It’s your responsibility to stay informed (Blog Post #6)

Democracy cannot succeed unless those who express their choice are prepared to choose wisely. The real safeguard of democracy, therefore, is education.

-Franklin D. Roosevelt

Roosevelt probably wasn’t talking about cyber security when he said that, but his words still hold just as true – to participate in a functioning democracy we must be educated on the issues. Cyber security touches every aspect of our modern lives, from our personal computers and applications to global politics, but ironically, many of us choose to go uninformed about the proceedings in this important field. I’ll go through a couple of important pieces of news from the past couple of years and you can choose if you are “prepared to choose wisely.”

Chinese Shenanigans

Typically when I talk to my peers about this subject I rarely find anyone to be completely uninformed about it. They always have some background on the subject but often it is just the headline. “Is the Chinese government actually attacking US corporations?” “Can we be sure?” “They aren’t really doing that much, are they?” I’ve even heard some misinformed individuals try to tell me that the severity of these escapades is sensationalized.

In 2013, Mandiant released a report officially calling out the Chinese, presenting evidence that, beyond a shadow of a doubt, fingers the People’s Liberation Army (PLA – Chinese military) as the perpetrators of these attacks. Watch the summary below and, if you have time, read the report. If anything is sensationalized, it’s the novelty of this news.

Stuxnet

Among the security conscious, the use of the computer worm labeled “Stuxnet” was one of the biggest and most important events of the 21st century but it continues to astound me how few people have even heard about it. Patrick Clair does an excellent job describing what exactly it was and what it did in the below video.

Analysts speculate that this piece of software set back the Iranian nuclear program by years. It is ironic: of all the people I’ve met who have strong opinions about the politics surrounding the Iranian nuclear program, a disappointing number of them have no idea what any of this is.

Both of these stories are from a couple of years ago; however, important events in the expanding field where public policy and cyber security intersect happen daily. Especially with the presidential election coming up next year, you owe it not just to yourself but to your country to become informed before you cast your vote. If either of these stories surprised you, you’ve got some work to do.

You can be Hacked By Viewing a Webpage (Blog Post #5)

You just got home from school. Excitedly you fire up Firefox and plug in the website’s address. There are a couple of obnoxious advertisements, but it’s more than worth it for all the free web games you heard about a couple of hours ago. You click past a dozen offers to refinance your house and close a plethora of questionable dating advertisements to eventually get to your pinball game. Hours later, your computer starts running slow and you start to realize your computer has caught something nasty. Could simply viewing a webpage compromise your computer? Hint: the answer is yes, but there are plenty of things you can do to protect yourself.

Webpages are constantly fighting to become more eye-catching and more interactive. Plugins like Adobe Flash or Java Applets allow web developers to deliver lots of extra functionality that makes things like moving menus, web games, and even intrusive advertising work. Things like the YouTube player* or games like Bloons Tower Defense rely on plugins to function, so there is no reason to be afraid of them. You should be aware, however, that these plugins also offer a convenient way into your computer for malicious actors. In 2014 alone, Adobe published literally hundreds of vulnerabilities for Flash Player – that’s literally hundreds of ways for the bad guys to mess with a 1-year-old installation of Flash, and many of them could lead to a total system takeover. Like your picture collection and homework? It could be held for ransom. Like your identity? View the wrong web page while running an out-of-date plugin and it could be gone.

The web page does not even have to be built with malicious intent. Something nasty hidden in an advertisement could kick your ass as hard as any other malicious plugin. Reputable sites like Microsoft, Yahoo, and YouTube have all unwillingly hosted malicious ads (malvertising). If you’re hoping to get away from the dangers of the web by staying on reputable sites, you’re at less risk but you’re far from safe.

The most important thing you can do to protect yourself is keep your software up to date. That annoying “update available” popup is meant to be annoying. The only reason nasty code can jump from the web page without your permission is due to bugs in the software. Staying up to date will keep you safe from most malicious stuff in web pages but there is always a chance that you could run into something before the patch is released. In that case, no amount of updates will help you.

Thankfully, you can take some simple steps to protect yourself. Staying away from sketchy sites and keeping your browser up to date is a good start – lowering your exposure will lower your chance of infection, but there is more you can do. Browser plugins like Safe Script or NoScript prevent all scripts from running without express permission. All you have to do is specify which domains (like “Youtube.com”) you want to work, while domains hosting the bad stuff are blocked by default. You can visit that sketchy site without fear of infection. You will have to avoid allowing suspicious domains but otherwise you’re significantly safer.

Overall, it is important to know you are constantly under attack whenever you are online. That said, just realizing this is already a step in the right direction. Keep yourself up to date and use script blocking software and you have nothing to fear.

Educational Outreach is Effective but Underexposed (Blog Post #4)

While our students are passing on paper, we are failing our students. It goes without saying that the ultimate goal of education is to prepare students for their future. While ideologically I wouldn’t say education has any place dictating what this future should hold, it undeniably has a huge part in shaping students’ interests and goals. While we are in a STEM crisis, educators have fallen asleep behind the wheel in their jobs to motivate students into these important fields. Successful educational outreach programs like Cyberpatriot put mandatory education to shame and highlight how much more the educational system can do.

Cyberpatriot is a cyber security competition open to high school students across the nation. The competition has students fighting to secure vulnerable computers while racing against the clock all the while developing valuable skills in cybersecurity and leadership. Besides fostering these skills at an early age, Cyberpatriot also has wider motivations. Tech giants eagerly support this program and others like it not because of the skills it directly teaches, but because of the interest and confidence it fosters in its participants.

As we discussed in my very first post, employers desperately need students interested in STEM fields — so much so that they are willing to donate millions every year to get more prospective employees. For instance, Cyberpatriot’s presenting sponsor, Northrop Grumman, is willing to spend millions each year on its educational outreach programs. While this corporation and others like it frame these programs as altruism, it’s easy to see the correlations between this outreach and their human resources departments’ needs. The bottom line is, corporations are putting their money where their mouths are by trusting education to get students interested in STEM fields like cyber.

There is a hard logic behind this trust. Cyberpatriot is a prime example of how effective education is in guiding career choice. Recently, the Air Force Association (the association behind Cyberpatriot) published a survey of the program’s alumni. They found that nearly 90% of respondents enrolled in a 4-year degree wound up in a STEM-related major. Compared to the national average of 14%, this shows a very obvious trend. Correlation is not necessarily causation; however, the same survey also found that 87% of respondents said the competition somewhat or significantly impacted their education/career goals. It should seem obvious that education is highly effective in getting students into valuable, underfilled jobs like cybersecurity. Unfortunately, these high-paying, fulfilling positions are still starving for applicants.

[Figure: CyberPat majors. Data and visualization credit: Air Force Association]
[Figure: CyberPat careers. Data and visualization credit: Air Force Association]

Some high schools are starting to take notice, but it’s often addressed in half-measure. I remember in my freshman year of high school we had a mandatory technology education class for half of the year. Looking back on it now, the class was obviously a response to the lack of students in technology fields. We rushed between all sorts of technology-related subjects from robotics to agricultural engineering, from electronics to Microsoft Excel. Too little, too late. For every one of these technology classes students are required to take, those same students are also required to take three times the material in both English and history. I’m not saying liberal arts are not important but there should be no question as to why so few students take STEM degrees.

Users Ignore Bad Certificates Way too Often (Blog Post #3)

If you’re anything like most users, you might be actively putting yourself at risk with your web browsing behavior. A study conducted by Berkeley and Google presented at the 2013 USENIX Security Symposium found that Google Chrome users click through 70.2% of all SSL warnings. Although there are occasionally reasons that might warrant bypassing a security warning, if you don’t understand what the warning means, that’s not a decision you should make.

When using the web, have you ever seen a page like any of these?

[Screenshots: certificate warning pages in Microsoft Edge, Mozilla Firefox, Apple Safari, and Google Chrome]

You would think that all the bright colors, bold red text, and strongly worded instructions to abscond would keep users away. Some browsers won’t even let you proceed until you navigate through an “advanced” menu and state you’re going against the browser’s recommendations, but time and again I see people ignore everything. I’ve seen everyone from pilots filling out sensitive paperwork to computer science students skip past these pages without pause only to later admit they had no idea why it popped up.

These pages are each respective browser’s response to a bad certificate. Using some complicated math, websites present the user a certificate to prove they aren’t an imposter. If that certificate does not check out, the browser lets you know, as in the above examples. If you aren’t expecting to see this page, you really should not proceed. There are some common misconfigurations on your end that can cause this type of error, but you should focus on fixing those problems before putting your safety on the line.

One common reason for this error to occur is that your browser does not trust the authority that issued the certificate. For a certificate to be valid, a Certificate Authority (CA) must vouch for/sign the certificate. What if you don’t already trust that certificate authority? Someone else can sign for that authority! By having more-important certificate authorities sign for less-important CAs, a chain of trust is established. Eventually your browser will recognize one of these CAs as it works its way up the chain. Once it finds that trusted link, your browser can trust everything else.

[Illustration: CAs in a chain of trust]

Problems arise when you don’t trust any of the links in the chain. Consumer computers have common root certificate authorities (purple in our illustration) installed by default, but some organizations choose to have their own chain of trust. This practice is common in high-security and military organizations or academic institutions. It is very easy, however, to install additional root CAs, so this should never be an excuse to ignore a warning. Just contact the organization in question and request their root CA.

Another possible reason you might see this warning on a legitimate webpage is that your computer’s clock/calendar is incorrectly set. Certificates are only valid for a set period of time, so if your clock is set wrong your browser might think the certificate is not yet active or has expired. Changing the clock is similarly easy and should be no reason for you to bypass a warning.
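The two benign causes described above (a chain that never reaches a root you trust, and a wrong clock) can be seen in a small model of the walk up the chain. This is an added example, not code from any browser: the `Cert` class, the `check_chain` function and every certificate name and date are constructed for illustration, and the model follows issuer names and validity dates only, without verifying signatures.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str            # name of the CA that vouched for this certificate
    not_before: datetime
    not_after: datetime


def check_chain(leaf, presented, trusted_roots, now):
    """Walk issuer links upward until a locally trusted root CA is found.

    presented:     intermediate CA certs sent by the site, keyed by subject
    trusted_roots: root CA certs installed on this machine, keyed by subject
    Simplified model: names and dates only, no signature verification.
    """
    cert, seen = leaf, set()
    while True:
        if now < cert.not_before:
            return False, f"{cert.subject}: not yet valid"
        if now > cert.not_after:
            return False, f"{cert.subject}: expired"
        root = trusted_roots.get(cert.issuer)
        if root is not None:
            if not root.not_before <= now <= root.not_after:
                return False, f"{root.subject}: root outside validity period"
            return True, f"chains to trusted root {root.subject}"
        seen.add(cert.subject)
        # Self-signed or looping chains, and issuers nobody presented, end here.
        if cert.issuer in seen or cert.issuer not in presented:
            return False, f"{cert.issuer}: issuer not trusted"
        cert = presented[cert.issuer]


# Constructed sample data: an organization that runs its own chain of trust.
ORG_ROOT = Cert("Example Org Root CA", "Example Org Root CA",
                datetime(2010, 1, 1), datetime(2030, 1, 1))
ORG_WEB_CA = Cert("Example Org Web CA", "Example Org Root CA",
                  datetime(2014, 1, 1), datetime(2024, 1, 1))
SITE = Cert("portal.example.org", "Example Org Web CA",
            datetime(2015, 1, 1), datetime(2016, 1, 1))
PRESENTED = {ORG_WEB_CA.subject: ORG_WEB_CA}
DEFAULT_ROOTS = {"Public Root CA": Cert("Public Root CA", "Public Root CA",
                                        datetime(2005, 1, 1), datetime(2035, 1, 1))}
WITH_ORG_ROOT = {**DEFAULT_ROOTS, ORG_ROOT.subject: ORG_ROOT}
```

Installing a root CA makes your machine trust everything that root signs, so get it from the organization over a channel you already trust.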

If it is not a misconfiguration, chances are that the webpage you are trying to view is not what you think. You could be presented false information by the imposter, have any data you enter siphoned away for malicious purposes or even be at risk of a malware infection simply by opening the webpage. Whatever the imposter’s goal, you should want no part of it and you will gain very little by visiting the fake page.

You would think that this would be common knowledge but time and again I see my classmates put themselves at risk bypassing warnings. The unfortunate truth is that people simply are not adequately educated on the subject. This can change but only with your help. Tell your friends to heed warnings and practice safe browsing habits. If you like this post, share it and more than anything, stay cyberfluent.