Thursday, November 14, 2013

Week 12 Blog

Summary of my blog posts for the last 12 Weeks


Over the last twelve weeks, I have researched and written about hackers and various types of malware. I chose the topic of hackers and malware because even though hackers are considered the bad guys, I absolutely idealize them. Many hackers are so brilliant and they know things about computers that many people would consider near science fiction. I have a true passion for Information Technology and even more so for those that have mastered it. I truly love anything technical. Information Technology keeps my interest and my attention. It is just so fascinating to me.

For most of my blog, I got much of the material from research. I searched magazine articles, books, and online references. I never used the same source. From week to week, I would go further and branch out my findings more and more. I tried to use a variety of references so that I could ensure unbiased resources. I enjoy doing research and comparing the opinions and findings of other people. My research was one of the most significant contributions I made to my blog.


I definitely think that my blog would be very useful to an Information Security professional. An Information Security professional could easily use my blog to discover any malware or viruses that may be unknown to them. They could also use my blog to realize the capabilities of hackers. A few lessons that I learned from the creation of this blog are that you should not limit yourself to only what you already know. You should branch out and discover new thoughts and ideas. You should never limit yourself to the familiar. It is important that you branch out and learn new things because you never know how much you can learn unless you try.

Thanks so much for reading my blog! It has been a pleasure writing it and it has been a great semester!
Yours truly,
Rashele Shoun

Thursday, November 7, 2013

Week 11 Blog

CryptoLocker

New types of malware are being unleashed practically every day. In fact, CryptoLocker, a new type of malware, was recently unleashed. "CryptoLocker, [is] a new and nasty piece of malicious software is infecting computers around the world – encrypting important files and demanding a ransom to unlock them" (Weisbaum, 2013). Malware that demands ransom has to be the most hilarious form of malware. The hacker is not only smart enough to break into something that belongs to someone else, but then they get cocky and decide that now they deserve to be paid for their disruption. That is just really funny to me. I mean, of course it totally sucks if you are the "victim," but if you look at it from a non-emotional view, you can see that it's just cocky.

More specifically, CryptoLocker "systematically hunts down every one of your personal files – documents, databases, spreadsheets, photos, videos and music collections – and encrypts them with military-grade encryption and only the crooks can open it" (Weisbaum, 2013). CryptoLocker is obviously pretty awesome. They need to use CryptoLocker for resale. Then the public could benefit by protecting their important files. It sounds like a great piece of software if it can be used for more productive reasons.

"CryptoLocker is different from other types of 'ransomware' that have been around for many years now that freeze your computer and demand payment. They can usually be removed which restores access to your files and documents. Not CryptoLocker – it encrypts your files. There’s only one decryption key and the bad guys have that on their server. Unless you pay the ransom – within three days, that key will be destroyed. And as the message from the extorters says, after that, nobody and never will be able to restore files…" (Weisbaum, 2013). So, CryptoLocker is a much more advanced type of ransomware. In fact, the typical extortion payment is $300 - $400. (Weisbaum, 2013) Apparently, "Good antivirus software can remove the CryptoLocker malware from your computer, but it cannot undo the damage – the encryption is that good" (Weisbaum, 2013). So, how do you protect yourself from this virus? Really, the only good means of protection is to frequently back up your computer onto a safe drive that does not stay connected to your computer. (Weisbaum, 2013) There are other ways to protect your files and documents, but to me this is by far the best way. In fact, I would recommend having a backup stored away from your house for even more protection, like in a safety deposit box at a bank.

References


Weisbaum, H. (2013, November 6). Nasty New Malware Locks Your Files Forever, Unless You Pay Ransom. Retrieved November 7, 2013, from Today Money: http://www.today.com/money/nasty-new-malware-locks-your-files-forever-unless-you-pay-8C11511655

Monday, October 28, 2013

Week 10 Blog

Major Security Issue with Vendor’s Biometric Software


A major security issue was discovered with a vendor’s biometric software. More specifically, “Laptops from various manufacturers including four of the world's top five largest PC makers, sport fingerprint readers with a flaw in their software described as ‘nothing but a big, glowing security hole compromising the entire security model of Windows accounts’” (Fontana, 2012). This is a huge security risk because biometric software is supposed to offer more security. Instead, it is offering much less security just so that a user can log in with the swipe of a finger. This defeats the entire point of a fingerprint reader.

A Microsoft certified partner stated the following about the fingerprint reader security vulnerability: “[With the biometric fingerprint reader enabled] Windows account passwords are stored in the Windows registry almost in plain text, barely scrambled but not encrypted” (Fontana, 2012). If you enable the fingerprint reader, your password is now practically stored in plain text. I’m not sure what the point of even having a password is if a user enables the fingerprint reader. According to Olga Koksharova, “We could extract passwords to all user accounts with fingerprint-enabled logon. Putting things into perspective: Windows itself never stores account passwords unless you enable ‘automatic login,’ which is discouraged by Microsoft” (Fontana, 2012). The fingerprint reader allows the user’s password to be easily extracted. This is a horrible security flaw!

Another interesting fact about the UPEK Protector Suite software is that “Hackers compromising the UPEK software could gain access to all the files and documents on a PC. Elcomsoft notes that hackers would not be able to access EFS-encrypted files without knowledge of the Windows account password” (Fontana, 2012). Elcomsoft stated that users of UPEK software should disable the Windows logon feature, which would help with this problem. (Fontana, 2012) However, to me it seems that this is risky as well, because I have used fingerprint readers and they won’t always let you log in. Therefore, you would want to have the option to use your Windows logon if your fingerprint will not scan.


Sadly, I think the best solution is to disable the fingerprint reader and only use the Windows logon feature. “Elcomsoft’s website had a humorous comment from Kevin Mitnick, a famous hacker and social engineer: ‘I want to thank Elcomsoft for providing the best password auditing and recovery tools on the market’” (Fontana, 2012). This comment made me laugh because Kevin Mitnick was clearly being humorous. I hope this company learns from this well-known hacker’s comment and takes action to fix their fingerprint software.

Reference:
Fontana, J. (2012, September 5). Vendor’s Biometric Software Compromises “Entire Security Model of Windows Accounts”. Retrieved October 28, 2013, from ZDNet: http://www.zdnet.com/vendors-biometric-software-compromises-entire-security-model-of-windows-accounts-7000003784/

Saturday, October 26, 2013

Week 9 Blog


Preventing SQL Attacks

 

SQL injection attacks are one of the most dangerous programming errors. (Paul Rubens, 2010) SQL injection attacks are a real problem for many organizations. SQL injection attacks could “allow hackers to compromise your network, access and destroy your data, and take control of your machines” (Paul Rubens, 2010). Organizations need to determine whether they are at risk for SQL injection attacks. Organizations can easily become the victim of an SQL attack if they do not know how to protect themselves from them.

SQL injection attacks are very interesting in nature. “The principle behind an SQL injection is pretty simple. When an application takes user data as an input, there is an opportunity for a malicious user to enter carefully crafted data that causes the input to be interpreted as part of a SQL query instead of data” (Paul Rubens, 2010). Therefore, if an attacker knows exactly what to try, they can easily use SQL injection attacks for malicious reasons. SQL attacks can cause a loss of confidentiality, data integrity, and the data itself. (Paul Rubens, 2010) An SQL attack could even compromise an entire network. (Paul Rubens, 2010)

Organizations should be prepared to mitigate the risk of an SQL injection attack. There are many steps that an organization can take to help prevent SQL injection attacks. More specifically, an organization should do the following:

1. “Trust no-one: Assume all user-submitted data is evil and validate and sanitize everything” (Paul Rubens, 2010).

2. “Don't use dynamic SQL when it can be avoided: Use prepared statements, parameterized queries or stored procedures instead whenever possible” (Paul Rubens, 2010).

3. “Update and patch: Vulnerabilities in applications and databases that hackers can exploit using SQL injection are regularly discovered, so it's vital to apply patches and updates as soon as practical” (Paul Rubens, 2010).

4. “Firewall: Consider a web application firewall (WAF) – either software or appliance based – to help filter out malicious data. Good ones will have a comprehensive set of default rules, and make it easy to add new ones whenever necessary. A WAF can be particularly useful to provide some security protection against a particular new vulnerability before a patch is available” (Paul Rubens, 2010).  

5. “Reduce your attack surface: Get rid of any database functionality that you don't need to prevent a hacker taking advantage of it. For example, the xp_cmdshell extended stored procedure in MS SQL spawns a Windows command shell and passes in a string for execution, which could be very useful indeed for a hacker. The Windows process spawned by xp_cmdshell has the same security privileges as the SQL Server service account” (Paul Rubens, 2010).

6. “Use appropriate privileges: Don't connect to your database using an account with admin-level privileges unless there is some compelling reason to do so. Using a limited access account is far safer, and can limit what a hacker is able to do” (Paul Rubens, 2010).  

7. “Keep your secrets secret: Assume that your application is not secure and act accordingly by encrypting or hashing passwords and other confidential data including connection strings” (Paul Rubens, 2010).

8. “Don't divulge more information than you need to: Hackers can learn a great deal about database architecture from error messages, so ensure that they display minimal information. Use the "RemoteOnly" customErrors mode (or equivalent) to display verbose error messages on the local machine while ensuring that an external hacker gets nothing more than the fact that his actions resulted in an unhandled error” (Paul Rubens, 2010).

9. “Don't forget the basics: Change the passwords of application accounts into the database regularly. This is common sense, but in practice, these passwords often stay unchanged for months or even years” (Paul Rubens, 2010).

10. “Buy better software: Make code writers responsible for checking the code and for fixing security flaws in custom applications before the software is delivered. SANS suggests you incorporate terms from this sample contract into your agreement with any software vendor” (Paul Rubens, 2010).
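As an added example (my own, not code from the article or its source), the contrast behind items 2 and 8 in Python using the standard-library sqlite3 module: a login check built from dynamic SQL beside the parameterized version, plus a wrapper that keeps the database's own error text out of the response. The users table, the accounts and the inputs are constructed for the demonstration.

```python
import sqlite3

# Constructed sample accounts for the demonstration (not real data).
# Passwords are kept in clear here only to keep the contrast short;
# item 7 above says real applications must hash them.
SAMPLE_USERS = [("alice", "correct-horse"), ("bob", "battery-staple")]

# Stand-in for a server-side log; a real application would write to a
# log that external users cannot read (item 8).
LOCAL_LOG = []


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_dynamic(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Vulnerable form: user input is spliced into the SQL text, so a quote
    character in the input is parsed as part of the query, not as data."""
    query = (f"SELECT name FROM users WHERE name = '{name}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Hardened form (item 2): the query shape is fixed and the driver binds
    the input as values, so the input can never change the WHERE clause."""
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchone() is not None


def attempt_login(conn, login_fn, name: str, password: str) -> str:
    """Item 8: never hand the database's error message to the caller.
    Details go to the local log; the caller sees only ok/denied/error."""
    try:
        return "ok" if login_fn(conn, name, password) else "denied"
    except sqlite3.Error as exc:
        LOCAL_LOG.append(repr(exc))  # e.g. the SQL syntax error, logged locally
        return "error"


if __name__ == "__main__":
    db = make_db()
    crafted = "' OR '1'='1"  # textbook input that changes the query's meaning
    print("dynamic, crafted password:      ", login_dynamic(db, "alice", crafted))
    print("parameterized, crafted password:", login_parameterized(db, "alice", crafted))
    # A legitimate name containing an apostrophe breaks the dynamic query;
    # without the wrapper the raw syntax error would reach the client.
    print("dynamic, O'Brien:      ", attempt_login(db, login_dynamic, "O'Brien", "x"))
    print("parameterized, O'Brien:", attempt_login(db, login_parameterized, "O'Brien", "x"))
```

The dynamic version accepts the crafted password for any existing user and raises on an ordinary apostrophe, while the parameterized version treats both inputs as plain data and simply returns "denied".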

 

Reference

Paul Rubens. (2010, February 23). 10 Ways to Prevent or Mitigate SQL Injection Attacks. Retrieved October 26, 2013, from Enterprise Networking Planet: http://www.enterprisenetworkingplanet.com/netsecur/article.php/3866756/10-Ways-to-Prevent-or-Mitigate-SQL-Injection-Attacks.htm

 

Wednesday, October 16, 2013

Week 8 Blog

The NSA and their Backdoor Secrets

One of the most fascinating things about information security is the concept of a backdoor. What is more interesting is the sheer idea that the NSA desires to eavesdrop on our internet traffic through the use of a backdoor. (Schneier, 2013) “[NSA] has secret agreements with telcos to get direct access to bulk internet traffic. It has massive systems like TUMULT, TURMOIL, and TURBULENCE to sift through it all. And it can identify ciphertext — encrypted information — and figure out which programs could have created it” (Schneier, 2013). Obviously, it is a little frightening to know that the NSA can easily go through our internet communications and collect our personal information whenever they want. It is even more alarming that the NSA can uncover this encrypted information and determine which program encrypted it to begin with.

Another interesting item to note is that “[What] the NSA wants is to be able to read that encrypted information in as close to real-time as possible. It wants backdoors, just like the cybercriminals and less benevolent governments do. And we have to figure out how to make it harder for them, or anyone else, to insert those backdoors” (Schneier, 2013). I guess this makes it our duty to prevent the NSA from inserting these backdoors. It seems a little ironic that we have to protect ourselves from the NSA. I thought they were on our side. More specifically, the National Security Agency’s motto states that they are “Defending our Nation and Securing the Future” (National Security Agency, 2013). I hope the NSA knows exactly what they are doing by wanting to incorporate all of these backdoor “features.”

In order for the NSA to design backdoors, a few concepts should be considered: low discoverability, high deniability, and lastly minimal conspiracy. (Schneier, 2013) More specifically, “Low discoverability [means] the less the backdoor affects the normal operations of the program, the better. Ideally, it shouldn’t affect functionality at all. The smaller the backdoor is the better. Ideally, it should just look like normal functional code” (Schneier, 2013). This is the idea behind low discoverability: you do not want functionality to be affected at all. Next is the concept of high deniability, which means, “If discovered, the backdoor should look like a mistake” (Schneier, 2013). Lastly, there is the concept of minimal conspiracy. “The more people who know about the backdoor, the more likely the secret is to get out. So any good backdoor should be known to very few people” (Schneier, 2013). These concepts are all just basic ideas of how the NSA could design their backdoors. (Schneier, 2013)


Some great strategies to defend against backdoors include the following: (Schneier, 2013)

- “Vendors should make their encryption code public, including the protocol specifications. This will allow others to examine the code for vulnerabilities.”

- “The community should create independent compatible versions of encryption systems, to verify they are operating properly.”

- “There should be no master secrets. These are just too vulnerable.”

- “All random number generators should conform to published and accepted standards. Breaking the random number generator is the easiest difficult-to-detect method of subverting an encryption system.”

- “Encryption protocols should be designed so as not to leak any random information. Nonces should be considered part of the key or public predictable counters if possible. The goal is to make it harder to subtly leak key bits in this information.”


There is no definite method to defend against backdoors. The strategies listed above offer some good ways to help prevent backdoor problems. As the article puts it, “With these principles in mind, we can list design strategies. None of them is foolproof, but they are all useful. I’m sure there’s more; this list isn’t meant to be exhaustive, nor the final word on the topic. It’s simply a starting place for discussion. But it won’t work unless customers start demanding software with this sort of transparency” (Schneier, 2013). It is clear that this backdoor issue is one that the public needs to be aware of so that we can all work together and try to get these problems resolved.

 

References

National Security Agency. (2013, September 4). National Security Agency Central Security Service. Retrieved October 16, 2013, from National Security Agency Central Security Service: http://www.nsa.gov/

Schneier, B. (2013, October 16). How to Design — And Defend Against — The Perfect Security Backdoor. Retrieved October 16, 2013, from Wired: http://www.wired.com/opinion/2013/10/how-to-design-and-defend-against-the-perfect-backdoor/

Friday, October 11, 2013

Week 7 Blog

Government Agencies = New Target for Attackers


Attackers have released a new virus that is seemingly only attacking government organizations. (The Yomiuri Shimbun, 2013) “Attackers implant a virus on certain websites. When people using targeted computers browse these sites, the computers [become] infected with the virus. The virus [does] not attack non-targeted computers” (The Yomiuri Shimbun, 2013). More specifically, “The virus is designed to infect only computers of certain IP addresses when users browse the altered websites on those computers” (The Yomiuri Shimbun, 2013). It’s funny to me that this new virus basically skips certain computers and only goes for government-based computers. It seems like an attacker would want to take down every person that they could since they have the opportunity.

It's so fascinating that the attackers are only after governmental organizations. Obviously, there is some internal motive for these attacks. For instance, “The attackers alter websites that are frequently browsed by employees of government administrative organizations who are members of the websites. The attackers then implanted the virus on those websites, letting it await the chance to infect targeted computers so they could steal confidential information by taking control of the computers remotely” (The Yomiuri Shimbun, 2013). The attackers have a great attack mechanism in place. It seems like these attackers really had to think about their attack mechanism thoroughly so that they would be sure it worked. I am also amazed that the attackers are stealing confidential information remotely.

The attackers have really outdone themselves on this virus because “the virus is designed to infect only computers of certain IP address[es] when users browse altered websites on those computers” (The Yomiuri Shimbun, 2013). This is just such a crazy technique for a hacker to apply when using a virus because they are clearly only targeting certain people. More interesting is the fact that “Ordinary people using computers [. . .] are not targeted by the attackers [and they will] not get infected with the virus. [Therefore,] it is difficult for the cyber-attacks to be discovered” (The Yomiuri Shimbun, 2013). While it seems like attackers would want to take as many victims as possible, these attackers don't seem to care about this approach at all. Clearly, these attackers are using other people to get to their real victims. Obviously, people who are not targets will be really happy to hear about this because they don’t have much to fear as far as becoming infected with a virus. However, governmental agencies should be very concerned because they could easily become the victim of an attack.

Reference:
The Yomiuri Shimbun. (2013, October 9). New Type of Cyber-Attack Targets Govt Bodies, Firms. Retrieved October 11, 2013, from The Japan News: http://the-japan-news.com/news/article/0000711266

Sunday, October 6, 2013

Week 6 Blog


Adobe Got Hacked

The world of Information Security is of course ever growing. Throughout all of the warnings, companies are still not choosing the best means possible to protect their customers’ personal information. Recently, Adobe was hacked. The attackers were able to obtain “customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders” (King, 2013). In fact, 3 million accounts were compromised by the attack on Adobe. (King, 2013)

While the attackers were only able to compromise encrypted credit and debit card numbers, my concern is that the attackers may be able to decrypt this information in the future. It is unclear what type of encryption algorithms Adobe was using. Obviously, it is our hope that they used the strongest encryption algorithm possible, but this does not guarantee any customer security on the matter. However, Adobe has taken some immediate action to reset all Adobe passwords. (King, 2013) Therefore, Adobe has made a few attempts to help their customers.

Holding a customer’s private information is a very difficult task that all businesses will face. It is important that businesses employ information security professionals in order to help mitigate the risk of being vulnerable to attackers. However, eliminating all risks is not necessarily easily done. It is important to protect customers’ information because you otherwise run the risk of jeopardizing your own company’s reputation. If a business loses its reputation, it may face scrutiny from the public and even face losses in sales. It is so important that businesses take information security very seriously.

References

King, R. (2013, October 3). Adobe hacked, 3 million accounts compromised. Retrieved October 6, 2013, from CNET: http://news.cnet.com/8301-1009_3-57605962-83/adobe-hacked-3-million-accounts-compromised/