Showing posts with label Computer Security. Show all posts

Monday, April 29, 2013

INFOGRAPHIC: Twacked! When good Twitter accounts go bad.

Given how much communicating we do via social media, on topics both personal and professional, and how permanent the content we post is, it should be no surprise that social media accounts are being sought out more and more by nefarious parties. The question is: what are you doing to protect your account?


Saturday, March 16, 2013

VIDEO: Security Threats by the Numbers - Cisco 2013 Annual Security Report


The kind folks at Cisco published their Annual Security Report. What I like about what they did is they chose to publish in a video infographic format. As you can tell, I'm a HUGE fan of infographics. However, if you're a stickler for PDF reports, I'll have a link below the video of the entire report.

Some interesting facts:
  • Global cloud traffic will increase sixfold over the next five years, growing at a rate of 44 percent from 2011 to 2016.
  • Only one in five respondents say their employers do track their online activities on company-owned devices, while 46 percent say their employers do not track activity.
  • 90 percent of IT professionals surveyed say they do indeed have policies that prohibit company-issued devices being used for personal online activity—although 38 percent acknowledge that employees break policy and use devices for personal activities in addition to doing work.
  • Cisco’s research shows significant change in the global landscape for web malware encounters by country in 2012. China, which was second on the list in 2011 for web malware encounters, fell dramatically to sixth position in 2012. Denmark and Sweden now hold the third and fourth spots, respectively. The United States retains the top ranking in 2012, as it did in 2011, with 33 percent of all web malware encounters occurring via websites hosted in the United States.
To read more of the report, click here.

Saturday, February 2, 2013

INFOGRAPHIC: Everything You Ever Wanted To Know About Facebook Security

I found this infographic on Pinterest.com.  Some of this may be old news.  In light of what we know about Twitter's latest data breach, I wonder how Facebook has fared under similar attacks.  If you have any knowledge or even a broad understanding, we would welcome any commentary you might have.

Source: scribd.com via Return on Pinterest

Monday, December 17, 2012

HACKED: Anonymous Keeps Its Word and Pwns Westboro Baptist Church

As I reported yesterday, the hacker consortium known as Anonymous has targeted the members of Westboro Baptist Church.  The church announced, after the tragic events of 12/14/2012, that it would be picketing the funerals of the victims.  Anonymous, along with the rest of the world, took this a bit personally and announced it would be lashing back.  It began with a release of personal information on Westboro Baptist Church members and leaders.  Most recently they decided to hack the church spokesperson's Twitter account, and the resulting tweets have provided an insight into how the "hacktivist" organization may have found some redemption.

Check out the "tweets" from @DearShirley - the account hacked by Anonymous.

They've even called on the White House to declare Westboro Baptist Church a "hate group":

Even politicians got in the mix:
I'll be checking out the feed some more over the next few days.  It's bound to get even more interesting.

Sunday, December 16, 2012

VIDEO: Wi-Fi Security by disconnecters

I found this little gem on YouTube. Give it a look. It's certainly very interesting to see the relative ease with which someone can break into Facebook and other social media accounts. Here's the description from the folks at Disconnect on YouTube:

See how your Google and Facebook accounts can now be broken into through social widgets and see a new feature in Disconnect that protects you. Get Disconnect at https://disconnect.me/.
Contents:
  1. Wi-Fi Snooping (https://youtu.be/g5mFbgxMHqQ?t=26s)
  2. Widgetjacking (https://youtu.be/g5mFbgxMHqQ?t=1m32s)
  3. Disconnect Security (https://youtu.be/g5mFbgxMHqQ?t=4m10s)
Disclaimer: While we think understanding how quickly and easily a nonexpert can compromise your security is important, the attack shown in this video may be considered wiretapping where you live and shouldn't be tried at home except with consent!
Credits: Written by Brian Kennish. Filmed and edited by Dan Kwon. Animated by Brian Kennish and Dan Kwon. Music (http://soundcloud.com/folkmusicforrobots/widgetjacking) written and recorded by Brian Kennish. Portions filmed at Coffee Adventure in Milpitas, California (https://www.facebook.com/pages/Coffee-Adventure/361643370157).

Thursday, December 13, 2012

Cyber Defense: The facts associated with the hacker mindset

I made a really awesome contact with Terry Beaver, a cyber security expert to say the least.  During a recent conversation on LinkedIn, he directed me to his blog, Cyber Integrity.  I was immediately impressed by the first article I saw.  I've included the link to the article and his blog throughout so you can check him out.  Terry, thanks again for continuing to push innovation in the cyber security realm.
The facts associated with the hacker mindset:
  1. Modern computers are finite state machines – they do not “think.” Hackers are highly intelligent and well skilled at their craft. We must respect that fact.
  2. Information is a commodity and tradeable.
  3. What man can conceive – man can and will hack.
  4. Retrofitting security onto existing platforms always fails – notwithstanding that most security systems were not designed from the inside out beginning with understanding the hacker culture and methods.
  5. Teenagers have far more time and more energy than adults and will focus on what is cool. The good hack is very cool. Bragging rights are cool.
  6. While this statement was being written, attack vectors were exploited all over the world.
  7. In the commercial world, security is considered not a revenue generator but a revenue drain. In government, it takes second place to red tape. Too many government and business leaders are indifferent to security and at best, it is an afterthought laden with reactive vs. proactive behaviors.
  8. Hackers operate under a meritocracy – clue matters more than prestige and points are scored with their peers for successful hacks.
  9. Information has a shelf life and is subject to being exploited for hacker benefit.
  10. Intellectual property and sensitive data is a means for me to support my lifestyle.
Postulates of a Hacker:
  1. Understanding how things work is an advantage over ignorance.
  2. Curiosity and ego are more powerful motivators than money.
  3. Nationalism is more important to hackers than ‘props’ (AKA don’t hack where you live – PRC is an exception).
  4. Not all people are rational, therefore choices are not predictable.
  5. Finding flaws and vulnerabilities requires an unstructured approach, out of the box thinking. This is contrary to a U.S. Government cleared engineer who follows structured guidelines.
  6. Success is relative to your environment and your alcohol intake or abusive behaviors. Hackers do not follow social norms and are very self-centric in behavior. It may not be disciplined but often the “hack” works.
  7. There are no borders on the Internet.
  8. Accountability is an effective “deterrent” against “insecurity” – applies to you, not I. If you fire me up, I will hit (hack) you.
The Hacker’s conclusions:
  1. If you turn it on and connect it, they will come – and try and take it.
  2. It is curious how very smart and knowledgeable people will beat disciplined trained people and then watch the disciplined ones hide their failures.
  3. The hacker mindset is learned by experience, not by rote or title. Our status is measured on our successes, not on your GSA rating or rank.
  4. Capture the flag is the best paradigm for understanding security.
  5. The race is on to achieve the rapid penetration, not to the organized or disciplined standard or followed policy.
  6. Conventional defenses in “cyber” warfare are easily circumvented and those that set conventional policy are the easiest to hack.
  7. If someone wants to breach your security seriously or badly enough – they will.
  8. The best defense is one that never blinks or sleeps or needs a break, is always on and is real time. Problem is, that is a big challenge for people that have secure benefits, families, run errands for the wife, and go home on holidays and weekends.  Hackers sleep only when they need to.
  9. Closing the barn door after the horse is gone does little good – if one program costs hundreds of millions of dollars to create innovation – and the R&D is acquired with very little work and time by an adversary, then the hack has met its goal and the owner of the R&D and his program has been compromised. It isn’t a simple task, for example, to fund and redesign a modern warfighter component that was years in the making once an enemy acquires your design.
  10. eCommerce is insecure – but so is regular commerce including banking (lead pipe rule).
  11. Advancing and emerging hacker technology always defeats information security policies.
  12. Risk analysis matters more than policies and compliance – stopping an attacker in their tracks on the next hack is far more important than compliance.
  13. There is no accountability for poor security – only excuses.
  14. Competent adversaries exist and are growing in ranks (ATM hacks, Heartland, etc.). Cyber threats are increasing not decreasing.
  15. Confidentiality is a function of time and energy.
  16. Bureaucracies are threatened by people who want to know how things work and hackers demand the right to know.

Monday, December 10, 2012

Cybersecurity | Senator Lieberman speaks before Senate about the need for cybersecurity legislation by JoeLieberman

The U.S. Senate Wednesday rejected a second chance to move forward with critical cybersecurity legislation supported by top-ranking members of the nation's intelligence, national, and homeland security communities. By a vote of 51-47, the Senate failed to approve a procedural motion to end debate on the bill, S. 3414, and move to a final vote. Read the full text of the Senator's statement here: http://www.lieberman.senate.gov/index.cfm/news-events/news/2012/11/senate-rejects-second-chance-to-safeguard-most-critical-cyber-networks-protect-economic-national-security

Senator Feinstein on Cybersecurity by SenatorFeinstein

Senator Dianne Feinstein spoke on the Senate floor on Nov. 12, 2012, about cybersecurity and the need to protect the United States from devastating cyber attacks.

Sunday, December 2, 2012

South Carolina Governor Discusses Cyber Intrusion by ThePentagonChannel

South Carolina Governor Nikki Haley talks to TPC anchor SSgt Josh Hauser about South Carolina's recent cyber intrusion and what help is out there for those affected. http://www.dvidshub.net/video/192098/south-carolina-governor-discusses-cyber-intrusion

Tuesday, November 20, 2012

The Power of Sound In Security

So, I don't have my hover-board nor my flying car. However, we have seen numerous technological feats within the security industry. Whether it be BRS Labs' use of artificial intelligence to "learn" and detect human behavior via CCTV feeds or the ever-changing world of biometrics, we have witnessed some very interesting and promising tech tools for the industry. Some of them we have featured here at The Security Dialogue.  The other day I came across the Twitter feed for Audio Analytic, a UK-based company which has developed a new dimension to the electronic security world.

Being the curious soul that I am, I contacted Audio Analytic about an interview to learn more about their products.  I spoke with Dr. Christopher Mitchell (PhD), Audio Analytic's CEO and Founder.  Going over his LinkedIn profile and other information I gathered from the Internet, I was drawn to Dr. Mitchell's extensive knowledge of sound information and signal processing.  He has received training at Harvard and is an NCGE Fellow.  I digress.

Using audio in security applications is nothing new. Sonitrol was the first and remains the only company using audio as part of its monitoring service. So I asked what the difference was between this and what we've traditionally seen done with sound in our industry.  Dr. Mitchell replied, "Where Audio Analytic differs is that it does not capture a sound and then trigger an alarm at a monitoring station based on audio level for a human to interpret." Audio Analytic analyses the sound looking for specific sound patterns that can be used to raise an alert into an existing piece of security equipment such as an IP camera or VMS. The sound is treated as data rather than as a recording or real-time stream of sound.

What surprised me was the breadth of sound the software can detect.  Dr. Mitchell said it currently looks for sound in four categories - glass breaks, signs of aggression, car alarms, and gun shots. As you can imagine, glass breaks, gun shots, and car alarms didn't trigger as much interest as "aggression".  We've seen glass break and gun shot detection in various forms.  In law enforcement, ShotSpotter has become the latest in a growing use of sound analysis technologies.  When asked how they detect "aggression", Dr. Mitchell stated they look mostly for changes in pitch and for sounds attributed to aggressive behavior. Applications where you might see this deployed are lone workers, hospitals, convenience stores, and other places where any sign of aggressive behavior would need to be detected and mitigated as soon as possible.

Speaking of deployments, given the vast array of sounds Audio Analytic could possibly detect with applicable algorithms, it is not surprising to imagine the customers and applications extend far beyond the traditional security realm.  When pressed about this, Dr. Mitchell was quick to inform me they had been contacted by various entities who also recognize its potential and whose specific requests could not be discussed.

Knowing many of our customers are particularly liability conscious, I also inquired as to its implications for privacy. Dr. Mitchell explained the software "analyzes the sound as bits of data".  Therefore, there is no ability within their software to "hear" the data being analyzed.  That capability would need to be added by a secondary piece of software or hardware.

Like all analytics, this is purely software that would need to be integrated with existing hardware designed to capture both sound and video. A company that has already integrated many of Audio Analytic's features is Next Level Security Systems, an integrator offering a full suite of security services. NLSS' Gateway Security Platform provides "Audio Analytic with Glass Break Analytic and optional Gunshot, Aggression and Car Alarm packages", among a slew of other features.

Overall, I am quite impressed with what I see being developed in analytics, and Audio Analytic's software is no exception.  I can only imagine its applications and deployments as it continues to develop.  One of the greatest problems we face in security is false alarms.  Audio Analytic has the ability to look deeper into the environments we protect and aid us in determining more accurately the difference between the benign and an actual threat.  Dr. Mitchell said it best: "In the security world, we have affection for silent movies".  Perhaps it's time we move on.  As I stated before with BRS Labs, I have seen the future and it's now.

Wednesday, December 14, 2011

What happens online - NEVER stays there....

Pay VERY close attention to what I have to say:
  1. The information you see below is not stored on our site and is only visible to you.  I found this site while looking for resources on background check (mostly locating skips).
  2. The information was compiled from data (i.e., the torrent files you downloaded and your IP address) that your computer provided when you, someone in your home, or someone who gained access to your WiFi network downloaded those files.
  3. I am publishing this tool with the hope people will gain a better insight into how their activities can and are being monitored on the Web via information they provide sometimes unknowingly.
  4. There is a removal tool.  However, it only removes your information from their site.  I HIGHLY, HIGHLY, HIGHLY suggest you use it and never have a need for it again.

Wednesday, November 30, 2011

HOT!!:: FREE ONLINE CRYPTO CLASS AT STANFORD

So when Ivy League schools give FREE classes in cryptography, I don't waste any time in signing up.  Looks like Stanford University is doing just that.

Here's some info direct from the FAQ section:
When does the class start?
The class will start in January 2012.

What is the format of the class?
The class will consist of lecture videos, which are broken into small chunks, usually between eight and twelve minutes each. Some of these may contain integrated quiz questions. There will also be standalone quizzes that are not part of video lectures, and programming assignments. There will be approximately two hours worth of video content per week.

Will the text of the lectures be available?
We hope to transcribe the lectures into text to make them more accessible for those not fluent in English. Stay tuned.

Do I need to watch the lectures live?
No. You can watch the lectures at your leisure.

Can online students ask questions and/or contact the professor?
Yes, but not directly. There is a Q&A forum in which students rank questions and answers, so that the most important questions and the best answers bubble to the top. Teaching staff will monitor these forums, so that important questions not answered by other students can be addressed.

Will other Stanford resources be available to online students?
No.

How much programming background is needed for the course?
The course includes programming assignments and some programming background will be helpful. However, we will hand out lots of starter code that will help students complete the assignments. We will also point to online resources that can help students find the necessary background.

What math background is needed for the course?
The course is mostly self contained, however some knowledge of discrete probability will be helpful. The wikibooks article on discrete probability should give sufficient background.

How much does it cost to take the course?
Nothing: it's free!

Will I get university credit for taking this course?
No.
The course is being taught by Professor Dan Boneh who heads the applied cryptography group at the Computer Science department at Stanford University. Professor Boneh's research focuses on applications of cryptography to computer security. His work includes cryptosystems with novel properties, web security, security for mobile devices, digital copyright protection, and cryptanalysis. He is the author of over a hundred publications in the field and a recipient of the Packard Award, the Alfred P. Sloan Award, and the RSA award in mathematics. Last year Dr. Boneh received the Ishii award for industry education innovation. Professor Boneh received his Ph.D from Princeton University and joined Stanford in 1997.

Here's another look at the link for the class:

http://www.crypto-class.org/

Monday, October 3, 2011

My, how times have changed....Haven't they????....

Saw this gem on Twitter......Can't remember from whom (sorry)......Makes you wonder how far we've come with our perceptions of hackers and the threat they pose......

Sunday, September 11, 2011

Ummm...I think it's safe to say someone might get fired for this one....

Boys and girls, this is something you should NEVER EVER EVER EVER do.....During tonight's Redskins' post-game interviews, this little gem was revealed by one of Fox News' cameras....And blasted all over Twitter.....Safe to say, someone probably got fired....

Thursday, May 22, 2008

Time for a Product Review - IronKey

Let me say I was a bit skeptical at first. But one day, while listening to my favorite podcast - SecurityNow, I became intrigued by IronKey. If you know me, then you know "intrigued" usually means me spending hours on Google learning as much as I can before I put down the cash to buy anything. I did just that.

I'm an avid user of encryption, so I have a slightly above basic understanding of how encryption works. Looking into the product, my first impression was that it was just another USB drive with the software on it. Nope. This thing has the encryption embedded in its hardware. To say the least, I was impressed. The casing is almost indestructible without destroying the chips inside. It even has an aluminum backing, with a very thin overcoat, which you use to engrave your signature in pen. It also has a serial number.

To make it sound even cooler - would you believe this thing has a self-destruct sequence? I'm not talking about Mission Impossible countdowns, but it only gives you ten tries at the passphrase; after the tenth wrong guess it destroys your data, including the encryption keys, making the drive useless. I love this thing. I HIGHLY recommend this product. Did I forget to mention that IronKey also has its own Tor router with Firefox preloaded? Very cool!

Chinese Really Dig Cyberwarfare...You Think?

My ultra-favorite security magazine Security Management has written an article detailing the testimony of certain government officials and contractors before the U.S.-China Economic and Security Review Commission. They informed the panel "that the Chinese government has embraced cyberwarfare and is directing its intrusions at U.S. government and critical infrastructure networks." According to Colonel Gary D. McAlum, director of operations for the Joint Task Force for Global Network Operations,
"The People's Republic of China has concentrated primarily on cyber-reconnaissance, particularly data mining, rather than cyberattacks."

What about all of the attacks originating from China we've been reading about? Don't fret. The Chinese have set a goal of 2050 to achieve "electronic dominance" through attacks on information infrastructure.

While the DoD won't come out and say the world's second largest economy is vying for supremacy through hacking, it did note "a 31 percent increase in malicious activity on its networks from 2006 to 2007." What attraction does cyberwarfare have for such a country as China? It provides anonymity and an "asymmetrical advantage", according to Dr. James Mulvenon, director of advanced studies and analysis for Defense Group, Inc.

Commission Co-chairman Peter T.R. Brookes cited attacks last spring on Estonia, recalling that it wanted to invoke the collective defense clause of the NATO Charter, and said "this is a question of escalation", moving from non-conventional to conventional, i.e. military, responses.

Mulvenon said there's no reason why the United States should restrict itself to trying to deter cyberattacks electronically. His next remark should sound familiar.

"We should ... begin with the premise that we have all the tools of ... national power, and in many cases it might not be to the U.S. advantage to respond to an electronic or cyberintrusion or cyberattack simply in that realm," he said. "We may, in fact, want to take advantage of escalation dominance that we have in other elements of national power, whether it’s military or economic."

CyberCommand anyone? What about this little tidbit from the article?

Michael R. Wessel said he fears that the perimeter security methods such as routers and firewalls used to protect against network intrusion are produced overseas, increasingly in China. "Can we in fact have a secure perimeter," he wondered, "if in fact the Chinese are helping to build that perimeter?"

The nasty Cisco routers keep creeping back into the blogosphere. For more information from Security Management, click here.

Tuesday, May 20, 2008

A new kind of war to fight....

Looks like the US Air Force Cyber Command is looking to establish the same level of superiority in cyberspace that the Air Force has in the skies. The Cyber Command wants a new set of "hacker" tools to conduct both offensive and defensive operations against cyber-based threats which pose a risk to American interests. No word yet on where the headquarters will be. As we hear more and more in the news about the growing murky criminal/hostile terrain that exists online, I suspect we'll see more justification for such units to exist. China has its own unit dedicated to this. Why not us?
