it-security

Russian Photographer’s Experiment Destroys the Illusion of Privacy

Russian photographer and art student Egor Tsvetkov used his own photos and a facial recognition app to destroy any illusion of privacy we might have with his latest project “Your Face is Big Data.” 

First, he took photos of about 100 strangers on the subway. 

“The people did not react in any way,” said Egor, “although I was quite obviously photographing them.” 

Then came the main step. He put his photos into an app called FindFace to see if it could identify the people he had taken pictures of on Russia’s main social media site VKontakte. Long story short: the app did VERY well. He was easily able to identify 70% of the people he photographed, even though many of them looked (or at least their expressions looked) vastly different on the subway than in their social media profile pictures. 

The message Egor is trying to convey is simple: “My project is a clear illustration of the future that awaits us if we continue to disclose as much about ourselves on the internet as we do now.” 


Fun fact: the security forces have been able to do this for years. #Hate it!

Getting To Swift Cyber Justice

The first Department of Defense Strategy for Operating in Cyberspace is out (July 2011).

Of course, like the plans that came before (e.g. Cyberspace Policy Review), it emphasizes the imperative for cyberspace protection. Some highlights:

  • “DoD is particularly concerned with three areas of potential adversarial activity: theft or exploitation of data; disruption or denial of access or service…; and destructive action, including corruption, manipulation, or direct activity that threatens to destroy or degrade networks or connected systems.”
  • “Cyber threats to U.S. national security go well beyond military targets and affect all aspects of society. Hackers and foreign governments are increasingly able to launch sophisticated intrusions into the networks and systems that control civilian infrastructure.”
  • “Every year, an amount of intellectual property larger than that contained in the Library of Congress is stolen from networks maintained by U.S. businesses, universities, and government departments and agencies.”

The strategies for cyberspace protection in the DoD plan include treating cyberspace as an operational domain; innovation; partnership; and so on. But we need to leverage our strengths even more.

As the Wall Street Journal pointed out on 15 July 2011: “The plan as described fails to engage on the hard issues, such as offense and attribution.” If we can’t even identify who’s attacking us, and fight back with precision, then we’re flailing. Some may express the concern that we would have all-out war by attacking those who attack us. However, what is the alternative besides confronting our aggressors?

The concept of operations is straightforward: any computer device used to attack us would immediately be blocked, countered with equivalent or greater force, and taken out of play. This means getting past cyber-bot armies to the root computers that initiate and control them, and dealing with those decisively. This would hold regardless of the source of the attack, individual or nation-state.

The DoD plan acknowledges our own unpreparedness: “Our reliance on cyberspace stands in stark contrast to the inadequacy of our cybersecurity.” As in the Cold War, there must be no doubt in cyber warfare (as with nuclear) of our ability to inflict devastating second-strike or preemptive attacks with deadly precision.

Until we have unambiguous hunter-killer capability to identify and locate perpetrators of cyber attacks against us and the ability to impose swift justice, we are at the mercy of our aggressors. We can only have peace in cyberspace when we have the strength to stand up and defend it.

Now we must move with cyber speed to build this capability and stand ready to execute our defenses. Admiral Mike Mullen was quoted this week (18 July 2011) in Federal Times as saying: “The single biggest existential threat that’s out there is cyber… It’s a space that has no boundaries. It has no rules.”

We must become even better–much better!
Essay time!

This is a submission for my ITsec Law class…not sure if I can post this yet without getting in trouble…I really don’t care.

Backdoors to Encryption Programs – Where and why they fail

With the ever-changing information landscape, it is not uncommon for governments to seek ways to control communication in the interests of both law enforcement and national security. One piece of legislation here in the US, first proposed in 2001 and again in 2010, would require vendors of encryption software to build back doors into their products and to disclose those back doors to the government. This has several flaws, from the inherent security risk of leaving easily exploitable holes to hindering businesses’ protection against competitive spying. It also leaves our communications wide open for adversarial countries, such as China, to eavesdrop.


Virtualization and Enterprise Architecture

“[Virtualization is] a technique for hiding the physical characteristics of computing resources from the way in which other systems, applications, or end users interact with those resources. This includes making a single physical resource (such as a server, an operating system, an application, or storage device) appear to function as multiple logical resources; or it can include making multiple physical resources (such as storage devices or servers) appear as a single logical resource.” (Mann, Andi, Virtualization 101, Enterprise Management Associates (EMA), Retrieved on 29 October 2007 according to Wikipedia)

Virtualization places an intermediary between consumers and providers; it is an interface between the two. The interface allows a multiplicity of consumers to interact with one provider, or one consumer to interact with a multiplicity of providers, or both, with only the intermediary being aware of multiplicities. (adapted from Wikipedia)

ComputerWorld, 24 September 2007, reports in “Virtual Machines deployed on the Sly” that according to an InfoPro survey “28% of the respondents said they expect that half of all new servers installed at their companies this year will host virtual applications. And about 50% said that, by 2010, at least half of their new servers will likely host virtual software.”

What are the major concerns in going virtual?

  • Service levels—users are concerned that performance will suffer without having dedicated hardware to run their applications.
  • Security—there is concern that application and information security will be compromised in a virtual environment.
  • Vendor support—“some vendors won’t support their software at all if it’s run on virtual machines.”
  • Pricing—pricing for software licensing utilized in a virtual environment can be higher due to added complexity of support.

From a User-centric Enterprise Architecture perspective, plan on moving to virtual machines. There is potential for significant cost savings from consolidating IT infrastructure: reducing the number of servers, reducing related facility costs, increasing overall utilization rates of machines, and balancing loads to achieve greater efficiency. Soon there will be no need for a dedicated server to host each application.

Which cities are vulnerable to cybercrime in 2012?

A new survey by Norton lists the 10 cities most vulnerable to hacking attacks. Each city was ranked according to the number of computers and smartphones used in it as well as its Wi-Fi hotspots. Manchester appears to be the most dangerous city in terms of exposure to cybercrime, while Vancouver is […]

Read more »»» http://dlvr.it/1FTrs8

Security Tips

     First let me introduce myself.  I am Josh Roseberry of Greensburg, Indiana.  I have lived in this small town my entire life.  I made the so wise decision to attend online courses at Phoenix University.  Yes, I realize Phoenix is not exactly a well-respected school.  I also realize online courses don’t gain a lot of respect either.  I spend a good portion of my time studying Information Technology concepts.  I am pursuing my Bachelor of Science in Information Technology with a focus on Networking and Telecommunications.

     I currently live in a one-bedroom apartment complex.  This makes wireless security a bit of a concern for me, as all my devices are currently wireless.  I currently have a Cisco® Linksys WRT320N Dual-Band Wireless-N Gigabit router.  I do use WPA2 security mode, yet with a recent firmware upgrade I no longer have the choice to select encryption and authentication protocols.  This is a shame because I do prefer TKIP over AES.

     I can provide some tips.  If you live in a crowded area and are concerned about other people getting into your network through a wireless router, follow some of these steps.  Make sure you use a strong passphrase.  It should be between 8 and 10 characters long and include both upper- and lower-case letters as well as numbers.  To take the security higher, throw in some special characters as well.  Some special characters that are commonly used are $%#@^&.

     The next step is to use MAC filtering and reservation.  On my home network, only MAC addresses I enter into the wireless MAC filter will be allowed wireless access.  Adding a DHCP MAC reservation for those MAC addresses will give you an idea of what is connected to which IP.  This takes a bit more setup but is perfect for smaller networks.

     While these tips should be common sense to IT experts, not all consumers are aware.  I will be back later with some more tips.

computerworld.com
Facebook's Timeline will be boon for hackers - Computerworld

Because people often use personal information to craft passwords or the security questions that some sites and services demand answered before passwords are changed, the more someone adds to Timeline, the more they put themselves at risk, said Wisniewski.

As always, our mish-mash approach to IT security leaves us vulnerable to social engineering.  In this case, one of the greatest weaknesses is the “secret question” formula where we’re asked to give up our mother’s maiden name or our high school mascot in case we are unable to remember our password.  These are questions with finite, guessable, or easily researched answers, and they serve as a kind of “password lite” into our accounts.  But we can’t make up bogus answers without facing the possibility of being locked out of those accounts forever.  The answer, the REAL answer, is to stop using fucking passwords and use an assured identity token.  Kinda like, you know, your debit card (don’t use those for this, though).  

FDCC and Enterprise Architecture

Setting standards helps us reduce complexity, contain costs, build interoperability, and secure the enterprise.

The Air Force is leading the way in setting standard configurations for the Federal government for computers, servers, printers, and cell phones.

Government Computer News, 4 August 2008, reports that “The Air Force started taking delivery in July on the first of 150,000 new PCs…the first to come equipped with their Windows Vista operating systems, including Internet Explorer 7, preset to meet Federal Desktop Core Configuration (FDCC) 2.1 standards.”

The FDCC is an outgrowth of the Air Force’s IT Commodity Council (ITCC) “efforts with Microsoft in 2006 to test and develop a standard software configuration.” This was coordinated with NIST, NSA, DISA, and other agencies. Further, OMB “required agencies to implement FDCC’s Windows XP and Vista standards by Feb. 1, 2008.”

Now ITCC is working with DISA, NSA, Army, Navy, Marine, and Coast Guard to build Server configurations. Microsoft is taking these base configurations and “will develop configurations for ‘roles placed on top,’” says Michael Harper, Microsoft Service Director.

“Those will include the file and print servers, the domain controller, Exchange, SQL server, SharePoint, Web, and Windows deployment services.”

FDCC is “forcing the software industry to pay greater attention to the default settings of its products.” This helps reduce security vulnerabilities and costs.

Some examples of reducing costs and achieving other benefits from FDCC include:

  • “Preinstalling software at the factory rather than retrofitting a machine.”
  • Reducing energy costs by “preconfiguring Vista’s energy management settings.”
  • “Streamlining the number of…device categories.”
  • “Standardizing…software…makes it easier to manage network and document security.”

FDCC has been so successful that ITCC is now moving forward with doing the same standardization for mobile devices.

FDCC is a step forward in terms of inter-agency collaboration, working with the vendor community, and creating an enterprise architecture that hits the mark for improved IT planning and governance.

Internet Apocalypse and Enterprise Architecture

It is the 21st century and we are a nation dependent on everything internet. We rely on the internet for communications, like email, text messaging, and even voice over IP. We also use the internet for getting news and information, social networking, storing and sharing blogs, videos, music, and photos, accessing various applications, shopping, and conducting financial transactions.

What happens if the internet is attacked or otherwise fails us?

This is the question asked in ComputerWorld, 21 January 2008: “If the internet goes down will you be ready?”

ComputerWorld states: “It’s likely that the internet will soon experience a catastrophic failure, a multiday outage that will cost the U.S. economy billions of dollars. Or maybe it isn’t likely. In any case, companies are not prepared for such a possibility.”

The Business Roundtable says: “The threat is ‘urgent and real.’ There is a 10% to 20% chance of a ‘breakdown of the critical information infrastructure’ in the next 10 years brought on by ‘malicious code, coding error, natural disaster, [or] attacks by terrorists and other adversaries.’”

What will be the effect of a major internet interruption?

“An internet meltdown would result in reduced productivity and profits, falling stock prices, erosion of consumer spending, and potentially a liquidity crisis.” It would disrupt our everyday ability to communicate, get and share information, work and conduct transactions. And let’s not forget the effect on the human psyche—there would be chaos.

Why have we not prepared ourselves adequately?

The Business Roundtable says that “business executives often fail to realize how dependent they have become on the public network—for email, collaboration, e-commerce, public-facing and internal Web sites, and information retrieval by employees.”

Where are we most vulnerable?

The Internet Corporation for Assigned Names and Numbers (ICANN) says that “the Internet is pretty robust at the physical layer. There are just too many alternate paths available. But the Internet is not so robust at other layers.” Hence, the risk of operating system failures, penetration by worms, and denial of service attacks.

Is there any reason for optimism?

The CIO of Yuma County, Arizona, reminds us that the Internet “having been based on the Arpanet [from DoD] and designed to keep functioning when pieces are broken, it seems less likely that the entire Internet would stop working.”

What can enterprises do to prepare for the worst?

Of course, all organizations need to fully address security concerns in terms of managerial, operational, and technical controls.

They need the best and brightest security personnel.

Additionally, they need to perform regular risk assessments, vulnerability testing, intrusion detection and prevention, back-up and recovery.

They need to have strict access controls, security awareness training of employees and contractors, and an IT security policy.

Our organizations need a commitment to continuity of operations planning (COOP).

ComputerWorld points out that the financial services sector is out in front in making preparations. Here are some of the architectural preparations that financial companies have undertaken:

  • Dedicated networks—“set up dedicated networks independent of phone companies.”
  • Guaranteed diverse routing—“negotiate more aggressively with communications companies to guarantee diverse routing.”
  • Geographic dispersal—“separate data centers and communications centers more widely geographically.”

In general, enterprises need “diversity and redundancy” of communications.

Most importantly, we need to recognize the risks out there and prepare, prepare, prepare.

Planning your career path

If you have just completed your studies, it is time to sit down and think about jobs and a long-term career strategy. We have some tips to help.

1. Your first career plan-of-action is to identify jobs where locals are preferred. Such jobs usually combine some technical expertise (known in HR jargon as “domain knowledge”) and lots of leadership and people-relationship skill.

An example is IT Project Management, such as upgrading all the computers in institutions or building a Web portal for a shopping mall. For that matter, any project management career is highly desirable.

Other areas where it would be much preferable to hire locals include:

  • Managing IT security, Web and social media and computer-based creative tasks
  • Working in the creative and media industries – publishing, Web content design, writing and production, mass media communication, and of course good old-fashioned journalism
  • Training and teaching, counselling, human resource development and social work.

2. Next, identify your own skills and inclinations, which would include those outside of your current school studies. Think of all the things you would dearly love to do even if you have no idea how to do them.

3. Do research on those skill sets that you don’t have but would like to, and find out where you can acquire them. Set out a timeline for how and when you intend to accomplish it.

Note that your timeline is not cast in concrete. It is an evolving plan, and it will have to be amended continually after you’ve graduated and started on your first job.

There are many more tasks and challenges ahead in your career strategy planning. The one key message you must remember is to avoid setting out on a career path where the available jobs are often outsourced to foreign talents who may be asking only a fraction of what you expect.

Remote Desktop Services Listening Ports

Occasionally the need arises to allow access to multiple Remote Desktop Services computers from behind a NAT device.  In a small business context this often means allowing access to a Small Business Server whilst allowing users access to a traditional RDS or TS host.

If you’re working on this problem you may well find a number of references to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp … This does work as a solution; however, it’s not advisable. A better option is usually to alter the port mapping on the NAT device itself.  Almost all NAT-capable routers also support port redirection, so start looking there.

The issue is not technical but entirely human.  Forcing the administrators who follow you (and in almost every case there will be an administrator who has to follow you at some stage) to hunt through a myriad of registry keys just to discover your port mappings is bad practice.  If you keep all of your mappings from outside the network in a single location, such as the NAT table of the router, they have only to glance down and locate the appropriate setting.

Also consider whether your external access is really necessary.  Remember that anything that adds convenience to your life also has the potential to reduce your network’s security, and the last thing you want is a quick jumping-off point onto one of your domain controllers.
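An added example (not from the original post) of the audit a successor administrator would otherwise do by hand: it reads the RDP-Tcp PortNumber value (a known value name under the key referenced above, not shown in the post) on a list of RDS hosts, flags any host moved off the default port, and confirms the port answers from inside the network, so the result can be recorded next to the router’s NAT table. The host names are assumed.

```powershell
# Added example, not from the original post. Host names are assumed.
# Reads the RDP listening port each host is configured for, flags any that
# are not the default 3389, and checks the port is reachable internally, so
# the mapping can be documented in one place beside the NAT/port-forward table.
$rdsHosts = @('SBS01', 'TS01')   # assumed host names
$rdpKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

$report = foreach ($h in $rdsHosts) {
    Invoke-Command -ComputerName $h -ArgumentList $rdpKey -ScriptBlock {
        param($key)
        # PortNumber is the REG_DWORD under RDP-Tcp that sets the listener port
        $port = (Get-ItemProperty -Path $key -Name PortNumber).PortNumber
        [pscustomobject]@{
            Host       = $env:COMPUTERNAME
            RdpPort    = $port
            NonDefault = ($port -ne 3389)   # a mapping someone will have to find later
            Reachable  = $null
        }
    }
}

# From the admin workstation, confirm each configured port actually answers
foreach ($row in $report) {
    $client = New-Object System.Net.Sockets.TcpClient
    try     { $client.Connect($row.Host, [int]$row.RdpPort); $row.Reachable = $true }
    catch   { $row.Reachable = $false }
    finally { $client.Close() }
}

$report | Sort-Object Host | Format-Table Host, RdpPort, NonDefault, Reachable -AutoSize
# Anything flagged NonDefault is a setting the next administrator would have
# to dig out of the registry; record it with the NAT table, or move the
# distinction to the router's external-port mapping instead.
```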

theregister.co.uk
Hackers break SSL encryption used by millions of sites • The Register

Theory, meet practice.

Instead, BEAST carries out what’s known as a plaintext-recovery attack that exploits a vulnerability in TLS that has long been regarded as mainly a theoretical weakness. During the encryption process, the protocol scrambles block after block of data using the previous encrypted block. It has long been theorized that attackers can manipulate the process to make educated guesses about the contents of the plaintext blocks.

Significant bug in AMD’s new processors

Matt Dillon (no, not the actor), known as the creator of DragonFly BSD and, earlier, of the file transfer application Diablo (no, not the game), identified a significant problem in AMD’s processors, which AMD itself confirmed. Although the problem does not affect the typical “average user”, nor most use cases, […]

…Read more → http://dlvr.it/1HlBQB

5 Lessons For Implementing Mobility Solutions

[Pictured from Left Kevin Brownstein, McAfee; Andy Blumenthal, ATF; John Landwehr, Adobe; Jack Holt, DoD]

Today, I participated on behalf of my agency at the Adobe Government Assembly: Engage America on a panel for mobility solutions.

I shared the lessons learned from our experience and pilot of mobile devices, including:

1) Be prepared to give the end users as many apps as possible—they want it all just like on their desktops.

2) In mobile devices, size and resolution matter. Although people like miniaturized devices, they want the display of the information and graphics to be clear and visible.

3) Users did not like using a stylus for navigation.

4) Users in the field don’t have time or patience to decipher complicated instruction guides—it’s got to be intuitive!

5) While security is critical, usability is key and it’s a balancing act.
