Don’t steal my information

It’s important to take precautions to protect yourself and your products from information theft these days, because it is getting easier and easier for people to share digital products. Information theft is a type of computer security risk, defined as stealing an individual’s personal or confidential information. When information is stolen it can cause as much damage as hardware or software theft, or possibly more.

Both business and home users are at risk of information theft. One example is a malicious individual stealing credit card numbers so they can make unauthorized purchases on another person’s account. If information is transmitted over a network, there is a very high chance that malicious users can intercept it. Every computer in the path of your data can see what you send. A lot of companies try to stop information from being stolen by applying user identification and authentication controls. These controls are best for protecting computers on a company’s premises. However, to protect information on the Internet and on networks, companies use a handful of encryption methods.

Encryption refers to the process of converting data into an unreadable form. One type of encryption software is obfuscated code, which is program code that is extremely hard to read. Encrypted data can be sent through the same channels as any other data, but to read it you must decrypt or decipher it into a readable form. In the encryption process, the unencrypted data or input is known as plaintext, and the encrypted data or output is known as ciphertext. To encrypt information, the programmer converts the plaintext into ciphertext using some type of encryption key. An encryption key is the programmed formula that the person who receives the data uses to decrypt the ciphertext.

There are a variety of encryption methods or algorithms. However, with an encryption key formula, you will be using more than one of these techniques. Some businesses use available software, while others develop their own. When an individual sends information online, for example by email, they never know who might intercept it or to whom it could be forwarded. That is why it is not a good idea to send confidential information online. However, an individual can help protect themselves by encrypting the information or signing it digitally. Some very popular email encryption software is known as Pretty Good Privacy (PGP) and Centurion Soft Secure Protection.

Pretty Good Privacy is known as freeware, which means that individuals can use it for their personal needs but not for commercial purposes. You can download it at no cost. A digital signature is a type of encrypted code that an individual, website, or company attaches to an electronic document to verify that the sender is who they claim to be. The code will most likely consist of the user name and a hash of (usually part of) the message. A hash is a type of mathematical formula that generates content from a specific message, so it is different from the message itself. The recipient generates a new hash from the received message and compares it with the one in the digital signature to make sure that they match. The main purpose of using digital signatures is to make sure that it is not an impostor participating in the transaction, so digital signatures help cut down on e-mail scams. A digital signature can also verify that the contents of a message have not been changed.

A lot of web browsers use encryption regarded as 40-bit encryption, which is a very low level. A variety of browsers also offer 128-bit encryption, which has a higher level of protection because the encryption key is longer. Some places that require extremely high security, like banks and online retailers, need at least 128-bit encryption. A website that successfully uses encryption methods to secure information is known as a secure site. A secure site uses a digital certificate with a security protocol. The two most popular security protocols are Secure Sockets Layer and Secure HTTP.

A digital certificate is a notice that verifies that a user or a website is genuine and not a scam. A lot of e-commerce websites have digital certificates. A certificate authority (CA) is an authorized company or individual that has the ability to issue and verify digital certificates. There are several websites that offer digital certificates. Some popular ones are Verisign http://www.verisign.com/, GoDaddy www.godaddy.com, DigiCert http://www.digicert.com/, and Thawte http://www.thawte.com/.

The digital certificate will usually contain information such as the user name and the serial number of the certificate. The information in the digital certificate is also encrypted. Next, the Secure Sockets Layer (SSL) provides encryption of every detail that passes between a server and a client. SSL also requires the client to have a digital certificate, so the web browser can communicate securely with the client. Web pages that use SSL usually begin with https instead of http. SSL is available in 40- and 128-bit encryption. Secure HTTP (S-HTTP) allows individuals to choose encryption for data that passes between a client and a server. When using S-HTTP, both the client and the server must have a digital certificate. This makes S-HTTP more difficult to use than SSL, but on the other hand it is more secure. Companies that have to verify a client, such as online banking companies, use S-HTTP.

Mobile users can also access computer networks through a virtual private network. When mobile users log on to a main office using some type of standard Internet connection, a virtual private network (VPN) allows the mobile user to secure the connection. VPNs encrypt data as it passes from a notebook computer or any other mobile device so it won’t be intercepted. Regardless of your security method, I highly recommend using the most powerful safeguard, which is a backup. It prevents data loss from several sources, such as system failure. A backup is simply a copy of a file, program, or disk that can be used in place of the original if it is lost, destroyed, or corrupted. If the files are destroyed, you can replace them by restoring them, which copies the backed-up files into their original location on the computer.

Computer Security Ethics and Privacy

Today, many people rely on computers to do homework and work, and to create or store useful information. Therefore, it is important for the information on the computer to be stored and kept properly. It is also extremely important for computer users to protect their computers from data loss, misuse, and abuse.

For example, it is crucial for businesses to keep the information they have secure so that hackers can’t access it. Home users also need to take measures to make sure that their credit card numbers are secure when they participate in online transactions.

A computer security risk is any action that could cause loss of information, software, or data, processing incompatibilities, or damage to computer hardware; a lot of these are planned to do damage. An intentional breach in computer security is known as a computer crime, which is slightly different from a cybercrime.

A cybercrime is an illegal act based on the Internet and is one of the FBI’s top priorities. There are several distinct categories of people who commit cybercrimes, and they are referred to as hacker, cracker, cyberterrorist, cyberextortionist, unethical employee, script kiddie, and corporate spy. The term hacker was originally a good word, but now it has a very negative connotation. A hacker is defined as someone who accesses a computer or computer network unlawfully. They often claim that they do this to find leaks in the security of a network. The term cracker has never been associated with anything positive; it refers to someone who intentionally accesses a computer or computer network for evil reasons. It is basically an evil hacker. They access it with the intent of destroying or stealing information. Both crackers and hackers have very advanced network skills.

A cyberterrorist is someone who uses a computer network or the Internet to destroy computers for political reasons. It is just like a regular terrorist attack because it requires highly skilled individuals, millions of dollars to implement, and years of planning. A cyberextortionist is someone who uses email as an offensive force. They usually send a company a very threatening email stating that they will release some confidential information, exploit a security leak, or launch an attack that will harm the company’s network. They request a payment to not proceed, sort of like blackmail in a sense.

An unethical employee is an employee who illegally accesses their company’s network for numerous reasons. One could be the money they can get from selling top secret information; others may be bitter and want revenge.

A script kiddie is someone who is like a cracker because they may have the intention of doing harm, but they usually lack the technical skills. They are usually silly teenagers who use prewritten hacking and cracking programs.

A corporate spy has extremely high computer and network skills and is hired to break into a specific computer or computer network to steal or delete data and information. Shady companies hire these types of people in a practice known as corporate espionage. They do this to gain an advantage over their competition, an illegal practice. Business and home users must do their best to protect or safeguard their computers from security risks.

The next part of this article will give some pointers to help protect your computer. However, one must remember that there is no one hundred percent guaranteed way to protect your computer, so becoming more knowledgeable about these risks is a must these days. When you transfer information over a network it carries a high security risk compared to information transmitted in a business network, because the administrators usually take extreme measures to help protect against security risks. Over the Internet there is no powerful administrator, which makes the risk a lot higher. If you’re not sure whether your computer is vulnerable to a computer risk, you can always use some type of online security service, which is a website that checks your computer for email and Internet vulnerabilities. The company will then give some pointers on how to correct these vulnerabilities. The Computer Emergency Response Team Coordination Center is a place that can do this.

The typical network attacks that put computers at risk include viruses, worms, spoofing, Trojan horses, and denial of service attacks. Every unprotected computer is vulnerable to a computer virus, which is a potentially harmful computer program that infects a computer and alters the way the computer operates without the user’s consent. Once the virus is in the computer it can spread, infecting other files and potentially damaging the operating system itself. It is similar to a virus that infects humans, because it gets into the body through small openings, can spread to other parts of the body, and can cause damage. The similarity is that the best way to avoid it is preparation.

A computer worm is a program that repeatedly copies itself and is very similar to a computer virus. However, the difference is that a virus needs to attach itself to an executable file and become a part of it. A computer worm doesn’t need to do that; it simply copies itself to other networks and eats up a lot of bandwidth.

A Trojan horse, named after the famous Greek myth, is used to describe a program that secretly hides and actually looks like a legitimate program but is a fake. A certain action usually triggers the Trojan horse, and unlike viruses and worms, it doesn’t replicate itself. Computer viruses, worms, and Trojan horses are all classified as malicious-logic programs, which are programs that deliberately harm a computer. Although these are the common three, there are many more variations and it would be almost impossible to list them all. You know a computer is infected by a virus, worm, or Trojan horse if one or more of these things happen:

  • Weird messages or pictures appear on the screen.
  • You have less available memory than you expected.
  • Music or sounds play randomly.
  • Files get corrupted.
  • Programs or files don’t work properly.
  • Unknown files or programs randomly appear.
  • System properties fluctuate.

Computer viruses, worms, and Trojan horses deliver their payload or instructions in four common ways. First, when an individual runs an infected program, so if you download a lot of things you should always scan the files before executing them, especially executable files. Second, when an individual runs an infected program. Third, when an individual boots a computer with an infected drive, which is why it is important not to leave media in your computer when you shut it down. Fourth, when an unprotected computer is connected to a network. Today, a very common way that people get a computer virus, worm, or Trojan horse is when they open an infected file received as an email attachment. There are literally thousands of malicious-logic programs and new ones come out by the numbers, so it is important to keep up to date with the new ones that come out each day. Many websites keep track of this. There is no known method for completely protecting a computer or computer network from computer viruses, worms, and Trojan horses, but people can take several precautions to significantly reduce their chances of being infected by one of those malicious programs.

Whenever you start a computer you should have no removable media in the drives. This goes for CDs, DVDs, and floppy disks. When the computer starts up it tries to execute a boot sector on the drives, and even if it is unsuccessful, any virus on the boot sector can infect the computer’s hard disk. If you must start the computer from removable media for a particular reason, such as when the hard disk fails and you are trying to reformat the drive, make sure that the disk is not infected.


British ISPs are trying to bring down Pirate Bay

The UK’s struggle to block access to The Pirate Bay has been long-lasting, and it has finally turned out that the country’s High Court delivered the following decision: the UK’s broadband providers must get involved in the measures taken against the BitTorrent tracker.

According to the BBC report, Everything Everywhere, Sky, Virgin Media, TalkTalk, and O2 have been ordered to stop their subscribers from accessing the stigmatized BitTorrent tracker. The BPI claimed that websites like The Pirate Bay destroy jobs in the United Kingdom and undermine investment in new UK content creators. However, BT asked for a couple more weeks to consider its position on blocking access to the website.

Since November last year, the BPI has been asking a number of Internet service providers to voluntarily block access to The Pirate Bay, after doing the same with another site offering infringing links, Newzbin2. But the broadband providers replied that they wouldn’t do so unless ordered by a court.

Now the ISPs admit that they will have to follow the High Court’s order, but add that such measures aren’t part of a long-term solution. Responsible companies will comply with court orders addressed to them, but they strongly believe that changing consumer behavior to fight copyright violation also needs compelling legal alternatives, like agreements with streaming services, to provide users legitimate access at the right price.

Meanwhile, the British Pirate Party claimed that this move won’t help the content creators get more money. Although the court order didn’t come as a surprise, the truth remains that the country finds itself on a slippery slope towards online censorship.

Everyone knows that there are many ways to bypass website blocking, but the industry believes it should keep trying. It also points out that the principle that downloading copyrighted music is against the law hasn’t been reinforced by schools or parents. However, this opinion isn’t shared by Jim Killock, the executive director of the Open Rights Group, who said that the court ruling was pointless and dangerous, because it will fuel calls for stricter online censorship of many kinds, from pornography to extremism. As you can see, online censorship keeps growing in scope and becoming easier.

Anti-Sharing Law will be Rejected

The Office of Management and Budget published an email saying that if the new anti-piracy law known as CISPA reaches the president’s desk in its current form, his senior advisors will recommend that he veto the bill.

The email says that the proposed bill should address critical infrastructure vulnerabilities without sacrificing the human rights of citizens, particularly when the country is facing challenges to its economic well-being and national security. Although the Administration wants to engage with Congress to enact cybersecurity legislation to tackle these critical issues, if CISPA were presented to the President, his senior advisors would recommend that he veto it.

There are many reasons why the office opposes the suggested legislation, such as the bill “significantly departing from long-standing efforts to treat the web as civilian sphere”. In response, the creators of the legislation explained that the recent revisions take into account each criticism levelled by the Administration, especially those about people’s privacy and civil liberties.

The legislation is set for a vote before the House of Representatives. Meanwhile, the EFF pointed out that Rep. Rogers is convinced that CISPA is an information “sharing” law. Although this may sound innocent, the truth is that the bill is a surveillance bill as well. Indeed, its provisions allow private companies to monitor network traffic and stored information (like private e-mails) with no oversight or legal accountability.

Moreover, the legislation creates expansive legal immunity, making outfits and the government largely unaccountable to users. So, the law will grant surveillance power to private entities, bypassing the existing rights to sue under other laws. This means that if CISPA passes, the organizations will lose their legal right to protect your privacy, like federal or state privacy laws keeping them from sharing sensitive personal data.

An amendment was proposed to allow lawsuits against the federal government if it violates some restrictions on the use of the obtained information, but in practice it’s meaningless. In fact, it only allows a lawsuit if brought within 2 years of the date of the violation, and it exempts all information received by the government from the Freedom of Information Act.

Glossary Of Computer Security Terms

Access
A specific type of interaction between a subject and an object that results in the flow of information from one to the other. (Source: GCST)
Access Control
The process of limiting access to the resources of a system only to authorized programs, processes, or other systems (in a network). Synonymous with controlled access and limited access. (Source: GCST)
Accreditation
A formal declaration by the designated approving authority (DAA) that the automated information system (AIS) is approved to operate in a particular security mode using a prescribed set of safeguards. Accreditation is the official management authorization for operation of an AIS and is based on the certification process as well as other management considerations. The accreditation statement affixes security responsibility with the DAA and shows that due care has been taken for security. (Source: GCST)
Assurance
A measure of confidence that the security features and architecture of an AIS accurately mediate and enforce the security policy. Compare with trusted computer system. (Source: GCST)
Audit Trail
A chronological record of system activities that is sufficient to enable the reconstruction, reviewing, and examination of the sequence of environments and activities surrounding or leading to an operation, a procedure, or an event in a transaction from its inception to final results. (Source: GCST)
Authenticate
1. To verify the identity of a user, device, or other entity in a computer system, often as a prerequisite to allowing access to resources in a system.
2. To verify the integrity of data that have been stored, transmitted, or otherwise exposed to possible unauthorized modification.
(Source: GCST)
Authorization
The granting of access rights to a user, program, or process. (Source: GCST)
Automated Information System
An assembly of computer hardware, software, and/or firmware configured to collect, create, communicate, compute, disseminate, process, store, and/or control data or information. (Source: GCST)
Availability
The state when data is in the place needed by [or accessible to] the user, at the time the user needs them, and in the form needed by the user. (Source: GCST)
Certification
The comprehensive evaluation of the technical and nontechnical security features of an AIS and other safeguards, made in support of the accreditation process, that establishes the extent to which a  particular design and implementation meet a specified set of security requirements. (Source: GCST)
Compartmented Mode of Operation
An AIS is operating in the compartmented mode when each user with direct or indirect individual access to the AIS, its peripherals, remote terminals, or remote hosts, has all of the following:
A valid personnel clearance for the most restricted information on the system.
Formal access approval for, and has signed nondisclosure agreements for, that information to which the user is to have access.
A valid need-to-know for that information to which the user is to have access.
(Source: GCST)
Covert Channel
A communications channel that allows two cooperating processes to transfer information in a manner that violates the system’s security policy. Synonymous with confinement channel. (Source: GCST)
Covert Storage Channel
A covert channel that involves the direct or indirect writing of a storage location by one process and the direct or indirect reading of the storage location by another process. Covert storage channels typically involve a finite resource (e.g., sectors on a disk) that is shared by two subjects at different security levels. (Source: GCST)
Covert Timing Channel
A covert channel in which one process signals information to another by modulating its own use of system resources (e.g., CPU time) in such a way that this manipulation affects the real response time observed by the second process. (Source: GCST)
Dedicated Mode of Operation
An AIS is operating in the dedicated mode when each user with direct or indirect individual access to the AIS, its peripherals, remote terminals, or remote hosts, has all of the following:
A valid personnel clearance for all information on the system.
Formal access approval for, and has signed nondisclosure agreements for, all the information stored and/or processed (including all compartments, subcompartments, and/or special access programs).
A valid need-to-know for all information contained within the system.
(Source: GCST)
Denial of Service
Any action or series of actions that prevent any part of a system from functioning in accordance with its intended purpose. This includes any action that causes unauthorized destruction, modification, or delay of service. Synonymous with interdiction. (Source: GCST)
Designated Approving Authority (DAA)
The official who has the authority to decide on accepting the security safeguards prescribed for an AIS, or that official who may be responsible for issuing an accreditation statement that records the decision to accept those safeguards. (Source: GCST)
Discretionary Access Control (DAC)
A means of restricting access to objects based on the identity and need-to-know of the user, process, and/or groups to which they belong. The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject. Compare mandatory access control. (Source: GCST)
Evaluation
An assessment of a product against the Trusted Computer System Evaluation Criteria (The Orange Book).
Information Warfare
Information warfare is the activity by a hacker, terrorist, or other adversary to disrupt an information system. Traditional security addresses the protection of information. Information warfare is aimed at protecting the systems that collect, store, manipulate, and transport information so that they are not accessed by unauthorized persons and are available as needed. (Source: Defense Information Infrastructure Master Plan)
Mandatory Access Control (MAC)
A means of restricting access to objects based on the sensitivity (as represented by a label) of the information contained in the objects and the formal authorization (i.e., clearance) of subjects to access information of such sensitivity. Compare discretionary access control. (Source: GCST)
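To make the DAC and MAC definitions above concrete, here is an added Python illustration (not from the glossary or its source, and not a real reference monitor): objects carry a sensitivity label (level plus compartments), subjects carry a clearance, the MAC check requires the clearance to dominate the label and is never delegated, while the DAC permission can be passed on by its holder, which is exactly the property the DAC entry describes. The user names, levels and compartment are constructed for the example.

```python
"""Reference monitor combining MAC (labels vs. clearances) and DAC (owner/ACL).
Added illustration of the glossary definitions; not from the glossary's source."""
from dataclasses import dataclass, field

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """Sensitivity label (or clearance): hierarchical level plus compartments."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """A clearance dominates a label when its level is at least as high
        and it holds every compartment (formal access approval) of the label."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


@dataclass
class Subject:
    name: str
    clearance: Label


@dataclass
class Object:
    name: str
    label: Label
    owner: str
    acl: dict = field(default_factory=dict)  # subject name -> set of actions


class ReferenceMonitor:
    """Mediates every access: MAC first (cannot be overridden), then DAC."""

    def __init__(self):
        self.audit_trail = []  # chronological record of every decision

    def _decide(self, subject, obj, action, allowed, reason):
        self.audit_trail.append((subject.name, obj.name, action, allowed, reason))
        return allowed

    def check(self, subject: Subject, obj: Object, action: str) -> bool:
        if not subject.clearance.dominates(obj.label):
            return self._decide(subject, obj, action, False, "MAC: clearance does not dominate label")
        if subject.name != obj.owner and action not in obj.acl.get(subject.name, set()):
            return self._decide(subject, obj, action, False, "DAC: not owner and not in ACL")
        return self._decide(subject, obj, action, True, "granted")

    def grant(self, grantor: Subject, obj: Object, grantee: Subject, action: str) -> bool:
        """DAC is discretionary: the owner or any holder of the permission may
        pass it on. MAC is not delegable; it is re-checked at every access."""
        holds = grantor.name == obj.owner or action in obj.acl.get(grantor.name, set())
        if not holds:
            return False
        obj.acl.setdefault(grantee.name, set()).add(action)
        return True


def demo() -> dict:
    """Constructed scenario; returns the access decisions for inspection."""
    rm = ReferenceMonitor()
    alice = Subject("alice", Label("SECRET", frozenset({"CRYPTO"})))
    bob = Subject("bob", Label("SECRET"))  # same level, lacks the CRYPTO compartment
    carol = Subject("carol", Label("TOP SECRET", frozenset({"CRYPTO"})))
    keyfile = Object("keyfile", Label("SECRET", frozenset({"CRYPTO"})), owner="alice")
    rm.grant(alice, keyfile, bob, "read")   # DAC grant succeeds regardless of clearance
    rm.grant(alice, keyfile, carol, "read")
    return {
        "alice_read": rm.check(alice, keyfile, "read"),    # owner, cleared: True
        "bob_read": rm.check(bob, keyfile, "read"),        # ACL yes, MAC no: False
        "carol_read": rm.check(carol, keyfile, "read"),    # cleared and granted: True
        "carol_write": rm.check(carol, keyfile, "write"),  # never granted: False
        # bob holds "read" in the ACL, so DAC lets him pass it on to dave
        "dave_delegated": rm.grant(bob, keyfile, Subject("dave", Label("SECRET")), "read"),
    }


if __name__ == "__main__":
    for row in demo().items():
        print(row)
```

The audit trail shows why each denial happened, which is the distinction the Audit Trail entry above is about: bob is denied by MAC even though the DAC grant succeeded.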
Multilevel Mode of Operation
An AIS is operating in the multilevel mode when all of the following statements are satisfied concerning the users with direct or indirect access to the AIS, its peripherals, remote terminals, or remote hosts:
Some do not have a valid personnel clearance for all of the information processed in the system.
All have the proper clearance and have the appropriate formal access approval for that information to which they are to have access.
All have a valid need-to-know for that information to which they are to have access.
(Source: GCST)
Multilevel Security (MLS)
An MLS system is a system containing information with different security classifications that simultaneously permits access by users with different security clearances and needs to know. This system prevents users from obtaining access to information for which they lack authorization. (Source: DOD Directive 5200.28)
Risk
The probability that a particular threat will exploit a particular vulnerability of the system. (Source: GCST)
Risk Analysis
The process of identifying security risks, determining their magnitude, and identifying areas needing safeguards. Risk analysis is a part of risk management. Synonymous with risk assessment. (Source: GCST)
Risk Management
The total process of identifying, controlling, and eliminating or minimizing uncertain events that may affect system resources. It includes risk analysis, cost/benefit analysis, selection, implementation and test, security evaluation of safeguards, and overall security review. (Source: GCST)
Sensitive Compartmented Information
Information restricted to people who have been given formal access to the security program, called a compartment.
Security Policy
The set of laws, rules, and practices that regulate how an organization manages, protects, and distributes sensitive information. (Source: GCST)
System-High Mode of Operation
An AIS is operating in the system-high mode when each user with direct or indirect access to the AIS, its peripherals, remote terminals, or remote hosts, has all of the following:
A valid personnel clearance for all information on the system.
Formal access approval for, and has signed nondisclosure agreements for, all the information stored and/or processed (including all compartments, subcompartments, and/or special access programs).
A valid need-to-know for some of the information contained within the system.
(Source: GCST)
Trusted Computer System
A system that employs sufficient hardware and software assurance measures to allow its use for simultaneous processing of a range of sensitive or classified information. (Source: GCST)
————————————————————————

Note: “GCST” means the Glossary of Computer Security Terms, NCSC-TG-004, 21 Oct 88 (the “Olive” Book).