Monday, January 23, 2012

Week 7

I am getting an early start. I am doing a midterm project for Risk Management, so this is one of the assignments I am getting behind me so I can focus on my midterm.

I found this article interesting:

Supreme Court: GPS Tracking Needs Court Warrant

A GPS was installed on a suspect's car and that data was used as evidence to convict a man of drug trafficking. Because it was installed on private property and there was no warrant obtained, the Supreme Court ruled that such collection of data on a person's vehicle is considered a violation of the 4th Amendment. The Department of Justice (DoJ) argued that the suspect had "no reasonable expectation of privacy" because the suspect drove his Jeep on private roads. It did not convince the Supreme Court.

Which kind of reminds me of Google's lawsuit regarding packet sniffing and sniffing packets on unsecure WiFi signals.

Going through several classes and meeting many different students all over the country/world has been a fun experience. However, I noticed that some of my classmates talked about a database called Oracle. Until attending Bellevue, I had never heard of the software. I am very familiar with Access, but what is Oracle? In my job hunts, I have also noted that some employers would like potential employees to be familiar with Oracle. Hmmm...ok.

So, if you know anything about Oracle or you work for an organization that uses Oracle, you might be interested in this article:

The Oracle Flaw: Clarifications and More Information

Apparently, there is a bug in the System Change Number (SCN).

The patch will indeed prevent a database from accepting an elevated SCN that could cause that database to hit the soft limit during normal processing and cause problems ranging from lost transactions to a database shutdown. But it may also interfere with normal operations if the calling database has an elevated SCN acquired through a bug or other means. This means that a database with a sufficiently elevated SCN may not be able to link with patched databases until enough time has elapsed to push its SCN below the new, second limit.

Sounds pretty gnarly and with more and more companies using Oracle for their databases, this could quickly become a serious problem that CIOs need to address before it ends up costing organizations a lot of money.

Depending on time constraints, I may add more for Week 7, particularly if I find something really interesting.

Well! I did find something interesting!!!

How To Prevent Thumb Drive Disasters

For such a small device, the plastic, handheld USB flash drive can cause big security headaches.

Because of the security risks involved with USB flash drives, it has been suggested that an organization should go around and

Use clear silicone caulk and fill every USB port on every PC to prevent USB attachments.

That's...ummm...pretty severe! But perhaps necessary. Everyone is tempted to "personalize" their computers at work. Makes it "their own" at the job. However, when you bring in those personal photos or MP3 music from home and your computer is not virus free, this can create a huge problem in the workplace. There is also the point that in the private sector (military does not allow USB thumb drives and has already sealed the ports), USB drives are sometimes vital when an employee needs to do their job.

The article gives four examples as to how organizations are dealing with USB thumb drives. But the author makes this point at the end that unless you seal your USB ports:

Whether the chosen security approach is to allow only one approved thumb drive, prompt users for the reasons they need to copy data, allow only Microsoft Office transfers, or classify files for approved transfers, each technique addresses one simple reality: Employees will use thumb drives, and they will find ways to continue using them.

I couldn't have said it better myself.


Sunday, January 22, 2012

Week 6

In researching for Information Security Training Programs, I found this website because one of the sites had a hyperlink to it. Of course, since the topics piqued my interest, I did more searching and found these two articles:

Government Engineers Actively Plan For Cyberwar

and

Managing Information Security In An Innovation Void

A while back, I did some research on RFID and found the information rather disturbing. I was excited for the find and posted it on the same forum that I mentioned. Of course, there are always people that will tell you that you are paranoid and the sky is not falling.

While this is not about RFID, Cyberwar is just as touchy a subject but the word gives it a menacing feel. Is the government overreacting?

In doing research for CIS 610: Information Warfare, I found that China has been our biggest attacker in regards to cyberwarfare and it has been that way for years.

If governments start launching large-scale electronic responses to attacks, such as unleashing viruses and worms meant to neutralize an attack, or conducting denial-of-service attacks designed to knock adversaries offline, enterprises had better brace for the potential for collateral damage. "Once released, no one really knows what the impact could have on certain systems and networks," [says Pete Lindstrom].

This goes back to last week's blog. While viruses are used to "fix" what other viruses "broke", it is only a matter of time before those "helpful" viruses are turned to cause more problems. The thing is, with this article being written just a few days ago, hasn't our government been working on this for years to prepare for cyberwar? Isn't that why President Obama wanted to institute an "Internet Kill Switch"? Is our country, our government, prepared for a cyberattack that is inevitable? Will we be defeated in Cyberspace or conquer in Cyberspace?

The second story I chose was based on its title only. Security management in an innovation void? The phrase innovation void is what got my attention. I had to read it just to see what the article was talking about!

Peter Kuper says,

In 2012 we will see an increase in network intrusions from disparate parties trying to create IT infrastructure chaos for a variety of reasons primarily political, financial and economic. An easy prediction perhaps given the trend and yet while I fully trust CSOs and CISOs and security teams are doing all they can to prevent breaches; I am deeply concerned that they still lack the technology to adequately protect IT infrastructure from malicious attacks.

That's a pretty bold statement. After all, isn't installing patches for their OS and updating their security software enough? He further explains,

There are several reasons for this state of unpreparedness. Budget constraints certainly continue to be an issue even as the U.S. economy plods along in recovery mode. However, the more disconcerting limiting factor is beyond the direct control of infosec executives: the scarcity of innovation in the information security industry.

Ok, budget constraints I can buy, but "scarcity of innovation"? I'm not sure about that. However, he redeems himself with me when he states that we should be innovators of our own security. I can buy that.

Resources such as The Honeynet Project offer challenges that help us think outside the box when it comes to security. After all, our attackers are doing whatever they can to either make money or to take over. This means that we have to outthink them and we can only do that if we utilize the tools that others make available to us to allow us to do that.

Another site is Hackers Thirst, which is a site used for educating people on how to make their systems more secure.

Finally, just because you attend a DEF CON conference, doesn't make you an evil hacker. While hackers of the malicious kind do attend, such conferences help educate people involved in Information Security regarding various techniques. Also, it helps to be a hacker to understand how to prevent your system from being hacked. The next DEF CON conference is July 26 - 29. I intend to be there!!!

Sunday, January 15, 2012

Week 5

You wanna know what makes me really grouchy? When government thinks it can control or fix anything and everything. This seems to further expand on last week's blog.

I listen to Air 1 every morning and Thursday morning I heard it announced that President Obama wants to create Internet ID. Seriously??? So, I looked it up and found it here:

Obama Eyeing Internet ID for Americans


Grrrr.

Inter-agency rivalries to claim authority over cybersecurity have existed ever since many responsibilities were centralized in the Department of Homeland Security as part of its creation nine years ago. Three years ago, proposals were circulating in Washington to transfer authority to the secretive NSA, which is part of the U.S. Defense Department.

So, now we have government agencies bickering about who's going to be in charge of this project, people screaming the private sector should be in charge of the project, and I'm trying to figure out who to thwap with my large trout.

Last week, I talked about Martin Libicki's thesis that Cyberspace cannot be conquered. This is because it cannot be owned by anyone. He lists four reasons why Cyberspace cannot be conquered or owned.


  1. Cyberspace is a replicable construct.
  2. To exist in cyberspace, your interactions must be recognized there.
  3. Some aspects of cyberspace nevertheless tend to be persistent (i.e., mathematics).
  4. Cyberspace has separate layers, the conquest of each of which has vastly different meaning.

Let's face it, what is the point in wasting time with such a silly (and expensive, at the taxpayers' dollars) project?

Also, while Iran has similar applications (why are we even considering such an idea from a country like THAT!?), this is because Iran and even China have limited access to certain areas of the Internet already. Is this one step closer to controlling information???

On a lighter note, Symantec is being sued. Apparently, someone has created a new phrase for a certain type of software called "scareware" where a reputable company "scans" your computer and tells you how badly your computer is infected and then you buy their product to fix it. Apparently, some dude didn't like being scared!


Sometimes you just have to shake your head and laugh at the silliness of people.

Gross' beef with Symantec involves the free scans conducted by PC Tools Registry Mechanic, PC Tools Performance Toolkit and Norton Utilities.
He was tricked into paying about $30 to correct the issues that the scans revealed, even though the lawsuit alleges the scans didn't really check for anything, and the resulting product he bought served no purpose.

All I have to say to that is, "Dude, get a second opinion!"


 

Sunday, January 8, 2012

Week 4

Well, being a wannabe politician, lots of things interest me. But there are some things that royally honk me off. In a news story Bumper Crop: Cyber Security Legislation, I found out there are more laws to be passed that may infringe on our privacy. In the article it states, 

“The Cyber Intelligence Sharing and Protection Act would create a cyber security exception to all privacy laws and allow companies to share the private and personal data they hold on their American customers with the government for cyber security purposes,” a statement from the American Civil Liberties Union (ACLU) says. The bill, the group points out, would not limit the companies to sharing only technical, non-personal data.

You know, I'm not a fan of the ACLU, but I have to agree with them here. What bothers me about this whole cyber security legislation though is the fact that, how do you create laws in a part of the world you do not possess or own?? Martin C. Libicki said in his book "Conquest in Cyberspace,"

"This work is entitled not "The Conquest of Cyberspace" but "Conquest in Cyberspace" for a reason... Emphasizing "in"...reflects that while something akin to conquest can be defined for cyberspace, cyberspace itself cannot be conquered in any conventional sense." Cyberspace can be replicated, be in several places at once, it is built.

Do we need to catch those disgusting perverts that sell child pornography on the Internet? YES! But do not create laws that infringe on my privacy or liberty...Ok...off my soapbox...for now

Finally, I found this article: Japan's Plan for 'Good Computer Virus' Sparks Debate

"The words “good” and “virus” may look funny stuck together in a headline, but the words have become a popular way to describe plans by the Japanese government to use a program designed to attack the attackers."

WHAT!? Wait a second! I know what I'll do! I'll go to a thief's house and steal from him before he steals from me first! HA! *facepalm* It would not be long before a virus like this would be turned around for malicious intent...oh wait! It already has! The article points out, 

"the Morris worm was not written to cause damage, he noted. Yet it ended up causing a massive disruption of the Internet in 1988."

You know, for the most part, most computer users are fully aware of the risks they take when they get online. Not all of them may know how to secure their computers, but they do know risks are out there and are willing to accept those risks when they sign up for service with an ISP. Much like a person getting out and getting behind the wheel of a car to go to work. You can only do so much, but inevitably, you will run into that moron who dropped his taco in his lap or is drunk or texting on their cell phone and no matter how much you try to avoid an accident, there are just some things you can't prevent. I witnessed an accident the other day. Someone wasn't paying attention, ran a red light to turn left and was hit by oncoming traffic with the green light. Does this mean we need cars out there that will prevent car accidents? Or get rid of cars altogether?

Just keep the security software updated folks and make sure your customers are up to date on the latest attack. We don't need to complicate things any further. Really, we don't.