Wednesday, December 19, 2012

Final Grade

The problem I wrote about last time didn't appear to impact my grade, great!

Finished the semester with a 4.0. Whoo!

Monday, December 17, 2012

Winter break

Well, yesterday marked the end of my most recent semester. I was in charge of putting our paper through TurnItIn, reviewing the report, and submitting to our professor. It went terribly.

First, I ran the paper through TurnItIn and viewed the Similarity report. The web app was telling me the paper scored a 7% similar to its databases, but had nothing flagged in the paper. Commenting on it being weird to my wife, I downloaded the useless report and submitted the papers.

A few hours later, the rest of my team drew my attention back to the useless papers. Prompted by their concerns, I returned to TurnItIn and scanned around the app's interface. As it turns out, you can toggle off the report display so that it just shows what you submitted. Pointless, as I already have the file I submitted. So I toggled it on, downloaded the less useless report and submitted it again.

After a few more hours, the team contacted me concerned that my whole post was missing. Back to the website, attach the files again, and post.

Today, I got home from work and checked my email and the class page. (Note it is now after the submission deadline.) My attention is drawn, at prompting from my team, to the fact that TurnItIn claims a 3% match to www.uspto.gov. This claim is really bizarre, as we don't even have a reference for uspto.gov in our paper. Looking into it, the service is correct and we submitted a paper with two paragraphs ripped nearly word for word from this paper by the United States Patent and Trademark Office. Ridiculous.

In an attempt to save the team from my mistake, I have submitted the following amendment to my Self and Peer Evaluation concerning the paper to the professor.

I need to amend my evaluation.

There are two paragraphs that made it to the submitted TEAMNAME paper which are pulled almost verbatim from http://www.uspto.gov/about/vendor_info/current_acquisitions/sdi_ng/ocio_6016_10q.pdf without citation and without even a reference to www.uspto.gov.

I had felt I was being harsh on TEAMMATE0 in what I turned in, but it was too light.

He did not attend the work planning, threw together a quick, plagiarized section which required significant maintenance to even look passable, and withdrew his support from any of the post-drafting collaboration.

That said, I was the one who ran the paper through turnitin. I did not catch the two paragraphs in time. TEAMMATE1, TEAMMATE2, and TEAMMATE3 attended the planning, communicated often, and carried out their assigned portions of the work. The failure to prevent the plagiarized paragraphs from making it to submission was on me. My first paper had a 10% score overall, and 9% to SCHOOL papers that I never had seen, so it made me lose any faith I had in the turnitin system, so I didn't delve into what the 7% score was. I didn't trust the scanner, so all I concerned myself with was making sure that the paper didn't hit the 15% threshold.

The majority of the TEAMNAME group performed their responsibilities to satisfaction and deserve to have their grade based on the merit of the writing. The blame for the Internet and User Furnished Device Policy sections falls to TEAMMATE0 for submitting it as his section and to me for not catching it during my review.

Thank you for taking the time to read this,

Matthew Molyett

Wednesday, December 12, 2012

Finals week

Well, this week is the team project that makes up our final. Hopefully it goes well. My big concern about it is to remember that I need to focus on the human aspects of cybersecurity; I tend to think in more technical terms.

Monday, December 10, 2012

Customer tracking and computer newbies

Topic - Are non-literate internet users at a higher risk for experiencing identity theft, or is everyone now equally vulnerable – support your opinion. Explain specifically how end-user tracking and recording technologies may either increase or reduce cybersecurity risks for non-literate users when using the Internet, or when shopping at a brick and mortar establishment.

Yes, non-literate internet users are at a distinctly higher risk of identity theft. Lacking knowledge about how the internet works results in users missing clues that can protect them. Clues that protect knowledgeable users:

  • http:// vs https://: encrypted traffic hides your data from passive snooping.
  • Verified sites and certificates. Browsers identify sites which have gone the extra step to prove their ownership to the certificate authorities. This protects https://www.bankofamerica.com/ customers from accidentally logging in to https://www.bankotamerica.com/. This style of URL transform is especially challenging to detect (Kumaraguru et al., 2010).
  • Spoofed email headers, which can give away that the customerservice@bankofamerica.com email you just received is fake, so you should not click its link to https://www.bankotamerica.com.
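The clues above (plain http, lookalike domains such as bankotamerica.com, and a sender address that does not belong to the bank) can be checked mechanically. The following Python is an added example, not code from the original post; the trusted-domain allow-list and the edit-distance threshold are assumptions, and the sender check is a deliberately simplified version of header inspection that looks only at the From address's domain.

```python
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed allow-list (assumption): the domains this user actually banks with.
TRUSTED_DOMAINS = {"www.bankofamerica.com", "bankofamerica.com"}


def levenshtein(a, b):
    """Edit distance between two strings; small distances between a host and a
    trusted domain are the signature of a lookalike (bankotamerica vs bankofamerica)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_url(url, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return a list of warning strings for a URL; an empty list means no clue fired."""
    warnings = []
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        warnings.append("not https: data is exposed to passive snooping")
    if host in trusted:
        return warnings
    # A host that is *almost* a trusted domain is more suspicious than an unrelated one.
    for good in sorted(trusted):
        distance = levenshtein(host, good)
        if 0 < distance <= max_distance:
            warnings.append(f"lookalike of trusted domain {good} (edit distance {distance})")
            break
    return warnings


def assess_sender(from_header, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Apply the same domain check to the address in an email From header.
    Simplification (assumption): only the address domain is examined, not the full header chain."""
    _name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return assess_url("https://" + domain, trusted, max_distance)


if __name__ == "__main__":
    for sample in ["https://www.bankofamerica.com/", "https://www.bankotamerica.com/",
                   "http://www.bankofamerica.com/"]:
        print(sample, assess_url(sample))
    print(assess_sender("Customer Service <customerservice@bankotamerica.com>"))
```

The allow-list approach is what a knowledgeable user does in their head: they compare the host they see against the one they expect. Encoding it makes the comparison available to the non-literate user the post is concerned with.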

Customer tracking and recording can significantly decrease the cybersecurity risk for non-literate users. The login patterns of a victim of phishing, or other account theft, will show a sudden change. The damage of a compromise is greatly decreased if the tracking company recognizes the change and freezes the account.
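The "sudden change in login patterns" that a tracking service can act on is easy to show concretely. This Python is an added example, not part of the original post: it builds a per-account baseline from the first few logins (location, device, usual hours), scores each later login against that baseline, and freezes the account once a login scores past a threshold. The login records, scoring weights, baseline size and threshold are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed login records (assumption): (account, ISO timestamp, location, device).
# The last two rows model an attacker using credentials obtained by phishing.
LOGINS = [
    ("alice", "2012-11-01T08:10:00", "Columbus,US", "win7-firefox"),
    ("alice", "2012-11-03T19:42:00", "Columbus,US", "win7-firefox"),
    ("alice", "2012-11-07T08:05:00", "Columbus,US", "android-chrome"),
    ("alice", "2012-11-12T07:55:00", "Columbus,US", "win7-firefox"),
    ("alice", "2012-11-14T08:00:00", "Columbus,US", "ipad-safari"),   # new device only
    ("alice", "2012-11-15T03:20:00", "Kiev,UA", "linux-curl"),        # after phishing
    ("alice", "2012-11-15T03:25:00", "Kiev,UA", "linux-curl"),
]


def build_profiles(logins, baseline_count=4):
    """Summarise each account's first `baseline_count` logins as its normal behaviour."""
    per_account = defaultdict(list)
    for acct, ts, loc, dev in logins:
        per_account[acct].append((ts, loc, dev))
    profiles = {}
    for acct, rows in per_account.items():
        base = rows[:baseline_count]
        profiles[acct] = {
            "locations": {loc for _, loc, _ in base},
            "devices": {dev for _, _, dev in base},
            "hours": {datetime.fromisoformat(ts).hour for ts, _, _ in base},
        }
    return profiles


def score_login(profile, ts, loc, dev):
    """Weighted deviation from the profile; weights are assumptions, not a standard."""
    score, reasons = 0, []
    if loc not in profile["locations"]:
        score += 2
        reasons.append("new location")
    if dev not in profile["devices"]:
        score += 1
        reasons.append("new device")
    hour = datetime.fromisoformat(ts).hour
    # Simplification: hour distance does not wrap around midnight.
    if all(abs(hour - h) > 3 for h in profile["hours"]):
        score += 1
        reasons.append("unusual hour")
    return score, reasons


def review(logins, baseline_count=4, freeze_threshold=3):
    """Replay logins in order; return (alerts, frozen_accounts)."""
    profiles = build_profiles(logins, baseline_count)
    seen = defaultdict(int)
    frozen, alerts = set(), []
    for acct, ts, loc, dev in logins:
        seen[acct] += 1
        if seen[acct] <= baseline_count:
            continue  # baseline rows are what we learned from, not what we judge
        score, reasons = score_login(profiles[acct], ts, loc, dev)
        if score >= freeze_threshold:
            frozen.add(acct)
            alerts.append((acct, ts, reasons))
    return alerts, frozen


if __name__ == "__main__":
    alerts, frozen = review(LOGINS)
    for alert in alerts:
        print("ALERT", alert)
    print("frozen:", frozen)
```

A single new device (the iPad login) stays below the threshold, while a login from a new country, on a new device, at an unusual hour trips it; that combination is the pattern change the post describes.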

Nguyen & Hayes (2010) write that customers have greatly different views about tracking and recording depending on which technology is in use. Web services tend to rate as a much higher concern than technologies such as electronic toll collection. I find this a bit odd, personally. Electronic tolls place you physically somewhere, which is information that can be used to commit real, dangerous crime against you.

Slightly off-topic, but loyalty cards can pose a significant physical security risk. If you registered your address with your card and always use it at the local shop, then using the card elsewhere lets your movements be tracked. Specifically, if you use the card two states away, that is a good indicator that the house at that address is probably empty.


Kumaraguru, P., Sheng, S., Acquisti, A., Cranor, L. F., & Hong, J. (2010). Teaching Johnny not to fall for phish. ACM Transactions on Internet Technology (TOIT), 10(2), 7.

Nguyen, D. H., & Hayes, G. R. (2010). Information privacy in institutional and end-user tracking and recording technologies. Personal and Ubiquitous Computing, 14(1), 53-72.

Sunday, December 9, 2012

Sacrificing privacy for... ugh

Topic - To what degree should US citizens and non US citizens have to give up privacy in the name of national security? Should US citizens be treated differently than non-US citizens? What factors, if any, influence this decision, tipping the scale to allow for less privacy in favor of national security?

Right off the bat, I would like to point out how incredibly subjective this topic is. The balance of personal liberty, especially privacy, versus state security is a constantly debated point in academic circles, political circles, and policy discussions.

What is privacy anyway? If we cannot define it, how can we discuss giving it up? If CNN were to run a story showing the outside of a house, with pictures, and revealing the full name and address pulled from the white pages, some people would call it an invasion of privacy. Pranevičienė (2011) reported numerous definitions of privacy:

  • "Privacy is not simply an absence of information about us in the minds of others, rather it is the control we have over information about ourselves"
  • "Privacy is the claim of individuals, groups, or institutions to determine for themselves when, how and to what extent information about them is communicated to others"
  • "Privacy is a sweeping concept, encompassing (among other things) freedom of thought, control over one's body, solitude in one's home, control over personal information, freedom from surveillance, protection of one's reputation and protection from searches and interrogations"

Given such sweeping definitions, basically anyone learning anything about you from anyone could be a violation of privacy. Such privacy is not defensible for citizens or non-citizens.

Concerning the easier-to-define privacy, the contents of our communications, the focus needs to be refined to the actionability of privacy violations. Privacy of communications with regard to law enforcement action is absolutely vital, and cannot be sacrificed for security. Citizens and non-citizens alike need freedom from every word they say or write becoming potential evidence or circumstantial evidence.

Nonactionable privacy violations have no need to be protected against. People do not fear their pointless chit-chat being overheard in malls, precisely because the intercepted information is nonactionable. If collection for intelligence purposes were strictly nonactionable with regard to the target, then privacy would not need to be balanced against national security. The overlap of, or at least the fear of, actionable law enforcement intercept with intelligence generation is what necessitates the balance.


Pranevičienė, B. (2011). Limiting of the right to privacy in the context of protection of national security. Jurisprudencija, 18(4), 1609-1622.

Saturday, December 8, 2012

Anonymity and assisting society

Topic - Determine the extent that anonymity has helped better society, industry, and individuals. Does the malicious use of anonymity outweigh the positive benefits it provides?

Anonymity benefits society by easing the burden of charitable giving. Often, once a donation is made to a charity or similar organization, that entity will continue to regularly solicit donations. I encountered this just after college. A small donation, via check, to St. Jude's Children's Hospital and I was receiving regular solicitation requests for years. By donating behind the screen of anonymity, generous patrons can give without regard for future communications. Kabay, Salveggio, and Guess (2008) write that a rabbi from the 1300s, Maimonides, placed the label of second highest level of charity on giving anonymously to anonymous recipients.

The ability to perform acts of good, such as charitable giving, without ramifications unfortunately extends to acts of malice. The right to the privacy of one's behavior must be weighed against the right of others to be free from annoyance and danger. The impunity that one gains by anonymity enables great wrongs, and so "traceable anonymity" (Kabay, Salveggio, & Guess, 2008, pp. 70-9) provides a good balance. It allows us to gain the privacy benefits of anonymity, but provides society a safeguard against overly malicious behavior; though only if the traceability is limited and guarded itself. An ISP that will turn over account information when presented with a valid court order (and only to a court order) provides reasonable traceable anonymity.


Kabay, M. E., Salveggio, E., & Guess, R. (2008) Anonymity and Identity in Cyberspace. In Bosworth, et al (Eds.), Computer security handbook. New York, NY: John Wiley & Sons.

1000 Reasons to keep writing

I went to check the activity on my blog and had 999 pageviews. My wife: "Hold on..."

Whoo! 1000 pageviews. I have noticed that my recognition of dangerous computer security practices has increased since starting this program. Hopefully the blog is helping those readers with their security.

I'll write more in-depth soon about how I've noticed my own perceptions changing.

Wednesday, December 5, 2012

Pushing out the paper

Short post today because the week is really busy. I am in week 11 of 12 for my current class, so crunch time is starting.

As promised, here is the full paper Preventing Damage by Preventing Grade System Intrusions, although it is later than I meant to publish it. Out of every grade I have received during my Masters so far, this paper has scored the best. Hopefully it gives you something to think about.

Cheerio!

Monday, December 3, 2012

Preventing Damage by Preventing Grade System Intrusions: Conclusion

Educational institutes such as colleges and schools have understandable reasons to desire use of electronic grading records. Such systems must be recognized for the dangers they pose as lucrative targets for hackers, crackers, and cheaters. The impact from unauthorized intrusions can be significant for the future of the students, even those whose records are not modified, as shown by Tyler Coyner graduating salutatorian. Coyner’s data manipulation stripped another student of their rightful honor as salutatorian (McMillan, 2011).

Defensive efforts must address both the attack vectors utilized by intruders and the motivation driving the attack. Whenever possible, it is best to recognize the situations that may lead to an attack and defuse them in advance.


McMillan. (March 4, 2011). Top Student Charged With Fixing Grades for Cash. PCWorld. Retrieved from: http://www.pcworld.com/article/221442/studentcharged.html

Preventing Damage by Preventing Grade System Intrusions: Attacker Vectors

Social Engineering

Non-technical theft of account information is a people problem and can be solved through policy and enforcement of said policy. Back in the first case study it was discussed that the attacker was alleged to have used the same account information numerous times, 110 times to be exact (Lupkin, 2012), over the course of two years. Such a situation cannot happen if passwords do not stay valid for that long. If the superintendent had updated her password every three months, then the attacker would have quickly lost access.
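The effect of a rotation policy on a stolen credential can be shown by replaying the case described above (one captured password, reused for two years) against different expiry periods. This Python is an added example, not code from the paper; the capture date, the rotation schedule and the weekly attacker login dates are constructed assumptions, and the model assumes a rotation invalidates the captured password immediately.

```python
from datetime import date, timedelta

# Constructed scenario (assumption): a password captured on 2010-09-01 and
# reused weekly for 110 logins, matching the count reported in the case study.
STOLEN_ON = date(2010, 9, 1)
ATTACKER_LOGINS = [STOLEN_ON + timedelta(days=7 * i) for i in range(1, 111)]
# Assumed anchor for the rotation schedule: rotations fall every `period` days after this date.
ROTATION_EPOCH = date(2010, 8, 15)


def rotations_between(start, end, period_days, epoch=ROTATION_EPOCH):
    """Number of scheduled rotations strictly after `start` and on or before `end`."""
    first_after_start = (start - epoch).days // period_days + 1
    last_by_end = (end - epoch).days // period_days
    return max(0, last_by_end - first_after_start + 1)


def simulate(stolen_on, attacker_logins, period_days):
    """Return (successful_logins, blocked_logins) for a stolen password under
    a rotation policy of `period_days`; None models a policy with no expiry."""
    succeeded = blocked = 0
    for when in attacker_logins:
        if period_days is None or rotations_between(stolen_on, when, period_days) == 0:
            succeeded += 1
        else:
            blocked += 1
    return succeeded, blocked


if __name__ == "__main__":
    for policy in (None, 365, 90, 30):
        ok, denied = simulate(STOLEN_ON, ATTACKER_LOGINS, policy)
        print(f"rotation every {policy} days: {ok} logins succeed, {denied} blocked")
```

With no expiry all 110 logins succeed; with a 90-day policy the captured password works only until the next scheduled rotation, which in this constructed timeline is ten weekly logins. The point is not the exact number but that the window of exposure is bounded by the policy instead of by the attacker's patience.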

Another policy that can prevent such account compromises is strict rules on how to protect account information. Since Lupkin (2012) did not mention any technical tactics used, it is likely that Venusto received the account information in a more direct way, such as the victim having the data written down at her computer or even having handed over the account for some reason. It can be convenient for an upper official to give their information to a secretary, say to schedule meetings, but that should always be considered a critical security violation.

Attack Vector: Malware Infection

Edwin Kim collected his required account information via a software keylogger that he had installed on a shared workstation (Gibbons, 2012). Security policies which required and enforced the principle of least privilege would have prevented this compromise. A common user, as an average student should be at a university, will not have the privilege to install software which runs outside of their own session. Any changes which can impact the running environment of other users should require an administrator to perform. Additionally, high value targets such as professors should avoid sharing hardware with students. A student that exchanges the expected keyboard with a ‘value-added’ look-alike can then log their keystrokes even without installation privileges.

Attack Vector: Physical Security

Palos Verdes High School’s intrusion was the result of poor physical security. Defense in depth should have prevented access. Altman (2012) makes no mention of how the teens entered the grounds or the building, so one has to assume that those steps were fairly trivial. Both should have been secured and surveilled with either recording devices or human guards. Once inside, the intruders collected a master key after picking the lock on the janitors’ office. An object of such value as the master key should not be available just behind a lock that the key itself can open. Clearly, the protections on the key were significantly lacking.


Altman, L. (January 26, 2012). 3 Palos Verdes High students arrested in grade-tampering plot. DailyBreeze.com. Retrieved from: http://www.dailybreeze.com/latestnews/ci_19829634

Gibbons, M. (February 8, 2012). Bucks college student fails in attempt at an easy A. phillyBurbs.com Retrieved from: http://www.phillyburbs.com/news/crime/bucks-college-student-fails-in-attempt-at-an-easy-a/article_175726b7-b2c5-56ce-93ab-bbfb6abddcc4.html

Lupkin, S. (July 19, 2012). Mom Arrested For Hacking School Computers to Change Kids' Grades. abc News. Retrieved from: http://abcnews.go.com/US/mom-charged-hacking-school-computers-change-childrens-grades/story?id=16812838#.UKhiZoevuIM

Thursday, November 29, 2012

Preventing Damage by Preventing Grade System Intrusions: Attacker Motivation

the Hack

Intruders that are operating under just pure hacker motivations are the bored, the curious, and those searching for a challenge. Education institutes are uniquely qualified for defusing these intruders, as intellectual challenge and stimulation is the purpose of such bodies. This point is captured explicitly in the mission statement of Harvard University: education “...should liberate students to explore, to create, to challenge...” (Lewis, 1997). Boredom, curiosity, and lack of challenge can all be directly addressed through adjustments to curriculum and individualized development plans.

the Grades

Cheater intruders can be defused by recognizing that the core of what they are doing is not actually changing their grades; they are instead taking control of their grades and future. These intruders can probably be successfully profiled under the hacker motivation of desiring power (Campbell & Kennedy, 2010). For whatever reason, they find themselves without the power to shape their situation through the legitimate channels. Ways to place students in control of their situation and convince them to downplay the grade itself include engaging them and their interests, challenging them appropriately, empowering them with a voice in directing what they learn, and recognizing their effort and competence (Stephens & Wangaard, nd).

the Money

There is no magic bullet to help reduce this motivation. These attackers are driven by straight criminal mindsets and desires. The solution here is to just address the technical issues to close the attack vectors. They will be back, the defenders just have to be persistent. If a psychological profile was to be considered covering these attackers, it would fall in line with the abnormal psychology of offline criminals (Campbell & Kennedy, 2010). Money as a motivator drives the attacker to get more money.


Campbell, Q., & Kennedy, D.M. (2009). The psychology of computer criminals. In Bosworth, et al (Eds.), Computer security handbook. New York, NY: John Wiley & Sons.

Lewis, H. R. (February 23, 1997). What is Harvard’s mission statement? Harvard University. Retrieved from: http://www.harvard.edu/faqs/mission-statement/

Stephens, J. M., & Wangaard, D. B., (nd). Teaching for integrity: Steps to prevent cheating in your classroom. The School for Ethical Education. Retrieved from: http://www.ethicsed.org/programs/integrity-works/pdf/teachingforintegrity.pdf

Tuesday, November 27, 2012

Selling their skills

Teenage crackers are known to be involved in for-profit modification of electronic grade books (McMillan, 2011). McMillan describes Tyler Coyner, a student that inflated his GPA to 4.54 while also selling grade increases to his peers. Until he was arrested, Coyner spent two semesters performing attacks on the grade records in exchange for cash. He even graduated salutatorian based on his manipulations (McMillan, 2011).

Financial gain as a cyber crime motivator is not rare, although the monetization is usually achieved through other means. Attackers often harvest directly monetizable data such as credit card information and online banking credentials. Another method is extortion, or protection money, where a botnet operator threatens a distributed denial of service attack unless the victim pays the extortion cost (Dittrich & Himma, 2006). Extremely rare, relative to other financial cybercrimes, are mercenary attacks, like the kind Coyner was selling (McMillan, 2011).


Dittrich, D., & Himma, K. E. (2006). Hackers, Crackers, and Computer Criminals. Bidgoli, Hossein: Handbook of information security-Information warfare; social, legal and international issues, 154-171.

McMillan. (March 4, 2011). Top Student Charged With Fixing Grades for Cash. PCWorld. Retrieved from: http://www.pcworld.com/article/221442/studentcharged.html

Saturday, November 24, 2012

Preventing Damage by Preventing Grade System Intrusions: Case Studies

Case Study: Northwestern Lehigh School District

Catherine Venusto allegedly manipulated the grade records of both her daughter and son while they attended Northwestern Lehigh School District. In 2010, while employed as an administrative office secretary, Venusto allegedly replaced a failing grade with a medical M grade. Access to the online grade book was accomplished by masquerading with the stolen network credentials of the superintendent. After her employment had ended, Venusto allegedly continued to utilize the stolen credentials to modify the grade of her son in 2012. The accused modification of the son’s grade could have been prevented through periodic password expiration policies (Lupkin, 2012).

Case Study: Temple University

In a more technically savvy attack, college student Edwin Kim accessed the electronic grade book of Temple University. A keylogger was installed by Kim on a university computer in an administrative office to collect the credentials of professors that used the targeted system. Later, the keylogger was removed and cleaned up by Kim, who was then left in possession of his professors’ account information. Kim’s modifications were caught when his professors noticed the discrepancies caused by his changes. Kim himself was caught because the grade system logs were used to trace his connection sessions back to his workplace and home (Gibbons, 2012).
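Tracing grade changes back to connection sessions, as the Temple University case describes, is a join between two logs. This Python is an added example, not code from the paper or from any real grade system: it attributes each change in a constructed grade-change audit log to the session that made it, recovers the source IP, checks that the change actually falls inside the session window, and separates changes made from outside the assumed campus address range. All records, names, addresses and the campus network are constructed.

```python
import ipaddress
from datetime import datetime

# Constructed session log (assumption): who logged in, from where, and when.
SESSIONS = [
    {"sid": "s1", "user": "prof_lee", "src_ip": "10.20.0.5",
     "start": "2012-01-10T09:00:00", "end": "2012-01-10T10:00:00"},
    {"sid": "s2", "user": "prof_lee", "src_ip": "203.0.113.77",
     "start": "2012-01-12T23:10:00", "end": "2012-01-12T23:40:00"},
    {"sid": "s3", "user": "prof_lee", "src_ip": "198.51.100.9",
     "start": "2012-01-15T02:05:00", "end": "2012-01-15T02:20:00"},
]

# Constructed grade-change audit log (assumption): each change carries the session id.
CHANGES = [
    {"ts": "2012-01-10T09:30:00", "sid": "s1", "student": "S100", "old": "B", "new": "B+"},
    {"ts": "2012-01-12T23:15:00", "sid": "s2", "student": "S042", "old": "D", "new": "A"},
    {"ts": "2012-01-15T02:10:00", "sid": "s3", "student": "S042", "old": "C", "new": "A"},
    {"ts": "2012-01-16T11:00:00", "sid": "s9", "student": "S077", "old": "C", "new": "C"},  # no session
]

# Assumed campus address space; anything else is "off campus".
CAMPUS_NETS = [ipaddress.ip_network("10.20.0.0/16")]


def attribute_changes(changes, sessions):
    """Join each change to its session; record source IP and whether the
    timestamp is inside the session window (a missing or mismatched session is itself a finding)."""
    by_sid = {s["sid"]: s for s in sessions}
    attributed = []
    for change in changes:
        session = by_sid.get(change["sid"])
        if session is None:
            attributed.append({**change, "user": None, "src_ip": None, "in_session": False})
            continue
        when = datetime.fromisoformat(change["ts"])
        inside = (datetime.fromisoformat(session["start"]) <= when
                  <= datetime.fromisoformat(session["end"]))
        attributed.append({**change, "user": session["user"],
                           "src_ip": session["src_ip"], "in_session": inside})
    return attributed


def off_campus_changes(attributed, campus_nets=CAMPUS_NETS):
    """Changes whose session came from an address outside every campus network."""
    def on_campus(ip):
        return ip is not None and any(ipaddress.ip_address(ip) in net for net in campus_nets)
    return [c for c in attributed if not on_campus(c["src_ip"])]


def sources_for_student(attributed, student):
    """Set of source IPs behind every change to one student's record."""
    return {c["src_ip"] for c in attributed if c["student"] == student and c["src_ip"]}


if __name__ == "__main__":
    rows = attribute_changes(CHANGES, SESSIONS)
    for row in off_campus_changes(rows):
        print("off-campus change:", row)
    print("sources for S042:", sources_for_student(rows, "S042"))
```

The two off-campus addresses behind the changes to S042 are the kind of lead the logs gave investigators in the case: the grade system did not need to know who Kim was, only where the sessions came from.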

Case Study: Palos Verdes High School

Rounding out the vulnerabilities to be addressed, Palos Verdes High School fell victim to a three-student team which targeted physical security as their main vulnerability. The teenagers, unnamed by Altman (2012), broke into the school under cover of night to steal tests and install hardware keyloggers on their teachers’ machines. During subsequent break-ins, the keyloggers were collected and analyzed to extract their teachers’ credentials. This information was used to access the grading system and boost the intruders’ grades (Altman, 2012).


Altman, L. (January 26, 2012). 3 Palos Verdes High students arrested in grade-tampering plot. DailyBreeze.com. Retrieved from: http://www.dailybreeze.com/latestnews/ci_19829634

Gibbons, M. (February 8, 2012). Bucks college student fails in attempt at an easy A. phillyBurbs.com Retrieved from: http://www.phillyburbs.com/news/crime/bucks-college-student-fails-in-attempt-at-an-easy-a/article_175726b7-b2c5-56ce-93ab-bbfb6abddcc4.html

Lupkin, S. (July 19, 2012). Mom Arrested For Hacking School Computers to Change Kids' Grades. abc News. Retrieved from: http://abcnews.go.com/US/mom-charged-hacking-school-computers-change-childrens-grades/story?id=16812838#.UKhiZoevuIM

Monday, November 19, 2012

Preventing Damage by Preventing Grade System Intrusions: Introduction

Grades are important, and so manipulating grades is valuable. Manual management of the recording, computing, weighting, and totaling of an individual student's grades, not to mention an entire course and even an entire semester, is extremely tedious and error prone (Migliorino & Maiden, 2004). Automated grade management systems relieve educators from many of these burdens and can even provide easy access anywhere through powerful web applications (Thinkwave, 2012). Problems arise when the electronic grade book falls prey to unauthorized access or, worse, modification.

Being stored electronically on a network leaves the grades subject to remote manipulation. Those manipulable grades become a target to challenge hackers, to tempt cheaters, and to profit crackers. Controlling and shaping the rankings of a class of students feeds directly into the desire for power that is a commonly self-reported motivation of hackers (Campbell & Kennedy, 2010). Cheaters gain direct academic boosts by inflating their own grades, as is covered in the case studies below. Grade manipulation is a marketable good, as crackers can be paid to modify the customer’s or a third party’s records.


Campbell, Q., & Kennedy, D.M. (2009). The psychology of computer criminals. In Bosworth, et al (Eds.), Computer security handbook. New York, NY: John Wiley & Sons.

Migliorino, N. J., & Maiden, J. (2004). Educator Attitudes Toward Electronic Grading Software. Journal Of Research On Technology In Education, 36(3), 193-212.

Thinkwave. (2012). Free Online Gradebook. Retrieved from: http://www.thinkwave.com/educator.html

Preventing Damage by Preventing Grade System Intrusions: Actors

Simplistically, those who would access, without authorization, a grade management system could be labeled as hackers or crackers. These two groups, according to Dittrich and Himma (2006), are computer users who engage in unauthorized system accesses; though they are differentiated by motivation. Where hackers are driven by arguably noble or ethically neutral purposes, crackers are driven by malice or profit. Describing possible manipulators in the introduction, the author separated out a subset of crackers as cheaters. This paper will be discussing crackers as intruders driven by malice or financial profit and cheaters as driven by academic profit.

When the target is an education institution’s grading system, the pool of potential hackers, crackers, and cheaters draws primarily from stakeholders relating to the grades stored in the specific target system. (Altman, 2012; Borja, 2006; Gibbons, 2012; Lupkin, 2012) Stakeholders are not limited to the grade-holding students but also can include relatives or contracted third parties.


Altman, L. (January 26, 2012). 3 Palos Verdes High students arrested in grade-tampering plot. DailyBreeze.com. Retrieved from: http://www.dailybreeze.com/latestnews/ci_19829634

Borja, R. R. (2006). Cyber-Security Concerns Mount as Student Hacking Hits Schools: Districts Straining to Safeguard Online Networks. Education Week, 25(19), 1.

Dittrich, D., & Himma, K. E. (2006). Hackers, Crackers, and Computer Criminals. Bidgoli, Hossein: Handbook of information security-Information warfare; social, legal and international issues, 154-171.

Gibbons, M. (February 8, 2012). Bucks college student fails in attempt at an easy A. phillyBurbs.com Retrieved from: http://www.phillyburbs.com/news/crime/bucks-college-student-fails-in-attempt-at-an-easy-a/article_175726b7-b2c5-56ce-93ab-bbfb6abddcc4.html

Lupkin, S. (July 19, 2012). Mom Arrested For Hacking School Computers to Change Kids' Grades. abc News. Retrieved from: http://abcnews.go.com/US/mom-charged-hacking-school-computers-change-childrens-grades/story?id=16812838#.UKhiZoevuIM

Intruding because they can

Curiosity, intellectual challenge, boredom; these are factors that motivate exceptional technical minds to delve into the ethically grey area of non-malicious cyber intrusions (Dittrich & Himma, 2006). Those exceptional minds tend to fall into the category of gifted students for whom schools have difficulty providing appropriate challenges (Gallagher & And, 1997). Stemming from the difficulty of challenging these students is that they, according to Gallagher and And (1997), perceive their courses to be “a crushing bore.”

Combining all three elements, brilliant minds, boredom, and a ready-made challenge to puzzle out, provides an ideal situation for student hackers to target the grading system. Behind that technical wall is a collection of information pertaining to their peers, which has the ability to appeal to the bored student’s non-technical curiosity. Just like cyber convict Adrian Lamo attributing his corporate network jaunts to looking for relief from boredom, the students may try to just look around the grade system (Dittrich & Himma, 2006).


Dittrich, D., & Himma, K. E. (2006). Hackers, Crackers, and Computer Criminals. Bidgoli, Hossein: Handbook of information security-Information warfare; social, legal and international issues, 154-171.

Gallagher, J., & And, O. (1997). Challenge or Boredom? Gifted Students' Views on Their Schooling. Roeper Review, 19(3), 132-36.

Just Trying to Get Ahead

Secondary and collegiate schools both have had issues with electronic grade book modifications. The above described cheaters are the intruders which target the systems for academic advancement. Grades to be modified can be their own or their rivals’, but the end goal is improvement of their relative standing. Additionally, there are instances of relatives who accessed and modified recorded grades to the benefit of the student whose grades were targeted (Lupkin, 2012).

Cheaters’ motivation to modify, or to have modified, their grades stems from the importance placed on those values and the impact which they have on the participants’ future. Moore (2006) writes about the weight that high school grade point average (GPA) has on admissions decisions for incoming college freshmen. Thus, by inflating their GPA, cheaters are able to qualify for more desirable post-high school opportunities. Moore (2006) also addresses the fact that GPA admission requirements do not always go away in college, as professional colleges often have GPA standards that must be met to enroll in junior- and senior-level courses.


Lupkin, S. (July 19, 2012). Mom Arrested For Hacking School Computers to Change Kids' Grades. abc News. Retrieved from: http://abcnews.go.com/US/mom-charged-hacking-school-computers-change-childrens-grades/story?id=16812838#.UKhiZoevuIM

Moore, W. K. (2006). Advising Students about Required Grade-Point Averages. NACADA Journal, 26(2), 39-47

Preventing Damage by Preventing Grade System Intrusions: Defense

Successful defense against grade book intrusions requires identification of both the motivation of the attackers and the attack vector utilized. Addressing only the motivation leaves the exploited vulnerability in place for future attackers, whereas addressing only the vulnerability means that the mind which worked out the known attack is just going to keep looking for other ways in.

Sunday, November 18, 2012

Exploring students and cybercrime

I'm working on a paper about a general target of cybercrime and delving into who the actors may be and what their intentions are.

The assignment gives some interesting targets and attacker goals; for instance maybe attacking a defense organization for launch codes or attacking a hospital for medical records. Am I writing about one of these? Nope, I'm going with attacking a school to get access to the grading system.

With that in mind, here is a video of what happens to students getting caught having done just that...

Credit: Nick videos

Saturday, November 17, 2012

Cyber crime profiling

Topic – While psychological profiling of criminals is not a new field, should we attempt to profile cyber criminals? What sort of things do we already know about the personalities of cyber criminals? Do we have enough evidence to indicate there is a distinct psychological pattern that would help in the apprehension of cyber criminals?

Psychological profiling is a lot like static malware detection. Researchers correlate observable behaviors of known criminals to the underlying motivations and other observable traits. The signatures and heuristics derived from that research are then applied to unknown persons to determine the likelihood of their being a future criminal of the same pattern which was researched. If both the false positive and false negative rates can be kept low, application of the profile keeps society safer, just as successful anti-malware scanning keeps a computer safer. Attempts should definitely be made to incorporate profiling into the handling of cyber criminals.
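The malware-scanner analogy can be carried one step further with numbers. The following Python is an added example, not part of the original post: it takes a profile's (or scanner's) true positive rate and false positive rate together with the base rate of the pattern in the population being screened, and computes what fraction of the people (or files) flagged actually match. The rates and base rates used are constructed, not measured values.

```python
def flagged_breakdown(population, base_rate, true_positive_rate, false_positive_rate):
    """Expected counts in a screened population: (true_hits, false_alarms, missed).
    base_rate is the fraction of the population that genuinely fits the pattern."""
    matching = population * base_rate
    non_matching = population - matching
    true_hits = matching * true_positive_rate
    false_alarms = non_matching * false_positive_rate
    missed = matching * (1.0 - true_positive_rate)
    return true_hits, false_alarms, missed


def positive_predictive_value(base_rate, true_positive_rate, false_positive_rate):
    """Probability that someone the profile flags actually fits the pattern (Bayes' rule)."""
    hits = base_rate * true_positive_rate
    alarms = (1.0 - base_rate) * false_positive_rate
    return hits / (hits + alarms)


if __name__ == "__main__":
    # Constructed scanner-like rates: 95% detection, 1% false alarms.
    tpr, fpr = 0.95, 0.01
    for base_rate in (0.5, 0.05, 0.001):
        ppv = positive_predictive_value(base_rate, tpr, fpr)
        hits, alarms, missed = flagged_breakdown(100_000, base_rate, tpr, fpr)
        print(f"base rate {base_rate:>6}: {ppv:.1%} of flagged match; "
              f"per 100k screened: {hits:.0f} hits, {alarms:.0f} false alarms, {missed:.0f} missed")
```

With the same 95%/1% rates, a profile applied to a population where half the people fit the pattern is right about 99% of the time it flags someone, while applied to a general population where one in a thousand fits, under 9% of the flagged people match. "Low" false positive and false negative rates are therefore only half the story; the population the profile is run against is the other half, for anti-malware heuristics and criminal profiles alike.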

When studying the personalities of cyber criminals, we should avoid using the definition that Campbell and Kennedy attribute to the National Institute of Justice: anyone that utilizes any cyber technology when planning or executing their crime (Campbell & Kennedy, 2009). A criminal that merely utilizes a computer to commit their crime will have the same motivations as someone committing the same crime decades ago. The profile of a cyber criminal needs to be limited to those “individuals for whom the computer represents an alternative way of life apart from social norms” (Campbell & Kennedy, 2009, pp. 12-2).

Those computer-dedicated criminals are known, through various types of after-the-crime self-reporting, to share a set of six motivators: addiction, boredom, curiosity, politics, power, and recognition. Through psychological behavioral research applied to cyber criminals, we can also attribute enabling factors which the criminals themselves may not be consciously aware of: aggression, anonymity, and social distance. (Campbell & Kennedy, 2009)

The writings of Campbell and Kennedy suggest that there is currently a great deal of evidence to support the use of cyber criminal profiling in the reduction of criminal acts. By recognizing the conscious motivations and the unconscious enablers, they can be addressed such that the computer obsession is not turned to crime. The reform of significant historical cyber criminals supports this. Identifying persons matching the patterns whose concerns have not been addressed will assist in the selection of suspects, so yes, the pattern should assist in the apprehension of cyber criminals.


Campbell, Q., & Kennedy, D.M. (2009). The psychology of computer criminals. In Bosworth, et al (Eds.), Computer security handbook. New York, NY: John Wiley & Sons.

Friday, November 16, 2012

Computer addiction and cybercrime

Topic - Some mental health and criminal justice professionals contend that hacking is an "addiction," and causes obsessive, risk taking behavior in a manner similar to illegal narcotics - hackers hack to "get high" from the thrill of breaking into a system and getting away with it. Should policymakers look towards treatment, rather than incarceration, as the disposition of hacker cases? Why or why not?

Just as chemical addicts develop a tolerance and require a stronger drug to get their high, cybercriminals exhibit a similar pattern in the evolution of their habit. Many beginners start with attacking DRM and pirating, but then start to escalate. (Campbell & Kennedy, 2009)

Successful treatment is possible, as shown by “some reformed computer criminals … were able to focus their skills on practical endeavors instead of illicit undertakings” (Campbell & Kennedy, 2009, pp. 12-3). Such reform only occurred after being given significant responsibility, which provides the intellectual challenge and stimulation that previously was presented by the challenges of the illicit actions.

Not every criminal can be moved to a position that provides the requisite challenge. A significant reason for that is that security requires a great deal of trust. It is easy to see why someone would be hesitant to hire them for the tough, highly trusted position. If the job doesn’t actually provide enough stimulation, then you may have just hired the fox to provide security for your hen house.

Without the addict getting a safe way to get their fix, we are back to treatment versus incarceration. Taken from the philosophy declaration of the Addictions Rehabilitation Association, “It is important for each recovering addict to develop an understanding and insight into his or her addiction and make behavioral changes.” (ARA, 2010). Unlike chemical addicts, computer addicts have their whole life centered around their addiction. Those tech-savvy people will have gone into technical careers. Acknowledging and leaving the addiction means walking away from not just the addiction, but their job, their hobby, and their social circle. Realistically, it is not going to happen often enough to consider it a general solution.

Unfortunately, this leaves incarceration. Campbell and Kennedy discuss that the obsessive traits of computer addicts may actually be just keeping up with the rapidly changing nature of the technical landscape. (2010) Possibly, a long enough incarceration will put the addict far enough behind the technical curve that they can implement the lifestyle changes discussed above rather than get back into the field that no longer resembles what they left.


ARA (2010). Philosophy. Addictions Rehabilitation Association. Retrieved November 10, 2012 from http://www.a-rehab-a.org/philosophy

Campbell, Q., & Kennedy, D.M. (2009). The psychology of computer criminals. In Bosworth, et al (Eds.), Computer security handbook. New York, NY: John Wiley & Sons.

Thursday, November 15, 2012

Hacker motivation: Why I do what I do

Topic - What factors motivate hackers? What can organizations do to be more proactive in identifying and mitigating hacker threats?

Hackers are driven by a desire to discover, to tinker, and to be an expert. They don’t gain expertise or discover for the primary purpose of career advancement or money, but because they want to learn what there is to know. (Harvey, 1985)

During the Human Factors module we walked through the interviews with Claire and Dalen. Claire is a solid example of a hacker, lots of hobby projects, experimenting with a variety of tools. (UMUC, 2010)

The best way to combat the hacker threat is to embrace it. Closed systems, code, and protocols result in secrets which draw the curiosity of hackers. When the hackers can dive into code they find bugs and fix them, find interesting techniques and expand on them, and build complementary tools which make the original more valuable. When hackers are confronted with closed components they dive into the binaries to reverse engineer them, identify where functionality is impeded and free it. They reverse engineer the protocols and formats to create tools to replace the closed tool, like Open Office manipulating .doc files.


Harvey, B. (1985). What is a Hacker? University of California, Berkeley. Retrieved from http://www.cs.berkeley.edu/~bh/hacker.html

UMUC (2010). Human Factors. UMUC CSEC620 Module

Wednesday, November 14, 2012

Vulnerabilities To Be Addressed To Safely Utilize Online Social Networking: Account Safety

Passwords are usually the only thing unknown about social networking site credentials, and that makes them gold for those with malicious intent. In fact, according to Kim, site passwords along with the username have even been sold through illicit channels. Once the account’s credentials have been compromised, the new holder can harvest the owner’s posted information, any information that has been shared with the owner, and even impersonate the owner. Such impersonation can facilitate phishing attacks against the owner’s contacts, with messages made plausible by accessing the private information which the victims thought they had only shared with friends. (Kim, 2012)

Account compromise can result in devastating damage to all three facets of cybersecurity. All confidentiality is stripped away from unencrypted data when an unauthorized user accesses the account. If the account has modify access to posted data, then the intruder has the ability to damage the integrity of such data. Through password modification the attacker can even lock the owner out of their account, impacting the availability, as was reported to have happened twice to the interviewed user Brian. (Debatin et al, 2009, pp. 98)

Account compromise is a high-risk threat because of the extremely high amount of damage which can be inflicted upon a user, their social network, their data, their reputation, and other accounts that use the same credentials. Thankfully, the rate at which account credentials end up compromised is far less than the rate at which private data is exposed. Policies to prevent account compromise have to be broad enough to cover both the prevention of malware and the prevention of social engineering attacks. Users must be trained to avoid shady websites and not to download unauthorized software. They must have it ingrained to never share or reveal their account details, even to persons that seem like legitimate support personnel. Systems administrators need to keep the machines patched to prevent malware from gaining automatic exploit access to the machine.

Such policies and training can impose a significant burden on users. If the machines are not kept stocked with all the authorized tools needed to address any need that may arise, then the prohibition on downloading the requisite tools will impact their system use.


Debatin, B., Lovejoy, J. P., Horn, A. K., & Hughes, B. N. (2009). Facebook and online privacy: Attitudes, behaviors, and unintended consequences. Journal of Computer‐Mediated Communication, 15(1), 83-108.

Vulnerabilities To Be Addressed To Safely Utilize Online Social Networking
INTRODUCTION
PRIVACY
 UNREMOVABLE CONTENT
 PRIVACY RISK
 PRIVACY PROTECTION
SAFETY
 ACCOUNT SAFETY
 NETWORK SAFETY
 INTERACTION SAFETY
CONCLUSION

Vulnerabilities To Be Addressed To Safely Utilize Online Social Networking: Conclusion

Vulnerabilities abound when confronting cybersecurity issues with online social networking, but they are manageable. Careful user practices can protect both the privacy of their shared data and the safety of their account, system, and reputation. Assuming that all posted information will be broadcast publicly and minimizing trust granted to others will maximize the security of the user.

Monday, November 12, 2012

Vulnerabilities To Be Addressed To Safely Utilize Online Social Networking: Interaction Safety

Interacting with contacts on an online social networking site has two dangerous scenarios which a user must protect themselves from. The first, and more readily apparent, is interacting with a new contact. This can be either someone whom the user thinks they know, but has not established a connection with through the site, or a stranger. In either situation, the person behind the persona may be a malicious actor attempting to gain access to the user’s private data. The second is a user communicating with a malicious actor who is impersonating a friend through compromised account credentials.

Both of these scenarios pose a danger to the user’s confidentiality, as any private information divulged is being turned over to unauthorized recipients. Any files received from such an actor may very possibly be trojan horse malware, which poses threats to all three cybersecurity facets.

Risks from tainted interactions are low when there is a reasonable belief that the other party is known and medium when the other party is unknown. Rarely will the friend you talk to actually be an imposter and even among strangers, most are not malicious. As the impact of a tainted interaction is potentially very high, the mitigation policies should still be followed.

Mitigation of these dangerous scenarios can be achieved through policies which instruct users to view all online interactions as potentially compromised, and as such not to ignore any suspicious indicators in a conversation. Before friending a ‘known’ contact, an out-of-band communication should be performed to verify that the account in question belongs to the expected person. Any conversation that only includes the other party referencing data available on the site should be questioned as well, because it may be an impostor.

Sunday, November 11, 2012

Vulnerabilities To Be Addressed To Safely Utilize Online Social Networking: Network Safety

Utilization of social networking sites over untrusted network infrastructure can result in account compromise, privacy compromise, or even system compromise. Unsecured Wi-Fi, a LAN with a hostile workstation (such as a hotel or an intranet with a compromised host on it), and a malicious router can all create hostile network conditions. Once the traffic on the wire cannot be trusted, an attacker could change in transit the link that a friend posted and the user wants to follow. They could change the poster’s upload such that the executable they are attempting to share is actually a trojan horse. A user’s communications can be eavesdropped on to sniff out the private data that is being posted, or even sniff out credentials if they are sent unencrypted, as was the case for the first two years of Facebook. (Mensch & Wilkie, 2011)

With ISP and Internet backbone infrastructure typically being considered trusted, most network accesses will not be reasonably unsafe, making this vulnerability low risk overall. The damage at risk during an incident is extremely high, but the likelihood of an incident is small when averaged across all accesses to the social network. When only reasonably unsafe networks are considered, the risk escalates to high.

Untrusted network situations are severe risks for social networking users, especially as a lot of social networking sites still utilize HTTP. Confidentiality is stripped away when eavesdroppers can view and record your plaintext communications with the site. Integrity is lost if routers, legitimate or spoofed, can perform in-transit packet modification. Dropped packets, TCP-reset injections, and wireless jamming are all methods that the untrusted network can impact the availability of the social networking service.

Outside of the implausible command to only utilize trusted infrastructure, the policy recommendation that prevents part of the problem, the loss of confidentiality, is to use a VPN to connect to a mostly trusted infrastructure and then still only use social networking sites that can use HTTPS. The damage to integrity can be converted into the less damaging loss of availability by a signed and encrypted protocol. It doesn't prevent a hostile router from modifying the packets, but it will keep the other end from accepting them as clean.


Mensch, S., & Wilkie, L. (2011). Information security activities of college students: An exploratory study. Academy of Information and Management Sciences Journal, 14(2).

Vulnerabilities To Be Addressed To Safely Utilize Online Social Networking: Safety Intro

Account safety, network safety, data safety, interaction safety, application safety, and monetary safety; there are a lot of ways to get something damaged through online social networking. Your traffic gets viewed, BAM! Compromised. A third party now knows more about your trip to Florida and you are being successfully phished because of it. Your account credentials get stolen and then the bank account which uses the same information is drained. Online social networking vulnerabilities directly threaten your safety with cyber attack and cyber exploitation. (Mensch & Wilkie, 2011)


Mensch, S., & Wilkie, L. (2011). Information security activities of college students: An exploratory study. Academy of Information and Management Sciences Journal, 14(2).

Saturday, November 10, 2012

Vulnerabilities To Be Addressed To Safely Utilize Online Social Networking: Privacy Protection

Privacy violations can be completely prevented through a single, strict policy: do not post content to online social networking sites. The complete lack of control over disseminated content means that any distribution is a potential redistribution. Damage mitigation can be achieved through one of three fairly disjoint policies. One option is to encrypt posted content and only distribute the key to the trusted recipients out-of-band. This way, if either the first or second of the above privacy violations occurs, then the secondary recipients will be unable to view the content. The third violation is still possible, in that the authorized recipient can either forward/post the key or repost the received, but decrypted, content. Alternatively, a policy can treat all distributions, even limited ones, as full public postings. Anything, and everything, posted should be classified as approved for public dispersal, because each post has the potential to be released publicly. (UMUC, 2010) Lastly, any postings of non-publicly releasable content can be performed under careful scrutiny of the social networking site’s privacy settings and released only to recipients under a legally binding and enforceable non-disclosure agreement. Such an agreement will still not physically prevent redistribution, but it does permit a legal recourse in the event of redistribution.

Of the four policy suggestions to prevent or mitigate the damage from the discussed privacy violation, only one truly maintains the usability of the social networking site. Personal poster responsibility and operating under the assumption of full public disclosure allows the user to continue operating as is expected on the site. Not posting equates to not using the site. Posting only under encryption or a non-disclosure agreement runs significantly counter to the social, as opposed to business, nature and focus of most social networking sites.
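The encrypt-and-share-the-key-out-of-band option above, and the "signed and encrypted protocol" recommendation from the Network Safety section, rest on the same mechanism: encrypt-then-MAC. The following is an added example (not code from the paper or from any cited source) showing both effects at once on a constructed post: only holders of the out-of-band key can read it, and a ciphertext modified in transit is refused rather than decrypted into garbage, turning an integrity loss into a mere availability loss. The keystream built from HMAC-SHA256 in counter mode is a stand-in so the example runs with the standard library alone; in practice an authenticated cipher such as AES-GCM from a vetted library is the right choice.

```python
"""Added example: encrypt-then-MAC protection of a social-network post.
All keys, nonces and message text below are constructed for the demo."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

NONCE_LEN = 16
TAG_LEN = 32  # HMAC-SHA256 digest length


def derive_keys(shared_key: bytes) -> Tuple[bytes, bytes]:
    # Separate encryption and authentication keys from the one shared secret
    enc_key = hmac.new(shared_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(shared_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF-based stream; stand-in for a real cipher
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal_post(shared_key: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Encrypt the post, then authenticate nonce+ciphertext. Output: nonce|ct|tag."""
    enc_key, mac_key = derive_keys(shared_key)
    nonce = nonce if nonce is not None else secrets.token_bytes(NONCE_LEN)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_post(shared_key: bytes, sealed: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the tag does not verify (tampered or wrong key)."""
    if len(sealed) < NONCE_LEN + TAG_LEN:
        return None
    enc_key, mac_key = derive_keys(shared_key)
    nonce, ct, tag = sealed[:NONCE_LEN], sealed[NONCE_LEN:-TAG_LEN], sealed[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # refuse the message instead of presenting corrupted content
    ks = _keystream(enc_key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def tamper(sealed: bytes, offset: int) -> bytes:
    # Simulates a hostile router flipping one bit of the ciphertext in transit
    buf = bytearray(sealed)
    buf[NONCE_LEN + offset] ^= 0x01
    return bytes(buf)


def demo() -> Dict[str, bool]:
    key = b"k" * 32            # constructed; in practice shared out-of-band
    other_key = b"x" * 32      # constructed; someone who was not given the key
    post = b"Family photos from the trip, friends only"
    sealed = seal_post(key, post)
    return {
        "roundtrip": open_post(key, sealed) == post,
        "tampered_rejected": open_post(key, tamper(sealed, 3)) is None,
        "wrong_key_rejected": open_post(other_key, sealed) is None,
        "ciphertext_differs": sealed[NONCE_LEN:-TAG_LEN] != post,
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAILED'}")
```

The design point is the order of operations in `open_post`: the tag is checked before any decryption, so a recipient never acts on content that did not come from a key holder, which is exactly the "keep the other end from accepting them as clean" property the Network Safety section asks for.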


UMUC (2010). Cybersecurity Policies in the Private and Public Sector. UMUC CSEC620 Module

Friday, November 9, 2012

Vulnerabilities To Be Addressed To Safely Utilize Online Social Networking: Privacy Risk

The likelihood of such privacy violations is very high, especially when default settings result in a user’s data being exposed to everyone who is connected to their friends. A given user may practice safe social networking, but it is unlikely that every one of their friends do. It only takes one friend making one bad connection for a user’s data, with such protections, to become exposed to dangerous actors. In fact, in the time it took to write this paper, a fake account on Facebook that the author created and spammed random friend requests was able to become friends with 28 users, even with a public description that the account was a test to access their information. To most users, though, the risk is at the most medium, as they see a negligible value associated with such a breach, despite the extremely high occurrence rate. This is supported by a reported 30% acceptance rate to complete strangers. (Debatin et al, 2009, pp. 87)

The cybersecurity threat posed by the lack of content privacy severely damages the confidentiality of messages intended for the originally limited audience. In the case of secondary uploading of a poster’s content, there is also a danger to the integrity of the message, because the secondary uploader can manipulate the content and repost it as if simply re-sharing it. The victims of the integrity damage are twofold: the recipient of the counterfeit message is damaged by collecting misinformation, and the sender of the original message is damaged because the counterfeit weakens the audience’s view of the sender (Counterfeit, 2012).


Counterfeiting (2012). Fact sheets: Protecting a trademark. Global Trademark Research. Retrieved November 3, 2012 from http://www.inta.org/TrademarkBasics/FactSheets/Pages/Counterfeiting.aspx

Debatin, B., Lovejoy, J. P., Horn, A. K., & Hughes, B. N. (2009). Facebook and online privacy: Attitudes, behaviors, and unintended consequences. Journal of Computer‐Mediated Communication, 15(1), 83-108.

Thursday, November 8, 2012

Vulnerabilities To Be Addressed To Safely Utilize Online Social Networking: Unremovable Content

All content posted onto a social networking site is released permanently, as far as a technically knowledgeable user is concerned. Whether that content is in the form of thoughts, images, videos, or otherwise, once it is made available to a second user it is out of the control of the poster. Often misunderstood, even by those that should know better, as shown by the prohibition on downloading content in the YouTube terms of service (YouTube, 2010), is that all content displayed on the screen of another user has already been downloaded by them. That content, technically rather than legally, is then in the possession of that other user to do with as they will. If it has been viewed, even if the poster tries to delete it, then it has been distributed.

Once distributed, the poster no longer controls where their content is sent, nor how it is used. Social networking sites often provide visibility or access control options which limit the initial distribution, but these do very little to reduce the vulnerability to privacy. First, the default settings tend to lean toward open, rather than closed, because “creation and preservation of this social capital is systematically built upon the voluntary disclosure of private information to a virtually unlimited audience” (Debatin et al, 2009, pp. 87). Thus, having users broadcast their content to the greatest audience in turn leads to the most people joining the audience. Secondly, the sites themselves tend to have controls built in that allow those with viewing permission to directly share that content with an audience of their choosing. Posting content to be accessed only by a select group of people does not limit the audience at all if one of those recipients in turn just forwards the content to the public. Thirdly and lastly, the recipient audience can claim the content as their own and directly post it themselves to the site, or even to a different social networking site. With such a sharing, the sharer may not even provide proper attribution for the content.


Debatin, B., Lovejoy, J. P., Horn, A. K., & Hughes, B. N. (2009). Facebook and online privacy: Attitudes, behaviors, and unintended consequences. Journal of Computer‐Mediated Communication, 15(1), 83-108.

YouTube (2010). Your Use of Content. Terms of Service. Retrieved November 3, 2012 from http://www.youtube.com/static?gl=US&template=terms

Vulnerabilities To Be Addressed To Safely Utilize Online Social Networking: Privacy Intro

Privacy concerns, in online social networking as well as elsewhere, are primarily centered around data control. Before digital content, albums of family photos were accessible to the family and those that were given access to the images. Duplication was time consuming and costly, so surreptitiously doing so was impractical. A viewer keeping the image to view at a later time would be noticed by the owner, because their copy of the image would be physically taken from the album. Digital content has invalidated these assumptions. Data control no longer can be exercised by the owner keeping the original.

Wednesday, November 7, 2012

Vulnerabilities To Be Addressed To Safely Utilize Online Social Networking: Introduction

Online social networking is chock full of cybersecurity vulnerabilities and they are primarily disregarded by the users. For various reasons, users engage in behaviors related to social networking sites in ways that they would not normally perform in the physical realm. Trusting random people while knowing nothing about them. Exposing private data to perfect strangers. Providing intimate details of themselves to the public where the details can be viewed anonymously without the subject even knowing how many times it was viewed. These activities all expose the social networking users to cybersecurity vulnerabilities which pose true risks to them.

This paper will classify each presented vulnerability as a threat to one of the major principles of cybersecurity: confidentiality, integrity, availability. The risks associated with the threats of each vulnerability shall be discussed as well as prevention and mitigation possibilities as encapsulated in policies and procedures. Finally, the impact to customer satisfaction related to the prevention effort is covered.

The full paper in document form.

Sunday, November 4, 2012

Another paper dragging

Monday night I was busy compensating for a disrupted work schedule and Tuesday I had no word processor nor Internet due to a Sandy-related power outage. As such, Wednesday was spent working and taking care of problems caused by 30 or so hours of no power. The end of the week then sprinted up way too fast.

So now I sit here 18 hours before my second individual paper of the semester is due and still typing away. The sections in this paper are turning out much larger than in my previous one, so I will probably post the introduction with a link to the paper instead of posting the whole paper. Sorry if you prefer the fragmented presentation, I don't want to break it up by paragraph and I don't want to publish a post that is four pages long.

Oh man, I'll sleep good and early tonight.

Thursday, November 1, 2012

Mitigating an insider threat

Topic - One of the biggest risks that companies face is advanced persistent threats. Discuss the most effective way to implement policies that mitigate the chance of an insider either taking part in or facilitating an advanced persistent threat. Integrate the concept of separation of duties into your discussion.

Separation of duties requires that there be limits on access and checks on actions. When one person is responsible for overseeing their own work, then there is not any oversight. A failure to sufficiently implement this principle leaves open exactly what the principle is meant to guarantee, that “a single individual cannot subvert a critical process” (Swanson & Guttman, 1996, p 27).

In the event that an inside actor has the ability to avoid or compromise procedural safeguards, they have a great deal of power to impact any of the three major security traits: confidentiality, integrity, or availability. Kabay and Robertson tell of a disgruntled system administrator who resigned from UBS Paine Webber, but before he left he released a malicious logic bomb of his own creation (2002). Since the malicious code deleted files and generally caused chaos in the network, it damaged both the integrity of the data on the network and the availability of the systems it disrupted.

Such an attack could have been entirely prevented if the saboteur had had his accesses properly compartmentalized with mandatory oversight. Disallowing him the ability to both generate code and release it onto the production systems would have forced an accomplice to be involved, or stolen credentials. Gregg et al recommend not even having compilers available on production systems, which prevents the creation of low-level malware on them. (2012) This is not a perfect protection by a long stretch, because interpreted scripting languages, like Python, Perl, or Bash, can be used to create malicious scripts directly on the live systems.
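One concrete way to enforce the compartmentalization described above is a release gate that refuses a change unless the people in the chain are distinct and hold the right roles. The following is an added example (a hypothetical model, not code from Gregg et al, Kabay and Robertson, or any real pipeline); the user names, roles and the rule set are constructed for the demo. It encodes the two points the paragraph makes: the author of code cannot be the one who approves or releases it, and the production artifact must come from the build system rather than from an individual's own machine, which is the automated counterpart of keeping compilers off production hosts.

```python
"""Added example: a separation-of-duties release gate.
Roles, identities and rules are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed role assignments for a hypothetical organisation.
ROLES: Dict[str, Set[str]] = {
    "alice":  {"developer"},
    "bob":    {"developer", "release-approver"},
    "carol":  {"operator"},
    "ci-bot": {"build-system"},   # non-human identity of the build pipeline
}


@dataclass
class Change:
    change_id: str
    author: str            # wrote the code
    approver: str          # reviewed and approved it for release
    built_by: str          # identity that produced the production artifact
    deployer: str          # identity pushing the artifact to production
    source_reviewed: bool  # whether a code review was recorded at all


def _has_role(user: str, role: str) -> bool:
    return role in ROLES.get(user, set())


def sod_violations(c: Change) -> List[str]:
    """Return every separation-of-duties rule the change breaks (empty means clean)."""
    violations: List[str] = []
    if not c.source_reviewed:
        violations.append("change was never reviewed")
    if c.author == c.approver:
        violations.append("author approved their own change")
    if not _has_role(c.approver, "release-approver"):
        violations.append(f"approver {c.approver} lacks the release-approver role")
    if not _has_role(c.built_by, "build-system"):
        # A human-built artifact bypasses the pipeline; treat like a compiler on prod
        violations.append(f"artifact built by {c.built_by}, not by the build system")
    if not _has_role(c.deployer, "operator"):
        violations.append(f"deployer {c.deployer} lacks the operator role")
    if c.deployer in (c.author, c.approver):
        violations.append("deployer also authored or approved the change")
    return violations


def may_deploy(c: Change) -> bool:
    """True only when no separation-of-duties rule is violated."""
    return not sod_violations(c)


if __name__ == "__main__":
    good = Change("CHG-1", "alice", "bob", "ci-bot", "carol", True)
    solo = Change("CHG-2", "bob", "bob", "bob", "bob", True)
    print("CHG-1 deployable:", may_deploy(good))
    for v in sod_violations(solo):
        print("CHG-2 blocked:", v)
```

The gate is deliberately a pure function over the change record, so it can be called from a CI job or audited offline against historical deployments; a change like `solo` above, where one administrator writes, approves, builds and deploys, is the pattern the UBS Paine Webber case illustrates.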


Gregg, J., Nam, M., Northcutt, S. & Pokladnik, M. (2012, May 5). Separation of Duties in Information Technology. SANS Security Laboratory. Retrieved from http://www.sans.edu/research/security-laboratory/article/it-separation-duties

Kabay, M. E. & Robertson, B. (2002). Employment Practices and Policies. In Bosworth et al (Eds.), Computer security handbook. New York, NY: John Wiley & Sons, Inc.

Swanson, M., & Guttman, B. (1996). Generally accepted principles and practices for securing information technology systems (NIST Special Publication 800-14). National Institute of Standards and Technology.

Mobile Device Impact on Network Analysis

Topic - As new technology becomes adopted by organizations, standards must also adapt to meet the change. Using mobile device technology as an example, discuss the differences that will need to be addressed for penetration testing. What about vulnerability assessments?

The changing landscape of technology with regard to mobile computing requires a reassessment of potential access points into a network. Wireless access points were already dangerous, as they extended the accessibility of your network outside of the relative safety of your walls. Connecting a mobile phone to the wireless network is directly creating a bridge between the network and the Internet by way of the cellular data connection.

Such a bridge opens up new pathways, and expands existing ones, to be tested via penetration testing.

  • New pathway: ARM Malware. Mobile devices with ARM processors are miniature computers that cannot run the executable binaries which are created for traditional Intel-compatible x86 and x64 processors and desktop operating systems. Analyzing such malware requires a toolset designed for mobile applications. Malware for the popular mobile operating systems, iOS and Android, is in the wild and on the rise (Schmidt, et al, 2009).
  • Expanded pathway: Social Engineering. Because the mobile device doubles as a phone, three additional vectors of social engineering attacks are made available.
    1. The most straightforward is simply asking an employee to use their phone to make a phone call.
    2. Spear phishing via SMS can send links to malicious web servers. Due to the reduced character count, there is less room for explanation with the link, which can lead to users being less suspicious of concise messages containing links.
    3. QR Code exploits and links to malicious web servers. Due to the opaque nature of QR codes, a user does not know where they point until they scan them. A malicious QR code sticker can be placed on any number of signs, objects, or such where a target is likely to go (Kieseberg, et al, 2010).
  • Expanded pathway: Man in the Middle. The data connection of the phone to the cell network can be attacked Man-in-the-Middle style by an actor impersonating a cellular base station (Meyer & Wetzel, 2004).

Vulnerability assessments are impacted because it can become very difficult to inventory the systems on the network and to assess their potential vulnerability if the network is suddenly and unexpectedly no longer homogeneous (Bace, 2009). An easy-to-see example of this is a fully managed Windows domain. All of the expected systems run Windows 7, so the VA tools utilized are designed for identifying and scanning Windows 7 systems. When an Android device is connected, it changes the network make-up. Now the VA tools fail to identify all the devices or, even worse, fail to even find all the devices if discovery was being done by reading the expected devices from Active Directory.
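The inventory problem in the paragraph above has a straightforward defensive check: reconcile what the directory says should be on the network against what the network itself reports. The following is an added example, not code from Bace or from any VA product. It assumes a directory export of managed hosts and a DHCP lease log (both constructed here), and uses the DHCP vendor class identifier each client sends to recognise platforms the directory-driven scan would never have looked for; Android clients announce themselves with a vendor class beginning `android-dhcp-`, and Windows clients with `MSFT`. The output is the list of devices that need to be added to the assessment scope, with the platform the VA tooling must be able to handle.

```python
"""Added example: reconcile directory inventory against DHCP leases so the
vulnerability-assessment scope is driven by what is really on the network.
Directory export and lease lines are constructed for the demo."""
import re
from typing import Dict, List

# Constructed directory export: the homogeneous Windows 7 domain the VA tools expect.
DIRECTORY_HOSTS: Dict[str, str] = {
    "ws-0101": "Windows 7",
    "ws-0102": "Windows 7",
    "srv-files": "Windows Server 2008 R2",
}

# Constructed DHCP lease records: ip, hostname, MAC, and the client's vendor class (option 60).
DHCP_LEASES = """\
lease 10.0.1.21 ws-0101 00:1c:42:aa:bb:01 vendor=MSFT 5.0
lease 10.0.1.22 ws-0102 00:1c:42:aa:bb:02 vendor=MSFT 5.0
lease 10.0.1.40 android-7f3e9c 40:4e:36:cc:dd:03 vendor=android-dhcp-4.1
lease 10.0.1.41 srv-files 00:1c:42:aa:bb:10 vendor=MSFT 5.0
lease 10.0.1.55 iPhone 9c:20:7b:ee:ff:04 vendor=
"""

LEASE_RE = re.compile(r"^lease (\S+) (\S+) (\S+) vendor=(.*)$")


def parse_leases(text: str) -> List[Dict[str, str]]:
    """Turn lease log lines into records; malformed lines are skipped."""
    leases = []
    for line in text.splitlines():
        m = LEASE_RE.match(line.strip())
        if m:
            ip, host, mac, vendor = m.groups()
            leases.append({"ip": ip, "hostname": host, "mac": mac, "vendor": vendor.strip()})
    return leases


def classify(lease: Dict[str, str]) -> str:
    """Best-effort platform guess from the DHCP vendor class, then the hostname."""
    vendor = lease["vendor"].lower()
    host = lease["hostname"].lower()
    if vendor.startswith("android-dhcp"):
        return "Android"
    if vendor.startswith("msft"):
        return "Windows"
    if host.startswith(("iphone", "ipad")):
        return "iOS (hostname guess)"
    return "unknown"


def reconcile(directory: Dict[str, str], leases: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the devices seen on the network that the directory does not know about."""
    unmanaged = []
    for lease in leases:
        if lease["hostname"] not in directory:
            unmanaged.append({**lease, "platform": classify(lease)})
    return unmanaged


def va_scope(directory: Dict[str, str], leases: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group every live address by the platform a scanner must support."""
    scope: Dict[str, List[str]] = {}
    for lease in leases:
        platform = directory.get(lease["hostname"]) or classify(lease)
        scope.setdefault(platform, []).append(lease["ip"])
    return scope


if __name__ == "__main__":
    leases = parse_leases(DHCP_LEASES)
    for dev in reconcile(DIRECTORY_HOSTS, leases):
        print(f"UNMANAGED {dev['ip']} {dev['hostname']} ({dev['platform']})")
    print("scan scope by platform:", va_scope(DIRECTORY_HOSTS, leases))
```

Running this against the constructed data flags the Android handset and the iPhone that the Active Directory-driven discovery would have missed entirely, and `va_scope` shows that the assessment now needs scanner coverage for three platforms instead of the one the domain was built around.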


Bace, R.G. (2009). Vulnerability assessment. In Bosworth et al (Eds.), Computer security handbook. New York, NY: John Wiley & Sons, Inc.

Kieseberg, P., Leithner, M., Mulazzani, M., Munroe, L., Schrittwieser, S., Sinha, M., & Weippl, E. (2010, November). QR code security. In Proceedings of the 8th International Conference on Advances in Mobile Computing and Multimedia (pp. 430-435). ACM.

Meyer, U., & Wetzel, S. (2004, October). A man-in-the-middle attack on UMTS. In Proceedings of the 3rd ACM workshop on Wireless security (pp. 90-97). ACM.

Schmidt, A. D., Schmidt, H. G., Batyuk, L., Clausen, J. H., Camtepe, S. A., Albayrak, S., & Yildizli, C. (2009, October). Smartphone malware evolution revisited: Android next target? In Malicious and Unwanted Software (MALWARE), 2009 4th International Conference on (pp. 1-7). IEEE.

Wednesday, October 31, 2012

Cool pics, not cybersecurity

The new profile picture was from a caricature artist doing work at a local restaurant. I found it to be amazing and wanted to make sure to get his name out and publicly show my appreciation for his work.

Stanley Rayfield, thank you for the awesome picture. We have an empty frame up in the middle of our photos which it will hold wonderfully.

Profile pic from: http://www.stanleyrayfield.com/home/

Just to make sure this post still makes sense if I change my pic in the future:

Monday, October 29, 2012

Motivating employees: Kick them out of the office sometimes

Topic - Companies motivate their employees as a means of retaining good workers. To do so, they incentivize the workers by offering a variety of benefits. Based on your experience, what is the best incentivizing mechanism? Qualify how well it compares to other incentives.

Employee benefits come in all kinds of packages: free lunch, convenient parking, flexible hours, generous vacation and sick leave, paid health care, free swag, and much more. Of these, I have seen flexible hours and generous leave be the most incentivizing benefits. The true benefit these two provide to the employee is that they allow the job to fit the life of the employee. Other options tend to be a roundabout way of providing more money, but these two give more time. Family time, hobby time, alone time. Whatever fits the lifestyle of the employee, they get through flexible hours and generous leave.

The other advantage of these options, asserted Kabay and Robertson in 2002, is it provides a tangible benefit to security. They discuss a specific case study about an embezzler who worked about 850 days without taking a single day of leave, never tardy, and never absent. He was such a dedicated employee because the only way to be sure his scam continued without getting caught was to always be present. A day away would be a day he risked detection. A good idea to implement along with offering generous leave is to require vacation breaks, without exception. Doing so forces the employee out of the office, which helps prevent burnout and encourages a healthy work-life balance. If a given employee seems to fight this policy more than is reasonable, they should be investigated to verify that they are just a highly dedicated employee. (Kabay & Robertson, 2002)


Kabay, M. E. & Robertson, B. (2002). Employment Practices and Policies. In Bosworth et al. (Eds.), Computer security handbook. New York, NY: John Wiley & Sons, Inc.

Thursday, October 25, 2012

Airline Cybersecurity

Personal post written to the class. I had posted this because I felt it needed sharing, so I am saving it here too. From February 16, 2012.
Here is the paper for which this was research.

Well, today I learned that an important thing for airline cybersecurity is that a cyber-threat tipline needs to be available.

I was looking at airport websites as research and discovered a SQL injection into an upcoming flights database. Upon verifying and documenting the vulnerability, I went looking for a contact that I should send my report to, and the only thing I could find was a minor TSA contact email. I ended up on the phone with a low-level police information desk person and sent the report to both him and the TSA email, hoping it finds its way to the people that need the report.

The police information desk was definitely not the best person to be talking to, and I had to backpedal and re-explain that I was a Cybersecurity student after he asked, in a very accusing tone, "Are you a hacker?" Does he regularly have black hats calling him to report vulnerabilities? It was an Airport Police (Information / Assistance) number available on the state aviation administration contact page. I tried.

I don't have much faith in the TSA email either as I got back an auto generated response that implied that most of their incoming email is about what can and can't be carried onto a plane.

Matthew


Update: The airport in question has replaced the page in question, so this vulnerability has been corrected.

Wednesday, October 24, 2012

E-Government: Why you shouldn't go into the DMV

Topic - E-government comes at a cost. Is there a trade-off that occurs between the security of federal systems and the cost savings from reduced paperwork?

E-government provides significant convenience to both civil servants as well as to the citizens. The employees can automate tasks and process other requests asynchronously, while citizens can submit forms and look up information from the comfort of their home. A few months ago I had to update my address with the Maryland MVA. This involved driving 30 minutes to the MVA office and waiting in their queue for three hours before meeting with the clerk. I cannot overstate how irritated this stressful day left me. Looking into the e-government offerings of the MVA, I see that they have a no-charge process for processing a change of address online. (Frequently Asked Questions, 2012) Rather than coordinating their schedule around travel, waiting, and MVA hours, a citizen can just fill out an online form and have a Change-of-Address mailed to them when a clerk gets around to it.

Convenience like the MVA online services comes at a significant price, one that all e-government offerings face. Defense must be posted 24 hours a day, every day. Offices are closed for most of every day and are protected by being closed up in secure buildings. Online systems can be accessed at any time, so they must be monitored at every time. Frequently, public sector agencies and offices “must address security concerns in the face of deep budget cuts, staff shortages and legacy information systems.” (Lifting the Security Burden, 2012) Attempting to maintain the requisite security can be extremely difficult when faced with the budget realities of recession and reduced taxes.


Frequently Asked Questions (October 4, 2012). Motor Vehicle Administration. Retrieved from: http://www.mva.maryland.gov/About-MVA/FAQ/default.htm

Lifting the Security Burden. (2012). Government Technology, 25(1), 49. Retrieved from http://media2.govtech.com/documents/CDG11+BRIEF+Dell_Insert2pg-1.pdf

Cyberspace and Cybersecurity: Archive Post C

As of the start of this blog, I am in my second course for my Masters of Science in Cybersecurity. This is an archived posting from the first course.

Topic – LAN Security Policy Function
Select one and only one security policy function related to LANs and provide more detail.

From March 30, 2012.

Drawing from Vacca's list of critical functions of a good security policy, I will discuss the value and details of appointing "a security administrator who is conversant with users' demands and on a continual basis is prepared to accommodate the user community's needs" (2009, p. 152).

An easy-to-overlook but vitally important phrase in there is "a security administrator", singular. The idea of a single point of failure may seem repulsive, and having a backup contingency in place is a good idea, but having a single point of security configuration minimizes the chance that multiple changes invalidate each other's security. Having just one administrator guarantees that the entire security administrative team is always kept up to date on changes and incidents of note.

Familiarity with users' demands is absolutely vital for the administrator because a failure to address (not necessarily comply with, but at least address) users' demands will result in the users attempting to enact what they feel is needed themselves. If users do not have it explained to them why their demands cannot be met, then the actions they take will cause security or stability issues. For instance, when users demand access to streaming media even though policy denies it, if the administrator doesn't address that demand and explain that streaming media is banned due to stability concerns related to the enormous amount of bandwidth it uses, then the users avoid the block on YouTube with a proxy and strain the availability of the network through bandwidth consumption.

The security administrator needs to be constantly prepared to accommodate the user community's needs, because those needs could be indicative of a network incident. If users begin reporting issues to the help desk, "with a complaint about his or her computer, the network, or an Internet connection, the user’s problem may turn out to be related to a bigger problem, such as a hacker, denial-of-service attack, or a virus" (Whitman & Mattord, 2010).


Whitman, M. E., Mattord, H. J. (2010). Management of Information Security. Retrieved from www.sis.pitt.edu/~jjoshi/IS2820/Spring06/chapter05.doc

Vacca, J. R. (2009). Computer and Information Security Handbook. Burlington, MA: Morgan Kaufmann.

Cyberspace and Cybersecurity: Archive Post B

As of the start of this blog, I am in my second course for my Masters of Science in Cybersecurity. This is an archived posting from the first course.

Topic – Network Tools
Select one network monitoring tool mentioned in the module (Nmap, Nessus, etc.) and provide more information about it. It is permissible to also discuss a tool that was not mentioned in the module.

From March 30, 2012.

The network monitoring tool I recently found out about is the Microsoft Network Monitor. From the relevant MSDN page, "Microsoft Network Monitor is a tool for viewing the contents of network packets that are being sent and received over a live network connection or from a previously captured data file. It provides filtering options for complex analysis of network data" (2012). From my experience, it is basically a closed-source version of Wireshark published by Microsoft. It has one extremely interesting feature, and that is its ability to put wireless cards into promiscuous mode with the proprietary Windows drivers. This is a feature I have searched for literally for months and was unable to find. Most everything you can find about promiscuous wireless packet capture is using Linux, but with Microsoft Network Monitor you can perform it in Windows with the default drivers.

I was shocked to find an official, free tool from Microsoft that will put your wireless card into promiscuous mode, capture the traffic, and parse it for you. As Vacca points out, promiscuous mode is useful as a troubleshooting tool, but "it is also a mechanism that can be easily abused by anyone motivated to enable promiscuous mode" (2009, p. 102).


MSDN. (2012) Network Monitor and Parsers. Retrieved from http://msdn.microsoft.com/en-us/openspecifications/cc816059

Vacca, J. R. (2009). Computer and Information Security Handbook. Burlington, MA: Morgan Kaufmann.

Tuesday, October 23, 2012

Cyberspace and Cybersecurity: Archive Post A

As of the start of this blog, I am in my second course for my Masters of Science in Cybersecurity. This is an archived posting from the first course.

Topic - Operating Systems and Access Control
Discuss one aspect of access control (e.g., file access rights, privileges, ACL, etc.) in ensuring operating system security.

From March 23, 2012.

According to Vacca, access control lists (ACLs) provide access to certain resources and can be used for both physical and electronic access. "Implementing ACLs prevents end users from being able to access sensitive company information and helps them perform the jobs better by not giving them access to information that can act as a distraction" (Vacca, 2009, p. 257).

The Microsoft Windows operating systems use ACLs to protect securable objects such as files, directories, and registry keys. The ACLs are lists of access control entries (ACEs), each of which identifies a trustee "and specifies the access rights allowed, denied, or audited for that trustee" (Microsoft, 2012). Windows actually uses two separate lists per object, the discretionary access control list (DACL) and the system access control list (SACL). The first is for controlling who accesses an object and the second is for logging attempts to access the object. (Microsoft, 2012)

Whenever access to a securable object is attempted, the process accessing it is compared against the ACEs in the DACL. If there is no DACL associated with the object, everyone is granted access. When there is a DACL with no entries, everyone is denied access. Otherwise, the process is granted access if and only if there is no ACE denying it access and there is an ACE granting it.

The ACEs of the SACL for the object "specifies the types of access attempts by a specified trustee that cause the system to generate a record in the security event log. An ACE in a SACL can generate audit records when an access attempt fails, when it succeeds, or both" (Microsoft, 2012).
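To make the four DACL cases and the SACL audit rule above concrete, here is an added example of my own (not Microsoft's code or the real Windows algorithm): a simplified model in which the ACE type, right bits and sample objects are constructed, and which ignores ACE ordering and inheritance.

```python
# Added example: simplified model of the DACL/SACL rules described above.
# Real Windows evaluates ACEs in order and applies inheritance; this model
# does not. Right bits, trustees and objects are constructed for the demo.
from dataclasses import dataclass, field
from typing import List, Optional

READ, WRITE, DELETE = 1, 2, 4   # constructed right bits, not Windows constants

@dataclass
class Ace:
    trustee: str                  # user or group the entry applies to
    rights: int                   # bitmask of rights the entry covers
    allow: bool = True            # DACL: allow (True) or deny (False)
    audit_success: bool = False   # SACL: record successful attempts
    audit_failure: bool = False   # SACL: record failed attempts

@dataclass
class SecurableObject:
    name: str
    dacl: Optional[List[Ace]] = None        # None means the object has no DACL
    sacl: List[Ace] = field(default_factory=list)

def check_access(obj, principals, wanted):
    """principals = the user plus its groups. No DACL -> allow; empty DACL -> deny;
    else allow only if no matching deny ACE and allow ACEs cover every wanted bit."""
    if obj.dacl is None:
        return True
    if not obj.dacl:
        return False
    granted = 0
    for ace in obj.dacl:
        if ace.trustee not in principals:
            continue
        if not ace.allow and ace.rights & wanted:
            return False
        if ace.allow:
            granted |= ace.rights
    return (wanted & granted) == wanted

def audit_records(obj, principals, wanted, success):
    """SACL: one (object, trustee, outcome) record per matching ACE set to audit this outcome."""
    outcome = "success" if success else "failure"
    return [
        (obj.name, ace.trustee, outcome)
        for ace in obj.sacl
        if ace.trustee in principals and ace.rights & wanted
        and (ace.audit_success if success else ace.audit_failure)
    ]

def access_request(obj, principals, wanted):
    ok = check_access(obj, principals, wanted)
    return ok, audit_records(obj, principals, wanted, ok)

# Constructed objects covering each case in the text.
payroll = SecurableObject("payroll.xlsx",
    dacl=[Ace("Accounting", READ | WRITE), Ace("Contractors", READ | WRITE, allow=False)],
    sacl=[Ace("Everyone", WRITE | DELETE, audit_success=True, audit_failure=True)])
no_dacl = SecurableObject("scratch.tmp")               # no DACL: everyone allowed
empty_dacl = SecurableObject("locked.dat", dacl=[])   # empty DACL: everyone denied
```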


Microsoft. (2012) Access Control Lists. Retrieved from http://msdn.microsoft.com/en-us/library/windows/desktop/aa374872%28v=vs.85%29.aspx

Vacca, J. R. (2009). Computer and Information Security Handbook. Burlington, MA: Morgan Kaufmann.

Cybercrime, extradition, and ... Julian Assange?

Topic - Cybercrime is a transnational issue that makes extradition exceedingly difficult. Using the Wikileaks case, discuss whether or not the breach of the U.S. classified network warrants the extradition and trial of Wikileaks' founder Julian Assange in the United States.

The transnational nature of more traditional cybercrime, like Chinese “economic cyber espionage” (McConnell et al., 2012) or Russian hackers (Capo, 2009), means that international boundaries are crossed, placing attackers and victims in entirely different jurisdictions. Even if the crime committed against the victim is also a crime in the locale of the attacker, and even if the involved law enforcement agencies are willing to work together, investigation, extradition, and prosecution may still stall out due to political or diplomatic issues.

The WikiLeaks case is even murkier water, because the victim in this case, the United States Government, has been unable to decide if Assange has actually committed a crime. There are solid arguments to be made justifying the actions of WikiLeaks as just another journalist publishing the information turned over by just another whistleblower, which is the stance Assange himself takes. As of the end of 2010, the federal government had never attempted a prosecution of a journalist, nor had it ever obtained a conviction of a leak recipient. (Savage, 2010)

Since it was a non-American organization run by a non-American merely publishing leaked information, I find it hard to believe that any crime under American jurisdiction could have occurred. How the information was leaked is a crime, and one that is currently being tried, but that crime lies with the leaker, not the recipient.


Capo. (December 29, 2009) Russian Mafia Linked To Hacking. Mafia Today. Retrieved 12 October 2012 from: http://mafiatoday.com/other-mafia-orgs/russian-mafia-linked-to-hacking/

McConnell, M., Chertoff, M. & Lynn, W. (January 27, 2012) China’s Cyber Thievery Is National Policy - And Must Be Challenged. The Wall Street Journal. Retrieved 5 October 2012 from: http://www.boozallen.com/media/file/WSJ-China-OpEd.pdf

Savage, C. (December 7, 2010). U.S. Prosecutors Study WikiLeaks Prosecution. The New York Times. Retrieved 12 October 2012 from: http://www.nytimes.com/2010/12/08/world/08leak.html

Monday, October 22, 2012

Webmail: Why you should block it

Topic - If you were writing a code of ethics, what would be the most important practices to include in your company's acceptable use policy, internet use policy, or acceptable conduct policy?

As a cybersecurity-focused professional, my primary objective for the code of ethics is to prevent intrusions into my network and guard the intellectual property which resides on it. Drive-by downloads, phishing, and random, dirty pieces of software downloaded by employees are all dangerous, but the real danger to the network resides with targeted attacks. Insiders and spear phishing are the threats that require the most focused coverage in the drafted policies.

From the class module, I extracted basics of each policy to attempt to address each one correctly. The Acceptable Use Policy consists of enumerating unacceptable uses of the information systems and network. The Internet Use Policy sets out constraints on the allowable motivation behind web use to limit it to official business use only as well as prohibiting, in broad descriptions, uses which can expose private information, endanger the network, or violate copyright laws. (University of Maryland University College, 2012)

Targeted network attacks can be mitigated through carefully drafting, implementing, and enforcing these policies. The most important rule in the Acceptable Use Policy is that email is to be used primarily for text-based communication and scheduling. Because documents will inevitably need to be emailed, enforcement of this will not mean restricting email strictly to text and scheduling. Targeted attacks often involve email attachments which are malware or infected documents containing malware. (Schwartz, 2011) To prevent this, the Acceptable Use Policy will be enforced by quarantining and reviewing all email attachments. A dropbox system will be used for internal file transfers, so the attachment policy will apply even to internal emails.

Also aimed at email, the most important feature of my Internet Use Policy would be to forbid personal internet use, especially and primarily webmail. Since the employees will have their company email address, there is no need to allow access to personal webmail. Such sites will be blocked by policy and enforced through a DNS blacklist. This helps protect against both insiders and malware sending out IP through encrypted webmail.
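As an added example (my own code, not part of the original post or any product mentioned in it), here is the attachment-quarantine step the Acceptable Use Policy above calls for: every attachment is held with a hash and metadata for reviewer triage, and the recipient receives a text-only copy with a notice. The inbound message and its "invoice.docm" payload are constructed.

```python
# Added example: quarantine all attachments and deliver a text-only copy,
# enforcing the attachment rule described above. Sample message is constructed.
import hashlib
from email import message_from_string, policy
from email.message import EmailMessage

# Constructed inbound message with one attachment (payload decodes to "hello world").
RAW_MESSAGE = """\
From: vendor@example.com
To: alice@corp.example
Subject: Invoice attached
Message-ID: <constructed-001@example.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please see the attached invoice.
--b1
Content-Type: application/octet-stream; name="invoice.docm"
Content-Disposition: attachment; filename="invoice.docm"
Content-Transfer-Encoding: base64

aGVsbG8gd29ybGQ=
--b1--
"""

def quarantine_attachments(raw):
    """Return (delivered_message, quarantine_entries). The delivered message keeps
    the headers and plain-text body; each attachment is recorded for review."""
    msg = message_from_string(raw, policy=policy.default)
    entries = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        entries.append({
            "filename": part.get_filename() or "(unnamed)",
            "content_type": part.get_content_type(),
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
        })
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    delivered = EmailMessage(policy=policy.default)
    for header in ("From", "To", "Subject", "Date", "Message-ID"):
        if msg[header]:
            delivered[header] = msg[header]
    if entries:
        names = ", ".join(e["filename"] for e in entries)
        text += f"\n\n[{len(entries)} attachment(s) held for security review: {names}]\n"
    delivered.set_content(text)
    return delivered, entries

if __name__ == "__main__":
    delivered, held = quarantine_attachments(RAW_MESSAGE)
    print(delivered.as_string(), held)
```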

I felt as though this week's posts were really weak, but they scored very well. Here is the first one.


Schwartz, M. J. (June 08, 2011) Spear Phishing Attacks On The Rise. InformationWeek. Retrieved 12 October 2012 from http://www.informationweek.com/security/attacks/spear-phishing-attacks-on-the-rise/230500025

University of Maryland University College, N. A. (2012). Cyber Ethics: Csec 620, module 2. Informally published manuscript, Retrieved 12 October 2012 from http://tychousa11.umuc.edu/cgi-bin/id/FlashSubmit/fs_link.pl?class=1209:CSEC620:9083&fs_project_id=344&xload&tmpl=CSECfixed&moduleSelected=csec620_02