Sunday, March 18, 2012

Bad, Bad Browsing

DUE DATE EXTENDED TO MONDAY AT 11 PM.
Most users access the Internet through a web browser.  But we have learned that even using the HTTPS protocol cannot protect us from lots of bad, bad browser-based stuff.  For this week's blog we will wrap up our unit on web application security by looking at browser-based vulnerabilities.
My article is about BEAST (Browser Exploit Against SSL/TLS) and how it exploits a weakness in SSL 3.0 and TLS 1.0 to break the encryption on your session: in those versions the CBC-mode cipher uses the last ciphertext block of one record as the IV for the next record, so an attacker who can sniff your connection and also inject requests into it (BEAST does the injecting with JavaScript running in your browser) can test guesses for the encrypted data, such as your session cookie, one byte at a time.  The researchers who demonstrated the vulnerability have published their findings AND they have shown that TLS 1.1 or 1.2, which use a fresh unpredictable IV for every record, would be effective encryption.  However, most web browsers and web servers have not shifted to the safer protocols because the expense and trouble are significant.  There is a graph in the article that shows exactly how little TLS 1.1 / 1.2 are being used.  I tried implementing TLS 1.1 on my computer for IE9, Chrome and Firefox - only IE9 even lets you make that change, but when I tried to access HTTPS sites with TLS 1.1 set, the sites gave me an error message. The article advises practicing safe surfing, but I'm not sure that helps when you are talking about e-commerce.
http://www.pcworld.com/businesscenter/article/240933/hackers_crack_internet_encryption_should_you_be_worried.html
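To make the chained-IV weakness concrete, here is an added example (it is not from the PCWorld article or from the BEAST authors) that simulates the TLS 1.0 record layer with a toy block cipher built from HMAC-SHA256 standing in for AES, and shows the attacker recovering a constructed session cookie one byte at a time with at most 256 guesses per byte, then failing against the TLS 1.1 explicit-IV fix. The cookie value, the key, the padding, and the `request` function that models the attacker's script making the victim's browser send requests are all assumptions constructed for the demo.

```python
import hmac
import hashlib
import os

BLOCK = 16                       # cipher block size in bytes
SECRET = b"SID=7f3a9c42"         # constructed stand-in for a session cookie


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES: a keyed PRF truncated to one block (assumption,
    not a real cipher).  The attack only ever needs the forward direction."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class CbcRecordSender:
    """CBC-mode record layer.  explicit_iv=False reproduces the SSL 3.0 /
    TLS 1.0 behaviour that BEAST exploits: the IV for record n+1 is the
    last ciphertext block of record n, which a sniffer has already seen.
    explicit_iv=True is the TLS 1.1/1.2 fix: a fresh random IV per record."""

    def __init__(self, key: bytes, explicit_iv: bool):
        self.key = key
        self.explicit_iv = explicit_iv
        self.chain = os.urandom(BLOCK)   # initial IV from the handshake secrets

    def encrypt_record(self, plaintext: bytes) -> bytes:
        plaintext += b"\x00" * (-len(plaintext) % BLOCK)   # padding, simplified
        if self.explicit_iv:
            self.chain = os.urandom(BLOCK)   # sent in the clear, but unpredictable
        prev, out = self.chain, []
        for i in range(0, len(plaintext), BLOCK):
            prev = toy_block_encrypt(self.key, xor(plaintext[i:i + BLOCK], prev))
            out.append(prev)
        self.chain = prev
        return b"".join(out)


def beast_recover(request, secret_len: int) -> bytes:
    """request(path) models the attacker's script making the victim's browser
    send `path + cookie` on the TLS connection; the attacker sniffs the
    returned ciphertext.  Recovers the cookie one byte at a time."""
    chain = request(b"")[-BLOCK:]        # observe the wire: last block = next IV
    known = b""
    for idx in range(secret_len):
        # Choose the path length so that cookie byte idx is the LAST byte
        # of a block whose other 15 bytes are already known to the attacker.
        prefix = b"A" * ((BLOCK - 1 - idx) % BLOCK)
        pos = len(prefix) + idx
        b = pos // BLOCK
        ct = request(prefix)
        c_prev = chain if b == 0 else ct[(b - 1) * BLOCK:b * BLOCK]
        c_target = ct[b * BLOCK:(b + 1) * BLOCK]
        chain = ct[-BLOCK:]
        known15 = (prefix + known)[b * BLOCK:b * BLOCK + BLOCK - 1]
        for g in range(256):
            # Sender computes E(probe ^ chain) = E((known15+g) ^ c_prev),
            # which equals c_target exactly when g is the right byte.
            probe = xor(xor(known15 + bytes([g]), c_prev), chain)
            ct2 = request(probe)
            chain = ct2[-BLOCK:]
            if ct2[:BLOCK] == c_target:
                known += bytes([g])
                break
        else:
            break   # no guess matched: the IV was not predictable (TLS 1.1+)
    return known


def demo(explicit_iv: bool) -> bytes:
    """Runs the attack against one connection; returns the recovered bytes."""
    sender = CbcRecordSender(os.urandom(16), explicit_iv)

    def request(path: bytes) -> bytes:
        return sender.encrypt_record(path + SECRET)   # browser appends the cookie

    return beast_recover(request, len(SECRET))


if __name__ == "__main__":
    print("TLS 1.0 chained IV :", demo(explicit_iv=False))
    print("TLS 1.1 explicit IV:", demo(explicit_iv=True))
```

Run it directly to see both outcomes. Note what the attack needs and what it does not: it needs a sniffer on the network and a way to make the browser send chosen requests on the secure connection, but it never needs the key, so "safe surfing" on the user's side does not remove it. The fix is in the protocol: an explicit, unpredictable IV per record, which is exactly what TLS 1.1 changed.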

You need to find a news article about a web browser vulnerability. Write several sentences to explain the vulnerability, how it was used or can be used to attack and if there is any solution.  Make sure you understand the article and summarize it in simple terms.

Thursday, March 1, 2012

What a Tangled Web!

We have just started a unit on hardening Web applications.  You will need to learn how to identify these vulnerabilities and how to tell them apart. So to get a start on this topic, the assignment this week is to find a website that gives a good explanation of one of these topics:
  • Buffer Overflow
  • CGI Script
  • Java applets
  • JavaScript
  • ActiveX
  • Cross-site Scripting
You can post a link to a text article OR a video - as long as it really helps our understanding of the topic.  Write a 3 sentence summary of the content in your link.
My post for this week is on Buffer Overflows. The Wired website has a cool cartoon animation of how good code should accept a limited amount of input and then discard any extra. It then shows what happens when bad code allows a buffer overflow: the extra input spills past the end of the buffer and corrupts the program's own code and data in memory.  http://www.wired.com/threatlevel/2009/03/conficker-how-a/
Enjoy!

Thursday, February 16, 2012

Broken Keys

Encryption is the only real tool we have right now to protect our private communications from prying eyes or our valuable business plans from being stolen.  Or, to put it simply, encryption is our lock and key to keep people out of our stuff.

BUT a New York Times article this week reported that RSA, the strongest encryption we have, actually has a significant flaw in the way some of its keys are generated.  http://www.nytimes.com/2012/02/15/technology/researchers-find-flaw-in-an-online-encryption-method.html.   The encryption algorithm starts by RANDOMLY selecting two very large prime numbers and uses these as the basis to create the public and private keys.  Unfortunately, researchers have shown that in some cases the selection is not truly random - i.e. it could be predictable - and when two different keys end up sharing one of their primes, a simple greatest-common-divisor calculation on the two public keys reveals that prime and breaks both keys.  And they say that means "2 out of every 1000 keys would not be secure".  Wow!  That's scary . . . and makes me think what other encryption methods are not as solid as we thought?
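Added example (not from the NYT article or the researchers' paper) showing what a "shared prime" means in code: two keys generated from the same weak random state share one prime, and an attacker who only has the public moduli can factor both with a greatest-common-divisor computation and then read messages sent to either key. The 32-bit primes, the seeds, and the "boot-time entropy" model of how the sharing happens (p drawn before the device has gathered real entropy, q drawn after) are assumptions constructed for the demo; real RSA keys use primes of 1024 bits or more, but the gcd step is identical.

```python
import math
import random

E = 65537   # the usual RSA public exponent


def is_prime(n: int) -> bool:
    """Trial division; fine for the 32-bit demo primes used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    i = 3
    while i * i <= n:
        if n % i == 0:
            return False
        i += 2
    return True


def gen_prime(rng: random.Random, bits: int = 32) -> int:
    """Next prime from the given RNG state; skips primes with p-1 divisible
    by E so that E is always coprime to (p-1)(q-1)."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # odd, full width
        if is_prime(cand) and cand % E != 1:
            return cand


def weak_rsa_keygen(boot_seed: int, later_entropy: int):
    """Modelling assumption (not the article's account): p is drawn while the
    RNG holds only low-entropy boot state, so two devices with the same
    boot_seed pick the same p; q is drawn after device-specific entropy
    arrives.  Returns (n, e, d)."""
    rng = random.Random(boot_seed)
    p = gen_prime(rng)
    rng.seed(later_entropy)
    q = gen_prime(rng)
    n, phi = p * q, (p - 1) * (q - 1)
    return n, E, pow(E, -1, phi)


def break_shared_factor_keys(moduli):
    """Attacker side: gcd of every pair of PUBLIC moduli.  A result other
    than 1 is a shared prime, which factors both keys.  Returns {n: (p, q)}."""
    broken = {}
    for i, n1 in enumerate(moduli):
        for n2 in moduli[i + 1:]:
            g = math.gcd(n1, n2)
            if 1 < g < n1:
                broken[n1] = (g, n1 // g)
                broken[n2] = (g, n2 // g)
    return broken


def private_exponent(p: int, q: int, e: int = E) -> int:
    return pow(e, -1, (p - 1) * (q - 1))


# Constructed population: A and B booted from the same poor seed, C did not.
KEY_A = weak_rsa_keygen(boot_seed=0x2012, later_entropy=111)
KEY_B = weak_rsa_keygen(boot_seed=0x2012, later_entropy=222)
KEY_C = weak_rsa_keygen(boot_seed=0x1999, later_entropy=333)


def demo():
    """Returns the factored moduli and whether a message to A was decrypted
    using only what the attacker recovered."""
    moduli = [k[0] for k in (KEY_A, KEY_B, KEY_C)]
    broken = break_shared_factor_keys(moduli)
    n_a, e, _ = KEY_A
    m = int.from_bytes(b"Hello", "big")          # small test message, m < n_a
    c = pow(m, e, n_a)                           # encrypted with A's public key
    p, q = broken[n_a]
    return broken, pow(c, private_exponent(p, q), n_a) == m


if __name__ == "__main__":
    broken, ok = demo()
    print("factored moduli:", len(broken), "of 3; decrypted message:", ok)
```

Key C is never touched: its primes are unrelated to anyone else's, so every gcd involving it is 1. That is the whole point of the finding: the maths of RSA is fine, but a key is only as secure as the randomness that picked its primes, and a pairwise gcd over a large collection of public keys is cheap for an attacker to run.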

Your job is to find an article that deals with encryption AND something going wrong.   You could try these words in your search with ENCRYPTION or CRYPTOGRAPHY: weakness or vulnerability or hack or broken or RSA. In your posting, give a minimum 3 sentence summary of the article and be specific about what went wrong with this encryption method.

Friday, January 13, 2012

BYOD = Mobile Danger

There has been an explosion in the use of mobile devices like smartphones and tablets. Users expect to be able to use these mobile devices everywhere they go, including and especially at work or at school.  This has given rise to a new term, “BYOD”, which means Bring Your Own Device, and has created new problems because the network administrator does not control how these devices are secured.

Read my article “Enterprise must protect against malware with BYOD rise” to get an idea of the vulnerabilities that can exist in mobile devices.

Post an article about a specific malware for an Android, iPhone or tablet device.  Answer these three questions in full sentences:
1. What does the malware do? (be specific)
2. What is the vulnerability that makes this malware possible?
3. What security advice would you give to the owner of this mobile device?

Friday, January 6, 2012

Virtual Woman!!

Virtualization = specialized software that makes it possible to host multiple operating systems working simultaneously on one server. 

Our goal for this blog is to get a better understanding of Virtualization.  Start off by reading the VirtualWoman comic, which gives a pretty good idea of how virtualization works and its benefits. Since “the cloud” is built largely on virtualized servers, you can use this as your search term too.

Your job is to find an article that talks about virtualization and /or clouds AND security.  It could be how virtualization is improving security . . . or it could be how virtualization has created a security vulnerability. 

Write a summary of your article, at least 4 sentences.  Remember you must restate the ideas, please DO NOT cut and paste from the article.

No duplication of articles, due Sunday 1/8 by 11 pm

Sunday, December 18, 2011

Blog Time!! - Locking Down Air

Blogging Instructions: Every Friday evening I will post a blog topic with a link to an article AND a question.  You are required to find an article of your own on that topic.  Put a link to your article into a comment on my blog posting AND write a few FULL sentences in the comment that answers my question. You should use my article and answers as models for your own posts.  
Due every Sunday night by midnight.


Week 1: The most popular form of network access right now is wireless - so it's time to look at the security issues associated with using the air as your medium for data transmission. My article explains the term "Bluejacking", which is basically a method of sending annoying messages to Bluetooth devices in your physical vicinity. It's not a real security threat - the article says it's more of an annoyance, like ringing a doorbell and running away.
  http://electronics.howstuffworks.com/bluejacking.htm (read the first two pages, they are short), then watch the video at this link:    http://www.youtube.com/watch?v=vkAjPWNSIsg&feature=related (also very short)

The vulnerability exists because Bluetooth is on by default and left discoverable, so any device nearby can find it and push a message to it.  The solution is to turn off your Bluetooth when you don't need it. For instance, my iPhone only needs Bluetooth when I am using my headset in the car. Otherwise, I can disable that function and that will keep me safe from Bluejacking.

So, your job is to:

  1. find a website / article about a wireless vulnerability - give us the link
  2. describe the problem AND
  3. tell us how to protect against it. 
If you need an idea for a search term, here are some items that will be on the Cert test: War Driving, Bluesnarfing, Rogue Access Points, Weak Encryption, SSID Broadcast. Or you might want to check out the term "TJX breach" for a look at the largest wireless crime ever.