Wednesday, May 27, 2015

Week 12 - Final Blog Lessons Learned From This Course


This was a very interesting course. It was quite the challenge as well. From the layman’s perspective, threat modeling sounds rather simple. However, this is not the case at all.  Throughout the course, I was challenged with the process because of the concepts that must go in at every step. Steps can easily get overlooked or seen differently than they really are. I am a big picture person so at times I miss details that others might see. Sometimes, it is challenging for me to get past my own big picture views to see the actual trees in the forest but this is still something I am working on.

I really enjoy the system analysis process in threat modeling. It combines the challenge of understanding a complex system with applying that understanding to the ideas and concepts of threats. One important understanding to gain from threat modeling is how to best understand vulnerabilities and threats in specific environments. There seems to be some variation among organizations on what is considered a threat or vulnerability. My previous employer seemed to be lacking in the information security area, which was frustrating at times because they didn’t value information security practices. This is why I feel like this is a very important part of threat analysis. It was a nice semester and I enjoyed the time I spent in this course! I really enjoyed creating these blogs!

Yours truly,
Rashele Shoun


Sunday, May 17, 2015

Week 10 – Chick-fil-A facing potential breach

Chick-Fil-A might be facing a credit card breach as well. More specifically, “Several financial institutions informed Chick-fil-A that various patterns of credit card fraud were being linked back to consumers that used accounts to purchase food at one of their restaurant locations, reports Gizmodo. Since then the chain claims it has been working with federal law enforcement and ‘top IT firms’ to investigate the issue that has affected at least 9,000 individuals” (FOX News, 2015). I see an ongoing issue of attacks that just seem to be getting worse.

Interestingly enough, “On Jan. 2, Chick-fil-A issued a cautious statement about a ‘potential’ data breach but wants to assure customers that if ‘a breach has occurred, customers will not be liable for any fraudulent charges to their accounts --- any fraudulent charges will be the responsibility of either Chick-fil-A or the bank that issued the card.’ In the event of breach confirmation, the chain says it will offer free identity protection services to affected individuals including credit monitoring” (FOX News, 2015). It seems that perhaps we need more and more IT Security professionals out there to investigate the issues at hand. I wonder how many companies are actually utilizing security audits. I think this is probably something that companies should consider in order to try and lower these types of attacks. We need more proactive approaches to Information Security.

           

Reference


FOX News. (2015, January 5). Chick-Fil-A investigating possible credit card breach of over 9,000 customers. Retrieved from FOX News: http://www.foxnews.com/leisure/2015/01/05/chick-fil-investigating-possible-credit-card-breach-over-000-customers/




Tuesday, May 5, 2015

Week 9 – Sally Beauty Second Credit Card Breach


We all feel the hit when a major retailer gets hit with a breach the first time. How does it feel to see the same retailer hit again? Well, it’s going to cost you some business, at least as far as credit card transactions are concerned. I know I won’t be using my credit card at Sally’s anymore. “On March 5, 2014, [it was] reported that a batch of more than 282,000 cards that went up for sale on Rescator[dotc]cc — the same site that was first to sell cards stolen in the Home Depot and Target breaches — all traced back to customers who’d shopped at Sally Beauty locations nationwide. Asked about that pattern at the time, a company spokesperson said Sally Beauty had recently detected an intrusion into its network, but that neither its information technology experts nor an outside forensics firm could find evidence that customer card data had been stolen from the company’s systems” (Krebs on Security, 2015).

“But on March 17, 2014, Sally Beauty officially confirmed a breach of its network, but said its investigation determined that fewer than 25,000 card accounts were removed from its network. Nevertheless, a subsequent, exhaustive analysis of the Sally Beauty store ZIP codes listed in the cards for sale on Rescator’s site indicated that the 2014 breach impacted virtually all 2,600+ Sally Beauty locations nationwide” (Krebs on Security, 2015). I’m more interested in understanding how the attackers were able to get in. Could Sally Beauty have been able to prevent these breaches? Were they protecting their networks? I would like to see more information on this so that I can decide as a customer if I should continue to do business with this company. I prefer doing business with companies that value my cardholder data. It’s important to me that businesses protect my information; otherwise, I won’t want to give them any of this information. I suppose I’ll have to wait until further investigation is done on this matter.

Reference


Krebs on Security. (2015, May). Sally Beauty Card Breach, Part Deux? Retrieved May 4, 2015, from Krebs on Security: https://krebsonsecurity.com/2015/05/sally-beauty-card-breach-part-deux/



Thursday, April 30, 2015

Week 8 – Hacker Arrested for Spying with Webcams


Today a very interesting article was released on Security Week. Interestingly enough, a 27-year-old female hacker was arrested for using malicious software to take over people’s computers and spy on them (AFP, 2015). For me, I feel like it’s interesting to see a female similar to me doing these types of acts. I feel like you typically see males involved in hacking attempts. Obviously, this is not the case. More interestingly, this female is actually “believed to be at the origin of a botnet, i.e. a group of computers infected by a virus and remotely controlled by a hacker” (AFP, 2015). This seems very interesting to me.

According to the article, she is from Saint-Alphonse-Rodriguez, Quebec, and this is where she would launch all of her attacks (AFP, 2015). So, what exactly was she able to do through a webcam? Well, “The woman allegedly eavesdropped on private conversations and communicated with victims through the speakers of their infected computers” (AFP, 2015). This act seems a little bizarre. It seems like she was just really bored and maybe got some type of excitement in harassing these people through their computers. “Police said she also ‘frightened her victims,’ including children, by taking over control of their computers and logging on to extreme pornography websites” (AFP, 2015).

For me, this is where you really just cross the line. I mean why anyone would purposely expose little children to pornography in any sense just makes absolutely no sense. This really upsets me. I hate to see children exposed to inappropriate materials! I don’t even want to be exposed to them! It’s really unfair for someone to do this to innocent little kids. I think one of the most complicated parts of Information Security is trying to understand these attackers. Some of their behaviors just make no sense. You aren’t getting any monetary compensation for what you are doing, so why are you interested in doing what you are doing? The human behavior aspects really come into play in Information Security and I believe human behavior is a critical factor in understanding crime and criminal behaviors. Information Security is a very interesting area to be a part of.


References


AFP. (2015, April 30). Canadian Hacker Arrested for Spying Through Webcams. Retrieved April 30, 2015, from Security Week: http://www.securityweek.com/canadian-hacker-arrested-spying-through-webcams



Saturday, April 25, 2015

Week 7 – Encryption cracked by simply listening to sounds from CPU



With all of the attempts at hacking into systems and addressing vulnerabilities, it’s sort of ironic to discover that some security researchers were actually able to break the RSA 4096 encryption algorithm by simply listening to the computer’s CPU (Anthony, 2013). More specifically, “the security researchers listen to the high-pitched (10 to 150 KHz) sounds produced by your computer as it decrypts data” (Anthony, 2013). Interestingly enough, this process has been dubbed a side-channel attack (Anthony, 2013). This is a rather interesting type of attack that I’m sure most people would easily miss. I found this very interesting and intriguing.

Interestingly enough, “In terms of real-world repercussions, acoustic cryptanalysis is actually surprisingly dangerous. Imagine if you were decrypting some files in a library, coffee shop, or other public space — someone could obtain your decryption key just by placing their phone near your computer. Alternatively, an attacker could use spear phishing to put malware on your phone that listens for the decryption key. With HTML5 and Flash able to access the microphone, it would be possible to build a website that listens for encryption keys too. The researchers propose one particularly nefarious scenario: Put a microphone into a co-located server, slot it into a rack in a data center, and then scoop up the encryption keys from hundreds of nearby servers” (Anthony, 2013). This is actually very cool if you think about the possibilities. However, I’m not sure the risk is as typically high as other risks out there, which is probably a really good thing.

How do you protect yourself from this type of attack? Well, a co-worker of mine said you could play music really loud and rationalize doing this at work by claiming that you need to protect the sounds coming from your keyboard. This made me laugh but I’m not sure too many managers would be happy with this approach. Therefore, “If you want to keep your data secure, you only really have two viable options: Heavy-duty encryption, physical security, and ideally both at the same time. If an attacker can’t get physically close to your data, it instantly becomes much harder to steal it. As far as mitigating acoustic cryptanalysis attacks, you either implement physical security — keep your laptop in a sound-tight box, or never let anyone near your computer when you’re decrypting data — or you need to use a ‘sufficiently strong wide-band noise source.’ Something like a swooping, large-orchestra classical concerto would probably do it” (Anthony, 2013). I’m not sure I’d be too highly concerned at the moment with this vulnerability but I’d probably be cautious if a person strangely tries anything like the ideas mentioned.

References


Anthony, S. (2013, December 18). Researchers crack the world’s toughest encryption by listening to the tiny sounds made by your computer’s CPU. Retrieved from Extreme Tech: http://www.extremetech.com/extreme/173108-researchers-crack-the-worlds-toughest-encryption-by-listening-to-the-tiny-sounds-made-by-your-computers-cpu



Wednesday, April 15, 2015

Week 6 – Hackers could bring down planes with passenger Wi-Fi


A coworker on my Information Security team found a really cool article on how hackers can actually use the Wi-Fi that is available on a plane to bring down the plane (Fox News, 2015). More specifically, “The finding by the Government Accountability Office presents chilling new scenarios for passengers. The report doesn't suggest it would be easy to do, or very likely. But it points out that as airlines and the Federal Aviation Administration attempt to modernize planes and flight tracking with Internet-based technology, attackers have a new vulnerability they could exploit” (Fox News, 2015). This obviously brings up some serious concerns that we should all be worried about. It’s bad enough that in today’s world we have to worry about terrorists taking planes down. I suppose now we even have to worry about hackers as well.

My co-worker actually brought up an interesting point. Why are the plane’s control systems on the same network as the passenger Wi-Fi? This is a very good point. Moreover, “The theoretical vulnerabilities exist within the In Flight Entertainment systems on both the Panasonic and Thales installations, the two main providers of these systems. [. . .] The systems can be breached wirelessly, and, once in, a clever hacker can gain access into other areas of the plane’s network” (Fox News, 2015). This is very interesting and brings up many questions. One interesting consideration to me was what is the worst case scenario here?

According to the article, the “worst case would likely be the ability to access the avionics systems, monitor and possibly influence the control interfaces and other critical flight environments typically found on the private plane subnet, giving the hacker the ability to intercept and possibly modify the packets of data being sent from the controls to the actuators using readily available software” (Fox News, 2015). These are all extremely important points to note here. While this is still a relatively new issue, it is still potentially an issue. As we continue on, the potential threats in our environment continue to grow.

 


References




Fox News. (2015, April 15). GAO reports warns hackers could bring down plane using passenger Wi-Fi. Retrieved from Fox News: http://www.foxnews.com/tech/2015/04/15/gao-reports-warns-hackers-could-bring-down-plane-using-passenger-wi-fi/

 


 

Sunday, April 12, 2015

Week 5 - Network Exposed Passwords During TV Interview

A co-worker of mine found a hilarious article that describes how a French TV network probably got hacked. David Delos, a TV reporter, did a recent televised appearance in front of a co-worker’s desk. The co-worker’s desk was covered in sticky notes that had usernames and passwords all over the desk (Machkovech, 2015). This made me laugh because it just seems so ironic. In information security this is one of the most basic protection mechanisms. You never put your password on a sticky note in front of a computer. It’s even more ironic that they chose to film the TV appearance in front of that specific desk.

In today’s world, I am actually shocked that this type of situation was even able to occur. I can’t help but laugh at the simplicity of fixing this situation or at least choosing not to publicly broadcast the fact that employees at that company display their passwords in that manner. It’s just one of those situations that in the security world seems like it shouldn’t happen anymore but I suppose it still does. Hopefully, they will learn from this event in the future.

References


Machkovech, S. (2015, April 9). Hacked French network exposed its own passwords during TV interview. Retrieved from Ars Technica: http://arstechnica.com/security/2015/04/hacked-french-network-exposed-its-own-passwords-during-tv-interview/



Saturday, April 4, 2015

Week 4 - JP Morgan Chase Breach

Information Security and security concerns are not going anywhere. In fact, this area is only growing more and more. The threat of attackers is not going to decrease any time soon. I predict that things will continue to get worse and worse. Many companies, including the company I am leaving, refuse to take Information Security seriously. I feel like many large companies only take information security seriously after they have already lost their valuable data. This is a high concern for someone involved in security. It’s like you just can’t rest knowing that your company refuses to take risks seriously.  

One noteworthy attack was the recent attack at Chase. The JP Morgan Chase Breach of 2014 was fairly large. The breach actually affected 76 million households and even 7 million small businesses, but luckily no consumer fraud has occurred yet because of this breach. Chase apparently lost names, addresses, phone numbers, and email addresses. Luckily, Chase says that sensitive information like account numbers, passwords, social security numbers, and birthdays were seemingly not able to be compromised (Hardekopf, 2014). My hope is that as these attacks continue, Information Security positions will become more and more valued by corporations.

References


Hardekopf, B. (2014, October 3). Major Data Breach at JP Morgan Chase Hits 76 Million Households. Retrieved from Low Cards: http://www.lowcards.com/major-data-breach-jp-morgan-chase-hits-76-million-households-27953



Friday, April 3, 2015

Week 3 - Hackers Using Mobile Apps to Get Into Enterprises


“Each year, the Information Security Forum, a nonprofit association that researches and analyzes security and risk management issues, releases its 'Threat Horizon' report to provide members with a forward-looking view of the biggest security threats over a two-year horizon” (Olavsrud, 2014). Interestingly enough, one of the most interesting security threats that the Information Security Forum found was that mobile applications are now a huge target for cybercriminals and hackers because they typically offer them a way into the enterprise (Olavsrud, 2014).

As more and more enterprises use mobile applications, they are exposing themselves more and more. The security of mobile applications is still not so great because of the rapid developmental processes involved (Olavsrud, 2014). One important consideration is that the “ISF recommends you incorporate user devices into existing standards for access management, and that you begin to promote education and awareness of BYOx (Bring Your Own Anything) risk in innovative ways” (Olavsrud, 2014). It’s still outstanding to realize all of the threats that are still developing. I’m sure there is more to come on these types of threats.

References

Olavsrud, T. (2014, April 1). 10 Top Information Security Threats for the Next Two Years. Retrieved from CIO: http://www.cio.com/article/2368648/security0/149359-10-Top-Information-Security-Threats-for-the-Next-Two-Years.html#slide7



Friday, March 20, 2015

Week 2 - Hacking Wireless Implantable Medical Devices


Implantable medical devices (IMDs) are not only important in today’s technologically advanced medical world to help extend human life; they are now a normal part of our lives in general. IMDs consist of important medical devices like pacemakers, defibrillators, and even insulin pumps (Homeland Security News Wire, 2015). What would happen if IMDs were able to be hacked? What would be the toll on humans if these devices were vulnerable to attacks? Well, “Roughly 300,000 Americans receive IMDs a year, with 2.5 million people relying on them to treat a wide variety of illnesses and conditions like diabetes and Parkinson’s disease. A 2012 study by the Freedonia Group estimated that demand for IMDs will increase about 7.7 percent annually. The industry is expected to grow to $52 billion by 2015” (Homeland Security News Wire, 2015). These numbers sound alarming. The number of people that could potentially be affected by these types of attacks makes me think we should be concerned.

Interestingly enough, “The Department of Homeland Security (DHS) has issued an alert, warning medical facilities that more than 300 different devices from forty separate manufacturers had vulnerabilities which could be exploited by a malicious hacker or group. This warning follows incidents in which computers have been targeted by computer viruses such as Stuxnet, credit card cryptographic algorithms have been reverse engineered, smart phones have been infected with malware, and Iraqi insurgents hacked the video feed of U.S. Department of Defense (DOD) Predator drone aircraft” (Homeland Security News Wire, 2015). Obviously, there could be some real potential for attackers to exploit any vulnerabilities on these devices.

There is a serious issue at hand here. What could happen to the world if anyone could change your medications or dosage amounts whenever they wanted? How about the issue of hacking someone’s medical device to do fatal harm to them? “At a 2011 hacker conference, a known hacker who goes by the alias ‘Barnaby Jack’ demonstrated how he could compromise an insulin pump at a distance of 300 feet. He could alter the insulin amount remotely, which would result in death should someone have been implanted with the device. For the first time in the history of humanity, the human body has become subject to cyber-attacks. The more we implant tiny computers inside ourselves to monitor and improve our health, the more we create opportunities for others to hack into our bodies and subvert these machines for any number of criminal offenses, with homicide being the most obvious concern” (Homeland Security News Wire, 2015).

These are still early issues at this point in time but these are issues that must be understood. As technology increases, so too does the sophistication of crime. It is important that these issues be understood, studied, and resolved. We can’t just give up our new innovations in the medical world because of malicious attacks. As Information Security professionals, we must monitor, understand, and address all malicious issues that come up in everything we do. Information Security is an outstanding field. It is up to us to continue keeping our world secure. I look forward to reading more on these issues as they develop.

For more information on sources that I feel are credible in the Information Security world, please see my list below. Governmental organizations (like the Department of Defense, FBI, and the NSA) usually have reliable information on threats, vulnerabilities, and security news. When it comes to conflicting sources of information, the best approach is to do your own research so that you can decide who has all the facts and who does not. This can be tricky but if you further investigate you should be able to accomplish this task.

Good sources:
Information Week Dark Reading http://www.darkreading.com/



References


Homeland Security News Wire. (2015, March 19). Wireless Implantable Medical Devices Vulnerable to Hacking. Retrieved from Homeland Security News Wire: http://www.homelandsecuritynewswire.com/dr20150319-wireless-implantable-medical-devices-vulnerable-to-hacking



Sunday, March 15, 2015

Can Apple Pay Be Hacked?

The new Apple Pay sounds very cool. It even has my attention because I like trying new technologies plus I have been trying out the new iPhone plus. However, my question is are there any potential security risks that the public should be aware of before taking the plunge and fully using Apple Pay for all their basic needs? “While Apple Pay has yet to be put to a real-world test, some security experts--despite generally praising Apple's move as a step in the right direction--have already identified some potential risks inherent in the system” (Thompson, 2014). This might be concerning to some people in the population. It definitely concerns me. Moreover, "If correctly implemented it could add security benefits, but there could also be some gaping security flaws” (Thompson, 2014).

Some important considerations for security with Apple Pay include using tokenization instead of storing user financial data. The actual credit card number is not stored; instead, another account number is generated for each specific Apple device and stored on an encrypted chip in the iPhone 6 and iPhone 6 Plus (Thompson, 2014). This makes the Apple Pay option sound fairly secure. There are many considerations to consider but at this point it is too soon to determine if Apple Pay will have considerable weaknesses or not. I look forward to finding out more about this matter in the near future. I wouldn’t mind seeing what those vulnerabilities are, if they do end up existing.



References


Thompson, C. (2014, September 11). How hackers could still get around Apple Pay security. Retrieved from CNBC: http://www.cnbc.com/id/101992749#.