Exercise 5-1 - Consider the passwords that you use for common tasks like logging into your computer, email, social networking sites, and so on. How many of those passwords meet the criteria in the table below? How many of your passwords would you consider strong?
| Password for | Password length (characters) | Password uses numbers? | Password uses uppercase and lowercase? | Password uses symbols? | Password age (last changed?) |
| --- | --- | --- | --- | --- | --- |
In 2006 MythBusters showed that biometric systems have weaknesses.
As you watch the videos below, ask yourself:
- Why is this tech needed?
- How could this be circumvented?
- Who should use such tech?
- Is biometric data collection GOOD for society?
- Is biometric data collection a violation of my rights?
At the 2001 Super Bowl, a new biometric technology was tried out on sports fans for the first time. Facial recognition software, linked to security cameras at the stadium entrances, scanned the face of everybody entering, and compared them with a police database of known criminals.
- Unlike most systems, this system did not require people to stand still to submit a biometric sample; it was capable of working from live video feeds. Explain why this is so significant. [4 marks]
- Describe what the risks might be if this system gave a false negative or a false positive. [4 marks]
- Discuss the benefits and drawbacks of using such a system. [8 marks]
We will analyze the subculture of hacking, its potential threats and implications for individuals and societies.
Hacking refers to gaining unauthorized access to computer systems. This is usually done by exploiting weaknesses in the target system's security, such as problems with network security or vulnerabilities in specific software being used on the system. We will start by watching the following video:
The Telegraph's Five of the biggest hacking attacks is a good introduction to hacking and its social impacts. Security lapses at Apple and Amazon lead to an epic hack is an excellent resource explaining how a major hack was performed using a variety of techniques, including social engineering.
With information technology systems becoming ever more ubiquitous, more and more systems are potentially vulnerable to hacking, including transportation systems, television stations, telephone networks, and even electronic hotel door locks. Many organizations also store customers' personal and credit card data and passwords, making them tempting targets for hackers. Multiple companies, including AT&T, Sony, McDonalds and Twitter have been the victims of such attacks.
Hackers sometimes take novel approaches to their crimes: in 2013 a group of Australian hackers broke into a CCTV network at a casino (Wired) and used it to watch other players' hands - winning $33 million before they were caught.
Hacking humans is an article from the Washington Post explaining just how easy and effective social engineering attacks can be. Using social media to launch a cyberattack discusses the risks of revealing personal information on social networks and explains how criminals can use this against you. My career as a professional bank robber is a first-hand account of a man who used to use social engineering techniques to commit crimes.
Read an article on the 15 Greatest Hacking Exploits.
From home, access the SlaveHack web site. This site features a completely safe and virtual environment that allows you to learn about hacking by participating in an online game that teaches you some of the techniques that hackers use to break into computers.
Can you solve this? Puzzlers World - Hacker Puzzle
After researching hacking, please take a moment to think about the social and ethical consequences of hacking.
- Research White Hat, Black Hat, and Grey Hat Hackers
- Identify 2 positive and 2 negative ethical concerns for White/Black Hats [2 marks]
- Provide feasible solutions to the negative concerns [4 marks]
Viruses, Worms, Trojan Horses, Spyware, Rootkits, Malware, Denial of Service, Drive-by Downloads... oh my!
Research the following infamous computer viruses and worms:
- CIH/Chernobyl (1998)
- Melissa (1999)
- I love you (2000)
- Code Red (2001)
- Slammer (2003)
- Stuxnet (2010)
You are to create a presentation (Prezi etc.) of one of the above internet threats. Your presentation should include the following:
- An explanation of the internet threat
- Identify the ways users can be tricked into falling for this scam
- Describe the steps users can take to prevent this crime/scam
- Describe how computer security relates to personal privacy issues
- Extra - Create your own scam!
Be sure to distinguish between:
- Phishing & pharming
- Keystroke monitoring
- Spyware, adware & spam
- Spoofing & Identity theft
Think you can outsmart the Internet scammers? Take the Phishing Quiz
Passed that one? OK, then try the Pharming Quiz
- Plenty of valuable social engineering at www.social-engineer.org
- The full wiki: What's hot list for malware
- Tomorrow's Tech Chapter 10: Computer Security & Risks ppt (download only)
- Tomorrow's Tech - Computer Security & Risks - online resource
- Computer Shopper Sept. 2010 - Inside the Botnet
- PCPlus Dec. 2010 - Learn the Science of Social Engineering
- Daily Telegraph - Six questioned over £1m student phishing scam (9 Dec 2011)
- ViewsWire - Internet Security
Spammers often take advantage of people's interest in gossip and breaking news, frequently 'hijacking' the latest story by sending emails purporting to offer more information. Hi-tech thieves target Olympics (BBC) and The Michael Jackson spammers (BBC) illustrate this well.
Despite the inherent difficulties caused by the nature of the Internet, spammers and botnet creators are sometimes caught, as 'Spam gang' leader faces $15m fine (BBC), Spam text message pair are fined £440,000 (BBC), and Jail sentence for botnet creator (BBC) prove.
Some people have suggested that making a small charge for sending an email could drastically reduce the problem of spam. Even a price of one cent per email would make mass emailing expensive but be minor for most users. Discuss the effectiveness of this solution. [8 marks]
SonicWALL Phishing IQ Test and Anti-Phishing Phil are two resources that test a user's ability to spot phishing attempts - they are both harder than you might imagine!
How to Recognize Phishing Messages (Microsoft) and the Anti-Phishing Working Group are valuable resources for advice on avoiding being a victim.
Vishing attacks are phishing attacks that are performed using VoIP systems.
Protecting your business from phishing attacks contains useful advice.
After learning about hacking and how it compromises data security, we will learn about the next step in protecting data, by means of encryption.
Make any enquiry about computer security and you will almost immediately fall over the terms cryptography and encryption (and also decryption), but what exactly is meant by this? The Oxford English Dictionary defines cryptography as hidden writing. It has been around for a very long time: the Ancient Egyptians, the Arabs and the Romans developed their own encryption systems.
The most famous encryption machine invented was the Enigma (see picture on the right - click picture for Enigma Simulation), used in the Second World War to send military messages.
How do cryptography & encryption work?
One of the best examples of early cryptography is the Caesar cipher, named after Julius Caesar because he is thought to have used it even if he didn't actually invent it.
It works like this. Take a piece of paper and write along the top edge the alphabet. Take another piece of paper and do the same thing. You should then have two lines of letters like this:
Now write your message. SEND MONEY TONIGHT
Move one of your pieces of paper along to the right one or more letters so that they no longer line up. That should look like this:
Now every time you see a letter of your message in the top line, write down instead the letter on the bottom line.
SEND MONEY TONIGHT becomes QCLB KMLCW RMLGEFR
What you have done is perform a cryptographic transformation of (encrypted) your message.
Secret key encryption
The method described above, where the same key is used for both encryption and decryption, is known as secret key encryption (also called symmetric key encryption or single key encryption). A fundamental problem with this approach is that the key used for encryption and decryption must be kept secret. If someone discovers the key they could:
- decrypt our private messages
- send messages encrypted with our key, pretending to be us
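The paper-strip cipher worked through above, and the secret-key point just made (one key, shared by sender and receiver, does both jobs), as an added Python example that is not part of the original page. It encrypts with the page's convention (bottom strip slid two places to the right, so each letter moves two places back), decrypts with the same key, and lists every candidate plaintext for all 26 possible keys to show why a cipher with so few keys offers no real secrecy once the method is known.

```python
import string

ALPHABET = string.ascii_uppercase


def caesar_encrypt(plaintext, shift):
    """Encrypt with the page's paper-strip convention: the bottom strip is slid
    `shift` places to the right, so plaintext S becomes ciphertext Q when shift is 2.
    Characters outside A-Z (spaces, punctuation) are copied through unchanged."""
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) - shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(ciphertext, shift):
    """Decryption uses the very same key, sliding the strip back the other way.
    That is the defining property of secret-key (symmetric) encryption."""
    return caesar_encrypt(ciphertext, -shift)


def all_shifts(ciphertext):
    """Return every candidate plaintext, one per possible key (0..25).
    With only 26 keys, anyone who knows the method but not the key can read the
    message by trying them all, which is why the size of the key space matters."""
    return {k: caesar_decrypt(ciphertext, k) for k in range(26)}


if __name__ == "__main__":
    message = "SEND MONEY TONIGHT"      # the page's example message
    secret = caesar_encrypt(message, 2)
    print(secret)                       # QCLB KMLCW RMLGEFR
    print(caesar_decrypt(secret, 2))    # SEND MONEY TONIGHT
    for key, guess in all_shifts(secret).items():
        print(f"key {key:2d}: {guess}")
```

Only one of the 26 lines printed at the end reads as English, and no secret key was needed to find it; a modern cipher such as AES has 2^128 or more keys precisely so that this kind of exhaustive search is impossible.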
Diagram of the secret key encryption (symmetric key encryption) process, from page 107 of the book.
Public key encryption
A much better approach is public key encryption (also called asymmetric key encryption). This uses a key pair: a public key which is used only for encryption, and a private key which is used only for decryption.
Diagram of the public key encryption (asymmetric key encryption) process, from page 107 of the book.
Diagram of the biometric enrolment and authentication process, from page 92 of the book.
Digital signing & digital certificates
When Bob receives a message from Alice, how can he be sure it was really Alice who sent the message?
A digital certificate can be used to authenticate the sender of the message. Alice uses her private key to digitally sign her message. When Bob receives the message he can use Alice's public key to verify that Alice was the real sender.
However, how does Bob know that the message is from the correct Alice? An impostor could have claimed to be Alice and given Bob her own public key. To solve this problem, Bob can use a Certificate Authority (CA) to verify the owner of the public key. Certificate authorities are responsible for issuing digital certificates (key pairs) to organisations, after checking their identity.
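How the pieces described in the two sections above fit together (public key to encrypt, private key to decrypt; private key to sign, public key to verify; and a certificate authority vouching for whose key is whose), as an added Python example that is not part of the page or of the book it cites. It uses a toy RSA built from tiny constructed primes and a simplified certificate format (both assumptions for illustration only; real keys are thousands of bits long and real certificates follow the X.509 standard), and plays out the impostor scenario from the paragraph above.

```python
import hashlib
from math import gcd


def generate_keypair(p, q, e=17):
    """Toy RSA key generation from two small primes (constructed for illustration;
    real keys use primes of 1024 bits or more). Returns (public_key, private_key)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with (p-1)(q-1)")
    d = pow(e, -1, phi)            # private exponent: the modular inverse of e
    return (e, n), (d, n)


def encrypt(public_key, message):
    """Anyone holding the PUBLIC key can encrypt: each character becomes
    ord(ch) ** e mod n. Only the matching private key can reverse that."""
    e, n = public_key
    return [pow(ord(ch), e, n) for ch in message]


def decrypt(private_key, ciphertext):
    d, n = private_key
    return "".join(chr(pow(c, d, n)) for c in ciphertext)


def _digest(message, n):
    """Hash the message and reduce it below n (toy step; real schemes pad the hash)."""
    return int.from_bytes(hashlib.sha256(message.encode()).digest(), "big") % n


def sign(private_key, message):
    """Signing is the mirror image of encryption: the PRIVATE key is applied to the
    message digest, so only the key's owner could have produced the signature."""
    d, n = private_key
    return pow(_digest(message, n), d, n)


def verify(public_key, message, signature):
    """Anyone with the public key can check the signature; the check also fails
    if the message text was changed after it was signed."""
    e, n = public_key
    return pow(signature, e, n) == _digest(message, n)


def issue_certificate(ca_private_key, owner, owner_public_key):
    """A certificate authority signs the statement 'this name owns this public key'.
    The 'name|e|n' string is a constructed, simplified certificate format."""
    e, n = owner_public_key
    return sign(ca_private_key, f"{owner}|{e}|{n}")


def check_certificate(ca_public_key, owner, owner_public_key, certificate):
    e, n = owner_public_key
    return verify(ca_public_key, f"{owner}|{e}|{n}", certificate)


if __name__ == "__main__":
    alice_pub, alice_priv = generate_keypair(61, 53)
    mallory_pub, mallory_priv = generate_keypair(47, 59)   # the impostor
    ca_pub, ca_priv = generate_keypair(71, 67)             # the certificate authority

    # Confidentiality: Bob encrypts with Alice's public key; only Alice can read it.
    secret = encrypt(alice_pub, "Meet at noon")
    print(decrypt(alice_priv, secret))

    # Authenticity: Alice signs, Bob verifies with her public key.
    msg = "Transfer 100 to Bob"
    sig = sign(alice_priv, msg)
    print(verify(alice_pub, msg, sig))           # True
    print(verify(alice_pub, msg + "0", sig))     # False: tampering is detected

    # The problem on the page: Mallory claims to be Alice and hands Bob HER key.
    # The signature checks out against the key Bob was given, so a key on its
    # own proves nothing about who "Alice" really is...
    print(verify(mallory_pub, msg, sign(mallory_priv, msg)))      # True
    # ...which is why Bob consults a CA: it certified Alice's key, not Mallory's.
    cert = issue_certificate(ca_priv, "Alice", alice_pub)
    print(check_certificate(ca_pub, "Alice", alice_pub, cert))    # True
    print(check_certificate(ca_pub, "Alice", mallory_pub, cert))  # False
```

The last two lines are the whole point of a CA: Bob must already trust the CA's public key (browsers ship with a list of such keys), and from that single trusted key he can check any certificate the CA has issued without having met Alice in person.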
- Encryption - How Stuff works
- Cryptography explained - Encryption for dummies
- Tutorial: SSL explained & Cryptography demystified (Bill Childers)
- Explain that stuff - Encryption e-tutorials
- Asymmetric encryption explained (RSA)
- Encryption - Try it for yourself
- Codes & Cyphers - CIMT Plymouth University
- Public key cryptography Assignment
- PC Plus Dec 2011 - Safe online Transactions SSL/TLS
Encryption is essential to many industries, including e-commerce and banking. Without encryption it would be too risky to purchase anything online.
However, strong encryption effectively guarantees that nobody without the encryption key can view the plaintext - including law enforcement officials. Different solutions have been suggested. The USA has proposed key escrow, where an authorised authority holds users' encryption keys and reveals them to law enforcement if requested.
In the year 2000, the UK passed the controversial Regulation of Investigatory Powers Act (RIPA) which required users to reveal their encryption keys when requested by authorities. Failure to do so could result in a two year prison sentence.
Read the following three articles which discuss the potential problems caused both by criminal and terrorist use of encryption, and by attempts to control the use of such technology:
- Teenager jailed for refusing to reveal encryption keys (PC Pro)
- Pro-Privacy Senator on Fighting the NSA From Inside the System (Wired)
- Case Involving Encryption in Crime and Terrorism
Crypto kids - puzzles explanations
After studying some of the methods and algorithms for encryption, we need to understand how this is done in real life.
Suppose you are an IT security consultant, and one of your clients asks you to review for him the various options (free and paid) that exist for encrypting sensitive data on his hard drive. Answer the following questions:
- Identify at least one piece of software for encrypting sensitive data.
- Write a detailed sequence of instructions as to how to effectively encrypt the data.
Answer the question in a Word file. This file must be sent to my @natomasunified.org account, in encrypted form, together with another unencrypted file that explains how to decrypt it, and why you have chosen that particular software.
- Define the term WPA. [2 marks]
- Distinguish the terms spam & phishing. [4 marks]
- Explain the process through which data is encrypted using public key encryption. [4 marks]
Create a survey that can be used to assess people's understanding of good computer security practices. The survey should focus on the methods people use to protect themselves and their computer, rather than testing any technical knowledge. You might want to create different levels of answer, for example for the question "Do you use antivirus software?", the poorest answer would be No, the next answer would be Yes - but it is not up to date, and the best answer would be Yes-updated regularly. Give your survey to a number of people (over 10). What do your results tell you?
Use Desktop Publishing (DTP) software to create an advice booklet called Computer Security for Beginners (or something similar). This should be designed to be handed out in a computer store to people buying a new computer for the first time. The booklet should detail the most common security problems, their effects on people, and their solutions. The emphasis should be on reliable, practical advice and tips that users can follow to improve the security of their computer. You might want to include both solutions and preventative measures.
- Tutorial on how to use MS Publisher
- PagePlus SE - Serif offer a cut down version of their DTP software for free.
- Scribus - open source desktop publishing program.