Saturday, November 19, 2011

Final post


Looking back through my blogs I would have to say I had a variety of topics like physical security, cybercrime law and contingency planning to name a few. My selection of topics was generally what caught my interest at the time if I couldn't find anything to relate to the current week's material.

I admit there were some subjects that I couldn't pass up since I felt they will be something to really consider in the future like being able to take control of certain automotive systems with a cell phone. Another one that was interesting was how a supposedly closed system for the U.S. drone fleet had what seemed to be key logger software uploaded on the system.

I liked the piece about McAfee developing security tools to run at the processor level with Intel as well as the one about a phone hack that would use the accelerometer in a smart phone to determine the keystrokes from nearby computers.

I don't think it mattered just what topic anyone wanted to address for their weekly blog just as long as they were researching current trends and forming an opinion on what they read. It is interesting to see who tends to go outside the box in their analysis as it makes the read more interesting.

Sunday, November 13, 2011

IT certifications

As discussed in class, there are a multitude of certifications that an IT professional can acquire. While there are governing bodies for these certifications such as ISC2 for CISSP certification, some do not measure up to others.

It is my opinion that a national standard, at a minimum, across all disciplines be established so that all IT workers have an opportunity to be called a true "professional". What I mean is that a network engineer should have a requisite number of certifications to be considered an engineer, otherwise they are still considered a network administrator.

Everyone knows that a certification doesn't mean much if the job the individual is "certified" in can't be done. That is why there should be other requirements put in place that must be met before a full certification is granted such as time doing the job.

This would not only help standardize the general knowledge base of IT professionals, but also justify higher salaries.

Tuesday, November 1, 2011

Phone hack logs keystrokes from nearby computers

Matt Liebowitz reported on Security News Daily dated 21 Oct 2011 that if there's a smartphone resting somewhere near your computer right now, it could be logging everything you type into your desktop keyboard and sending that information back to a hacker.

Students at Georgia Tech's School of Computing conducted a proof-of-concept hack to demonstrate how, by tapping into a smartphone's accelerometer, which measures the vibrations of the device, they were able to infer what a target was typing on a keyboard placed near the phone with up to 80 percent accuracy.

The hack works by detecting pairs of keystrokes, rather than individual keys. The researchers used the word "Canoe" as an example. Typed, the word canoe can be broken down into four pairs of keystrokes, C-A, A-N, N-O and O-E.

"Those pairs then translate into the detection system's code as follows: Left-Left-Near, Left-Right-Far, Right-Right-Far and Right-Left-Far…This code is then compared to the preloaded dictionary and yields 'canoe' as the statistically probable typed word," the researchers said.

The method takes some work, and would require the targeted phone to download a specific application to allow the attackers to turn on the keylogger. But, as seen in millions of Internet scams every day, it isn't difficult to convince someone on the Internet to click a link. And once the keylogger is activated, the technology hidden inside the new generation of smartphones makes the attack that much easier.
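The keystroke-pair encoding described above can be sketched as follows. This is an added example, not code from the original post or from the Georgia Tech researchers; the key grid, the left/right split, the `NEAR_THRESHOLD` value and the sample dictionary are assumptions chosen for illustration. It shows that several words can share one pair code, which is why the dictionary lookup yields only a statistically probable word.

```python
# Added illustration of the Left/Right + Near/Far pair code from the post.
# The grid, the left/right split and NEAR_THRESHOLD are assumptions.
from math import hypot

ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]
# (column, row) position of each key on a simple unstaggered grid (assumed)
POS = {ch: (col, row) for row, keys in enumerate(ROWS) for col, ch in enumerate(keys)}
LEFT = set("qwertasdfgzxcvb")   # assumed left half of the keyboard
NEAR_THRESHOLD = 3.0            # in key widths; assumed value


def side(ch):
    """Which half of the keyboard a key sits on."""
    return "Left" if ch in LEFT else "Right"


def encode(word):
    """Return one 'Side-Side-Distance' label per consecutive key pair."""
    word = word.lower()
    labels = []
    for a, b in zip(word, word[1:]):
        (x1, y1), (x2, y2) = POS[a], POS[b]
        dist = "Near" if hypot(x2 - x1, y2 - y1) < NEAR_THRESHOLD else "Far"
        labels.append(f"{side(a)}-{side(b)}-{dist}")
    return labels


def candidates(observed, dictionary):
    """Dictionary words whose pair code equals the observed code."""
    return sorted(w for w in dictionary if encode(w) == observed)


# Constructed sample dictionary; a real word list would be far larger.
DICTIONARY = ["canoe", "tenor", "senor", "canon", "cable", "panic", "table"]

if __name__ == "__main__":
    code = encode("canoe")
    print(code)                          # the four labels quoted in the post
    print(candidates(code, DICTIONARY))  # every word sharing that code
```

With this constructed dictionary, "senor" and "tenor" produce the same four labels as "canoe", so the code alone does not identify the word.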

My take on this is we don't have to worry about this type of vulnerability just yet. I think that this would depend on the proficiency of the typist for it to work. How would it fare with a hunt-and-peck typist? It also doesn't mention how close the phone would have to be to the keyboard to detect the vibrations. What happens if you have a keyboard from Apple or a soft touch keyboard where you don't hear the clatter of the keys when typing? What about picking up sound from other nearby systems?

I also don't see how this is much different than placing a standard cell phone in a diagnostic mode where it is constantly transmitting everything that the microphone picks up. This would serve the same purpose and negate the need to transmit the information later.