Week 8 – Hacker Arrested for Spying with Webcams

            Today a very interesting article was released on Security Week. Interestingly enough, a 27 year old female hacker was arrested for using malicious software to take over people’s computers and spy on them. (AFP, 2015) For me, I feel like it’s interesting to see a female similar to me doing these types of acts. I feel like you typically see males involved in hacking attempts. Obviously, this is not the case. More interestingly, this female is actually, “believed to be at the origin of a botnet, i.e. a group of computers infected by a virus and remotely controlled by a hacker” (AFP, 2015). This seems very interesting to me.

            According to the article she is from Saint-Alphonse-Rodriguez, Quebec and this is where she would launch all of her attacks. (AFP, 2015) So, what exactly was she able to do through a webcam? Well, “The woman allegedly eavesdropped on private conversations and communicated with victims through the speakers of their infected computers” (AFP, 2015). This act seems a little bizarre. It seems like she was just really board and maybe got some type of excitement in harassing these people through their computers. “Police said she also ‘frightened her victims,’ including children, by taking over control of their computers and logging on to extreme pornography websites” (AFP, 2015).

For me, this is where you really just cross the line. I mean why anyone would purposely expose little children to pornography in any sense just makes absolutely no sense. This really upsets me. I hate to see children exposed to inappropriate materials! I don’t even want to be exposed to them! It’s really unfair for someone to do this to innocent little kids. I think one of the most complicated parts of Information Security is trying to understand these attackers. Some of their behaviors just make no sense. You aren’t getting any monetary compensation for what you are doing, so why are you interested in doing what you are doing? The human behavior aspects really come into play in Information Security and I believe human behavior is a critical factor in understanding crime and criminal behaviors. Information Security is a very interesting area to be a part of.

References

AFP. (2015, April 30). Canadian Hacker Arrested for Spying Through Webcams. Retrieved April 30, 2015, from Security Week: http://www.securityweek.com/canadian-hacker-arrested-spying-through-webcams

Week 7 – Encryption cracked by simply listening to sounds from CPU

            With all of the attempt at hacking into systems and addressing vulnerabilities, it’s sort of ironic to discover that some security researchers were actually able to break the RSA 4096 encryption algorithm by simply listening to the computer’s CPU. (Anthony, 2013) More specifically, “the security researchers listen to the high-pitched (10 to 150 KHz) sounds produced by your computer as it decrypts data” (Anthony, 2013). Interesting enough this process has been dubbed as a side channel attack. (Anthony, 2013) This is a rather interest type of attack that I’m sure most people would easily miss. I found this very interesting and intriguing.

           

            Interesting enough, “In terms of real-world repercussions, acoustic cryptanalysis is actually surprisingly dangerous. Imagine if you were decrypting some files in a library, coffee shop, or other public space — someone could obtain your decryption key just by placing their phone near your computer. Alternatively, an attacker could use spear phishing to put malware on your phone that listens for the decryption key. With HTML5 and Flash able to access the microphone, it would be possible to build a website that listens for encryption keys too. The researchers propose one particularly nefarious scenario: Put a microphone into a co-located server, slot it into a rack in a data center, and then scoop up the encryption keys from hundreds of nearby servers” (Anthony, 2013). This is actually very cool if you think about the possibilities. However, I’m not sure the risk is a typically high as other risks out there which is probably a really good thing.

            How do you protect yourself from this type of attack? Well, a co-worker of mind said you could play music really loud and rationalize doing this at work by claiming that you need to protect the sounds coming from your keyboard.  This made me laugh but I’m not sure too many mangers would be happy with this approach. Therefore, “If you want to keep your data secure, you only really have two viable options: Heavy-duty encryption, physical security, and ideally both at the same time. If an attacker can’t get physically close to your data, it instantly becomes much harder to steal it. As far as mitigating acoustic cryptanalysis attacks, you either implement physical security — keep your laptop in a sound-tight box, or never let anyone near your computer when you’re decrypting data — or you need to use a ‘sufficiently strong wide-band noise source.’ Something like a swooping, large-orchestra classical concerto would probably do it” (Anthony, 2013). I’m not sure I’d be too highly concerned at the moment with this vulnerability but I’d probably be cautious if a person strangely tries anything like the ideas mentioned.

References

Anthony, S. (2013, December 18). Researchers crack the world’s toughest encryption by listening to the tiny sounds made by your computer’s CPU. Retrieved from Extreme Tech: http://www.extremetech.com/extreme/173108-researchers-crack-the-worlds-toughest-encryption-by-listening-to-the-tiny-sounds-made-by-your-computers-cpu

Week 6 – Hackers could bring down planes with passenger Wi-Fi

            A coworker on my Information Security team found a really cool article on how hackers can actually use the Wi-Fi that is available on a plane to bring down the plane. (Fox News, 2015) More specifically, “The finding by the Government Accountability Office presents chilling new scenarios for passengers. The report doesn't suggest it would be easy to do, or very likely. But it points out that as airlines and the Federal Aviation Administration attempt to modernize planes and flight tracking with Internet-based technology, attackers have a new vulnerability they could exploit” (Fox News, 2015). This obviously brings up some serious concerns that we should all be worried about. It’s bad enough that in today’s world we have to worry about terrorists taking planes down. I suppose now we even have to worry about hackers as well.

            My co-worker actually brought up an interesting point. Why are the plane’s control systems on the same network as the passenger Wi-Fi? This is a very good point. Moreover, “The theoretical vulnerabilities exist within the In Flight Entertainment systems on both the Panasonic and Thales installations, the two main providers of these systems. [. . .] The systems can breached wirelessly, and, once in, a clever hacker can gain access into other areas of the plane’s network” (Fox News, 2015). This is very interesting and brings up many questions. One interesting consideration to me was what is the worst case scenario here?

According to the article, the “worst case would likely be the ability to access the avionics systems, monitor and possibly influence the control interfaces and other critical flight environments typically found on the private plane subnet, giving the hacker the ability to intercept and possibly modify the packets of data being sent from the controls to the actuators using readily available software” (Fox News, 2015). These are all extremely important points to note here. While this is still a relatively new issue, it is still potentially an issue. As we continue on, the potential threats in our environment continue to grow.

 

References

Fox News. (2015, April 15). GAO reports warns hackers could bring down plane using passenger Wi-Fi. Retrieved from Fox News: http://www.foxnews.com/tech/2015/04/15/gao-reports-warns-hackers-could-bring-down-plane-using-passenger-wi-fi/

 

 

Week 5 - Network Exposed Passwords During TV Interview

            A co-worker of mine found a hilarious article that describes how a French TV network probably got hacked. David Delos, a TV reporter, did a recent televised appearance in front of a co-workers desk. The co-worker’s desk was covered in sticky notes that had usernames and passwords all over the desk. (Machkovech, 2015) This made me laugh because it just seems so ironic. In information security this is one of the most basic protection mechanisms. You never put your password on a sticky note in front of a computer. It’s even more ironic that they chose to film the TV appearance in front of that specific desk.

            In today’s world, I am actually shocked that this type of situation was even able to occur. I can’t help but laugh at the simplicity of fixing this situation or at least choosing not to publically broadcast the fact that employees at that company display their passwords in that manner. It’s just one of those situations that in the security world seems like it shouldn’t happen anymore but I suppose it still does. Hopefully, they will learn from this event in the future.

References

Machkovech, S. (2015, April 9). Hacked French network exposed its own passwords during TV interview. Retrieved from ARS Technica: http://arstechnica.com/security/2015/04/hacked-french-network-exposed-its-own-passwords-during-tv-interview/

Week 4 - JP Morgan Chase Breach

Information Security and security concerns are not going anywhere. In fact, this area is only growing more and more. The threat of attackers is not going to decrease any time soon. I predict that things will continue to get worse and worse. Many companies, including the company I am leaving, refuse to take Information Security seriously. I feel like many large companies only take information security seriously after they have already lost their valuable data. This is a high concern for someone involved in security. It’s like you just can’t rest knowing that your company refuses to take risks seriously.  

One noteworthy attack was the recent attack at Chase. The JP Morgan Chase Breach of 2014 was fairly large. JP Morgan Chase actually affected 76 million households and even 7 million small businesses but luckily not consumer fraud has occurred yet because of this breach. Chase apparently lost names, addresses, phone numbers, and email addresses. Luckily, Chase says that sensitive information like account numbers, passwords, social security numbers, and birthdays were seemingly not able to be compromised. (Hardekopf, 2014) My hope is that as these attacks continue, Information Security positions will become more and more valued by corporations.

References

Hardekopf, B. (2014, October 3). Major Data Breach at JP Morgan Chase Hits 76 Million Households. Retrieved from Low Cards: http://www.lowcards.com/major-data-breach-jp-morgan-chase-hits-76-million-households-27953

Week 3 - Hackers Using Mobile Apps to Get Into Enterprises

“Each year, the Information Security Forum, a nonprofit association that researches and analyzes security and risk management issues, releases its 'Threat Horizon' report to provide members with a forward-looking view of the biggest security threats over a two-year horizon” (Olavsrud, 2014). Interestingly enough, one of the most interesting security threats that the Information Security Forum found was that mobile applications are now a huge target for cybercriminals and hackers because it typically offers them a way into the enterprise. (Olavsrud, 2014)

As more and more enterprises use mobile applications, they are exposing their selves more and more. The security of mobile applications is still not so great because of the rapid developmental processes involved. (Olavsrud, 2014) One important consideration is that the “ISF recommends you incorporate user devices into existing standards for access management, and that you begin to promote education and awareness of BYOx (Bring Your Own Anything) risk in innovative ways” (Olavsrud, 2014). It’s still outstanding to realize all of the threats that are still developing. I’m sure there is more to come on these types of threats.

References

Olavsrud, T. (2014, April 1). 10 Top Information Security Threats for the Next Two Years. Retrieved from CIO: http://www.cio.com/article/2368648/security0/149359-10-Top-Information-Security-Threats-for-the-Next-Two-Years.html#slide7