The End (Blog Post #10)

This post marks the 10th and final post in this blog. Throughout my 9 previous posts I’ve tried to motivate people (not just the experts) to become knowledgeable in the field of cybersecurity. Hopefully you now realize, either through the threats you face on a daily basis or from its geopolitical importance that few people are aware of, that this field needs the attention of everyone – not just the experts. Unlike this blog, the importance of cybersecurity can only grow.

Post #7 should make clear the geopolitical importance of security. Between Stuxnet and China’s escapades into American networks, it should be apparent that these under-exposed actions influence international relations as much as any of the mainstream news.

Similarly, I hope you’ve been able to grow your working knowledge of the field not just to see how it affects the world in general, but how it affects you specifically. There are a lot of threats out there that few people acknowledge. What you don’t know can hurt you. Stay aware of current threats like the news of bad root CAs from Dell and you will be a little more fearful but a lot more secure.

Finally, I hope you’re also aware now of the employment deficiencies in cybersecurity. All the way back in the first couple of blogs, I went into detail on how the educational environment causes this problem. In all honesty, when I first started writing this my main goal was to encourage more common education on the subject. However, if you’re at all more interested in the subject of security, I feel I’ve done my job.


Are Macs Secure? (Blog Post #9)

 

One of the most common misconceptions I’ve heard while chatting about cybersecurity is that Macs don’t get malware. Time and again my friends ignore basic rules of online safety under the pretense that the fruit-shaped logo on the back of their case protects them from the dangers of the internet. Things like the above ad seem to reinforce this, but while it is true that there are statistically fewer attackers going after Macs, they are anything but secure.

The key phrase in that ad is that Macs don’t get Windows viruses. Windows dominates the market for operating systems, hence the massive amount of Windows-exclusive software. Developers would have to put considerable work into moving their designs to OSX so, unless they can justify the work with projected revenue, they don’t bother. The same is true for malware developers. Why develop attacks against the 10% of users who run Macs when you could spend your time and money targeting the 90% who run Windows?

The problem is, there are a number of malicious people out there who do target that 10% and, like Apple’s market share, that number is growing. For instance, the Flashback Trojan alone infected more than 500,000 Macs between 2011 and 2012. In fact, this year (2015) was the most prolific year in history for OSX malware according to Bit9 and Carbon Black. Obscurity does not equate to security and, with Macs becoming more popular, the little safety it provided is quickly shrinking.

While Macs, like anything, are not perfectly secure, Apple’s reaction to these threats is cause for even more concern. Even when a patch was released to remedy the Flashback Trojan, Apple waited 8 weeks before releasing it to their users. Even when Apple moves quickly to protect its users, the updates they deliver don’t always work, as was the case with iWorm.

Now, I’m not saying you shouldn’t buy from Apple based on security concerns, but you should be aware that you can’t trust Apple to protect you. Get a good antivirus like ESET or Avast. In independent tests they both do well at detecting known malware samples. Never hope for safety when you can instead be secure.


Big Bug Bounties (Blog Post #8)

Recently, an anonymous team of hackers claimed Zerodium’s $1,000,000 bounty for a particularly dangerous bug in Apple’s iOS mobile operating system. That’s right, by finding a software flaw that team just made more than the average American will in 20 years. Unknown security vulnerabilities are very valuable and there are plenty of reasons you should take notice.

First of all: what is a vulnerability? Basically it’s a bug in a program. While some bugs do little more than crash a program, others, like in the case of Heartbleed, might leak sensitive data, and others still, like the above case, allow an attacker armed with knowledge of how the vulnerability functions to take total control of the target device. For the parameters of that $1,000,000 payout, that means by simply opening a web page an attacker can install and run persistent, arbitrary software on up-to-date devices. Front facing camera? Check. Passwords? Stolen. Location? Tracked. In this case, you can imagine why that capability is so valuable.

Heartbleed (an example of a big vulnerability) illustrated. Source: Wikipedia

That payout, although abnormally large, is nothing new. Like arms dealers, companies like Zerodium aren’t just in the business to improve software; they exist to make money, and the software developers aren’t the ones buying. To be clear, Zerodium and Grugq (the vendor from the Forbes article) only sell to reputable sources (namely NATO governmental institutions), but the fact remains that the developers are being outbid by entities who are using these vulnerabilities. Microsoft, Google, and most other tech companies offer their own programs to buy these vulnerabilities so they can be patched. Unfortunately, they offer orders of magnitude less for these weapons.

So how does this apply to you – the consumer? Most people I’ve met still carry on the assumption that the business of cyber attack and defense is limited to whiz-kid outcasts and disgruntled IT guys. The truth is, hundreds if not thousands of vulnerabilities are discovered each month and they are big business.


Writing Good and Memorable Passwords aka the “Your Password Sucks” Post (Blog Post #7)

Any series on personal computer security is not complete without the arbitrary “write good passwords” part. I’m sure you’ve heard it all. Pick some long word you can remember, like “bookkeeper”, substitute in some 3s for the ‘e’s (bookke3per) and some 0s for the ‘o’s (b00kke3per), then add some random special character at the end (b00kke3per^). That’s secure, right? Wrong! If you were still under the impression that that’s a good way to write a password, you’ve got some learning to do.

In reality, everyone knows dictionary words are a big no-no, but common substitutions don’t help you much either. Attackers can guess trillions of passwords every second under the right conditions, so throwing in a substitute 3 for an ‘E’ or # for an ‘H’ is computationally easy to account for. In fact, password security checkers like Kaspersky’s and My1Login’s find that this password could be broken by a consumer computer in under 10 minutes and in under one second on the right machine. If you’re using memorable substitutions for letters, your password is bad and you should feel bad.

So what then? An alternative is to create a random string of all types of characters. Lower case, upper case, special, numbers, get them all in there in no predictable order. There are even websites that will do this for you. This is also a bad idea for numerous reasons. Who knows what that site could be doing with your brand new password? The site that just generated your password might keep track of it for malicious means. Secondly, any passwords you generate this way will be a major pain to remember. Take for instance this site. It generated the password “ur-YqR9PQa46BjZg”. Sure, that would take until the heat death of the universe to crack; however, I can’t see anyone but a genius remembering that.

But wait! It has a helpful hint to remember the password: “usa rope – YELP queen ROPE 9 PARK QUEEN apple 4 6 BESTBUY jack ZIP golf.” Nope, that doesn’t help at all. You could write the password down, but then you have to secure the note that holds that big password. If that note gets seen, whatever you’re trying to protect is exposed. No sticky note should ever be worth as much as your bank account. There are better ways.

This comic from XKCD explains it perfectly. You should never use a password. Instead, you should use a passphrase. By combining a number of words, you have so much entropy you no longer have to worry if you’re using words or special characters. “usa rope – YELP queen ROPE 9 PARK QUEEN apple 4 6 BESTBUY jack ZIP golf” is hard to remember but “usa rope – YELP queen” is not.

While there are plenty of other solutions to this problem of password storage, hopefully I’ve dispelled some misconceptions. Common substitutions help no one and random strings are a pain. It can be a lot easier to create and remember secure passwords if, instead of using a word, you use a passphrase.
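The comparison made in this post, worked through as an added example (not part of the original post). It counts the guesses needed to cover each scheme and converts that to bits; the dictionary size, symbol set, 94-character alphabet, 7,776-word list and guess rate are all assumptions chosen for illustration.

```python
import math
from itertools import product

LEET = {"e": "3", "o": "0"}   # the two substitutions the post describes
SYMBOLS = "!@#$%^&*"           # assumption: trailing symbols a cracking rule appends
DICTIONARY_SIZE = 100_000      # assumption: size of the attacker's word list
WORDLIST_SIZE = 7776           # assumption: passphrase words come from a 7,776-word list
GUESSES_PER_SECOND = 1e12      # assumption: one trillion guesses per second


def leet_variants(word, table=LEET):
    """Yield every spelling of word with each substitutable letter kept or swapped."""
    choices = [(c, table[c]) if c in table else (c,) for c in word]
    for combo in product(*choices):
        yield "".join(combo)


def mangled_space(word, dictionary_size=DICTIONARY_SIZE, symbols=SYMBOLS):
    """Guesses covering 'dictionary word + leet swaps + one trailing symbol'.

    Approximation: every dictionary word gets as many variants as `word` has.
    """
    variants = sum(1 for _ in leet_variants(word))
    return dictionary_size * variants * len(symbols)


def random_string_space(length, alphabet_size=94):
    """Search space of a uniformly random string over printable ASCII."""
    return alphabet_size ** length


def passphrase_space(words, wordlist_size=WORDLIST_SIZE):
    """Search space of a passphrase whose words are picked at random from a list."""
    return wordlist_size ** words


def bits(space):
    """Size of a search space expressed in bits of entropy."""
    return math.log2(space)


def seconds_to_exhaust(space, rate=GUESSES_PER_SECOND):
    """Worst-case time to try every candidate at the assumed guess rate."""
    return space / rate


if __name__ == "__main__":
    rows = [
        ("b00kke3per^ style", mangled_space("bookkeeper")),
        ("16 random characters", random_string_space(16)),
        ("4 random words", passphrase_space(4)),
        ("6 random words", passphrase_space(6)),
    ]
    for label, space in rows:
        print(f"{label:22s} {bits(space):6.1f} bits  "
              f"{seconds_to_exhaust(space):.3g} s to exhaust")
```

The passphrase figures only hold when the words are picked at random rather than chosen by the user; under the assumed list size each extra word adds about 12.9 bits.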


It’s your responsibility to stay informed (Blog Post #6)

Democracy cannot succeed unless those who express their choice are prepared to choose wisely. The real safeguard of democracy, therefore, is education.

-Franklin D. Roosevelt

Roosevelt probably wasn’t talking about cyber security when he said that, but his words still hold just as true – to participate in a functioning democracy we must be educated on the issues. Cyber security touches every aspect of our modern lives from our personal computers and applications to global politics but ironically, many of us choose to go uninformed about the proceedings in this important field. I’ll go through a couple important pieces of news over the past couple years and you can choose if you are “prepared to choose wisely.”

Chinese Shenanigans

Typically when I talk to my peers about this subject I rarely find anyone to be completely uninformed about it. They always have some background on the subject but often it is just the headline. “Is the Chinese government actually attacking US corporations?” “Can we be sure?” “They aren’t really doing that much, are they?” I’ve even heard some misinformed individuals try to tell me that the severity of these escapades is sensationalized.

In 2013 Mandiant released a report officially calling out the Chinese, presenting evidence that, beyond a shadow of a doubt, fingers the People’s Liberation Army (PLA – Chinese Military) as the perpetrators of these attacks. Watch the summary below and, if you have time, read the report. If anything is sensationalized, it’s the novelty of this news.

Stuxnet

Among the security conscious, the use of the computer worm labeled “Stuxnet” was one of the biggest and most important events of the 21st century but it continues to astound me how few people have even heard about it. Patrick Clair does an excellent job describing what exactly it was and what it did in the below video.

Analysts speculate that this piece of software set back the Iranian nuclear program by years. It is ironic: for all the people I’ve met who have strong opinions about the politics surrounding the Iranian nuclear program, a disappointing number of them have no idea what any of this is.

Both of these stories are from a couple of years ago; however, important events in the expanding field where public policy and cyber security intersect happen daily. Especially with the presidential election coming up next year, you owe it not just to yourself but to your country to become informed before you cast your vote. If either of these stories surprised you, you’ve got some work to do.


You can be Hacked By Viewing a Webpage (Blog Post #5)

You just got home from school. Excitedly you fire up Firefox and plug in the website’s address. There are a couple of obnoxious advertisements, but it’s more than worth it for all the free web games you heard about a couple of hours ago. You click past a dozen offers to refinance your house and close a plethora of questionable dating advertisements to eventually get to your pinball game. Hours later, your computer starts running slow and you start to realize your computer has caught something nasty. Could simply viewing a webpage compromise your computer? Hint: the answer is yes, but there are plenty of things you can do to protect yourself.

Webpages are constantly fighting to become more eye catching and more interactive. Plugins like Adobe Flash or Java Applets allow web developers to deliver lots of extra functionality that makes things like moving menus, web-games, and even intrusive advertising work. Things like the Youtube player* or games like Bloons Tower Defense rely on plugins to function so there is no reason to be afraid of them. You should be aware, however, that these plugins also offer a convenient way into your computer for malicious actors. In 2014 alone, Adobe published literally hundreds of vulnerabilities for Flash Player – that’s literally hundreds of ways for the bad guys to mess with a 1-year old installation of Flash and many of them could lead to a total system takeover. Like your picture collection and homework? It could be held ransom. Like your identity? View the wrong web page while running an out of date plugin and it could be gone.

The web page does not even have to be built with malicious intent. Something nasty hidden in an advertisement could kick your ass as hard as any other malicious plugin. Reputable sites like Microsoft, Yahoo, and Youtube have all unwillingly hosted malicious ads (malvertising). If you’re hoping to get away from the dangers of the web by staying on reputable sites, you’re at less risk but you’re far from safe.

The most important thing you can do to protect yourself is keep your software up to date. That annoying “update available” popup is meant to be annoying. The only reason nasty code can jump from the web page without your permission is due to bugs in the software. Staying up to date will keep you safe from most malicious stuff in web pages but there is always a chance that you could run into something before the patch is released. In that case, no amount of updates will help you.

Thankfully, you can take some simple steps to protect yourself. Staying away from sketchy sites and keeping your browser up to date is a good start – lowering your exposure will lower your chance of infection, but there is more you can do. Browser plugins like Safe Script or NoScript prevent all scripts from running without express permission. All you have to do is specify which domains (like “Youtube.com”) you want to work, while domains hosting the bad stuff are blocked by default. You can visit that sketchy site without fear of infection. You will have to avoid allowing suspicious domains but otherwise you’re significantly safer.

Overall, it is important to know you are constantly under attack whenever you are online. That said, just realizing this is already a step in the right direction. Keep yourself up to date and use script blocking software and you have nothing to fear.


Educational Outreach is Effective but Underexposed (Blog Post #4)

While our students are passing on paper, we are failing our students. It goes without saying that the ultimate goal of education is to prepare students for their future. While ideologically I wouldn’t say education has any place dictating what this future should hold, it undeniably has a huge part in shaping students’ interests and goals. While we are in a STEM crisis, educators have fallen asleep behind the wheel in their jobs to motivate students into these important fields. Successful educational outreach programs like Cyberpatriot put mandatory education to shame and highlight how much more the educational system can do.

Cyberpatriot is a cyber security competition open to high school students across the nation. The competition has students fighting to secure vulnerable computers while racing against the clock all the while developing valuable skills in cybersecurity and leadership. Besides fostering these skills at an early age, Cyberpatriot also has wider motivations. Tech giants eagerly support this program and others like it not because of the skills it directly teaches, but because of the interest and confidence it fosters in its participants.

As we discussed in my very first post, employers desperately need students interested in STEM fields — so much so that they are willing to donate millions every year to get more prospective employees. For instance, Cyberpatriot’s presenting sponsor, Northrop Grumman is willing to spend millions each year on its educational outreach programs. While this corporation and others like it frame these programs as altruism, it’s easy to see the correlations between this outreach and their human resources departments’ needs. The bottom line is, corporations are putting their money where their mouths are by trusting education to get students interested in STEM fields like cyber.

There is a hard logic behind this trust. Cyberpatriot is a prime example of how effective education is in guiding career choice. Recently, the Air Force Association (the association behind Cyberpatriot) published a survey of the program’s alumni. They found that nearly 90% of respondents enrolled in a 4-year degree wound up in a STEM related major. Compared to the national average of 14%, this shows a very obvious trend. Correlation is not necessarily causation; however, the same survey also found that 87% of respondents said the competition somewhat or significantly impacted their education/career goals. It should seem obvious that education is highly effective in getting students into valuable, underfilled jobs like cybersecurity. Unfortunately, these high-paying, fulfilling positions are still starving for applicants.

CyberPat majors. Data and visualization credit: Air Force Association
CyberPat careers. Data and visualization credit: Air Force Association

Some high schools are starting to take notice but it’s often addressed in half-measure. I remember in my freshman year of high school we had a mandatory technology education class for half of the year. Looking back on it now, the class was obviously a response to the lack of students in technology fields. We rushed between all sorts of technology-related subjects from robotics to agricultural engineering, from electronics to Microsoft Excel. Too little, too late. For every one of these technology classes students are required to take, those same students are also required to take three times the material in both English and history. I’m not saying liberal arts are not important but there should be no question as to why so few students take STEM degrees.
