As I look back on past entries, I see that I have failed to limit the focus of my blog on one particular area. Rather, my goal was to discuss current events as they pertain to the information security world. One week I posted some information on why it is important to secure your home network and how this can be done. For this, and the majority of my other blogs, an in depth IT knowledge was not required. I intended to keep it light on the technical side, and focus more on providing valuable information to the common everyday user.
I wrote about things that affected me personally, such as the Sony Online Entertainment Network hack that denied service to many users for several days. This then prompted me to present some information on the hacker group Anonymous. The following week I discussed the penalties currently in place for convicted cyber criminals. My intention was for my blog to follow a path of learning with the topics discussed building upon the prior week’s content.
Basically I chose topics that I have no previous knowledge about, and was curious to know more. The creation of this blog provided me with the opportunity to research these issues and topic and report my findings to my faithful followers… or Ron. I enjoyed doing it, and learned a lot in the process.
Whether or not this information would be useful to IS professionals is hard to say. I am but only a beginner in the field and have yet to steer my career into a position focused solely on the IS/IA. I assumed that Ron likely didn’t learn anything from blog, and many experienced professionals would likely not derive a lot of new content from my presented findings. However, I like to entertain the idea that my fellow students would enjoy the subject matter. Either way thanks for keeping up with my blog.
Topics discussed:
Router encryption
Securing your personal network
Anonymous group – hacking
Sony hacked
Cyber crime laws
Government failures in keeping current with government standards
CISSP certification
Smartphone vulnerabilities
…just to name a few.
Thursday, June 2, 2011
Sunday, May 29, 2011
Add-on and unauthorized installs
For the past couple weeks, I have been seeing pop up reminders informing me that Mozilla has released the new firefox 4 web browser. Being a big fan of firefox, I was anxious to see what improvements was made as far as security is concerned. Once I got around to actually installing the updated browser, I immediately noticed that I had acquired the lovely Yahoo toolbar. I say “lovely” in the most sarcastic of ways. I have a strong distaste for commercial toolbars, but I can’t seem to get away from them. They are all over the place and they continue to sneak their way onto my system. Some of the more common are Google, Windows
Live, MSN, Alexa, Asks, & AOL, just to name a small few. The developers of these toolbars often brag many cool features and convenience. Some toolbar installations include “protection” from evil internet content.
In my experience, toolbar protection measures include blocking common web pages and disruption of other software installations. When the software doesn’t know what page or download is being loaded, it is blocked. Personally, I don’t have much use for these toolbars because I, as a user am not able to derive any real value from them. Instead they just end up cluttering my browser.
While it is important to keep up to date on your software upgrades, package installs can be annoying and in some instances, dangerous. This is just a warning to be aware of what you are installing before it finds its way onto your computer.
Also, just a quick heads up, Win 7 service pack 1 is now available. Might want to ensure you got it.
Live, MSN, Alexa, Asks, & AOL, just to name a small few. The developers of these toolbars often brag many cool features and convenience. Some toolbar installations include “protection” from evil internet content.
In my experience, toolbar protection measures include blocking common web pages and disruption of other software installations. When the software doesn’t know what page or download is being loaded, it is blocked. Personally, I don’t have much use for these toolbars because I, as a user am not able to derive any real value from them. Instead they just end up cluttering my browser.
While it is important to keep up to date on your software upgrades, package installs can be annoying and in some instances, dangerous. This is just a warning to be aware of what you are installing before it finds its way onto your computer.
Also, just a quick heads up, Win 7 service pack 1 is now available. Might want to ensure you got it.
Friday, May 20, 2011
Smartphone Security
If you are like me, you keep a loose inventory on previous decisions that have greatly benefited your life. Some of mine include choosing to rent as opposed to buying a home, purchasing an 800 dollar Ford Festiva, and changing jobs. In 2009 I converted to a Smartphone against the advice of my friends. This has been an amazing tool that brings convince to my life. It is basically a mobile computer, which makes me wonder how safe it is to use. Is my phone susceptible to the same kind of attacks that my computer is? Are there any measures that I need to take to protect my phone and the information it contains/handles?
In December of 2010, the European Network and Information Security Agency (ENISA) released report that investigates the security risks involved with using Smart phones and what can be done to reduce these risks. This report identifies common uses as it pertains to common users, employees, and executives. Being a common user, the information on my phone is not normally sensitive. I have names and numbers, pictures, music, and some account email information. The report claims that most incidences are due to user error. Common reasons for security incidents can be attributed to the following:
· Not properly disposing of phone
· Not setting phone back to factory setting before phone changes hands.
· Network Spoofing Attacks
· Surveillance/shoulder surfing/eavesdropping.
· Malware – financial
· Network Congestion –dos attack
· Phishing
· Lost or theft devices
These techniques appear to be similar to the threats users encounter on their home computers. The same awareness and caution will need to be exercised when using your smart phone. Some recommended precautions to observe include:
· Be aware of your surroundings
· Be aware of what apps you download
· Lock your keypad and phone memory
· Reset and wipe memory occasionally
I currently do not conduct much business on my phone. Avoiding online purchases, accessing bank account sites and information, and actions that require my SSN, is very important in protecting my sensitive information. The smart phone users who conduct business with their phones have a higher risk of leaking information. Some things to keep in mind is that Not all apps in the marketplace are safe. Your phone stores information about what you type and sites you visit. Iphone holds a cache of all words ever typed on the device (with exception to words entered in password fields). There are many rogue WiFi hotspots out there that intend to intercept and tamper with your network communications. Often time’s theft occurs by making hidden use of premium SMS services.
Now that we see that cell phones are not immune to attacks, lets take a look at the effects of the attacks? According to Kiplinger.com impact ranges from mild to medium. Some annoying effects of attacks include freezing or slowing phone operations. More advanced attacks can remove numbers and text messages. However, it appears that the impact is relatively minor when compared to some attacks conducted on home PC’s and corporate networks.
On a final note, let’s review protection. Companies have come out with and continue to develop antivirus programs for mobile phones. Be aware that some companies may use fear to push their products. However, the fact is that the need for these services is not present. Successful attacks are relatively rare in the US and Asia. Service providers have taken steps to reduce the marketing of these vendors. I’d like to give a tip of the hat and a wave of the finger. First a wave of the finger to these companies for trying to push protection that is not needed for the general public at this time. Of course marketing stuff we don’t need is not a new concept. This is not to say that security software may not be required in the future. Advances in technology could produce a need in time, but for now it appears most of us are ok. Tip of the hat to the service providers for their efforts in protecting the general public from corporate greed. Before we get too sentimental on behalf of the service providers, I think it is obvious that this action is don’t only to benefit the company itself. The last thing they need is for customers to be worried hacked cell phones which would surely result in reduced sales.
I hope this was helpful. Please be advise that this is just the beginning. There is a lot of information out there, and the best thing that we can do to protect ourselves is be educated and aware of the threat and their capabilities.
REFS:
http://www.enisa.europa.eu/act/it/oar/smartphones-information-security-risks-opportunities-and-recommendations-for-users
http://www.zdnet.com/news/is-your-cell-phone-due-for-an-antivirus-shot/146956
http://www.kiplinger.com/businessresource/forecast/archive/smart-phones-under-cyber-attack.html
In December of 2010, the European Network and Information Security Agency (ENISA) released report that investigates the security risks involved with using Smart phones and what can be done to reduce these risks. This report identifies common uses as it pertains to common users, employees, and executives. Being a common user, the information on my phone is not normally sensitive. I have names and numbers, pictures, music, and some account email information. The report claims that most incidences are due to user error. Common reasons for security incidents can be attributed to the following:
· Not properly disposing of phone
· Not setting phone back to factory setting before phone changes hands.
· Network Spoofing Attacks
· Surveillance/shoulder surfing/eavesdropping.
· Malware – financial
· Network Congestion –dos attack
· Phishing
· Lost or theft devices
These techniques appear to be similar to the threats users encounter on their home computers. The same awareness and caution will need to be exercised when using your smart phone. Some recommended precautions to observe include:
· Be aware of your surroundings
· Be aware of what apps you download
· Lock your keypad and phone memory
· Reset and wipe memory occasionally
I currently do not conduct much business on my phone. Avoiding online purchases, accessing bank account sites and information, and actions that require my SSN, is very important in protecting my sensitive information. The smart phone users who conduct business with their phones have a higher risk of leaking information. Some things to keep in mind is that Not all apps in the marketplace are safe. Your phone stores information about what you type and sites you visit. Iphone holds a cache of all words ever typed on the device (with exception to words entered in password fields). There are many rogue WiFi hotspots out there that intend to intercept and tamper with your network communications. Often time’s theft occurs by making hidden use of premium SMS services.
Now that we see that cell phones are not immune to attacks, lets take a look at the effects of the attacks? According to Kiplinger.com impact ranges from mild to medium. Some annoying effects of attacks include freezing or slowing phone operations. More advanced attacks can remove numbers and text messages. However, it appears that the impact is relatively minor when compared to some attacks conducted on home PC’s and corporate networks.
On a final note, let’s review protection. Companies have come out with and continue to develop antivirus programs for mobile phones. Be aware that some companies may use fear to push their products. However, the fact is that the need for these services is not present. Successful attacks are relatively rare in the US and Asia. Service providers have taken steps to reduce the marketing of these vendors. I’d like to give a tip of the hat and a wave of the finger. First a wave of the finger to these companies for trying to push protection that is not needed for the general public at this time. Of course marketing stuff we don’t need is not a new concept. This is not to say that security software may not be required in the future. Advances in technology could produce a need in time, but for now it appears most of us are ok. Tip of the hat to the service providers for their efforts in protecting the general public from corporate greed. Before we get too sentimental on behalf of the service providers, I think it is obvious that this action is don’t only to benefit the company itself. The last thing they need is for customers to be worried hacked cell phones which would surely result in reduced sales.
I hope this was helpful. Please be advise that this is just the beginning. There is a lot of information out there, and the best thing that we can do to protect ourselves is be educated and aware of the threat and their capabilities.
REFS:
http://www.enisa.europa.eu/act/it/oar/smartphones-information-security-risks-opportunities-and-recommendations-for-users
http://www.zdnet.com/news/is-your-cell-phone-due-for-an-antivirus-shot/146956
http://www.kiplinger.com/businessresource/forecast/archive/smart-phones-under-cyber-attack.html
Sunday, May 15, 2011
Standards Compliance.. Just the beginning.
This week, I would like to speak generally about information security as a whole. In my weekly reading I came across an article that featured an interview with an IS representative from CSC (my currently employer). I continued my reading and lost the article, so I am not able to neither reference it here nor tell you the interviewee’s name. However, my fellow associate made a very interesting claim. It was his belief that many companies who bare the responsibility of information security or provide information security services are not completely concerned about protecting digital assets. Many of these companies do not focus their goals on protecting their resources and doing whatever it takes to provide that protection. Rather, companies only do what can be accomplished with minimal inconvenience. Many companies and security groups base their efforts on what others or the majority is doing. By taking those same steps in efforts to safeguard their systems, they can claim that those industry standards have been met. So when an incident does occur, the person responsible can point out that the deployed actions were up to code and that all standards and rules. Claiming compliance as an excuse that all reasonable measure was observed will surely convince management that the results of the attack could not have been avoided. Right?
Now, let’s take a quick look at the industry as it pertains to information security. If your company is compliant with industry standards, then it should be safe from attackers and threats. This is not the case when the IS industry is in such bad shape. I look at information security as a war. There are people out there that mean to bring your interests harm. It is everybody associated with that interest’s responsibility to take steps to avoid these attacks. In my opinion, the attackers are very successful. We are protectors of the information are inundated with cases, and giving up more sensitive information every day. Even the major players in the information security field are taking losses. I think that it is obvious that by simply doing the bare minimum is not enough.
I of course do not have all the answers, nor do I consider myself any kind of authority in the field of IS. However, from my research thus far, it appears that poor patch management is at the source of many of these successful attacks. I understand that my inexperience my result in some naivety in my understanding of the many processes related to carrying out proper IS programs. However, patch management appears to be kicking our butts, but why? With the assistance of SCCM and other mass software deployment suites, why are so many systems going unprotected. In some cases, systems will need to be manually updated or patched. Gaining access to these systems or making them unavailable for upgrade may not be as easy as it sounds. Keeping up to date on vendor releases may be a tedious task as well. The evaluation and testing of these patches is also a time consuming requirement.
Either way, it’s a big concern. If you want to catch the silver lining in all this dreary mess, I guess we can all be thankful that our IS job security is looking great!
-MJ
Now, let’s take a quick look at the industry as it pertains to information security. If your company is compliant with industry standards, then it should be safe from attackers and threats. This is not the case when the IS industry is in such bad shape. I look at information security as a war. There are people out there that mean to bring your interests harm. It is everybody associated with that interest’s responsibility to take steps to avoid these attacks. In my opinion, the attackers are very successful. We are protectors of the information are inundated with cases, and giving up more sensitive information every day. Even the major players in the information security field are taking losses. I think that it is obvious that by simply doing the bare minimum is not enough.
I of course do not have all the answers, nor do I consider myself any kind of authority in the field of IS. However, from my research thus far, it appears that poor patch management is at the source of many of these successful attacks. I understand that my inexperience my result in some naivety in my understanding of the many processes related to carrying out proper IS programs. However, patch management appears to be kicking our butts, but why? With the assistance of SCCM and other mass software deployment suites, why are so many systems going unprotected. In some cases, systems will need to be manually updated or patched. Gaining access to these systems or making them unavailable for upgrade may not be as easy as it sounds. Keeping up to date on vendor releases may be a tedious task as well. The evaluation and testing of these patches is also a time consuming requirement.
Either way, it’s a big concern. If you want to catch the silver lining in all this dreary mess, I guess we can all be thankful that our IS job security is looking great!
-MJ
Sunday, May 8, 2011
Risky Business!
This week, I thought I would take the suggestion of our instructor and not discuss the recent Sony Play station hack that has caused a disruption in service since mid-April. Instead we will explore the wonderful world of Risk! No, not the board game where people can partake in the epic struggle for world domination. Rather, the ever important task of prioritizing company assets and evaluating their vulnerabilities and their likelihood. Basically, a company wants to know the defense status of their systems as a whole and conducting a risk assessment is one way to carry out that assessment. Before this week, I was not aware of the detailed processes that make up the risk assessment. The charts presented in this week’s reading made the analytical work much easier, but the number crunching and investigation can be intense.
When looking at the risk assessment process, it is a very large undertaking. It is very important to conduct a thorough and accurate investigation. The results from this process could be a critical piece of information in allowing the IS team better protect the companies resources. However, when considering the information security field and all the activities it entails, the risk portion is not the main focus or goal of the system.
The instructor questions if this should be referred to as “information risk” as opposed to “information security”. In my humble opinion, this change is not necessary. I do not intend to take away from the importance of exploring and knowing the risks as they pertain to IT and ultimately, company resources. However, the security measures deployed in response to the risk assessment is of great importance.
On a final note, it is also important to realize that the risk assessment hold different value to different people. For example the team who is conducting the investigation may be fully aware of the risk and regard these vulnerabilities as critical issues. However, when presented to management, the course of action may be discarded all together. After all, many companies see these risks and losses as unavoidable and a cost of doing business. Yup, throw money at it! That should do the trick. Thanks for reading everybody!
When looking at the risk assessment process, it is a very large undertaking. It is very important to conduct a thorough and accurate investigation. The results from this process could be a critical piece of information in allowing the IS team better protect the companies resources. However, when considering the information security field and all the activities it entails, the risk portion is not the main focus or goal of the system.
The instructor questions if this should be referred to as “information risk” as opposed to “information security”. In my humble opinion, this change is not necessary. I do not intend to take away from the importance of exploring and knowing the risks as they pertain to IT and ultimately, company resources. However, the security measures deployed in response to the risk assessment is of great importance.
On a final note, it is also important to realize that the risk assessment hold different value to different people. For example the team who is conducting the investigation may be fully aware of the risk and regard these vulnerabilities as critical issues. However, when presented to management, the course of action may be discarded all together. After all, many companies see these risks and losses as unavoidable and a cost of doing business. Yup, throw money at it! That should do the trick. Thanks for reading everybody!
Sunday, May 1, 2011
Hactivists -- Hacking for a cause?
The hacking group “Anonymous” has been in the media a lot lately. “Anonymous” was planning to start their attack on the Iranian websites today. In honor of the “oppressed people” of Iran, Anonymous is attacking on International Worker’s Day. A couple of posts from the group reads as follows:
"We can see that Iran still suffers at the hands of those in power. Your former government has seized control and tries to silence you ... People of Iran - your rights belong to you. You have the right to free speech and free press, the freedom to assemble and to be safe in your person. You have the right to live free and without fear."
"Though your suffering is great, your strength is greater. Though your trial is long, your will persists. The people of Iran have the admiration of Anonymous, and the entire world."
Anonymous has lead other attacks to support causes for the “underdogs” in the past. This group seems to think that hacking accounts and causing security breaches are ok things to do as long as you are going against “the man.” This group is particularly interested in taking down the, "Primary Dealers within the Federal Reserve banking system.” The group demands that they, “be broken up and held accountable for rigging markets and destroying the global economy effective immediately."
The Anonymous manifesto:
• We are a decentralized non-violent resistance movement, which seeks to restore the rule of law and fight back against the organized criminal class.
• One-tenth of one percent of the population has consolidated wealth in unprecedented fashion and launched an all-out economic war against 99.9% of the population.
• We are not affiliated with either wing of the two-party oligarchy. We seek an end to the corrupted two-party system by ending the campaign finance and lobbying racket.
• Above all, we aim to break up the global banking cartel centered at the Federal Reserve, International Monetary Fund, Bank of International Settlement and World Bank.
• We demand that the primary dealers within the Federal Reserve banking system be broken up and held accountable for rigging markets and destroying the global economy, effective immediately.
• As a first sign of good faith we demand Ben Bernanke step down as Federal Reserve chairman.
• Until our demands are met and a rule of law is restored, we will engage in a relentless campaign of non-violent, peaceful, civil disobedience.
• In our next communication we will announce Operation Empire State Rebellion.
They recently hacked Sony for going after another hacker, George Hotz. Anonymous believed that Hotz had the right to share the information about Sony’s new system. Since Sony updated their system to install for security patches. The older versions have been “jail broken” by avid users. These users do not recommend an update. Holtz hacked the Sony system and has been taken to court by Sony. This lead to the Anonymous attack on Sony.
Anonymous is also infamous for hacking the cyber security firm HB Gary. This company is paid to protect their clients and prevent hacking. However, Anonymous was able to get in and change the password of entrepreneur Greg Hogland’s email. The group helped themselves to loads of information that it later posted for the entire world to see.
The group seems to believe strongly in their cause. Will this group lead to more and more people taking matters into their own hands? Will other try to demand that the government, either our own or other countries, play fair or else? Where will this lead and how long will this group reign before it is taken down. A few companies have tried to learn the identities of the members of this group and have face the wrath of Anonymous as a result.
-MJ
http://psgroove.com/content.php?852-Sony-s-3.60-Firmware-Update-Goes-Live-Introduces-Cloud-Storage-System
http://playstationlifestyle.net/2011/04/04/hacker-group-anonymous-declare-war-on-sony/
http://www.cnn.com/2011/WORLD/meast/04/30/iran.hackers/
http://www.gmanews.tv/story/219221/technology/anonymous-hackers-group-targets-iran
http://news.cnet.com/8301-31021_3-20058617-260.html?tag=topTechContentWrap;editorPicks
http://news.cnet.com/8301-27080_3-20058700-245.html?tag=topTechContentWrap;editorPicks
http://www.businessweek.com/magazine/content/11_12/b4220066790741.htm?campaign_id=rss_topStories
http://www.zerohedge.com/article/hacker-group-anonymous-brings-peaceful-revolution-america-will-engage-civil-disobedience-unt
"We can see that Iran still suffers at the hands of those in power. Your former government has seized control and tries to silence you ... People of Iran - your rights belong to you. You have the right to free speech and free press, the freedom to assemble and to be safe in your person. You have the right to live free and without fear."
"Though your suffering is great, your strength is greater. Though your trial is long, your will persists. The people of Iran have the admiration of Anonymous, and the entire world."
Anonymous has lead other attacks to support causes for the “underdogs” in the past. This group seems to think that hacking accounts and causing security breaches are ok things to do as long as you are going against “the man.” This group is particularly interested in taking down the, "Primary Dealers within the Federal Reserve banking system.” The group demands that they, “be broken up and held accountable for rigging markets and destroying the global economy effective immediately."
The Anonymous manifesto:
• We are a decentralized non-violent resistance movement, which seeks to restore the rule of law and fight back against the organized criminal class.
• One-tenth of one percent of the population has consolidated wealth in unprecedented fashion and launched an all-out economic war against 99.9% of the population.
• We are not affiliated with either wing of the two-party oligarchy. We seek an end to the corrupted two-party system by ending the campaign finance and lobbying racket.
• Above all, we aim to break up the global banking cartel centered at the Federal Reserve, International Monetary Fund, Bank of International Settlement and World Bank.
• We demand that the primary dealers within the Federal Reserve banking system be broken up and held accountable for rigging markets and destroying the global economy, effective immediately.
• As a first sign of good faith we demand Ben Bernanke step down as Federal Reserve chairman.
• Until our demands are met and a rule of law is restored, we will engage in a relentless campaign of non-violent, peaceful, civil disobedience.
• In our next communication we will announce Operation Empire State Rebellion.
They recently hacked Sony for going after another hacker, George Hotz. Anonymous believed that Hotz had the right to share the information about Sony’s new system. Since Sony updated their system to install for security patches. The older versions have been “jail broken” by avid users. These users do not recommend an update. Holtz hacked the Sony system and has been taken to court by Sony. This lead to the Anonymous attack on Sony.
Anonymous is also infamous for hacking the cyber security firm HB Gary. This company is paid to protect their clients and prevent hacking. However, Anonymous was able to get in and change the password of entrepreneur Greg Hogland’s email. The group helped themselves to loads of information that it later posted for the entire world to see.
The group seems to believe strongly in their cause. Will this group lead to more and more people taking matters into their own hands? Will other try to demand that the government, either our own or other countries, play fair or else? Where will this lead and how long will this group reign before it is taken down. A few companies have tried to learn the identities of the members of this group and have face the wrath of Anonymous as a result.
-MJ
http://psgroove.com/content.php?852-Sony-s-3.60-Firmware-Update-Goes-Live-Introduces-Cloud-Storage-System
http://playstationlifestyle.net/2011/04/04/hacker-group-anonymous-declare-war-on-sony/
http://www.cnn.com/2011/WORLD/meast/04/30/iran.hackers/
http://www.gmanews.tv/story/219221/technology/anonymous-hackers-group-targets-iran
http://news.cnet.com/8301-31021_3-20058617-260.html?tag=topTechContentWrap;editorPicks
http://news.cnet.com/8301-27080_3-20058700-245.html?tag=topTechContentWrap;editorPicks
http://www.businessweek.com/magazine/content/11_12/b4220066790741.htm?campaign_id=rss_topStories
http://www.zerohedge.com/article/hacker-group-anonymous-brings-peaceful-revolution-america-will-engage-civil-disobedience-unt
Sunday, April 24, 2011
Crime doesn't pay.. unless it's Cybercrime!
This week, the world was introduced to its newest hacker! Authorities apprehended the vicious criminal and she now faces possible time in prison. Her name is Hayastan Shakarian and she is responsible for single handedly taking down 90% of the internet access for the entire country of Armenia. The service was down for about 12 hours before it could be restored.
Reader, when I read this, I thought “Good, let Hayastan rot in prison for a while.” I, along with most victims of web attacks, harbor a strong distaste for spammers, people who create/spread viruses, identity thieves, and other cybercriminals! So, when I heard about this incident, I hoped for the worst of punishments.
Now, before we all agree to stone this our dastardly hacker, Mrs. Shakarian, I think I should tell you that she is a 75 year old Georgian (the country not the US state) who has never heard of the internet until her inaugural introduction into the world of “hacking”. While many modern hackers would recommend using a protected home computer for their work, Shakarian used a gardening spade. That’s right! The women severed the internet connection to Armenia while searching for underground copper.
When provided with the later information, it seems kind of harsh to send this woman to prison. However, it got me wondering what the punishments for common cybercrimes are. After some research, it appears that the common cybercriminal does not normally get more than 5 years in the clink. In some cases a 10 year sentence can be issued. At the end of this blog you can review a quick summary that detail these kinds of laws and punishment procured from www.spamlaws.com.
I think this is a joke! These kinds of punishments are not effective. How do we put a stop to this kind of activity? Would harsher penalties help? I see ads that advise against pirating data such as music and movies, and these crimes have significant penalties. Still it has not stopped people from downloading illegal media. Maybe cyber crime is an activity that cannot be contained. Maybe we as users will be subject to their threats forever.
On a brighter and final note… a HUGE bust just took place in the global cyber criminal world. It is referred to as the restock botnet takedown. It is a large ring of botnet systems that were sending information to criminals to enable them to steal information and steal money from several US companies. Hundreds of thousands of dollars were stolen. 1.8 million Computers were infected. 13 people who were associated with the criminal activity were apprehended and are looking at a “civil complaint” for engaging in wire fraud, bank fraud and illegal interception of electronic communications. What punishment will these people receive? What should they receive? Please see http://www.foxnews.com/scitech/2011/04/13/government-targets-ring-infecting-23-million-computers/ for more information and review the below information on cyber crime. Thanks for reading.
-MJ
http://www.spamlaws.com reports the following:
The penalty for illegally accessing a computer system ranges from 6 months to 5 years. The penalty for the unofficial modification on a computer ranges from 5 to 10 years. Other penalties are listed below:
Telecommunication service theft: The theft of telecommunication services is a very common theft and is punished with a heavy fine and imprisonment.
Communications intercept crime: This is a Class-D crime which is followed by a severe punishment of 1 to 5 years of imprisonment with a fine. Other cyber crimes like telecommunication piracy, offensive material dissemination, and other cyber frauds also belong to this category.
Information Technology Act-2000: According to this act, different penalties are available for different crimes. Some of the penalties are as follows:
Computer source document tampering: The person who changes the source code on the website or any computer program will get a punishment up to 3 years of imprisonment or fine.
Computer hacking: The individual who hacks the computer or computer devices will get an imprisonment up to 3 years or a fine.
Government protected system: An act of trying to gain access to a system which is a protected system by the government, will result in imprisonment for 10 years and a heavy fine.
The introduction of such penalties have lead to a drastic reduction in the cybercrime rates as more and more criminals are becoming aware of the penalties related to them. Spreading the word about the penalties of cybercrime can serve as a deterrent against such crime.
Penalties relating to cybercrime will vary depending on the country and legislation in place.
Summarized websites
http://www.spamlaws.com/cyber-crime-punishment.html
http://www.bbc.co.uk/news/business-13158351
http://www.foxnews.com/scitech/2011/04/13/government-targets-ring-infecting-23-million-computers/
Reader, when I read this, I thought “Good, let Hayastan rot in prison for a while.” I, along with most victims of web attacks, harbor a strong distaste for spammers, people who create/spread viruses, identity thieves, and other cybercriminals! So, when I heard about this incident, I hoped for the worst of punishments.
Now, before we all agree to stone this our dastardly hacker, Mrs. Shakarian, I think I should tell you that she is a 75 year old Georgian (the country not the US state) who has never heard of the internet until her inaugural introduction into the world of “hacking”. While many modern hackers would recommend using a protected home computer for their work, Shakarian used a gardening spade. That’s right! The women severed the internet connection to Armenia while searching for underground copper.
When provided with the later information, it seems kind of harsh to send this woman to prison. However, it got me wondering what the punishments for common cybercrimes are. After some research, it appears that the common cybercriminal does not normally get more than 5 years in the clink. In some cases a 10 year sentence can be issued. At the end of this blog you can review a quick summary that detail these kinds of laws and punishment procured from www.spamlaws.com.
I think this is a joke! These kinds of punishments are not effective. How do we put a stop to this kind of activity? Would harsher penalties help? I see ads that advise against pirating data such as music and movies, and these crimes have significant penalties. Still it has not stopped people from downloading illegal media. Maybe cyber crime is an activity that cannot be contained. Maybe we as users will be subject to their threats forever.
On a brighter and final note… a HUGE bust just took place in the global cyber criminal world. It is referred to as the restock botnet takedown. It is a large ring of botnet systems that were sending information to criminals to enable them to steal information and steal money from several US companies. Hundreds of thousands of dollars were stolen. 1.8 million Computers were infected. 13 people who were associated with the criminal activity were apprehended and are looking at a “civil complaint” for engaging in wire fraud, bank fraud and illegal interception of electronic communications. What punishment will these people receive? What should they receive? Please see http://www.foxnews.com/scitech/2011/04/13/government-targets-ring-infecting-23-million-computers/ for more information and review the below information on cyber crime. Thanks for reading.
-MJ
http://www.spamlaws.com reports the following:
The penalty for illegally accessing a computer system ranges from 6 months to 5 years. The penalty for the unofficial modification on a computer ranges from 5 to 10 years. Other penalties are listed below:
Telecommunication service theft: The theft of telecommunication services is a very common theft and is punished with a heavy fine and imprisonment.
Communications intercept crime: This is a Class-D crime which is followed by a severe punishment of 1 to 5 years of imprisonment with a fine. Other cyber crimes like telecommunication piracy, offensive material dissemination, and other cyber frauds also belong to this category.
Information Technology Act-2000: According to this act, different penalties are available for different crimes. Some of the penalties are as follows:
Computer source document tampering: The person who changes the source code on the website or any computer program will get a punishment up to 3 years of imprisonment or fine.
Computer hacking: The individual who hacks the computer or computer devices will get an imprisonment up to 3 years or a fine.
Government protected system: An act of trying to gain access to a system which is a protected system by the government, will result in imprisonment for 10 years and a heavy fine.
The introduction of such penalties have lead to a drastic reduction in the cybercrime rates as more and more criminals are becoming aware of the penalties related to them. Spreading the word about the penalties of cybercrime can serve as a deterrent against such crime.
Penalties relating to cybercrime will vary depending on the country and legislation in place.
Summarized websites
http://www.spamlaws.com/cyber-crime-punishment.html
http://www.bbc.co.uk/news/business-13158351
http://www.foxnews.com/scitech/2011/04/13/government-targets-ring-infecting-23-million-computers/
Sunday, April 17, 2011
CIS 608 Content Coincides with CISSP
I am taking classes through Bellevue University to farther my career in Information Security. I have also been working toward certifications that I know will make me more marketable in this field. I recently read an article on ClearanceJobs.com that listed the top 10 certifications held by Cleared Professionals. The top 5 of that list were Security +, Network +, A+, ITIL, and CISSP. This list got me thinking about what I need to do to make myself more marketable and what others can do as well.
These certifications listed are important and I think many companies and contractors like to see these certifications. The process for these certifications can be quite involved and it takes a lot of work to achieve these certifications and stay on top in the Information Security world. I am currently certified in Security +, Network +, and ITIL. The next big certification I would like to get is CISSP (Certified Information Systems Security Professional). This certification is a long and involved process. You must have five years of professional experience to be considered for the certification. There is also a code of ethics and ongoing education that you must adhere to keep “in good standing” and keep the certification current. The most difficult part of the certification process is obviously the test itself.
The test covers ten main points. These main points include:
1. Access Control
2. Application Development Security
3. Business Continuity and Disaster Recovery Planning
4. Cryptography
5. Information Security Governance and Risk Management
6. Legal, Regulations, Investigations and Compliance
7. Operations Security
8. Physical (Environmental) Security
9. Security Architecture and Design
10. Telecommunications and Network Security
For six hours you are rigorously questioned with 250-question test on your knowledge of the above-mentioned topics. Even after passing the exam you must maintain the certification with accruing 120 credits toward continuing education every three years and also pay a maintenance fee yearly.
As you can see, CISSP requires you to jump through a lot of hoops. Not only must you prove your knowledge on the test and show that you have a working knowledge of the information by your work experience; you must maintain the certification through continuing education. I think that this is a good time for me to try to obtain the CISSP certification. The topics on the test are also being covered in the classes that I am currently enrolled in at Bellevue University. In Information Security Management 608, we have already discussed disaster recovery plans and security policies that are covered in the CISSP under topics bullet 3 and 6. Ahead in the book will be developing the security program and risk management and analysis. I think that these classes will really help me to prepare for the certification and have other resources for the studying process. I am also hoping that the classes I am enrolled in will count toward the continuing education credits that you must attain. The website is not very specific about the requirements for this. The website states that after certification, you will receive information about the maintenance of the certification.
To others who are also in pursuit of advancing their career in information security, I hope that you have found this information helpful. Thanks for reading and good luck on the tasks ahead!
References:
ClearanceJobs.com
https://www.isc2.org/cissp/Default.aspx
These certifications listed are important and I think many companies and contractors like to see these certifications. The process for these certifications can be quite involved and it takes a lot of work to achieve these certifications and stay on top in the Information Security world. I am currently certified in Security +, Network +, and ITIL. The next big certification I would like to get is CISSP (Certified Information Systems Security Professional). This certification is a long and involved process. You must have five years of professional experience to be considered for the certification. There is also a code of ethics and ongoing education that you must adhere to keep “in good standing” and keep the certification current. The most difficult part of the certification process is obviously the test itself.
The test covers ten main points. These main points include:
1. Access Control
2. Application Development Security
3. Business Continuity and Disaster Recovery Planning
4. Cryptography
5. Information Security Governance and Risk Management
6. Legal, Regulations, Investigations and Compliance
7. Operations Security
8. Physical (Environmental) Security
9. Security Architecture and Design
10. Telecommunications and Network Security
For six hours you are rigorously questioned with 250-question test on your knowledge of the above-mentioned topics. Even after passing the exam you must maintain the certification with accruing 120 credits toward continuing education every three years and also pay a maintenance fee yearly.
As you can see, CISSP requires you to jump through a lot of hoops. Not only must you prove your knowledge on the test and show that you have a working knowledge of the information by your work experience; you must maintain the certification through continuing education. I think that this is a good time for me to try to obtain the CISSP certification. The topics on the test are also being covered in the classes that I am currently enrolled in at Bellevue University. In Information Security Management 608, we have already discussed disaster recovery plans and security policies that are covered in the CISSP under topics bullet 3 and 6. Ahead in the book will be developing the security program and risk management and analysis. I think that these classes will really help me to prepare for the certification and have other resources for the studying process. I am also hoping that the classes I am enrolled in will count toward the continuing education credits that you must attain. The website is not very specific about the requirements for this. The website states that after certification, you will receive information about the maintenance of the certification.
To others who are also in pursuit of advancing their career in information security, I hope that you have found this information helpful. Thanks for reading and good luck on the tasks ahead!
References:
ClearanceJobs.com
https://www.isc2.org/cissp/Default.aspx
Sunday, April 3, 2011
Government ignores Government mandates
April 15th is just around the corner and many will go to IRS.gov to e-file your taxes this year. You see that if you made less than 58,000 dollars in 2010, you can e-file for free from a website of your choice that is listed on the IRS website. You chose one, follow the link, and begin to enter all of you personal information. You complete the form online and submit. Another year of taxes complete, right? As uit turns out, this year you did not really file taxes, what you did was give all of your personal information to a hacker. You were redirected to a fake website during your search on IRS.com, this cache poisoning attack, or Kaminsky-style attack, is not new. In fact, in 2008 it was mandated that by December 31st, 2009 all .gov websites deploy security against just such an attack. DSN Security Extensions, or DSNSEC, prevents the redirecting of web users to other spoof websites. However, as of January 2011, only 51% of government websites have deployed such standards of protection. (Marsan, 2011)
Of the tested .gov websites, the state department leads, being 100% up to date and the department of labor on its heels at 90%. So, kudos to those departments for meeting the new standard, however, the rest of the story does not look good. The Treasury Department only signs one of its sub domains, the good news is there usually isn’t any important information that is entered into the Treasury Department. No one enters important information into the Treasury Department website to see if they qualify for loans, grants or other financial aide. It makes me wonder what the government is doing with the large portion of my paycheck that it keeps each month. You would think that the US government with all of its departments, resources, and officials would at least be able to run a secure website.
The private sector is not ahead of the government on this either. Many .com, .org, and .edu sites are now just starting to support DNSSEC in their domain. VeriSign has signed on to incorporate DNSEC in their operations. This is huge, since VeriSign is the Internet’s largest .com domain. This .com leader is spending $100 Million to support DNSSEC and upgrade to IPv6. Many other domains, do not know of, or are just learning of this DNSSEC. Another issue that goes with this security is that it takes up a lot of resources. It slows the server and can take a lot of financial resources to update. I think that these companies, however, owe it to their clients to ensure that their websites are secure and that client information will be secure and remain at that company’s official site.
I know that many of us who utilize the web for it’s resources and convenience have adopted this sense of security when dealing with the our personal sites. Sites like the one we use for online banking, or the site ran by our educational institution, or even one operated by the government. This is wrong. Nobody is ever 100% safe. These are the same people who encounter several attacks every year. What can a person do to ensure that this does not happen to you, you wonder. I will attempt address that in future blogs. For now, knowing what we got ourselves into is the first step. Thanks for reading.
Reference:
Marsan, Carolyn Duffy. (January, 27, 2011.). Half of federal Web sites fail DSN security test http://www.networkworld.com/news/2011/012711-dns-security-test.html?page=1.
Sunday, March 27, 2011
Van Hagar and those pesky alien uploads
This week, former Van-Halen rocker Sammy Hagar released his new book. In this book Hagar going into details about the band and its members. The book also mentions Hagar’s encounter with aliens. In this encounter, aliens proceeded to link up to Sammy Hagar’s brain and proceed to upload and download information. Now, I know what you’re thinking… Sammy Hagar’s got a brain? This has yet to be verified, but here is what Sammy has to say about it.
"It was real. [Aliens] were plugged into me," Hagar says. "It was a download situation. This was long before computers or any kind of wireless. There weren't even wireless telephones. Looking back now, it was like, 'F---, they downloaded something into me!' Or they uploaded something from my brain, like an experiment. 'See what this guy knows.' That happened. That friggin' happened, I'll tell you right now."
You can catch the rest of the story at: http://new.music.yahoo.com/blogs/amplifier/88706/sammy-hagar-was-abducted-uploaded-by-aliens/
After reading this, a few things occurred to me.
The first thing I imagined a couple of adolescent teenage aliens war driving human brains on a slow Saturday night in LA, when they stumble upon this gem of a mind we call Hagar. The second thing that occurred to me is that Hagar needs to get hot on upgrading his information security measures.
Even if Hagar is a lost cause, there are several things that you the reader can do right now to help protect your wireless network in your home or office. First, you will need to change the password on your router. All home routers come from the factory with a common default password. These passwords are well known to the people that intend to do harm to you by accessing your network. This password can also be easily obtained from a quick search of the web as well. This fact leaves you vulnerable to unauthorized access of your home network.
Next you will need to rename your SSID. Your SSID is the “service set identifier” or essentially the name of you wireless network. This allows you or others to identify what wireless network you are connecting to. The wireless card on your computer or wireless device can detect these networks. After you have renamed your SSID to something other than the default, you will then need to hide your signal. This will deny others the ability to see or recognize your wireless network with their wireless devices. You of course will still be able to connect to the network. By selecting not to broadcast your SSID, it will reduce the detection of your network by others, and thus making it less of a target.
There you go. There are 3 easy steps to increase protection of your home network that tend to be overlooked. Some of you are likely thinking…” that’s great, but how do I make these changes.” In most cases, this is easy too. You will need to access the interface on your router. This is typically a screen that displays a set of options and settings for the router. The changes are normally easy to make. You can contact the technical support for the brand name of your router, visit their website and look for instructions, or go the links below for further information. I hope this was helpful to many of you. Please feel free to post your comments. This does not apply to Van-Halen fans. .. jk
Sunday, March 20, 2011
Spam Rant
Do ya think that Spam, the meat in a can that can be found in stores everywhere, is pissed that they share their name with something as distasteful as electronic spam. I am sure that when Hormel registered the SPAM trademark in 1937, they never seen this coming. Either way, both the food and the junk mail have been frowned upon by many of us who have experienced them. I bring this up because of some recent unwanted activity in my email account. That's right, spam! I have lived a pretty good spam free existence for several years. I thought that I was being careful in protecting my email address. I mean, I thought so anyway. Previously deployed anti-spam measures include:
1. Having multiple email addresses.
- The intent being that I would use one for personal and social purposes. This was for communication with friends and family. A different email would be business. It would be used to contact employers, distribute resumes, make appointments, and converse with business associates. Any business correspondence is conducted using this email address. Finally, I have an email account that is solely used spamming scapegoat purposes. It is used when taking part in insecure activity that will likely make the account vulnerable to spam attacks. It is a sacrificial account of sorts.
2. Identifying questionable activity.
- I feel that being identifying an email scam or spam attempt is extremely important. This means that I avoid emails with general and nonspecific subject lines, emails from unrecognized contacts and businesses, and spotting poor grammar and spelling errors. Who falls for that anyway. Some spam that I have seen in my "sacrifice" account has the worst spelling and grammar ever. I know 2nd grade students who have a better understanding of the English language. I do not open forwarded emails content that is not for the purpose of communications. I don't care to receive jokes, political or religious stories, or random pictures. These often go straight to the trash folder for deletion. Sure I may miss out on a good laugh or touching story, but I will avoid spam, which is my main goal. If I get something that is questionable or looks interesting, I can always forward it to my sacrifice folder and open there. Most times the emailed tidbit ends up being a complete waste of time.
3. Surf intelligently.
- Seek out and view popular videos from unaccredited sources. When you hear of a video online of a shocking footage of some sort, be aware that these video may contain malicious code. These could be human accidents involving cars, trains, or animal attacks. Rock star falls off stage. Actress on drugs video... and of course the ever popular celebrity sex tapes. Which leads me to my next guideline for avoiding spam.... No internet porn. The internet porn industry is a huge source of generated spam and distribution of malicious code.
So , there you go. These are the methods that I have deployed to protect my email accounts from spam. It has been effective to a certain extent, but the system is not perfect. Spam is a real pain in the butt to deal with, and even harder to avoid completely. I feel that these guidelines should be enough to guard from spam, but it is not. In the upcoming posts, I will discuss spam further.
1. Having multiple email addresses.
- The intent being that I would use one for personal and social purposes. This was for communication with friends and family. A different email would be business. It would be used to contact employers, distribute resumes, make appointments, and converse with business associates. Any business correspondence is conducted using this email address. Finally, I have an email account that is solely used spamming scapegoat purposes. It is used when taking part in insecure activity that will likely make the account vulnerable to spam attacks. It is a sacrificial account of sorts.
2. Identifying questionable activity.
- I feel that being identifying an email scam or spam attempt is extremely important. This means that I avoid emails with general and nonspecific subject lines, emails from unrecognized contacts and businesses, and spotting poor grammar and spelling errors. Who falls for that anyway. Some spam that I have seen in my "sacrifice" account has the worst spelling and grammar ever. I know 2nd grade students who have a better understanding of the English language. I do not open forwarded emails content that is not for the purpose of communications. I don't care to receive jokes, political or religious stories, or random pictures. These often go straight to the trash folder for deletion. Sure I may miss out on a good laugh or touching story, but I will avoid spam, which is my main goal. If I get something that is questionable or looks interesting, I can always forward it to my sacrifice folder and open there. Most times the emailed tidbit ends up being a complete waste of time.
3. Surf intelligently.
- Seek out and view popular videos from unaccredited sources. When you hear of a video online of a shocking footage of some sort, be aware that these video may contain malicious code. These could be human accidents involving cars, trains, or animal attacks. Rock star falls off stage. Actress on drugs video... and of course the ever popular celebrity sex tapes. Which leads me to my next guideline for avoiding spam.... No internet porn. The internet porn industry is a huge source of generated spam and distribution of malicious code.
So , there you go. These are the methods that I have deployed to protect my email accounts from spam. It has been effective to a certain extent, but the system is not perfect. Spam is a real pain in the butt to deal with, and even harder to avoid completely. I feel that these guidelines should be enough to guard from spam, but it is not. In the upcoming posts, I will discuss spam further.
Monday, March 14, 2011
The Beginning
Well, here we go. The start to my very first original blog. Sure I have posted onto a forum here and there, but nothing that is available to the public and directed by myself. I created this account to fulfill the requirements for the CIS 608 course that I recently enrolled in at Bellevue University. I hope that you all enjoy all of the wizdom that you are sure to find posted here in the near future.
Subscribe to:
Comments (Atom)