Security Everywhere - FaceApp
Article: Tried the viral FaceApp transformation? Here’s what might happen to your photo now.
Over the past few weeks, a new craze has been going around the internet: “FaceApp”. Users upload a photo to the app, which uses AI to transform their face into an older version of themselves. I have talked to a few people about using this app and they all seemed interested; after all, who doesn’t want to see the future? But the real questions are: who is collecting this information, what are they going to do with it, and what information are they collecting?
Firstly, who is collecting your information? When you use FaceApp, the photo you upload is first sent to Amazon servers in the US and some Australian servers. Once uploaded there, it can be accessed by the developers at Wireless Labs, the app’s Russian parent company. As for what information is collected: the app collects the user’s name and username, as well as their photo with all its biometric data. Lastly, what are they going to do with the information? While there is no definite answer, one suggested use is that the biometric data will be fed into a machine-learning algorithm to train facial recognition software. Another suggestion is using the photos to create “deep fakes”: “where images of real people are digitally altered and disseminated as real”.
However, the aspect which scared me the most was that the terms of service for FaceApp are the same as those of Facebook, Snapchat and other social media sites, where users also upload their photos. This means that the photos uploaded to these sites can be, and probably already are, used in the ways mentioned above. I believe everyone, including myself, needs to think about what information we are giving to apps, as most apps exist to collect data from users. This leads to the question: are we the users, or are we the products?
https://www.abc.net.au/news/2019-07-18/faceapp-privacy-concerns-dampen-viral-challenge/11321728
Security Everywhere - NAB Data Breach due to Human Error
Article: NAB admits thousands had personal data breached, blaming ‘human error’
Australia’s fourth-largest bank, NAB (National Australia Bank), has had the personal data of 13,000 of its customers uploaded to two data service companies without permission. The personal data includes names, dates of birth, contact details and government identity numbers. NAB has said this data breach was due to human error.
To prevent this from happening again, NAB could add stricter layers of security. An example would be having more than one person check the work so that human error is minimised.
https://www.news.com.au/finance/business/banking/nab-admits-thousands-had-personal-data-breached-blaming-human-error/news-story/f6f9d48c55ac6597d4321dff7e51d65a
Security Everywhere - Data Breach
Article: UWA student data may be compromised after laptop theft
Recently, an Australian university, the University of Western Australia (UWA), informed its students that the personal data of more than 100,000 former students may have been compromised. The university stated that thieves had broken into an administration building and stolen 20 laptops containing this sensitive data. UWA vice-chancellor Dawn Freshwater stated that the stolen laptops contained “fragmented data relating predominantly to people who applied to study at UWA between 1988 and January 2018”. The personal data on these laptops includes tax file numbers, student identification numbers and passport details, as well as names and dates of birth. Since the incident, UWA has said that “user log-in passwords had been reset so the stolen devices could no longer connect to the UWA network”. They have also offered advice and support to the people affected.
This is an example of a data breach similar to the one that occurred earlier in the year at the Australian National University (ANU). Personal data of individuals must be stored safely according to the Australian Privacy Act 1988. In my opinion, UWA should implement tighter physical security measures to prevent thieves breaking into buildings. They should also ensure user passwords to the computers are not easily guessable or predictable and make sure these passwords are stored hashed.
https://thewest.com.au/news/wa/uwa-student-data-may-be-compromised-after-laptop-theft-ng-b881272938z
Security Everywhere - Automation & Physical Security
Article: “Discount theft”: Shoplifting spikes in Australia as Coles, Woolworths crack down on $3.37 billion problem
With automation comes a whole new set of problems. This can be seen through the issues faced by Coles and Woolworths in the Australian supermarket industry. The introduction of self-service checkouts has many advantages, such as faster checkouts for customers and lower labour costs for companies. But these companies are now faced with a new challenge: theft at the self-service checkouts. It is reported that there has been a 16% increase in shoplifting over the last financial year.
I believe that when companies bring in new technologies, the safety measures that are implemented all focus on the new technology, and companies forget or pay less attention to security threats that were already present before, such as physical security. To tackle this problem, supermarkets with self-service checkouts should invest in more physical security measures, such as cameras and gating technology.
https://www.smartcompany.com.au/industries/retail/shoplifting-theft-australia/
Security Everywhere - Social Engineering
Article: Don’t fall for these highly sophisticated EOFY scams
This article focuses on scammers during the end of financial year (EOFY) period. These scammers impersonate representatives of the Australian Taxation Office (ATO) to get money from innocent citizens. They do this through phishing attacks: sending individuals emails designed to harvest their personal information.
The attacks can be classified into three groups:
Impersonation Scam: The victim is sent an email purporting to be from the ATO which requires them to download a file to fix an error. When the victim clicks on the link, they are redirected to a fake ATO page, and the attackers collect the information the victims unknowingly enter into the website.
Invoices for Goods & Services Scam: This attack is targeted at individuals or organisations that are expecting a large number of invoices during the EOFY period. The attackers send a fake invoice pretending to be from a reputable company, hoping it will go unnoticed. When the victim clicks to view the invoice, they are redirected to a malicious website, where malicious JavaScript content is downloaded automatically. These JavaScript files remain undetected on the victim’s computer and are used to gain access to its functions.
Banking & Financial Scams: In this attack, victims are sent emails similar to the above, but when the victim clicks on the link, a malware downloader stored within a JavaScript file is opened. The attacker can then remotely execute ransomware, which blocks access to the computer until the requested amount of money is paid to the attacker.
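The three scam types above share a few signals that a mail gateway or SOC analyst can check for mechanically: a script file (such as .js) attached to the message, a sender domain that does not match the organisation the message claims to be from, and a link whose visible text shows one site while the href points somewhere else. The following Python script is an added example written for this post, not code from the article; the two MIME messages in it are constructed samples, not real scam emails, and the rule set (which attachment extensions count as scripts, ato.gov.au as the ATO's real domain) is this example's own assumption.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

OFFICIAL_DOMAIN = "ato.gov.au"  # the ATO's real domain (assumption of this example)
# script attachment types that mail gateways commonly quarantine (example's own list)
SCRIPT_EXT = (".js", ".jse", ".vbs", ".wsf", ".hta")
ANCHOR_RE = re.compile(r'<a\b[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")
HOSTLIKE_RE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]|$)", re.I)

# Constructed sample 1: claims to be the ATO, mismatched link text, .js attachment
SCAM = """From: "ATO Refunds" <refunds@ato-online-services.example>
To: victim@example.org
Subject: Action required: ATO lodgement error
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>There was an error processing your ATO lodgement.</p>
<p>Log in at <a href="http://ato.example.net/login">https://www.ato.gov.au/login</a> to fix it.</p>
--b1
Content-Type: application/octet-stream; name="invoice_7733.js"
Content-Disposition: attachment; filename="invoice_7733.js"
Content-Transfer-Encoding: base64

dmFyIHg9MTs=
--b1--
"""

# Constructed sample 2: a benign message with consistent sender and link
LEGIT = """From: "Australian Taxation Office" <noreply@ato.gov.au>
To: someone@example.org
Subject: Your ATO lodgement has been received
Content-Type: text/html; charset="utf-8"

<p>Your ATO lodgement has been received.</p>
<p>You can review it at <a href="https://www.ato.gov.au/login">https://www.ato.gov.au/login</a>.</p>
"""


def _host(text):
    """Hostname of a URL, tolerating bare domains shown without a scheme."""
    text = text.strip()
    if not text.lower().startswith(("http://", "https://")):
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def analyse(raw):
    """Return a list of (finding, details...) tuples for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    sender_domain = parseaddr(str(msg["From"]))[1].rsplit("@", 1)[-1].lower()

    html = ""
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(SCRIPT_EXT):
            findings.append(("script_attachment", name))
        if part.get_content_type() == "text/html":
            html += part.get_content()

    # Brand impersonation: message talks about the ATO but is not sent from its domain
    text = TAG_RE.sub(" ", html) + " " + str(msg["Subject"] or "")
    claims_ato = re.search(r"\bATO\b|Australian Taxation Office", text) is not None
    if claims_ato and sender_domain != OFFICIAL_DOMAIN \
            and not sender_domain.endswith("." + OFFICIAL_DOMAIN):
        findings.append(("sender_mismatch", sender_domain))

    # Link text shows one host while the href goes to another
    for href, inner in ANCHOR_RE.findall(html):
        shown = TAG_RE.sub("", inner).strip()
        if HOSTLIKE_RE.match(shown) and _host(shown) != _host(href):
            findings.append(("link_mismatch", _host(shown), _host(href)))
    return findings


if __name__ == "__main__":
    for label, raw in (("scam", SCAM), ("legit", LEGIT)):
        print(label, analyse(raw))
```

Each finding on its own is a heuristic, not proof: legitimate mail does occasionally carry a shortened link or come from a third-party sender. Combining the signals, and routing script attachments to quarantine regardless, is the approach a gateway would take.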
https://www.9news.com.au/technology/eofy-scams-how-to-spot-three-common-end-of-financial-year-scams-ato/689ce703-4cfc-4106-b4bf-eb2c1c0124c8
Module 7 - Knowledge-Based Authentication Game
In this activity, I was required to “social engineer a friend” by getting answers to common password reset questions. A common question I have seen used a lot is “What was the name of your first pet?”, and I decided to find the answer to this question from my friend.
To get the answer to this question, I knew that my friend and I both shared a love for dogs, and I also knew that she has had pet dogs before, so I started the conversation by showing her a funny dog video that I had seen on Facebook so that she wasn’t suspicious. I then told her about how I wanted to get a dog but wasn’t sure what to name it. And then she suggested some names.
And finally, without me even asking, she listed the names of her pets. So I took a guess and asked “Was that the name of your first pet?” and she replied “No, it was _____”. And bam, I had the answer to my question.
In this activity, the most important factor was exploiting information I already knew. In real life, this can be done by hackers who collect information about individuals through social media profiles and easily answer these password reset questions.
Module 7 - Trump Phishing
Dear President Trump,
We are writing to inform you that there has been suspicious activity on your Twitter account and hence your account has been suspended. To regain access, please click on this link and reset your password.
Sincerely,
The Twitter Team
Week 7 Goals
Module 2:
Shredding Analysis
Module 6:
One Time Pads
Threat Modelling
Module 7:
AES
Social Engineering Simulator
Trump Phishing
Knowledge-based Authentication Game
Lecture 1 Notes
Lecture 2 Notes
Lab Notes
Case Study Notes
Post Lab Reflection
Module 7 - AES
Cipher 1: ECB, since each block is made up of 16 characters, so when a 16-character plaintext is repeated, the ciphertext is also repeated
Cipher 2: CTR, since the size of the ciphertext increases as the size of the plaintext increases
Cipher 3: CBC, since when a character in the plaintext is changed, the ciphertext of the block that the character was in changes, as well as that of all the following blocks, but the ciphertext of all the previous blocks remains unchanged
Cipher 4: CBC, since when a character in the plaintext is changed, the ciphertext of the block that the character was in changes, as well as that of all the following blocks, but the ciphertext of all the previous blocks remains unchanged
Cipher 5: ECB, since each block is made up of 16 characters, so when a 16-character plaintext is repeated, the ciphertext is also repeated
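The three observations used above (repeated ciphertext blocks, ciphertext length, and which blocks change when one plaintext character changes) can be turned into a small mode-identification routine. The Python below is an added example written for this post, not code from the course. To stay dependency-free it uses a 4-round Feistel network built on HMAC-SHA256 as a stand-in for the AES block function: it has the same 16-byte block size and is invertible, but it is not AES. The key, IV and nonce are constructed demo values, and the IV is held fixed between encryptions, which is what the exercise's "previous blocks remain unchanged" observation implies; with a fresh random IV per message (the correct practice) a CBC oracle would change every block, including the first.

```python
import hashlib
import hmac

BLOCK = 16  # block size in bytes: the post's "16 characters"

# Constructed demo values, fixed so the experiments are repeatable
KEY = b"constructed-demo-key-not-secret!"
IV = b"demo-iv-16-bytes"
NONCE = b"demo-non"


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, rnd, half):
    # keyed round function over an 8-byte half block
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key, block):
    """4-round Feistel permutation of one 16-byte block (stand-in for AES, not AES)."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _round(key, rnd, right))
    return left + right


def block_decrypt(key, block):
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _round(key, rnd, left)), left
    return left + right


def pad(data):
    n = BLOCK - len(data) % BLOCK  # PKCS#7: always adds 1..16 bytes
    return data + bytes([n]) * n


def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, pt):
    # each block encrypted independently: equal plaintext blocks -> equal ciphertext blocks
    return b"".join(block_encrypt(key, b) for b in blocks(pad(pt)))


def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for b in blocks(pad(pt)):
        prev = block_encrypt(key, _xor(b, prev))  # chaining: depends on all earlier blocks
        out.append(prev)
    return b"".join(out)


def ctr_encrypt(key, nonce, pt):
    out = []
    for i, b in enumerate(blocks(pt)):  # no padding: keystream is truncated to fit
        keystream = block_encrypt(key, nonce + i.to_bytes(8, "big"))
        out.append(_xor(b, keystream))
    return b"".join(out)


def has_repeated_blocks(ct):
    bs = blocks(ct)
    return len(bs) != len(set(bs))


def changed_blocks(ct1, ct2):
    return [i for i, (a, b) in enumerate(zip(blocks(ct1), blocks(ct2))) if a != b]


def identify_mode(encrypt):
    """Apply the post's three observations to an encryption oracle encrypt(pt) -> ct."""
    # 1. CTR: ciphertext length tracks plaintext length exactly (nothing padded to 16)
    if len(encrypt(b"A" * 20)) == 20:
        return "CTR"
    # 2. ECB: a repeated 16-byte plaintext block yields a repeated ciphertext block
    if has_repeated_blocks(encrypt(b"B" * (3 * BLOCK))):
        return "ECB"
    # 3. CBC: one changed byte in block 1 changes block 1 and every later block,
    #    while block 0 is untouched (requires the same IV for both encryptions)
    base = b"C" * (4 * BLOCK)
    flipped = base[:BLOCK] + b"D" + base[BLOCK + 1:]
    ct_base = encrypt(base)
    if changed_blocks(ct_base, encrypt(flipped)) == list(range(1, len(ct_base) // BLOCK)):
        return "CBC"
    return "unknown"


if __name__ == "__main__":
    oracles = {
        "ecb": lambda pt: ecb_encrypt(KEY, pt),
        "cbc": lambda pt: cbc_encrypt(KEY, IV, pt),
        "ctr": lambda pt: ctr_encrypt(KEY, NONCE, pt),
    }
    for name, oracle in oracles.items():
        print(name, "->", identify_mode(oracle))
```

The same repeated-block test is why ECB is unsuitable for anything longer than one block: the ciphertext leaks the structure of the plaintext, which is exactly what lets an observer classify it here.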

Module 2 - Paper Shredding
In order to safely dispose of confidential documents, I would use a cross-cut shredder and dispose of the paper shreds in different bins, a little at a time, over time and in different places.
Week 6: Goals
Module 2:
Research Claude Shannon
Shredding Analysis/Dumpster Dive
Coincidence Index
Module 5:
OWASP
Module 6:
One Time Pads
Threat Modelling
5G in Australia
Lecture 1 Notes
Lecture 2 Notes
Lab Case Study
Lab Notes
Lab Reflection
Module 2 - Claude Shannon
American mathematician, electrical engineer and cryptographer
Known as the “father of information theory” for “A Mathematical Theory of Communication” (1948)
Proposed applying a method of logic called Boolean algebra to the design of relay switching circuits
Built a secret communication system over which Roosevelt and Churchill communicated during the war
References:
https://www.nyu.edu/pages/linguistics/courses/v610003/shan.html
https://www.itsoc.org/about/shannon
https://en.wikipedia.org/wiki/Claude_Shannon
Module 6 - 5G Networks
Dear CEOs,
I am writing to inform you of my decision to ban the use of Huawei 5G infrastructure in the construction of Australia’s 5G network. I make this decision after careful consideration, knowing that its consequences will be vast. This includes the inevitable cost of building the 5G network, which will no doubt be passed on to your customers, but I believe that Australian citizens value national security and personal privacy.
Please ensure that no part of the Huawei 5G infrastructure is in any way used in the construction of your own 5G networks.
Best Regards,
The Prime Minister
Module 7 - Post Lab Reflection
In this week’s lab we went through some topics that were covered in the lecture, including CBC, format string vulnerabilities and buffer overflows, before looking at the case study.
The case study this week consisted of articles about the government using facial recognition in society. In the lab, we were split into two groups, one representing the government and one representing the citizens, to debate the topic of facial recognition. This was a very insightful discussion, as it helped me to see the different perspectives of the government and the citizens.
The arguments presented by the government side, which was in favour of facial recognition, were that it would minimise and prevent criminal activity and terrorism, as well as protect children. While these were all good points, on the citizens’ side a main issue was our distrust of the government, i.e. that we can never be sure what the government will do with all our personal information. Another point was that the facial recognition technology currently available has made a significant percentage of errors when identifying criminals, which was a major concern.
I find it hard to pick a side, and I believe that if the personal information collected by the government is used for the purpose it was collected for, then it can be for society’s good.
An interesting fact pointed out by the tutor was that while people, including myself, are reluctant to give their personal information to the government and other organisations, they don’t take enough safety measures to ensure their privacy is protected, for example turning location on in social media apps, phones and other devices. This leads to the question: “Is convenience worth privacy?”
Module 7 - Lab Notes
Lectures: canary, format strings, RSA, block modes
Buffer Overflows
Stack Canary:
detect a stack buffer overflow before execution of malicious code can occur
ECB vs. CBC:
Block Modes: randomness comes from the IV
Counter Mode:
Exam Style Question: What are the differences? Which one should you use? Give you a cipher & ask you which method you use to
Encryption vs. Hashing:
Encryption: want to undo it (input & output)
Hashing: you get the same thing every time you hash something
Format Strings Vulnerability:
printf("%s\n", hi); rather than passing the string itself as the format, e.g. printf("hi\n") (the Python-style habit): the first argument is a format string, so user-controlled data must never be used as it
%n: writes the number of bytes printed so far into the variable whose address is passed
i.e. printf("abcd%n\n", &var); => var becomes 4, as 4 characters were printed before %n
Buffer Overflow:
1.
look at main
look at doCheck (function) -> which has a “gets” (no bounds check on the input, so the buffer can be overrun)
Case Study:
Government:
Anti-terrorists
Protect children
Citizens:
What government will do with the information
Guarantee what will happen to the information
Main Idea: Is convenience worth privacy?