Category Archives: student editorial

Apple App Store Suffers First Malware Infiltration

I would like to start today’s post with a question to my fellow iPhone-owning students, faculty and staff. How many apps do you have installed on your device? For comparison’s sake, I’ll limit this example to just iPhones. At the time of this post I counted 47 installed on my own device. Now that you have that number for your own device, stop and ask yourself, how many of these apps do I know were written and published using trusted code sets and verified publishers? Would I have installed these apps if I knew that they were not trusted and potentially malicious?

In order to thwart the publication of malicious apps Apple, Inc. has developed stringent policies and review processes around application development for their OS X and iOS platforms. To complement these processes, developers are required to use a specific software development package called Xcode.

Earlier this week Apple News announced that it had found that an unprecedented number of apps had made it past the review process, were published to the App Store, and were subsequently downloaded. To put this in perspective, “Prior to this attack, a total of just 5 malicious apps had ever been found in the App Store, according to cyber security firm Palo Alto Networks, Inc.”, says Jim Finkle from Reuters. To be more precise, 344 apps have been discovered by Chinese security firm Qihoo360 Technology Co. to be potentially affected by this attack.

This begs the question, how could this have happened? How could an organization with such strict requirements on app development inadvertently release apps infected with malicious code? The answer to this question lies with the software that we discussed earlier. Essentially, a malicious copy of Xcode, known as XcodeGhost, was created. This framework almost identically mimics Xcode, with the exception that it can be modified to contain malicious code. While this may appear to be a rather simple concept, the underlying logic of XcodeGhost is far more complex, a discussion which deserves its own white paper.

The fundamental issue with XcodeGhost is that it could potentially be used by legitimate app developers without their knowledge. Therefore we can assume that legitimate applications that leverage this malicious framework could be susceptible to SQL injection, XSS, or other client-based security flaws that could result in data leakage from a mobile device. Considering the types of apps that are available for banking, location tracking and social media, the problem of data leakage poses a very large and very real problem.

With that in mind, I think back to the 47 apps I have installed on my iPhone and wonder which apps I have installed that could potentially be vulnerable. Should there be a more strict verification process for app development that evaluates even the underlying development software that is being used? While we could leverage peer review methods or even the use of trusted certificates to avoid these situations we may continue to see these types of threats at a high frequency in the very near future. What do you think? Any discussion is welcome in the comments on how an organization might be able to avoid these situations.

Source:
http://www.reuters.com/article/2015/09/20/us-apple-china-malware-idUSKCN0RK0ZB20150920?utm_source=applenews

MUST READ Article on Cybersecurity

Student Editorial

I hope everyone’s summer has gone well so far, and I hope that everyone is almost ready for another great school year as August nears. The article below is by far one of the best articles I’ve seen/read on cybersecurity. With the pool of both the good and bad guys involved with cybersecurity only continuing to grow, the battle to protect and damage critical infrastructure will continue to rage on. Shawn Henry, current president of CrowdStrike Services and former FBI Assistant Director, discusses how cyber adversaries are adapting and finding new ways to attack. In addition, he discusses the growing issue with China continuing to illegally access the U.S.’s private data, and how our nation must provide a better response to these incidents.  In addition, a few other topics in cybersecurity are discussed.  All in all, this blog post cannot give you all of the detail provided by this marvelous article. Please take the time to read it.

http://www.afcea.org/content/?q=Article-destructive-cyber-attacks-increase-frequency-sophistication#

The New #1 Cyber Security Threat

Student Editorial

Starting off on a quick personal note, I will be graduating this May with my degree in Cyber Forensics and Information Security. Robert Morris University has provided more knowledge for me than I ever thought possible. With regard to cyber security, I have learned that the number one threat / weakness is user error. Uneducated people can cause more damage in the blink of an eye than almost any other weakness. That being said, I have discovered that this is almost common knowledge now, even among non-IT people. Organizations have gone to great lengths to educate employees to prevent attacks. Perhaps the number one threat has changed because of this.

When a user sits down at a machine, what is the first thing that they do? They open up a web browser of their choice and check their email, and oftentimes social media as well. These web applications are used billions of times a day by billions of people. If a hacker wants to gain information from a company, planting a bug on these web applications is quite possibly the best way to go. In this case, educating people can only do so much. If you tell employees to not check their Facebook, how long before they break that rule? So the next logical question becomes, why are these web applications so vulnerable?

The biggest reason is that they were not created with security in mind.  The world wide web was created with the idea that it would be a place to openly share ideas and information across the globe in an instant.  Security would defeat this original purpose.  The founders never could have imagined what their creation would become.  It is because of this that web applications have become the number one threat to companies today.  Hopefully those of us who are graduating in a few weeks will someday be able to make a difference in the cyber future.

For more information, check out the link below:

http://www.forbes.com/sites/sungardas/2015/03/12/cyber-security-threats-to-information-systems-today/

My New Shoes: Tips for Software Evaluation and Selection

Student Editorial

I recently have been in the market for a new pair of running shoes. To most people, purchasing a new pair of shoes comes without a second thought; I see things a little differently. A good friend once told me that if there were two items that were worth spending money on, it’s mattresses and shoes, because you spend half your lifetime in one or the other. So in search of my new pair of shoes, I found myself evaluating many different aspects of footwear. The materials, quality, fit, purpose, reputation, price, even the level of support and warranty offered by the manufacturer of the shoe all came under scrutiny in my evaluation. Once my criteria were met, I was able to make a conscious decision.

At this point, you’re probably wondering what my search for new footwear has to do with anything IT related. Over the past few weeks I’ve been involved in a consultation engagement to select a software solution for an ongoing project at my full-time job. It was during the second proof of concept testing that it dawned on me that my evaluation of this security implementation has a lot in common with my search for my next pair of kicks. Critically evaluating the same areas of concern as my running shoes, I was able to provide greater value to the project by selecting an appropriate solution. In the following sections I’ve selected the three most important factors that I found helpful in both cases.

Purpose:

I found that this aspect of the software evaluation process was the most important of the metrics. Like shoes, purchasing a software solution is meaningless unless it fits its intended purpose. When you think about it, you wouldn’t purchase stilettos for running a marathon… then again, maybe you would, who am I to judge. The point is to select the best piece of software for the intention of its use. There are many good resources from companies like Gartner that show software solutions for many different technology paths.

Fit/Size:

Size is one of the most important aspects of shoe and software purchasing. Of course you wouldn’t purchase a size 4 shoe for a size 11 foot. The fit alone would make the product unusable. In the same respect, purchasing a larger shoe for a small foot may serve a purpose if you anticipate growth to support the purchase of a larger shoe. These same concepts apply to the selection process of software solutions. Let’s say your user base is 100 people; selecting a solution that is only scalable to 20 users will likely underperform and result in system stability issues following implementation. Conversely, selecting a program that is designed for hundreds or thousands of users may result in higher costs and wasted funds. As such, this translates to our next element of evaluation, cost.

Price:

Whether for shoes, software, clothes or cars, price is likely a factor by which you make your selection. In most cases price negotiation is possible when the software implementation is of a substantial price. However when the software is lower in cost, room for negotiation is sometimes nonexistent. While cost analysis is something that could be compared between both shoe buying and software, there would likely not be any negotiation process for footwear. Ultimately cost of either item is something that will come under the most scrutiny.

Support/Warranty:

Finally, I took the liberty to look into product warranty and support standards. In the case of the shoe purchases I took into account the warranty that was offered by the manufacturer. Shoe manufacturers that offer extended support for the product line often produce a premium product over their competitors. In the world of software vendors, the saving grace lies with the support of the product. When a vendor takes the time and cost to set up a superior support structure around their product, this can speak volumes of the product line and company as a whole. Having premium support and backing for a product will save lots of headaches down the road.

After assessing each point for my software evaluation, I was able to make a conscious recommendation to my customer. The end result was a product that fit appropriately to the user scope and cost less than alternate products. Additionally, the support agreement was suitable for the implementation and ongoing support of the environment. I also purchased my new running shoes; after all of my assessment, I ended up with a great pair of shoes that were admittedly more expensive than I budgeted. I suppose that sometimes you get what you pay for.

Online Gaming Hack

Student Editorial

Activist groups, regardless of which ones you are examining, have a message that they want to get across to the public.  Sometimes it is with regard to religion, or a political figure.  No matter the message, the ultimate goal is to convey this message in a way that gets the public’s attention.  However, there are so many activist groups out there these days that you have to get creative in order to stand out.  A few months ago, an activist group did just that.

It has been a few months since the activist group “Lizard Squad” took down both the PlayStation Network as well as the Xbox Live network. Why target gamers for a message? Stereotypically speaking, they do not worry too much about these kinds of things. However, when the number of gamers affected by taking down their networks is 56 million, I think it is safe to say that you have gained the attention of a huge population of people. It is creative, effective, and depending on your perspective, devastating. What was the message that was so important then?

In reality, this group of hackers are what is known as ‘White Hat’ hackers.  They infiltrate various networks for good intentions.  The Lizard Squad wanted to bring down the gaming networks to show how weak their security really was.  By doing this, it can become public knowledge that Microsoft and Sony, powerhouses in the technology world, still have a lot to learn in the area of security.  Eventually, there is going to be a cyber attack that is much more devastating than that of The Lizard Squad.  One with real consequences.  Hopefully major organizations become aware that there is a problem that needs to be addressed.

For more information on the attack that took place this past Christmas, you can check out the links below:

http://www.nytimes.com/2014/12/29/technology/playstation-network-returning-after-hacking-that-also-targeted-xbox-live.html?_r=0

http://www.independent.co.uk/news/world/americas/what-is-the-lizard-squad-and-what-does-it-want-9945949.html

An Idea for Predicting Future Technologies

Student Editorial

So you want to be the next Steve Jobs, eh? You want to see the future before it happens? You want the ability to determine which ideas will be embraced by the world? Then you must pay close attention to the way things are going, and find the places where the flow is being blocked, or dammed up. Those are the points where new streams are waiting to be formed.

Successful technologies solve problems. Using a flowing stream as an analogy, the water is the public, the people who say, “this product solves my problem, I’m going to buy it.” The current is the way the public is going, the technologies they’re using, and the things they’re doing. Dams in the stream are the problems. They’re causing problems for the people. If you can identify the dams, you’ve taken a big leap in predicting future technologies.

What is the solution to a dam? If you guessed a new stream, you’re right. Most great technologies, if not all, solve problems or improve upon solutions by creating new ways of doing the same thing. Smart phones are a new way of communicating, the wheel was a new way of moving heavy things, sliced bread was a new way of selling the same old bread. All of these new ways simply changed the old ways, usually for the better.

Identify The Dams

Great innovators like Steve Jobs, Thomas Edison, and Bill Gates don’t necessarily solve problems. They have teams of people to do that for them. What they do is find the places in the stream that are dammed up. They predict which future technologies will be embraced by consumers.

The most important thing is finding the problems. If you can find where people are having problems, you’ve won a major battle. Here are a couple examples.

Example #1: New Yorkers

Every day, the New York City subway system is packed with people – much like a can of sardines, maybe a little stinkier. Most of the people are on their way to work. Before tablet computing, the subway people made their commute bearable by reading the New York Times. Tons of people standing shoulder to shoulder reading newspapers, can you see the problem (the dam)? Well, people got pretty smart and began folding their newspapers into little rectangles, approximately the size of an iPad. Of course, this was before the iPad existed.

So, you can see the water was really built up at the dam. It was built up so much that a make-shift solution (stream) had formed. There was an art to folding one’s New York Times just right so that the pages could be turned without disrupting everyone else on the tightly packed train. That’s not a great solution, but it is a solution that showed how badly the water was dammed up. Well, Apple made a new stream when they created the iPad, and the water poured.

Example #2: Teenage Girls in Love

There’s a great song from the pre-Skype era called “Four” by a killer 90s pop punk band named Lit. In that song, there is one very important line – important to this example anyway – it goes, “she hangs our picture by the phone.” Notice the water building up at the dam? You can tell it’s almost overflowing by the make-shift solution the girl has made. The problem, the dam itself, is described perfectly in the chorus of the song, “she doesn’t think we’re gonna make it.” The singer and his girlfriend are having trouble with their relationship, and the fact that they are apart so much is to blame. As a make-shift solution to the problem of not seeing her boyfriend enough, the girlfriend hangs a picture of them by the phone, so she can picture him when they talk.

Someone could have heard this song, and identified the problem, and they would have been able to predict a future technology. It’s almost like video chat was invented by a teenage girl in love. Except, it wasn’t quite as good as video chat. So, when video chat came along, there was plenty of backed up water to flow down the stream, and the companies that built the stream – Skype, Oovoo, Google Hangouts – saw plenty of success.

Where the Dam is About to Flood

So, obviously great technologies solve problems. That’s easy. The trickier part is figuring out which problem is so bad that tons of people will pay for the solution; figuring out where the water is about to spill over the dam. If you can figure out the big problem, you’re more than half way there. You can predict future technologies, future tools. Then all that’s left is solving the problem, or coming up with a better solution, and that is why we go to Robert Morris University!

Information on Stuxnet Virus

Student Editorial

Many of us who study computers, whether it be Cyber Forensics, Information Technology, or Computer Information Systems, know that cybercrime is among us. I would like to bring to everyone’s attention a situation recently in the news, and that is a virus called Stuxnet.

Stuxnet, for those who don’t know, is a worm (a type of computer virus) that was developed to attack Iran’s Natanz nuclear facility (Fingas, 2014). The worm is meant to attack PLCs, which are Programmable Logic Controllers. I hope I grabbed your attention because, yes, this is a very bad infection for controls that can override functions in a nuclear facility. The Natanz nuclear facility has no direct Internet connection, so the virus couldn’t be spread to it via an Internet connection. It is now known that before the virus reached Natanz, it attacked 5 key vendors that affiliate with Natanz and was brought in by one of the employees, or someone who works in the facility.

I know many people don’t care what is happening hundreds of miles away, but according to Kaspersky Labs, the virus has now spread all over the Internet. Since the virus is intended for corporations, it is not a major concern for end users, but companies need to ensure that private data stored on their networks is protected. Many people believe this virus contains American roots (Fingas, 2014). The issue I have with claiming that it has come from America is that there is no proof. Kaspersky apparently can tell you where the rogue code (Stuxnet) has been, but not its origins.

If you would like to read more about Stuxnet, please refer to:

Fingas, J. (2014, November 13). Stuxnet worm entered Iran’s nuclear facilities through hacked suppliers. Retrieved from: http://www.engadget.com/2014/11/13/stuxnet-worm-targeted-companies-first/

http://www.engadget.com/2013/11/30/Recommended-Reading-Stuxnet-fake-memories/

If you would like to discuss this further, please comment below.