Thursday, November 29, 2012

Preventing Damage by Preventing Grade System Intrusions: Attacker Motivation

the Hack

Intruders that are operating under just pure hacker motivations are the bored, the curious, and those searching for a challenge. Education institutes are uniquely qualified for defusing these intruders, as intellectual challenge and stimulation is the purpose of such bodies. This point is captured explicitly in the mission statement of Harvard University: education “...should liberate students to explore, to create, to challenge...” (Lewis, 1997). Boredom, curiosity, and lack of challenge can all be directly addressed through adjustments to curriculum and individualized development plans.

the Grades

Cheater intruders can be defused by recognizing that the core of what they are doing is not actually changing their grades; they are instead taking control of their grades and future. These intruders can probably be successfully profiled under the hacker motivation of desiring power (Campbell & Kennedy, 2010). For whatever reason, they find themselves without the power to shape their situation through the legitimate channels. Ways to place students in control of their situation and convince them to downplay the grade portion of the grade include engaging them and their interests, challenging them appropriately, empowering them with a voice in directing what they learn, and recognizing their effort and competence (Stephens & Wangaard, nd).

the Money

There is no magic bullet to help reduce this motivation. These attackers are driven by straight criminal mindsets and desires. The solution here is to just address the technical issues to close the attack vectors. They will be back; the defenders just have to be persistent. If a psychological profile were to be considered for these attackers, it would fall in line with the abnormal psychology of offline criminals (Campbell & Kennedy, 2010). Money as a motivator drives the attacker to get more money.


Campbell, Q., & Kennedy, D.M. (2009). The psychology of computer criminals. In Bosworth, et al (Eds.), Computer security handbook. New York, NY: John Wiley & Sons.

Lewis, H. R. (February 23, 1997). What is Harvard’s mission statement? Harvard University. Retrieved from: http://www.harvard.edu/faqs/mission-statement/

Stephens, J. M., & Wangaard, D. B., (nd). Teaching for integrity: Steps to prevent cheating in your classroom. The School for Ethical Education. Retrieved from: http://www.ethicsed.org/programs/integrity-works/pdf/teachingforintegrity.pdf

Tuesday, November 27, 2012

Selling their skills

Teenage crackers are known to be involved in for-profit modification of electronic grade books (McMillan, 2011). McMillan describes Tyler Coyner, a student who inflated his GPA to 4.54 while also selling grade increases to his peers. Until he was arrested, Coyner spent two semesters performing attacks on the grade records in exchange for cash. He even graduated salutatorian based on his manipulations (McMillan, 2011).

Financial gain as a cyber crime motivator is not rare, although the monetization is achieved through other means. Attackers often harvest directly monetizable data such as credit card information and online banking credentials. Another method is extortion, or protection money, where a botnet operator threatens a distributed denial of service attack unless the victim pays the extortion cost (Dittrich & Himma, 2006). Extremely rare, relative to other financial cybercrimes, are mercenary attacks, like the kind Coyner was selling (McMillan, 2011).


Dittrich, D., & Himma, K. E. (2006). Hackers, Crackers, and Computer Criminals. Bidgoli, Hossein: Handbook of information security-Information warfare; social, legal and international issues, 154-171.

McMillan. (March 4, 2011). Top Student Charged With Fixing Grades for Cash. PCWorld. Retrieved from: http://www.pcworld.com/article/221442/studentcharged.html

Saturday, November 24, 2012

Preventing Damage by Preventing Grade System Intrusions: Case Studies

Case Study: Northwestern Lehigh School District

Catherine Venusto allegedly manipulated the grade records of both her daughter and son while they attended Northwestern Lehigh School District. In 2010, while employed as an administrative office secretary, Venusto allegedly replaced a failing grade with a medical M grade. Access to the online grade book was accomplished by masquerading with the stolen network credentials of the superintendent. After her employment had ended, Venusto allegedly continued to utilize the stolen credentials to modify the grade of her son in 2012. The alleged modification of the son’s grade could have been prevented through periodic password expiration policies (Lupkin, 2012).

Case Study: Temple University

In a more technically savvy attack, college student Edwin Kim accessed the electronic grade book of Temple University. Kim installed a keylogger on an administrative office’s university computer to collect the credentials of professors who used the targeted system. Later, Kim removed the keylogger and cleaned up after it, leaving him in possession of his professors’ account information. Kim’s modifications were caught when his professors noticed the discrepancies caused by his changes. Kim himself was caught because the grade system logs were used to trace his connection sessions back to his workplace and home (Gibbons, 2012).

Case Study: Palos Verdes High School

Rounding out the vulnerabilities to be addressed, Palos Verdes High School fell victim to a three-student team which targeted physical security as their main vulnerability. The teenagers, unnamed by Altman (2012), broke into the school under cover of night to steal tests and install hardware keyloggers on their teachers’ machines. During subsequent break-ins, the keyloggers were collected and analyzed to extract their teachers’ credentials. This information was used to access the grading system and boost the intruders’ grades (Altman, 2012).
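The three case studies share one pattern: a legitimate staff credential used by someone other than its owner. The following is an added example, not part of the original paper, of how a grade-change audit log could be reviewed for that pattern. The log format, account names, addresses and the 90-day password age limit are all constructed assumptions.

```python
from datetime import datetime, timedelta

MAX_PASSWORD_AGE = timedelta(days=90)  # assumed policy value, not from the paper

# Constructed account directory: when each password was last changed and
# which source addresses the account normally logs in from.
ACCOUNTS = {
    "superintendent": {"password_set": datetime(2010, 1, 4),
                       "known_sources": {"10.0.1.15"}},
    "prof_smith": {"password_set": datetime(2012, 1, 9),
                   "known_sources": {"10.0.2.20", "10.0.2.21"}},
}

# Constructed audit log, one grade change per line:
# time|account|source address|student|old grade|new grade
AUDIT_LOG = """\
2012-02-01T09:12:00|prof_smith|10.0.2.20|s1001|B|B+
2012-02-03T23:41:00|prof_smith|203.0.113.7|s1002|D|A
2012-02-10T20:05:00|superintendent|198.51.100.9|s1003|F|M
2012-02-11T10:30:00|superintendent|10.0.1.15|s1004|C|C+
"""


def parse_audit_log(text):
    """Turn the pipe-delimited log into a list of record dicts."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("|")
        if len(fields) != 6:
            raise ValueError(f"line {lineno}: expected 6 fields, got {len(fields)}")
        when, account, source, student, old, new = fields
        records.append({"when": datetime.fromisoformat(when), "account": account,
                        "source": source, "student": student,
                        "old": old, "new": new})
    return records


def review(records, accounts=ACCOUNTS, max_age=MAX_PASSWORD_AGE):
    """Return (record, reasons) for every grade change that needs a second look."""
    findings = []
    for rec in records:
        reasons = []
        acct = accounts.get(rec["account"])
        if acct is None:
            reasons.append("unknown-account")
        else:
            # A password older than the policy allows keeps stolen
            # credentials usable long after they were taken.
            if rec["when"] - acct["password_set"] > max_age:
                reasons.append("stale-password")
            # A change from an address the owner never uses suggests that
            # someone else is holding the credential.
            if rec["source"] not in acct["known_sources"]:
                reasons.append("new-source")
        if reasons:
            findings.append((rec, reasons))
    return findings


def sources_to_trace(findings):
    """Group suspicious changes by source address for follow-up."""
    by_source = {}
    for rec, reasons in findings:
        if "new-source" in reasons or "unknown-account" in reasons:
            by_source.setdefault(rec["source"], []).append(rec["student"])
    return by_source


if __name__ == "__main__":
    found = review(parse_audit_log(AUDIT_LOG))
    for rec, reasons in found:
        print(rec["when"], rec["account"], rec["source"], rec["student"],
              f'{rec["old"]}->{rec["new"]}', ",".join(reasons))
    print(sources_to_trace(found))
```
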


Altman, L. (January 26, 2012). 3 Palos Verdes High students arrested in grade-tampering plot. DailyBreeze.com. Retrieved from: http://www.dailybreeze.com/latestnews/ci_19829634

Gibbons, M. (February 8, 2012). Bucks college student fails in attempt at an easy A. phillyBurbs.com Retrieved from: http://www.phillyburbs.com/news/crime/bucks-college-student-fails-in-attempt-at-an-easy-a/article_175726b7-b2c5-56ce-93ab-bbfb6abddcc4.html

Lupkin, S. (July 19, 2012). Mom Arrested For Hacking School Computers to Change Kids' Grades. abc News. Retrieved from: http://abcnews.go.com/US/mom-charged-hacking-school-computers-change-childrens-grades/story?id=16812838#.UKhiZoevuIM

Monday, November 19, 2012

Preventing Damage by Preventing Grade System Intrusions: Introduction

Grades are important and so manipulating grades is valuable. Manual management of the recording, computing, weighting, and totaling of an individual student’s grades, not to mention an entire course and even an entire semester, is extremely tedious and error prone (Migliorino & Maiden, 2004). Automated grade management systems relieve educators from many of these burdens and can even provide easy access anywhere through powerful web applications (Thinkwave, 2012). Where problems arise is when the electronic grade book falls prey to unauthorized access or, worse, modification.

Being stored electronically on a network leaves the grades subject to remote manipulation. Those manipulable grades become a target to challenge hackers, to tempt cheaters, and to profit crackers. Controlling and shaping the rankings of a class of students feeds directly into the desire for power that is a commonly self-reported motivation of hackers (Campbell & Kennedy, 2010). Cheaters gain direct academic boosts by inflating their own grades, as is covered in case studies below. Grade manipulation is a marketable good, as crackers can be paid to modify the customer’s or a third party’s records.


Campbell, Q., & Kennedy, D.M. (2009). The psychology of computer criminals. In Bosworth, et al (Eds.), Computer security handbook. New York, NY: John Wiley & Sons.

Migliorino, N. J., & Maiden, J. (2004). Educator Attitudes Toward Electronic Grading Software. Journal Of Research On Technology In Education, 36(3), 193-212.

Thinkwave. (2012). Free Online Gradebook. Retrieved from: http://www.thinkwave.com/educator.html

Preventing Damage by Preventing Grade System Intrusions: Actors

Simplistically, those who would access, without authorization, a grade management system could be labeled as hackers or crackers. These two groups, according to Dittrich and Himma (2006), are computer users who engage in unauthorized system accesses; though they are differentiated by motivation. Where hackers are driven by arguably noble or ethically neutral purposes, crackers are driven by malice or profit. Describing possible manipulators in the introduction, the author separated out a subset of crackers as cheaters. This paper will be discussing crackers as intruders driven by malice or financial profit and cheaters as driven by academic profit.

When the target is an education institution’s grading system, the pool of potential hackers, crackers, and cheaters draws primarily from stakeholders relating to the grades stored in the specific target system (Altman, 2012; Borja, 2006; Gibbons, 2012; Lupkin, 2012). Stakeholders are not limited to the grade-holding students but also can include relatives or contracted third parties.


Altman, L. (January 26, 2012). 3 Palos Verdes High students arrested in grade-tampering plot. DailyBreeze.com. Retrieved from: http://www.dailybreeze.com/latestnews/ci_19829634

Borja, R. R. (2006). Cyber-Security Concerns Mount as Student Hacking Hits Schools: Districts Straining to Safeguard Online Networks. Education Week, 25(19), 1,.

Dittrich, D., & Himma, K. E. (2006). Hackers, Crackers, and Computer Criminals. Bidgoli, Hossein: Handbook of information security-Information warfare; social, legal and international issues, 154-171.

Gibbons, M. (February 8, 2012). Bucks college student fails in attempt at an easy A. phillyBurbs.com Retrieved from: http://www.phillyburbs.com/news/crime/bucks-college-student-fails-in-attempt-at-an-easy-a/article_175726b7-b2c5-56ce-93ab-bbfb6abddcc4.html

Lupkin, S. (July 19, 2012). Mom Arrested For Hacking School Computers to Change Kids' Grades. abc News. Retrieved from: http://abcnews.go.com/US/mom-charged-hacking-school-computers-change-childrens-grades/story?id=16812838#.UKhiZoevuIM

Intruding because they can

Curiosity, intellectual challenge, boredom; these are factors that motivate exceptional technical minds to delve into the ethically grey area of non-malicious cyber intrusions (Dittrich & Himma, 2006). Those exceptional minds tend to fall into the category of gifted students for whom schools have difficulty providing appropriate challenges (Gallagher & And, 1997). Stemming from the difficulty of challenging these students is that they, according to Gallagher and And (1997), perceive their courses to be “a crushing bore.”

Combining all three elements, brilliant minds, boredom, and a ready-made challenge to puzzle out, provides an ideal situation for student hackers to target the grading system. Behind that technical wall is a collection of information pertaining to their peers, which has the ability to appeal to the bored student’s non-technical curiosity. Just like cyber convict Adrian Lamo attributing his corporate network jaunts to looking for relief from boredom, the students may try to just look around the grade system (Dittrich & Himma, 2006).


Dittrich, D., & Himma, K. E. (2006). Hackers, Crackers, and Computer Criminals. Bidgoli, Hossein: Handbook of information security-Information warfare; social, legal and international issues, 154-171.

Gallagher, J., & And, O. (1997). Challenge or Boredom? Gifted Students' Views on Their Schooling. Roeper Review, 19(3), 132-36.

Just Trying to Get Ahead

Secondary and collegiate schools both have had issues with electronic grade book modifications. The cheaters described above are the intruders who target the systems for academic advancement. Grades to be modified can be their own or their rivals’, but the end goal is improvement of their relative standing. Additionally, there are instances of relatives who accessed and modified recorded grades to the benefit of the student whose grades were targeted (Lupkin, 2012).

Cheaters’ motivation to modify, or to have modified, their grades stems from the importance placed on the values and the impact which they have on the participant’s future. Moore (2006) writes about the weight that high school grade point average (GPA) has on admissions decisions for incoming college freshmen. Thus, by inflating their GPA, cheaters are able to qualify for more desirable post-high school opportunities. Again in 2006, Moore addresses the fact that GPA admission requirements do not always go away in college, but that professional colleges often have GPA standards that must be met to enroll in junior- and senior-level courses.


Lupkin, S. (July 19, 2012). Mom Arrested For Hacking School Computers to Change Kids' Grades. abc News. Retrieved from: http://abcnews.go.com/US/mom-charged-hacking-school-computers-change-childrens-grades/story?id=16812838#.UKhiZoevuIM

Moore, W. K. (2006). Advising Students about Required Grade-Point Averages. NACADA Journal, 26(2), 39-47

Preventing Damage by Preventing Grade System Intrusions: Defense

Successful defense against grade book intrusions requires identification of both the motivation of the attackers and the attack vector utilized. Addressing only the motivation leaves the exploited vulnerability in place for future attackers, whereas addressing only the vulnerability means that the mind which worked out the known attack is just going to keep looking for other ways in.

Sunday, November 18, 2012

Exploring students and cybercrime

I'm working on a paper about a general target of cybercrime and delving into who the actors may be and what their intentions are.

The assignment gives some interesting targets and attacker goals; for instance maybe attacking a defense organization for launch codes or attacking a hospital for medical records. Am I writing about one of these? Nope, I'm going with attacking a school to get access to the grading system.

With that in mind, here is a video of what happens to students getting caught having done just that...

Credit: Nick videos

Saturday, November 17, 2012

Cyber crime profiling

Topic – While psychological profiling of criminals is not a new field, should we attempt to profile cyber criminals? What sort of things do we already know about the personalities of cyber criminals? Do we have enough evidence to indicate there is a distinct psychological pattern that would help in the apprehension of cyber criminals?

Psychological profiling is a lot like static malware detection. Researchers correlate observable behaviors of known criminals to the underlying motivations and other observable traits. The signatures and heuristics derived from that research are then applied to unknown persons to determine the likelihood of being a future criminal of the same pattern which was researched. If both the false positive and false negative rates can be kept low, application of the profile keeps society safer, just as successful anti-malware scanning keeps a computer safer. Attempts should definitely be made to incorporate profiling into the handling of cyber criminals.

When studying the personalities of cyber criminals, we should avoid using the definition that Campbell and Kennedy attribute to the National Institute of Justice of anyone that utilizes any cyber technology when planning or executing their crime (Campbell & Kennedy, 2009). A criminal that merely utilizes a computer to commit their crime will have the same motivations as someone committing the same crime decades ago. The profile of a cyber criminal needs to be limited to those “individuals for whom the computer represents an alternative way of life apart from social norms” (Campbell & Kennedy, 2009, pp. 12-2).

Those computer-dedicated criminals are known, through various types of after-the-crime self-reporting, to share a set of six motivators: addiction, boredom, curiosity, politics, power, and recognition. Through psychological behavioral research applied to cyber criminals, we also can attribute enabling factors which the criminals themselves may not be consciously aware of: aggression, anonymity, and social distance (Campbell & Kennedy, 2009).

The writings of Campbell and Kennedy suggest that there is currently a great deal of evidence to support cyber criminal profiling to be used in the reduction of criminal acts. By recognizing the conscious motivations and the unconscious enablers, they can be addressed such that the computer obsession is not turned to crime. The reform of significant historical cyber criminals supports this fact. Identifying persons matching the patterns without having addressed the concerns will assist in the selection of suspects, so yes the pattern should assist in the apprehension of cyber criminals.


Campbell, Q., & Kennedy, D.M. (2009). The psychology of computer criminals. In Bosworth, et al (Eds.), Computer security handbook. New York, NY: John Wiley & Sons.

Friday, November 16, 2012

Computer addiction and cybercrime

Topic - Some mental health and criminal justice professionals contend that hacking is an "addiction," and causes obsessive, risk taking behavior in a manner similar to illegal narcotics - hackers hack to "get high" from the thrill of breaking into a system and getting away with it. Should policymakers look towards treatment, rather than incarceration, as the disposition of hacker cases? Why or why not?

Just as chemical addicts develop a tolerance and require a stronger drug to get their high, cybercriminals exhibit a similar pattern in the evolution of their habit. Many beginners start with attacking DRM and pirating, but then start to escalate. (Campbell & Kennedy, 2009)

Successful treatment is possible, as shown by “some reformed computer criminals … were able to focus their skills on practical endeavors instead of illicit undertakings” (Campbell & Kennedy, 2009, pp. 12-3). Such reform only occurred after being given significant responsibility, which provides the intellectual challenge and stimulation that previously was presented by the challenges of the illicit actions.

Not every criminal can be moved to a position that provides the requisite challenge. A significant reason for that is that security requires a great deal of trust. It is easy to see why someone would be hesitant to hire them for the tough, highly trusted position. If the job doesn’t actually provide enough stimulation, then you may have just hired the fox to provide security for your hen house.

Without the addict getting a safe way to get their fix, we are back to treatment versus incarceration. Taken from the philosophy declaration by Addictions Rehabilitation Association, “It is important for each recovering addict to develop an understanding and insight into his or her addiction and make behavioral changes.” (ARA, 2010). Unlike chemical addicts, computer addicts have their whole life centered around their addiction. Those tech-savvy people will have gone into technical careers. Acknowledging and leaving the addiction means walking away from not just the addiction, but their job, their hobby, their social circle. Realistically, it is not going to happen often enough to consider it a general solution.

Unfortunately, this leaves incarceration. Campbell and Kennedy discuss that the obsessive traits of computer addicts may actually be just keeping up with the rapidly changing nature of the technical landscape. (2010) Possibly, a long enough incarceration will put the addict far enough behind the technical curve that they can implement the lifestyle changes discussed above rather than get back into the field that no longer resembles what they left.


ARA (2010). Philosophy. Addictions Rehabilitation Association. Retrieved November 10, 2012 from http://www.a-rehab-a.org/philosophy

Campbell, Q., & Kennedy, D.M. (2009). The psychology of computer criminals. In Bosworth, et al (Eds.), Computer security handbook. New York, NY: John Wiley & Sons.

Thursday, November 15, 2012

Hacker motivation: Why I do what I do

Topic - What factors motivate hackers? What can organizations do to be more proactive in identifying and mitigating hacker threats?

Hackers are driven by a desire to discover, to tinker, and to be an expert. They don’t gain expertise or discover for the primary purpose of career advancement or money, but because they want to learn what there is to know. (Harvey, 1985)

During the Human Factors module we walked through the interviews with Claire and Dalen. Claire is a solid example of a hacker, lots of hobby projects, experimenting with a variety of tools. (UMUC, 2010)

The best way to combat the hacker threat is to embrace it. Closed systems, code, and protocols result in secrets which draw the curiosity of hackers. When the hackers can dive into code they find bugs and fix them, find interesting techniques and expand on them, and build complementary tools which make the original more valuable. When hackers are confronted with closed components they dive into the binaries to reverse engineer them, identify where functionality is impeded and free it. They reverse engineer the protocols and formats to create tools to replace the closed tool, like Open Office manipulating .doc files.


Harvey, B. (1985). What is a Hacker? University of California, Berkeley Retrieved from http://www.cs.berkeley.edu/~bh/hacker.html

UMUC (2010). Human Factors. UMUC CSEC620 Module

Wednesday, November 14, 2012

Vulnerabilities To Be Addressed To Safely Utilize Online Social Networking: Account Safety

Passwords are usually the only thing unknown about social networking site credentials and that makes them gold for those with malicious intent. In fact, according to Kim, site passwords along with the username have even been sold through illicit channels. Once the account’s credentials have been compromised, the new holder can harvest the owner’s posted information, any information that has been shared with the owner, and even impersonate the owner. Such impersonation can facilitate phishing attacks against the owner’s contacts with messages made plausible by accessing the private information which the victims thought they had only shared with friends (Kim, 2012).

Account compromise can result in devastating damage to all three facets of cybersecurity. All confidentiality is stripped away from unencrypted data when an unauthorized user accesses the account. If there is modify access to posted data then the intruder has the ability to damage the integrity of such data. Through password modification the attacker can even lock the owner out of their account, impacting the availability, as was reported to have happened to the interviewed user Brian twice. (Debatin et al, 2009, pp. 98)

Account compromise is a high risk threat because of the extremely high amount of damage which can be inflicted upon a user, their social network, their data, their reputation, and other accounts that use the same credentials. Thankfully, the rate at which account credentials end up compromised is far less than the rate that private data is exposed. Policies to prevent account compromise have to be broad enough to cover both prevention of malware and prevention of social engineering attacks. Users must be trained to avoid shady websites and not download unauthorized software. They must have it ingrained to never share or reveal their account details, even to persons that seem like legitimate support personnel. Systems administrators need to keep the machines patched to prevent automatic exploit access to the machine for malware.

Such policies and training can impose a significant burden on users. If the machines are not kept stocked with all authorized tools to address any needs that may occur, then the prohibition on downloading the requisite tools will impact their system use.


Debatin, B., Lovejoy, J. P., Horn, A. K., & Hughes, B. N. (2009). Facebook and online privacy: Attitudes, behaviors, and unintended consequences. Journal of Computer‐Mediated Communication, 15(1), 83-108.

Vulnerabilities To Be Addressed To Safely Utilize Online Social Networking
INTRODUCTION
PRIVACY
 UNREMOVABLE CONTENT
 PRIVACY RISK
 PRIVACY PROTECTION
SAFETY
 ACCOUNT SAFETY
 NETWORK SAFETY
 INTERACTION SAFETY
CONCLUSION

Vulnerabilities To Be Addressed To Safely Utilize Online Social Networking: Conclusion

Vulnerabilities abound when confronting cybersecurity issues with online social networking, but they are manageable. Careful user practices can protect both the privacy of their shared data and the safety of their account, system, and reputation. Assuming that all posted information will be broadcast publicly and minimizing trust granted to others will maximize the security of the user.


Monday, November 12, 2012

Vulnerabilities To Be Addressed To Safely Utilize Online Social Networking: Interaction Safety

Interacting with contacts on an online social networking site has two dangerous scenarios which a user must protect themselves from. The first, and more readily apparent, is interacting with a new contact. This can be either someone whom the user thinks they know, but has not established a connection with through the site, or a stranger. In either situation, the person behind the persona may be a malicious actor attempting to gain access to the user’s private data. The second is that a user is communicating with a malicious actor impersonating a friend through compromised account credentials.

Both of these scenarios pose dangers to the user’s confidentiality, as any private information divulged is being turned over to unauthorized recipients. Any files received from such an actor may very possibly be trojan horse malware which poses threats to all three cybersecurity facets.

Risks from tainted interactions are low when there is a reasonable belief that the other party is known and medium when the other party is unknown. Rarely will the friend you talk to actually be an imposter and even among strangers, most are not malicious. As the impact of a tainted interaction is potentially very high, the mitigation policies should still be followed.

Mitigation of these dangerous scenarios can be achieved through policies which instruct users to view all online interactions as potentially compromised, and as such not to ignore any suspicious indicators in a conversation. Before friending a ‘known’ contact, an out-of-band communication should be performed to verify that the account in question belongs to the expected person. Any conversation that only includes the other party referencing data available on the site should be questioned as well, because it may be an impostor.


Sunday, November 11, 2012

Vulnerabilities To Be Addressed To Safely Utilize Online Social Networking: Network Safety

Utilization of social networking sites over untrusted network infrastructure can result in account compromise, privacy compromise, or even system compromise. Unsecured Wi-Fi, a LAN with a hostile workstation (such as a hotel or an intranet with a compromised host on it), and a malicious router can all create hostile network conditions. Once the traffic on the wire cannot be trusted, an attacker could change in transit the link that a friend posted and the user wants to follow. They could change the poster’s upload such that the executable they are attempting to share is actually a trojan horse. A user’s communications can be eavesdropped on to sniff out the private data that is being posted, or even sniff out credentials if they are sent unencrypted, as was the case for the first two years of Facebook. (Mensch & Wilkie, 2011)

With ISP and Internet backbone infrastructure typically being considered trusted, most network accesses will not be reasonably unsafe, which makes this vulnerability low risk. The damage at risk during an incident is extremely high, but the likelihood of an incident is small, averaged across all accesses to the social network. When only addressing reasonably unsafe networks, the risk escalates to high.

Untrusted network situations are severe risks for social networking users, especially as a lot of social networking sites still utilize HTTP. Confidentiality is stripped away when eavesdroppers can view and record your plaintext communications with the site. Integrity is lost if routers, legitimate or spoofed, can perform in-transit packet modification. Dropped packets, TCP-reset injections, and wireless jamming are all methods by which the untrusted network can impact the availability of the social networking service.

Outside of the implausible command to only utilize trusted infrastructure, the policy recommendation which prevents some of the problem, the loss of confidentiality, is to use a VPN to connect to a mostly trusted infrastructure and then still only use social networking sites that can use HTTPS. The damage to integrity can be changed to the less damaging loss of availability by a signed and encrypted protocol. It doesn't prevent a hostile router from modifying the packets, but it will keep the other end from accepting them as clean.
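The trade of integrity loss for availability loss can be shown in a few lines. This is an added example, not part of the original paper: it covers only the signing half of a "signed and encrypted" protocol, using HMAC-SHA256 with a pre-shared key as the stand-in signature, and the key, messages and host names are constructed.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key-not-a-secret"   # assumed pre-shared key
TAG_LEN = hashlib.sha256().digest_size       # 32-byte authentication tag
HEADER = struct.Struct(">Q")                 # 8-byte big-endian sequence number

# Constructed messages a user sends across an untrusted network.
MESSAGES = [
    b"hello from the hotel wifi",
    b"link: http://photos.example/trip",
    b"see you monday",
]


def seal(key, seq, payload):
    """Prefix a sequence number and append a MAC over header + payload."""
    body = HEADER.pack(seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Receiver:
    """Accepts only packets with a valid tag and a fresh sequence number."""

    def __init__(self, key):
        self.key = key
        self.last_seq = -1
        self.delivered = []
        self.rejected = 0

    def receive(self, packet):
        if len(packet) < HEADER.size + TAG_LEN:
            self.rejected += 1
            return False
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            self.rejected += 1            # modified in transit
            return False
        (seq,) = HEADER.unpack(body[:HEADER.size])
        if seq <= self.last_seq:
            self.rejected += 1            # replayed or stale packet
            return False
        self.last_seq = seq
        self.delivered.append(body[HEADER.size:])
        return True


def hostile_router(packets):
    """Model of the untrusted hop: rewrites a link and replays a packet."""
    out = [p.replace(b"photos.example", b"malware.example") for p in packets]
    out.append(packets[0])
    return out


def simulate(authenticated):
    """Return (delivered payloads, rejected count) as seen by the far end."""
    if authenticated:
        rx = Receiver(KEY)
        sent = [seal(KEY, i, m) for i, m in enumerate(MESSAGES)]
        for packet in hostile_router(sent):
            rx.receive(packet)
        return rx.delivered, rx.rejected
    # Without a MAC the far end has nothing to check, so it accepts it all.
    sent = [HEADER.pack(i) + m for i, m in enumerate(MESSAGES)]
    return [p[HEADER.size:] for p in hostile_router(sent)], 0


if __name__ == "__main__":
    print("plain :", simulate(False))
    print("signed:", simulate(True))
```

In the signed run the rewritten link and the replay never reach the application; the cost is that the original link message is lost, which is the availability loss the paragraph describes.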


Mensch, S., & Wilkie, L. (2011). INFORMATION SECURITY ACTIVITIES OF COLLEGE STUDENTS: AN EXPLORATORY STUDY. Academy of Information and Management Sciences Journal, 14(2).


Vulnerabilities To Be Addressed To Safely Utilize Online Social Networking: Safety Intro

Account safety, network safety, data safety, interaction safety, application safety, and monetary safety; there are a lot of ways to get something damaged through online social networking. Your traffic gets viewed, BAM! Compromised. A third party now knows more about your trip to Florida and you are being successfully phished because of it. Your account credentials get stolen and then the bank account which uses the same information is drained. Online social networking vulnerabilities directly threaten your safety with cyber attack and cyber exploitation. (Mensch & Wilkie, 2011)


Mensch, S., & Wilkie, L. (2011). INFORMATION SECURITY ACTIVITIES OF COLLEGE STUDENTS: AN EXPLORATORY STUDY. Academy of Information and Management Sciences Journal, 14(2).


Saturday, November 10, 2012

Vulnerabilities To Be Addressed To Safely Utilize Online Social Networking: Privacy Protection

Privacy violations can be completely prevented through a single, strict policy: do not post content to online social networking sites. The complete lack of control over disseminated content means that any distribution is a potential redistribution. Damage mitigation can be achieved through one of three fairly disjoint policies. One option is to encrypt posted content and only distribute the key to the trusted recipients out-of-band. This way, if either the first or second of the above privacy violations occurs, the secondary recipients will be unable to view the content. The third violation is still possible, in that the authorized recipient can either forward/post the key or repost the received, but decrypted, content. Alternatively, a policy can treat all, even limited, distributions as full public postings. Anything, and everything, posted should be classified as approved for public dispersal, because each post has the potential to be released publicly (UMUC, 2010). Lastly, any postings of non-publicly releasable content can be performed under careful scrutiny of the social networking site’s privacy settings and released to recipients under a legally binding and enforceable non-disclosure agreement. Such an agreement will still not physically prevent redistribution, but does permit a legal recourse in the event of redistribution.

Of the four policy suggestions to prevent or mitigate the damage from the discussed privacy violation, only one truly maintains the usability of the social networking site. Personal poster responsibility and operating under the assumption of full public disclosure allows the user to continue operating as is expected on the site. Not posting equates to not using the site. Posting only under encryption or a non-disclosure agreement runs significantly counter to the social, as opposed to business, nature and focus of most social networking sites.


UMUC (2010). Cybersecurity Policies in the Private and Public Sector. UMUC CSEC620 Module


Friday, November 9, 2012

Vulnerabilities To Be Addressed To Safely Utilize Online Social Networking: Privacy Risk

The likelihood of such privacy violations is very high, especially when default settings result in a user’s data being exposed to everyone who is connected to their friends. A given user may practice safe social networking, but it is unlikely that every one of their friends does. It only takes one friend making one bad connection for a user’s data, with such protections, to become exposed to dangerous actors. In fact, in the time it took to write this paper, a fake account on Facebook that the author created and used to spam random friend requests was able to become friends with 28 users, even with a public description stating that the account was a test to access their information. To most users, though, the risk is at most medium, as they see a negligible value associated with such a breach, despite the extremely high occurrence rate. This is supported by a reported 30% acceptance rate to complete strangers (Debatin et al, 2009, pp. 87).

The cybersecurity threat posed by the lack of content privacy severely damages the confidentiality of the messages intended for the originally limited audience. In the case of secondary uploading of a poster’s content, there is also a danger to the integrity of the message, because the secondary uploader can manipulate the content and repost it as if simply re-sharing it. The integrity damage has two victims: the recipient of the counterfeit message is damaged by collecting misinformation, and the sender of the original message is damaged because the counterfeit weakens the audience’s view of the sender (Counterfeiting, 2012).


Counterfeiting (2012) Fact Sheets Protecting a Trademark. Global Trademark Research. Retrieved November 3, 2012 from http://www.inta.org/TrademarkBasics/FactSheets/Pages/Counterfeiting.aspx

Debatin, B., Lovejoy, J. P., Horn, A. K., & Hughes, B. N. (2009). Facebook and online privacy: Attitudes, behaviors, and unintended consequences. Journal of Computer‐Mediated Communication, 15(1), 83-108.


Thursday, November 8, 2012

Vulnerabilities To Be Addressed To Safely Utilize Online Social Networking: Unremovable Content

All content posted onto a social networking site is, for the purposes of a technically knowledgeable user, released permanently. Whether that content is in the form of thoughts, images, videos, or otherwise, once it is made available to a second user it is out of the control of the poster. What is often misunderstood, even by those that should know better, as shown by the prohibition on downloading content in the YouTube terms of service (YouTube, 2010), is that all content displayed on the screen of another user has been downloaded by them. That content, technically rather than legally, is then the property of that other user to do with as they will. If it has been viewed, even if the poster tries to delete it, then it has been distributed.

Once distributed, the poster no longer controls where their content is sent and no longer controls how it is used. Social networking sites often provide visibility or access control options which limit the initial distribution, but these do very little to reduce the privacy vulnerability. First, the default settings tend to lean toward open, rather than closed, because “creation and preservation of this social capital is systematically built upon the voluntary disclosure of private information to a virtually unlimited audience” (Debatin et al, 2009, pp. 87). Thus, having users broadcast their content to the greatest audience in turn leads to the most people joining the audience. Secondly, the sites themselves tend to have controls built into them to allow those with viewing permission to directly share that content to an audience of their choosing. Posting content to only be accessed by a select group of people does not limit the audience at all if one of those recipients in turn just forwards the content to the public. Thirdly and lastly, the recipient audience can claim the content as their own and directly post it themselves to the site, or even to a different social networking site. With such a sharing, the sharer may not even provide proper attribution for the content.


Debatin, B., Lovejoy, J. P., Horn, A. K., & Hughes, B. N. (2009). Facebook and online privacy: Attitudes, behaviors, and unintended consequences. Journal of Computer‐Mediated Communication, 15(1), 83-108.

YouTube (2010). Your Use of Content. Terms of Service. Retrieved November 3, 2012 from http://www.youtube.com/static?gl=US&template=terms


Vulnerabilities To Be Addressed To Safely Utilize Online Social Networking: Privacy Intro

Privacy concerns, in online social networking as well as elsewhere, are primarily centered around data control. Before digital content, albums of family photos were accessible to the family and those that were given access to the images. Duplication was time consuming and costly, so surreptitiously doing so was impractical. A viewer keeping the image to view at a later time would be noticed by the owner, because their copy of the image would be physically taken from the album. Digital content has invalidated these assumptions. Data control no longer can be exercised by the owner keeping the original.


Wednesday, November 7, 2012

Vulnerabilities To Be Addressed To Safely Utilize Online Social Networking: Introduction

Online social networking is chock full of cybersecurity vulnerabilities and they are primarily disregarded by the users. For various reasons, users engage in behaviors related to social networking sites in ways that they would not normally perform in the physical realm. Trusting random people while knowing nothing about them. Exposing private data to perfect strangers. Providing intimate details of themselves to the public where the details can be viewed anonymously without the subject even knowing how many times it was viewed. These activities all expose the social networking users to cybersecurity vulnerabilities which pose true risks to them.

This paper will classify each presented vulnerability as a threat to one of the major principles of cybersecurity: confidentiality, integrity, availability. The risks associated with the threats of each vulnerability shall be discussed as well as prevention and mitigation possibilities as encapsulated in policies and procedures. Finally, the impact to customer satisfaction related to the prevention effort is covered.

The full paper in document form.

Sunday, November 4, 2012

Another paper dragging

Monday night I was busy compensating for a disrupted work schedule and Tuesday I had no word processor nor Internet due to a Sandy-related power outage. As such, Wednesday was spent working and taking care of problems caused by 30 or so hours of no power. The end of the week then sprinted up way too fast.

So now I sit here 18 hours before my second individual paper of the semester is due and still typing away. The sections in this paper are turning out much larger than in my previous one, so I will probably post the introduction with a link to the paper instead of posting the whole paper. Sorry if you prefer the fragmented presentation, I don't want to break it up by paragraph and I don't want to publish a post that is four pages long.

Oh man, I'll sleep good and early tonight.

Thursday, November 1, 2012

Mitigating an insider threat

Topic - One of the biggest risks that companies face is advanced persistent threats. Discuss the most effective way to implement policies that mitigate the chance of an insider either taking part in or facilitating an advanced persistent threat. Integrate the concept of separation of duties into your discussion.

Separation of duties requires that there be limits on access and checks on actions. When one person is responsible for overseeing their own work, there is no oversight at all. Failing to sufficiently implement this principle forfeits the guarantee that “a single individual cannot subvert a critical process” (Swanson & Guttman, 1996, p 27).

In the event that an inside actor has the ability to avoid or compromise procedural safeguards, they have a great deal of power to impact any of the three major security traits: confidentiality, integrity, or availability. Kabay and Robertson tell of a disgruntled system administrator who resigned from UBS Paine Webber, but before he left he released a malicious logic bomb of his creation (2002). Since the malicious code deleted files and generally caused chaos in the network, it damaged both the integrity of the data on the network and interfered with the availability of the systems it disrupted.

Such an attack could have been entirely prevented if the saboteur had his accesses properly compartmentalized with mandatory oversight. Disallowing him the ability to both generate code and to release it onto the production systems would have forced the involvement of an accomplice or the use of stolen credentials. Gregg et al recommend not even having compilers available on production systems, which prevents the creation of low level malware on them (2012). This is not a perfect protection by a long stretch, because interpreted scripting languages, like Python, Perl, or Bash, can be used to create malicious scripts directly on the live systems.
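The compartmentalization described above can be audited mechanically. The following is an added example, not code from the cited sources: the role names, account names, and change records are constructed, and the rule that a deployer must hold a `release_manager` role is an assumption made for the illustration.

```python
from dataclasses import dataclass

# Constructed sample data: role assignments for a hypothetical team.
ROLES = {
    "alice": {"developer"},
    "bob": {"release_manager"},
    "carol": {"developer", "release_manager"},  # holds both duties
    "dave": {"reviewer"},
}

# Pairs of duties that one account must never hold together (assumed policy).
CONFLICTING = [("developer", "release_manager")]

@dataclass(frozen=True)
class Release:
    change_id: str
    author: str
    approver: str
    deployer: str

# Constructed sample release log.
RELEASES = [
    Release("CHG-1", "alice", "dave", "bob"),
    Release("CHG-2", "carol", "carol", "carol"),
    Release("CHG-3", "alice", "alice", "bob"),
    Release("CHG-4", "alice", "dave", "alice"),
]

def role_conflicts(roles):
    """Accounts that hold two duties which are supposed to be separated."""
    return sorted(user for user, held in roles.items()
                  if any(a in held and b in held for a, b in CONFLICTING))

def release_violations(releases, roles):
    """Releases in which one person could both write code and push it live."""
    findings = []
    for r in releases:
        reasons = []
        if r.approver == r.author:
            reasons.append("self-approved")
        if r.deployer == r.author:
            reasons.append("author deployed own code")
        if "release_manager" not in roles.get(r.deployer, set()):
            reasons.append("deployer lacks release role")
        if reasons:
            findings.append((r.change_id, reasons))
    return findings

if __name__ == "__main__":
    print("role conflicts:", role_conflicts(ROLES))
    for change_id, reasons in release_violations(RELEASES, ROLES):
        print(change_id, "->", ", ".join(reasons))
```
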


Gregg, J., Nam, M., Northcutt, S. & Pokladnik, M. (May 5th, 2012) Separation of Duties in Information Technology. Sans Security Laboratory. Retrieved from http://www.sans.edu/research/security-laboratory/article/it-separation-duties

Kabay, M. E. & Robertson, B. (2002). Employment Practices and Policies. In Bosworth et al (Eds.), Computer security handbook. New York, NY: John Wiley & Sons, Inc.

Swanson, M., & Guttman, B. (1996). Generally accepted principles and practices for securing information technology systems (pp. 800-14).

Mobile Device Impact on Network Analysis

Topic - As new technology becomes adopted by organizations, standards must also adapt to meet the change. Using mobile device technology as an example, discuss the differences that will need to be addressed for penetration testing. What about vulnerability assessments?

The changing landscape of technology with regard to mobile computing requires a reassessment of potential access points into a network. Wireless access points were already dangerous, as they extended the accessibility of your network outside of the relative safety of your walls. Connecting a mobile phone to the wireless network directly creates a bridge between the network and the Internet by way of the cellular data connection.

Such a bridge opens up new pathways, and expands existing ones, to be tested via penetration testing.

  • New pathway: ARM Malware. Mobile devices with ARM processors are miniature computers that cannot run the executable binaries which are created for traditional Intel-compatible x86 and x64 processors and desktop operating systems. Analyzing such malware requires a toolset designed for mobile applications. Malware for popular mobile operating systems, iOS and Android, is in the wild and on the rise (Schmidt, et al, 2009).
  • Expanded pathway: Social Engineering. Because the mobile device doubles as a phone, three additional vectors of social engineering attacks are made available.
    1. The most straightforward is simply asking an employee to use their phone to make a phone call.
    2. Spear phishing via SMS can send links to malicious web servers. Due to the reduced character count, there is less room for explanation with the link, which can lead to users being less suspicious of concise messages containing links.
    3. QR Code exploits and links to malicious web servers. Due to the opaque nature of QR codes, a user does not know where they point until they scan them. A malicious QR code sticker can be placed on any number of signs, objects, or such where a target is likely to go (Kieseberg, et al, 2010).
  • Expanded pathway: Man in the Middle. The data connection of the phone to the cell network can be attacked Man-in-the-Middle style by an actor impersonating a cellular base station (Meyer & Wetzel, 2004).

Vulnerability assessments are impacted because it can become very difficult to inventory the systems on the network and to assess their potential vulnerability if the network is suddenly and unexpectedly no longer homogeneous (Bace, 2009). An easy-to-see example of this is a fully managed Windows domain. All of the expected systems run Windows 7, so the VA tools utilized are designed for identifying and scanning Windows 7 systems. When an Android device is connected, it changes the network make-up. Now the VA tools fail to identify all the devices or, even worse, fail to even find all the devices if discovery was being done by reading the expected devices via Active Directory.
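One way to catch the discovery gap described above is to reconcile the directory's list of expected computers against what actually took an address on the network. This is an added example, not part of the original post: the lease log format, host names, and addresses are constructed, and matching on the client-supplied hostname is an assumption made for brevity (a device can claim any name, so a real check would also pin MAC addresses).

```python
import re

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)

# Constructed sample: computer names exported from the directory,
# i.e. the target list a directory-driven scan would use.
DIRECTORY_COMPUTERS = {"WS-ACCT-01", "WS-ACCT-02", "WS-HR-07", "WS-HR-09"}

# Constructed sample lease log: timestamp, MAC, IP, client hostname ("-" = none sent).
LEASE_LOG = """\
2012-11-01T08:02:11 00:11:22:33:44:01 10.0.5.21 WS-ACCT-01
2012-11-01T08:03:40 00:11:22:33:44:02 10.0.5.22 WS-ACCT-02
2012-11-01T09:15:02 00:11:22:33:44:99 10.0.5.87 android-3f9c
2012-11-01T09:47:30 00:11:22:33:44:07 10.0.5.30 ws-hr-07
2012-11-01T10:01:00 00:11:22:33:44:AA 10.0.5.90 -
malformed line
"""

def parse_leases(text):
    """Return (leases, rejected_lines); each lease is a (mac, ip, hostname) tuple."""
    leases, rejected = [], []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and MAC_RE.match(parts[1]):
            leases.append((parts[1].lower(), parts[2], parts[3]))
        elif line.strip():
            rejected.append(line)  # keep unparsable lines visible, do not drop silently
    return leases, rejected

def reconcile(directory, leases):
    """Compare what the directory expects with what actually joined the network."""
    known = {name.lower() for name in directory}
    seen = {host.lower() for _, _, host in leases}
    # On the wire but absent from the directory: invisible to a directory-driven scan.
    unmanaged = [lease for lease in leases if lease[2].lower() not in known]
    # In the directory but never seen: stale objects that pad the target list.
    stale = sorted(name for name in directory if name.lower() not in seen)
    return {"unmanaged": unmanaged, "stale": stale}

if __name__ == "__main__":
    leases, rejected = parse_leases(LEASE_LOG)
    report = reconcile(DIRECTORY_COMPUTERS, leases)
    for mac, ip, host in report["unmanaged"]:
        print(f"not in directory: {host} {ip} {mac}")
    print("never seen on network:", report["stale"])
    print("unparsed lines:", rejected)
```
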


Bace, R.G. (2009). Vulnerability assessment. In Bosworth et al (Eds.), Computer security handbook. New York, NY: John Wiley & Sons, Inc.

Kieseberg, P., Leithner, M., Mulazzani, M., Munroe, L., Schrittwieser, S., Sinha, M., & Weippl, E. (2010, November). Qr code security. In Proceedings of the 8th International Conference on Advances in Mobile Computing and Multimedia (pp. 430-435). ACM.

Meyer, U., & Wetzel, S. (2004, October). A man-in-the-middle attack on UMTS. In Proceedings of the 3rd ACM workshop on Wireless security (pp. 90-97). ACM.

Schmidt, A. D., Schmidt, H. G., Batyuk, L., Clausen, J. H., Camtepe, S. A., Albayrak, S., & Yildizli, C. (2009, October). Smartphone malware evolution revisited: Android next target?. In Malicious and Unwanted Software (MALWARE), 2009 4th International Conference on (pp. 1-7). IEEE.