Category Archives: student editorial

Cats Being Used in the IT Field

This year’s Def Con convention showcased a different twist on IT work, one that merged animals and IT. It sounds like a crazy combination, and a highly unlikely one to work well, but it did. Gene Bransfield used his friend’s cat: he attached to the cat’s collar a kit that included a Spark Core Wi-Fi development board and had Internet connectivity wherever the cat ended up going.

Now this may sound stupid, because cats are going to wander around and do whatever they want to do. But the purpose of the experiment was to see how many people had unsecured or weak Wi-Fi in their homes. In simple terms: whose Internet could be easily accessed just from being on their street.

When the cat was sent out, 23 Wi-Fi hotspots were found, and what they revealed was more interesting. Four of the networks were completely open with no security whatsoever, and four were using WEP rather than the WPA2 standard. The purpose of this was to show that people need to be more aware that when it comes to the Internet, you have to have the right safety and protective measures in place. You never know when a cat or dog with a pack on them will be lurking around to see if you have secure Internet.

Top 5 Skills Employers Look For

If you are anything like me, the job hunt following graduation is one of the top stressors currently on your mind. Finding a position that pays well and is what you truly love to do takes a backseat to just getting your foot in somewhere. I often worry that I do not possess the technical knowledge to land even an entry-level position. According to Zachary Scott, NRI Secure Technologies’ VP of business security, “soft skills” are oftentimes just as important to employers as “hard skills.” The following are the top 5 skills that companies look for in entry level computer security employees:

1. Troubleshooting
Troubleshooting skills are vital in all potential candidates. Any detected problem or anomaly can be viewed as something that troubleshooting skills can be applied to. Security pros with exceptional troubleshooting skills can figure out where things are broken, what’s still working, and how to fix the problem. This is vital in the field.

2. Innate Curiosity
Innate curiosity refers to a person’s willingness to dive deeper into a subject. Companies look for potential candidates who want to get deep into an issue and discover not just how to fix it, but what is causing it and to learn the best method to deal with said issue. “This is a trait that can not be learned, but is a monster that needs constantly fed.”

3. Knowledge of the Latest Attack Trends
Computer security is constantly changing and evolving. It is important that candidates have a rudimentary knowledge of how attacks are being perpetrated and who/what the common targets are.

4. Knowledge of the Latest Vulnerabilities
Knowledge of modern vulnerabilities helps employees determine the path that was taken by the hacker pre-breach, and where in the system hackers could be heading. In short, it increases awareness and helps to get a foot up on hackers to help prepare the system against them.

5. Data Analysis and Visualization Creation
In short, employers look for candidates who are able to create and implement systems that monitor and parse the vast arrays of data that enter a system. This is part development and part visionary, in the sense that it helps to be able to plan the system as well as build it.

I can’t stress enough that this is not a be-all/end-all definitive list, but these are areas that graduates and really anyone in the hunt for a job in the IT security field should look into and become familiar with. As I mentioned earlier, as a soon-to-be graduate still looking for a job in the field, tips like these are always helpful. Hopefully they will be of aid to you!

Best of luck!

Spotify Services Hit by Malicious Advertisements

Over the past few weeks, users have been reporting that advertisements inherent in the free version of Spotify have been leading to malware links and even automated malware downloads on a handful of users’ devices. For those who are unaware, Spotify provides its free music streaming service by interrupting streams between songs with commercials and clickable links. The ad revenue generated by this practice makes up for the money lost in allowing the option of free usage of the service.

This practice, known as “malvertising”, has hit numerous companies since “free” subscription options became popular a few years ago. Yahoo, the New York Times, and BBC are three major entities that have been hit by malware-infected advertisements. The problem is relatively common because ad space is typically sold via third-party auctioneers to the highest bidder. If malicious code makes its way through the auctioning process, then it can potentially bypass the screening of the site that it will be advertised on.

Spotify claims that it has looked into the situation and has removed the malicious advertisements but the safest bet for users is to fork over the cash to unlock the premium service.

Ransomware Dundee: A Report on Cyber Crime Down Under

Taking advice from the internet and using it in real-life situations is not usually a lifehack that I would advise; that being said, I am here to offer a bit of advice. If you ever open your mailbox and find a USB flash drive, please do not insert said drive into your computer unless you know who put it there and why they didn’t just deliver it to you directly. This may seem like common sense to most people, but residents of a Melbourne, Australia suburb did not seem to possess this rudimentary level of technological knowledge.

Police in Pakenham, Australia are currently investigating reports from numerous residents that mysterious USB drives have been appearing in mailboxes throughout the community. When inserted into a computer, the flash drive runs a program offering a free Netflix subscription. Once the user initiates the process of signing up for the service, ransomware installs itself onto the machine. For those unfamiliar with the technology, ransomware has become a relatively common method of predatory cyber activity. Ransomware works by encrypting files stored on the user’s computer, then charging the user a fee to unlock their personal files. The ransomware forces the user to pay the fee in Bitcoin so there is no trace as to where the funds are going to or who is receiving them.

So far, only three residents have stepped forward and admitted to being duped into installing the application, though police believe that others have been impacted and are too embarrassed to step forward. Over the past few years, large-scale organizations have been impacted by ransomware and have paid extreme amounts of money to unlock their files. Among the more popular targets of ransomware purveyors are healthcare organizations. One prominent example of this is an attack earlier this year on the Kansas Heart Hospital. Ransomware forced the hospital to pay over $17,000 (minuscule compared to the original request of $3.4 million) to unlock patient and personnel files and then demanded a second payment to unlock the rest of the files that were still being held captive. Experts claim that the ransomware problem will “get worse before it gets better.”

As students, and as humans in general, we love free stuff. Next time you come across a free flash drive in your mailbox, take a second to think of the potential costs that this “free” piece of technology may bring on you. Personally, I’d much rather pay the $10 for a new flash drive than run the risk of obliterating my computer’s integrity for free.

Cybersecurity in the Automotive Industry

Over the past decade or two, RMU has grown into a rather diverse university in regards to the variety of degrees available. With the influx of new technology during this time period, the need for cybersecurity has risen exponentially. RMU’s cyberforensics and information security program has done nothing but grow since its inception. If you were to ask students in the program where their dream job would be, most would probably respond with a government, law enforcement, or financial institution of some sort. If you happen to ask the same question at some point in the near future, you may be surprised to discover students who are looking for work in the automotive industry.

As I mentioned before, the growth of technology and integration of tech into our everyday lives has created new weak points for cyber criminals to exploit. Computers are increasingly being used in vehicles to control and operate basic functions and a number of features, such as remote engine start, can now be controlled through the use of smartphone apps. To combat the risk that modern vehicles are threatened with, Volkswagen is teaming up with Yuval Diskin, the former head of Israel’s intelligence agency. The joint venture was created with the goal of protecting the next generation of cars from hackers. The new company, called CyMotive Technologies, will be primarily run by acting chairman, Diskin, while Volkswagen will possess a 40% stake in the company.

This may be the first time you have heard of a cybersecurity firm dedicated specifically to automotive security, but it won’t be the last. IBM and Harman are two other major companies that have previously invested money in other Israeli firms focused on automotive security. These companies are hoping to restrict and limit automotive hacking while it is still in its infant stages. While we do not know what automotive advances will look like in the future, or what kind of features will become the new standard, one thing can be assumed for sure: the need for competent cybersecurity professionals will continue to increase.

Galaxy Note S7: Is It Safe?

Unless you’ve somehow been able to avoid social media and the news over the past few weeks, there’s a good chance that you’ve heard about the two hottest (literally and figuratively) pieces of recent tech news. I, of course, am referring to the announcement of the iPhone 7/7s and the spontaneous combustion of Samsung Galaxy Note 7 batteries. I won’t waste your time by touching on my opinion of the new iPhone in this article but will instead give you a summary of what is going wrong with the Note 7’s.

When I first heard about the exploding Note 7 batteries, my immediate reaction was along the lines of “just like those hoverboards!” I’m sure we all remember the emails from last year informing students that they were no longer allowed to ride or even store hoverboards on campus grounds. It turns out that the Note 7’s are having the same exact issue as some of the cheaper hoverboard models did.

Much like hoverboards, cell phones utilize lithium ion battery packs as their primary power source. The science behind lithium ion battery packs is fairly simple and has been around for many years. Issues arise when the thin piece of plastic separating the positive and negative ends of the battery becomes punctured. This forces the battery to short circuit and, in turn, forces the point where the separating plastic was ruptured to become the path of least resistance for the electrical current. When this happens, the liquid electrolyte, which makes up most of the battery internals and also happens to be very flammable, heats up. If the electrolyte solution heats up too quickly, it can cause the phone to heat up to an extreme temperature or even explode in rare cases.

As I mentioned before, the Note 7 is by no means the first phone to encounter this issue. The reason that it is affecting Note 7’s in particular is because of too much external pressure during the manufacturing process. The pressure plates used during the manufacturing process squeezed the battery too tightly and forced the positive and negative poles of the battery to come into contact. These poles can only come into contact if the piece of separating plastic is punctured, thus creating the path of least resistance directly between the two poles.

The phone industry is well aware of the potential risks that lithium ion battery packs can cause but most likely will not move away from the use of the packs until a better (affordable) technology comes along. Frankly, the lithium ion route is cheap and relatively safe, so advancement in terms of power supply will only happen when alternatives can be produced cheaply. Samsung is not the only company to have had issues with lithium ion battery technology. Nokia and Apple have both had issues with dangerous batteries in the past (in 2004 and 2009 respectively).

The risk of your battery exploding is very small, but it is better to be safe than sorry. Independent analysis states that fewer than 1,000 of the 2.5 million Galaxy Note 7’s (.01%) that were previously manufactured have experienced issues. Samsung is offering refunds to users who have purchased the faulty Galaxy Note 7’s and has already switched battery suppliers. If you happen to have a Galaxy Note 7, it is in your best interest to return the phone as soon as possible to eliminate potential risk. You will either receive a full refund or you can trade it in for a different Samsung smartphone.

Apple App Store Suffers First Malware Infiltration

I would like to start today’s post with a question to my fellow iPhone-owning students, faculty and staff. How many apps do you have installed on your device? For comparison’s sake, I’ll limit this example to just iPhones. At the time of this post I counted 47 installed on my own device. Now that you have that number for your own device, stop and ask yourself, how many of these apps do I know were written and published using trusted code sets and verified publishers? Would I have installed these apps if I knew that they were not trusted and potentially malicious?

In order to thwart the publication of malicious apps Apple, Inc. has developed stringent policies and review processes around application development for their OS X and iOS platforms. To complement these processes, developers are required to use a specific software development package called Xcode.

Earlier this week Apple News announced that it had found that an unprecedented number of apps had made it past the review process, were published to the App Store, and were subsequently downloaded. To put this in perspective, “Prior to this attack, a total of just 5 malicious apps had ever been found in the App Store, according to cyber security firm Palo Alto Networks, Inc.”, says Jim Finkle from Reuters. To be more precise, 344 apps have been discovered by Chinese security firm Qihoo360 Technology Co. to be potentially affected by this attack.

This begs the question: how could this have happened? How could an organization with such strict requirements on app development inadvertently release apps infected with malicious code? The answer to this question lies with the software that we discussed earlier. Essentially, a malicious copy of Xcode was created, also known as XcodeGhost. This framework almost identically mimics Xcode, with the exception that it can be modified to contain malicious code. While this may appear to be a rather simple concept, the underlying logic of XcodeGhost is far more complex, a discussion which deserves its own white paper.

The fundamental issue with XcodeGhost is that it could potentially be used by legitimate app developers without their knowledge. Therefore we can assume that legitimate applications that leverage this malicious framework could be susceptible to SQL injection, XSS, or other client-based security flaws that could result in data leakage from a mobile device. Considering the types of apps that are available for banking, location tracking and social media, the problem of data leakage poses a very large and very real problem.

With that in mind, I think back to the 47 apps I have installed on my iPhone and wonder which apps I have installed that could potentially be vulnerable. Should there be a more strict verification process for app development that evaluates even the underlying development software that is being used? While we could leverage peer review methods or even the use of trusted certificates to avoid these situations we may continue to see these types of threats at a high frequency in the very near future. What do you think? Any discussion is welcome in the comments on how an organization might be able to avoid these situations.

Source:
http://www.reuters.com/article/2015/09/20/us-apple-china-malware-idUSKCN0RK0ZB20150920?utm_source=applenews

MUST READ Article on Cybersecurity

Student Editorial

I hope everyone’s summer has gone well so far, and I hope that everyone is almost ready for another great school year as August nears. The article below is by far one of the best articles I’ve seen/read on cybersecurity. With the pool of both the good and bad guys involved with cybersecurity only continuing to grow, the battle to protect and damage critical infrastructure will continue to rage on. Shawn Henry, current president of CrowdStrike Services and former FBI Assistant Director, discusses how cyber adversaries are adapting and finding new ways to attack. In addition, he discusses the growing issue with China continuing to illegally access the U.S.’s private data, and how our nation must provide a better response to these incidents.  In addition, a few other topics in cybersecurity are discussed.  All in all, this blog post cannot give you all of the detail provided by this marvelous article. Please take the time to read it.

http://www.afcea.org/content/?q=Article-destructive-cyber-attacks-increase-frequency-sophistication#

The New #1 Cyber Security Threat

Starting off on a quick personal note, I will be graduating this May with my degree in Cyber Forensics and Information Security. Robert Morris University has provided more knowledge for me than I ever thought possible. With regard to cyber security, I have learned that the number one threat / weakness is user error. Uneducated people can cause more damage in the blink of an eye than almost any other weakness. That being said, I have discovered that this is almost common knowledge now, even among non-IT people. Organizations have gone to great lengths to educate employees to prevent attacks. Perhaps the number one threat has changed because of this.

When a user sits down at a machine, what is the first thing that they do? They open up a web browser of their choice and check their email, and oftentimes social media as well. These web applications are used billions of times a day by billions of people. If a hacker wants to gain information from a company, planting a bug on these web applications is quite possibly the best way to go. In this case, educating people can only do so much. If you tell employees to not check their Facebook, how long before they break that rule? So the next logical question becomes, why are these web applications so vulnerable?

The biggest reason is that they were not created with security in mind.  The world wide web was created with the idea that it would be a place to openly share ideas and information across the globe in an instant.  Security would defeat this original purpose.  The founders never could have imagined what their creation would become.  It is because of this that web applications have become the number one threat to companies today.  Hopefully those of us who are graduating in a few weeks will someday be able to make a difference in the cyber future.

For more information, check out the link below:

http://www.forbes.com/sites/sungardas/2015/03/12/cyber-security-threats-to-information-systems-today/

My New Shoes: Tips for Software Evaluation and Selection

I have recently been in the market for a new pair of running shoes. To most people, purchasing a new pair of shoes comes without a second thought; I see things a little differently. A good friend once told me that if there are two items worth spending money on, they are mattresses and shoes, because you spend half your lifetime in one or the other. So in search of my new pair of shoes, I found myself evaluating many different aspects of footwear. The materials, quality, fit, purpose, reputation, price, even the level of support and warranty offered by the manufacturer of the shoe all came under scrutiny in my evaluation. Once my criteria were met I was able to make a conscious decision.

At this point, you’re probably wondering what my search for new footwear has to do with anything IT related. Over the past few weeks I’ve been involved in a consultation engagement to select a software solution for an ongoing project at my full-time job. It was during the second proof of concept testing that it dawned on me that my evaluation of this security implementation has a lot in common with my search for my next pair of kicks. Critically evaluating the same areas of concern as my running shoes, I was able to provide greater value to the project by selecting an appropriate solution. In the following sections I’ve selected the three most important factors that I found helpful in both cases.

Purpose:

I found that this aspect of the software evaluation process was the most important of the metrics. Like shoes, purchasing a software solution is meaningless unless it fits its intended purpose. When you think about it, you wouldn’t purchase stilettos for running a marathon… then again, maybe you would, who am I to judge. The point is to select the best piece of software for the intention of its use. There are many good resources from companies like Gartner that show software solutions for many different technology paths.

Fit/Size:

Size is one of the most important aspects of shoe and software purchasing. Of course you wouldn’t purchase a size 4 shoe for a size 11 foot. The fit alone would make the product unusable. In the same respect, purchasing a larger shoe for a small foot may serve a purpose if you anticipate growth to support the purchase of a larger shoe. These same concepts apply to the selection process of software solutions. Let’s say your user base is 100 people: a solution that is only scalable to 20 users will likely underperform and result in system stability issues following implementation. Conversely, selecting a program that is designed for hundreds or thousands of users may result in higher costs and wasted funds. This brings us to our next element of evaluation, cost.

Price:

Whether for shoes, software, clothes or cars, price is likely a factor by which you make your selection. In most cases price negotiation is possible when the software implementation is of a substantial price. However when the software is lower in cost, room for negotiation is sometimes nonexistent. While cost analysis is something that could be compared between both shoe buying and software, there would likely not be any negotiation process for footwear. Ultimately cost of either item is something that will come under the most scrutiny.

Support/Warranty:

Finally, I took the liberty to look into product warranty and support standards. In the case of the shoe purchases I took into account the warranty that was offered by the manufacturer. Shoe manufacturers that offer extended support for the product line often produce a premium product over their competitors. In the world of software vendors, the saving grace lies with the support of the product. When a vendor takes the time and cost to set up a superior support structure around their product, this can speak volumes of the product line and company as a whole. Having premium support and backing for a product will save lots of headaches down the road.

After assessing each point for my software evaluation, I was able to make a conscious recommendation to my customer. The end result was a product that fit appropriately to the user scope and cost less than alternate products. Additionally, the support agreement was suitable for the implementation and ongoing support of the environment. I also purchased my new running shoes; after all of my assessment I ended up with a great pair of shoes that were admittedly more expensive than I budgeted. I suppose that sometimes you get what you pay for.