Saturday, November 19, 2011

Final post


Looking back through my blogs I would have to say I had a variety of topics like physical security, cybercrime law and contingency planning to name a few. My selection of topics was generally whatever caught my interest at the time if I couldn't find anything to relate to the current week's material.

I admit there were some subjects that I couldn't pass up since I felt they will be something to really consider in the future, like being able to take control of certain automotive systems with a cell phone. Another one that was interesting was how a supposedly closed system for the U.S. drone fleet had what seemed to be keylogger software uploaded on the system.

I liked the piece about McAfee developing security tools to run at the processor level with Intel as well as the one about a phone hack that would use the accelerometer in a smart phone to determine the keystrokes from nearby computers.

I don't think it mattered just what topic anyone wanted to address for their weekly blog, just as long as they were researching current trends and forming an opinion on what they read. It is interesting to see who tends to go outside the box in their analysis, as it makes the read more interesting.

Sunday, November 13, 2011

IT certifications

As discussed in class, there are a multitude of certifications that an IT professional can acquire. While there are governing bodies for these certifications, such as ISC2 for the CISSP certification, some do not measure up to others.

It is my opinion that a national standard, at a minimum, across all disciplines should be established so that all IT workers have an opportunity to be called a true "professional". What I mean is that a network engineer should have a requisite number of certifications to be considered an engineer; otherwise they are still considered a network administrator.

Everyone knows that a certification doesn't mean much if the job the individual is "certified" in can't be done. That is why there should be other requirements put in place that must be met before a full certification is granted such as time doing the job.

This would not only help standardize the general knowledge base of IT professionals, but also justify higher salaries.

Tuesday, November 1, 2011

Phone hack logs keystrokes from nearby computers

Matt Liebowitz reported on Security News Daily dated 21 Oct 2011 that if there's a smartphone resting somewhere near your computer right now, it could be logging everything you type into your desktop keyboard and sending that information back to a hacker.

Students at Georgia Tech's School of Computing conducted a proof-of-concept hack to demonstrate how, by tapping into a smartphone's accelerometer, which measures the vibrations of the device, they were able to infer what a target was typing on a keyboard placed near the phone with up to 80 percent accuracy.

The hack works by detecting pairs of keystrokes, rather than individual keys. The researchers used the word "Canoe" as an example. Typed, the word canoe can be broken down into four pairs of keystrokes, C-A, A-N, N-O and O-E.

"Those pairs then translate into the detection system's code as follows: Left-Left-Near, Left-Right-Far, Right-Right-Far and Right-Left-Far… This code is then compared to the preloaded dictionary and yields 'canoe' as the statistically probable typed word," the researchers said.

The method takes some work, and would require the targeted phone to download a specific application to allow the attackers to turn on the keylogger. But, as seen in millions of Internet scams everyday, it isn't difficult to convince someone on the Internet to click a link. And once the keylogger is activated, the technology hidden inside the new generation of smartphones makes the attack that much easier.
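To make the "pair code" idea concrete, here is an added Python illustration (my own example, not code from the Georgia Tech researchers or the article). It models only the last stage the article describes: translating keystroke pairs into Left/Right and Near/Far classes and matching that code against a preloaded dictionary. The QWERTY grid, the distance threshold of 3 key widths for "near", and the small dictionary are all constructed assumptions; the accelerometer signal processing that the real system needs to obtain these classes is not modelled. Running it shows why the author's accuracy concerns are fair: even with perfect classification, different words can produce the same code, so the dictionary lookup can only return a statistically probable guess.

```python
import math

# Constructed QWERTY layout: key -> (column, row). Stagger is ignored.
ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
KEY_POS = {ch: (col, row)
           for row, keys in enumerate(ROWS)
           for col, ch in enumerate(keys)}

# Assumption for this illustration: a pair closer than 3 key widths is "near".
NEAR_THRESHOLD = 3.0


def side(ch):
    """Columns 0-4 (q-t, a-g, z-b) count as the left half, the rest as right."""
    col, _row = KEY_POS[ch]
    return "L" if col < 5 else "R"


def pair_code(a, b):
    """Classify one consecutive keystroke pair as (side_a, side_b, near|far)."""
    (ax, ay), (bx, by) = KEY_POS[a], KEY_POS[b]
    distance = math.hypot(ax - bx, ay - by)
    return (side(a), side(b), "near" if distance < NEAR_THRESHOLD else "far")


def encode_word(word):
    """'canoe' -> codes for C-A, A-N, N-O, O-E, as in the article's example."""
    word = word.lower()
    return [pair_code(a, b) for a, b in zip(word, word[1:])]


def build_index(dictionary):
    """Preload a dictionary: map each word's pair-code sequence to the words that share it."""
    index = {}
    for word in dictionary:
        index.setdefault(tuple(encode_word(word)), []).append(word)
    return index


def candidates(code, index):
    """Every dictionary word consistent with an observed code sequence (sorted)."""
    return sorted(index.get(tuple(code), []))


# Constructed mini-dictionary; a real system would load a full word list.
DICTIONARY = ["canoe", "canon", "ocean", "not", "nod", "him", "hum", "in", "on"]
INDEX = build_index(DICTIONARY)

if __name__ == "__main__":
    print("canoe ->", encode_word("canoe"))
    for word in ("canoe", "not", "him"):
        print(f"{word!r} code matches: {candidates(encode_word(word), INDEX)}")
```

With this layout, "canoe" encodes to Left-Left-Near, Left-Right-Far, Right-Right-Far, Right-Left-Far, exactly the sequence quoted above, and it is the only word in the small dictionary with that code. "not" and "nod" (and "him" and "hum") collapse to the same code, which is the kind of ambiguity that caps the reported accuracy at around 80 percent.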

My take on this is we don't have to worry about this type of vulnerability just yet. I think that this would depend on the proficiency of the typist for it to work. How would it fare with a hunt-and-peck typist? It also doesn't mention how close the phone would have to be to the keyboard to detect the vibrations. What happens if you have a keyboard from Apple or a soft-touch keyboard where you don't hear the clatter of the keys when typing? What about picking up vibrations from other nearby systems?

I also don't see how this is much different than placing a standard cell phone in a diagnostic mode where it is constantly transmitting everything that the microphone picks up. This would serve the same purpose and negate the need to transmit the information later.

Saturday, October 29, 2011

Kaspersky Lab calls on IT decision makers to participate in a study of IT security risks and challenges

I found this article on News Blaze and decided to Blog about it since we are covering it in class.

Abingdon, UK, 28 October 2011 – Kaspersky Lab, a leading developer of secure content and threat management solutions, has joined forces with The Bathwick Group, a strategic research and consulting company, to discover how companies are using IT to respond to changing business needs. 

Kaspersky Lab created an online questionnaire called "Be Ready Assessment" for companies to complete and then receive a personalized evaluation of their security risks. In return for completing the questionnaire, companies will receive an instant, personalised evaluation of their IT security risks.

 This ‘Be Ready Report’ will provide information on security priorities and potential areas of focus along with suggested next steps and quick wins to help the company prepare for the threats that lie ahead. Participating companies will also benefit from free early access to the full research report and personalised peer comparisons.

I think this is just a marketing ploy for their products. It says that they have empirical data from hundreds of assessments to draw from. I would still be cautious of this since the Be Ready assessment is still dependent on someone at your company filling it out, and an expert is not gathering the data. Assuming that the person filling out the assessment has the expertise, why would you do one of these at all?

It could prove a benefit if you have an inexperienced person, like in our case study, doing the analysis, just so that nothing is missed and a way forward is determined. I would also think that some best practices or benchmarks could be gathered from this report to help sell the recommended controls to management so that risks are mitigated accordingly.

In conclusion, it could go either way whether this would prove a benefit for your organization.

http://newsblaze.com/story/2011102807000500001.we/topstory.html

Wednesday, October 19, 2011

Security tools that run at the processor level

I couldn't believe the article Focus 2011: McAfee unveils Deep Defender and Deep Command security platforms by Shaun Nichols posted on http://www.v3.co.uk/v3-uk/news/2118121/focus-2011-mcafee-unveils-deep-defender-deep-command-security-platforms at first.

McAfee is working with Intel to provide security tools to run at the processor level that will detect rootkit infections and attacks that can't be detected by security tools installed on the operating system. McAfee co-president Todd Gebhart was quoted that there are things coming that will get below the operating system.

The rest of the article broke down what each piece will do. Deep Defender looks to be a host intrusion detection system as it will monitor system activity and take security actions based on behavior. Deep Command will allow administrators to remotely access systems even when powered down.

Enderle Group principal analyst Rob Enderle said, "The interesting thing is that it is a primary virtual machine and it points the way to what is going to happen in the future with servers."

What will prove interesting is how they will keep it updated. Will it be through firmware updates? We all know how badly those can go sometimes. I would hope that they would design it so that the primary virtual machine has a backup stored in a protected area so the machine can be recovered if the primary goes bad.

Curiously, this speculation had nothing to back it up in the article. What is McAfee seeing that would warrant the development of a processor-based security suite? What kind of security issues might this itself present? The saying that the most secure computer is the one that is shut off will no longer be the case.

Monday, October 10, 2011

U.S. drone fleet days numbered?

According to Noah Shachtman in his article "Computer Virus Hits U.S. Drone Fleet" posted in the Danger Room on the Wired web site, a computer virus has infected the cockpits of America's Predator and Reaper drones, logging pilots' every keystroke as they remotely fly missions over Afghanistan and other warzones.

Although it is reported that it has yet to affect mission capabilities, it is a persistent virus that keeps coming back. To get rid of it, they had to do a complete wipe and reload of the affected system. This effectively could take down the fleet for a period of time that could be capitalized on by insurgents.

It was even mentioned that video feeds from drones were found on Iraqi insurgents' laptops because the feeds are not encrypted. One would assume that it is because the risk associated with intercepting a live feed is relatively low. However, given enough footage or data gathered, an analyst could determine commonalities between missions and anticipate the next course of action to counteract it, which would make the drone fleet ineffectual in my opinion.

Does your automotive system need to be protected from malware?

According to Business Wire in the report "McAfee Report on Automotive Systems Finds Prevalent Lack of Security in Today’s Vehicles", it would seem that your vehicle could be susceptible.
The new report from McAfee examines risks associated with cybercriminal activity including:
  • Remotely unlock and start car via cell phone
  • Disable car remotely
  • Track a driver's location, activities and routines
  • Steal personal data from a Bluetooth system
  • Disrupt navigation systems
  • Disable emergency assistance
Most of the features that come in automobiles are supposed to be making the driving experience more palatable for the driver, yet they are also opening vulnerabilities in the same systems that are supposed to help. Can you imagine how many cars might be stolen if you can unlock and start the vehicle with a cell phone? While disabling a vehicle remotely may help the police recover your vehicle, what happens if this is done with the vehicle in motion?

How many consumers are aware that these issues exist? What are the automobile manufacturers doing to secure these systems? What would really prove interesting is how your car would get its updates.


Saturday, October 1, 2011

Online Financial transaction concerns warranted?

Sean Gallagher's article posted on ARS TECHNICA web site reported that a hacking tool which decrypts secure Web requests to sites using the Transport Layer Security 1.0 protocol and SSL 3.0, allowing a person or program to hijack sessions with financial websites and other services has been developed and dubbed BEAST.

It is a man-in-the-middle approach that injects segments of plain text sent by the target's browser into the encrypted request stream to determine the shared key. The code can be injected into the user's browser through JavaScript associated with a malicious advertisement distributed through a Web ad service or an IFRAME in a linkjacked site, ad, or other scripted elements on a webpage. http://arstechnica.com/business/news/2011/09/new-javascript-hacking-tool-can-intercept-paypal-other-secure-sessions.ars


In its current iteration, BEAST would require at least a half-hour to decrypt requests. If your average transaction is only mere minutes, is this vulnerability something that should receive immediate attention? I suppose this is just the price we all have to pay for the convenience of utilizing services that companies like PayPal give us.

Looking through my settings for IE9 shows TLS 1.1 and 1.2 disabled by default. I've read in other comments to this article that enabling these will not make a difference if the server that you are connected to only supports TLS 1.0. It is unclear if implementing the new standards will prevent this attack.
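The point about the server mattering as much as the browser can be checked directly. Below is an added Python example (my own code, not from the article) that acts like a client with only TLS 1.1 and above enabled and reports what a server actually negotiates; a server that supports only TLS 1.0 simply fails the handshake. The `beast_exposure` helper records the combination BEAST needs, TLS 1.0 or SSL 3.0 together with a CBC-mode cipher; TLS 1.1 and later use per-record IVs, which is the protocol change that closes the hole. Assumptions: the host name and port passed to `probe` are whatever you choose to test, and whether the local OpenSSL build still offers TLS 1.0 at all depends on your system.

```python
import socket
import ssl

# OpenSSL names CBC suites without the word "CBC" (e.g. "AES128-SHA"), so the
# practical rule for TLS 1.2 and earlier is: anything that is not AEAD (GCM,
# CCM, ChaCha20) and not the RC4 stream cipher is a CBC suite.
NON_CBC_MARKERS = ("GCM", "CCM", "CHACHA20", "RC4")


def is_cbc_cipher(cipher_name):
    """True for block ciphers in CBC mode, which is what BEAST targets."""
    upper = cipher_name.upper()
    return not any(marker in upper for marker in NON_CBC_MARKERS)


def beast_exposure(version, cipher_name):
    """Classify a negotiated (version, cipher) pair as BEAST-relevant or not.

    version uses the strings Python's ssl module returns: "SSLv3", "TLSv1",
    "TLSv1.1", "TLSv1.2", "TLSv1.3".
    """
    if version in ("SSLv3", "TLSv1") and is_cbc_cipher(cipher_name):
        return "exposed"
    return "not exposed"


def probe(host, port=443, minimum=ssl.TLSVersion.TLSv1_1, timeout=5.0):
    """Connect offering only TLS >= minimum (like IE9 with 1.1/1.2 enabled).

    Returns (negotiated_version, cipher_name, exposure) or None when the
    handshake fails, e.g. because the server supports nothing above TLS 1.0.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = minimum
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cipher_name, _protocol, _bits = tls.cipher()
                version = tls.version()
                return version, cipher_name, beast_exposure(version, cipher_name)
    except (ssl.SSLError, OSError):
        return None


if __name__ == "__main__":
    import sys
    # Usage: python probe_tls.py <hostname>; the host name is your own choice.
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    result = probe(host)
    print(f"{host}: {'handshake failed with TLS >= 1.1 only' if result is None else result}")
```

If `probe` returns `None` for a site, then enabling TLS 1.1/1.2 in the browser changes nothing for that site, which is the situation the comments describe; the fix has to come from the server side.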

This goes back to what has been drilled into my head since starting my degree concentration: staying current on patch management and on current security threats. Maybe receiving this kind of attention is what this needs. It will force the adoption of the newer standards to plug holes that were previously treated as accepted risk. If the customer doesn't feel secure, will they continue to use your service? It is all about the money, isn't it?

Wednesday, September 21, 2011

Contingency Planning for home use

This week's chapter is dealing with the fundamentals of contingency planning and it reminded me of a phone call I got from my younger brother about a computer problem he was experiencing recently. Most home users would not likely have any kind of contingency plan in place or even considered until it is too late as in my brother's case.

You see, he said he started to develop intermittent problems with shutting down his computer and the only way to shut it down was to do a hard shut off. It is hard to determine what the problem could have been when just talking with him on the telephone, but it could have been due to a virus, power issues, motherboard or CPU just gave up, etc.

What made him call me was because his college homework that was due in two days was still on his hard drive and he had no way of retrieving it. He did not want to hear the lecture of having a removable backup of important files when your computer is considered fairly old or other factors that could render his computer unusable.

Now coming up with a plan to mitigate some of the risks that you are exposed to in a home environment isn't that difficult. First, he should have identified possible incidents he would be susceptible to in his environment. He did say that the house he is renting did not have grounded power for starters.

This could have contributed to his system failing and may have been prevented if he ran his computer off of an uninterruptible power supply that regulates the power the computer is using. This wouldn't help with his data access issue, though. Important files should be backed up on an external drive at the very least; he would still have his files even though the computer died. Another alternative would have been for him to email the files to himself or even upload them to a free online storage service.
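A backup you have never checked is only a hope, so here is an added Python example (mine, not something from the chapter) of the external-drive step done with verification: it copies a folder tree to a backup location, writes a manifest of SHA-256 hashes, and later re-hashes the copies to report anything missing or altered. The `demo` function builds a small constructed "Documents" folder in a temporary directory so the script runs anywhere; in real use you would point `backup_tree` at your own documents folder and the mounted external drive.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"


def sha256_of(path):
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def backup_tree(src, dst):
    """Copy every file under src into dst and record relative path -> sha256.

    copy2 keeps timestamps, which makes later 'which copy is newer' questions
    answerable. The manifest is written next to the copies so the drive is
    self-describing.
    """
    src, dst = Path(src), Path(dst)
    manifest = {}
    for path in sorted(p for p in src.rglob("*") if p.is_file()):
        rel = path.relative_to(src)
        target = dst / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, target)
        manifest[rel.as_posix()] = sha256_of(path)
    (dst / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(dst):
    """Return the relative paths whose copy is missing or no longer matches the manifest."""
    dst = Path(dst)
    manifest = json.loads((dst / MANIFEST_NAME).read_text())
    problems = []
    for rel, expected in manifest.items():
        copy = dst / rel
        if not copy.is_file() or sha256_of(copy) != expected:
            problems.append(rel)
    return problems


def demo():
    """Constructed scenario: back up a tiny Documents folder, verify, then damage one copy."""
    with tempfile.TemporaryDirectory() as tmp:
        docs = Path(tmp) / "Documents"
        (docs / "school").mkdir(parents=True)
        (docs / "school" / "essay.txt").write_text("homework due in two days\n")
        (docs / "notes.txt").write_text("buy a UPS for the ungrounded outlet\n")

        external = Path(tmp) / "external_drive"  # stands in for the USB drive
        backup_tree(docs, external)
        clean = verify_backup(external)            # expected: no problems

        (external / "notes.txt").write_bytes(b"bit rot")  # simulate a damaged copy
        damaged = verify_backup(external)          # expected: ["notes.txt"]
        return clean, damaged


if __name__ == "__main__":
    before, after = demo()
    print("problems right after backup:", before)
    print("problems after one copy was damaged:", after)
```

Re-running `verify_backup` every time the drive is plugged in is the cheap habit that turns "I have a backup" into "I have a backup that restores".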

He, like so many regular users, never even considered something like this would happen to him. It is a hard lesson to learn, but having a contingency plan even at home is a necessity depending on what you store on your computer.

Friday, September 16, 2011

Financial Industry Vulnerable to Cyberattacks

This article was found in the National Journal and was written by Josh Smith on 14 September 2011. It can be found at http://www.nationaljournal.com/daily/analysts-financial-industry-vulnerable-to-cyberattacks-20110914

I found the article mainly rehashing what we already know. Current laws are not adequate to stop the loss of money and information. The lack of employee education and training also makes the attacks that much easier.

"In a Sept. 2 security bulletin, the Homeland Security Department warned that the hacker group Anonymous has been using social media to ask employees at financial institutions for help gaining access to their networks." (Smith, 2011)

So no matter what best practices are implemented by an institution, the recurring theme is that employees tend to be the weak link in the security plan. If this is a known deficiency, why does it seem that nobody talks about training the employees?  I have never seen what institutions spend on training employees and giving customers a better awareness. Is this an accepted risk the financial industry is willing to take due to the cost?

Friday, September 9, 2011

Cybercrime Law

I found an article on the InfoWorld website. Grant Gross of the IDG News Service reported on 8 September 2011 that the main U.S. law targeting cybercrime may need to be changed because it has allowed law enforcement agencies to target people who simply violate websites' terms of service or their employers' computer use policies, two senators said Wednesday.

The article goes on to say that the law needs to better define what counts as illegal access to computers. What caught my attention about the article was that the law was being used to prosecute some people for violating computer use policies rather than going after actual computer crimes. Under the current law, employees could be charged with a crime if they access personal email or check the weather online in violation of their companies' computer use policies.

I wonder what companies would go to that kind of extreme and how they would enforce the policy fairly. How will they be able to differentiate between an acceptable use policy violation and a computer crime and still have enough teeth in the law to make a difference?

Tuesday, September 6, 2011

Physical Security

As mentioned in previous classes, the insider threat is the biggest threat to deal with in the IT field. Today, I will talk about the various ways the physical security of your systems can be administered.

The layout of your facility and how much you are willing to spend on security will determine how tight your security can be made. Let's first look at a few ways that this can be accomplished. A few methods would be guards physically controlling access using access lists, or mechanical or electro-mechanical locks on the doors to gain entry.

Each of these by itself can be defeated with some effort, but combining them creates a different dynamic called layered security. This term will be used quite often throughout most discussions about security.

If you have the luxury of a big budget for security, you can tighten it further with security cameras, biometric scanners, and stand-off areas to gain access to sensitive areas. There has to be a point where a security specialist accepts that the security in place is good enough; otherwise, the budget for security alone could become too large.

Any one of these methods is better to have than nothing at all as you tend to see in a lot of businesses.