Wednesday, October 8, 2014

#LibSec: "Knowing is Half the Battle"

The following is a "Mini Report" written for Clark University's MSIT3710 Cyber Security Risk and Threat Management course. Throughout the Fall 2014 semester I'll be reporting on issues related to my class project about public library cyber security risks.

The irony of cybersecurity research is that the biggest threat to an organization often has nothing to do with firewalls or security updates. It's the people using those computers who are often the weakest "layer" of protection in information systems. The DefCon presentation in the video above is almost a decade old, but the type of social engineering attacks described by the presenter do not change.

With that in mind, I thought it might be useful for both librarians and my classmates to take a look at an article I found, published by the Association for Computing Machinery, titled Understanding Scam Victims: Seven Principles for Systems Security. The article is behind a paywall, but thankfully the University of Cambridge Computer Laboratory has an unabridged version of the report you can download as a full-text PDF.

I won't go into the full details of the article but rather provide a summary of the "types" or "genres" of attacks described and then place them in a public computer lab setting. My hope is that placing these types of attack in a different setting will make them easier to identify on the job. The following headings are taken directly from the paper itself, but the descriptions are my own:

1. The Distraction Principle

We could rename this category "the art of misdirection". Imagine a scenario where a computer lab user calls your attention to a problem on the other side of the library. While you're away from the desk, their partner in crime, the "shill", is copying network information or passwords from your computer station. This is why computer lock screens were invented.

2. The Social Compliance Principle

This type of attack can take several forms. The gist of it is that it's very easy for an attacker to pose as an authority figure, like a police officer, and gain entry to places they should not have access to. The authors also note:

"The lesson for the security architect is that training users always to obey commands from certain people (as "system administrators" of all flavours, including government authorities, like to be able to do), can be a double-edged sword. Although people are generally pretty good at recognizing people they already know (by face, by voice, by shared memories...), they are not very good at all at authenticating strangers, whether over a network, over the phone or even in person."

So there's a virtual component here as well: this is the essence of a phishing attack.

3. The Herd Principle

"Hey, install this new software! Everyone's using it!" Does that sound familiar? Much like the social compliance principle, it's important to do independent fact checking. In a computer lab setting this would ring true in both hardware/software configurations (because "but everyone was doing it" isn't a valid excuse when your network security is on the line) and interpersonally as well (for example, imagine these words: "but the person who works here on Thursdays lets me print all I want").

4. The Dishonesty Principle

The gist of this style of attack is that a scammer/attacker can and will use knowledge of illegal activity against you to gain an edge. The best example I found in the article related to cyber security was the idea that unreported system attacks—because victims must admit failure in the process—actually enable more attacks to occur. Honesty is a key factor in improving the overall health of a professional community.

5. The Deception Principle

We could rename this the "malware" principle: software that claims to do one thing but does something entirely different. In a computer lab setting this usually isn't a problem because users can't download or install software, but either way it's important to understand how and why these attacks occur. See principles 2 and 3 above for another take on this idea.

6. The Need and Greed Principle

The quote they use in this article basically says it all: "Your needs and desires make you vulnerable. Once hustlers know what you really want, they can easily manipulate you." If you look back at my first #LibSec article, this is a core component of that debate and the reason why Tor networks can't be 100% trusted. If you know even a small fraction of users are using public library computers to look up questionable material, that's also a very good reason for them to be closely watched. Double-edged sword.

7. The Time Principle

Much like the first item in this list, the distraction principle, it's important to understand that attackers can use timing to create a false dilemma, and in the process access information or hardware they wouldn't see otherwise. Perfect example: it's the end of the day, time to close up the computer lab, but this person is printing a really long document, or their computer is taking a long time to export a video file, or something along those lines. Your natural tendency might be to be accommodating and continue to close up the lab while they finish up. This creates a scenario, however, where the person is now in an empty room and could do something malicious, like plant a keylogger device, with a much lower risk of being caught.

That's the end of this blog post! If you want to learn more, check out the National Initiative for Cybersecurity Education framework by NIST.

Friday, October 3, 2014

#LibSec - BadUSB: "Our problem right there"

"Didn’t get no sleep last night
I was thinking about today
Try to keep things simple
But my brain gets in the way 
I said you need to rest now
But my big head don’t care
Now I can see
That that’s gonna be
My problem right there"

Check out my first post in this series for context: ACLU Ninja Librarians are Here to Save the Day?