Wednesday, May 27, 2015

Week 12 - Final Blog Lessons Learned From This Course


This was a very interesting course. It was quite the challenge as well. From the layman’s perspective, threat modeling sounds rather simple. However, this is not the case at all. Throughout the course, I was challenged with the process because of the concepts that must go in at every step. Steps can easily get overlooked or seen differently than they really are. I am a big-picture person, so at times I miss details that others might see. Sometimes, it is challenging for me to get past my own big-picture views to see the actual trees in the forest, but this is still something I am working on.

I really enjoy the system analysis process in threat modeling. It combines some of the challenges of understanding a complex system with then applying this understanding to the ideas and concepts of threats. One important understanding to gain from threat modeling is how to best understand vulnerabilities and threats in specific environments. There seems to be some variation among organizations on what is considered a threat or vulnerability. My previous employer seemed to be lacking in the information security area, which was frustrating at times because they didn’t value information security practices. This is why I feel like this is a very important part of threat analysis. It was a nice semester and I enjoyed the time I spent in this course! I really enjoyed creating these blogs!

Yours truly,
Rashele Shoun


Sunday, May 17, 2015

Week 10 – Chick-fil-A facing potential breach

Chick-fil-A might be facing a credit card breach as well. More specifically, “Several financial institutions informed Chick-fil-A that various patterns of credit card fraud were being linked back to consumers that used accounts to purchase food at one of their restaurant locations, reports Gizmodo. Since then the chain claims it has been working with federal law enforcement and ‘top IT firms’ to investigate the issue that has affected at least 9,000 individuals” (FOX News, 2015). I see an ongoing issue of attacks that just seem to be getting worse.

Interestingly enough, “On Jan. 2, Chick-fil-A issued a cautious statement about a ‘potential’ data breach but wants to assure customers that if ‘a breach has occurred, customers will not be liable for any fraudulent charges to their accounts --- any fraudulent charges will be the responsibility of either Chick-fil-A or the bank that issued the card.’ In the event of breach confirmation, the chain says it will offer free identity protection services to affected individuals including credit monitoring” (FOX News, 2015). It seems that perhaps we need more and more IT Security professionals out there to investigate the issues at hand. I wonder how many companies are actually utilizing security audits. I think this is probably something that companies should consider in order to try and lower these types of attacks. We need more proactive approaches to Information Security.

           

Reference


FOX News. (2015, January 5). Chick-Fil-A investigating possible credit card breach of over 9,000 customers. Retrieved from FOX News: http://www.foxnews.com/leisure/2015/01/05/chick-fil-investigating-possible-credit-card-breach-over-000-customers/




Tuesday, May 5, 2015

Week 9 – Sally Beauty Second Credit Card Breach


We all feel the hit when a major retailer gets hit with a breach the first time. How does it feel to see the same retailer hit again? Well, it’s going to cost you some business, at least as far as credit card transactions are concerned. I know I won’t be using my credit card at Sally’s anymore. “On March 5, 2014, [it was] reported that a batch of more than 282,000 cards that went up for sale on Rescator[dot]cc — the same site that was first to sell cards stolen in the Home Depot and Target breaches — all traced back to customers who’d shopped at Sally Beauty locations nationwide. Asked about that pattern at the time, a company spokesperson said Sally Beauty had recently detected an intrusion into its network, but that neither its information technology experts nor an outside forensics firm could find evidence that customer card data had been stolen from the company’s systems” (Krebs on Security, 2015).

“But on March 17, 2014, Sally Beauty officially confirmed a breach of its network, but said its investigation determined that fewer than 25,000 card accounts were removed from its network. Nevertheless, a subsequent, exhaustive analysis of the Sally Beauty store ZIP codes listed in the cards for sale on Rescator’s site indicated that the 2014 breach impacted virtually all 2,600+ Sally Beauty locations nationwide” (Krebs on Security, 2015). I’m more interested in understanding how the attackers were able to get in. Could Sally Beauty have been able to prevent these breaches? Were they protecting their networks? I would like to see more information on this so that I can decide as a customer if I should continue to do business with this company. I prefer doing business with companies that value my cardholder data. It’s important to me that businesses protect my information; otherwise I won’t want to give them any of this information. I suppose I’ll have to wait until further investigation is done on this matter.

Reference


Krebs on Security. (2015, May). Sally Beauty Card Breach, Part Deux? Retrieved May 4, 2015, from Krebs on Security: https://krebsonsecurity.com/2015/05/sally-beauty-card-breach-part-deux/



Thursday, April 30, 2015

Week 8 – Hacker Arrested for Spying with Webcams


Today a very interesting article was released on Security Week. Interestingly enough, a 27-year-old female hacker was arrested for using malicious software to take over people’s computers and spy on them (AFP, 2015). For me, I feel like it’s interesting to see a female similar to me doing these types of acts. I feel like you typically see males involved in hacking attempts. Obviously, this is not the case. More interestingly, this female is actually “believed to be at the origin of a botnet, i.e. a group of computers infected by a virus and remotely controlled by a hacker” (AFP, 2015). This seems very interesting to me.

According to the article, she is from Saint-Alphonse-Rodriguez, Quebec, and this is where she would launch all of her attacks (AFP, 2015). So, what exactly was she able to do through a webcam? Well, “The woman allegedly eavesdropped on private conversations and communicated with victims through the speakers of their infected computers” (AFP, 2015). This act seems a little bizarre. It seems like she was just really bored and maybe got some type of excitement in harassing these people through their computers. “Police said she also ‘frightened her victims,’ including children, by taking over control of their computers and logging on to extreme pornography websites” (AFP, 2015).

For me, this is where you really just cross the line. I mean why anyone would purposely expose little children to pornography in any sense just makes absolutely no sense. This really upsets me. I hate to see children exposed to inappropriate materials! I don’t even want to be exposed to them! It’s really unfair for someone to do this to innocent little kids. I think one of the most complicated parts of Information Security is trying to understand these attackers. Some of their behaviors just make no sense. You aren’t getting any monetary compensation for what you are doing, so why are you interested in doing what you are doing? The human behavior aspects really come into play in Information Security and I believe human behavior is a critical factor in understanding crime and criminal behaviors. Information Security is a very interesting area to be a part of.


References


AFP. (2015, April 30). Canadian Hacker Arrested for Spying Through Webcams. Retrieved April 30, 2015, from Security Week: http://www.securityweek.com/canadian-hacker-arrested-spying-through-webcams



Saturday, April 25, 2015

Week 7 – Encryption cracked by simply listening to sounds from CPU



With all of the attempts at hacking into systems and addressing vulnerabilities, it’s sort of ironic to discover that some security researchers were actually able to break the RSA 4096 encryption algorithm by simply listening to the computer’s CPU (Anthony, 2013). More specifically, “the security researchers listen to the high-pitched (10 to 150 KHz) sounds produced by your computer as it decrypts data” (Anthony, 2013). Interestingly enough, this process has been dubbed a side channel attack (Anthony, 2013). This is a rather interesting type of attack that I’m sure most people would easily miss. I found this very interesting and intriguing.

Interestingly enough, “In terms of real-world repercussions, acoustic cryptanalysis is actually surprisingly dangerous. Imagine if you were decrypting some files in a library, coffee shop, or other public space — someone could obtain your decryption key just by placing their phone near your computer. Alternatively, an attacker could use spear phishing to put malware on your phone that listens for the decryption key. With HTML5 and Flash able to access the microphone, it would be possible to build a website that listens for encryption keys too. The researchers propose one particularly nefarious scenario: Put a microphone into a co-located server, slot it into a rack in a data center, and then scoop up the encryption keys from hundreds of nearby servers” (Anthony, 2013). This is actually very cool if you think about the possibilities. However, I’m not sure the risk is as typically high as other risks out there, which is probably a really good thing.

How do you protect yourself from this type of attack? Well, a co-worker of mine said you could play music really loud and rationalize doing this at work by claiming that you need to protect the sounds coming from your keyboard. This made me laugh, but I’m not sure too many managers would be happy with this approach. Therefore, “If you want to keep your data secure, you only really have two viable options: Heavy-duty encryption, physical security, and ideally both at the same time. If an attacker can’t get physically close to your data, it instantly becomes much harder to steal it. As far as mitigating acoustic cryptanalysis attacks, you either implement physical security — keep your laptop in a sound-tight box, or never let anyone near your computer when you’re decrypting data — or you need to use a ‘sufficiently strong wide-band noise source.’ Something like a swooping, large-orchestra classical concerto would probably do it” (Anthony, 2013). I’m not sure I’d be too highly concerned at the moment with this vulnerability, but I’d probably be cautious if a person strangely tries anything like the ideas mentioned.

References


Anthony, S. (2013, December 18). Researchers crack the world’s toughest encryption by listening to the tiny sounds made by your computer’s CPU. Retrieved from Extreme Tech: http://www.extremetech.com/extreme/173108-researchers-crack-the-worlds-toughest-encryption-by-listening-to-the-tiny-sounds-made-by-your-computers-cpu



Wednesday, April 15, 2015

Week 6 – Hackers could bring down planes with passenger Wi-Fi


A coworker on my Information Security team found a really cool article on how hackers can actually use the Wi-Fi that is available on a plane to bring down the plane (Fox News, 2015). More specifically, “The finding by the Government Accountability Office presents chilling new scenarios for passengers. The report doesn't suggest it would be easy to do, or very likely. But it points out that as airlines and the Federal Aviation Administration attempt to modernize planes and flight tracking with Internet-based technology, attackers have a new vulnerability they could exploit” (Fox News, 2015). This obviously brings up some serious concerns that we should all be worried about. It’s bad enough that in today’s world we have to worry about terrorists taking planes down. I suppose now we even have to worry about hackers as well.

My co-worker actually brought up an interesting point. Why are the plane’s control systems on the same network as the passenger Wi-Fi? This is a very good point. Moreover, “The theoretical vulnerabilities exist within the In Flight Entertainment systems on both the Panasonic and Thales installations, the two main providers of these systems. [. . .] The systems can be breached wirelessly, and, once in, a clever hacker can gain access into other areas of the plane’s network” (Fox News, 2015). This is very interesting and brings up many questions. One interesting consideration to me was: what is the worst-case scenario here?

According to the article, the “worst case would likely be the ability to access the avionics systems, monitor and possibly influence the control interfaces and other critical flight environments typically found on the private plane subnet, giving the hacker the ability to intercept and possibly modify the packets of data being sent from the controls to the actuators using readily available software” (Fox News, 2015). These are all extremely important points to note here. While this is still a relatively new issue, it is still potentially an issue. As we continue on, the potential threats in our environment continue to grow.

 


References




Fox News. (2015, April 15). GAO reports warns hackers could bring down plane using passenger Wi-Fi. Retrieved from Fox News: http://www.foxnews.com/tech/2015/04/15/gao-reports-warns-hackers-could-bring-down-plane-using-passenger-wi-fi/

 


 

Sunday, April 12, 2015

Week 5 - Network Exposed Passwords During TV Interview

A co-worker of mine found a hilarious article that describes how a French TV network probably got hacked. David Delos, a TV reporter, did a recent televised appearance in front of a co-worker’s desk. The co-worker’s desk was covered in sticky notes that had usernames and passwords all over the desk (Machkovech, 2015). This made me laugh because it just seems so ironic. In information security this is one of the most basic protection mechanisms. You never put your password on a sticky note in front of a computer. It’s even more ironic that they chose to film the TV appearance in front of that specific desk.

In today’s world, I am actually shocked that this type of situation was even able to occur. I can’t help but laugh at the simplicity of fixing this situation or at least choosing not to publicly broadcast the fact that employees at that company display their passwords in that manner. It’s just one of those situations that in the security world seems like it shouldn’t happen anymore, but I suppose it still does. Hopefully, they will learn from this event in the future.

References


Machkovech, S. (2015, April 9). Hacked French network exposed its own passwords during TV interview. Retrieved from Ars Technica: http://arstechnica.com/security/2015/04/hacked-french-network-exposed-its-own-passwords-during-tv-interview/