Thursday, June 2, 2011

What have I done????

As I look back on past entries, I see that I have failed to limit the focus of my blog to one particular area. Rather, my goal was to discuss current events as they pertain to the information security world. One week I posted some information on why it is important to secure your home network and how this can be done. For this, and the majority of my other blogs, in-depth IT knowledge was not required. I intended to keep it light on the technical side, and focus more on providing valuable information to the common everyday user.

I wrote about things that affected me personally, such as the Sony Online Entertainment Network hack that denied service to many users for several days. This then prompted me to present some information on the hacker group Anonymous. The following week I discussed the penalties currently in place for convicted cyber criminals. My intention was for my blog to follow a path of learning with the topics discussed building upon the prior week’s content.

Basically, I chose topics that I had no previous knowledge about and was curious to know more about. The creation of this blog provided me with the opportunity to research these issues and topics and report my findings to my faithful followers… or Ron. I enjoyed doing it, and learned a lot in the process.

Whether or not this information would be useful to IS professionals is hard to say. I am but only a beginner in the field and have yet to steer my career into a position focused solely on IS/IA. I assumed that Ron likely didn’t learn anything from my blog, and many experienced professionals would likely not derive a lot of new content from my presented findings. However, I like to entertain the idea that my fellow students would enjoy the subject matter. Either way, thanks for keeping up with my blog.

Topics discussed:

Router encryption
Securing your personal network
Anonymous group – hacking
Sony hacked
Cyber crime laws
Government failures in keeping current with government standards
CISSP certification
Smartphone vulnerabilities
…just to name a few.

Sunday, May 29, 2011

Add-on and unauthorized installs

For the past couple of weeks, I have been seeing pop-up reminders informing me that Mozilla has released the new Firefox 4 web browser. Being a big fan of Firefox, I was anxious to see what improvements were made as far as security is concerned. Once I got around to actually installing the updated browser, I immediately noticed that I had acquired the lovely Yahoo toolbar. I say “lovely” in the most sarcastic of ways. I have a strong distaste for commercial toolbars, but I can’t seem to get away from them. They are all over the place and they continue to sneak their way onto my system. Some of the more common are Google, Windows Live, MSN, Alexa, Ask, & AOL, just to name a small few. The developers of these toolbars often brag about many cool features and convenience. Some toolbar installations include “protection” from evil internet content.
In my experience, toolbar protection measures include blocking common web pages and disruption of other software installations. When the software doesn’t know what page or download is being loaded, it is blocked. Personally, I don’t have much use for these toolbars because I, as a user, am not able to derive any real value from them. Instead they just end up cluttering my browser.
While it is important to keep up to date on your software upgrades, package installs can be annoying and in some instances, dangerous. This is just a warning to be aware of what you are installing before it finds its way onto your computer.
Also, just a quick heads up, Win 7 service pack 1 is now available. Might want to ensure you got it.

Friday, May 20, 2011

Smartphone Security

If you are like me, you keep a loose inventory of previous decisions that have greatly benefited your life. Some of mine include choosing to rent as opposed to buying a home, purchasing an 800 dollar Ford Festiva, and changing jobs. In 2009 I converted to a Smartphone against the advice of my friends. This has been an amazing tool that brings convenience to my life. It is basically a mobile computer, which makes me wonder how safe it is to use. Is my phone susceptible to the same kind of attacks that my computer is? Are there any measures that I need to take to protect my phone and the information it contains/handles?



In December of 2010, the European Network and Information Security Agency (ENISA) released a report that investigates the security risks involved with using Smart phones and what can be done to reduce these risks. This report identifies common uses as they pertain to common users, employees, and executives. Being a common user, the information on my phone is not normally sensitive. I have names and numbers, pictures, music, and some account email information. The report claims that most incidents are due to user error. Common reasons for security incidents can be attributed to the following:

· Not properly disposing of phone

· Not setting phone back to factory setting before phone changes hands.

· Network Spoofing Attacks

· Surveillance/shoulder surfing/eavesdropping.

· Malware – financial

· Network Congestion – DoS attack

· Phishing

· Lost or stolen devices



These techniques appear to be similar to the threats users encounter on their home computers. The same awareness and caution will need to be exercised when using your smart phone. Some recommended precautions to observe include:

· Be aware of your surroundings

· Be aware of what apps you download

· Lock your keypad and phone memory

· Reset and wipe memory occasionally



I currently do not conduct much business on my phone. Avoiding online purchases, accessing bank account sites and information, and actions that require my SSN is very important in protecting my sensitive information. The smart phone users who conduct business with their phones have a higher risk of leaking information. Some things to keep in mind: not all apps in the marketplace are safe. Your phone stores information about what you type and sites you visit. The iPhone holds a cache of all words ever typed on the device (with the exception of words entered in password fields). There are many rogue WiFi hotspots out there that intend to intercept and tamper with your network communications. Oftentimes theft occurs by making hidden use of premium SMS services.



Now that we see that cell phones are not immune to attacks, let’s take a look at the effects of the attacks. According to Kiplinger.com, the impact ranges from mild to medium. Some annoying effects of attacks include freezing or slowing phone operations. More advanced attacks can remove numbers and text messages. However, it appears that the impact is relatively minor when compared to some attacks conducted on home PCs and corporate networks.



On a final note, let’s review protection. Companies have come out with and continue to develop antivirus programs for mobile phones. Be aware that some companies may use fear to push their products. However, the fact is that the need for these services is not present. Successful attacks are relatively rare in the US and Asia. Service providers have taken steps to reduce the marketing of these vendors. I’d like to give a tip of the hat and a wave of the finger. First a wave of the finger to these companies for trying to push protection that is not needed for the general public at this time. Of course marketing stuff we don’t need is not a new concept. This is not to say that security software may not be required in the future. Advances in technology could produce a need in time, but for now it appears most of us are ok. Tip of the hat to the service providers for their efforts in protecting the general public from corporate greed. Before we get too sentimental on behalf of the service providers, I think it is obvious that this action is done only to benefit the company itself. The last thing they need is for customers to be worried about hacked cell phones, which would surely result in reduced sales.



I hope this was helpful. Please be advised that this is just the beginning. There is a lot of information out there, and the best thing that we can do to protect ourselves is be educated and aware of the threats and their capabilities.



REFS:

http://www.enisa.europa.eu/act/it/oar/smartphones-information-security-risks-opportunities-and-recommendations-for-users

http://www.zdnet.com/news/is-your-cell-phone-due-for-an-antivirus-shot/146956

http://www.kiplinger.com/businessresource/forecast/archive/smart-phones-under-cyber-attack.html

Sunday, May 15, 2011

Standards Compliance.. Just the beginning.

This week, I would like to speak generally about information security as a whole. In my weekly reading I came across an article that featured an interview with an IS representative from CSC (my current employer). I continued my reading and lost the article, so I am able neither to reference it here nor to tell you the interviewee’s name. However, my fellow associate made a very interesting claim. It was his belief that many companies who bear the responsibility of information security or provide information security services are not completely concerned about protecting digital assets. Many of these companies do not focus their goals on protecting their resources and doing whatever it takes to provide that protection. Rather, companies only do what can be accomplished with minimal inconvenience. Many companies and security groups base their efforts on what others or the majority are doing. By taking those same steps in efforts to safeguard their systems, they can claim that those industry standards have been met. So when an incident does occur, the person responsible can point out that the deployed actions were up to code and that all standards and rules were met. Claiming compliance as an excuse that all reasonable measures were observed will surely convince management that the results of the attack could not have been avoided. Right?

Now, let’s take a quick look at the industry as it pertains to information security. If your company is compliant with industry standards, then it should be safe from attackers and threats. This is not the case when the IS industry is in such bad shape. I look at information security as a war. There are people out there that mean to bring your interests harm. It is the responsibility of everybody associated with that interest to take steps to avoid these attacks. In my opinion, the attackers are very successful. We as protectors of the information are inundated with cases, and giving up more sensitive information every day. Even the major players in the information security field are taking losses. I think that it is obvious that simply doing the bare minimum is not enough.

I of course do not have all the answers, nor do I consider myself any kind of authority in the field of IS. However, from my research thus far, it appears that poor patch management is at the source of many of these successful attacks. I understand that my inexperience may result in some naivety in my understanding of the many processes related to carrying out proper IS programs. However, patch management appears to be kicking our butts, but why? With the assistance of SCCM and other mass software deployment suites, why are so many systems going unprotected? In some cases, systems will need to be manually updated or patched. Gaining access to these systems or making them unavailable for upgrade may not be as easy as it sounds. Keeping up to date on vendor releases may be a tedious task as well. The evaluation and testing of these patches is also a time-consuming requirement.

Either way, it’s a big concern. If you want to catch the silver lining in all this dreary mess, I guess we can all be thankful that our IS job security is looking great!


-MJ

Sunday, May 8, 2011

Risky Business!

This week, I thought I would take the suggestion of our instructor and not discuss the recent Sony PlayStation hack that has caused a disruption in service since mid-April. Instead we will explore the wonderful world of Risk! No, not the board game where people can partake in the epic struggle for world domination. Rather, the ever important task of prioritizing company assets and evaluating their vulnerabilities and their likelihood. Basically, a company wants to know the defense status of their systems as a whole, and conducting a risk assessment is one way to carry out that assessment. Before this week, I was not aware of the detailed processes that make up the risk assessment. The charts presented in this week’s reading made the analytical work much easier, but the number crunching and investigation can be intense.
When looking at the risk assessment process, it is a very large undertaking. It is very important to conduct a thorough and accurate investigation. The results from this process could be a critical piece of information in allowing the IS team to better protect the company’s resources. However, when considering the information security field and all the activities it entails, the risk portion is not the main focus or goal of the system.
The instructor questions if this should be referred to as “information risk” as opposed to “information security”. In my humble opinion, this change is not necessary. I do not intend to take away from the importance of exploring and knowing the risks as they pertain to IT and ultimately, company resources. However, the security measures deployed in response to the risk assessment are of great importance.
On a final note, it is also important to realize that the risk assessment holds different value to different people. For example, the team who is conducting the investigation may be fully aware of the risk and regard these vulnerabilities as critical issues. However, when presented to management, the course of action may be discarded altogether. After all, many companies see these risks and losses as unavoidable and a cost of doing business. Yup, throw money at it! That should do the trick. Thanks for reading everybody!

Sunday, May 1, 2011

Hacktivists -- Hacking for a cause?

The hacking group “Anonymous” has been in the media a lot lately. “Anonymous” was planning to start their attack on the Iranian websites today. In honor of the “oppressed people” of Iran, Anonymous is attacking on International Worker’s Day. A couple of posts from the group read as follows:

"We can see that Iran still suffers at the hands of those in power. Your former government has seized control and tries to silence you ... People of Iran - your rights belong to you. You have the right to free speech and free press, the freedom to assemble and to be safe in your person. You have the right to live free and without fear."

"Though your suffering is great, your strength is greater. Though your trial is long, your will persists. The people of Iran have the admiration of Anonymous, and the entire world."

Anonymous has led other attacks to support causes for the “underdogs” in the past. This group seems to think that hacking accounts and causing security breaches are ok things to do as long as you are going against “the man.” This group is particularly interested in taking down the “Primary Dealers within the Federal Reserve banking system.” The group demands that they “be broken up and held accountable for rigging markets and destroying the global economy effective immediately.”

The Anonymous manifesto:
• We are a decentralized non-violent resistance movement, which seeks to restore the rule of law and fight back against the organized criminal class.
• One-tenth of one percent of the population has consolidated wealth in unprecedented fashion and launched an all-out economic war against 99.9% of the population.
• We are not affiliated with either wing of the two-party oligarchy. We seek an end to the corrupted two-party system by ending the campaign finance and lobbying racket.
• Above all, we aim to break up the global banking cartel centered at the Federal Reserve, International Monetary Fund, Bank of International Settlement and World Bank.
• We demand that the primary dealers within the Federal Reserve banking system be broken up and held accountable for rigging markets and destroying the global economy, effective immediately.
• As a first sign of good faith we demand Ben Bernanke step down as Federal Reserve chairman.
• Until our demands are met and a rule of law is restored, we will engage in a relentless campaign of non-violent, peaceful, civil disobedience.
• In our next communication we will announce Operation Empire State Rebellion.


They recently hacked Sony for going after another hacker, George Hotz. Anonymous believed that Hotz had the right to share the information about Sony’s new system. Sony updated their system to install security patches. The older versions have been “jail broken” by avid users. These users do not recommend an update. Hotz hacked the Sony system and has been taken to court by Sony. This led to the Anonymous attack on Sony.

Anonymous is also infamous for hacking the cyber security firm HBGary. This company is paid to protect their clients and prevent hacking. However, Anonymous was able to get in and change the password of entrepreneur Greg Hoglund’s email. The group helped themselves to loads of information that it later posted for the entire world to see.

The group seems to believe strongly in their cause. Will this group lead to more and more people taking matters into their own hands? Will others try to demand that the government, either our own or other countries, play fair or else? Where will this lead and how long will this group reign before it is taken down? A few companies have tried to learn the identities of the members of this group and have faced the wrath of Anonymous as a result.

-MJ



http://psgroove.com/content.php?852-Sony-s-3.60-Firmware-Update-Goes-Live-Introduces-Cloud-Storage-System

http://playstationlifestyle.net/2011/04/04/hacker-group-anonymous-declare-war-on-sony/

http://www.cnn.com/2011/WORLD/meast/04/30/iran.hackers/

http://www.gmanews.tv/story/219221/technology/anonymous-hackers-group-targets-iran

http://news.cnet.com/8301-31021_3-20058617-260.html?tag=topTechContentWrap;editorPicks

http://news.cnet.com/8301-27080_3-20058700-245.html?tag=topTechContentWrap;editorPicks

http://www.businessweek.com/magazine/content/11_12/b4220066790741.htm?campaign_id=rss_topStories

http://www.zerohedge.com/article/hacker-group-anonymous-brings-peaceful-revolution-america-will-engage-civil-disobedience-unt