#modelingnow
hsw-runway-event · 2 years ago
Washington DC, I am back with my 4/23/23 Fashion Event. #dcfashionshow #childrenmodel #teenmodel #dcrunwayshow #talentedchildren #modelingagencies #fashionweeks #pagentgirls #dcmodelsearch #upcomingmodel #modelcall #dcfashionweek #dcevents #childrenrunway #teentalent #modelcastings #modelsmodelsmodels #childrendancer #modelgosee #modelingnow #wanttomodel #newmodelsearch #beyonce #parents https://www.instagram.com/p/CpPaLibOGaUhqfgcH_NYYquYSffLj2Ja4PiMh80/?igshid=NGJjMDIxMWI=
topicprinter · 6 years ago
This article is inspired by the OpenIDEO cybersecurity challenge:

"Too often, visuals in the cybersecurity space reflect surface level understanding influenced by sensationalist media. We see pictures of locks, white men in hoodies, or green 1s and 0s that do little to convey the reality of this complicated, critically important topic. With this Challenge, we hope to elevate imagery that better represents the cybersecurity space in an accessible and compelling manner."

The challenge seems to be a plea to reverse some of the tropes from the 90s related to how "hacking" was visualized in the movies "Hackers" and "The Matrix". In the past 20 years, the word "hacking" has been adopted by communities like Maker Faire and Hacker News, so the once nerdy/cool, albeit slightly illegal, pastime can now refer more broadly to just building or modifying software. For example, I went to the hackathon, and hacked together a cool new phone app by integrating a deepfake library with the Agora.io api. Additionally, open bug bounty programs allow hackers to find vulnerabilities in a computerized system and get paid by the system's owner for reporting them. Thus, hackers are not necessarily criminals. Instead, they are aware of certain techniques for getting into systems, and they use these techniques to collect bounties for finding vulnerabilities. Although the word has taken on new meanings, the visualizations are still somewhat stuck in the 90s.

To understand why the visualizations are still in place, we need to break some misconceptions about what hacking is these days. While movies often show a nerdy guy gaining complete control of an evil villain's base, hacking is usually much less god-like, and more akin to breaking into a house after you have built a few houses. Understanding the common mistakes made when building houses makes you look for those mistakes in others' work.

Although I would like to stick to the "home building" metaphor, the internet has too many moving parts for this visualization to make sense. After going over the plethora of different attacks, I decided shipping provides the best metaphor for how the internet works, and thus the best means for describing the various attacks that cybersecurity seeks to prevent. In this metaphor, ships are HTTP requests, and docks are servers processing those requests. The general idea remains the same, however: shipbuilders and dockworkers understand how the shipping process works, so if they decide to turn to piracy, they only need to look for weaknesses in the things they have built in the past, and see whether the same tactics work against other ships and docks.

Threat Modeling

Now that we have a working metaphor, let's dive into cybersecurity. Cybersecurity refers to protecting a computerized system from attack. Protection can only start by understanding what assets are valuable to an attacker, the motivations of the attacker, and the vulnerabilities of the system. In the cybersecurity world, security experts use threat models to analyze a computerized system. We will use threat modeling as an outline to build out our metaphor. In particular:

* What are the high-value assets? (data, metadata, authentication data, CRUD functionality)
* Who are the likely personae non gratae? (pirates, ninjas, and armadas)
* Where am I most vulnerable to attack? (STRIDE)

What are the high-value assets?

Data = Commodities

The shipping industry tends to deal in commodities. Think of these like the sheep, wheat, ore, brick, wood, and gold from Settlers of Catan. In a computerized system, data is the commodity.

Most ships don't just go around randomly selling wares like a tinker. Instead, a buyer purchases the commodity from a seller, and they work out the details of when the commodity should arrive and what to do if a ship is lost at sea. Then all the work is left up to a ship captain and a dock foreman. The buyer gives the captain a shipping manifest describing some of these details as shorthand instructions. In this metaphor, these instructions are request headers that adhere to a protocol like HTTP or SMTP. Assuming the captain is shipping the right type of commodity, the request headers will make sense to any dock foreman who receives the shipment. However, the captain himself is unlikely to understand the instructions because they are in shorthand. He can be tricked by having his manifest or his cargo switched out, and he would be none the wiser. Because the captain has been tricked, he may unknowingly trick the dock foreman as well. The security-relevant point for a server is that everything in a request, headers included, is untrusted input: the client that sent it may have been tricked, or may be the attacker.

Metadata = Shipping Logs

A good dock foreman knows when to expect each ship and what each manifest should say. However, the dock foreman doesn't have time to check the manifest of each ship against the commodities in the ship as it comes in. Instead, he keeps a log of the name of the ship, the time it came in, what was in the manifest, and so on. These shipping logs are metadata. Occasionally a bad ship may get through, but as long as the dock foreman has time to go over the logs later, he can find a pattern in the metadata and remember not to let it through next time.

A business might decide cybersecurity is not a priority, and this is the first protection to go. A company is built to make money, and reviewing these logs is a cost. If the cost provides no immediate benefit, the company will not put forth the effort. The simple but sad truth is that a lot of companies just leave their logs alone. Without log review, an intrusion goes unnoticed, and an attacker who has found a vulnerability can wait months before deciding how to exploit it.

Authentication/Encryption Data = Flags and Colored Telescopes

In the 90s, I played a board game that had these cards with blue words obscured by red dots. After making a guess, a player took a red-lens magnifying glass and looked at the card. Suddenly the word was revealed clearly, because the red lens filtered out the red dots.

Encryption works much the same way, with ships flying these cards as their flags and dock foremen having telescopes with various colored lenses to read them. In the metaphor, the flag is the encrypted message, the color scheme that anyone can use to write such a flag is the public key, and the lens that reads it is the private key. The captain of a ship does not know what the flag says; he has shipping instructions that tell him what flag to fly. The dock foreman has a lens of exactly the color necessary to decrypt the message. If the dock foreman recognizes the flag, he allows the ship to park at the dock.

Modern-day password authentication uses one-way hashing rather than encryption. With a one-way hash, the information is so sensitive that the message is not intelligible even to the dock foreman, and no lens exists that can recover it. Instead, the message is encoded with two colors. The buyer gives the dock foreman information about only one color lens (roughly, the salt) and a copy of what he should see (the stored hash). Thus, even though the dock foreman cannot translate the message, he can compare the ink blot that he sees on the flag with the copy. Two checks a practitioner adds here: the hash must be slow to compute (a password-hashing function such as PBKDF2, bcrypt, scrypt or Argon2, not a bare SHA-256), and the comparison should be constant-time so that timing differences do not reveal how much of the blot matched.

CRUD Functionality = Dock Workers

Some docks are just good for allowing boats to stop for a quick bite to eat, and then the dock foreman gives instructions to go on to the next dock. However, the end destination is usually an important dock with access to a single type of commodity or resource (like sheep). If all of the flags prove that the ship came from a respectable buyer, the dock foreman of this dock can be given instructions to perform tasks on the sheep. Most of the time, these instructions fall into one of four categories: CREATE, READ, UPDATE, DESTROY (more commonly called DELETE). You can imagine four dock workers, each with a special tool like sheep shears or a bottle of dye. A specific dock worker can create wool by shearing a sheep, read out the color of a wool bale in stock, update some attribute like the color of the wool, or take a bale of wool and destroy it by throwing it into the ocean (maybe to stop inflation of wool prices).

Although the dock workers only know how to do these tasks at a basic level, they can be trained to do multiple tasks in tandem, for example creating wool and then dyeing it red. If a bunch of buyers end up wanting the same set of tasks, an agency might decide to train dock workers to perform a couple of these complicated tasks on a single command. The agency wants to make accessing this list of complicated tasks easy, so it compiles everything into a library.

A library allows a software developer to avoid all of the complications of building a CRUD application from scratch. However, the vulnerabilities that exist when you build the software from scratch still exist when they are abstracted away into a library. For example, if a DESTROY instruction is normally available through a database management system (DBMS), then a library that makes accessing this DBMS easier may expose this instruction as well. A developer who bundles such a library for the browser (with a tool like browserify) may unintentionally expose this functionality to the client.

Using the shipping metaphor, even though a seller never wants to destroy a bale of wool, a buyer may attempt to use a hidden library instruction. The dock workers and captains work completely autonomously, so the seller may never know that bales of wool are being thrown out. Hackers know that this instruction should exist, so they look for it. Then they access parts of your software that were never intended to be reachable (like creating a new root user). The check a practitioner wants here is an authorization decision on the server for every operation, not just the ones the user interface exposes.

Who are the likely personae non gratae?

Opportunistic Hackers = Pirates

Pirates, being men of fortune, play a numbers game. They board weakly guarded ships and see where they are going. Occasionally they will steal a flag and see if it works at any of the docks they know of. This type of criminal isn't looking for a specific commodity; they are looking for anything of value.

Phishing = Dock Owners Turned Pirates

In phishing, a hacker simply asks a user for their username and password. These attackers attempt to impersonate a person of authority. The attacker can pretend to be part of the company and call or email the target. The victim of phishing may be an employee of a company or a customer.

An email can further direct victims to a website that looks like part of the company website. The attacker may purchase a domain name that differs by one letter from the official website. Websites are public, so an attacker can build a look-alike using the same colors and styles as the official site. Sometimes the hacker will pretend to be a contractor for a bigger agency like the IRS or Microsoft.

To prevent these attacks, teach users to NEVER give out their password. Additionally, provide a direct line of communication (whether it's messaging or a phone number), so that users who receive suspicious correspondence can easily contact a trusted representative.

Brute Force Attacks = Ship Captains Turned Pirates

A hacker can simply guess a person's username and password. These attacks are particularly likely to succeed against systems that automatically generate root usernames or passwords in some pattern. For example, enterprise software often has a first user built in called "admin", and the default password for this user is also "admin" (in 2017 an Equifax employee portal in Argentina was reported to be protected by exactly that pair). I've also seen this with routers occasionally. People never bother to change the admin password once they get the initial install working.

A brute force attack is when a hacker guesses credentials based on weak passwords. For example, the most common passwords are "123456" and "password". An example brute force attack is a script that tries the 1000 most common passwords against common usernames (sometimes referred to as OG usernames). A relatively new market, "OG" usernames are short single-word usernames that the attacker can resell. Trying a few likely passwords against many accounts is often called password spraying; it is designed to stay under per-account lockout thresholds.

The script in a brute force attack can also use a list of previously breached username and password data (credential stuffing). For example, a user may give the same credentials to multiple companies. If a hacker breaches one of those companies, then they have access to all of them. There are free services to check username/password credentials against breached passwords: https://developer.okta.com/blog/2018/06/11/how-to-prevent-your-users-from-using-breached-passwords

For most businesses, requiring long passwords and rejecting ones that appear in breach lists protects against these low-cost attacks (length and breach checks do more than character-class rules on their own). Other defenses include CAPTCHA, a limited number of login attempts before locking the account, and a second factor so that a guessed password is not enough by itself.

Supply Chain Attacks = Dock Worker Agencies Turned Pirates

Most web developers create software by importing libraries and creating an API that is useful to end users. However, these libraries are not perfect. A library can intentionally or unintentionally be vulnerable to attack.

For instance, a developer makes a small open source program that creates an object called "Wool" and changes the color attribute of the wool to "red". Eventually he decides he has better things to do with his life. He wants to drop the project, but other people are using the software that he created. A person from the community contacts him and says, "Hey, I will maintain and update this project for you, so it works with future versions of Node.js." This new "maintainer" could actually be a nefarious actor. He could release code that encrypts all of the data in a system and holds that data for ransom. Pinning dependency versions and reviewing what changes between versions is the practical defense; an automatic upgrade to "latest" hands the new maintainer the keys to every dock that uses the library.

Targeted Hackers = Ninjas

Ninja hackers identify high-value assets in a particular computerized system and test the system to see if there are any vulnerabilities. This type of hacker can be:

* a former employee who wants to take down the company,
* a competing company that wants to thwart the competition, or
* customers of a paid service who want access to premium features.

The important thing to understand about ninjas is that they aren't necessarily just trying to breach secure data for money.

0-Day Exploits/Backdoors = Dock Builders Let Ninjas In

A software developer can build a backdoor into any web application, either on purpose or by accident. For example, the developer can hard-code a root username and password for accessing an API. Once the company deploys the API to the public, that root username and password are exploitable from day 0 of deployment. An employed developer might consider the backdoor useful at first, but if a hacker ever discovers it, the company carries a huge risk. This attack is even more insidious if there is no way to track who is accessing the backdoor. (Strictly, a "0-day" is any vulnerability exploited before the vendor has a fix available; a hard-coded credential is one common kind.)

Denial of Service Attacks = Ninjas Block the Dock

A Distributed Denial of Service (DDoS) attack is a malicious attempt to disrupt normal traffic to a target server by overloading it with bogus requests. A simple form of this attack would be just making a ton of login attempts from a single computer to see if you can overload the server. However, a server can recognize repeated requests from one address and "throttle" the number it allows. A more effective form of this attack sends requests from many separate IP addresses at once, typically a botnet of compromised machines, or third-party servers tricked into reflecting traffic at the target. If the attack is effective, the server does not have enough resources to answer all of the requests. An effective DDoS slows the response times of company servers. If the server is running on a virtual machine that shares resources with other virtual machines, the hosting company may shut the server down.

Injection Attacks = Ninjas Stow Away on a Legitimate Boat

Whenever traffic goes through any third-party service, that service has the potential to add to or alter the legitimate request data. For example, if a user has a browser extension, the extension can add data to a web page to show a cool overlay.

A hacker uses this "feature" by changing the content of a request before sending it to a server. For example, a browser extension can be made to block annoying popup ads, but then redirect you to "deals" for paid competitors when you try to access pages that are deemed scammy. What security people usually mean by injection is the server-side consequence of this: request data that the application pastes into a SQL query, a shell command or an HTML page gets interpreted as instructions rather than as cargo. The defense is the same regardless of who altered the request: keep data and instructions separate (parameterized queries, output encoding) and never assume a request was assembled by a well-behaved client.

Desync Attacks = Ninjas Add Instructions to the Manifest of a Legitimate Boat

Hackers perform desync attacks (also called HTTP request smuggling) by sending an HTTP request whose headers describe the body length in two conflicting ways. For example, a request can carry both "Content-Length: 6" and "Content-Length: 5", or a Content-Length header alongside "Transfer-Encoding: chunked". A front-end proxy may read one of them as the correct body length while the back-end server reads the other. The body then has extra bytes that one of the servers does not process as part of this request, and it attaches them to the start of the next request on the same connection. An attacker can prepend instructions to legitimate traffic using this technique. The attack only works when front-end and back-end disagree, so the check is to make both reject requests with duplicate or conflicting length headers, and to normalize them before forwarding. For more on this attack see: https://portswigger.net/blog/http-desync-attacks-request-smuggling-reborn

Intelligence Agencies and Large Internet Companies = Armadas

Unlike pirates and ninjas, armadas have multiple ships and docks that can work in concert to make an attack. These entities are different from ninjas and pirates because they change the perception of what a data breach is. The argument becomes one of quid pro quo rather than unauthorized access: "We offer a free service, so your company should agree to a breach of privacy."

Government entities can perform massive operations like blockading all traffic in and out of a country (China) or making copies of every message sent over a network and storing it for later review (U.S.). Government entities look for choke points to control the flow of data. These may include telephone service providers and internet service providers. To lawfully access data, any company can be subpoenaed in the U.S., and the requirements are a lot easier in other countries.

For companies like Facebook, Google, and Amazon, data is just a commodity like the Settlers of Catan resources previously discussed. Google and Facebook operate by collecting data on their users and selling targeted advertisements to businesses. If you release a link to your app through Facebook, you can bet that Facebook tracks what kind of users click on that link. If you make your website publicly available on the internet, you can bet Google will have a web crawler copy all available data and index it. Similarly, if you sell a product on Amazon, you can bet that they are going to track what kind of product is selling well, so they can sell a similar product in the future.

Armadas cannot be "beaten" by patching vulnerabilities in the traditional sense. Instead, a company must apply a balancing test between the sanctity of the data and the importance of the functions they are building. Making user data unattainable even by the company itself (end-to-end encryption, where the company never holds the decryption key) is one strategy that Apple is trying. Another strategy is to make data access so costly that most entities are not willing to pay the price. For example, backups can and should be made in most instances, but accessing a particular user's data can be made difficult by requiring the backup of an entire system to be restored in blocks before that user's data can be accessed.

Where am I most vulnerable to attack?

At the end of the day, there are a lot of types of entities that may try to attack a computerized system. So how do we prioritize?

I recommend going through the STRIDE checklist. How could others:

* Spoof their identity (bypass authentication)
* Tamper with data (change data)
* Repudiate their actions (hide their actions)
* Information disclosure (access data they shouldn't)
* Denial of service (overload resources)
* Elevate their privilege (change authorizations)

Decide what types of attacks would be most devastating to your computerized system and to your users. Third-party services offer a host of cheap-to-free cybersecurity protection. For example:

* AWS Cognito (for authentication)
* Cloudflare (for denial of service attacks)
* Wordfence (for data and software integrity)

After an initial launch, once you are making money, you can look into building a more sophisticated system that blocks specific targeted attacks.

If this article is helpful, feel free to check out more like it at www.clearcutip.com
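The "flags and colored telescopes" section above describes one-way password storage: the foreman is told one color (the salt) and a copy of the expected blot (the hash), and compares rather than decrypts. Here is that scheme in working Python, added as an example for this page rather than code from the article. The choice of PBKDF2-HMAC-SHA256 with 200,000 iterations and a 16-byte salt is an assumption made for illustration, and the sample password is constructed.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Added example, not code from the article. PBKDF2-HMAC-SHA256, 200k iterations
# and a 16-byte salt are illustrative parameters, not a recommendation from the page.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). The salt is the one 'color' the foreman is told about;
    the password is the other, and no lens recovers it from the digest."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh per user, so equal passwords hash differently
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute the 'ink blot' and compare it with the stored copy.
    hmac.compare_digest does not stop at the first differing byte, so response
    time does not reveal how much of the digest matched."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_digest)


def salts_matter(password: str) -> bool:
    """True when two enrollments of the same password store different digests,
    which is what defeats precomputed (rainbow) tables."""
    _, d1 = hash_password(password)
    _, d2 = hash_password(password)
    return d1 != d2


if __name__ == "__main__":
    salt, digest = hash_password("correct horse battery staple")  # constructed sample
    print("stored:", salt.hex(), digest.hex())
    print("login ok:", verify_password("correct horse battery staple", salt, digest))
    print("wrong pw:", verify_password("Correct horse battery staple", salt, digest))
    print("salts differ:", salts_matter("correct horse battery staple"))
```

The iteration count is the knob that makes the foreman's comparison deliberately slow for an attacker who has stolen the flag copies; raise it as hardware gets faster, and store it alongside the salt so old records can be upgraded at next login.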
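The brute force section above recommends rejecting passwords that appear in breach data and links to a write-up on doing so. The example below, added for this page and not taken from the article or the linked post, shows the k-anonymity pattern such services use: the client sends only the first five hex characters of the password's SHA-1 and matches the full hash locally against the returned suffixes. The breach corpus, its counts, and the simulated server function are constructed stand-ins; the "SUFFIX:COUNT" line format is the shape of the Have I Been Pwned range API response, and the 12-character minimum is an assumed policy.

```python
import hashlib
from typing import List

# Constructed breach corpus (password -> times seen) standing in for a real
# breached-password service. Counts are made up. Added example, not article code.
BREACH_CORPUS = {"123456": 5, "password": 3, "qwerty": 2, "letmein": 1, "admin": 4}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_response(prefix5: str) -> str:
    """Server side, simulated: given the first five hex characters of a SHA-1,
    return every matching hash suffix with its count, one "SUFFIX:COUNT" per line."""
    lines = []
    for pw, count in BREACH_CORPUS.items():
        digest = sha1_hex(pw)
        if digest.startswith(prefix5):
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


def breach_count(password: str) -> int:
    """Client side: only five hex characters of the hash leave the client
    (k-anonymity); the full hash is matched locally against the returned suffixes."""
    digest = sha1_hex(password)
    prefix5, suffix = digest[:5], digest[5:]
    for line in range_response(prefix5).splitlines():
        if not line:
            continue
        candidate, count = line.split(":")
        if candidate == suffix:
            return int(count)
    return 0


def password_problems(password: str, min_length: int = 12) -> List[str]:
    """Policy check: length first, then breach data. Empty list means acceptable."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    seen = breach_count(password)
    if seen:
        problems.append(f"appears {seen} time(s) in breach data")
    return problems


if __name__ == "__main__":
    for candidate in ["123456", "admin", "correct horse battery staple"]:
        print(repr(candidate), password_problems(candidate) or "ok")
```

Against a live service the body of `range_response` would be an HTTPS GET with the five-character prefix in the path; the client-side logic in `breach_count` is unchanged, which is the point: the server never learns the password or its full hash.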
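The injection section above describes a request being altered before it reaches the server. The server-side half of the same problem is what happens when the altered field is pasted into a query. The following is an added example, not code from the article: a constructed SQLite table with a lookup written two ways, once by string formatting (the foreman reads the manifest as instructions) and once with parameter binding (the manifest stays cargo). The table, rows and attacker payload are all constructed.

```python
import sqlite3
from typing import List

# Added example, not code from the article. The table, rows and payload are constructed.


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "user"), ("bob", "user"), ("root", "admin")])
    conn.commit()
    return conn


def roles_vulnerable(conn: sqlite3.Connection, username: str) -> List[str]:
    """Deliberately unsafe: the username is pasted into the SQL text, so a quote
    character in it rewrites the query the database actually runs."""
    query = f"SELECT role FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]


def roles_safe(conn: sqlite3.Connection, username: str) -> List[str]:
    """Parameter binding: the driver sends the value separately from the query
    text, so it can never become part of the instructions."""
    return [row[0] for row in conn.execute(
        "SELECT role FROM users WHERE username = ?", (username,))]


PAYLOAD = "nobody' OR '1'='1"  # constructed attacker input


if __name__ == "__main__":
    db = make_db()
    print(roles_vulnerable(db, "alice"))   # ['user']
    print(roles_vulnerable(db, PAYLOAD))   # every row, including the admin's role
    print(roles_safe(db, PAYLOAD))         # [] because no user is literally named that
```

The vulnerable query becomes `SELECT role FROM users WHERE username = 'nobody' OR '1'='1'`, which is true for every row; the safe version asks for a user whose name is the whole payload string and finds none.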
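The desync section above explains that the damage comes from two servers framing the same bytes differently, leaving a remainder that one of them glues onto the next request. The example below, added for this page and not taken from the article or the linked PortSwigger post, frames a raw request the way a given server would and returns the leftover bytes, for both variants mentioned above: duplicate Content-Length headers (first-wins versus last-wins) and Content-Length alongside Transfer-Encoding: chunked. It also includes the check a front-end should make before forwarding. Both sample requests are constructed and "example.test" is a placeholder host.

```python
from typing import Dict, List, Tuple

# Added example, not code from the article or PortSwigger. Sample requests are constructed.
Headers = Dict[str, List[str]]


def parse_head(raw: bytes) -> Tuple[bytes, Headers, bytes]:
    """Split a raw request into (request line, headers, bytes after the blank line).
    Header names are lower-cased; repeated headers keep every value, in order."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers: Headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.setdefault(name.strip().lower().decode(), []).append(value.strip().decode())
    return lines[0], headers, rest


def body_by_content_length(headers: Headers, rest: bytes, pick: str) -> Tuple[bytes, bytes]:
    """Take Content-Length bytes. With duplicates, 'first' or 'last' decides which
    value wins; real servers differ on this, which is exactly the desync."""
    values = headers["content-length"]
    n = int(values[0] if pick == "first" else values[-1])
    return rest[:n], rest[n:]


def body_by_chunked(rest: bytes) -> Tuple[bytes, bytes]:
    """Consume a chunked body through the terminating 0-chunk and the blank line
    after it; whatever follows is 'the next request' as far as this server knows."""
    body, pos = b"", 0
    while True:
        line_end = rest.index(b"\r\n", pos)
        size = int(rest[pos:line_end].split(b";")[0], 16)  # ignore chunk extensions
        pos = line_end + 2
        if size == 0:
            end = rest.index(b"\r\n", pos) + 2  # empty trailer section
            return body, rest[end:]
        body += rest[pos:pos + size]
        pos += size + 2  # chunk data plus its CRLF


def split_one_request(raw: bytes, prefer_te: bool, cl_pick: str = "last") -> Tuple[bytes, bytes]:
    """Frame one request the way a given server would; return (body, leftover).
    A non-empty leftover is what that server will prepend to the next request."""
    _, headers, rest = parse_head(raw)
    te = [v.lower() for v in headers.get("transfer-encoding", [])]
    if prefer_te and "chunked" in te:
        return body_by_chunked(rest)
    if "content-length" in headers:
        return body_by_content_length(headers, rest, cl_pick)
    return b"", rest


def is_ambiguous(raw: bytes) -> bool:
    """The front-end check: reject any request carrying both framing mechanisms
    or conflicting Content-Length values instead of forwarding it."""
    _, headers, _ = parse_head(raw)
    cl = headers.get("content-length", [])
    return ("transfer-encoding" in headers and bool(cl)) or len(set(cl)) > 1


# Variant 1: two Content-Length headers (the case named in the section above).
DUP_CL = (b"POST /wool HTTP/1.1\r\nHost: example.test\r\n"
          b"Content-Length: 6\r\nContent-Length: 5\r\n\r\nABCDEF")

# Variant 2 (CL.TE): Content-Length 13 covers "0\r\n\r\nSMUGGLED", but a chunked
# parser stops after "0\r\n\r\n" and treats SMUGGLED as the start of the next request.
CL_TE = (b"POST /wool HTTP/1.1\r\nHost: example.test\r\n"
         b"Content-Length: 13\r\nTransfer-Encoding: chunked\r\n\r\n"
         b"0\r\n\r\nSMUGGLED")


if __name__ == "__main__":
    print(split_one_request(DUP_CL, prefer_te=False, cl_pick="first"))  # (b'ABCDEF', b'')
    print(split_one_request(DUP_CL, prefer_te=False, cl_pick="last"))   # (b'ABCDE', b'F')
    print(split_one_request(CL_TE, prefer_te=False))                     # front-end: no leftover
    print(split_one_request(CL_TE, prefer_te=True))                      # back-end: (b'', b'SMUGGLED')
    print(is_ambiguous(DUP_CL), is_ambiguous(CL_TE))                     # True True
```

Run the same bytes through `prefer_te=False` (a front-end honoring Content-Length) and `prefer_te=True` (a back-end honoring chunked encoding) and the back-end's leftover is the smuggled prefix that lands on whichever legitimate request arrives next on that connection. `is_ambiguous` is the cheap fix: refusing conflicting framing at the edge means the two parsers never get a chance to disagree.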
somereallygreatthings · 6 years ago
Remember Her? ANTM’s Eugena Washington Retired From Modeling…Now She’s A Beauty Mogul!
Read on THE NEWS http://the-news.fyi/remember-her-antms-eugena-washington-retired-from-modelingnow-shes-a-beauty-mogul-5-41637/