Sunday, October 7, 2007

Show #50



[Download Show #50 as MP3]

News
  • 45% of US Mobile Subscribers Want Better Mobile Internet
    • People will consider mobile internet capability when purchasing their next handset
    • Currently only 26% of users subscribe to mobile internet packages
    • Some attribute this sharp change to the iPhone and other devices like it
    • The mobile internet is becoming a fast track item in most cell companies offerings because more people want their data on the go
  • Joost Opens to the Public
    • Joost is an IPTV that utilizes Peer to Peer technology to deliver video on demand over the internet
    • Currently sitting at 1 million users all acquired through an invite only system
    • Joost is currently ad supported and includes television shows from MTV, Nickelodeon, CBS, and some other specialty channels like National Geographic and Warner Bros. Music
    • Joost opening to the public could have a temporary impact on the service with so many people transferring data across the wire, but Derek and I have been using the service for months now and we have yet to notice any degradation.
Software / Hardware / Power Web Picks
  • Data Encryption
    • The Basics
      • The History of Encryption
        • Encryption started as a manual system where letters were exchanged by offsetting them by a certain number. The key was simple: if my key was 3, you knew that C stood for A and D for B. By World War II, mechanical and electromechanical cipher machines were in wide use. Great advances were made in cipher-breaking during this period, and information about it has begun to be declassified as the official British 50-year secrecy period has come to an end; U.S. archives have slowly opened, and assorted memoirs and articles have begun to appear.

        • As many of us learned in school, the Germans made heavy use, in several variants, of an electromechanical rotor machine known as Enigma. The US breaking the Enigma code and rebuilding a deciphering machine was the greatest breakthrough in cryptanalysis in a thousand years. At the end of the War, on April 19th, 1945, Britain's top military officers were told that they could never reveal that the German Enigma code had been broken because it would give the defeated enemy the chance to say they "were not well and fairly beaten".

        • US Navy cryptographers (with cooperation from British and Dutch cryptographers after 1940) broke into several Japanese Navy crypto systems. The break into one of them, JN-25, famously led to the US victory in the Battle of Midway. A US Army group, the SIS, managed to break the highest security Japanese diplomatic cipher system even before WWII began.
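
The shift cipher from the first bullet above, as an added example written for these notes (not code from the show): letters are moved a fixed number of positions along the alphabet and wrap around, everything else is left untouched, and decrypting is just shifting back. The sample message is constructed. It also lists every possible decryption to make the point that the key space is only 25, which is why this is history rather than something to protect data with today.

```go
package main

// Added example, not from the show: the shift ("Caesar") cipher in Go.
// The sample message "ATTACK AT DAWN" is constructed for the demo.
import "fmt"

// Shift encrypts with a positive key; passing the negative key decrypts.
func Shift(text string, key int) string {
	k := rune(((key % 26) + 26) % 26) // normalise so -3 and 23 behave the same
	out := []rune(text)
	for i, r := range out {
		switch {
		case r >= 'A' && r <= 'Z':
			out[i] = 'A' + (r-'A'+k)%26
		case r >= 'a' && r <= 'z':
			out[i] = 'a' + (r-'a'+k)%26
		}
		// digits, spaces and punctuation pass through unchanged
	}
	return string(out)
}

// AllShifts shows why the key was "simple": there are only 25 possible keys,
// so every candidate plaintext can be listed and the readable one picked out.
func AllShifts(ciphertext string) []string {
	candidates := make([]string, 0, 25)
	for k := 1; k < 26; k++ {
		candidates = append(candidates, Shift(ciphertext, -k))
	}
	return candidates
}

func main() {
	ct := Shift("ATTACK AT DAWN", 3) // constructed sample message, key 3
	fmt.Println(ct)                   // DWWDFN DW GDZQ
	fmt.Println(Shift(ct, -3))        // ATTACK AT DAWN
	for i, c := range AllShifts(ct) {
		fmt.Printf("key %2d: %s\n", i+1, c)
	}
}
```

With key 3 the constructed message becomes `DWWDFN DW GDZQ`, and the third entry of `AllShifts` is the original text again.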

      • What is encryption?
        • In cryptography, encryption is the process of transforming information, often called plaintext, to make it unreadable to anyone except those possessing special knowledge usually in the form of a key. The result of the process is encrypted information (in cryptography, referred to as ciphertext). In many contexts, the word encryption also implicitly refers to the reverse process, decryption (e.g. “software for encryption” can typically also perform decryption), to make the encrypted information readable again (i.e. to make it unencrypted). [Wikipedia]
      • What is a key?
        • The key to a door has notches that push pins up to open the door
        • Your password is a key (a simple one), when the right one is typed, you can login to your computer or a specific website
        • In encryption a key is a piece of information that specifies the particular transformation of plaintext into ciphertext, or vice versa during decryption. Keys are also used in other cryptographic algorithms, such as digital signature schemes and message authentication codes.
      • Public key cryptography / Asymmetric Key Encryption - A form of cryptography in which a user has a pair of cryptographic keys - a public key and a private key. The private key is kept secret, while the public key may be widely distributed. The keys are related mathematically, but the private key cannot be practically derived from the public key. A message encrypted with the public key can be decrypted only with the corresponding private key.
        • Pros
          • You can literally post your public key anywhere (many people do, there is a large online database of them, even I am in there)
          • You can use the key to verify without a doubt that an e-mail or document was sent by someone, based on their electronic signature
          • You can send a single file destined for multiple recipients using YOUR private key and their respective public keys. That means a single download works for multiple people; all each of them needs is their OWN private key and YOUR public key to decrypt the e-mail, attachment, picture, or whatever type of file you send. You can literally post the file for anyone to download, but only the five people (or one) you marked can open it with their passphrase and key.
        • Cons
          • A much larger key is required to achieve the same security as a much simpler and smaller symmetric encryption scheme
          • This is a slower form of encryption (not an issue for today's computers on reasonable-size files, but for giant databases it can be an issue)
        • Software
      • Symmetric Key Encryption - A class of algorithms for cryptography that use trivially related, often identical, cryptographic keys for both decryption and encryption. The encryption key may be identical or there is a simple transform to make them identical. The keys, in practice, represent a shared secret between two or more parties that can be used to maintain a private information link.
        • Pros
          • Faster encryption / decryption
          • Smaller keys / still secure
        • Cons
          • Shared secret needed at both ends
        • Software
      • Hybrid Systems - This works by using symmetric encryption to actually do the work of encrypting the data, and asymmetric encryption to distribute the keys.
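
The hybrid system just described, and the multi-recipient download from the public key "Pros" above, as one added example written for these notes (not the show's or any product's code), using only the Go standard library. The data is encrypted once with a random AES-256-GCM key (the symmetric part doing the real work), and that key is then wrapped separately for each recipient with RSA-OAEP (the asymmetric part distributing the key). Recipient names, the sample message and the 2048-bit key size are constructed for the demo; signing the file with the sender's private key is left out to keep the focus on key distribution.

```go
package main

// Added example, not from the show: hybrid encryption for several recipients.
// One AES-GCM ciphertext is posted together with one RSA-OAEP-wrapped copy of
// the AES key per recipient. Names and the message are constructed.
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Envelope is what gets posted for download.
type Envelope struct {
	Nonce       []byte
	Ciphertext  []byte            // AES-GCM output, authentication tag included
	WrappedKeys map[string][]byte // recipient name -> RSA-OAEP(AES key)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext once, then wraps the one-time symmetric key for
// every recipient's public key.
func Seal(plaintext []byte, recipients map[string]*rsa.PublicKey) (*Envelope, error) {
	key := make([]byte, 32) // 256-bit AES key, used for this message only
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	env := &Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil),
		WrappedKeys: make(map[string][]byte)}
	for name, pub := range recipients {
		// Only the holder of the matching private key can recover the AES key.
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
		if err != nil {
			return nil, err
		}
		env.WrappedKeys[name] = wrapped
	}
	return env, nil
}

// Open is what one recipient runs with their own private key.
func Open(env *Envelope, name string, priv *rsa.PrivateKey) ([]byte, error) {
	wrapped, ok := env.WrappedKeys[name]
	if !ok {
		return nil, errors.New("no key wrapped for " + name)
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
	if err != nil {
		return nil, err // wrong private key: the OAEP padding check fails
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil) // also detects tampering
}

// Demo seals one message for two recipients and reports whether each of them,
// and an outsider holding an unrelated key, can open it.
func Demo() (aliceOK, bobOK, outsiderOK bool, err error) {
	keys := make(map[string]*rsa.PrivateKey)
	for _, name := range []string{"alice", "bob", "outsider"} {
		k, err := rsa.GenerateKey(rand.Reader, 2048)
		if err != nil {
			return false, false, false, err
		}
		keys[name] = k
	}
	msg := []byte("constructed sample: quarterly numbers attached")
	env, err := Seal(msg, map[string]*rsa.PublicKey{
		"alice": &keys["alice"].PublicKey, "bob": &keys["bob"].PublicKey})
	if err != nil {
		return false, false, false, err
	}
	got, err := Open(env, "alice", keys["alice"])
	aliceOK = err == nil && string(got) == string(msg)
	got, err = Open(env, "bob", keys["bob"])
	bobOK = err == nil && string(got) == string(msg)
	_, err = Open(env, "alice", keys["outsider"]) // wrong key for Alice's slot
	outsiderOK = err == nil
	return aliceOK, bobOK, outsiderOK, nil
}

func main() {
	fmt.Println(Demo())
}
```

Alice and Bob each recover the message with their own private key; the outsider fails at the RSA unwrap, and even a key that somehow produced garbage would then fail GCM's authentication check. Note the size difference from the "Cons" above: the AES key is 32 bytes while each RSA-2048 wrapped copy is 256 bytes, which is why the asymmetric step is used only for the key.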
      • What kinds of data should you encrypt?
      • Why should you encrypt your data?
    • Built In Data Encryption
      • Encrypted File System
        • Windows Encryption of File System
          • Advantages
          • Disadvantages
          • Who should use this?
      • BitLocker
        • Available in Windows Vista Business & Ultimate Editions
        • Drive Encryption, not EFS
      • Secure Sockets Layer (SSL)
        • Layer
          • Physical Layer
            • Coaxial Cable
          • Data Link Layer
            • Ethernet
          • Network Layer
            • IP
          • Transport Layer
            • TCP
          • Application Layer
            • HTTP
            • TLS/SSL
        • TLS = Transport Layer Security
        • Designed to prevent eavesdropping, tampering, and message forgery.
        • Eavesdropping = Encryption
        • Tampering = Signature
        • Message Forgery = Trusted CA / Public Key
        • Web browsing encryption
        • Why this is important
          • Banks
          • PayPal
          • Stocks
          • Camera in your house
          • Router access
          • Instant Messaging
        • How to tell if you are using SSL encryption
          • There should be a locked padlock somewhere on the BROWSER, any you see on the page itself don't count.
            • Mozilla Firefox - There are TWO, one in the address bar on the far right side, the other at the bottom right in the status bar; clicking on either gives you information about the web site's identity.
            • Internet Explorer -
          • The bar at the top of your browser should be a friendly color other than white (green, yellow, etc)
          • What if it's red? Well, your data is still encrypted, but the certificate is not 100% verified.
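
What the browser is actually checking behind that padlock and coloured bar, as an added example written for these notes (not the show's code), using only the Go standard library. A root CA and a server certificate for the placeholder name example.test are built in memory, and the certificate is then verified three ways: by a browser that trusts the CA (the friendly colour), by one that has never heard of the CA, and against the wrong site name (both "red": the connection would still be encrypted, but the identity is not verified). All names and validity periods are constructed for the demo.

```go
package main

// Added example, not from the show: certificate verification as a browser
// does it. The CA and the example.test certificate are constructed in memory.
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// makeCert signs template with signer and returns the parsed certificate.
// With parent == nil the certificate is self-signed (our constructed root).
func makeCert(template, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil {
		parent = template
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Verdict maps the verifier's result onto what the address bar shows:
// "trusted" (green/yellow), or one of the reasons for a red bar.
func Verdict(leaf *x509.Certificate, roots *x509.CertPool, host string) string {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	var unknownCA x509.UnknownAuthorityError
	var badName x509.HostnameError
	switch {
	case err == nil:
		return "trusted"
	case errors.As(err, &unknownCA):
		return "unknown authority" // signed by a CA this browser does not trust
	case errors.As(err, &badName):
		return "hostname mismatch" // a real certificate, but not for this site
	default:
		return "other: " + err.Error()
	}
}

// Demo builds the CA and server certificate and returns the verdicts for a
// browser that trusts the CA, one that does not, and a wrong host name.
func Demo() (trusted, untrusted, wrongName string, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", "", "", err
	}
	now := time.Now()
	ca, err := makeCert(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Demo Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil, &caKey.PublicKey, caKey)
	if err != nil {
		return "", "", "", err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", "", "", err
	}
	leaf, err := makeCert(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "example.test"},
		DNSNames:     []string{"example.test"}, // the name the browser checks
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return "", "", "", err
	}
	trustedRoots := x509.NewCertPool()
	trustedRoots.AddCert(ca)
	emptyRoots := x509.NewCertPool() // a browser that has never heard of this CA
	return Verdict(leaf, trustedRoots, "example.test"),
		Verdict(leaf, emptyRoots, "example.test"),
		Verdict(leaf, trustedRoots, "other.test"), nil
}

func main() {
	fmt.Println(Demo())
}
```

The three verdicts are `trusted`, `unknown authority` and `hostname mismatch`. The middle case is the self-signed or unknown-CA situation from the bullet above: the session key exchange still happens and the traffic is still encrypted, but nobody the browser trusts has vouched for who is on the other end.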

Security & Privacy
  • Social Engineering
    • Attribution - Refers to the way people explain their own behavior and that of others. A goal of the social engineer is to have the target attribute certain characteristics to him or her, such as expertise, trustworthiness, credibility, or likability. A social engineer might walk up to a lobby receptionist, put a $5 bill down on the counter, and say something like, “I found this on the floor. Did anyone say they lost some money?” The receptionist would attribute to the social engineer the qualities of honesty and trustworthiness. If we see a man hold a door open for an elderly lady, we think he’s being polite; if the woman is young and attractive, we likely attribute a quite different motive.
    • Liking - Social engineers frequently take advantage of the fact that all of us are more likely to say “yes” to requests from people we like. People like people who are like them, having similar career interests, educational background, and personal hobbies. Social engineers will frequently research their target’s background and equip themselves to fake an interest in things the target cares about — sailing, tennis, antiques, airplanes, collecting old guns, or whatever. Social engineers also increase liking through the use of compliments and flattery, and physically attractive social engineers can capitalize on their attractiveness.
    • Fear - A social engineer will sometimes make his or her target believe that some terrible thing is about to happen, but that the impending disaster can be averted if the target does as the attacker suggests. In this way, the attacker uses fear as a weapon. A social engineer masquerading as a company executive may target a secretary or junior staffer with an “urgent” demand, and with the implication that the underling will get into trouble, or might even get fired, for not complying.
    • Reactance - Psychological reactance is the negative reaction we experience when we perceive that our choices or freedoms are being taken away. When in the throes of reactance, we lose our sense of perspective as our desire for the thing we have lost eclipses all else. In a typical attack based on reactance, the attacker tells his target that access to computer files won’t be available for a time, and names a time period that would be completely unacceptable. “You’re not going to be able to access your files for the next two weeks, but we’ll do everything possible to make sure it won’t be any longer than that.” When the victim becomes emotional, the attacker offers to help restore the files quicker; all that’s needed is the target’s username and password. The target, relieved at a way to avoid the threatened loss, will usually comply gladly.
    • The other side of the coin involves using the scarcity principle to coerce the target into pursuing a promised gain. In one version, victims are drawn to a Web site where their sign-on information or their credit card information can be stolen (phishing). How would you react to an email that promised a brand-new Apple iPod for $200 to the first 1,000 visitors to a particular Web site? Would you go to the site and register to buy one? And when you register with your email address and choose a password, will you choose the same password that you use elsewhere? How many of you have done that?

COUNTERMEASURES
Mitigating social engineering attacks requires a series of coordinated efforts:
  • Developing clear, concise security protocols that are enforced consistently throughout your company or your home
  • Developing security awareness training or reading up on security yourself
  • Developing simple rules defining what information is sensitive
  • Developing a simple rule that says that whenever a requestor is asking for a restricted action (that is, an action that involves interaction with computer-related equipment where the consequences are not known), the requestor’s identity must be verified according to company policy
  • Developing a data classification policy
  • Training employees on ways to resist social engineering attacks
  • Testing your employees’ susceptibility to social engineering attacks by conducting a security assessment

The most important aspect of the program calls for establishing appropriate security protocols and then motivating employees to adhere to the protocols.

Closing

  • Be Sure to visit our website at http://powerofinformation.net
  • Call us on The PowerLine at 866-55-44-POI -- That's 866-554-4-POI.
  • To See What Michael and I are blogging about: click on the links to our blogs at the Power of Information website
  • Special thanks to:
    • Wiley Publishing for allowing us to use parts of The Art of Intrusion by Kevin D. Mitnick and William L. Simon as well as for sending us the electronic copy of the book.
    • Wikipedia for allowing us, and everyone, to use their great encyclopedia under the GFDL - GNU Free Documentation License originally created by the Free Software Foundation.
  • Special thanks to the band Anberlin for supplying music for our program.
