Friday, November 1, 2013

A New Kind of Cold War

For Americans, from almost as soon as World War II ended until around the end of the Reagan presidency, America experienced what is now known as the Cold War, a period in which Americans were in fear of nuclear threat from eastern Europe, specifically the former union of the USSR. Americans were fearful of Russia’s socialist and communist policies, as well as the fear that they could launch a nuclear attack; Russians despised Western values and democracy, and feared, too, a nuclear war. Thus, the Cold War, a war without soldiers, but threats of nuclear violence. My parents were born in the 1940s, and grew up during the Cold War, and I was born in time to see the end of the Cold War. However, a new kind of war has begun. In the late 1980s and early 1990s, the internet began to boom as a communications vehicle, no longer just for educational institutions, but for businesses and private persons. Chat rooms became widely popular, and instant messaging and email became commonplace.

I have been a federal employee, on and off, for the last 25 years and have worked for four different agencies. When September 11, 2001 happened, all Federal Agencies scrambled to put together not only physical, but technological defenses. The federal government learned quickly that of the thousands of IT Specialists they had, none of them had standard knowledge. In any given agency, IT Specialists' skills were stovepiped. By stovepiping their knowledge and responsibilities, when critical execution was required, there was no standard knowledge available. As a result, many agencies, specifically the Department of Defense (DoD) and Department of Homeland Security (DHS), began a program in 2002 with final implementation by 2010 that all IT Specialists, regardless of actual job duties, would be minimally qualified in CompTIA Security+. This gives every IT Specialist in the DoD and DHS the minimum knowledge to maintain their agency's critical infrastructure.

This is vitally important because, since the end of the Cold War, the United States has been fighting a new type of war, a cyberwar. As a military spouse of an active duty Navy Chief, I have had to move across the country and back, and have worked on several military installations. As such, I have worked with and for military leaders for the past decade. I specifically and clearly remember one Marine Corps brief given where the Base General spoke; at that time, it was 2007, my husband had returned about 18 months before from one of the most dangerous areas of Iraq, and we had begun in earnest the fight in Afghanistan. The General said, the United States was currently involved in three wars, the one in Iraq, the one in Afghanistan, and a Cyberwar. He said, if we didn’t believe it, the DoD was daily fending off attacks from the Chinese, and it was getting worse every day. In addition, al Qaeda terrorists had become more advanced and figured out how to hide messages in images and transmit information electronically. But the biggest cyber threat is Asia, and specifically China.

According to a congressional report released on October 8, 2012, Chinese firms Huawei Technologies and ZTE Corp. pose significant threats to U.S. national security, have strong ties to the Chinese government and military and should be avoided by U.S. business for their information technology and telecommunications business. (Clayburn, 2012)

Huawei and ZTE have grown to be leaders in the Chinese market in telecommunications and Huawei is one of the leading providers in China of 4G technology. For the U.S. government, the exponential growth of Huawei to the largest producer of telecommunications components in the world, combined with the fact “that neither company cooperated sufficiently with the investigation” (Clayburn, 2012), has led the United States government to fear “that the Chinese government could exploit Huawei's presence on U.S. networks to intercept high level communications, gather intelligence, wage cyber war, and shut down or disrupt critical services in times of national emergency.” (Kroft, 2012) China has recently been linked to cyber attacks on the Department of Energy, which includes the National Nuclear Security Administration, as well as servers at the New York Times and Wall Street Journal. (Gertz, 2013)

As a Department of Defense employee, I believe the threat is credible and reasonable. Of the spies who have been caught and convicted of espionage against the United States, an alarming number are spying on behalf of China. In today’s information technology age, it’s more than possible for the technology to be advanced enough for components to have embedded code that would permit remote spying and worse, theft of national secrets and the ability to take down the national infrastructure, leaving us vulnerable. So, while the United States is founded on a free market system, the national interest trumps the free market. Should Congress and the American people be worried? In my opinion, yes.

Friday, February 22, 2013

Article Review: "Carhacking"

Most Americans have heard of cyber crimes and cyber security, but beyond what they hear on the news, know very little about it. Cyber crimes typically affect the average American only in terms of Personally Identifiable Information (PII) and identity theft. To that extent, many Americans are vulnerable to cyber crimes that target their social security numbers, dates of birth, et al; cyber criminals attempt to gain access to personal records, bank accounts, mortgage information, etc. I have personally had two credit cards “hacked,” in which the criminals did not gain the credit card information physically, they gained the information via some cyber means, most likely capturing the information via an online transaction conducted at another site, and then exploiting the information to make the transactions. Both hacks cost the two institutions several thousand dollars, with one being charged more than $6,500 in transactions in one day.
The article, “Carhacking” in the January/February 2013 issue of Government Executive by Aliya Sternstein, addresses a new concern in the cyber security realm. Cars today, even at the lower price range, often come standard with a wide range of multimedia and information-sharing and technology features, such as built-in CD and DVD players, USB ports, Bluetooth systems, satellite radio systems, and wireless services such as the Ford SYNC or the OnStar system. Each of these features, while making the consumer’s drive more comfortable and enjoyable, also opens them up to potential cyber security threats.
The article references several real life examples where vehicles have been “carhacked” in recent times. In Austin, Texas in 2010, a disgruntled employee from an auto dealership remotely carhacked customer vehicles and deactivated the ignition systems. In another event, yet another disgruntled auto dealer employee “manipulated in-car systems that lock the engine when clients skip payments—essentially an alternative to repossession…he immobilized the starters and Global Positioning Systems on about 100 vehicles, leaving drivers’ parked cars stranded.” Presumably, the employee manipulated the system early to wreak havoc on the dealership, but that opens up the question about the dealership even having the system in place, and what would happen if the systems were immobilized while driving?
The article presents several other false but plausible scenarios: a Senator driving home, listening to a CD from a constituent. The CD is malicious, with code that causes the vehicle to brake suddenly while she is travelling at 60 miles per hour. In conjunction with terrorists behind her, she is killed. In another supposed scenario, an FBI agent's car phone Bluetooth system is hacked into, and as the agents discuss a case in the “privacy” of the vehicle, their conversation is, in essence, bugged.
While the article indicates the chances of this occurring today are low, researchers have been able to unlock doors, deactivate starters, and have overridden various car safety systems. During one research test, they were able to disengage brakes. The National Highway Traffic Safety Administration (NHTSA), the agency responsible for motor safety, has currently released a statement that “NHTSA is aware of the potential for ‘hackers’ and other cyber security issues whenever technology is involved; however the agency is not aware of any real-world cyber security issues in vehicles.” Yet, their 2013 budget request reveals a $10 million line item to study vehicle cyber risk.
Personally, I own a 2010 Ford Fusion. The vehicle has a built in CD player, Bluetooth system, Ford SYNC, and built in USB ports to sync multimedia devices. I use the Bluetooth capability on a daily basis to synchronize my Bluetooth phone, and enable hands-free phone calling (as is now the law in Pennsylvania where I live.) The Ford SYNC system periodically asks me (unprompted by myself) to run a “vehicle health report” which it sends to our email address, which we pre-programmed when we purchased the vehicle. The vehicle records tire pressure, percent of oil quality left before the next change is required, and miles until empty on gas, among other things. We use the USB ports to charge our multimedia devices, as well as to connect those devices, and our smartphones, and broadcast podcasts and internet radio streams over the Bluetooth through the car’s stereo system.
On occasion, we’ve picked up other phone conversations in our vehicle on our car Bluetooth receiver. In theory, that shouldn’t happen; you pair your device to your vehicle only. In addition, the vehicle health report runs while you drive; could that be intercepted? According to many in the car industry, the belief is legislation and regulation would be ineffective; the government would always be a step behind cyber criminals. Most believe the car industry should lead the cyber security charge. According to Ford, they are already beginning to take “cyber security precautions when assembling vehicles, including SYNC-enabled cars” as well as “simulate possible vulnerabilities during production.” The Ford SYNC now has a “built-in firewall” and also determines “which programs can be launched in car systems. Also, the vehicle control system network is separate from SYNC’s [and] software updates must be ‘code-signed’ or validated as Ford-authored to launch.”
This is all good news for consumers, who are probably all unaware of the cyber security dangers in the first place. All car manufacturers who are employing newer technology on board cars should take the lead in protecting their consumers. I believe regulation will only bog down the innovative process of car manufacturing, and car manufacturers are able to self regulate and provide the highest tech, cyber secure equipment. If they don’t, consumers won’t purchase their products.
Sternstein, A. (2013, January). Carhacking.  Government Executive.

Friday, December 21, 2012

Hack Yourself---before someone else does---Twitter

In my previous post, I mentioned my attempts to hack my own Gmail account.

I entered a bad password 26 times, and Google Mail didn't blink---it just continued to display an error message indicating that either the user id or password was incorrect.

After eventually entering the correct password, I logged in successfully.

I was hoping that Google would alert me to the fact that someone had unsuccessfully attempted to log into my account 26 times.

No such luck.

I had decided to try this again with Google Mail, entering a bad password up to 1,000 times but I was distracted.

A friend of mine had forgotten her Twitter password, and I was assisting her with getting back into her Twitter account when I learned that Twitter has the best security I've seen so far.

After trying to log into Twitter a third time unsuccessfully, the next time Twitter displayed one of those graphic displays where there's a graphic of a word or a number that you need to enter to prove that you're not some kind of robot trying to hack an account. This is sometimes called CAPTCHA.

http://en.wikipedia.org/wiki/CAPTCHA

Wikipedia defines it this way:

A CAPTCHA is a type of challenge-response test used in computing as an attempt to ensure that the response is generated by a human being. The process usually involves a computer asking a user to complete a simple test which the computer is able to grade. These tests are designed to be easy for a computer to generate but difficult for a computer to solve. If a correct solution is received, it can be presumed to have been entered by a human. A common type of CAPTCHA requires the user to type letters and/or digits from a distorted image that appears on the screen. Such tests are commonly used to prevent unwanted Internet bots from accessing websites.

The term "CAPTCHA" was coined in 2000 by Luis von Ahn, Manuel Blum, Nicholas J. Hopper, and John Langford (all of Carnegie Mellon University). It is an acronym based on the word "capture" and standing for "Completely Automated Public Turing test to tell Computers and Humans Apart".

This was the first time that a bad password had been challenged in any way. Yahoo and Google both failed to do it.

I have several Twitter accounts, and so I decided to test Twitter's security by logging in with bad passwords several times.

I logged in with a bad password twice, and then a screen was displayed with two CAPTCHA boxes.

I entered a bad password again, but with the 2 correct CAPTCHA answers.

A screen was displayed saying bad user id or password, but no CAPTCHA.

Again I entered a bad password. This time, a screen saying bad user id or password, but no CAPTCHA.

Looks like it only displays the CAPTCHA after 3 bad attempts.

Eventually I had entered 26 bad passwords before finally entering the correct one and logging successfully into Twitter.

No message was displayed warning me that someone had tried to hack my account.

I checked the email address associated with the account.

No email warning me about a possible hacker.

Of the 3 accounts I've tried to hack, Yahoo, Google, and Twitter, so far Twitter has been the only one to put any sort of road block in my way.

Having to enter the CAPTCHA challenge answers sure does slow down a manual attempt to repetitively guess passwords. However, despite this added hurdle, Twitter does not seem to disable the account, nor does it send an email warning the user that someone is trying to log in with a bad password.
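A sketch of the server-side policy these tests were probing for, as an added example that is not from the original post or from any of the providers named: a CAPTCHA after three failures (the behaviour observed above), plus the temporary lockout and owner notification the post found missing. The class name, thresholds, and the `notify` callback are assumptions.

```python
from dataclasses import dataclass, field

# All thresholds are assumed values for illustration.
CAPTCHA_AFTER = 3          # failures before a CAPTCHA is demanded
LOCK_AFTER = 10            # failures before a temporary lock
LOCK_SECONDS = 15 * 60     # temporary, so a guesser cannot lock the owner out for good
WINDOW_SECONDS = 60 * 60   # failures older than this are forgotten


@dataclass
class AccountState:
    failures: list = field(default_factory=list)  # timestamps of failed attempts
    locked_until: float = 0.0


class LoginGuard:
    """Hypothetical per-account throttle; password checking itself is out of scope."""

    def __init__(self, notify):
        self._accounts = {}
        self._notify = notify  # callback(user, message), e.g. an e-mail sender

    def _state(self, user, now):
        state = self._accounts.setdefault(user, AccountState())
        state.failures = [t for t in state.failures if now - t < WINDOW_SECONDS]
        return state

    def requires_captcha(self, user, now):
        return len(self._state(user, now).failures) >= CAPTCHA_AFTER

    def attempt(self, user, password_ok, captcha_ok, now):
        state = self._state(user, now)
        if now < state.locked_until:
            return "locked"            # rejected without evaluating the password
        if len(state.failures) >= CAPTCHA_AFTER and not captcha_ok:
            return "captcha_required"
        if password_ok:
            if state.failures:
                # Tell the owner what happened before this successful sign-in.
                count = len(state.failures)
                self._notify(user, f"{count} failed sign-in attempts in the last hour")
            state.failures.clear()
            return "ok"
        state.failures.append(now)
        if len(state.failures) >= LOCK_AFTER:
            state.locked_until = now + LOCK_SECONDS
            self._notify(user, "account temporarily locked after repeated failed sign-ins")
            return "locked"
        return "denied"


def replay_guessing(bad_attempts):
    """Constructed scenario: wrong passwords one second apart (CAPTCHA always
    solved), then the owner signs in correctly once any lock has expired."""
    sent = []
    guard = LoginGuard(lambda user, msg: sent.append((user, msg)))
    outcomes = []
    for t in range(bad_attempts):
        solved = guard.requires_captcha("alice", t)
        outcomes.append(guard.attempt("alice", False, solved, t))
    owner_time = bad_attempts + LOCK_SECONDS
    outcomes.append(guard.attempt("alice", True, True, owner_time))
    return outcomes, sent


if __name__ == "__main__":
    results, messages = replay_guessing(26)  # the 26 bad passwords from the post
    print(results)
    print(messages)
```

With these settings, the 26-attempt test from the post stops being evaluated at the tenth failure, and the owner receives two messages: one when the lock is applied and one at the next successful sign-in.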

My next attempt will be with Facebook.

More to follow.

If I don't post again before 2013, I want to wish you all a Happy New Year!

Friday, December 14, 2012

Hack Yourself---before someone else does. Google Mail...

If you've been following my blog, you know that I've been intrigued lately by the notion of hacking my own email account.

I know it can be done by someone who really wants to do it---that's not the issue.

The issue is suppose someone I know: a friend, a not-so-friend, a neighbor thought it would be fun to try to guess my email password.

Surely my mail provider would let me know?

Or not?

It's been a few weeks since I last tried to hack my own Yahoo email account.

I was unsuccessful, but most importantly, once I successfully logged into Yahoo, Yahoo never once told me about the suspicious activity against my Yahoo account.

I guess Yahoo doesn't consider hundreds of attempts to guess my account password significant.

Perhaps this happens all the time?

I figured I would try one of my Google accounts---surely Google would be a bit more vigilant.

Well, my first attempts went this way---

Try to log into my Google account with a valid user id, but successively provide the letters 'a' through 'z' as password.

As was the case with Yahoo, all I received was a message indicating that my password was incorrect.

25 additional attempts with a bad password produced the same result.

When I logged in successfully, I anticipated that I might have an email in my Google email account indicating suspicious activity on my account.

I didn't.

My next attempt will be a bit more persistent---1000 attempts with a bad password.

Interestingly, this Google account I'm trying to hack is an account that I hadn't used in a while.

When I used it last week, Google prompted me for an alternate email address in the event my account became disabled or locked out.

So it does happen--but apparently not for 26 bad password entries.

More to follow :)


Sunday, December 2, 2012

So you'd like to work in Computer Forensics

 
According to Wikipedia

Computer forensics (sometimes known as computer forensic science[1]) is a branch of digital forensic science pertaining to legal evidence found in computers and digital storage media. The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the information.

Although it is most often associated with the investigation of a wide variety of computer crime, computer forensics may also be used in civil proceedings. The discipline involves similar techniques and principles to data recovery, but with additional guidelines and practices designed to create a legal audit trail.

Evidence from computer forensics investigations is usually subjected to the same guidelines and practices of other digital evidence. It has been used in a number of high profile cases and is becoming widely accepted as reliable within US and European court systems.

One of my current students is a Computer Forensic Examiner, and responded recently to a question from another student in the class about the field and how to break into it.

His answer was so good I decided to include it here as a blog post---here it is:

It's ever changing and always challenging.  However, it's not cheap. A typical course ranges from $2,500 to $4000 dollars. 

If you're truly interested in this then go to some of the big job sites like Monster.com and put in computer forensic examiner, which is my title, and see what comes up. 

Many provide certifications they are looking for and they're typically from one of the few major companies and/or groups:

Guidance Software (EnCE - EnCase Certified Examiner)
http://www.guidancesoftware.com/

AccessData (ACE - Access Data Certified Examiner)
http://www.accessdata.com/

International Association of Computer Investigative Specialists (IACIS)
(CFCE - Computer Forensic Certified Examiner)
https://www.iacis.com/

International Society of Forensic Computer Examiners (ISFCE)
(CCE - Certified Computer Examiner)
http://www.isfce.com/

SANS (GCFA - Certified Forensic Analyst & GCFE - Certified Forensic Examiner)
http://www.sans.org/

The list goes on and on. 

Two books you might want to check out are

Guide to Computer Forensic Investigations 
http://www.amazon.com/Guide-Computer-Forensics-Investigations-Nelson/dp/1435498836

and

File System Forensic Analysis 
http://www.amazon.com/System-Forensic-Analysis-Brian-Carrier/dp/0321268172

Saturday, December 1, 2012

Email of the week (December 1, 2012)

I just received this email from a fan of my Learn to Program with Visual C# book

Hello Mr. Smiley,

I recently purchased your book Learn to Program with Visual C# Express.
I know you've probably received many many Emails, letters, etc. saying thank you,
well here is another one... Lol.

I have read many many programming books in the last 30 years of my programming life.
But yours is so well done and was so great it was hard to put it down.  Most authors
write in a method that is so dry.  Your book was wonderful and engaging.  I enjoyed the
interaction with the students in the book.  You did a wonderful job of making me feel as
if I was part of the class. Thank you.  I hope all of the students from the class are doing well.

C# is not my first Visual programming experience.  But it is surely my favorite so far.

Anyway,  (Sorry to bore you) I was wondering if you have the C# intermediate class book published?

Sincerely,

Brad
Fort Worth, TX.

My Response...

Hi Brad

Thank you for your very kind email---I really appreciate it!

Actually, few people take the time to email me, but when they do it really makes my day!

Interestingly, I got the opportunity to write my first book when I emailed the publisher of a book I was using in my class to tell him how much I enjoyed using it, and offered a few suggestions to make it even better.

I don't have an Intermediate C# book that I've written---I stick to introductory topics---but I can highly recommend the Murach C# book.

I'm currently using a Head First book in my HTML/CSS class, and I find the tone of the book (not dry, not too serious) to be very similar to mine. I'd recommend you check out the Head First C# book also.

As far as the students, the students in the book were based on actual students I taught at Penn State. Once in a while I'll hear from them, and I keep in contact with a few of them on LinkedIn.

Thanks again for your email, and keep me posted on your C# progress.

John Smiley

Wednesday, November 28, 2012

Hack your own email account...before someone else does (Part 3)

As you may recall, I decided I would try to hack my own Yahoo email account and see if Yahoo might try to notify me of the hacking attempts.

My first try took this form...

I tried to log into my account on 26 successive attempts, feeding passwords ranging from the single letter 'a' to 'z'.

Each time, I was greeted with a message saying the password was incorrect, but nothing beyond that.

I then logged onto my Yahoo account with the correct password, checked my email, and nothing---no warning that someone had tried to log into my account 26 times in succession with an incorrect password.

My second try took this form...

I tried to log into my account on 100 successive attempts, feeding the single letter 'a' as my password.

Each time I was greeted with a message saying the password was incorrect, but nothing beyond that.


I then logged onto my Yahoo account with the correct password, checked my email and nothing---no warning that someone had tried to log into my account 100 times in succession with an incorrect password.

I'm pretty much convinced now that Yahoo doesn't care if someone tries to hack your Yahoo account---no surprise, I guess, since I get so many spam emails from Yahoo accounts and followups from my friends saying they've been hacked.

Even if Yahoo had directed me to another page, that might make the job of hacking my account harder.

As it is, there's simply a message displayed that the password is incorrect, and I'm still on the log in page.

This will end my attempt to hack into my own Yahoo account.

My next attempt will be to try to hack my Google Gmail account---I suspect that will have better security.

Stay tuned for Part 4.