Kevin Mitnick, at age 13, used social engineering and dumpster diving to produce punch cards that let him ride buses for free; he went on to become the world's most famous hacker by stealing sensitive information and software from some of the world's largest companies. In his book 'The Art of Deception' he shows how a 'social engineer' can exploit the human factor of almost any system to obtain valuable information and use it for their own benefit. Mitnick shows that the social engineer is a potential and likely attacker.
Three flawed security methods are sometimes called 'Candy security', 'Speakeasy security' and 'Security through obscurity'. 'Candy security' means the system has a hard shell but a soft inside: strong safeguards against anything outside the system, but a weak intranet once an attacker is in. 'Speakeasy security', named after the speakeasies of the Prohibition era, relies on knowing where to find information and on a word or password to gain access; this is almost equivalent to 'Security through obscurity', which assumes that nobody besides legitimate users can navigate your system. The common flaw in all three is the assumption that access can only be granted knowingly, whereas an attacker can gain access to the internal workings of a system by winning the trust of a legitimate user, or, closer to home, a student. A phishing email could be sent from a UoB account, or I could unknowingly fall victim myself.
“When in doubt, verify, verify, verify.” -Kevin Mitnick
On making an Apple Store purchase I was sent an email asking me to phone a given number. Instead I used the customer services number on the official website to verify the email, and they subsequently forwarded the call to the number in the email after confirming that the email was genuine.
In a company, a strict data classification policy should be used that determines which data is actually innocuous for public consumption, and also what may safely be thrown out.
A policy against sharing internal phone numbers should be implemented in a company to limit phishing calls. I rarely share my phone number, so it is difficult, though possible, for a determined individual to find it; I would pray that other user-verification safeguards in online services, such as passwords, would prevent a successful attack.
Verify telephone numbers with the company that callers claim to be associated with.
Change passwords regularly and make them unique. Two-factor authentication can safeguard against an attacker who has only obtained a password or access to a single account. I write my passwords down and store them in a secure location to make it easier to have many 'strong' passwords. I don't store highly sensitive passwords in plain text; instead I write hints that would be obscure to someone else.
Don't immediately trust someone just because they use the right jargon: companies often make their terminology known to all staff, and an attacker can use it to gain short-term trust and extract a bit more information.
I can report particularly suspicious activity to IT services.
A Distributed Denial of Service (DDoS) attack floods a target with useless traffic from many compromised machines at once (a botnet, driven by one or more command-and-control (C&C) servers). It differs from a plain Denial of Service (DoS) attack, in which a single attacker targets a single victim: a lone DoS source can be stopped by blocking one IP address, whereas a DDoS attack may arrive from thousands of bots, each sending traffic that looks much like a legitimate user's, which makes it far harder to tell attackers apart from genuine users and far harder to prevent.
Hardware asset identification
MacBook Pro System Version: OS X 10.11.6 (15G1004)
Vulnerability appraisal
This year, 2016, Apple devices running OS X before 10.12 were found to be vulnerable to several types of DoS attack. The kernel allowed attackers to obtain sensitive memory-layout information or cause a DoS (out-of-bounds read, unintended lock, or memory consumption) via a crafted app.
Other disclosed vulnerabilities involved the Kerberos 5 PAM module, which made it easy for remote attackers to enumerate user accounts, and CCrypt, which allowed attackers to discover cleartext information by leveraging a function call that specifies the same buffer for input and output.
Risk mitigation
To prevent myself from getting infected I have installed apps, antivirus and antispyware programs from trusted sources; anti-malware programs scan and monitor my computer for known viruses and spyware; I try to keep all software up to date; I use strong passwords and keep them secret (I write them down); and I never turn off my firewall.
To defend against DDoS one could divert traffic through a "scrubbing" service, e.g. Black Lotus, which drops malicious packets and forwards the rest; rate-limit connections per source; filter obvious attack sources; time out half-open connections more aggressively; drop spoofed or malformed packets; and lower the drop thresholds for SYN, ICMP and UDP floods.
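The following is an added example (not code from the essay or from any vendor) that puts two of those mitigations, a per-source rate limit and an aggressive half-open timeout, in front of a constructed trace, and shows why they separate the DoS and DDoS cases so differently. All thresholds, addresses and timings are assumptions chosen for the illustration. A single attacker sending 50 SYNs in half a second trips the per-source limit and is simply dropped; 100 bots sending only 5 SYNs each stay under every per-source threshold, yet between them leave 500 connections half-open, which only a global defence (SYN cookies, scrubbing) can address.

```go
package main

import (
	"fmt"
	"sort"
)

// Event is one constructed connection-attempt record: a TCP SYN, or the
// client's final handshake ACK, from source Src at time T (seconds).
type Event struct {
	Src  string
	T    float64
	Kind string // "SYN" or "ACK"
}

// Policy holds the filter thresholds; the values are illustrative assumptions.
type Policy struct {
	PerSrcSYNLimit int     // SYNs one source may send inside Window
	Window         float64 // sliding window, seconds
	HalfOpenTTL    float64 // seconds before an un-ACKed SYN is timed out
	GlobalHalfOpen int     // total half-open connections that trigger flood mode
}

var DefaultPolicy = Policy{PerSrcSYNLimit: 20, Window: 1.0, HalfOpenTTL: 5.0, GlobalHalfOpen: 200}

// Verdict summarises what the filter decided for one event stream.
type Verdict struct {
	BlockedSrcs  []string // sources that exceeded the per-source SYN limit
	PeakHalfOpen int      // most simultaneous half-open connections seen
	FloodMode    bool     // global threshold exceeded: only SYN cookies or scrubbing help now
}

// Analyse replays events through a per-source sliding-window rate limiter and
// a half-open connection table with an idle timeout.
func Analyse(events []Event, p Policy) Verdict {
	sort.SliceStable(events, func(i, j int) bool { return events[i].T < events[j].T })
	synTimes := map[string][]float64{} // recent SYN timestamps per source
	blocked := map[string]bool{}
	var open []Event // SYNs still waiting for their ACK
	var v Verdict
	for _, e := range events {
		kept := open[:0] // expire half-open entries older than HalfOpenTTL
		for _, o := range open {
			if e.T-o.T < p.HalfOpenTTL {
				kept = append(kept, o)
			}
		}
		open = kept
		switch e.Kind {
		case "SYN":
			if blocked[e.Src] {
				continue // the DoS case: one address, simply dropped
			}
			ts := synTimes[e.Src]
			for len(ts) > 0 && e.T-ts[0] >= p.Window {
				ts = ts[1:] // slide the window forward
			}
			ts = append(ts, e.T)
			synTimes[e.Src] = ts
			if len(ts) > p.PerSrcSYNLimit {
				blocked[e.Src] = true
				continue
			}
			open = append(open, e)
		case "ACK":
			for i, o := range open {
				if o.Src == e.Src { // handshake completed
					open = append(open[:i], open[i+1:]...)
					break
				}
			}
		}
		if n := len(open); n > v.PeakHalfOpen {
			v.PeakHalfOpen = n
		}
		v.FloodMode = v.FloodMode || len(open) > p.GlobalHalfOpen
	}
	for src := range blocked {
		v.BlockedSrcs = append(v.BlockedSrcs, src)
	}
	sort.Strings(v.BlockedSrcs)
	return v
}

// Flood builds a constructed trace: three legitimate clients that complete their
// handshakes, then `bots` attacking sources, each sending synsEach SYNs and never ACKing.
func Flood(bots, synsEach int, spacing float64) []Event {
	var ev []Event
	for i := 1; i <= 3; i++ {
		src := fmt.Sprintf("192.0.2.%d", i)
		ev = append(ev, Event{src, float64(i), "SYN"}, Event{src, float64(i) + 0.1, "ACK"})
	}
	for i := 0; i < bots*synsEach; i++ {
		ev = append(ev, Event{fmt.Sprintf("198.51.100.%d", i%bots), 10 + float64(i)*spacing, "SYN"})
	}
	return ev
}
```

Calling `Analyse(Flood(1, 50, 0.01), DefaultPolicy)` blocks the single source after its 21st SYN and never leaves flood mode off; `Analyse(Flood(100, 5, 0.001), DefaultPolicy)` blocks nobody, because no bot exceeds 20 SYNs per second, yet reports 500 half-open connections and flood mode. The per-source view cannot distinguish the bots from the three legitimate clients; only the aggregate half-open count reveals the attack.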
I use Google drive for the majority of my files, including but not limited to: programming assignments, coursework and notes. The University of Bristol recommends we use Google Drive over alternative cloud data storage options, for example: Dropbox which I used to transfer holiday photos.
The UoB data classification policy makes clear who may view each classification of data, and that failing to encrypt personal data subject to the Data Protection Act breaches the seventh data protection principle. I do not store any data rated 'critical' on Google Drive, i.e. passwords and data covered by the Official Secrets Act 1989. For strictly confidential data, such as medical history and candidate numbers, I may have to consider encryption.
Client-side encryption of files is not a feature offered by Google Drive, although Google states that all of its services use HTTPS (Hypertext Transfer Protocol Secure) with Perfect Forward Secrecy (PFS): TLS (Transport Layer Security) protects data in transit and 2048-bit RSA keys are used for server authentication and key exchange. PFS means that each connection negotiates its own ephemeral session key (for example via ephemeral Diffie-Hellman) that cannot be recovered from the server's long-term private key, so an attacker who later obtains that private key cannot decrypt months of recorded connections with it. To add an extra layer of security to my 'strictly confidential' data I will encrypt the files before uploading them and keep my passwords secure.
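Encrypting a file locally before it goes to Drive is straightforward to do properly, and the details matter: a per-file random salt so that two files never share a key, a random nonce, and an authenticated mode so that a tampered download is rejected rather than silently decrypted to garbage. The block below is an added example, not code from the essay or from Google, using only Go's standard library (PBKDF2 is written out by hand because the standard library did not ship it before Go 1.24). The container layout (salt || nonce || AES-256-GCM ciphertext and tag) and the 200,000-iteration work factor are assumptions for the illustration, not a standard format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Constructed container layout: salt || nonce || AES-256-GCM(ciphertext || tag).
// An illustration, not a standard file format.
const (
	saltLen    = 16
	nonceLen   = 12
	iterations = 200_000 // PBKDF2 work factor; an assumption, tune to your hardware
)

// pbkdf2SHA256 is PBKDF2 (RFC 8018) over HMAC-SHA256, written out here because
// Go's standard library (before 1.24) has no PBKDF2 package.
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx[:])
		u := prf.Sum(nil)              // U_1
		t := append([]byte(nil), u...) // T = U_1 xor U_2 xor ... xor U_c
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// newAEAD derives a fresh 256-bit AES key from the password and this file's salt.
func newAEAD(password, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256(password, salt, iterations, 32))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under password. A random salt (so each file gets its
// own key) and a random nonce are stored in the clear, and both are bound into
// the GCM tag as associated data so they cannot be swapped or edited.
func Seal(password, plaintext []byte) ([]byte, error) {
	header := make([]byte, saltLen+nonceLen)
	if _, err := rand.Read(header); err != nil {
		return nil, err
	}
	salt, nonce := header[:saltLen], header[saltLen:]
	aead, err := newAEAD(password, salt)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(header), len(header)+len(plaintext)+aead.Overhead())
	copy(out, header)
	return aead.Seal(out, nonce, plaintext, header), nil
}

// Open reverses Seal. A wrong password, or any change to the salt, nonce or
// ciphertext, fails the tag check and nothing is returned.
func Open(password, blob []byte) ([]byte, error) {
	if len(blob) < saltLen+nonceLen+16 {
		return nil, errors.New("blob too short")
	}
	header := blob[:saltLen+nonceLen]
	salt, nonce := header[:saltLen], header[saltLen:]
	aead, err := newAEAD(password, salt)
	if err != nil {
		return nil, err
	}
	plaintext, err := aead.Open(nil, nonce, blob[len(header):], header)
	if err != nil {
		return nil, errors.New("decryption failed: wrong password or file tampered with")
	}
	return plaintext, nil
}
```

`Seal(password, fileBytes)` produces the blob to upload and `Open(password, blob)` recovers the file after download. Because GCM authenticates the ciphertext and the header, flipping a single byte of the downloaded file, or of its salt, makes `Open` return an error instead of corrupted plaintext; this is the property a plain "encrypt with a password" tool without authentication lacks. The password itself is the remaining weak point, which is why the essay's practice of keeping it out of the cloud matters.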
Virus detection is a feature that Google Drive does offer. When downloading files from Drive a pop-up says "scanning for viruses...", which I looked into. Various techniques exist, but as Fred Cohen proved, no detector can be perfect: deciding whether an arbitrary program is a virus is undecidable, so every defensive mechanism can be evaded by some infection, and conversely every infection can be caught by some mechanism; he likens this to the fact that any horse can be ridden and any man can be thrown off.
Cloud anti-virus scanning combines several virus and behavioural detection methods, for example: sandbox detection, which executes the program in a virtual environment and is slow; data-mining techniques, including machine learning, which detect patterns in the data to classify its behaviour; and retrospective detection, which re-checks previously scanned files against newer knowledge. If a virus is detected, users can't share the file with others, send the infected file via email, or convert it to a Google Doc, Sheet or Slide, and they receive a warning if they attempt these operations. The owner can download the infected file, but only after acknowledging the risk of doing so; note, however, that a file larger than 25MB will not be scanned at all. I tested Drive's feature using an EICAR test file to test signature- and behaviour-based detection.
Google Drive offers a level of security that meets my current needs. The University of Bristol advises against using it for long-term storage and archiving, which is tempting given the 'unlimited' storage offered, but I have elected to download important files, such as coursework and assessed programs, and store them locally as the University advises.