Wednesday, October 31, 2012

Cool pics, not cybersecurity

The new profile picture was from a caricature artist doing work at a local restaurant. I found it to be amazing and wanted to make sure to get his name out and publicly show my appreciation for his work.

Stanley Rayfield, thank you for the awesome picture. We have an empty frame up in the middle of our photos which it will hold wonderfully.

Profile pic from: http://www.stanleyrayfield.com/home/

Just to make sure this post still makes sense if I change my pic in the future:

Monday, October 29, 2012

Motivating employees: Kick them out of the office sometimes

Topic - Companies motivate their employees as a means of retaining good workers. To do so, they incentivize the workers by offering a variety of benefits. Based on your experience, what is the best incentivizing mechanism? Qualify how well it compares to other incentives.

Employee benefits come in all kinds of packages: free lunch, convenient parking, flexible hours, generous vacation and sick leave, paid health care, free swag, and much more. Of these, I have seen flexible hours and generous leave being the most incentivizing benefits. The true benefit provided to the employee by these quantifiable benefits is that it allows the job to fit the life of the employee. Other options tend to be a roundabout way of providing more money, but these two give more time. Family time, hobby time, alone time. Whatever fits the lifestyle of the employee, they get through flexible hours and generous leave.

The other advantage of these options, asserted Kabay and Robertson in 2002, is it provides a tangible benefit to security. They discuss a specific case study about an embezzler who worked about 850 days without taking a single day of leave, never tardy, and never absent. He was such a dedicated employee because the only way to be sure his scam continued without getting caught was to always be present. A day away would be a day he risked detection. A good idea to implement along with offering generous leave is to require vacation breaks, without exception. Doing so forces the employee out of the office, which helps prevent burnout and encourages a healthy work-life balance. If a given employee seems to fight this policy more than is reasonable, they should be investigated to verify that they are just a highly dedicated employee. (Kabay & Robertson, 2002)


Kabay, M. E. & Robertson, B. (2002). Employment Practices and Policies. In Bosworth et al. (Eds.), Computer Security Handbook. New York, NY: John Wiley & Sons, Inc.

Thursday, October 25, 2012

Airline Cybersecurity

Personal post written to the class. I had posted this because I felt it needed sharing, so I am saving it here too. From February 16, 2012.
Here is the paper for which this was research.

Well, today I learned that an important thing for airline cybersecurity is that a cyber-threat tipline needs to be available.

I was looking at airport websites as research and discovered a SQL injection into an upcoming-flights database. Upon verifying and documenting the vulnerability, I went looking for a contact that I should send my report to, and the only thing I could find was a minor TSA contact email. I ended up on the phone with a low-level police information desk person and sent the report to both him and the TSA email, hoping it finds its way to the people that need the report.

The police information desk was definitely not the best person to be talking to, and I had to backpedal and re-explain that I was a cybersecurity student after he asked, in a very accusing tone, "Are you a hacker?" Does he regularly have black hats calling him to report vulnerabilities? It was an Airport Police (Information / Assistance) number available on the state aviation administration contact page. I tried.

I don't have much faith in the TSA email either as I got back an auto generated response that implied that most of their incoming email is about what can and can't be carried onto a plane.

Matthew


Update: The airport in question has replaced the page in question, so this vulnerability has been corrected.

Wednesday, October 24, 2012

E-Government: Why you shouldn't go into the DMV

Topic - E-government comes at a cost. Is there a trade-off that occurs between the security of federal systems and the cost savings from reduced paperwork?

E-government provides significant convenience to both civil servants as well as to the citizens. The employees can automate tasks and process other requests asynchronously, while citizens can submit forms and look up information from the comfort of their home. A few months ago I had to update my address with the Maryland MVA. This involved driving 30 minutes to the MVA office and waiting in their queue for three hours before meeting with the clerk. I cannot overstate how irritated this stressful day left me. Looking into the e-government offerings of the MVA, I see that they have a no-charge process for processing a change of address online. (Frequently Asked Questions, 2012) Rather than coordinating their schedule around travel, waiting, and MVA hours, a citizen can just fill out an online form and have a Change-of-Address mailed to them when a clerk gets around to it.

Convenience like the MVA online services comes at a significant price, one that all e-government offerings face. Defense must be posted 24 hours a day, every day. Offices are closed for most of every day and are protected by being closed up in secure buildings. Online systems can be accessed at any time, so they must be monitored at every time. Frequently, public sector agencies and offices “must address security concerns in the face of deep budget cuts, staff shortages and legacy information systems.” (Lifting the Security Burden, 2012) Attempting to maintain the requisite security can be extremely difficult when faced with the budget realities of recession and reduced taxes.


Frequently Asked Questions (October 4, 2012). Motor Vehicle Administration. Retrieved from: http://www.mva.maryland.gov/About-MVA/FAQ/default.htm

Lifting the Security Burden. (2012). Government Technology, 25(1), 49. Retrieved from http://media2.govtech.com/documents/CDG11+BRIEF+Dell_Insert2pg-1.pdf

Cyberspace and Cybersecurity: Archive Post C

As of the start of this blog, I am in my second course for my Masters of Science in Cybersecurity. This is an archived posting from the first course.

Topic – LAN Security Policy Function
Select one and only one security policy function related to LANs and provide more detail.

From March 30, 2012.

Drawing from Vacca's list of critical functions of a good security policy, I will discuss the value and details of appointing "a security administrator who is conversant with users' demands and on a continual basis is prepared to accommodate the user community's needs" (2009, p. 152).

An easy-to-overlook but vitally important phrase in there is "a security administrator", singular. The idea of a single point of failure may seem repulsive, and having a backup contingency in place is a good idea, but having a single point of security configuration minimizes the chances of multiple changes invalidating each other's security. Having just one administrator guarantees that the entire security administrative team is always kept up to date on changes and incidents of note.

Familiarity with users' demands is absolutely vital for the administrator, because a failure to address users' demands (not necessarily comply with them, but at least address them) will result in users attempting to enact what they feel is needed themselves. If users do not have it explained to them why their demands cannot be met, then the actions they take will cause security or stability issues. For instance, when users demand access to streaming media even though policy denies it, if the administrator doesn't address that demand and explain that streaming media is banned due to stability concerns about the enormous amount of bandwidth it uses, then the users avoid the block on YouTube with a proxy and strain the availability of the network through their bandwidth consumption.

The security administrator needs to be constantly prepared to accommodate the user community's needs, because those needs could be indicative of a network incident. When a user contacts the help desk "with a complaint about his or her computer, the network, or an Internet connection, the user’s problem may turn out to be related to a bigger problem, such as a hacker, denial-of-service attack, or a virus" (Whitman & Mattord, 2010).


Whitman, M. E., Mattord, H. J. (2010). Management of Information Security. Retrieved from www.sis.pitt.edu/~jjoshi/IS2820/Spring06/chapter05.doc

Vacca, J. R. (2009). Computer and Information Security Handbook. Burlington, MA: Morgan Kaufmann.

Cyberspace and Cybersecurity: Archive Post B

As of the start of this blog, I am in my second course for my Masters of Science in Cybersecurity. This is an archived posting from the first course.

Topic – Network Tools
Select one network monitoring tool mentioned in the module (Nmap, Nessus, etc.) and provide more information about it. It is permissible to also discuss a tool that was not mentioned in the module.

From March 30, 2012.

The network monitoring tool I recently found out about is the Microsoft Network Monitor. From the relevant MSDN page, "Microsoft Network Monitor is a tool for viewing the contents of network packets that are being sent and received over a live network connection or from a previously captured data file. It provides filtering options for complex analysis of network data" (2012). From my experience, it is basically a closed-source version of Wireshark published by Microsoft. It has one extremely interesting feature, and that is the ability to put wireless cards into promiscuous mode with the proprietary Windows drivers. This is a feature I have searched literally for months for and was unable to find. Most everything you can find about promiscuous wireless packet capture is using Linux, but with Microsoft Network Monitor you can perform it in Windows with the default drivers.

I was shocked to find an official, free tool from Microsoft that will put your wireless card into promiscuous mode, capture the traffic, and parse it for you. As Vacca points out, promiscuous mode is useful as a troubleshooting tool, but "it is also a mechanism that can be easily abused by anyone motivated to enable promiscuous mode" (2009, p. 102).


MSDN. (2012) Network Monitor and Parsers. Retrieved from http://msdn.microsoft.com/en-us/openspecifications/cc816059

Vacca, J. R. (2009). Computer and Information Security Handbook. Burlington, MA: Morgan Kaufmann.

Tuesday, October 23, 2012

Cyberspace and Cybersecurity: Archive Post A

As of the start of this blog, I am in my second course for my Masters of Science in Cybersecurity. This is an archived posting from the first course.

Topic - Operating Systems and Access Control
Discuss one aspect of access control (e.g., file access rights, privileges, ACL, etc.) in ensuring operating system security.

From March 23, 2012.

According to Vacca, access control lists (ACLs) control access to certain resources and can be used for both physical and electronic access. "Implementing ACLs prevents end users from being able to access sensitive company information and helps them perform the jobs better by not giving them access to information that can act as a distraction" (Vacca, 2009, p. 257).

The Microsoft Windows operating systems use ACLs to protect securable objects such as files, directories, and registry keys. An ACL is a list of access control entries (ACEs), each of which identifies a trustee "and specifies the access rights allowed, denied, or audited for that trustee" (Microsoft, 2012). Windows actually keeps two separate lists per object, a discretionary access control list (DACL) and a system access control list (SACL). The first controls who accesses an object and the second logs attempts to access the object. (Microsoft, 2012)

Whenever access to a securable object is attempted, the process accessing it is compared against the ACEs in the DACL. If there is no DACL associated with the object, everyone is granted access. When there is a DACL with no entries, everyone is denied access. Otherwise, the process is granted access if and only if there is no ACE denying it access and there is an ACE granting it.

The ACEs of the SACL for the object "specifies the types of access attempts by a specified trustee that cause the system to generate a record in the security event log. An ACE in a SACL can generate audit records when an access attempt fails, when it succeeds, or both" (Microsoft, 2012).
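The DACL and SACL rules in the three paragraphs above, modelled in Python as an added example (not code from Microsoft's documentation or from the original post). The right flags, trustee names and the payroll.xlsx object are constructed; real Windows evaluation also depends on ACE ordering and access-mask mapping, which this model leaves out.

```python
"""Simplified model of Windows DACL/SACL evaluation (constructed example)."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Access-right bit flags, constructed for this example (real Windows access
# masks use different bit positions).
READ, WRITE, DELETE = 0x1, 0x2, 0x4


@dataclass
class ACE:
    """One access control entry: a trustee and the rights it allows, denies or audits."""
    trustee: str
    kind: str                 # "allow" or "deny" in a DACL, "audit" in a SACL
    rights: int
    on_success: bool = False  # audit ACEs only: record successful attempts
    on_failure: bool = False  # audit ACEs only: record failed attempts


@dataclass
class SecurableObject:
    name: str
    dacl: Optional[List[ACE]]               # None = no DACL, [] = empty DACL
    sacl: List[ACE] = field(default_factory=list)


def check_access(obj: SecurableObject, principals: Set[str], requested: int) -> bool:
    """Evaluate the DACL as the post describes it.

    No DACL at all: everyone is granted.  A DACL with no entries: everyone is
    denied.  Otherwise access is granted only if no matching ACE denies any
    requested right and the matching allow ACEs together cover every requested right.
    """
    if obj.dacl is None:
        return True
    if len(obj.dacl) == 0:
        return False
    granted = 0
    for ace in obj.dacl:
        if ace.trustee not in principals:
            continue  # ACE is for a different user or group
        if ace.kind == "deny" and ace.rights & requested:
            return False  # any applicable deny wins
        if ace.kind == "allow":
            granted |= ace.rights
    return (requested & granted) == requested


def audit_records(obj: SecurableObject, principals: Set[str], requested: int,
                  succeeded: bool) -> List[str]:
    """Return the security-log records the SACL would generate for one attempt."""
    records = []
    for ace in obj.sacl:
        if ace.kind != "audit" or ace.trustee not in principals:
            continue
        if not (ace.rights & requested):
            continue  # this ACE does not audit the requested rights
        if (succeeded and ace.on_success) or (not succeeded and ace.on_failure):
            outcome = "SUCCESS" if succeeded else "FAILURE"
            records.append(f"{outcome}: {sorted(principals)} requested 0x{requested:x} on {obj.name}")
    return records


def access_attempt(obj: SecurableObject, principals: Set[str],
                   requested: int) -> Tuple[bool, List[str]]:
    """Both lists are consulted: the DACL decides, the SACL logs."""
    ok = check_access(obj, principals, requested)
    return ok, audit_records(obj, principals, requested, ok)


# Constructed sample object: a payroll spreadsheet with a deny ACE listed first.
PAYROLL = SecurableObject(
    name="payroll.xlsx",
    dacl=[
        ACE("Contractors", "deny", WRITE | DELETE),
        ACE("Finance", "allow", READ | WRITE),
        ACE("Everyone", "allow", READ),
    ],
    sacl=[ACE("Everyone", "audit", WRITE | DELETE, on_success=True, on_failure=True)],
)
NO_DACL = SecurableObject(name="scratch.tmp", dacl=None)    # everyone gets in
EMPTY_DACL = SecurableObject(name="locked.bin", dacl=[])    # nobody gets in

if __name__ == "__main__":
    alice = {"alice", "Finance", "Everyone"}      # user SID plus group SIDs
    bob = {"bob", "Contractors", "Everyone"}
    for who, rights in ((alice, READ | WRITE), (bob, WRITE), (bob, READ)):
        print(access_attempt(PAYROLL, who, rights))
```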


Microsoft. (2012) Access Control Lists. Retrieved from http://msdn.microsoft.com/en-us/library/windows/desktop/aa374872%28v=vs.85%29.aspx

Vacca, J. R. (2009). Computer and Information Security Handbook. Burlington, MA: Morgan Kaufmann.

Cybercrime, extradition, and ... Julian Assange?

Topic - Cybercrime is a transnational issue that makes extradition exceedingly difficult. Using the Wikileaks case, discuss whether or not the breach of the U.S. classified network warrants the extradition and trial of Wikileaks' founder Julian Assange in the United States.

The transnational nature of more traditional cybercrime, like Chinese “economic cyber espionage” (McConnell et al., 2012) or Russian hackers (Capo, 2009), means that international boundaries are crossed, placing attackers and victims in entirely different jurisdictions. Even if the crime committed against the victim is also a crime in the locale of the attacker, and even if the involved law enforcement agencies are willing to work together, investigation, extradition, and prosecution may still stall due to political or diplomatic issues.

The WikiLeaks case is even murkier water, because the victim in this case, the United States Government, has been unable to decide whether Assange has actually committed a crime. There are solid arguments to be made justifying the actions of WikiLeaks as just another journalist publishing the information turned over by just another whistleblower, which is the stance Assange takes about himself. As of the end of 2010, the federal government had never attempted to prosecute a journalist, nor had a leak recipient ever been successfully convicted. (Savage, 2010)

Since it was a non-American organization run by a non-American merely publishing leaked information, I find it hard to believe that any crime under American jurisdiction could have occurred. How the information was leaked is a crime, and one that is currently being tried, but not against the recipient.


Capo. (December 29, 2009) Russian Mafia Linked To Hacking. Mafia Today. Retrieved 12 October 2012 from: http://mafiatoday.com/other-mafia-orgs/russian-mafia-linked-to-hacking/

McConnell, M., Chertoff, M. & Lynn, W. (January 27, 2012) China’s Cyber Thievery Is National Policy - And Must Be Challenged. The Wall Street Journal. Retrieved 5 October 2012 from: http://www.boozallen.com/media/file/WSJ-China-OpEd.pdf

Savage, C. (December 7, 2010). U.S. Prosecutors Study WikiLeaks Prosecution. The New York Times. Retrieved 12 October 2012 from: http://www.nytimes.com/2010/12/08/world/08leak.html

Monday, October 22, 2012

Webmail: Why you should block it

Topic - If you were writing a code of ethics, what would be the most important practices to include in your company's acceptable use policy, internet use policy, or acceptable conduct policy?

As a cybersecurity-focused professional, my primary objective for the code of ethics is to prevent intrusions into my network and guard the intellectual property which resides on it. Drive-by downloads, phishing, and random, dirty pieces of software downloaded by employees are all dangerous, but the real danger to the network lies with targeted attacks. Insiders and spear phishing are the threats that require the most focused coverage in the drafted policies.

From the class module, I extracted basics of each policy to attempt to address each one correctly. The Acceptable Use Policy consists of enumerating unacceptable uses of the information systems and network. The Internet Use Policy sets out constraints on the allowable motivation behind web use to limit it to official business use only as well as prohibiting, in broad descriptions, uses which can expose private information, endanger the network, or violate copyright laws. (University of Maryland University College, 2012)

Targeted network attacks can be mitigated through carefully drafting, implementing, and enforcing these policies. The most important rule in the Acceptable Use Policy is that email is to be used primarily for text-based communication and scheduling. Because documents will inevitably need to be emailed, enforcement will not mean strictly restricting emails to text and scheduling. Targeted attacks often involve email attachments which are malware or infected documents containing malware. (Schwartz, 2011) To address this, the Acceptable Use Policy will be enforced by quarantining and reviewing all email attachments. A dropbox system will be used for internal file transfers, so the attachment policy will apply even to internal emails.

Also aimed at email, the most important feature of my Internet Use Policy would be forbidding personal internet use, especially and primarily webmail. Since the employees will have their company email address, there is no need to allow access to personal webmail. Such sites will be blocked by policy and enforced through a DNS blacklist. This helps protect against both insiders and malware sending out intellectual property through encrypted webmail.

I felt as though this week's posts were really weak, but they scored very well. Here is the first one.


Schwartz, M. J. (June 08, 2011) Spear Phishing Attacks On The Rise. InformationWeek. Retrieved 12 October 2012 from http://www.informationweek.com/security/attacks/spear-phishing-attacks-on-the-rise/230500025

University of Maryland University College, N. A. (2012). Cyber Ethics: Csec 620, module 2. Informally published manuscript, Retrieved 12 October 2012 from http://tychousa11.umuc.edu/cgi-bin/id/FlashSubmit/fs_link.pl?class=1209:CSEC620:9083&fs_project_id=344&xload&tmpl=CSECfixed&moduleSelected=csec620_02

Saturday, October 20, 2012

Cyberspace and Cybersecurity: Archive Post 9

As of the start of this blog, I am in my second course for my Masters of Science in Cybersecurity. This is an archived posting from the first course.

Topic - Virtual Machine Security
Discuss one significant issue associated with virtual machine technology and identify appropriate countermeasures.
From March 23, 2012.

Virtual machines are useful for security researchers because they enable malware analysis in several ways: easy reverting to a known (ideally known-good) state via snapshots, the ability to run malicious code (usually) without putting a physical system at risk, and easy kernel debugging. Unfortunately, malware authors have identified these advantages and have begun performing virtualization detection and executing alternative code paths when virtualized, or even attempting to "escape the context of the virtual machine and attack the host system or at least glean information from it" (Vacca, 2009, p. 699).

Liston and Skoudis claim that the leading method of VMware detection is looking for the communications channel used between the guest and host operating systems. Since this is, they claim, the "most widely deployed means of detecting virtual machines", they have researched thwarting it. (Liston & Skoudis, 2006) Their research had yielded, as of its writing in 2006, "essentially a high speed search-and-replace tool that is designed to find the fixed “VMXh” magic value used to access the VMware communication channel and change it to a user-specified alternate value" (Liston & Skoudis, 2006). Unfortunately, since VMware disk images are huge and a given DWORD is small, there are false positives, and modifying those is disastrous to successful execution. At the time of writing, "the best [they]’ve been able to do is to coax a VM into booting ... but with severely limited functionality (i.e. no keyboard, no mouse)" (Liston & Skoudis, 2006).

Overall, VM detection is easy and thwarting it reliably is hard. According to Vacca, some administrators have instead begun setting flags on real systems to convince malware that the machine is a VM, so that malware which hides its behavior in VMs will not attack. (Vacca, 2009, p. 699)


Liston, T., Skoudis, E. (2006) On the Cutting Edge: Thwarting Virtual Machine Detection. Retrieved from http://handlers.sans.org/tliston/ThwartingVMDetection_Liston_Skoudis.pdf

Vacca, J. R. (2009). Computer and Information Security Handbook. Burlington, MA: Morgan Kaufmann.

Friday, October 19, 2012

Think like a Hacker

As of the start of this blog, I am in my second course for my Masters of Science in Cybersecurity. This is an archived posting from the first course.

Topic – Think like a Hacker
Select an e-business. Thinking like a hacker, describe a hypothetical scenario on how you would go about breaking into their system and acquiring assets.
Next, describe how the attack could have been prevented.
From March 16, 2012.

I enjoy music, especially when I can get it cheap, like from iTunes or the Amazon Cloud.

First, I will select a busy area with free wi-fi, like a Starbucks at lunch time. (Starbucks, 2011) Next, use a tool like Arpspoof to establish a man-in-the-middle session with each user attached to the network by pretending to be the network gateway. (Arpspoof) I monitor traffic for email addresses, especially email addresses used as logins and the associated password. Any email addresses I get will be sent phishing emails with attached document exploits to install keyloggers that call back to a server I have set up. Any email/password pairs will be used to attempt to log into various services. I will use a script to test the pair against numerous social networking sites like Facebook, MySpace, LinkedIn and others. Successful access will be used to spread my keyloggers. I will continue this pattern until I net an email/password pair that successfully logs into either iTunes or the Amazon Cloud. Once successful, I will use the access to download all the purchased music on the account. If there is an outstanding balance on the account, I will buy digital goods with it and download that too. All direct access to the victim business will be performed through a proxy, probably one of the machines I am keylogging.

This type of attacker would be considered a "script kiddy" as it requires little to no direct technical knowledge and can just use tools downloaded off the internet. (Vacca, 2009, p. 296) It can easily be protected against by not utilizing unsecured wireless networks, especially public ones, and by not reusing passwords. It can be protected against, somewhat, by the victim company by not using email addresses as the user name, which both Amazon and iTunes do. Anything further the company could do to protect against this will interfere with the ease of use of the site, which makes users less likely to choose their service.


Arpspoof. Retrieved from http://arpspoof.sourceforge.net/

Starbucks. (2011) Wi-Fi(United States) Retrieved from http://www.starbucks.com/coffeehouse/wireless-internet

Vacca, J. R. (2009). Computer and Information Security Handbook. Burlington, MA: Morgan Kaufmann.

Think like an Industrial Spy

As of the start of this blog, I am in my second course for my Masters of Science in Cybersecurity. This is an archived posting from the first course.

Topic – Think like an Industrial Spy
Select a company. Thinking like an industrial spy, describe a hypothetical scenario on how you would go about attacking their system and acquiring intellectual property.
Next, describe how the attack could have been prevented.
From March 15, 2012.

Wanting to steal intellectual property, I would search for a high-gain, low-effort target. Small businesses which do R&D seem like good targets to meet these criteria, since their business model relies on developing intellectual property yet they do not have the employees or likely the budget to perform extensive cybersecurity. To select my target, I read about the Small Business Innovation Research (SBIR) Program, which provides grants from the Small Business Administration to companies that meet the following criteria: American-owned and independently operated, for-profit, principal researcher employed by the business, company size limited to 500 employees. Their criteria for giving grants line up perfectly with my criteria for targets, and their list of recipients is public record. (SBA)

I was able to find a list of FY2011 recipients of the SBIR awards from the Environmental Protection Agency with a breakdown of recipients by environmental category of research. I decided to select a company whose category of research was Homeland Security, and so I selected Operational Technologies Corporation of San Antonio, Texas. (EPA, 2012)

To collect intellectual property, I need access to their network. The first step after choosing the company is some minor reconnaissance, that is, checking over their website. There is a Contact Us page with direct email addresses and names for three employees as well as an info email. The direct personal contacts will be the best for a well-crafted phish, but the info email has the benefit of having a very small chance of being opened outside of the company network. (OTCorp, 2008)

To gain my actual access I will use Metasploit to craft malicious doc and pdf files containing Poison Ivy RAT payloads. (Vacca, 2009, p. 55) Once the documents are opened on a vulnerable computer, the remote administration tool is dropped and executed and it calls back to the server I set up. Once that connection is established, I can browse the internal network at my leisure using the full control of the target system that Poison Ivy gives me. (Codius, 2007)

This attack could have been prevented by intensive scanning of emailed documents and also by using hard-to-target workstations. The exploits I would be using target Microsoft Office and Adobe Reader on Windows. If alternative software like Foxit Reader and OpenOffice were used, then the exploits would fail to land. Likewise, Linux or Mac workstations would prevent the attack too.


Codius. (2007) Poison Ivy Remote Administration Tool. Retrieved from http://www.poisonivy-rat.com/index.php?link=dev

EPA. (2012) Small Business Innovative Research: FY11 Awards: Full List. Retrieved from http://cfpub.epa.gov/ncer_abstracts/index.cfm/fuseaction/outlinks.sbir/fullList/Yes/showYear/current

OTCorp. (2008) Contact Us. Retrieved from http://www.otcorp.com/home/index.php?option=com_content&task=view&id=19&Itemid=34

SBA. Small Business Innovation Research Program. Retrieved from http://www.sba.gov/content/small-business-innovation-research-program-sbir-0

Vacca, J. R. (2009). Computer and Information Security Handbook. Burlington, MA: Morgan Kaufmann.

Thursday, October 18, 2012

Thinking like a criminal...

Tonight I will be publishing two archive posts from my previous course: Think like an Industrial Spy and Think like a Hacker.

I am very proud of how these posts turned out, but they are well-thought-out briefs on engaging in cyber crime. A small part of me is leery of posting them publicly unredacted, but I will be. The bigger part of me keeps remembering that those likely to perform a crime like the ones I describe are also as likely to already know what I posted about.

The people that my posts will be most interesting to are the ignorant innocents who are likely to be the targets. The table below will contain direct links to both posts. Enjoy!

Thinking like a criminal...
Think like an Industrial Spy
Think like a Hacker

Tuesday, October 16, 2012

Cyberspace and Cybersecurity: Archive Post 6

As of the start of this blog, I am in my second course for my Masters of Science in Cybersecurity. This is an archived posting from the first course.

Topic - Effective Security Awareness and Training Program
Discuss an important factor which would ensure an effective security awareness and training program.
From March 2, 2012

An important factor in ensuring an effective security awareness and training program is fostering an environment where users feel they have a stake in the security situation of the company. If lost productivity is the only risk, then the average office worker will not see any danger in checking their webmail and file swapping on P2P sites while on work computers. These high-risk activities pose significant security dangers, but that danger may be overlooked by everyone except the system administrators. Vacca, on page 13, suggests that "perhaps the most direct way to gain employee support is to let employees know that the money needed to respond to attacks and fix problems initiated by users is money that is then not available for raises and promotions" (Vacca, 2009). A further suggestion is to present the computer security policies and advice in a way that reminds employees that the same advice and habits can be used to secure their home systems and information.

Mark Wilson and Joan Hash at the National Institute of Standards and Technology also caution that "an organization’s IT security awareness and training program can quickly become obsolete if sufficient attention is not paid to technology advancements" (Wilson and Hash). If users see that the IT policies and training are becoming obsolete, or even just seem to be, then they will put less effort into sticking to the advice and policies. The appearance of being lackadaisical about keeping up with technology suggests to the trainees that they don't need to take the training seriously either.


Vacca, J. R. (2009). Computer and Information Security Handbook. Burlington, MA: Morgan Kaufmann.

Wilson, M. and Hash, J. Information Technology Security Awareness, Training, Education, and Certification. Retrieved from http://www.itl.nist.gov/lab/bulletns/bltnoct03.htm

Cyberspace and Cybersecurity: Archive Post 5

As of the start of this blog, I am in my second course for my Masters of Science in Cybersecurity. This is an archived posting from the first course.

Topic - Encryption Algorithm
Describe one encryption algorithm.
From March 2, 2012.

Rivest Cipher 4

RC4 is a lightweight encryption algorithm that can easily be implemented in any programming language. It is a symmetric cipher, which means that encryption and decryption are the same function and use the same key. As a stream cipher, RC4 can encrypt plaintext of any length without padding out to a block size; ciphertext is created by adding the keystream and plaintext bitwise modulo two, commonly known as XOR. "It is a variable key-size stream cipher with byte-oriented operations. The algorithm is based on the use of a random permutation. Analysis shows that the period of the cipher is overwhelmingly likely to be greater than 10^100" (What is RC4?).

RC4 was used as the first wireless networking encryption in the Wireless Equivalent Privacy standard by IEEE 802.11. (Vacca, 2009, p. 172) Despite the algorithm itself being fairly secure, the implementation used in WEP uses a fixed shared key, derived from the access point password, together with an Initialization Vector (IV) to generate the keystream. Since all packets use the same shared key, the only variation seeding the keystream comes from the IV, which is only 24 bits. Borisov et al. at Berkeley studied the security provided by WEP and summarized the weakness caused by the small IV well: "Such a small space of initialization vectors guarantees the reuse of the same key stream. A busy access point, which constantly sends 1500 byte packets at 11Mbps, will exhaust the space of IVs after 1500*8/(11*10^6)*2^24 = ~18000 seconds, or 5 hours" (Borisov et al.).
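RC4's key scheduling and keystream generation, and the WEP keystream-reuse problem quoted above, as an added example written for this post (not the author's code or RSA's). The shared key, IV and frame contents are constructed; wep_packet_key follows WEP's construction of seeding RC4 with the 24-bit IV placed in front of the fixed shared key, and iv_exhaustion_seconds carries through the Borisov et al. arithmetic.

```python
"""RC4 (KSA + PRGA) and the WEP keystream-reuse weakness (constructed example)."""


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key`."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    # Key-scheduling algorithm (KSA): permute S = 0..255 under the key.
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm (PRGA): walk the permutation.
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: XOR with the keystream is its own inverse."""
    return bytes(d ^ k for d, k in zip(data, rc4_keystream(key, len(data))))


def wep_packet_key(iv: bytes, shared_key: bytes) -> bytes:
    """WEP seeds RC4 with the 24-bit IV concatenated in front of the fixed shared key."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    return iv + shared_key


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_reuse_exposes_xor(iv: bytes, shared_key: bytes, p1: bytes, p2: bytes) -> bool:
    """Two frames sent under the same IV and shared key get the same keystream, so
    XORing their ciphertexts cancels the keystream and leaves p1 XOR p2; an
    eavesdropper obtains that relation without ever learning the key."""
    key = wep_packet_key(iv, shared_key)
    c1, c2 = rc4_crypt(key, p1), rc4_crypt(key, p2)
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


def iv_exhaustion_seconds(packet_bytes: int = 1500, bits_per_second: int = 11_000_000,
                          iv_bits: int = 24) -> float:
    """Borisov et al.'s estimate: seconds until a busy AP has used every IV once."""
    return packet_bytes * 8 / bits_per_second * 2 ** iv_bits


if __name__ == "__main__":
    # Constructed shared key and two frames that happen to reuse IV 00:00:01.
    print(keystream_reuse_exposes_xor(b"\x00\x00\x01", b"sharedkey",
                                      b"GET /index.html", b"POST /login.cgi"))
    print(round(iv_exhaustion_seconds()))  # about 18000 seconds, i.e. roughly 5 hours
```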


Borisov, N., Goldberg, I., & Wagner, D. Security of the WEP algorithm. Retrieved from http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html

Vacca, J. R. (2009). Computer and Information Security Handbook. Burlington, MA: Morgan Kaufmann.

What is RC4? Retrieved from https://www.rsa.com/rsalabs/node.asp?id=2250

Cyberspace and Cybersecurity: Archive Post 4

As of the start of this blog, I am in my second course for my Masters of Science in Cybersecurity. This is an archived posting from the first course.

Topic - Access Control Models
For each access control model (RBAC, DAC and MAC), describe the environment in which that model would work best. Provide examples.
From February 24, 2012.

Discretionary access control is useful in a shared-user environment like a Unix system to provide file permissions. “In DAC, generally the resource owner (a user) controls who has access to a resource” (IBM, 2012). This allows each user to share the files they wish to while still keeping others private.

Role-based access control works well where a system is shared amongst various groups but individual users do not need personal privacy. A timekeeping and point-of-sale system at a restaurant is a good example, like the one used at the Big Boy I worked at in high school. Access to clock in and out was provided to all employees, but the rest of the system was denied to the kitchen staff. Servers, hosts, and managers all had access to order submission, while only managers had access to remove orders and pull daily statistics.

Mandatory access control limits security definitions to a policy administrator. Security takes precedence over usability because the access-control model “attempt[s] to prevent transfer of information that is not allowed by the rules” (Goodrich & Tamassia, 2011). Trade secrets and national security information are good candidates for this type of access control because more harm can come from unauthorized access than from inconvenience in sharing between authorized parties.
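As an added illustration (not the post's own code), one decision function per model described above, using the restaurant roles from the RBAC example. The owner-controlled ACL for DAC and the Bell-LaPadula style no-read-up/no-write-down rules for MAC are my assumed concrete instances; the cited sources do not specify them, and all users and labels are constructed.

```python
"""Minimal decision functions for DAC, RBAC and MAC.
Added illustration with constructed users, roles and labels."""

from dataclasses import dataclass, field


# --- DAC: the resource owner decides who may do what --------------------
@dataclass
class DacResource:
    owner: str
    acl: dict = field(default_factory=dict)   # user -> set of permissions

    def grant(self, actor: str, user: str, perm: str) -> None:
        """Only the owner may change the ACL (Unix chmod-style ownership)."""
        if actor != self.owner:
            raise PermissionError(f"{actor} does not own this resource")
        self.acl.setdefault(user, set()).add(perm)

    def allowed(self, user: str, perm: str) -> bool:
        return user == self.owner or perm in self.acl.get(user, set())


# --- RBAC: permissions attach to roles, users are assigned roles --------
ROLE_PERMS = {
    "kitchen": {"clock"},
    "host":    {"clock", "submit_order"},
    "server":  {"clock", "submit_order"},
    "manager": {"clock", "submit_order", "void_order", "daily_stats"},
}
# Constructed staff roster.
USER_ROLES = {"pat": {"kitchen"}, "sam": {"server"}, "lee": {"manager"}}


def rbac_allowed(user: str, perm: str) -> bool:
    """A user may perform `perm` if any of their roles carries it."""
    return any(perm in ROLE_PERMS.get(r, set()) for r in USER_ROLES.get(user, ()))


# --- MAC: labels are fixed by the policy administrator, not by users ----
LEVELS = {"public": 0, "confidential": 1, "secret": 2}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Higher (or equal) level and a superset of the other's compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


def mac_allowed(subject: Label, obj: Label, op: str) -> bool:
    """Bell-LaPadula style rules: no read up, no write down. The subject
    cannot override these, which is what makes the control mandatory."""
    if op == "read":
        return subject.dominates(obj)
    if op == "write":
        return obj.dominates(subject)
    raise ValueError(f"unknown operation {op!r}")


if __name__ == "__main__":
    report = DacResource(owner="alice")
    report.grant("alice", "bob", "read")
    print("DAC  bob reads alice's file:", report.allowed("bob", "read"))
    print("RBAC kitchen staff voids order:", rbac_allowed("pat", "void_order"))
    print("MAC  public user reads secret:",
          mac_allowed(Label("public"), Label("secret"), "read"))
```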


Goodrich, M. T., & Tamassia R., (2011) Introduction to Computer Security. Boston, MA: Pearson

IBM (2012). Access control: MAC and DAC. Retrieved from http://publib.boulder.ibm.com/infocenter/lnxinfo/v3r0m0/index.jsp?topic=%2Fliaai%2Fselinux%2Fliaaiselinuxmacdac.htm

Sunday, October 14, 2012

Cyberspace and Cybersecurity: Archive Post 3

As of the start of this blog, I am in my second course for my Masters of Science in Cybersecurity. This is an archived posting from the first course.

Topic - Network Security Best Practices
Discuss the best practices for securing wired and/or wireless networks.
From February 24, 2012.

The best practice in securing a wired network is to properly identify and authenticate users, and the way to do so properly is through multi-factor authentication. The traditional factor used for authenticating users in most networks is a password or passcode, an instance of something that the user knows. Other factors that can be used are something that the user is, such as a biometric feature like a retinal image or fingerprint, and something that the user has, like a magnetic card or even a physical key. "Authentication methods that depend on more than one factor are more difficult to compromise than single-factor methods. Accordingly, properly designed and implemented multi factor authentication methods are more reliable and stronger fraud deterrents" (Wihenly, 2005, p. 3).

At present, a common and cost-effective method of implementing two-factor authentication remotely is a combination of a password and a "hardware token-generated random PIN" (Vacca, 2009, p. 139), which demonstrates possession of the token-generating hardware.

The hardware token PINs are used alongside the username and password combination to log into a secure system or VPN, with the user submitting the PIN shown on their token at the time of login. The server generates the appropriate PIN for that username and compares it to the submission to confirm that the user possesses the required token (RSA, 2010).

This method of two-factor authentication is only effective as long as the seed information for each token is kept secret. If an attacker is able to steal the seed information, they can generate the appropriate PIN the same way that the server does. An example of this was demonstrated when the spoils of an intrusion against RSA were used to compromise Lockheed Martin (Drew & Markoff, 2011).


Wihenly. (2005). Authentication in an Internet Banking Environment. Retrieved from http://www.ffiec.gov/pdf/authentication_guidance.pdf

Vacca, J. R. (2009). Computer and information security handbook. Burlington, MA: Morgan Kaufmann.

RSA. (2010). RSA SecurID Two-factor Authentication. Retrieved from https://www.rsa.com/products/securid/sb/10695_SIDTFA_SB_0210.pdf

Drew, C. & Markoff, J. (2011) Data Breach at Security Firm Linked to Attack on Lockheed. Retrieved from https://www.nytimes.com/2011/05/28/business/28hack.html?_r=1

Saturday, October 13, 2012

Cyberspace and Cybersecurity: Archive Post 2

As of the start of this blog, I am in my second course for my Masters of Science in Cybersecurity. This is an archived posting from the first course.

Topic – Cyber Security Issues related to Outsourcing IT Services
Discuss the cyber security issues associated with outsourcing IT services and how can they be addressed.

From January 27, 2012

When outsourcing IT services, a company is placing access to its network, its intellectual property, or both into the hands of another company. That other entity's primary objective becomes holding onto the contract. All other priorities, be it service quality, data protection, or any other facet of business, are viewed from the perspective of that objective. The secondary objective is protecting the contractor's image with regard to how it will affect the establishment of future contracts. Thus, the defense of the outsourcing company's IP or network will be funded only as far as it takes to defend the contractor's own image, and companies that are outsourced to create a weak spot in the security posture of the outsourcing entity. An example of this is the low-sophistication attacker Anonymous stealing .mil email addresses and passwords not from DOD but from a company it outsourced to, Booz Allen Hamilton (CBSNews).

The reason that companies without an intrinsic interest in protecting information do not do a good job of protecting it is summed up quite well by Vacca on page 5: “For most organizations, the cost of creating a strong security posture is seen as a necessary evil, similar to purchasing insurance. Organizations don't want to spend the money on it, but the risks of not making the purchase outweigh the costs.” When the data at risk isn't their own, the risks fail to outweigh the cost, so long as enough is spent to support the image of a strong security posture. After all, at the end of the day the contractor wins if it still has the contract, but the original company only wins if its network or data is still safe.


Vacca, J. R. (2009). Computer and information security handbook. Burlington, MA: Morgan Kaufmann.

CBSNews (July 11, 2011). Anonymous at it again: Defense contractor hacked. Retrieved from: http://www.cbsnews.com/stories/2011/07/11/scitech/main20078614.shtml

Friday, October 12, 2012

Cyberspace and Cybersecurity: Archive Post 1

As of the start of this blog, I am in my second course for my Masters of Science in Cybersecurity. This is an archived posting from the first course.
In this reposting I have noticed citation errors, which have been left intact.

Topic – Vulnerabilities of Hardware and Software Components: Pick one specific hardware or software component and thoroughly discuss its cyber security vulnerabilities.
From January 27, 2012

A hybrid hardware/software component of particular interest to cyber security is the network stack, the operating system's implementation of the OSI model. The layered nature of the OSI model provides abstraction such that each layer can operate without concern for how or what is occurring at lower levels. This setup is highly convenient for developers because they can interface with the logical constructs of sockets, ports, and sessions transparently. The vulnerability this poses is that each level is entirely at the mercy of every lower level. TCP and UDP socket communication at the session level rides on IP packets at the transport level for both IPv4 and IPv6. Thanks to the layered networking that implements the OSI model in the network stack, the socket communication gets to its destination with no knowledge of what path it took to get there (Ruh).

Within a single LAN, both IPv4 and IPv6 addresses are cached on a system along with the associated MAC address so that the network stack can properly wrap the transport layer payload in a data link layer header. Each protocol has its own method for resolving a protocol address to a MAC address, which is used to populate the cache. IPv4 uses the Address Resolution Protocol, hereafter referred to as ARP (RFC826), and IPv6 uses Neighbor Discovery (RFC4861); both boil down to the same exchange: a host that needs to resolve an address asks all the systems in the LAN which system uses that address. The appropriate host then responds, essentially saying 'I have that address.' The first system records the protocol address and associated MAC address in its cache and transmits the packets it was waiting to send. Until the cache entry expires, the system will save time by sending future packets destined for that same protocol address directly to the MAC from the cache. For simplicity only IPv4 will be discussed from this point on, though the basic principles all apply to IPv6. The whole exchange is based on an assumption of trust in the network, as most network stacks will record any ARP response directly into the cache, even if the current entry is still valid.

This method of address resolution and caching creates a vulnerability: if a rogue host, 'Eve', sends an ARP response to a third host, 'Bob', claiming to have an IP address that belongs to another host, 'Alice', then Bob will update his cache. As long as the cache entry is valid, Bob will send all traffic intended for Alice to Eve. If Eve is performing IP forwarding, she will send the traffic on to Alice. Since this all occurs at the data-link and transport layers, Alice's and Bob's applications using sockets will function properly without ever knowing that Eve was receiving the traffic too. If Eve is also sending spoofed ARP responses to Alice, then all traffic will pass through Eve, allowing that system to view, save, or even change the packets, completely transparently to the applications being run by Alice or Bob (King).
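A monitor for exactly the condition the two paragraphs above describe, as an added example (not code from the post or the cited papers): it parses RFC 826 ARP bodies and raises an alert when a reply would change the MAC for an IP whose cache entry is still valid, the reply most stacks accept silently. The hosts, addresses and frames are constructed for the demo.

```python
"""Parse raw RFC 826 ARP bodies and flag replies that would overwrite a
still-valid cache entry with a different MAC. Added example; sample frames
are constructed, nothing is sent or received."""

import struct
from dataclasses import dataclass

ARP_REQUEST, ARP_REPLY = 1, 2
# htype, ptype, hlen, plen, oper, sender MAC, sender IP, target MAC, target IP
ARP_FMT = ">HHBBH6s4s6s4s"
ARP_LEN = struct.calcsize(ARP_FMT)          # 28 bytes for Ethernet/IPv4


@dataclass(frozen=True)
class ArpPacket:
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def parse_arp(payload: bytes) -> ArpPacket:
    """Decode the Ethernet/IPv4 ARP body that follows the Ethernet header."""
    if len(payload) < ARP_LEN:
        raise ValueError("truncated ARP packet")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        ARP_FMT, payload[:ARP_LEN])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return ArpPacket(oper, sha.hex(":"), ".".join(map(str, spa)),
                     tha.hex(":"), ".".join(map(str, tpa)))


def build_arp(opcode: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str) -> bytes:
    """Encode a body in the same format; used here only to construct test traffic."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(o) for o in s.split("."))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, opcode,
                       mac(sender_mac), ip(sender_ip), mac(target_mac), ip(target_ip))


class ArpCacheMonitor:
    """Track IP -> (MAC, expiry) the way a host cache does, and record an
    alert whenever a reply changes the MAC before the existing entry expires."""

    def __init__(self, ttl_seconds: int = 60):
        self.ttl = ttl_seconds
        self.cache = {}
        self.alerts = []

    def observe(self, payload: bytes, now: float) -> ArpPacket:
        pkt = parse_arp(payload)
        if pkt.opcode != ARP_REPLY:
            return pkt
        entry = self.cache.get(pkt.sender_ip)
        if entry and entry[1] > now and entry[0] != pkt.sender_mac:
            self.alerts.append(f"{pkt.sender_ip} moved {entry[0]} -> "
                               f"{pkt.sender_mac} while cache entry still valid")
        # Mirror the permissive stack behaviour the post describes: accept anyway.
        self.cache[pkt.sender_ip] = (pkt.sender_mac, now + self.ttl)
        return pkt


if __name__ == "__main__":
    # Constructed LAN: Alice 10.0.0.2 (aa:..), Bob 10.0.0.3 (bb:..), Eve (ee:..).
    alice, bob, eve = "aa:aa:aa:aa:aa:aa", "bb:bb:bb:bb:bb:bb", "ee:ee:ee:ee:ee:ee"
    mon = ArpCacheMonitor(ttl_seconds=60)
    mon.observe(build_arp(ARP_REPLY, alice, "10.0.0.2", bob, "10.0.0.3"), now=0)
    mon.observe(build_arp(ARP_REPLY, eve, "10.0.0.2", bob, "10.0.0.3"), now=5)
    for line in mon.alerts:
        print("ALERT:", line)
```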


King, Tom (Aug 4, 2002). Packet Sniffing In a Switched Environment Retrieved 27 January 2012 from: https://www.sans.org/reading_room/whitepapers/networkdevs/packet-sniffing-switched-environment_244

Ruh, Larry (2009). Open Systems Interconnection Reference Model Retrieved 27 January 2012 from: http://polaris.umuc.edu/de/csi/OSI_model_2009/OSI_Model_2009.html

RFC4861 (September 2007). Neighbor Discovery for IP version 6 (IPv6) Retrieved 27 January 2012 from: https://tools.ietf.org/html/rfc4861

RFC826 (November 1982). An Ethernet Address Resolution Protocol Retrieved 27 January 2012 from: https://tools.ietf.org/html/rfc826

Analysis of Cybersecurity as a Public Good: US Government Implications: Conclusions

Private industry has been ineffective in addressing any of the hacker threats: criminal, activist, or sponsored. Washington shares a belief that new laws or regulations are necessary to remedy this. Leadership out of Washington is the only way to guarantee the requisite post-intrusion consumer protections.

This concludes the paper I submitted as my Individual Assignment 1, "Analysis of Cybersecurity as a Public Good: US Government Implications."

Analysis of Cybersecurity as a Public Good:
US Government Implications
Introduction
Workstation Cybersecurity a Public Good?
Data Security a Public Good?
Government as Trustee
Implementation Reliance back with Industry
Conclusions

Thursday, October 11, 2012

Analysis of Cybersecurity as a Public Good: US Government Implications: Implementation Reliance back with Industry

Because the servers, network backbones, and actual critical infrastructure are owned by private corporations, the final implementation of any statutes or regulations will be carried out by the owners involved. This will potentially result in inconsistent implementations across different entities’ holdings. Compared to the stipulated requirements, the inconsistent implementations will fall into three categories: noncompliance, minimal compliance, and extra compliance.

The most significant risk to national security will come from locations that choose to remain in noncompliance with the future laws and regulations. This group will probably start small and shrink quickly because of the danger of remaining the soft target, plus the threat of governmental punishment. The primary reason for not remaining in this group, though, will be that once it begins to be published who is in noncompliance, those companies will be elevated to prime targets for cyber spies and thieves. Lewis claims that “the primary damage to U.S. national security and economic strength from poor cybersecurity comes from the theft of intellectual property and the loss of advanced commercial and military technology to foreign competitors.” Those few identified as noncompliant will have their intellectual property copied completely as all the adversaries target them (Lewis, 2009).

Since the present cybersecurity actors will surely lobby heavily on any cybersecurity law or regulation, it is unlikely that the legal minimum will be much higher than the current status quo, so the companies that barely become compliant will continue to be targets of cybertheft. At best we can hope for a slowing of the “economic cyber espionage” (McConnell et al., 2012) by foreign actors.

Companies that work to become more than compliant are where we will see a real gain in national security. They will be the ones quick to call CERT and the FBI when they think they have been breached. They will be configuring their workstations to meet NSA recommendations. Hopefully they will be intercepting and analyzing every email coming into their networks.


Lewis, J. A. (March 2009). Innovation and Cyberspace Regulation. Center for Strategic and International Studies.

McConnell, M., Chertoff, M. & Lynn, W. (January 27, 2012) China’s Cyber Thievery Is National Policy - And Must Be Challenged. The Wall Street Journal. Retrieved 5 October 2012 from: http://www.boozallen.com/media/file/WSJ-China-OpEd.pdf

Analysis of Cybersecurity as a Public Good: US Government Implications: Government as Trustee

The Federal Government has recognized the potential danger of cyber threats since 1998, when President Clinton announced via Presidential Decision Directive 63 that he wanted to close up vulnerabilities in the nation’s growing cyber infrastructure. Presidential attention to the issue has since continued through both Bush administrations and into the current Obama term (Heilbrun & Brown, 2011).

In 2011, the Administration presented a legislative proposal to encourage the adoption of several significant cybersecurity changes which would have impacted several portions of the country’s economy. A significant one that follows up on the sections above was to create a federal standard for National Data Breach Reporting after breaches that accessed customers’ personal data. It would have been a change from 47 states having separate breach reporting laws (Heilbrun & Brown, 2011). The Obama proposal would have strengthened the current laws that affect cybercrime. Proposed changes included requiring a minimum sentence for knowingly attempting to damage critical infrastructure. It, and multiple bills started in the houses of Congress, would have allowed for a voluntary program where non-federal targets of cybercrime would be able to get federal assistance (Heilbrun & Brown, 2011).

Additionally, the legislative proposal would have established a system to identify and protect critical infrastructure. The Department of Homeland Security would have had authorization to monitor the operations and review their cybersecurity plans, ensuring that they addressed cybersecurity risks. Lastly, it would have streamlined the process for DHS to recruit and retain cybersecurity management, professionals, and fresh entries to the field (Heilbrun & Brown, 2011).

Government-mandated protection of data will probably be enacted through laws that follow the style of, or expand, the existing privacy data protection statutes. The existing laws focus directly on the protection of nonpublic personal information, in the form of the Financial Services Modernization Act of 1999 (commonly GLB), and individually identifiable health information, in the form of HIPAA from 1996 (Heilbrun & Brown, 2011).

Though currently GLB is regulated by the Securities and Exchange Commission and HIPAA is regulated by Health and Human Services, future data protection laws will probably be regulated by DHS. This prediction is consistent with current legislative attempts and with the discussed potential executive order to put cybersecurity policies in place if Congress doesn’t pass something (Heilbrun & Brown, 2011).

The drafting of cybersecurity legislation will need to be careful not to interfere with future innovation or security. The Digital Millennium Copyright Act of 1998 is an example of a law that can cause security issues. The analysis of software, hardware, and cryptographic devices and components includes reverse engineering to examine exactly what is happening under the hood. The prohibitions in the DMCA make a lot of people uncomfortable performing reverse engineering, including the students we would expect to grow into security researchers. If law-abiding citizens are not reverse engineering the products, they won’t find the flaws that the non-law-abiding vulnerability analysts do. Overall security is left weaker when the illicit analysis is significantly more advanced than the legal (Lewis, 2009).


Heilbrun, M. R., & Brown, I. (2011). Cybersecurity Policy and Legislation in the 112th Congress. Intellectual Property & Technology Law Journal, 23(12), 14-20.

Lewis, J. A. (March 2009). Innovation and Cyberspace Regulation. Center for Strategic and International Studies.

Wednesday, October 10, 2012

Analysis of Cybersecurity as a Public Good: US Government Implications: Workstation Cybersecurity a Public Good?

Is cybersecurity a public good? This is a premature moment to ask that question. First, what constitutes a public good must be identified before cybersecurity can be analyzed as one. Cowen applies two traits to public goods, specifically nonexcludability and nonrivalrous consumption. Nonexcludability is recognizable by the existence, and ease, of free riding: a service or good is provided in such a situation, medium, or style that it cannot be reasonably or realistically restricted to only those who pay for its enjoyment or utilization (Cowen, 2008).

For a very visible example of nonexcludability, and one close to my own heart, Cowen describes in detail the situation of a private entrepreneur considering a for-profit fireworks display. His illustration mirrors my own experience from this past July. On the military base I live near, a fireworks presentation was set up for the service members and the public that wanted to attend. Since there was no ‘fee’ being charged, the cost of admission was navigating the crowds and the terrible traffic upon exit. To avoid paying that admission cost, I instead took my family to a parking lot off the base from which we could still see the display. This allowed me to collect the same benefit that the paying attendees received while avoiding the cost: free riding (Cowen, 2008).

The classic example of a public good due to free riding is geographic defense. Protecting an area from invaders is an all-or-nothing proposition, regardless of how many of the inhabitants chip in toward the cost. Therefore history has produced two methods of handling this situation: feudalism, where the non-payers are beholden to the payer, and the public supplying the security as a shared cost. Modern, developed countries address this issue by relying on their governments to provide the security and pay for it through taxes (Cowen, 2008). The second trait of public goods is less visible but still important. Nonrivalrous consumption allows any consumer to consume the good without impacting the benefit to others. Geographic defense makes this readily apparent: if a space has been kept clear of invaders and a given number of people reside there, then those people will remain safe from invaders even if more friendly people move into the area (Cowen, 2008).

Since geographic defense is so readily a public good, it is tempting to naively extrapolate and include cybersecurity as a public good. I have previously written about the networking protocols detailed in RFCs 826 and 4861, which cover the protocols used for discovering and interacting with other workstations within a local area network (LAN). These protocols, as my paper described in great detail, require absolute adherence to the RFC specification, which leaves the integrity of the whole network segment at the mercy of any malicious actor. This 'compromise one, compromise all' nature does mean that defense of a LAN segment is most assuredly a public good (Molyett, 2012).

Does the public good nature of small-scale cybersecurity translate directly into nation-wide or even Internet-wide cybersecurity as a public good? I submit that the answer isn’t as easy and straightforward as one would like. To illustrate, allow me to describe the security of the Internet as it stands. Individual workstations and secure data servers tend to be clustered into LANs which are secured from the external network, typically by carefully configured routers, one or more firewalls, and policies to disallow unauthorized gateways out. Both at the gateway and inside the network, intruders can be watched for and identified. Such identification only potentially mitigates the damage done by a successful intruder; it doesn’t eliminate it, so the previous assumption about compromises still holds (Vacca, 2009, pp. 149-167).

Other potential protections of the LAN can be accomplished by preconfiguring the workstations for security: using static ARP tables to protect against spoofing and man-in-the-middle attacks, and installing a public key infrastructure through trusted administrators. These solutions prevent use of the network resources by both malicious and benign outsiders, though, so the security comes at the expense of nonexcludability.

Furthermore, does large-scale cybersecurity have the same nonrivalrous consumption that geographic security does? It does not. When it comes to cybersecurity, being a small, low-value target helps. The type of infection that a typical user needs to be concerned with is wide-net malware, which is normally spyware or botnets. Since these enterprises want to hit as many systems as they can, they target vulnerabilities and software that are common. Being the outlier utilizing higher quality security tools will make you far safer. As the market share of your security tool grows, the protection offered drops, since your configuration will be targeted more. Thus adding more users to a security solution does in fact reduce the benefit that the solution provides to its consumers.

Since I have shown that network defense occurs in excludable enclaves and that security tools do not offer nonrivalrous consumption, doesn't that demonstrate that cybersecurity as an ideal does not provide a public good? It does not. Underlying the preceding analysis is the assumption that the end user and their workstation are interchangeable, in the sense that a compromise of the user occurs if and only if their workstation or their network connection to the router is compromised. Unfortunately, this assumption does not reflect the current reality.


Cowen, T. (2008). Public Goods. The Concise Encyclopedia of Economics. Retrieved 4 October 2012 from: http://www.econlib.org/library/Enc/PublicGoods.html

Molyett, M. D. (February 2012). Network Vulnerabilities Due to Intranet Trust. Retrieved from: http://tychousa7.umuc.edu/CSEC610/1202/9042/class.nsf/d890059733f8b04085256bf3004e9fff/1aa1a770cd77d4d08525797e00163566/$FILE/MMOLYETT_Assignment1.doc

Vacca, J. R. (2009). Computer and Information Security Handbook. Burlington, MA: Morgan Kaufmann.

Analysis of Cybersecurity as a Public Good: US Government Implications: Data Security a Public Good?

In 1988 a piece of malware was released on the fledgling Internet which climbed into about 10% of the connected machines and clogged up their resources. The Morris Worm was not stealing data, not monitoring users, and not trying to cause downtime or server damage to a given target. It was merely an unethical and malicious tech demo of what was yet to come (Marsan, 2008).

Now, almost twenty-five years later, we are not so lucky. The vandals and experimenters of the early Internet have been replaced with organized criminals, unaffiliated hackers, and nation-state espionage. Our data does not exist just on our workstations; it exists everywhere. That data is in the digital hands of companies with no intrinsic responsibility to protect it. Those holders do make an attempt to secure it, because losing customer data doesn’t build strong trust with ongoing and future customers, but the vast majority of companies are collecting the data to assist their mission. Once they have the data, they don’t actually lose anything when that customer data is taken. Loss of exclusive control of research and intellectual property does cause actual damage, but involuntary sharing of customer data doesn’t. Because unauthorized access to this customer data may raise liability issues for the breached company, disclosing the loss of customer data to the affected customers is likely to be low on the company’s list of incident response priorities (Waleski, 2011).

A compromise of a customer’s data is actually a compromise of the customer himself. In June 2012 the professionals-focused social network LinkedIn was breached and the intruders collected over 6 million hashed user passwords. Allegedly, the attackers successfully converted 60% of those back to plaintext. That leaves 3.6 million plaintext passwords in the hands of malicious actors, who probably used them to train their password crackers to generate guesses more efficiently. Thus, by attacking LinkedIn, the total online safety of the impacted customers was damaged because their password schemes will be more easily broken in the future. Though there was no report about it, it is not unlikely that the attackers also received the associated account email addresses. Put together, an email address and a plaintext password give an attacker far more information about the customer than is at all good for the customer (Carlson, 2012).

Considering that a person’s digital life can end up in malicious crosshairs if they get caught up in a bulk collection like the LinkedIn one, data breaches pose a significant risk to the public at large. A single compromised customer can chain into a small botnet when you consider that access to a single email account means virtually complete control over their digital life: an address book of contacts who can be spear phished from the stolen account, the ability to perform password resets on web services registered to that account, and the ability to read the emails that the victim keeps, which tells the attacker what kinds of email they are likely to open. Once an attacker can be sure of an email getting opened, they can utilize technical exploits to place malware onto the workstation. Once keylogging data is returned, the attacker knows everything they need to know about the victim. Since a single compromised customer can lead to a widespread infiltration, it becomes apparent that the public as a whole needs to be protected. Trusting individual companies to protect their data does not cut it, because the risk is that any of them get breached, not just that all of them do. When such breaches happen, the customers need to know as soon as the company does, even though it may not be in the company’s best interest to report it. Somewhere there should be an authority watching over this trust. Can anything be located which would be able to act as trustee, ensuring that companies attempt to protect themselves from all breaches and report them when they happen? Ideally, this trustee should even be able to assist in incident response and investigations should an intrusion occur.


Carlson, A. (2012). LinkedIn Password Leak Implies Weak Passwords in Law Firms. [C&W Security Blawg] Retrieved 5 October 2012 from: http://www.securityblawg.com/2012/06/site-to-check-your-linkedin-password.html

Marsan, C. D. (October 30, 2008) Morris worm turns 20: Look what it's done. Retrieved 5 October 2012 from: http://www.networkworld.com/news/2008/103008-morris-worm.html

Waleski, B. D. (2011). Implications of Information Security: Regulatory Compliance and Liability. In Bidgoli, H. (Ed.), Handbook of Information Security (Vol. 2). New York, NY: John Wiley & Sons.

Analysis of Cybersecurity as a Public Good: US Government Implications: Introduction

This is the introduction to the individual assignment paper I wrote last week. The publishing of this paper will take all week.

The United States’ use of the Internet is full of security holes, and those holes are leaking customer personal data and corporate intellectual property. Not immune to this situation are components of backbone networks and utility systems regularly grouped as critical infrastructure. I will explore whether the federal government should put its weight behind private industry’s actions on these fronts.

Friday, October 5, 2012

Pre-Report Posting

Well, I finished my write up and have posted it to TurnItIn. I will begin posting it here Wednesday.

I'm so sleepy...

Update (11:59 AM): TurnItIn has the settings wrong, so I still can't do the final posting. I really hope I can finish this soon.

Speech to Text Composing

I came up with a solution to the empty page problem: voice recognition.

After installing Google Drive on my Android phone, I am writing in my draft document using the speech recognition and just rambling away. The conversion is far from perfect, but it is letting me get the thoughts out into the paper.

Next I will translate the draft into a new document where it is using sentences and real words instead of the poor transcription that my phone is writing for me.

A brief sample of what my draft consists of.

the argument of cyber security as a public good is evident 1 system compromised news and tire network technician is compromised

This will be cleaned up into...

The argument of cyber security as a public good is evident because one system compromised means an entire network segment is compromised.

Thursday, October 4, 2012

The Poem Stuck in my Head

Here I sit, so brokenhearted.
Came to shit, but only farted.

Don't be sad, you had your chance.
I tried to fart and shit my pants.

- Anonymous, date unknown

I have just sat here for over two hours today and about 4 hours over the last two days, staring at a blank page and the following prompt...

Each student explores cyber security as a public good.

Now I just need to write out 9 or so pages about it.

Week 1 Graded submission, part 3

This question requires a little background. Adagia Telecom is a fictional company that, on the launch day of a much-hyped value-add web service, had severe network problems, and the launch flopped completely. Server logs examined after the fact suggest a DDoS attack.

Topic – How would compliance have prevented the attack against Adagia Telecom? Should Adagia report this attack to law enforcement? Why or Why not? If the crime is reported, what challenges might law enforcement have in finding the perpetrator and prosecuting the case?

As the initial question of the topic is vague and relies on a prior understanding of compliance, I am first going to address what it is. According to UMUC (2010, p. 22), compliance centers on having a solid set of administrative controls that regulate process and define who holds specific responsibilities related to those controls. Relevant to the Adagia situation are the controls of solid training and procedures, and the responsibilities of risk determination and the creation of appropriate procedures.

Effective compliance in the areas just described could have helped reduce or even eliminate the impact of the alleged distributed denial of service (DDoS) attack. With appropriate levels of training about system defense and scalability, the system administrators could have identified the beginning of the incoming DDoS and reacted effectively. Proper training and established procedures in preparation for this contingency could have resulted in the administrators engaging in successful congestion control and packet filtering (Xiang, 2006, p. 560). Such preparation and creation of the requisite procedures are not possible, though, if the system’s risks were not effectively identified.

Adagia should notify the FBI and share their logs, if for no other reason than to give law enforcement visibility into the fact that the attack occurred. Criminal DDoS attacks typically consist of an attacker controlling large numbers of compromised computers, with those systems being the ones actually communicating with the victim. This indirection, especially combined with intentional anonymizing actions the attacker may use like proxies, means that an after-the-fact investigation is unlikely to lead back to the source attacker. Even if law enforcement is able to locate the system, there could be significant legal roadblocks before prosecution, like jurisdiction issues and an inability to connect the attacking system with the attacking user.

Matthew

UMUC (2010). Human Aspects in Cybersecurity: Ethics, Legal Issues, and Psychology. Retrieved 26 September 2012 from: http://tychousa9.umuc.edu/CSEC620/1102/csec620_01/assets/csec620_01.pdf

Xiang Y., Zhou W., (2006) "Protecting web applications from DDoS attacks by an active distributed defense system", International Journal of Web Information Systems, Vol. 2 Iss: 1, pp.37 - 44 Retrieved 26 September 2012 from: http://research.mercubuana.ac.id/proceeding/iiWAS2004(586-595).pdf
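The answer above says trained administrators "could have identified the beginning of the incoming DDoS"; what that looks like in practice is a baseline-and-threshold check over the same server logs Adagia reviewed after the fact. The following is an added example, not code from the original post and not the active distributed defense system Xiang and Zhou describe. It parses constructed Common Log Format access-log lines, buckets requests into fixed windows, treats the first windows as the baseline, and flags any later window whose volume jumps, whose traffic comes mostly from previously unseen addresses (the distributed case), or which one address dominates (the simple DoS case). The addresses, window size and thresholds are assumptions chosen to make the mechanics visible, not tuned values.

```python
"""Rate-based early warning for a request flood over web-server access logs.

Added example for the Adagia Telecom discussion; not code from the original
post. Log lines, addresses, window size and thresholds are constructed
assumptions chosen to make the mechanics visible, not tuned values.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Common Log Format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for a well-formed line, or None so malformed input is skipped."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), TS_FMT)
    except ValueError:
        return None
    return {"ip": m.group("ip"), "ts": ts, "status": int(m.group("status"))}


def parse_log(lines):
    return [r for r in map(parse_line, lines) if r is not None]


def bucket_requests(records, window_seconds=10):
    """Group requests into fixed windows; each window is a Counter of source IPs."""
    buckets = defaultdict(Counter)
    for r in records:
        key = int(r["ts"].timestamp()) // window_seconds
        buckets[key][r["ip"]] += 1
    return dict(buckets)


def detect_surges(buckets, baseline_windows=2, rate_multiplier=5.0,
                  new_source_share=0.8, single_source_share=0.5):
    """Flag windows that look like the onset of a flood.

    The first `baseline_windows` windows define normal: their mean request count
    and the set of addresses seen. A later window is flagged for "rate" (volume
    past rate_multiplier x baseline), "new-sources" (most traffic from addresses
    absent from the baseline) or "single-source" (one address dominates).
    """
    keys = sorted(buckets)
    base_keys, later_keys = keys[:baseline_windows], keys[baseline_windows:]
    if not base_keys:
        return []
    baseline_rate = sum(sum(buckets[k].values()) for k in base_keys) / len(base_keys)
    known = set().union(*(buckets[k].keys() for k in base_keys))
    alerts = []
    for k in later_keys:
        window = buckets[k]
        total = sum(window.values())
        top_ip, top_n = window.most_common(1)[0]
        new_share = sum(n for ip, n in window.items() if ip not in known) / total
        reasons = []
        if total > rate_multiplier * baseline_rate:
            reasons.append("rate")
        if new_share >= new_source_share:
            reasons.append("new-sources")
        if top_n / total >= single_source_share:
            reasons.append("single-source")
        if reasons:
            alerts.append({"window": k, "total": total, "baseline": baseline_rate,
                           "new_source_share": new_share, "top_ip": top_ip,
                           "reasons": reasons})
    return alerts


def fmt_line(ip, ts, req, status):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "{req}" {status} 512'


def build_sample_log():
    """Constructed sample (not real traffic): two quiet 10-second windows with
    three regular clients, then one window where 30 previously unseen addresses
    each send two requests, plus one malformed line to exercise the parser."""
    base = datetime(2012, 9, 26, 12, 0, 0, tzinfo=timezone.utc)
    quiet = ["203.0.113.5", "203.0.113.7", "198.51.100.9"]
    lines = [fmt_line(quiet[s % 3], base + timedelta(seconds=s), "GET /launch HTTP/1.1", 200)
             for s in range(0, 20, 2)]                       # 5 requests per window
    for i in range(30):
        for _ in range(2):
            lines.append(fmt_line(f"192.0.2.{i + 1}", base + timedelta(seconds=20 + i % 10),
                                  "GET /launch HTTP/1.1", 503))
    lines.append("garbage line that does not match the log format")
    return lines


if __name__ == "__main__":
    for a in detect_surges(bucket_requests(parse_log(build_sample_log()))):
        print(f"window {a['window']}: {a['total']} requests vs baseline {a['baseline']:.0f}, "
              f"{a['new_source_share']:.0%} from new sources, reasons={a['reasons']}")
```

The flood window trips both the rate and new-sources checks but not the single-source one, which is the point of the distributed case the answer raises: per-address filtering alone would not have caught it, so the procedure administrators prepare for this contingency needs aggregate thresholds as well. Real deployments would learn the baseline over hours or days rather than two windows and would tune the multiplier to the expected launch-day traffic.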

Wednesday, October 3, 2012

Week 1 Graded submission, part 2

Topic - What are some difficulties policy-makers face (at the US national level) to make policy that gets the desired results to counter cyber crime? Does the public demand seriously effective policy to counter cyber crime (think credit card fraud or ID theft)? In your view, do current legislative efforts address cybercrime concerns adequately?

A significant difficulty that impedes the creation of federal cyber crime legislation is that detection, prevention, and tracking of cyber crime are performed through monitoring. Botnets, collections of compromised systems each controlled by a “botherder” (a single attacker), are valuable weapons to cyber criminals and attackers. (Vacca, p. 119, 2006) The best way to mitigate or prevent the damage from an attack by a botnet is to have the authorities detect, locate, and disrupt it. According to Walsh et al., botnets are detected by examining traffic sessions for known botnet command and control (C2) traffic. (2006) Such detection cannot occur without examining the traffic, and such examination by US government entities runs into privacy concerns. The moment wide-scale monitoring is mentioned, Constitutional privacy concerns are raised. The appearance of, or opportunity for, privacy abuse by the US government is then given tough scrutiny by the judiciary and the public.

Tsukayama quotes an American Civil Liberties Union counsel as saying “Cybersecurity does not have to mean abdication of Americans’ online privacy. As we’ve seen repeatedly, once the government gets expansive national security authorities, there’s no going back” about the Cyber Intelligence Sharing and Protection Act (CISPA), passed by the House this past April. (2006) CISPA just gives companies the option of sharing data with the federal government in the event of a possible cyber threat; it doesn’t require it. If the Electronic Frontier Foundation and American Civil Liberties Union represent the American public, then I think the answer is no. Seriously effective policy apparently comes at too great a price to personal privacy. (Tsukayama, 2006)

Recent legislative efforts, the Cyber Intelligence Sharing and Protection Act (which Tsukayama reports that even the White House feels is inadequate) as well as the failed attempts from 2011 of the Stop Online Piracy Act and the Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property Act, risk too much damage to privacy and freedom of speech (censorship, loosely covered as protecting copyright and trademarks).

Matthew

Strayer, T. W., Walsh, R., Livadas, C., & Lapsley, D. (2006). Detecting Botnets with Tight Command and Control. Retrieved 26 September 2012 from: http://people.csail.mit.edu/clivadas/pubs/StrayerWLL06.pdf

Tsukayama, H. (2012). CISPA: Who’s for it, who’s against it and how it could affect you. Retrieved 26 September 2012 from: http://www.washingtonpost.com/business/technology/cispa-whos-for-it-whos-against-it-and-how-it-could-affect-you/2012/04/27/gIQA5ur0lT_story.html

Vacca, J. R. (2009). Computer and information security handbook. Burlington, MA: Morgan Kaufmann.

Week 1 Graded submission, part 1

Topic - Many cyber security professionals believe the likely application of ‘cyber terrorism’ to be an asymmetric attack against some portion of this nation’s critical infrastructure. Which critical infrastructure do you think to be a likely target and why? Who should be responsible for protecting that infrastructure and why? Would this vary based on who the attacker is – if it is a state actor, a non-government organization, or an individual?

The electric grid is a very visible target and the loss of it is very noticeable. Just this past summer those of us in Maryland got to experience a (natural) disruption to the grid. No air conditioning, no lights, no traffic lights (come on, Maryland. No traffic light means a four way stop, not ‘Ehmagawd!’) and no refrigeration. Obviously an attack on the grid is significant.

An attack on the grid is even possible, at least for those well-funded shops that can afford to spend the time and manpower to research industrial equipment. Critical infrastructure has been under assault since before late 2010, when Fleming reported on Stuxnet sabotaging Iranian centrifuges. (2010) The worm is reported to target Siemens SCADA (supervisory control and data acquisition) systems. A look at job postings for Baltimore Gas and Electric (BGE) shows that they use SCADA systems, “...integration of the various BGE Supervisory Control and Data Acquisition (SCADA) systems such ...” (BGE, 2011) If Iranian SCADA systems are targetable, it stands to reason our electric grid ones could be too.

Who should be responsible for protection is a complicated issue. As our utilities are run by private companies, the current responsibility falls to the utility companies to protect their infrastructure. They have to protect their infrastructure because doing so protects their investment and their bottom-line profitability. On the other hand, a disruption of the electric grid may hurt the utility company’s bottom line, but it literally means life and death for the diabetic customer who needs to keep their insulin refrigerated during a heatwave. When it comes to protecting the general populace from bodily injury and death, that responsibility falls to the government. Outsourcing the security concerns to DHS, though, would provide such a budgetary windfall to the utilities that the reasonable next step would be full government control over the utility in question. That option is rarely considered a good idea by the US population.

Since an interruption of power would be so devastatingly disruptive, it would most definitely be a target for a military, or nation state organization supporting the military, to attack as an immediate lead-up to a kinetic action.

If the goal was just human death, which is the likely goal of an infrastructure attack from an independent actor or organization, then [thoughts on a specific way that cyber mass murder could be possible]. If, like Stuxnet, the compromises also affected the monitoring reports, then it wouldn’t get caught until the first few victims showed symptoms, which would be far too late for many others. (Fleming, 2010)

Matthew

BGE (June, 7 2011) BGE Job Descriptions. Retrieved 26 September 2012 from: http://www.bge.com/myaccount/billsrates/ratestariffs/Documents/BGEJobDescriptions.pdf

Fleming, R. (December 2, 2010). Bits before bombs: How Stuxnet crippled Iran’s nuclear dreams. Retrieved 26 September 2012 from: http://www.digitaltrends.com/computing/bits-before-bombs-how-stuxnet-crippled-irans-nuclear-dreams/

Tuesday, October 2, 2012

Choose your own fail

Week one, a chance to learn what my second Cybersecurity course is going to be like. Wanting to get started on the right foot, I decided to work through their Flash driven module. Yeah, yeah, yadda, yadda... until page three had a mini survey for me. Select an answer and get their "expert’s feedback."

1. Creating malicious code is freedom of expression, demonstrating programming talent and innovation.
  Yes. Usually, virus developers have very high IQs. It takes a lot of skill and intelligence to exploit multiple levels of security in computer systems.
  Yes. Launching viruses or malicious code is not a crime if it is done by hackers to test their abilities and if it doesn’t cause any damage.
  No. Creating malicious code is unethical irrespective of whether monetary damages are caused and is a punishable offense.

I find the “expert’s feedback” extremely close-minded and wrong. My selection was the second option, feeling it was the best of three bad choices.

The feedback is “Not really. Launching malicious code is unethical and unlawful even if it does not cause any damage. It is still a breach of privacy and security.”

I interpreted “Launching viruses or malicious code” as including the use by penetration testers and grey hat researchers. These users of malicious code utilize it against systems being tested for vulnerabilities or systems set up for the purpose of being targeted. Also, malicious code may be utilized by law enforcement agents acting under warrant.

The primary reason I selected that answer was through process of elimination. Specifically, I excluded the “correct” answer immediately, which the system called the third.

There is such an extreme prejudice included in this answer that there is no way I would ever select it. First, malicious code is too vague a term to be able to apply any absolutes about the ethical nature of its creation. Coders are malicious, but code, especially the individual blocks, is just a tool.

I have personally developed a background keystroke logger as an intellectual exercise. The experience was valuable and the knowledge gained is helpful. I never deployed it, and the development was not unethical. The techniques that I learned in the exercise can now be used to develop legitimate, non-malicious tools like a system-wide hot-key tool like AutoHotKey. The same techniques and code blocks that would build a web snooping implant can also make a parental monitoring tool. Anti-virus tools hook functions, inject DLLs, monitor network activities, consist of rootkits, and the list goes on and on. Honestly, the only difference between an antivirus tool and malware is the method of delivery and the intentions of the distributors.

First!

I am back to being a student while working my way through a graduate degree in Cybersecurity. This blog is being set up so I have a way to archive the writings that I do for the class. Somewhere in the basement is a stack of folders and notebooks that contain the little things which I have forgotten that I wanted to remember from my undergraduate courses. I don't want these writings to end up like that.

Recently I have read a bunch of Joel Spolsky and Jeff Atwood. Those blogs have been a real inspiration to sit down and do this. I can't find the exact quote right now, but one of Joel's write-ups encouraged blogging as well as any (every?) other prose output for coders. Heaven knows that prose doesn't come naturally to us. So here goes. I am not a writer, I am not a UI or web designer. This blog will probably look like crap and read even worse, but it is just a place to dump thoughts and archive work.

I tend to like to rant when tech things bug me, so maybe this will take that burden off my wife.