Sunday, May 31, 2015

Reflections

On my blog, I primarily wrote about vulnerabilities or solutions to vulnerabilities or occasionally new cyber security laws. I wrote about the vulnerabilities because I believe that people as a whole can frequently become very relaxed when it comes to security, especially with cell phones. If one person can read what I posted and think “oh, I never even thought about that being a risk or vulnerability, maybe I should take another look at what I am doing” then my job is done. I wrote about new laws because I think it is interesting to watch the judicial and legislative system evolve based on the ever-growing world of technology. I typically used cnet.com as my source because I find their articles to be more captivating than some of the other tech sites. I also used wired.com to gain ideas for this blog. I don’t think this type of blog would be useful to an information security professional because I tend to write about things that are trending now and most tech sites have an article that reiterates what I have written.
A few lessons to the next group of students:
1. Do your work ahead of time or at least get a rough draft of what you will write about. There are times when there isn't too much new news out there for you to write about, so don’t wait until the last minute to start looking.
2. Ask questions if you don’t understand an assignment.
3. You get back what you put into this class. The more you put in the better off you will be in the long run.

Google Security Vault

Google is attempting to make your smart phone more secure. At the end of May, Google came forward with Project Vault, a digital security system in the form of a microSD card called the Vault Card. The Vault Card can protect the personal information of the owner’s phone. It can encrypt messages from an app and provide an additional authentication level so that your device recognizes that you are the owner of the phone. The Vault Card has 4 GB of data and uses NFC, near-field communication, to communicate with devices that are in range. The Vault Card is also compatible with any operating system. The Vault Card is still in the works and is being developed for enterprise companies.

http://www.cnet.com/news/googles-project-vault-is-a-security-chip-disguised-as-an-micro-sd-card/

Thursday, May 7, 2015

Norton Identity Safe

This week I stumbled upon Norton’s Identity Safe, which is a password manager that is absolutely free. While I understand that it is owned by Norton, I still do not feel safe with using any type of password manager. I’ll tell you a little bit about Norton Identity Safe. It offers a desktop client, a web based vault, and apps for both Android and iOS. Norton ID collects and manages log-ins, passwords, and billing and shipping addresses. In addition there is a wallet feature that manages your credit card information. Norton locks your passwords and allows you to quickly access sites without providing log in credentials. I like the idea of the ease and convenience but what happens when it gets compromised? Do I then have 15 passwords to change? I’m not a big proponent of storing passwords in any capacity. But if that is your thing, Norton seems to be doing pretty well at handling that for you. 

http://www.cnet.com/news/manage-your-passwords-for-free-with-norton-identity-safe/

Sunday, May 3, 2015

Bodyprint by Yahoo Labs. A new type of Biometric Authentication?

This week I read about a new biometric scanner created by Yahoo Labs called Bodyprint. The scanner would allow a person to unlock their smartphone using their ear print, fist, phalanges, palm, or fingers instead of a single fingerprint. The reason that there are so many different body parts that can be used is because the scanning device is bigger than a fingerprint scanner. Yahoo Labs is taking the capacitive touchscreen of a smartphone and turning it into a biometric scanner that has a 99.52% accuracy rate while it has a false rejection rate of 26.82%. Even though a capacitive touchscreen cannot capture every single line on a fingerprint, it can detect large prints such as the ear or fist. Bodyprint analyzes touch patterns on the screen as opposed to 2D location mapping like the ones used to track gestures on smartphones now. Bodyprint can even be used by multiple people on one device. The video in the link below shows a device calling for the authentication of two users to gain access to a document. Bodyprint is still in the early testing phases but hopefully this will one day be widely used as a better biometric authentication source.
I like the accuracy rate while it still has a relatively low false rejection rate. At some point in the future I think everything will have some form of biometric authentication because of how easy it is to commit identity theft now. All you really need is a first and last name, address, last four of SSN, and sometimes a phone number. Biometrics is the future of safer transactions in my opinion.

Sunday, April 26, 2015

Obama's Email Hacked?

Earlier in the month, US officials confirmed that there was a cyber-event last year but would not confirm that Russia was involved in the attack. But now a senior American official is stating that the hackers may be working for Moscow. They have stated that the hackers infiltrated the State Department’s unclassified system, and from there got into the email archives of White House personnel whom Obama had emailed regularly. Officials don’t believe that the hackers got into the server that holds messages from Obama’s BlackBerry, nor have the hackers penetrated any classified networks. However, officials said that the unclassified system often holds highly sensitive material such as schedules, emails with ambassadors and diplomats, personnel moves, and debates about policy. Obama’s email account itself had not been breached, but it is unclear how many emails were read that Obama had sent. Even so, the fact that it came from Russia is scary enough. It is unclear what their exact motives were as of yet.

http://www.securityweek.com/russian-hackers-read-obama-emails-report

Amnesty Blog for week 3

Compensation for the Target Breach?

Everyone remembers the Target breach that happened in 2013. It was all over the news and millions of people had to go through quite a bit of trouble to get new credit cards or hurry up and freeze their accounts before anything was taken from them. Well apparently, Target has come to an agreement with MasterCard to help pay for some of those expenses. Target has agreed to pay MasterCard $19 million to cover the cost of replacement cards, new account numbers, and cancellation of the old affected accounts. So far, the agreement is only with MasterCard but Target is currently trying to work something out with Visa as well. The breach affected 110 million customers and 40 million credit cards. No one has been charged with the crime as of late.

http://www.cnet.com/news/target-settles-with-mastercard-for-19m-over-data-breach/ 


This is an Amnesty Post for Week 2

Boeing Vulnerabilities Shown

Remember last week when I told you that the FAA said that Boeing was vulnerable? Well that happened. A security expert named Chris Roberts was on a United Airlines flight when he tweeted “Find myself on a 737/800, lets see Box-IFE-ICE-SATCOM. ? Shall we start playing with EICAS messages? “PASS OXYGEN ON” Anyone? :)” This message essentially translates to the fact that Roberts could get the passenger oxygen masks to deploy. After Roberts tweeted, he was removed from the plane by the FBI and questioned but was later released and allowed to take another flight. Apparently, the company Roberts works for has been telling Airbus and Boeing for quite some time that their aircraft were more than vulnerable to attack. Roberts said that he has tried to connect to flight systems 15 to 20 times and has seen all sorts of things, including the flight management system. At the time, he has not been deemed a security risk and is still allowed to fly. This just goes to show that if you even remotely know what you are doing, you can hack all sorts of things. That is a scary thought.

http://www.cnet.com/news/fbi-pulls-computer-security-expert-off-flight-after-he-tweets-about-hacking-its-systems/

Sunday, April 19, 2015

Hacking a Plane via their Wi-Fi


Boeing had been warned by the FAA seven years ago that its Dreamliner plane’s Wi-Fi was susceptible to hacking. Now, that threat is still very possible. Boeing’s 787 Dreamliner, Airbus A350 and A380 all have Wi-Fi that is available to passengers. This Wi-Fi is also the same network that the avionics system uses. This raises concerns that a flight could be hijacked by a hacker who could be able to take over the navigation system. The system could also be hacked remotely due to a passenger going to a malicious website. In 2008 the FAA told Boeing that the issue had to be fixed before rolling out their new line of planes. Boeing is saying that they are taking steps to fix the problem, possibly with physically air-gapping the networks. Boeing, however, refused to release that information. Overall, this could turn into a very serious situation very, very quickly. All it takes is someone who can breach the network and this could turn into another aircraft tragedy.


http://www.wired.com/2015/04/hackers-commandeer-new-planes-passenger-wi-fi/

Sunday, April 5, 2015



On Wednesday, President Obama put an executive order into action that will allow the Secretary of the Treasury, Secretary of State, and the Attorney General to impose sanctions on cyber attackers that hack into US companies’ or government agencies’ networks. The White House is attempting to make it more difficult for hackers to profit from stolen information. The new executive order would ban individual hackers from traveling to the US as well as possibly imposing sanctions to prevent US companies from doing business with individuals, companies, or countries that are involved in cyber attacking. This executive order is designed to go after the most dangerous attackers and is not meant to be used against the lower level hackers. President Obama has recently made a push to make cybersecurity more of a priority, in the wake of a 50% increase in data breaches since 2013. Obama has also proposed adding $14 billion to the budget in hopes of improving corporate and government cyber security. I think this is the start of making the cyber world more secure and I’m personally glad to see these things happen.

http://www.cnet.com/news/obama-issues-executive-order-to-sanction-malicious-cyber-actors/

Sunday, March 15, 2015

Introduction

Hello InfoSec World!

I am creating this blog for an Information Systems Management class at Bellevue University. I am starting this blog with the intention of covering InfoSec issues that are currently happening. I hope you enjoy reading what is posted here.

Thanks,
Allison