise, on the system, we can do that. You want to be able to read files, anything the user has permission to, you're good for. If you want to get past that permission, obviously you can just raise the UAC prompt and do so. You can make your computer speak."

A demo was done using a Nyan Cat gadget turned into a proof of concept (POC) attack. It accessed the Gmail account of the user and created a list of contacts for the attacker to spam. This malicious code was only 16 lines. The key is that it has all of the access it needs to all of your cookies and all the information in your browser. This means it also has all your proxy configurations, and it can manipulate anything else it wants on the system.

Gadgets can also add, remap, delete, and otherwise handle mapped network drives. Everything that Windows supports, they can do.

Gadgets are just code and are typically written by people who do not have a lot of experience writing code.

Also discussed was the ASN.1 bug. ASN.1 is an underlying parsing protocol the US government defined, and a reference implementation was offered that nobody bothered to use as a reference. It was used in satellites and ISDN. There was a flaw that showed up everywhere because of the shared-code problem.

Because gadgets and apps do not use SSL, it is hard to verify the original code of the original app/gadget. Anyone can "update" the gadget and turn it malicious without the user being aware of it. Once the update is complete, the gadget is forever altered. You think you are getting a cool gadget that does one thing, when in reality, you are getting something completely different.

The next demo they did was a man-in-the-middle attack. A piano gadget was used and it was taken from the Microsoft gallery with no modifications to it. When they put the piano on the Desktop it said this, "Hello, this is your computer. I am tired of the way you have been treating me. I am going to self-destruct in 5 seconds! Good-bye." That was three lines of code for the gadget to yell at you and do a man-in-the-middle attack.

In the end they offered these tips:

1. Don't take candy from strangers

and

2. Write your applications properly! Your parser may approve of your code, but you could inadvertently be writing damaging code that creates problems later.

Applications are similar to gadgets. Keep that in mind when you see the next popular app headed your way.

Sunday, August 5, 2012

Week 9 - CYBR 650

This week has been pretty exciting. I ended up in the ER and the ER doctor diagnosed me with "DEFCON" back! LOL After some Percocet and rest, I can finally stand up. What I was told, however, is that as geeks, it is easy to get absorbed with our machines. WALK periodically, because sitting for a long period of time puts stress on the lumbar region of your back. While it may not seem like you have done anything to injure your back, not walking around will actually injure it. Speaking of which, I better get up and walk really quick!

*******

This week I have to write about what I experienced in doing my Action Plan. Playing with a new template, I was limited in what data I could add. I also forgot to consider things such as controls and threat risk condition (high, medium, low). This is frustrating because it is not something that I do on a day-to-day basis. That, and my brain is still in overload from all the information I got at DEFCON.

This is going to be a short blog due to my drugged-up status, but I wanted to let everyone know the Cybersecurity Act of 2012 did NOT pass! However, it only failed by a 52-46 vote.

This concerns me. In order for the Act to pass, it needed 60 votes. 8 more votes and it would have succeeded. Unlike PIPA and SOPA, the Cybersecurity Act of 2012 was not as widely protested by the Internet community. It was, in essence, PIPA 2.0, and yet there was no uproar protesting this Act like the other two.

Being only 8 votes away, we can be sure Congress will attempt to pass something similar soon. If the Internet community does not speak up, it will not be hard to make up those 8 votes and start passing legislation that will begin inhibiting our freedom of speech as well as our privacy.

Tuesday, July 31, 2012

CYBR 650 - DEFCON 20 - Fundamental Knowledge For Any Hacker

On Wednesday, I left for Las Vegas to see if I could match wits (not my last name) with some real talent. I came upon some interesting realizations! First of all, they have this strange obsession with liquor, and being sober by the end of a talk could end up in public humiliation (or some free booze so you can be as lit as they are????).

Second, do NOT trust anything that comes from Dark Tangent, LostBoy (aka 1o57), Tuna, and the goons (USB thumb drives were given to the virgins, and malicious code in their badges would prevent the human badges from working properly)!!!

Third, as much as I know, there is a lot I do not know!

I have had to deal with the fact that I have to actually pick ONE talk because I can't make them all. This sucks, but I will be buying the DEFCON discs to make up for that, so look for that summary when I get those.

I can't really summarize what I have learned the last couple days, but there was a talk that really got my attention. It was given by 1o57. It was titled "Hacking the Hackers: How Firm is Your Foundation?"

It got me thinking and I began to realize that in order to be good in Cybersecurity, we need a solid foundation just like anything else. When he went through his talk, I began to realize that there was a lot I didn't know. I realized I was in the right place. I have an insatiable curiosity. Now I know where to fill in my gaps.

He starts with, "I've got some things that are just bugging me because there are some people that I talk to that just don't have the basic fundamental knowledge of things that we need in the hacker community."

I will admit, I am a n00b. For me, this was the perfect talk. What foundation do I need to not only be excellent in the Cybersecurity field, but to build upon in an ever changing world?

****WARNING: Some hyperlinks do go to Wikipedia. Do not tell Professor Karla Carter! She will punish me for torturing her little alien****

Here is 1o57's take on what the basic foundation is:

1. Binary - Everyone knows that binary is 1's and 0's, but what does it mean? Also, it is common knowledge that 1's and 0's represent two states: on and off. 1o57 asked this question: "Who can do a 4-bit binary count up in your heads, right now? It should be everybody in this room." I suddenly felt very lame. He explained further:
      0+0 in binary is 0
      0+1 in binary is 1
      1+0 in binary is 1
      1+1 in binary is 0 with a carry

    If you don't have a solid fundamental understanding of binary, look it up. ***There is hope for me yet.***

2. Hex - "Everybody who is like the elite hacker now knows we write stuff in hex codes! Hex is cool!" Why do we use hex? It starts with the binary (the foundation of everything). Hex is the exhaustive use of 4 bits: one hex digit (0 through F) stands for every value a 4-bit group can hold (0000 through 1111).

3. TOR

4. SHODAN - "Silence on the wire." You can look something up on SHODAN without ever touching the target site or giving your presence away.

5. Reverse engineering - Tools help in reverse engineering. A popular one is IDA Pro, but 1o57 recommends Vivisect, created by InvisiGoth (aka Kenshoto).

6. TCP/IP - Have a fundamental understanding of what it is. If you are going to do network security based stuff, you should have that foundational knowledge.

7. Assembly - Learning the fundamental language of the architectures we are dealing with.

8. Scripting languages - Python, Perl, JavaScript, Lua, Ruby (Ruby makes 1o57 shudder; he does not like it).

9. Get a little exposure to C/C++ - Kernighan & Ritchie wrote the book on C back in the day, and it should be in every IT/security person's library.

10. Basic crypto properties - Know what the basic algorithms are, basic encryption schemes,  how to get a basic GPG or PGP key.

11. Wireshark -  If you don't have that fundamental knowledge of TCP/IP, you won't know what you are looking at.

12. Nessus - A tool that is being used for compliance. According to 1o57, though, it means nothing these days. To run a Nessus scan on a system and say it is protected is snake oil (the opinion of 1o57). Security is a never-ending cycle and continually evolving.

13. Metasploit - An attack framework for pen-testing

14. VMs - These can be used to create multiple machines in one computer to test the "mad hacking" skills the hacking community has. Virtual machines have other uses too. :-)

15. BackTrack - A pre-compiled Linux distribution. All your fun, basic tools are built into it.

16. Command lines - These are timesavers. Pull-down menus are inefficient. If you learn 15 of the most common commands in whatever software you use regularly, you get an hour back. Don't be a slave to the GUI. Also, "man pages" (manual pages) are for looking up instructions for different commands, primarily on Linux and UNIX.
   
17. SSH - If you use IRC, you should be using an SSH tunnel. If you don't, learn how!

18. PuTTY - PuTTY is used on a Windows box. If you log in with FileZilla over plain FTP, what are your credentials encrypted with? Nothing. PuTTY adds a little bit of security.

19. Great open source tools - GIMP, Inkscape. These are great for graphic manipulations.

20. How DNS works and how it is fundamentally broken. There are protocols and systems that are in place that have been in use since the early days of the ARPANET that we keep putting spackle and duct tape on and continue to force them down people's throats. "DNS is fundamentally broken." We've blindly adhered to some protocols that need to be reworked because they were not designed with security in mind from the start.

21. If you are going to tinker in hardware-based stuff, stay away from Radio Shack. Digi-Key, Jameco, Mouser, and SparkFun are much cheaper!!!!

22. Schematic capture - Still on the hardware kick. Taking your circuit and putting it into software so it can be produced.

23. FPGA - This is going to change a lot of stuff. It allows software to reconfigure an electronic component (oversimplified). It is the concept that was used for the DEFCON 20 badge. Once the VGA and PS/2 connectors were soldered onto the badge, it would allow a Commodore 64 emulator to run on the badge.

24. Eagle - Circuit design software. Students can get a free version of this.

25. FREE STUFF!!! Ladyada put together on her page a place where you can pick up sample parts and free stuff from various companies. If you order a part, don't be stupid! Order a couple! If you have an .edu address, they love sending stuff to you.

26. Learn how to use an oscilloscope and digital multimeters.

27. Forrest Mims' "Getting Started In Electronics"

28. Stupid code tricks - Things like bit shifting (there's that binary code again) to multiply or divide very fast. Swapping two variables with no scratch space used: XOR three times. Makes code processing more efficient. Don't be intellectually lazy with how you write code.

29. Hacking servos! A servo is a DC motor with some kind of sensing technology in it to control position.

30. Social Engineering

31. Learn to communicate. Learn to communicate with as many people and things as possible. It makes for a better life.

32. Be a hacker. Go outside the box. Do not remain in the bubble that people want to put us in, either due to societal definitions (hackers are criminals) or because of the potential to violate privacy (they are going to put it on Facebook anyway!). Follow your intellectual curiosity.
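Items 1, 2 and 28 above are the kind of thing that is easier to believe once you have typed it out. The block below is an added example written for this post, not code from 1o57's talk: it builds a 4-bit ripple-carry adder out of the four addition rules in item 1, does the 4-bit count-up with the hex digit beside each value (item 2), and then shows the shift-multiply/divide and the three-XOR swap from item 28, including the trap where XOR-swapping a variable with itself zeroes it. All function names are my own; register width is emulated with explicit masking so the behaviour matches fixed-width hardware rather than Python's unbounded integers.

```python
# Added example (not from 1o57's talk or the original post): the 4-bit
# arithmetic and "stupid code tricks" from the list, worked in Python.
# Machine width is emulated with explicit masking so the behaviour matches
# a fixed-width register rather than Python's unbounded integers.

WIDTH = 4                 # the nibble 1o57 asked the room to count through
MASK = (1 << WIDTH) - 1   # 0b1111


def full_adder(a, b, carry_in):
    """One bit column: returns (sum_bit, carry_out).

    Encodes the four rules from item 1 (0+0=0, 0+1=1, 1+0=1, 1+1=0 carry 1)
    plus the incoming carry from the column to the right.
    """
    total = a + b + carry_in
    return total & 1, total >> 1


def add_bits(x, y, width=WIDTH):
    """Ripple-carry add two `width`-bit values; returns (result, overflow).

    Works bit by bit from least significant to most significant, the way you
    do it in your head, rather than calling `+` on the whole value.
    """
    result, carry = 0, 0
    for i in range(width):
        s, carry = full_adder((x >> i) & 1, (y >> i) & 1, carry)
        result |= s << i
    return result, carry            # carry out of the top bit == overflow


def count_up(width=WIDTH):
    """The 4-bit count-up: every value as (decimal, binary string, hex digit)."""
    return [(n, format(n, f"0{width}b"), format(n, "X")) for n in range(1 << width)]


def nibble_to_hex(bits):
    """Item 2: one hex digit is the exhaustive use of 4 bits."""
    if len(bits) != 4 or set(bits) - {"0", "1"}:
        raise ValueError("expected exactly four binary digits")
    return "0123456789ABCDEF"[int(bits, 2)]


# --- item 28: shift instead of multiply/divide, XOR instead of a temp -------

def mul_pow2(n, k):
    """n * 2**k via left shift. Bits shifted off the top are lost, as in a
    real register, so 5 << 2 in four bits is 4, not 20."""
    return (n << k) & MASK


def div_pow2(n, k):
    """n // 2**k via right shift. Caveat: this only equals integer division
    for non-negative n; in C, right-shifting a negative signed value is
    implementation-defined, so use unsigned types there."""
    return n >> k


def xor_swap(pair):
    """Swap two values with XOR three times and no scratch variable."""
    a, b = pair
    a ^= b
    b ^= a
    a ^= b
    return a, b


def xor_swap_in_place(buf, i, j):
    """The XOR swap on a buffer, with the classic trap: if i == j, the first
    XOR zeroes the element and the value is gone. Guard against aliasing."""
    if i == j:
        return buf            # nothing to do, and doing it would zero buf[i]
    buf[i] ^= buf[j]
    buf[j] ^= buf[i]
    buf[i] ^= buf[j]
    return buf


if __name__ == "__main__":
    for n, b, h in count_up():
        print(f"{n:2d}  {b}  {h}")
    print(add_bits(0b0111, 0b0101))    # (12, 0)
    print(add_bits(0b1111, 0b0001))    # (0, 1): wraps to 0000 with carry out
    print(xor_swap((0b1010, 0b0101)))  # (5, 10)
```

Run it and compare the printed count-up with what you can do in your head; the overflow case (1111 + 0001) is the same wrap-around that makes integer overflow bugs possible in real code.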



Tuesday, July 24, 2012

Week 8 - CYBR 650

This week, I am to talk about action plans and what problems I encountered while doing them.

OK, I admit it. I cheated. I found the PERFECT action plan layout and downloaded it.

Taking business courses before computer classes helped me understand the importance of "scannability." It also taught me the importance of making sure your audience can understand what they are reading.

Throughout this whole process, I am applying a lot of theory. It's tough to do a process model and a threat analysis when the information is still just a concept in my head. I have had the chance to discuss this stuff with a person who is a professional in the cybersecurity field and he was more than happy to tell me where I was weak in some of my understandings.

Using the template made it easier for me to "itemize" what actions need to be taken. Add that it is easily scannable for management personnel, and it is ideal. The hard part is thinking of everything and giving everything a priority. How do you decide what goes first? How do you determine which threat is the one that is most likely to happen?

The Harry & Mae's scenario we are working with has a huge number of security "no-nos."

For instance, the default password is not required to be reset, passwords are allowed to be easy and are not required to be changed.

They have a spam/anti-virus firewall appliance with no subscription, so the signature files are all out of date.

They did not configure their firewall and their wireless access points allow connectivity from anybody as well as all traffic going in and out.

And these are just a few of the issues we were given to analyze. Looking at them, I found it hard to determine which one was of the highest priority. All leave the company's systems vulnerable, and any hacker, even a script kiddie, would have easy access to their customers' information!

Another hard time I had was determining a "time frame." Since I have not done these things in real life (except for my own home network), it is hard to figure out how long they would take. When I fix friends' computers, I find that sometimes an easy job ends up taking longer than expected. So, I am apparently not experienced enough to gauge time estimates for any job. Of course, I tend to find Murphy's Law pops up at the most inconvenient time. This sometimes extends when the job will be done.

While I have been focusing on my A+ certification, I am beginning to realize that I need to focus on my Security+ certification. This will help me get my foot in the door so I can actually see how all this works.

What has made all this easier is "Coach" and my classmates. I couldn't have made it this far without them!

Thursday, July 19, 2012

Week 7 - CYBR 650

Why do I have this nagging feeling it should be Week 8???? Ugh, I am going to need a vacation! I guess this is what happens when you have a one day break between two semesters. 

This week's topic:  

You might post about your experiences with the assignments, or perhaps observations from fellow students. Alternatively, this week you can consider technical aspects of cybersecurity. What tools or technologies are beneficial for Cybersecurity Professionals?

I am hoping "Coach" will allow me to post on the tools and technologies next week as that will be when I return from DEFCON 20 and I should have a ton of information to post on here.

This post actually comes from a discovery I made in my other class which is XML. This week, for discussion, the professor gave us the freedom to post on whatever we wanted regarding XML. Since my major is Cybersecurity and not Web Application Design, I started a discussion regarding the security of XML. I needed to get into a topic I was a bit more comfortable in.

I will copy and paste my original post for the class and then give you my thoughts afterwards:

For those who don't know, I am actually getting my Master's in Cybersecurity. The class I needed was not offered this semester, so I thought I would take this course. It has been a struggle, as I thought this would be a course I could easily understand, but I am finding out that this has been one of my harder classes (that, and with all the summer activities, finding time to get my assignments in on time is a bear!). What caught my interest, though, was that XML is used in web applications. You read in the news all the time about Yahoo! being hacked and user names and passwords being stolen by SQL injection. I took this course to see that side of hacking. While it is not SQL injection, XML still must be secured.
In going through the tutorials, there is a lot of data that can be accessed through XML. We have already done real estate, sales, and in some cases, personal information that you really do not want online. This piqued my interest. How secure is XML anyways?

I found two interesting articles for securing XML web applications. One is dated 2004. Being frustrated that most of my hits were so old, I narrowed my Google search to the last year and actually found one written 14 June 2012!!!! Yay me!
The first article is Ten Guidelines For Deploying Secure XML Web Services.

Now, it would appear to me that this is mostly for web services that utilize XML. Sometimes I'm not the brightest person in the world, so feel free to thwap me with a large trout and correct me. XML is being used, though, and while sites like mine may not say "XHTML", they do use XML tools such as CSS. In this article, you read that it is important to validate the XML messages using XML Schema Definitions (XSD) and to use XSLT to transform XML messages. When reading that, I thought, "HEY! I'm learning about that now!"
The second article is by IBM: Securing Web Services For Version 5.x Applications Using XML Encryption
This is actually the second time I saw XML encryption in an article. The one above briefly mentions it, but this one goes into it more in depth. In fact, the article states:
"WebSphere Application Server provides several different methods to secure your Web services. XML encryption is one of these methods. You can secure your Web services using any of the following methods:
  • XML digital signature
  • XML encryption
  • Basicauth authentication
  • Identity assertion authentication
  • Signature authentication
  • Pluggable token"
It is probably safe to say that most of you are majoring in some sort of web management degree. While there is no such thing as true security, there are means to make it more difficult for someone like me to get into your stuff. The digital world makes it easier and easier to commit crimes from long distances. Information is currency which is why ID theft is on the rise.
In looking at the text, I did not find anything on XML encryption. Perhaps it is because it is done very similarly to encrypting other files and e-mails. The receiver must have the sender's key in order to decrypt the message/file.
Finally, just to give you something to think about, our favorite website www.w3.org has an article "XML Hacking is Fun!" I'm going to DEFCON next week. Guess what I am going to play with??? ;-) 
It spurred an interesting discussion in the class. This discussion caused me to realize that there are many systems and codes that we need to secure and may not know about. Had I not taken XML, it never would have crossed my mind that it existed or could be breached. It just goes to show exactly how much information there is out there and how much I don't know. But knowing what I don't know is a beginning to knowing.

Thursday, July 12, 2012

Week 6 CYBR 650

I just checked the assignments and there is nothing to really focus on, except that "Coach" says I'm all over the place! LOL Which, if he were to meet me IRL (in real life), he would think I was a gerbil on cocaine. The thing I love about blogs is that I write what is on my mind, and so, when you see me jump all over the place, that's how my mind works. Of course, it could be the ADHD... OK, so now I must FOCUS...

In continuation of the story regarding the paranoid person, I have learned a lot about personal security myself. I am learning how to use my own security software and, in turn, I go over and do it to theirs. I was in the process of securing their cell phones when I was asked a question: "I did a factory reset on my phone and it wiped out the contacts, so why are all my contacts back, and who are these people I do not know on my phone?"

This got me thinking. In order to purchase apps on Android phones, you must have a Gmail account. Well, if you use that account for anything other than apps, Gmail will save all the people you have had contact with, so if you need to write a new e-mail to them, the auto-fill pops up and makes it easy for you to write to the person. It also occurred to me that when a contact is added, because Gmail is synced to the cell phone, those contacts would be added to the phone.

I asked them some questions:

"Do you have a Facebook account?"
"Yes."
"Do you play the apps on those accounts?"
"Yes."
"Do the app games require you to add people to your friends list to advance?"
"Yes."
"Do you know the people you add?"
"Not all the time."
"Is Facebook updated through your phone?"
"Yes."

I realized the other source of their unknown contacts in their contact list on their phone. When you are connected to Facebook and it is connected to your phone, any friends you add will also be automatically sent to your phone.


Since Facebook is one of the least secure places on the web, this creates a security risk for anyone who installs the Facebook app on their cell phone. Even if your information is set to private so that only friends can see it, accepting a stranger gives them access to your cell phone number, where you live, e-mail addresses, etc., and gives them the opportunity to try to hack your accounts.

I advised them that, as convenient as it is to view friends' updates on your cell phone, not to use the Facebook app on their phone. I also told them to change their Gmail account to one they will not be using for e-mail. Meanwhile, their phone is rejecting the security software that I want to put on it because it is not an app. grrr.

It is truly amazing that something so simple can be so devious if care is not taken.

I used to think of Cybersecurity as a huge issue that was corporate/government level. This taught me that it is also in the home. And since the home can easily go to work, I came to realize that the risks spread from the home, to work, to school, etc where ever there is mobile technology and a fun app.

OK, well I'm off to get ready to go to Kids Kamp with my church. A cabin full of giggling girls, hairspray, curling irons, nail polish, and chocolate! They can have the hairspray, curling irons, and nail polish, but I can never pass up good chocolate!!!

Saturday, July 7, 2012

Week 5 - CYBR 650

I was going through my Week 5 Assignments and found this:
 Consider the following: Are these the actual sources you are using this week? Are there any additional sources you've discovered? Any that you decided would not be good to use? Post your findings to your blog
I am so random that I use what I find interesting in all reality. Some of it is based on experience which is usually best when it comes to education. Others are based on something I heard on the radio or a pop-up while harassing people on my local paper's website. I never deem good sources bad. Just because I may not use them does not mean they are not valuable and any additional sources I find only adds to the information arsenal. When doing these blogs, I always find more sources.  The good thing about this blog, is they are all in one place. I merely have to go through my posts and find the one I need. Should the sources I have conflict, it makes it easier to make a better decision as I am able to read the viewpoints from both sides, obtain more data and draw my own conclusions. It is one of the reasons I love this field. The intellectual stimulation is never ending and the opportunity to expand that knowledge is always fresh.

Well, this has been an interesting week regarding fireworks.

On July 3, I had a candid conversation with a good friend. We were talking about the Cybersecurity Act of 2012 and the necessity of security. I was shocked at his response. He leaves the keys in his truck and his password is the same for ALL accounts. He states the rewards of convenience far outweighs the cost of loss. An interesting perspective to say the least. I asked about identity theft. He stated, "The banks cover that. If there is an unauthorized purchase, I tell them and they give me back my money. I lose nothing." I must say that while he is educated in security, he makes his choice freely and accepts the consequences of not living securely.

On the 4th of July, I got a call. My husband's friend called him and asked if I could come over. She had bought a used computer from a private party and all of a sudden, things started acting weird. They had bought a computer with keyloggers and remote access software on it. No biggie. Just format the C: drive and reinstall the OS.

As I was looking at their system at home, I noted that their WiFi router was wide open. I asked them if they were aware of other people using their Internet access. They responded that they did notice a bunch of people on their network and that their Netflix was always bogged down and buffering. Hmmmm...

So, I secured their router for them. There are some disappointed people who are no longer getting free Internet access I am sure.

During this process, I was getting frustrated. I am all for educating people in regard to cybersecurity, but I began to realize that you must be careful what you say and how you say it, otherwise you breed paranoia. In this case, by the time the discussion was done, it was suspected that all their technology was hacked. Is it possible to be overly secure???

I realized a long time ago that a majority of the regular population are very uneducated in regard to cybersecurity. They know to use antivirus software, they may know how to program their wireless router, but for the most part, they are oblivious to the other technological tools they use, such as cell phones, tablets, and any other device that connects to the World Wide Web. Then, when you try to tell them, they either accept the risks of not securing their tech or they go to the other extreme of complete paranoia.

What is a cybersecurity expert supposed to do!?

As I continued my week, I heard news that the fireworks show in San Diego, normally called the Big Bay Boom, became the Big Bay Bust. In 15 seconds, the fireworks on three of the barges all went off at once. A computer glitch was blamed for the misfire:

Computer Glitch Blamed In San Diego Fireworks Boom That Went Bust

According to the story though:

"Santore said the problem was not a malfunction of the pyrotechnics and it was not human error."
An interesting reassurance, considering the problem is being blamed on a glitch in the computer software used to sync the 5 barges. Since computer software is written by humans, it stands to reason that maybe it was human error. I am also taking a class in XML, and I will tell you, one boo-boo will screw up my whole website. And it's not the computer's fault when that happens.

Cybersecurity is more than just keeping hackers out and playing dodgeball with viruses and other malware. It is also avoiding costly mistakes that can hit a company's profit margins. In this case, it cost the pyrotechnic company thousands of dollars in fireworks, cost the audience an hour's worth of a show (it was reduced to 15 seconds), and ruined the reputation of two companies: the one that wrote the software and the one using the software.

I decided to check out this story because my husband told me about it and he stated that from what he understood, the firework show had been hacked. Whether it was or not, we will probably never know. After all, if news that a firework show can be hacked and ignited remotely were to get out, no good can come from it.

In other news, the FBI is warning the public that hundreds of thousands of people may lose Internet in July and Apple promises to fight the Flashback virus.

In the news regarding the FBI, Eric Strom stated:

"This is the future of what we will be doing. Until there is a change in the legal system, both inside and outside the United States, to get up to speed with the cyber problem, we will have to go down these paths, trail-blazing if you will, on these types of investigations...Now, every time the agency gets near the end of a cyber case, we get to the point where we say, how are we going to do this, how are we going to clean the system without creating a bigger mess than before."
James Madison stated that "Crisis is the rallying cry of the tyrant."

I agree that there are cybersecurity issues, and I agree that we do need to take measures to protect ourselves, our organizations, and our government. The problem with the above article is that as of 23 April 2012, when the article was written, there were 85,000 victims in America. That is a minuscule percentage compared to the millions that use computers and the Internet, and yet there appears to be a need to make this bigger than it really is.

Based on this week's experience, I began to realize how easy it is to get the masses to panic over certain things. When it comes to educating the layman, we need to use simple terms, be careful how we answer their questions so as to alleviate their fears, not create them, and help them to protect themselves.

On the other end of cybersecurity, I have found some wireless surveillance camera systems. Yesterday, my husband woke me up at 5 a.m. A brave thing to do considering I am pure evil before the sun comes up, especially when I am woken up. However, it was a serious issue. A total of three tires had been slashed on two cars. Since my husband has a work car, two of his tires were slashed with a knife and one of my van tires was slashed. There is interesting technology in regards to physical security. When the cameras detect motion, they can be programmed to begin recording. They can even turn on lights to alert the vandals that they are being watched. Upon activation, an e-mail or text can be sent to alert the homeowner, who can then watch the feed live.

Schnazzy!

Finally, in preparation for DEFCON 20, I bought myself a prepaid phone! BWA HA HA! You think I'm going to take my real phone to a hacker's convention!? What do you think I am? Insane!? I also have a computer that is completely scrubbed. Let the games begin.


Saturday, June 30, 2012

Week 4 - CYBR 650

Well, this week had me rather perplexed. Last week, I misunderstood a portion of the assignment and had shifted into the Disaster Recovery/Business Continuity gear. I think I did that because I understood that really well!

As I produce deliverables in my class, I get to review my peers' work and tell them what I think or ask questions for clarification. The scenario we are working on has already dealt with a series of breaches and it is our job to secure the business. For the subheading "Information Storage," many in my class listed SQL. I thought this was interesting. In getting ready for DEFCON 20, I found several talks regarding SQL:


SQL Injection to MIPS Overflows: Rooting SOHO Routers
ZACHARY CUTLIP SECURITY RESEARCHER, TACTICAL NETWORK SOLUTIONS

Three easy steps to world domination:

1. Pwn a bunch of SOHO routers
2. ???
3. Profit

I can help you with Step 1. In this talk, I'll describe several 0-day vulnerabilities in Netgear wireless routers. I'll show you how to exploit an unexposed buffer overflow using nothing but a SQL injection and your bare hands. Additionally, I'll show how to use the same SQL injection to extract arbitrary files from the file systems of the wifi routers. This presentation guides the audience through the vulnerability discovery and exploitation process, concluding with a live demonstration. In the course of describing several vulnerabilities, I present effective investigation and exploitation techniques of interest to anyone analyzing SOHO routers and other embedded devices.

Zachary Cutlip is a security researcher with Tactical Network Solutions, in Columbia, MD. At TNS, Zach develops exploitation techniques targeting embedded systems and network infrastructure. Since 2003, Zach has worked either directly for or with the National Security Agency in various capacities. Before becoming a slacker, he spent six years in the US Air Force, parting ways at the rank of Captain. Zach holds an undergraduate degree from Texas A&M University and a master's degree from Johns Hopkins University.
Twitter: @zcutlip


New Techniques in SQLi Obfuscation: SQL never before used in SQLi
NICK GALBREATH

SQLi remains a popular sport in the security arms-race. However, after analysis of hundreds of thousands of real world SQLi attacks, output from SQLi scanners, published reports, analysis of WAF source code, and database vendor documentation, both SQLi attackers and defenders have missed a few opportunities. This talk will iterate through the dark corners of SQL for use in new obfuscated attacks, and show why they are problematic for regular-expression based WAFs. This will point the way for new directions in SQLi research for both offense and defense.

Nick Galbreath is a director of engineering at Etsy, overseeing groups handling fraud, security, authentication and internal tools. Over the last 18 years, Nick has held leadership positions in a number of social and e-commerce companies, including Right Media, UPromise, Friendster, and Open Market, and has consulted for many more. He is the author of "Cryptography for Internal and Database Applications" (Wiley), and was awarded a number of patents in the area of social networking. He holds a master's degree in mathematics from Boston University.
Twitter: @ngalbreath
http://client9.com
https://github.com/client9



SQL ReInjector - Automated Exfiltrated Data Identification
JASON A. NOVAK ASSISTANT DIRECTOR, DIGITAL FORENSICS; STROZ FRIEDBERG, LLC
ANDREA (DREA) LONDON DIGITAL FORENSIC EXAMINER; STROZ FRIEDBERG, LLC

In 2011, SQL injections became front page news as ever more high profile companies were victims of automated SQL injection attacks. Responders spent countless hours looking at values in log files like "0x31303235343830303536" trying to figure out what was being exfiltrated by whom. Incident response costs skyrocketed while the cost of attacking fell.

This presentation will debut SQL ReInjector, a tool for the rapid assessment of logs from SQL injection attacks to determine what data was exfiltrated.

When responding to an SQL injection attack, responders have to determine what was exfiltrated by manually parsing the web server logs from the victimized host. This is a time consuming process that requires a significant amount of a responder’s time. Moreover, manual replay of the SQL injection does not account for system level discrepancies in how queries are executed by the system – running SQL against a SQL server directly doesn’t account for the behavior of any intermediary systems – e.g. any application layer logic or nuances in how the web application and database server interact.

SQL ReInjector uses the log files from the machine that has been subject to a SQL injection attack to replay the attack against the server (or a virtualized forensic image thereof) and captures the data returned by the SQL injection web site requests, reducing the amount of time responders have to spend looking at web server logs and allows for responders to recreate the data exfiltrated through a SQL injection attack.

Jason A. Novak is an Assistant Director of Digital Forensics in Stroz Friedberg's Chicago office. At Stroz Friedberg, Mr. Novak has been lead examiner in a wide range of cases involving digital forensics, incident response, application testing, source code analysis, and data analytics, and has developed numerous tools to expedite the firm's analysis and response capabilities. The proprietary tools developed by Mr. Novak have included: an anti-money laundering data analytics platform and tools to process electronically stored information to respond to forensic and electronic discovery requests. As a co-writer of the Google Street View report, Mr. Novak analyzed the source code to gstumbler, the WiFi device geolocation application used by Google as part of the Street View project, and documented its structure and functionality in a publicly released report; Mr. Novak has responded to inquiries about the report from domestic and foreign regulators. 
Twitter: @strozfriedberg
http://www.strozfriedberg.com 

Andrea (Drea) London is a Digital Forensic Examiner in Stroz Friedberg's Dallas office. At Stroz Friedberg, Ms. London acquires and examines digital evidence from laptops, desktops and mobile phones in support of legal proceedings, criminal matters, and/or corporate investigations. Additionally she is responsible for implementing large-scale, end-to-end electronic discovery for both civil and criminal litigation. Ms. London previously held positions at Arsenal Security Group and IBM’s Internet Security Systems Emergency Response Team. At Arsenal, Ms. London was an integral part of the company’s immediate response team for worldwide cyber security incidents. During this time she completed and has maintained certification as a Payment Application Qualified Security Assessor (PA QSA), Payment Card Industry (PCI QSA), and PCI Forensic Investigators (PFI), one of the first appointed by the PCI Council. At IBM, she acted as an official Quality Incident Response Assessor (QIRA) reporting PCI breaches to major card brands. Prior to her work for IBM, Ms. London was with the Air Force Office of Special Investigations (AFOSI), where she was one of two Airmen chosen for special duty assignment at the Defense Cyber Crime Center, and where she was tasked with testing and evaluating forensic software and hardware for the Center.




Rapid Blind SQL Injection Exploitation with BBQSQL
BEN TOEWS SECURITY CONSULTANT, NEOHAPSIS
SCOTT BEHRENS SECURITY CONSULTANT, NEOHAPSIS

Blind SQL injection can be a pain to exploit. When the available tools work they work well, but when they don't you have to write something custom. This is time-consuming and tedious. This talk will be introducing a new tool called BBQSQL that attempts to address these concerns. This talk will start with a brief discussion of SQL Injection and Blind SQL Injection. It will then segue into a discussion of how BBQSQL can be useful in exploiting these vulnerabilities. This talk will cover how features like evented concurrency and character frequency based searching can greatly improve the performance of a SQL Injection tool. This talk should leave you with enough knowledge to begin using BBQSQL to simplify and speed up your application pentests.

Ben Toews is a Security Consultant at Neohapsis where he specializes in application and network pentesting. Previously, Ben has worked as a sysadmin and as a developer. Ben has spoken at Thotcon 0x03 and has been published in HITB Magazine. Ben has a BS in Information Assurance and Security Engineering from DePaul University.
Twitter: @mastahyeti
http://btoe.ws 


Scott Behrens is currently employed as a Security Consultant at Neohapsis and an Adjunct Professor at DePaul University. Before Neohapsis, Scott Behrens was an Open Systems Architect for a financial consulting firm, as well as a Network Administrator at Argonne National Laboratories. Scott Behrens’ expertise lies in software security assessment, network penetration testing, social engineering, security architecture, and security research. Scott is also the co-developer of NeoPI, a framework to aid in the detection of obfuscated malware. Scott has also presented at Chicago B-sides and has published numerous articles in various security outlets. Scott Behrens has a Master’s of Science in Network Security from DePaul University.
Twitter: @HelloArbit
http://www.scottbehrens.com



*******************************
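The SQL ReInjector abstract above mentions responders staring at values such as "0x31303235343830303536" in web server logs and trying to work out what was being pulled out. The script below is an added example written for this post, not code from the SQL ReInjector tool or from the blog author. It assumes an Apache-style access log (the three log lines inside it are constructed for the example, not real traffic), URL-decodes each request target, finds every MySQL-style 0x hex literal in it, and decodes the literal back to text so a responder can see at a glance which strings or table names the request carried. Odd-length or non-text literals are reported as undecodable rather than guessed at.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines for this example (not real traffic). The second
# and third carry 0x hex literals of the kind mentioned in the abstract above.
SAMPLE_LOG = """\
203.0.113.7 - - [23/Apr/2012:10:01:02 +0000] "GET /item.php?id=5 HTTP/1.1" 200 512
203.0.113.7 - - [23/Apr/2012:10:01:09 +0000] "GET /item.php?id=5%20UNION%20SELECT%200x31303235343830303536,0x7573657273 HTTP/1.1" 200 2048
203.0.113.7 - - [23/Apr/2012:10:01:15 +0000] "GET /item.php?id=5%20UNION%20SELECT%20name%20FROM%200x637573746f6d657273 HTTP/1.1" 200 4096
"""

# Request line inside the quotes: method, target, protocol.
_REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+"')
# MySQL-style hex literal; the lookbehind keeps us from matching inside a word.
_HEX_RE = re.compile(r'(?<![0-9A-Za-z])0x([0-9A-Fa-f]+)')


def decode_hex_literal(hex_digits):
    """Decode the digits after '0x' to text.

    Returns None when the literal has an odd number of digits (no clean byte
    boundary) or does not decode to printable UTF-8 text, so the caller can
    report it instead of showing a guessed value.
    """
    if len(hex_digits) % 2:
        return None
    raw = bytes.fromhex(hex_digits)
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def find_hex_literals(url):
    """Return [(literal, decoded_or_None)] for every 0x literal in the
    URL-decoded request target."""
    decoded_url = unquote(url)
    return [(f"0x{m.group(1)}", decode_hex_literal(m.group(1)))
            for m in _HEX_RE.finditer(decoded_url)]


def scan_log(log_text):
    """Walk an access log and collect the requests that carry hex literals.

    Each finding records the 1-based line number, the decoded request target,
    and the list of literals with their decoded text.
    """
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = _REQ_RE.search(line)
        if not m:
            continue  # not a request line we understand
        literals = find_hex_literals(m.group("url"))
        if literals:
            findings.append({
                "line": lineno,
                "url": unquote(m.group("url")),
                "literals": literals,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"line {finding['line']}: {finding['url']}")
        for literal, text in finding["literals"]:
            shown = repr(text) if text is not None else "<undecodable>"
            print(f"    {literal} -> {shown}")
```

Running it against the constructed lines reports line 2 carrying "1025480056" and "users", and line 3 carrying "customers". On a real log the same loop would be pointed at the file contents instead of SAMPLE_LOG; the decoding step is the part that saves the manual hex-to-ASCII work the abstract describes.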

This got me thinking. That's a lot of talks on one topic! If the class is to find a way to harden our scenario's security, is SQL the answer?

Since it is relatively new to me, I referenced one of my favorite sites: w3schools. Don't know about SQL yourself? Here ya go: Introduction to SQL.

This got me thinking really hard. When considering a solution to some potential problems, we have to be able to consider the insecurities of our solution. We can try to be as secure as possible, but there is no way to prevent a determined attacker unless we stay one step ahead of the game.

Talks like the one I mentioned above help keep us aware of vulnerabilities we may not have been aware of. It also proves the importance of due diligence in the world of Cybersecurity. As attackers evolve, so must the defenders. Failure to do so, no matter what system you have, could result in catastrophe. In my other course regarding Business Continuity and Disaster Recovery, the main cost is usually financial and the loss of consumer confidence. Both could cause the demise of an organization.

In regards to the regular person though, security is all the more important. After all, identity theft can take a long time to resolve. If you access this blog, then you are accessing the World Wide Web. Check your security, update your security software, secure your WiFi router, do not answer those silly questions on Facebook, do what is necessary to protect yourself. Most importantly, as you learn about security measures, tell people. Education is the best way to keep things secure.

Tuesday, June 26, 2012

Week 3 - CYBR 650

It's MONDAY! Wait a second!!!

Ok, so last week was a total bust!

Things I learned last week:

1. Jet skis are not as easy to fix as you think
2. Baskin Robbins ice cream cakes do not fare well in an ice chest
3. Even though you are playing in the water, you can suffer from heat exhaustion
4. Even though you are playing in the water, you can suffer from dehydration
5. You can get 2nd degree sunburn playing on the water with jet skis
6. Nurses don't like 2nd degree sunburns on the back of your hands (caused by holding on to the jet ski throttle) because there is no place to put the IV
7. Despite it all, it was one heck of a great time!!!!! 7 extremely happy and yet very exhausted (and wore more sunblock than me) children: PRICELESS!!! :-)

One of my assignments for this class had me read about an event or news article about something to do with Cybersecurity. Human nature has always fascinated me and those of you locals who know me, also know this.

This leads me to social engineering. In essence, fooling others to get what you want. We see this every day. Locally, a tax increase was passed based on written intentions, but we just recently found out otherwise. The City played it well. They used a survey company to call the residents (I was actually one of them) about what was important to me in regards to what the local government should provide. They issued a "fiscal emergency." They hired a consultant to print out informative brochures about the new tax measure. It passed.

The City is now discussing ending the "fiscal emergency," hiring a federal lobbyist, putting a certain amount of the new funds into parks and rec instead of police and streets, losing one police position, and all before impaneling the oversight committee.

What does this have to do with Cybersecurity? Think about it. How many times have we been duped?

You know those questions that people like you to answer on Facebook? The ones about your favorite vacation spot? Your favorite color? Where your wedding rehearsal dinner was held? Who your favorite author is?

Have you ever stopped to wonder where those questions came from? Probably not. You think, "Hey! I know these people! They are my friends and probably know those answers already!" and then you answer them. These questions that you are answering for the world to see are based off of biometric security questions that can access your personal accounts! DOH! Don't feel bad though because it has been discovered that even CISSPs have been known to fill out those "surveys" without realizing what they were!!!

Without social engineering, there would be no need for Cybersecurity. Hackers, criminals, terrorists, and even national enemies rely on social engineering to obtain their objectives.

Recently, I was discussing with a friend about how the Navy issues colors for its passes on vehicles. The colors indicate what department the driver works in for the Navy. It also states what region they do it in! During this discussion, she told me that the Navy was going to change that. I asked her, "Really? What color?" She responded, "I'm not going to tell you!" I guess I need to practice this a bit more.

There is an advantage to posting this a little bit late. "Coach" presented me with some interesting links in response to the assignment I submitted:

Institute for Competitive Intelligence

Confidential: Business Secrets - Getting Theirs, Keeping Yours

Switch: How to Change Things When Change Is Hard

Cybersecurity, while it seems to be centered around technology, really isn't. Think about it. What are the motives of most of our threats? Greed? Power? Maliciousness? Corporate Advantage?

Human nature has not changed and that includes its negative aspects. It is because of these negative aspects of human nature that the need for Cybersecurity was ever designed. As technology advanced, so did how people do things to get bad things done. Without human nature, there would never be a need for Cybersecurity, or computer forensics, or police, well, you get my drift.

Friday, June 15, 2012

Week 2 - CYBR 650

This week's assignment is based on finding reliable references from which to draw valuable information. For those of you who know me, you know I am excellent at finding information in places that local government doesn't want me to find. This makes this week's assignment right up my alley.

But another question I was posed is, what happens if I have two reliable sources that contradict each other?

During one of my classes, a discussion commenced regarding the security of cloud technology. I went to my usual sources and found there were indeed conflicting data regarding whether or not cloud technology is secure. This got me really thinking hard. I began to evaluate who wrote what and discovered that those who supported cloud technology as a secure alternative for business continuity and disaster recovery were the very companies that offered services in that technology!

It has been my experience that when something new is developed, while most bugs are worked out, not all bugs are found. This is something I experienced as a beta tester for Photoshop CS 5. I played with the software, found bugs, reported them and installed any patches that fixed those bugs. However, despite this, Adobe later released 5.5 because there were so many fixes that needed to be made, they had to release a .5 version of their new release. It is the same with new car technology. My husband and I just recently bought a new Hyundai. It has a new technology in it that helps conserve gas on long trips. It's a great commuter car! We are hoping the bugs are worked out, but like any new model, we are prepared for that very thing.

Anyways, when it came to figuring out who was the more reliable source, I tend to err on the side of caution. People who provide such technologies would never promote their flaws. That's suicide for any organization. However, some things need to be considered.

Cybersecurity is a constant cycle. New threats will always present themselves. There is no such thing as true security. Benjamin Franklin told us that at the birth of our nation! Things have not changed much since then, just the methods used to violate security.

So, here are some sources I have found to be pretty reliable. They have been my best friends throughout my Master's program and I even found some new friends. I will most likely find more sources during my Defcon adventure!

One of the greatest weapons a hacker has is human behavior. People are predictable. A hacker understands that a majority of the people using computers do not understand security, except they do know to buy virus software. So, what happens when a pop-up comes up on your screen and says, "You have 1,023,038 viruses!!!! Press here to get rid of them!" The initial response of someone who does not know is to download the software to get rid of all those viruses! What they do not know is they are downloading a virus. My daughter did this to my desktop. After I fixed it, I released my fury and gave her a class on social engineering.

Social-Engineer: Security Through Education is one of my favorite sources. It even offers a certification in Social Engineering Pentesting and once I have $3500, I'm going to get it! Anyways, this site offers newsletters that can be read and there is some really good stuff in them. After all, the reason computers are fallible is because humans are. Social engineering is the very foundation on which the hacker world lives.

The Hacker Academy gets a person to consider, "Are you thinking like a hacker yet?" Membership is $150/month or $1495/year. Again, that money thing, darn it! However, there is Research and Blogs available to the public that contains interesting information.

Electronic Frontier Foundation has some interesting information regarding the digital world and our civil liberties. As a person that is highly involved in both topics, this site really excited me! Like other political sites though, one must take each article with a grain of salt. In other words, if you don't understand current laws and our Constitution, don't bother.

These three above sites are just a couple I have discovered in researching Defcon and they will be there this year! I intend to meet them! Maybe even get a Defcon discount!??? One can hope! But those are my new "friends" in regards to resources.

Of course, you can never have enough resources. These sources have been my best friends throughout my Master's Cybersecurity program. They are a wealth of information and have been invaluable in my education.


The National Institute of Standards and Technology has been an invaluable resource to me as well as SANS documentation.

I also have some listed below in previous blogs that have been so helpful in finding articles to write about.

Google is another wealth of information when doing basic searches. However, always take a look at your resources before using them as a viable source. The bad information will also surface with the good information!


Monday, June 4, 2012

Week 1 - CYBR 650

Hello again! I have once again been subjected to posting blogs on Cybersecurity. This will most likely be a reference point for me, since I do tend to look back on past classes to help with future ones.

As stated in the last set of blogs for my CIS 608 course, I intend to attend the DEFCON conference in Vegas! I am hoping that blog will be a fun one for anyone who happens to stumble on this blog and read it.

"Coach" wants me to introduce myself to the cybersecurity world, but as I look down, I wonder if that is necessary. Well, probably, just in case. I am getting graded on this you know!

My experience in cybersecurity is personal experience. I have a nice little secure home network setup. After that, the idea of corporations, government, and other large entities that need cybersecurity seems almost overwhelming! Organizations like the government, medical industry, and others contain a mass amount of information that must be protected. All I have are my weekly assignments and a wannabe budget. But this is a field that I am passionate about and I am hoping that eventually I will get to finally dip my foot in the cybersecurity pool and gain the experience needed to do my job excellently.

This type of work can be tedious, but it is fun in trying to play cat-and-mouse with the bad guys trying to keep them out while they try and get in. Also, trying to think of what might happen and protect against that threat as well, like tornadoes, earthquakes, fires, etc.

I love solving puzzles and how many people get to say that the career they chose, they are paid to play? Cybersecurity is exactly that. A big puzzle. An intricate riddle. I can't wait until I can get a job where I am paid to play!

Like last time, I posted a list for my own personal reference that was recommended by the University. I will be posting that as well for me mostly, but you have my permission to use it too! ;-)

Also, I tend to go all over the place. I am a very random person so expect random posts. The University recommends sticking to a topic. Well, Cybersecurity is a topic and I'm sticking to it! HA!

Cybersecurity Center at Bellevue University - http://blogs.bellevue.edu/cybersecurity/
Security Bloggers Network - http://www.securitybloggersnetwork.com/
infosec Island - http://www.infosecisland.com/
Security Wizardry - http://www.securitywizardry.com/radar.htm
McAfee Threat Intelligence - http://www.mcafee.com/us/threat_center/default.asp
SANS News summary - http://isc.sans.edu/newssummary.xml
CNET Security and Privacy - http://news.cnet.com/security/
NebraskaCERT - http://www.nebraskacert.org/CSF/
ISACA Knowledge Center - http://www.isaca.org/Knowledge-Center/Pages/default.aspx
Norton Security Resources - http://us.norton.com/yoursecurityresource/?prod=NIS.18.6.0.29&layout=esd&ssdcat=180&lcid=1033
Privacy Rights Clearinghouse - http://www.privacyrights.org/
National Cyber-Forensics & Training Alliance - http://www.ncfta.net/
Identity Theft Resource Center - http://www.idtheftcenter.org/
FBI Cyber Crime Stories - http://www.fbi.gov/news/stories/story-index/cyber-crimes
Security Week - http://www.securityweek.com/

See you next week!

Thursday, March 1, 2012

Week 12

Well, this is my final post for CIS 608. I will keep these posts online just in case future courses require more of these posts. If that is the case, you will see the course name and week number such as: CIS 608: Week 1. This is to help the professors figure out where I am at. Tee hee. Actually, I think I can edit the title of these posts...I dunno...will have to check that out. Anyways, here is my final assignment, so if this post doesn't make sense to you, here is what I am addressing:


Time to finish up your blog. This last assignment should be a retrospective look at your postings over the last 11 weeks. Time for a little analysis. Write up an entry that provides a summary of what you chose to write about.
First, you need to categorize your topics of choice. Did you write primarily on operating system issues? User errors? Viruses? Or did you write about a variety of topics? Why did you choose those topics?
Next, you need to include an analysis of where you got your material. Did you use the same source each week? A variety each week?
As the last part of this entry, include whether or not you thought this type of blog might be useful to an information security professional and provide a few lessons learned for the next group of students.
Anyone who knows me well knows that I am a pretty random person. I am easily distra....oooh SHINY!

If I find it interesting, I will read about it. Some of my posts had to do with the political implications of cybersecurity. Since I am a limited (or small) government person, you got to see some of my opposition to too much government and how it cannot work in Cyberspace. So, there is no real category for my posts because they cover so much. Some of them covered Risk Management because I felt they applied to that week's learning in Information Security Management.

My sources started out with the ones that Professor Sue offered. Because I had to read Professor Woerner's blog for an assignment, I found other sources that fascinated me. Finally, my sources also came from my classes as I became aware of some things going on in regards to regular society and cybersecurity. So, my sources ranged from sources provided by both my professors as well as my texts and my peers.

I find "Coach's" (Prof. Woerner's) blogs VERY helpful. I'm not so sure on ones like mine. There's something to be said about wanting to write on various topics and being forced to. A person who makes a discovery they wish to share will provide good information and perspective to the topic. They want to write and will write for their target audience. A person doing it for a grade tends to do it, just to do it. The information is good, but you can tell there isn't much interest or passion in it. Chances are, I may not post here again unless another class asks me to. I am an interactive person. I like to give information and receive information. This is too one-sided for me.

On the other hand, for future students, if you are like me and groaned every week to think of something to write on here, do this: use it as an opportunity to reflect on what you are learning. Read your Chapter and if you are taking another course, incorporate that into your blog. Not only does this help you reinforce what you are learning, but it will help you think out how these concepts apply. Take advantage of it.

Sunday, February 26, 2012

Week 11

So much information in so little time. I decided to post a bit of the discussions we had in CYBR 610: Risk Management. It really got me thinking. I will be paraphrasing here, but several of my peers brought up some good points as to why risk management and internet security isn't really taken seriously yet.


  • Human beings are animals and won't respond until danger is imminent.
  • People buy security software and think that is enough to secure their devices
  • People assume there will be people out there to "fix" their problems when something does go wrong
  • People don't like change.
  • People like convenience and just want everything to work easily
I started thinking about it. I remember my interview with the Human Resources guy and he noticed that I was getting my Master's in Cybersecurity and he assumed the base was going to want me. It made me realize, he didn't understand what cybersecurity was. I'm not saying he's stupid, I just think he is part of the majority that thinks cybersecurity is a military or DoD thing. It's a big word that actually works from the home office to the FBI.

So, the question became, should we teach risk management and information security at the junior high and high school level? I started thinking about that and realized that risk management is already being taught in other topics such as PE and Science. In PE, kids stretch and warm up before vigorous exercise, managing the risk of injury for training on muscles that have not been warmed up. Science requires safety instruction in regards to how to handle scalpels for dissections or how to handle acid and water. 

It would make sense to put something that simple into the computer classes, I'm sure. After all, risk management or security should just be something that happens, not a separate job. It should be a habit, much like warming up before exercising or learning the importance of making sure the scalpel is properly cleaned and taking care of specimens to be dissected. Computer classes could begin in junior high with basic importance of strong passwords, Internet safety, and the importance of backing up your data. Start small and easy. As you get into the high school areas, they can do things such as assess the assets in their computer labs or even their homes to develop risk mitigation plans, showing them real world applications to risk management. 

Cybersecurity is not a national security issue. It's actually something that can be applied at home and should start in the home. The question is, how do we make people aware that security is more than just software? Again, people typically don't respond until they are the victims of ID theft or bank fraud. There is nothing telling the public that the security software they buy is good, but it's not 100%. Much like there are car mechanics that are not trustworthy, there are also computer techs that are just as dishonest. If you don't know your devices, how do you know you are getting quality repair work? And finally, what can be done to get people to change their habits?

I would like to ask you a few questions to get you started:

  • How many passwords do you have?
  • If you only have one or two, are they used on all your accounts from banks to e-mail?
  • If your job requires your account at work to have a long and complicated password, did you write it down and put it someplace that you think is hidden but could potentially still be found?
  • Is your WiFi at home broadcasting its SSID?
  • Is your WiFi password protected to allow only those who know the password onto your network?
  • Is your security software updated?
  • Are your OS patches updated?

All these are things you can fix at home to reduce your risk of attack and secure your home office. All those things are cybersecurity.

Sunday, February 19, 2012

Week 10

I don't really have much to offer in regards to links this go around except this week's reflections of the events of the past couple of weeks.

This week's assignment for CIS 608 regarded the different forms of biometric security. In doing this assignment, I realized that in the last two weeks, I have been exposed to many forms of biometric security ranging from security questions on my bank's website to taking a CBEST test. We were asked which form of biometric would be more acceptable to the average person, so to speak.

Believe it or not, we are exposed to biometric security all the time. If you don't have your ID on you when you go to the bank, the bank has several standard questions for you such as the last four of your social or mother's maiden name. Unfortunately, if you are divorced, your ex-spouse knows the answers to all those questions. This means that you need to change those questions to something that only you would know.

Another is signature recognition when you sign that snazzy terminal at the bank. I don't feel this is accurate because I can't sign that stupid thing anyway and my signature never matches my driver's license. Not to mention, forgery was a problem with checks, so why would this be any different?

In recent weeks, I got hired on by the local school district. One of the requirements was for me to be fingerprinted by Live Scan. That wasn't too painful, although the machine can be picky about your fingerprints, and if your finger slides, you have to do the whole thing over again. But it was handy, and I was glad to find out that my Information Warfare research and resulting paper did not put me on the terrorist list for the FBI or Department of Justice!

Finally, I was asked to take the CBEST because the school district wanted to know if I would be a substitute teacher. Sure. I visited Pearson VUE to take the CBEST. When I got there, they took my picture, and then had my right palm scanned, left palm scanned, right palm scanned again, and the left palm scanned again. What was wild was that I could not carry my phone in with me to the testing area (OK, smart phones, I can see that) and they kicked my husband out of the building!!!! My phone and water bottle were placed in a locker in the lobby. When I went into the testing station, they checked my driver's license and then scanned my palms again. If I wanted to take a break (the test is almost 5 hours long), then I would show my driver's license and scan my palm again to exit the testing area. I was not allowed to use my phone or anything electronic. When I went into the testing center, I would have to show ID again and scan my palms again. Oh! and I was being video and audio recorded which really sucked because tests make me nervous and my stomach was making a whole lot of noise (hence my need for the water bottle which I was denied)!!!!

Anyways, when I finished the test, I was escorted out of the testing area, showed ID, scanned my palm, got a copy of the unofficial test scores, went to the front desk, scanned my palms again and was released.

Who would have thought that taking a test was SOOOO serious and required so much security!!!!!

It really made me ponder: if security is this tight for a test, what would it be like working for the government! HOLY COW!!!

Monday, February 6, 2012

Week 9

This week, I got to post a blog for CYBR 610: Risk Management taught by Ronald Woerner aka "Coach." Some of the articles I found, I thought would be appropriate here. The EC-Council is recommending that CISOs change how they do risk assessments by "wargaming," and the Financial Times states that organizations are still blind to the importance of information security. I have included a link to the EC-Council's White Paper regarding wargaming below. Enjoy.

In one of Coach's blogs, he mentioned that 2011 was the "Year of the Breach" and as risk management professionals, we should do what we can to make 2012 the "Year of Security" (Jan 4, 2012). However, according to Financial Times, that may be easier said than done (Risk Managers' Uphill Task).

"The importance of risk management will increase in 2012, said more than 90 per cent of risk managers in a survey, but the biggest challenge they have is demonstrating the value of risk management."

This means that if you are in risk management or information security, you are simply an adviser. In reading "IT Risk: Turning Business Threats Into Competitive Advantage," the authors stated that risk management is not just one department's job, but should be integrated into the organizational culture of an organization so it is merely part of the job. The Financial Times seems to agree:

"The risk managers agreed the single most important development for risk management would be a change in organizational cultures that led to a better defined risk appetite."

Another article also stressed the importance of CISOs impressing on their organizations that security is no minor concern (EC-Council Encourages CISOs To Adopt A New Risk Management Process To Prevent Information Security Breaches).

"The damage created by the highly publicized security breaches in 2011 has many Chief Information Security Officers (CISOs) seeking alternative ways to create strategies to manage risk. A new risk management process called Business Wargaming will help the CISO forecast future scenarios and build better proactive and reactive strategies."

Business wargaming allows a CISO to not only prevent the most common breaches, but enables the CISO to predict and prevent future breaches. This is because with the new technology such as smart phones, iPads, Cloud technology, and such, the conventional way of risk management is no longer as effective.

Want to know more about wargaming? Click here: Wargaming For Chief Information Security Officers.

While it may take some upper management outside the realm of IT some convincing that information security is as important as customer satisfaction and sales, the one thing that I have run into isn't that kind of apathy, but rather ignorance of information security altogether.

When working with Sears, the owner didn't even know that information security existed and became the victim of refund fraud. During a recent job interview, I was almost not hired because the interviewer thought that cybersecurity was for organizations like the military and DoD and thought the base would snatch me up. He did not know that cybersecurity was for everyone from the PC at home to government top secret classified information.

Perhaps information security's worst enemy is ignorance, not apathy. One thing is for sure: both are a recipe for disaster for any organization. It's our job to hit these organizations with the 2 x 4 of truth before the 2 x 4 of reality hits. We do this by closing the language barrier and ending the segregation of positions. Upper management needs to be tightly connected to IT and IT tightly connected to upper management so that security becomes part of the organizational culture. While they are connected, they can both focus on the same objective of that organization, but instead of competing for resources, they become cohesive and aim at the same objective in their own ways.

References:

Grene, Sophia. (2012, February 4). Risk Managers' Uphill Task. Retrieved from http://www.ft.com/cms/s/0/8926d1b0-4e5b-11e1-aa0b-00144feabdc0.html

PRWeb. (2012, February 6). EC-Council Encourages CISOs To Adopt A New Risk Management Process To Prevent Information Security Breaches. Retrieved from http://www.prweb.com/releases/prweb2012/2/prweb9169249.htm

Westerman, George, & Hunter, Richard. (2007). IT Risk: Turning Business Threats Into Competitive Advantage. Boston, MA: Harvard Business School Press.

Thursday, February 2, 2012

Week 8

Another crazy week. I have finally figured out that when you have family, ALWAYS expect emergencies, particularly when you are busiest! Which means, I will soon be duct taping my youngest son up to prevent any more "Superman" accidents.

It's funny how people associate Information Security with hacking, viruses, hard drive crashes, and other such crazy disasters. Not many associate it with politics. As the Internet expands in how it is used, it was only a matter of time before politics got involved. After taking the Information Warfare class, I seriously began to ponder whether physical war would become obsolete. Will World War III be conducted by buttons and joysticks in a virtual battleground? Over where I live, they are conducting many experiments on unmanned airplanes and stuff.

On top of it all, there are laws being passed left and right. One set protects privacy, another states that privacy only creates a national security risk. It's enough to drive a person insane!

In Letter To Congress, Google Defends Privacy Changes

In case you don't know, sites like Google.com, Facebook, Myspace, and other social networks and search engines are watching you. They track what you say on your updates, what your likes and dislikes are, and what you search on a regular basis. They are collecting data on your surfing habits. This allows for the sites to put up ads that you might be interested in. It also creates privacy issues as sometimes that information is sold to third parties which could inundate you with lots of spam.

Google is changing its privacy policies, which has people in an uproar. Google claims that the privacy of their users will still be protected and that the same data that was collected before would be collected after the new policies are implemented, but others aren't quite sure. Remember, Google is still being sued in the States for sniffing packets from unprotected WiFi routers in private homes. Internet privacy has yet to be determined.

Let's face it, the minute you log in, you might as well be naked to the world. Because in Cyberspace, privacy is nonexistent.

My next story I kind of found amusing. For me it was a no brainer. Information is currency. The more information you get, the more money you can make. It was about time the creators of malware started their own business! Zeus Trojan for sale! Come and get it!

For 'Malware as a Service' Merchants, Business Is Booming

Bet you were wondering where those Script Kiddies were getting their hacking software from, huh?

They are malware merchants; in the business of helping others steal from legitimate businesses and innocent consumers. And they have evolved to the point where they operate much like the legitimate software industry. It is possible to buy malware from what amounts to an app store, or to contract for Malware as a Service (MaaS).

Well, shoot, if they are being that open about it, why aren't they getting caught? Well, apparently, most of the people selling these services are using an "Onion Router." Not knowing what the heck that is, I decided to hit the button on the article and it took me here:

Researchers Show How Attackers Can Crack Onion Router

With that in mind, the only way to get caught is if you honk them off and they tell on you...or your typical adage, "No honor among thieves."

Pretty interesting stuff.

Monday, January 23, 2012

Week 7

I am getting an early start. I am doing a midterm project for Risk Management, so this is one of the assignments I am getting behind me so I can focus on my midterm.

I found this article interesting:

Supreme Court: GPS Tracking Needs Court Warrant

A GPS was installed on a suspect's car and that data was used as evidence to convict a man of drug trafficking. Because it was installed on private property and there was no warrant obtained, the Supreme Court ruled that such collection of data on a person's vehicle is considered a violation of the 4th Amendment. The Department of Justice (DoJ) argued that the suspect had "no reasonable expectation of privacy" because the suspect drove his Jeep on private roads. It did not convince the Supreme Court.

Which kind of reminds me of Google's lawsuit regarding sniffing packets on unsecured WiFi signals.

Going through several classes and meeting many different students from all over the country/world has been a fun experience. However, I noticed that some of my classmates talked about a database called Oracle. Until attending Bellevue, I had never heard of the software. I am very familiar with Access, but what is Oracle? In my job hunts, I have also noted that some employers would like potential employees to be familiar with Oracle. Hmmm...ok.

So, if you know anything about Oracle or you work for an organization that uses Oracle, you might be interested in this article:

The Oracle Flaw: Clarifications and More Information

Apparently, there is a bug in the System Change Number (SCN).

The patch will indeed prevent a database from accepting an elevated SCN that could cause that database to hit the soft limit during normal processing and cause problems ranging from lost transactions to a database shutdown. But it may also interfere with normal operations if the calling database has an elevated SCN acquired through a bug or other means. This means that a database with a sufficiently elevated SCN may not be able to link with patched databases until enough time has elapsed to push its SCN below the new, second limit.

Sounds pretty gnarly, and with more and more companies using Oracle for their databases, this could quickly become a serious problem that CIOs need to address before it ends up costing organizations a lot of money.

Depending on time constraints, I may add more for Week 7, particularly if I find something really interesting.

Well! I did find something interesting!!!

How To Prevent Thumb Drive Disasters

For such a small device, the plastic, handheld USB flash drive can cause big security headaches. 
Because of the security risks involved with USB flash drives, it has been suggested that an organization should go around and 

Use clear silicone caulk and fill every USB port on every PC to prevent USB attachments.

That's...ummm...pretty severe! But perhaps necessary. Everyone is tempted to "personalize" their computers at work. Makes it "their own" at the job. However, when you bring in those personal photos or MP3 music from home and your home computer is not virus-free, this can create a huge problem in the workplace. There is also the point that in the private sector (the military does not allow USB thumb drives and has already sealed the ports), USB drives are sometimes vital when an employee needs to do their job.

The article gives four examples of how organizations are dealing with USB thumb drives. But the author makes this point at the end that, unless you seal your USB ports:

Whether the chosen security approach is to allow only one approved thumb drive, prompt users for the reasons they need to copy data, allow only Microsoft Office transfers, or classify files for approved transfers, each technique addresses one simple reality: Employees will use thumb drives, and they will find ways to continue using them.

I couldn't have said it better myself.

Sunday, January 22, 2012

Week 6

In researching for Information Security Training Programs, I found this website because one of the sites had a hyperlink to it. Of course, since the topics piqued my interest, I did more searching and found these two articles:

Government Engineers Actively Plan For Cyberwar

and

Managing Information Security In An Innovation Void

A while back, I did some research on RFID and found the information rather disturbing. I was excited for the find and posted it on the same forum that I mentioned. Of course, there are always people that will tell you that you are paranoid and the sky is not falling.

While this is not about RFID, Cyberwar is just as touchy a subject but the word gives it a menacing feel. Is the government overreacting?

In doing research for CIS 610: Information Warfare, I found that China has been our biggest attacker in regards to cyberwarfare and it has been that way for years.

If governments start launching large-scale electronic responses to attacks, such as unleashing viruses and worms meant to neutralize an attack, or conducting denial-of-service attacks designed to knock adversaries offline, enterprises had better brace for the potential for collateral damage. "Once released, no one really knows what the impact could have on certain systems and networks," [says Pete Lindstrom].

This goes back to last week's blog. While viruses are used to "fix" what other viruses "broke," it is only a matter of time before those "helpful" viruses are turned to cause more problems. The thing is, with this article being written just a few days ago, hasn't our government been working on this for years to prepare for cyberwar? Isn't that why President Obama wanted to institute an "Internet Kill Switch"? Is our country, our government, prepared for a cyberattack that is inevitable? Will we be defeated in Cyberspace or conquer in Cyberspace?

The second story I chose was based on its title only. Security management in an innovation void? The phrase innovation void is what got my attention. I had to read it just to see what the article was talking about!

Peter Kuper says,

In 2012 we will see an increase in network intrusions from disparate parties trying to create IT infrastructure chaos for a variety of reasons primarily political, financial and economic. An easy prediction perhaps given the trend and yet while I fully trust CSOs and CISOs and security teams are doing all they can to prevent breaches; I am deeply concerned that they still lack the technology to adequately protect IT infrastructure from malicious attacks.

That's a pretty bold statement. After all, isn't installing patches for their OS and updating their security software enough? He further explains,

There are several reasons for this state of unpreparedness. Budget constraints certainly continue to be an issue even as the U.S. economy plods along in recovery mode. However, the more disconcerting limiting factor is beyond the direct control of infosec executives: the scarcity of innovation in the information security industry.

Ok, budget constraints I can buy, but "scarcity of innovation"? I'm not sure about that. However, he redeems himself with me when he states that we should be innovators of our own security. I can buy that.

Resources such as The Honeynet Project offer challenges that help us think outside the box when it comes to security. After all, our attackers are doing whatever they can to either make money or to take over. This means that we have to outthink them, and we can only do that if we utilize the tools that others make available to us.

Another site is Hackers Thirst, which is a site aimed at educating people on how to make their systems more secure.

Finally, just because you attend a DEF CON conference, doesn't make you an evil hacker. While hackers of the malicious kind do attend, such conferences help educate people involved in Information Security regarding various techniques. Also, it helps to be a hacker to understand how to prevent your system from being hacked. The next DEF CON conference is July 26 - 29. I intend to be there!!!