posocer
Security Blog
28 posts
posocer · 6 years ago
Text
More Ransomware attacks
So there have been some more ransomware attacks in the US recently, this time on school districts. This is actually the second time the state of Louisiana has been hit by a cyber attack; the last one was only last year, in February. Hopefully this time they'll consider upgrading their software, given that the potential cost of recovery outweighs the cost of upgrading.
https://www.zdnet.com/article/louisiana-governor-declares-state-emergency-after-local-ransomware-outbreak/
https://www.cnbc.com/2019/07/26/louisiana-declares-state-of-emergency-after-cybercriminals-attack-school-districts.html
0 notes
posocer · 6 years ago
Text
Ghost
So this week we did a case study on an invisible man. Except the invisible man was actually a ghost in our scenario. It was a reference to a Stargate episode which no one got. The problem here was that the invisible man had to give a report to the major (us), but he couldn't talk to the major; he had to communicate through the alien who had come with him. The alien could communicate with both the major and the invisible man. So our solution to this problem was to separate everyone into rooms and give the supposedly invisible man an OTP stuck across the floor and walls. OTP is simple enough to use; it's basically an addition/subtraction to every single letter. The reason we chose this was because the alien is of unknown intelligence: he could in theory work out every other type of security, but also it's not very practical to assume said invisible man knows how to even encrypt messages. We thought that this was the best way to get a report through to the major. If the alien was bad and gave us some faulty messages, we could figure it out because the message wouldn't make sense. We decided to assume certain things, such as that the invisible man was really a human. We thought that having some assumptions makes this situation simpler, because the fact is that we are already in this specific situation, where we're already not allowed to use conventional methods of communication, such as the private being able to use Morse code or being able to signal us by other methods. So we assume the situation is just a man-in-the-middle problem, instead of considering any other possible methods of the invisible man communicating directly with the major.
0 notes
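The letter-by-letter pad described in the Ghost post, as an added example (not code from the original post): each message letter has one pad letter added to it mod 26, the same pad letter is subtracted to decrypt, and a pad is never reused. The pad value XMCKL and the "relay" that changes one letter in transit are constructed for the demonstration. The cipher itself does not detect a changed letter; spotting that the decrypted text no longer makes sense is left to the reader, which is the check the post relies on.

```python
import secrets
import string
from typing import Tuple

ALPHABET = string.ascii_uppercase
MOD = len(ALPHABET)  # 26 letters; each pad letter is "added" to one message letter


def make_pad(length: int) -> str:
    """Generate `length` uniformly random letters from the OS CSPRNG.

    In the scenario this is the pad written across the invisible man's room;
    each letter is used for exactly one message letter and never again.
    """
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def normalise(text: str) -> str:
    """Upper-case the message and drop anything that is not a letter,
    since the pad covers letters only."""
    return "".join(ch for ch in text.upper() if ch in ALPHABET)


def otp_encrypt(plaintext: str, pad: str) -> str:
    """Add each pad letter to the matching message letter modulo 26."""
    message = normalise(plaintext)
    if len(pad) < len(message):
        # Refuse rather than wrap around: reusing pad letters destroys the pad's secrecy.
        raise ValueError("pad is shorter than the message")
    return "".join(
        ALPHABET[(ALPHABET.index(m) + ALPHABET.index(k)) % MOD]
        for m, k in zip(message, pad)
    )


def otp_decrypt(ciphertext: str, pad: str) -> str:
    """Subtract the same pad letters again to recover the message."""
    if len(pad) < len(ciphertext):
        raise ValueError("pad is shorter than the ciphertext")
    return "".join(
        ALPHABET[(ALPHABET.index(c) - ALPHABET.index(k)) % MOD]
        for c, k in zip(ciphertext, pad)
    )


def relay_tamper(ciphertext: str, position: int, letter: str) -> str:
    """Model the relay (the alien) changing one letter of the ciphertext in transit."""
    return ciphertext[:position] + letter.upper() + ciphertext[position + 1:]


def round_trip(report: str) -> Tuple[str, str, str]:
    """Fresh pad per report: returns (pad, ciphertext, recovered plaintext)."""
    message = normalise(report)
    pad = make_pad(len(message))
    ciphertext = otp_encrypt(message, pad)
    return pad, ciphertext, otp_decrypt(ciphertext, pad)


if __name__ == "__main__":
    pad = "XMCKL"  # constructed demonstration pad
    ct = otp_encrypt("hello", pad)
    print(ct, otp_decrypt(ct, pad))                      # EQNVZ HELLO
    # A single changed letter decrypts to a single wrong letter; nothing in
    # the cipher flags it, only the reader noticing the text is off does.
    print(otp_decrypt(relay_tamper(ct, 0, "A"), pad))    # DELLO
```

Because a changed ciphertext letter changes exactly one plaintext letter, a careful relay could alter a message without producing obvious garbage; that is why real systems pair encryption with a separate integrity check rather than relying on the message "making sense".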
posocer · 6 years ago
Text
Failure Rates
So in the lecture this week, we talked about a nuclear reactor failing, and a lot of the parts seemed to have pretty high failure rates. So I was wondering, what were these so-called failure rates, and why is something which is so likely to fail, say 1/50 uses, considered safe? So Wikipedia actually has a lot of information about this. It seems to be generally calculated based on probable usage and the need for safety in the design. There are a number of ways that they collect the data for this, such as using historical data or lots and lots of different types of testing. However, I think two of these, estimation and prediction, are not really the best ways of knowing whether something would work or not, because not everything can be estimated very accurately, and theoretically something might work, but in a lot of cases, when it comes to actually using it, the scenario is completely different. I believe that only through testing can something really be estimated to an okay level of precision. So why can failure rates be so high yet be counted as safe? Well, it's generally because this failure rate is then multiplied by the chance of usage, which again is done through estimation, as testing is not very probable. Something failing usually means that there was a very low probability of it happening, but it did: low probability, high impact situations. So whether the failure rate is low or high, it sometimes just depends on the situation whether something explodes or nothing happens. I believe that failure rates should basically be 0, though that is definitely not economical. There are two functions used in the calculation of failure rates, one for discrete cases and one for continuous cases respectively.
[images: the discrete and continuous failure-rate formulas]
Where R(t) is the probability of no failure before a certain time.
And this is the given example of how the failure rate is calculated:
[image: worked failure-rate example]
https://en.wikipedia.org/wiki/Failure_rate
0 notes
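An added worked example for the Failure Rates post (not code from the post or from Wikipedia): it estimates a constant failure rate from a constructed life test, computes R(t), the probability of no failure before time t, checks numerically that the continuous failure rate is -R'(t)/R(t), computes the discrete per-interval rate from survivor counts, and shows how a "1 in 50 uses" per-use probability grows with the number of uses. The test data and the 1000 h test cut-off are constructed.

```python
import math
from typing import Callable, List, Tuple

# Constructed life-test data (not from the post or Wikipedia): ten identical
# components, each run until it failed or until the test stopped at 1000 h.
# Each entry is (hours on test, failed?). Survivors are "censored": they still
# contribute their hours to the denominator.
TEST_RESULTS: List[Tuple[int, bool]] = [
    (800, True), (1000, False), (1000, False), (250, True), (1000, False),
    (600, True), (1000, False), (1000, False), (450, True), (1000, False),
]


def estimate_failure_rate(results: List[Tuple[int, bool]]) -> float:
    """Constant-rate estimate: failures divided by total component-hours."""
    failures = sum(1 for _, failed in results if failed)
    total_hours = sum(hours for hours, _ in results)
    if total_hours <= 0:
        raise ValueError("no test time recorded")
    return failures / total_hours


def reliability(rate: float, t: float) -> float:
    """R(t) for a constant failure rate: probability of no failure before time t."""
    return math.exp(-rate * t)


def hazard_from_reliability(R: Callable[[float], float], t: float, dt: float = 1e-5) -> float:
    """Continuous failure rate lambda(t) = -R'(t) / R(t), with R' taken numerically."""
    dR = (R(t + dt) - R(t - dt)) / (2 * dt)
    return -dR / R(t)


def discrete_hazard(survivors: List[int]) -> List[float]:
    """Discrete failure rate per interval: the fraction of units working at the
    start of interval k that fail during it. survivors[k] = units still working
    after k intervals."""
    return [
        (before - after) / before if before else 0.0
        for before, after in zip(survivors, survivors[1:])
    ]


def prob_at_least_one_failure(p_per_use: float, uses: int) -> float:
    """A 1-in-50 per-use failure looks small, but the chance of at least one
    failure grows with how often the part is used: 1 - (1 - p)^uses."""
    return 1.0 - (1.0 - p_per_use) ** uses


if __name__ == "__main__":
    lam = estimate_failure_rate(TEST_RESULTS)
    print(f"estimated rate: {lam:.3e} failures/hour, MTBF {1 / lam:.0f} h")
    print(f"R(100 h) = {reliability(lam, 100):.4f}")
    constant = hazard_from_reliability(lambda t: reliability(lam, t), 500)
    print(f"hazard of the exponential model is constant: {constant:.3e}")
    print("discrete hazards:", discrete_hazard([100, 90, 81, 72]))
    print(f"P(>=1 failure in 10 uses at 1/50 per use) = {prob_at_least_one_failure(1 / 50, 10):.4f}")
```

Note that the four observed failures give a point estimate only; the six survivors mean the true rate could be higher or lower, which is the post's point that estimates from limited testing carry real uncertainty.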
posocer · 6 years ago
Text
Social Engineering Questions
Secret questions are an extremely easy way for hackers to get into your account, because a lot of the information they ask for is extremely easy to get. The best way to go about it, when they ask you for a secret question and answer, is to just put in a random string of letters and numbers and then save it somewhere. Then even if they did find the correct answer to the question, they still wouldn't be able to reset your password. Anyway, I tried out the exercise with a friend. I think for friends, some of the information they would already know, so some of the questions don't really work, but others do. For me at least, it wasn't that hard to figure out that they were trying to get this piece of information or that one, due to the fact that I had given them the task of doing it. But as the activity had described, a lot of this information is readily available, even through a Google search. This is the one my friend screenshotted and used.
[screenshot: the secret question my friend used]
0 notes
posocer · 6 years ago
Text
Phishing
So one thing about email phishing scams: I have been the recipient of so many of these. They just spam-send you emails saying "hey, your email or random account has been compromised, please reset your password" or whatever. Some of them are really convincing, especially considering that the legitimate ones aren't very convincing themselves. That's why extra security measures are always required to verify things. If I receive an email which even remotely seems suspicious, I double check my account and see if it is really true. If it isn't, then I block the email, but I feel like that really doesn't do much, because they just keep on sending them, and then when you check where people have been trying to access your account, it always comes up with a really random location where you have no idea where it is. It's also pretty scary thinking about it. Maybe someone old who doesn't really know any better might fall for one of these phishing scams, then whoosh, all their information is stolen and maybe even bank accounts. So I think some intervention is needed. Recently phone phishing scams have started being monitored by phone companies, although it seems like some companies want to make money off of this like a subscription service... which seems like corporate phishing...
0 notes
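The "double check before acting" habit from the Phishing post, turned into the checks a mail filter or a careful reader applies, as an added example (not code from the post): the sending address's domain versus the domains you actually trust, pressure wording such as "compromised" or "within 24 hours", and where each link really points. Both sample emails, the domains example-bank.com and mail-example-bank.xyz, and the 198.51.100.7 address are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List, Set
from urllib.parse import urlparse

# Constructed sample messages (not real emails). The first has the hallmarks of
# a password-reset phish: a bank's display name, a look-alike sending domain,
# pressure language, and a reset link pointing at a bare IP address.
PHISH_EMAIL = """\
From: "Example Bank Security" <alerts@mail-example-bank.xyz>
To: user@example.com
Subject: Urgent: your account has been compromised - reset your password now
Content-Type: text/html

<html><body>
<p>We detected unusual sign-in activity. Please
<a href="http://198.51.100.7/reset">reset your password</a> within 24 hours
or your account will be suspended.</p>
<p>Example Bank - <a href="https://www.example-bank.com">www.example-bank.com</a></p>
</body></html>
"""

LEGIT_EMAIL = """\
From: "Example Bank" <statements@example-bank.com>
To: user@example.com
Subject: Your monthly statement is available
Content-Type: text/html

<html><body>
<p>Your statement for last month is ready in online banking:
<a href="https://www.example-bank.com/statements">www.example-bank.com/statements</a></p>
</body></html>
"""

PRESSURE_PHRASES = ("urgent", "compromised", "suspended", "verify your",
                    "reset your password", "within 24 hours")


def sender_domain(msg) -> str:
    """Domain of the real sending address, ignoring the display name."""
    _, address = parseaddr(msg.get("From", ""))
    return address.rpartition("@")[2].lower()


def link_targets(html: str) -> List[str]:
    """All href targets in the body (the text of a link can say anything)."""
    return re.findall(r'href="([^"]+)"', html, flags=re.IGNORECASE)


def is_trusted_host(host: str, trusted: Set[str]) -> bool:
    return host in trusted or any(host.endswith("." + d) for d in trusted)


def phishing_indicators(raw_email: str, trusted_domains: Set[str]) -> List[str]:
    """Return a list of human-readable reasons this message looks like a phish
    (empty list means none of the checks fired)."""
    msg = message_from_string(raw_email)
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    findings = []
    domain = sender_domain(msg)
    if not is_trusted_host(domain, trusted_domains):
        findings.append(f"sender domain '{domain}' is not one of the trusted domains")
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [p for p in PRESSURE_PHRASES if p in text]
    if hits:
        findings.append("pressure language: " + ", ".join(hits))
    for url in link_targets(body):
        host = (urlparse(url).hostname or "").lower()
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            findings.append(f"link points at a bare IP address: {host}")
        elif not is_trusted_host(host, trusted_domains):
            findings.append(f"link host '{host}' is not a trusted domain")
    return findings


if __name__ == "__main__":
    trusted = {"example-bank.com"}
    for name, raw in (("phish", PHISH_EMAIL), ("legit", LEGIT_EMAIL)):
        print(name, phishing_indicators(raw, trusted) or "no indicators")
```

The checks are deliberately simple string and URL comparisons; the point is that a legitimate sender's domain and link hosts are stable and can be allow-listed, while a phish has to fake at least one of them.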
posocer · 6 years ago
Text
Email Phishing
This activity was quite fun to play with and try and find information, aha. If you think about it, a lot of people wouldn't really care about the security of their social media accounts, because who would think that people would try and steal that information? Some others really want to make their information public as well. It's kinda scary if you think about just how many people would actually fall for something like this. That's why it exists and still exists, right? Though I think the best part was trying to figure out what parts of my messages made which response happen. I assume some string matching was used as well as a minimum length for the message. It was interesting trying to see what the minimal length of each email would be and what keywords it would respond to. For the bank one I kinda gave up and decided to write out a whole email, and it worked! For some reason, it decided to try and autofill some of the form elements, because Google has all the data it needs to do anything, right... Yeah.
[screenshot: the phishing email activity]
0 notes
posocer · 6 years ago
Text
Privacy Study
This week we had a case study concerning privacy. We were discussing whether increasing or decreasing the amount of data the government has access to would be more beneficial or detrimental. At first in class we were discussing no data collected vs. some data collected, but it came to a general consensus that there will always be some data needed, otherwise anarchy would ensue, because without data there would be no way of verifying anything. I think a lot of interesting points were brought up, a lot of them I would never have thought of. I think a good point which was brought up is that the government has been collecting data for a long time, but no one I know of has had any private data leaked due to the government. I believe that they have been acting out of goodness, trying to make things more secure for the people, regardless of who's in power and what policies they may believe in. So I think that they should be able to collect maybe a bit more, but there comes a risk with more data: it gets stolen much more easily, or, with more power comes more responsibility. People become more corrupt with the more power they get; this is an undeniable fact that even the best of people do not disagree with. It may be possible that even though it is alright now, it might get worse in the future. However, I do think that this is worth the risk, at least for certain types of data.
0 notes
posocer · 6 years ago
Text
Continued Something Awesome
[images: more photos from the Something Awesome project]
Since I can't upload that many photos in one post.
0 notes
posocer · 6 years ago
Text
Something Awesome
So last week I wrapped up all the physical and most of the research parts of my Something Awesome project. I've found a few more things concerning the security of NFC devices, mainly concerning mobile devices. But this week, I will be writing up a tutorial in case you want to make your own little Arduino reader and use it for something, as long as it goes along with the Good Faith Policy. This is very similar to the blog that I followed, except for a few parts, because the reader I had bought was slightly different to theirs. If you want to follow their tutorial, here is the link: https://randomnerdtutorials.com/security-access-using-mfrc522-rfid-reader-with-arduino/
So first of all, some basic Arduino skills / electrical engineering? You'll need to connect the reader to the board, either by soldering some wires to the sensor or by doing what I did and connecting them in series, and connect the wires as shown in the picture.
[image: wiring diagram]
After that, download the prebuilt package made by miguelbalboa here: https://github.com/miguelbalboa/rfid/archive/master.zip
After installing the library into the Arduino IDE, you can run any of the examples to test whether the Arduino is configured properly.
There is another security issue concerning phone payment: it is very susceptible to malware. If the user accidentally installs malware and it steals their information, then the attacker would have access to their card details instantly. Obviously, not using this technology and instead just using your card is an easy way to avoid this issue, but otherwise care needs to be taken when installing or downloading anything, making sure it is developed by a reputable source and has no harmful aspects.
[images]
0 notes
posocer · 6 years ago
Text
Threat Modelling
I thought threat modelling was an interesting topic, because it formalises "hacking", or how to break into secure things in general. And by doing that, we can work on ways to reduce the risk of being broken into through that method. There are three main threat models that we talk about. Threat trees or attack trees describe how you would attack a particular system by using a tree structure, where each path represents one single way of completing a goal. The example given shows 8 different ways of breaking into a safe. This also allows us to think about many more measures that we can take to prevent these from being high-probability risks. It is important to know that not all the nodes are OR nodes; that's why there are only 8 paths. Then we can analyse, like the example, whether an option is impossible or not.
[image: attack tree for opening a safe]
DREAD is an acronym for Damage, Reproducibility, Exploitability, Affected users, Discoverability. (I feel like discoverability is kind of a weird one, because rating discoverability is in itself inherently not secure: if the information were leaked, it would give hints as to what the vulnerability is.) Threats are split into these categories and given a rating. The sum is used as a way of knowing whether the risk itself is high priority or lower. STRIDE is another type of model, which stands for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of service, Elevation of privilege. This model is different from the other ones as it specifically names the different types of threats, and the threats would fall into different categories in this model. If other types of threats were discovered, I guess they would add more letters to STRIDE.
[image: STRIDE threats and the properties they correspond to]
As you can see, each type of threat corresponds to a certain property. Most of them fall under the CIA principles of security.
https://www.schneier.com/academic/archives/1999/12/attack_trees.html
https://en.wikipedia.org/wiki/DREAD_(risk_assessment_model)
https://en.wikipedia.org/wiki/STRIDE_(security)
0 notes
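An added example for the Threat Modelling post (not code from the post or from Schneier's paper) that makes the three models concrete: an attack tree with OR and AND nodes, a path enumeration that shows why AND nodes do not multiply the number of ways in the same manner as OR branches and why an "impossible" leaf removes a path, a DREAD score as the sum of five ratings, and the STRIDE threat-to-property table. The tree is constructed in the spirit of the safe example, not a copy of the figure; the DREAD ratings in the demo are constructed too.

```python
from dataclasses import dataclass, field
from itertools import product
from typing import Dict, List


@dataclass
class Node:
    """One node of an attack tree.

    kind: 'leaf' (an attacker step), 'or' (any one child achieves the goal)
    or 'and' (every child is needed). For leaves, possible=False records the
    analyst's judgement that the step is infeasible, the I/P annotation used
    in the safe example.
    """
    name: str
    kind: str = "leaf"
    children: List["Node"] = field(default_factory=list)
    possible: bool = True


def enumerate_paths(node: Node) -> List[List[str]]:
    """Every distinct way of achieving `node`, each as a list of leaf steps.

    OR nodes concatenate their children's paths; AND nodes combine one path
    from each child into a single path, so an AND with two leaves is one way,
    not two. Paths through an infeasible leaf are dropped.
    """
    if node.kind == "leaf":
        return [[node.name]] if node.possible else []
    if node.kind == "or":
        return [path for child in node.children for path in enumerate_paths(child)]
    if node.kind == "and":
        return [
            [step for part in combo for step in part]
            for combo in product(*(enumerate_paths(child) for child in node.children))
        ]
    raise ValueError(f"unknown node kind: {node.kind!r}")


# Constructed tree in the spirit of the safe example (not Schneier's figure).
SAFE_TREE = Node("Open safe", "or", [
    Node("Pick lock"),
    Node("Learn combination", "or", [
        Node("Find written combination"),
        Node("Get combination from owner", "or", [
            Node("Eavesdrop", "and", [
                Node("Listen to conversation"),
                Node("Get owner to state combination"),
            ]),
            Node("Bribe owner"),
        ]),
    ]),
    Node("Cut open safe"),
    Node("Install improperly during manufacture", possible=False),
])

DREAD_CATEGORIES = ("damage", "reproducibility", "exploitability",
                    "affected_users", "discoverability")


def dread_score(ratings: Dict[str, int]) -> int:
    """Sum of the five DREAD ratings, each 0-10 here; higher means higher priority."""
    missing = set(DREAD_CATEGORIES) - set(ratings)
    if missing:
        raise ValueError(f"missing DREAD ratings: {sorted(missing)}")
    for category in DREAD_CATEGORIES:
        if not 0 <= ratings[category] <= 10:
            raise ValueError(f"{category} must be rated 0-10")
    return sum(ratings[category] for category in DREAD_CATEGORIES)


def prioritise(threats: Dict[str, Dict[str, int]]) -> List[str]:
    """Threat names ordered from highest to lowest DREAD score."""
    return sorted(threats, key=lambda name: dread_score(threats[name]), reverse=True)


# STRIDE threat -> the security property it violates (Microsoft's mapping).
STRIDE_PROPERTY = {
    "Spoofing": "Authentication",
    "Tampering": "Integrity",
    "Repudiation": "Non-repudiation",
    "Information disclosure": "Confidentiality",
    "Denial of service": "Availability",
    "Elevation of privilege": "Authorization",
}


if __name__ == "__main__":
    for path in enumerate_paths(SAFE_TREE):
        print(" AND ".join(path))
    threats = {  # constructed ratings for two hypothetical threats
        "combination written on a sticky note": dict(damage=9, reproducibility=8, exploitability=8,
                                                     affected_users=3, discoverability=7),
        "cut open safe": dict(damage=9, reproducibility=5, exploitability=2,
                              affected_users=3, discoverability=9),
    }
    print(prioritise(threats))
```

Running it lists five paths for the constructed tree: the AND node contributes one path containing both of its leaves, and the leaf marked impossible contributes none, which is the same reason the post's eight-way tree has fewer paths than leaves.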
posocer · 6 years ago
Text
5G Networks
Dear President of the United States, I have written this letter to inform you that we will be using Huawei's technology in our rollout of the 5G network. We will ensure that Huawei complies with Australian security guidelines with thorough analysis of their supply. We as a country believe that Huawei themselves are not a threat to us, just like Apple or Samsung. Other countries such as Britain and Canada have already signed agreements with Huawei with their rollout of 5G and we will do the same. I do not believe that trading with a Chinese company should affect US and Australia relations. I sincerely hope that the US government rethinks their stance on this situation. I believe that if they do not, there may be consequences for all parties involved in the coming future.
0 notes
posocer · 6 years ago
Text
FaceApp
Recent News of FaceApp stealing information from people
So something which has been recently on the news is FaceApp, an app which augments your face to make it older, among other things. There are some concerns about the app, as it requires access to all the photos on the user's phone, which means that even though you haven't used the photos in the app, it still has access to them all. This means that they could be stealing your data, but not necessarily. This goes to show the importance of reading exactly what you are giving permission to when you sign a contract, download an app or even visit a website. US Congress has called for an investigation into the app and company, because there is suspicion that the data could be used maliciously; but on the other hand, it is also more likely that the data is just being used for the company, such as making a better algorithm for facial modification and detection. Technology Review makes a good point about how, even if they didn't take the data from their users, there would be a number of other ways to do so, such as open-source databases which web-scrape social media sites for photos. This then goes on to the point of privacy: even though we may not know it, if we don't make sure what we send and upload to the internet is safe and private, you never know who might access it and use it. Those people who don't care don't need to worry, but for those who do care about who can get access to their data, this is another aspect that they need to keep secure.
https://www.technologyreview.com/f/613983/faceapp-ai-could-use-your-face-not-for-face-recognition/
https://www.cnet.com/news/faceapp-might-face-fbi-ftc-investigation-over-security-concerns/
0 notes
posocer · 6 years ago
Text
Something Awesome
So this week was mainly thinking of ways to make RFID reads more secure (or just seeing in what ways successful reads happen). I was curious as to why the RFID shield that I bought had worked so well, even though it didn't use the basic theory that was implemented in the other shields that I tried out. Turns out, not a lot of companies disclose what their material is made of. They just say that it works 100% of the time. WOW. And that there was nothing to worry about if you were using their patented product. I assume it's just a fancy Faraday cage, but I guess we will never find out. I did cut it up and tried to see what was inside, but to no avail. It still worked even when cut up. I tried to use the NFC reader on my phone to interfere with signal reads from the NFC reader that I had made, but it didn't change anything. I guess it's because the card itself can output a signal in any direction. An idea that I had which did have some effect was stacking two cards on top of each other and holding them up to the reader. This had varied results. It would sometimes read the card in front and sometimes read the card at the back. I can't be certain that it was due to the card stacking and not the equipment (not the best reader, because it's cheap, and the cards seem to be of low quality too), but it has been the only non-shield method which had any effect. So I guess keeping multiple cards together in your wallet or card holder reduces the chances of someone swiping your data because of signal interference... maybe. But I would still say getting your hands on an RFID shield would be more effective. This week I also did research on real-life applications and the security measures in place with technology using NFC in general. As you can see in the graph, there are a lot of different types of NFC and uses. Some common uses would be, say, those really hard to remove stickers on more expensive products in stores.
Those are actually NFC tags; it kinda makes sense once you have a look at it and think about it. These prevent theft as well as establish authenticity, as the store would be able to verify whether the product belonged to them or not. The cards I use fall under the MIFARE Std 1K type of product. It uses the MIFARE protocol to read and write. The RFID reader that I have can only read certain types of tags, due to the different protocols they are built on. Maybe you can see some keywords which have appeared in our security lectures: initialization vectors, anti-collision. As they also contain an identification key, companies need to make sure that their unique identifiers stay unique.
[image: chart of NFC tag types and their uses]
Another common usage of NFC is in payment. Credit cards usually have an NFC tag embedded in them, such as pay & go. But if it was simply just tap and go, then people could easily steal your bank details by reading your card and use your card to buy anything they wanted. This was one of the reasons why tap and go has a limit of $100 before requiring a PIN. However, it's not so easy to just read a card and have all the information. In credit cards and debit cards, there is a security chip embedded into the card as well. What happens when you tap your card is that the tag is sent from your card, encrypted by the security chip, into the EFTPOS machine. This is then only decrypted at the bank's end, where the actual payment and deduction take place. This ensures that even if someone tapped your card, all they would get would be an encrypted tag which would not work for any transaction other than the original one. Similarly, services like Samsung Pay or Android Pay use tokenisation instead of a security chip which encrypts your payment details. This is inherently more insecure, as you must first give your payment details to the company whose service you are using. The principle, however, remains the same as for credit card payments.
https://en.wikipedia.org/wiki/Near-field_communication#Standards 
https://security.stackexchange.com/questions/131638/how-can-rfid-nfc-tags-not-be-cloned-when-they-are-passive-technology 
https://www.southernphone.com.au/Blog/2018/Oct/safe-secure-mobile-wallets-australia https://www.tigermobiles.com/blog/nfc-payment-safe/
0 notes
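An added, simplified model of the property the Something Awesome post attributes to the card's security chip: what the terminal receives is bound to one specific transaction and is useless for any other. This is example code, not the post's or any payment scheme's real protocol; it swaps in a keyed MAC (a per-tap "cryptogram" over amount, merchant, a counter that the card increments on every tap, and a terminal nonce) for the post's "encrypted tag", and the issuer checks the MAC with its copy of the key and rejects any counter it has already seen. The card key, merchant id, and the `PIN_FREE_LIMIT_CENTS` constant (the $100 figure from the post) are constructed.

```python
import hashlib
import hmac
from typing import Dict

PIN_FREE_LIMIT_CENTS = 100_00  # the $100 tap-and-go limit mentioned in the post


def _auth_data(pan_last4: str, amount_cents: int, merchant_id: str, counter: int, nonce: bytes) -> bytes:
    """Transaction fields that both card and issuer bind into the cryptogram."""
    return f"{pan_last4}|{amount_cents}|{merchant_id}|{counter}|".encode() + nonce


class PaymentCard:
    """Model of the card's secure chip: the key never leaves it, and a counter
    increases on every tap so that no two taps ever produce the same cryptogram."""

    def __init__(self, pan_last4: str, key: bytes):
        self.pan_last4 = pan_last4
        self._key = key
        self.counter = 0

    def tap(self, amount_cents: int, merchant_id: str, terminal_nonce: bytes) -> Dict:
        self.counter += 1
        data = _auth_data(self.pan_last4, amount_cents, merchant_id, self.counter, terminal_nonce)
        cryptogram = hmac.new(self._key, data, hashlib.sha256).digest()
        # This message is everything the terminal (or anyone listening in) sees.
        return {"pan_last4": self.pan_last4, "amount_cents": amount_cents,
                "merchant_id": merchant_id, "counter": self.counter,
                "nonce": terminal_nonce, "cryptogram": cryptogram}


class Issuer:
    """The bank's side: the only other party holding a copy of each card's key."""

    def __init__(self):
        self._keys: Dict[str, bytes] = {}
        self._last_counter: Dict[str, int] = {}

    def enrol(self, pan_last4: str, key: bytes) -> None:
        self._keys[pan_last4] = key
        self._last_counter[pan_last4] = 0

    def authorise(self, msg: Dict) -> bool:
        key = self._keys.get(msg["pan_last4"])
        if key is None:
            return False
        data = _auth_data(msg["pan_last4"], msg["amount_cents"], msg["merchant_id"],
                          msg["counter"], msg["nonce"])
        expected = hmac.new(key, data, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, msg["cryptogram"]):
            return False  # forged, or amount/merchant changed after the tap
        if msg["counter"] <= self._last_counter[msg["pan_last4"]]:
            return False  # replay of a tap that was already spent
        self._last_counter[msg["pan_last4"]] = msg["counter"]
        return True


def pin_required(amount_cents: int) -> bool:
    """Above the tap limit the terminal must ask for a PIN as well."""
    return amount_cents > PIN_FREE_LIMIT_CENTS


if __name__ == "__main__":
    key = b"constructed-demo-key-not-a-real-card-key"
    card = PaymentCard("1234", key)
    bank = Issuer()
    bank.enrol("1234", key)
    tap = card.tap(450, "CAFE-01", b"\x00" * 8)
    print("genuine tap authorised:", bank.authorise(tap))      # True
    print("same message replayed:", bank.authorise(tap))       # False
    print("amount altered:", bank.authorise(dict(tap, amount_cents=99_900)))  # False
    print("PIN needed for $150?", pin_required(150_00))        # True
```

The two rejections show the post's claim in practice: a captured tap can neither be submitted twice nor edited to a different amount, because the cryptogram only verifies for the exact fields and counter the card signed. Tokenisation in a phone wallet adds a layer in front of this (a device-specific token stands in for the card number) but relies on the same one-transaction binding.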
posocer · 6 years ago
Text
Midsem
I think the midsem went alright. It wasn't too difficult; however, there were a couple of questions which I had no idea about. I had expected the bit questions to be of a different nature and couldn't calculate the ones in the exam. The questions about the case studies were a bit unexpected, but I had prepared for some of them, so it wasn't that bad. I think I wasn't paying enough attention in some of the discussions, because I don't remember covering some of the information from them. I think the midsem gives a good idea about what is covered in the exams, because I feel like we don't cover some parts in a lot of detail in the lectures, and sometimes it's not the clearest whether a part of the content will be in an exam. So I guess something to take away would be that it is important to pay attention to everything, make sure you know it, and do your own research on the topics.
0 notes
posocer · 6 years ago
Text
No-Reply Emails
I got kinda curious about no-reply emails. Like, why do companies use no-reply emails? Is it a security thing, to make sure that no one opens the emails sent to the no-reply addresses? So I looked over a couple of different sources. All of them came from blogs. So apparently, the reason why companies use no-reply emails (it's simply a setting in your email account) is so that the account which sends out the email won't get spammed with emails from all its users. Instead they have an email address which they can use for you to contact them. Although this kind of seems like an unnecessary measure to implement, if you look at it from a security standpoint, it kind of makes sense. By separating the two email accounts, you make sure that whoever can send emails can't receive harmful emails and vice versa. This limits the areas of human error and does not create a single point of failure. In the blogs, they mainly talk about how it's bad as a marketing strategy and how it blocks communication from your customers. But for security reasons, I feel like it's a decent idea.
https://www.mailjet.com/blog/news/the-noreply-dilemma-going-from-no-to-yes/
0 notes
posocer · 6 years ago
Text
Activity Vulnerabilities
Simple Vanilla Cake
· The temperature isn't Fahrenheit, it's Celsius. 180 degrees Fahrenheit is only 82 degrees C, which is pretty low for baking.
Caramel Slices
· 2 x 395 (what?) sweetened condensed milk. It's missing a unit.
· It's confusing that PLAISTOWE Chocolate dark is used in the method, but it just says chocolate in the ingredients.
· It's missing a whole step. Step 3 from the source is missing.
· There are some copy-and-paste errors from the source, I think. Semicolons.
Cheese Souffles
· What is Cheedar?
· It is not cooked for long enough. It should be baked for 30 minutes, but it is only baked for 10-15 minutes.
· When did we put a skewer in?
0 notes
posocer · 6 years ago
Photo
[images: photos from the Something Awesome project]
Um, for some reason I couldn't add these to the other Something Awesome post, so here they are.
0 notes