SECURITY AWARENESS PROGRAMME FOR MOBILE DEVICES(SMARTPHONE USERS(ESPECIALLY MY COURSE MATES)

Mobile phones(mostly smartphones are so in used that it does practically all PCs does and the advantage is that it is really mobile and portable but little is known by the users of the security threats smartphones could pose not only to the owner but also to the employers as well.

It is necessary to adopt the following dos and dons to reduce our vulnerabilities to the security threats:

1. Keep a clean phone: It is important to note that mobile devices are also computers with software that also requires to be updated like the PCs, laptops and Tablets, so it is necessary to ensure that our your devices have latest protections, this could be achieved by  having the latest mobile security software, web  browser and operating system running on our mobile devices as they have strong defences against  malware and other on-line threats.
2. Protect your personal information: As phones contain valuable information not only of us but of friends and company(employer), it is advisable to guide this information jealously by using strong passwords(better still pass-phrase)  to lock our phones when not used, always reviewing the privacy policy and understand what data an application can access on our phones before we download them, disabling the geotagging feature of our phone to keep low profile of where we are or what do per to´time as commonly done by social networks users.
3. Do not exchange your numbers with strangers, this may lead us to the den of social engineering with serious consequences. It also not good to give another person's number out to a stranger without the consent of the rightful owner.
4. Connect or respond care: just as it is possible to get into security and privacy trouble by downloading attachment from an unknown source, so it is to fraudulent texting, voice niotes, hence, always connect and respond with care using your mobile devices. Personal informations might be requested for, but never respond when in doubt. Also do not connect to networks you are not 100% sure of, Criminals are found of enticing their victims with the phrases such as; Free WiFi, The truth is that there is hardly free launch anywhere.

Guys be mobile wise!

For more details, do visit:

http://www.rbc.com/privacysecurity/ca/alert-security-and-privacy-in-a-mobile-device-world.html

https://www.staysafeonline.org/stay-safe-online/mobile-and-on-the-go/mobile-devices

TECHNOLOGY

Overview of Intrusion Detection System(IDS) using case of University library, high school and retail store.

Intrusion detection system is a software application that monitors network or system activities for malicious activities or policy violations and invariably produces report to a management station e.g administrator for action to be taken.

There are Two types of IDS with the placed at points within the system to monitor to and from all devices on the network called Network  Intrusion Detection System (NIDS) while those that run on only the host or devices on the networks are referred to as Host Intrusion Detection System.

Functionally, it can be passive or reactive in nature, the passive ones only send signal to the administrator console when suspicious activity is detected and the reactive ones prevent the occurrence of the  suspicious activities by reconfiguration of the firewalls to combat the malware.

In a public university library, the likelihood of attack is high considering the intellectual assets under their care and even the curious users, hence, i will recommend NIDS  having both the passive and reactive nature.

Also in case of High school, i will recommend the same looking at the students exploratory nature, i will recommend the same as in the case of the university library above.

For a retail shop,  HIDS would suffice with passive nature so that administrator would be able to respond to detected suspicious activities within the system.

IDS limitations could be dangerous anyway, one of such is the fact that number of false alarm in most cases surpass that of positive alarm and this might deceive administrator to ignore the real threats.

Also Invalid data and IP stacks may cause an NIDS to crash, it also difficult to detect encrypted packets.

The evasion techniques used by attackers varied from fragmentation,avoiding default, coordinated low-bandwidth attacks, address spoofing/proxying  to pattern change evasion.  These evasion techniques need to be considered when thinking of the choice of IDS to use in any case.

In summary, technology in itself is not enough for network security, appropriate security policy covering accessibility, availability, audit even password usage should be in place in all organisation. Also training and education of the users should also follow.

both the technology, policies and training need to be updated from time to time considering the dynamic nature of the networked society we operate in today.

Sources;

https://en.wikipedia.org/wiki/Intrusion_detection_system

https://beta.wikiversity.org/wiki/Security_and_Privacy_in_a_Networked_World/Technology:_A_mighty_knight_with_no_pants_on%3F

THE WORLD OF MALWARE : then and now.

Malware attacks has a history and the truth is that it has come to stay or even more viral and harmful with the technology development and outbreak of internet.

The  414s of the  80s: name derived from the area code of the perpetrators  in US (Milwaukee, Wisconsin) A typical case malware attack back in the 80s was that of the  US high-school  hackers who hacked into the  Digital Eguipment Corporation  with the motive of having fun, categorized as ....... by Kaido, but they broke into Digital Eguipment Corporation VMS operating system causing damage worth 1,500usd with the aid of personal computers  and simple hacking techniques leverage on common /default passwords by deleting the corporation billing records

Need to say that most of the hackers were not persecuted but they only agreed to stop their potentially harmful activities. The Duo prosecuted(Wondra  and co.) were based on harassing calls that followed their hacking. I would say this case was a true picture of the legislation crawling to meet up with technology as the computer crime legislations were passed after the case by the legislators.

Visit http://www.washingtonpost.com/wp-dyn/articles/A50636-2002Jun26_2.html

And https://en.wikipedia.org/wiki/The_414s for details

As opposed to individuality or group of young hackers approach with the primary motive of fun seen in the above case, malware attack has today turned into  political weapon in the hand of the world superpowers, a recent case as revealed by Edwards Snowden  is that of  US and UK using malware as a tool to for power  uphold (politically and business wise.  Hacking which was initially for fun has today been converted for spy and surveillance in the quest for national supremacy. This was done by NSA hacking not only the likes of Facebook, Microsoft and other international conglomerates but also by hacking US rival countries such as Russia and China among others.

Visit www.bbc.com/news/world-us-canada-23123964 for more details

Comments:

Malware attack has evolve from stage of individualistic to national weapon.

From no gain motive to business motive.

But the fact is that it has always been supremacy driven, among individuals, business and nations.

My question is, can malware attack as national tools of destruction be regulated as recorded in the case of 414s?  Or has this come to stay to replace physical(traditional  international war)? May be time will tell.

As  summarised by the following souce, world of malware has evolved as shown below:

• Hackerly exploration (“What's in there?”)
• Clueless experimentation (“What happens if”)
• Expression of frustration (“I'll show you all!”)
• Expression of politics (“Free X or suffer!”)
• Malware as a weapon
• Malware as a business model 

(Source:https://beta.wikiversity.org/wiki/Security_and_Privacy_in_a_Networked_World/The_World_of_Malware)

PUBLISHED CASE OF CYBERWAR

US VERSUS CHINA AN “EXPOSE” BY EDWARD SNOWDEN  , REPORTED as “Tsinghua`s hub role made its target for NSA”  This article appeared in the South China Morning Post print edition

To confirm the whistleblowing act of Edward Snowden on  US hacking Chinese university and servers, Prof Xu Ke, deputy director of Computer Networks at t Tsinghua University explained that data passing  through their network backbones were not encrypted but that the data would have no use for individuals mining or spying it but might be of great use for countries and organisations.

Snowden revealed how US NSA are spying on China and Hong Kong, it was mind blowing to have this coming from a 29 years old ex employee of Central Intelligence Agency, could it be he is frustrated by the system, or he is under an intoxication or probably because he wants fame, or that he truly meant to save the Victims of US cyberwarfare out of good heart? This is a question i don't have an answer to.

I was revealed in this report that US spied not only on the Chinese university being the home of Hong Kong Internet Exchange but also on the Telecommunication players in china to have access to the SMS and other data needed by them .

It was surprising to know that about 63 computers  and servers of the Chinese university were attacked in  a single day in January 2013. Another area that need clarification is the answer to the question on WHY is US doing these? May to keep firm grip of the  world power ego?. May be the real answer lie in what actually NSA is looking for in terms of data. I believe if there is answer to what exactly the data they need are , then, we can answer the why question.

For details visit the links below.

Also what will be the fate of Snowden as he has breached confidentiality?

Sources:

http://www.scmp.com/news/china/article/1266892/exclusive-nsa-targeted-chinas-tsinghua-university-extensive-hacking

http://www.forbes.com/2010/03/03/jeffrey-carr-internet-technology-security10-cyberwar.html

Social Engineering case of Amy Gaf Young and Jabber on FACEBOOK

The case below was a story of how social engineers work on their victims emotions to defraud them.

Amy chatted her cousin up with nice introduction, the normal greeting, but smartly change the tune of the conversation that  that she was stranded in London with her mum as they have been rubbed off their cell phones and  credit cards. In essence, they need help.

But  Amy  the scamer sent a wrong signal to the supposed victim  when the chat reads He instead of SHE.  And also that HE traveled with his WIFE and KIDS, while the real Amy is a girl not married , without kids. Error! Huh?

The situation warrant that Jabber should be emotional and start panicking and immediately swinging into action to save the lives of dear ones. He however was calm and sensitive enough to notice the gender interchange and also that his Mum hardly travel without his knowledge.

Without hesitation, he scattered the conversation by letting the scamer knows that his plot was not well planned that the cousin is a lady without kids not a Male and without kids as contrary to the scamer`s claims.

Source: http://www.jasoncupp.com/2010/03/facebook-chat-scam-asking-for-money-urgent/

Personal Comment.

Lesson from this is that it can save us the pain inflicted by scamers if the supposed victims can be calm and sensitive enough to notice where to fault the claims of the scamers.

Different cases of scamers versus victims (social engineering) always have gaps for careful, non emotional and most times greedy prey  to know  predators plan to strike but majority of the victims are being overruled by emotions and  greed.

Imaging if Jabber  had given in to the plot without careful analysis of the messages from the scamers, he would have at least thousands of Dollars to save families that never exist.

Social engineering is full of deception but most successful cases showed that the victims could have averted it, only if, they could control their emotions and greed

SOCIAL ENGINEERING

Social Engineering involves using non technical skills  or methods to have access to computer users information enough to cause damage, meaning social engineers could be likened to criminals whose major vision is to leverage on human weaknesses to strike. The tool required by social engineer is ASKING ASKING ASKING, No wonder the statement „“Instead of a Motto:“ You only have to ask“.

So in social engineering,  information about people are  gathered without  the use of technology.

As computer users in a networked world, it is important to know the techniques used by the Social Engineers to avoid falling victim because its a world of deception to gain undue advantage.

It is  world of little things counts for me when talking of Security and Privacy in this context, a world  where any action or inaction can be used against you in the future even immediately.

For example out of ignorance, a sticky paper used to  retrieve my lost account details such as password and username  not properly kept or trashed i the bin can sell me out and later be  used to wipe my hard earn money? Scary i thing? But it is true, it is a similar to a social engineering techniques called DUMPSTER DIVING.

May be to some computer users, the DUMPSTER DIVING technique for them is no tricky, but TAILGATING is also a disguise that any corporation can fall for, imagine a well suited fresh guy with fake invitation to a business or town hall meeting of a bank executives to discuss critical issues on the bank.  After having undue access to the information needed without carrying gun, the after effect could be bankruptcy.  Social engineering still all about deceit or robbing without carrying weapon.

SHOULDER STUFFING is another technique used by social engineers, remember that we are in a world of everybody turning into freelance journalist  with our mobile smartphones,  the same way social engineers could get  a snapshot of our abandoned Facebook page or even email box for vital information .  Imaging sleeping when already logged in to check account balance with Pin code card and other account details exposed in a room of social engineer, a glance or peep could be dangerous here.

The question is who is saved from the attack of social engineers? In a word, i will answer NOBODY, but some measures could be used to prevent falling victim

The simple answer or way to prevent being a victim is AWARENESS, computer users in a networked world needs to be aware that safety in this context depends on their actions or in-actions,  act they should know which data if leaked could sell them out and prevent it from leaking. Using Shredders to shred papers is awesome, CCTV in an apartment is cool and may be, covering our PCs with clothes when we need to log on with sensitive passwords and username to our internet bank is the way to go like Edward Snowden.

But the statement below has the most paramount message to prevent us being a victim of social engineers: Using the words of Confucius, "Education breeds confidence, confidence breeds hope and hope breeds peace", for peace or something related to peace in a networked world, security and privacy education  and training is a great tool for computer users.

Sources :

http://www.csoonline.com/article/2124681/security-awareness/social-engineering-the-basics.html

https://beta.wikiversity.org/wiki/Security_and_Privacy_in_a_Networked_World/

PROGRAMMING IN PYTHON

TASK 1


print ("Buyer : What do you offer?")

reply = input("Zoo keeper :")

animalOne = "cow"
animalTwo ="snail"

if reply == animalOne:
    print ("I take it.")
   
elif reply== animalTwo:
    print ("I hate those.")
else:
    print ("Not interested.")

PERSONAL CHECKLIST OF OS AND MAINTENANCE

Considering the importance of operating system and its maintenance in this era of  prevalent security in the networked world, the following are the step wise procedures  i will  prefer to follow when making decisions of the PC or other gadgets, Software and Networks to use:

1. Memory of the PC

2. Type of the OS and the compatibility with the  hardware.

3. checking if the OS meet the following goal as defined by Tanenbaum  for security purpose:

data confidentiality 

data integrity 

system availability 

exclusion of outsiders 

authenticity (https://beta.wikiversity.org)

4. Vulnerability of the the OS to malware(e.g Viruses, Trojans etc) as some OS are more vulnerable than others for example the case MS window and LINUX compared(https://en.wikipedia.org/wiki/Operating_system).

5.Functionality of the OS is also important in order to know what could be done  or not with the OS, e.g distributed OS, Multi users OS and othe varieties compared.

6. I will also be conscious of what the gadget is needed for in order to know the copatible OS to look out for.

In summary, i am still an advocate of education and training as mentioned in my previous blogs.

What can be done in legislation to reduce the file effect of internet and its impacts.

File effect of internet  i today's world is enormous imagine Google searching ones name and all the personal information are seen by all who cares to see them, example of the effect of file of internet is seen in identity theft.

 This is rampant in this internet era due to the fact that some companies even governments gather their customers and or citizens data and pile them up somewhere tagged database, before data storage was a big issue but nowadays the challenge is in the past as technology  has grown and widespread and law is crawling behind to catch up( A mission impossible)

„ The link https://www.privacyrights.org/ar/id_theft.htm  revealed that “Another reason identity theft is skyrocketing is that it does not yet get the attention of law enforcement that more violent crimes receive - like breaking and entering, mugging, robbery by gunpoint, and bank thefts. Many violent criminals and organized crime rings are moving to identity theft because they know that law enforcement resources are not yet sufficient to investigate the majority of such crimes. Identity thieves are rarely apprehended and sentenced. If they are, penalties are minimal and rarely include jail time. Community service and parole are the usual sentences“.

For instance in US the Internet is becoming a more popular resource for identity thieves. Yes, there are web sites that sell individuals' Social Security numbers. Social Security numbers can be purchased for as little as $20.  At this time, there are no restrictions on the sale of credit headers to information brokers. Consumers have no way to "opt-out" of the sale of their credit header data. The information broker industry adopted a voluntary privacy policy in 1997, but it has been ineffective in restricting the sale of sensitive personal information to the general public.

It is not surprising to know that social media and search engines have more than necessary information that can sell anybody out today. Here i recommend strong international legislation to protect the data  and privacy of  individuals most especially on the internet in such a way that informed consent principle in law will be applied for all, meaning that for any information to be accessed by a third party as regards individuals, the consent of the individual or permission of the individual  should be requested and verified before the information is released by the responsible institutions either governments or companies. If there will be exception, the line should be clearly stated.

But to me, the question is how do we draw a line between secrecy and privacy so that we do not jeopardize transparency?

I will suggest internationalization of EU directives on data protection  and privacy. In the same vein, mandate it for all internet technology provider to delete info that are up to a period of Three years in their database without usage.

Legislation alone cannot reduce the negative effect of file effect s of internet users. Education of the users to know what to be able to draw a line between what they make public online or not is also essential.

3 enlightening cases of internet privacy.

3 enlightening cases of internet privacy.

1.   

T

Target Vs Teenager and Father:

This was a case of a retail store ; Target, whose at every point they gather information of the customer to be able to package and direct adverts to the potential customers of their products. An enlightening case to me was that of the teenager that was being sent e-mails related to baby products and her father complaint about it. Meaning that the buying behavior of he teenager had being used against her , though her father did not know such email was sent to her daughter at the initial stage but am such he should few months down the lane as his teenager delivers .

I imagined if the father had pressurized the teenager at this time, he would probably had gotten truth about his daughter pregnancy, this is ordinarily a secret i presume the teenager would want to keep from her father but internet revealed it.

Details available  at http://www.forbes.com/sites/kashmirhill/2012/02/16/could-target-sell-its-pregnancy-prediction-score/

Another case is that of Ade vs Kidspeace: here, Ade an employee of Kidspeace found on her wife Myspace account sexually inclined message from his supervisor to his wife. This might work against Onwusho (the supervisor) and even Ade`s wife at the case is also internet privacy related. Details at https://scholar.google.com/scholar_case?case=17491912573109612082&q=facebook+OR+twitter+OR+linkedin+OR+myspace&hl=en&num=100&as_sdt=2006&as_ylo=2010&as_yhi=2012

Case of leaked(hacked)  nude pictures of Ms Jennifer Lawrence (America actress) leaked  and discussed by „“The Wrap“. The pictures  was taken for her personal consumption and not public consumption and to me she has the right to privacy but forgetting the fact or not taken into account that we are in an internet world where hacking is an everyday routine. The pictures were leaked and caused a lot of uproar for the actress as some treat the case like sexual crime. http://www.forbes.com/sites/scottmendelson/2015/02/06/fifty-shades-shocker-dakota-johnson-jamie-dornan-are-actors-play-make-believe-characters/

http://www.forbes.com/sites/scottmendelson/2014/09/01/jennifer-lawrence-nude-photo-leak-isnt-a-scandal-its-a-sex-crime/

This to me has violated the article 12 of  the universal of human right because Jennifer`s pictures were interfered (a bridge in privacy). http://www.un.org/en/documents/udhr/

This is also a case related to the fact that your words or actions might be used against you either now or in the future.

On a final note, i agree with the  conclusion of the supervisor that internet allows surveillance of others without them knowing and also the statement in one of the MIT reviews  that internet  provides free services in exchange for personal information(privacy bargain) and this could be the worst deal ever.

3 Common Mistakes That Ordinary Computer Users Make In Terms of Security and Privacy in a Networked World.

To me internet has positively impact individuals, businesses and public sector since its invention but it has also brought evil impact most caused by crackers either for show of supremacy, economic gain or for distortion of flows.

The reasons why most of computer users fall victim of crackers circumstances are discussed below:

Low Priority on Privacy and Security of Computers

Computer users are usually excited when they get a computer system that is "up and running" for them in terms of hardware, software and connection to internet(network) without taking into account the security and privacy of the system. Example is the case of Bill McBuff and Tiger Leap Program of Estonia.

(https://beta.wikiversity.org/wiki/Security_and_Privacy_in_a_Networked_World/PIBKAC)

.In both cases cases they dealt only with hardware & software dealers and network providers without seeing security and privacy as priority and they ended up not having palatable experience as users.

Hackers came initially with the intention of playing pranks for fun, example was the use of Netbus software written by hacker and a Swedish programmer Carl-Fredrik Neikter in early  1998 with the aim of remote administration but Netbus was used by crackers to plant child pornography on the work computer of a law scholar at Lund University in 1999 and he lost his research position to this case.

In the cases cited above, training on security and privacy of computer users might have saved the mess. Pre-installation of anti-virus also would have been proper as most anti-virus programs prevent,detect and remove Netbus.

https://en.wikipedia.org/wiki/NetBus

Underestimation of Economic  Importance of Malware

Some malwares are used directly or indirectly to make millions of dollars daily by sending spam and scam schemes,  DDoS attacks, also used in cyber war and political attacks.

A company like Damballa has creativity made a fortune from the threats in the networked world. See 

http://blog.damballa.com/?p=330) for details.

Many individuals, businesses and even governments have got their fingers burnt to malware attack(s).

A typical example was the Estonia`s cyber attack of 2007 which affected government and corporate companies most especially banks. This was believed by some security experts as DDoS attack, though it was reported to have minimal economic impact but at the same time was a wake up call for Estonia on cyber security. 

Georgia and Kyrgyzstan were victims also in 2008 and 2009 respectively, the response and the economic impact was more than that of Estonia.

Addiction to Less Secured Browsers and Passwords

This is also  one of the common mistakes made by computer users,  a typical case is illustrated in Microsoft Mono culture in Korea where window browser(internet explorer) with active X and this led  to a massive internet attack of 80,000 Korean crippled  in July 2014. It was pointed out in http://www.koreatimes.co.kr/www/news/biz/2009/09/123_52401.html that active X provided easy route for cyber criminals spreading Malware for DDoS attacks and the reasonable solution is upgrade of security software since Koreans are addicted to MS.

Using weak passwords for protection of computers is one of the Windows generation problems, this was attributed to early Microsoft windows 95 and being one user systems without passwords later window 2000, and XP offered better password system but users were already addicted to Windows 95 and 98.

In summary, though there is no 100% security anywhere the do`s and don'ts highlighted by CERT(http://www.cert.org/tech_tips/home_networks.html) is a preventive tools for computer users.

Using the words of Confucius, "Education breeds confidence, confidence breeds hope and hope breeds peace", for peace or something related to peace in a networked world, security and privacy education  and training is a great tool for computer users.

Broomsticks, Hackers and Crypto.

What an era to be tagged broomstick, an era that i describe as simple when broomsticks at the door was a respected symbol to denote absence of the inhabitants and others understand and honor the privacy of the home.(Less security, respected privacy).

Example of BROOMSTICKs approach was being used by post office, For instance "A" sends a  mail to "B" and to confirm that "B" receives the mail, a paper receipt is being signed traditionally  by "B" confirming the receipt of the mail,  this is still in used today both for physical and electronic mail delivery using digital signature device most especially in post office.


Digital signature is an example of the modern day security measure, instead of the example described above, "A" exchanging mails with "B" is much more secured, "A" a will send mails using his private key to encrypt the messages and the mail is only readable by "B" provided he has the public key of "A" but there is need for another party "C" to provide certification. To verify the message sent by "A", "B" software uses "C" public key to check the signature, if the signature is de-encrypted successfully, "B" is assured that the signature was created using "A" private key. This has saved the stress, time and resources of carrying out transactions in private and public sector alike  in today`s world even cross-border transactions(CRYPTOGRAPHY) in banking, post services, enterprises and everywhere.

A  key issue on  the subject is the effect of technology on society. Advent of technology brought good and bad to a simple world, hence, today there is mass access for example to computers and technologies less security and privacy. This is due to the presence of privacy intruder but innovator and game changers called HACKERS. Prior this course, hackers and criminals to me are interchangeable. This notion though not completely erased even in the minds of majority, but its becoming clear to me that hackers are game changing and innovating dynamic fan of technology because bulk of the technological based businesses emanated from hacking activities by individuals, groups or organisations e.g. is Peter Samson and club(Tech Model Railroad Club) of MIT in the book titled  "Hackers, Heroes of the Computer Revolution "by Stephen Levy where a hack is attributed to innovation, style and technical virtuosity.

My question is that looking at hacking from the perspective above, why then  is security and privacy an issue or better but is hacking criminal?