tobycs6841
Security Guinea Pig Blog
51 posts
tobycs6841 · 6 years ago
Module 8 activities
https://tobycs6841.tumblr.com/post/186579532330/module-8-activity-spot-the-fake
https://tobycs6841.tumblr.com/post/186579295365/module-8-activity-google-yourself
tobycs6841 · 6 years ago
Module 8 activity: Spot the Fake
This exercise asked us to find an example of something that has been faked or spoofed, then describe how it was achieved and how it could be detected or prevented.
Fake news is a very good example!
The examples below are from one ABC article:
During the election campaign, fake news about now President-elect Donald Trump and Democratic presidential candidate Hillary Clinton circulated online.
Stories about Mr Trump calling Republicans the "dumbest group of voters" and Mrs Clinton accidentally paying the Islamic State group $US400 million were among those determined to be false by myth-busting website Snopes.
On election day, stories claiming Harambe the gorilla [who was shot at Cincinnati Zoo earlier this year] received thousands of votes were found to be fake.
Preventing an attack of fake news will not be easy. It will in part require cooperation between social media companies and the intelligence community. Perhaps machine learning and AI will play a role. I believe that education is the best defence against this sort of attack, because I believe that "fake news" is not a technology problem. I also recommend that politicians spend more time talking with people.
tobycs6841 · 6 years ago
Module 8 activity: Google yourself
In this exercise, I was challenged to obtain and view all the information Google, Facebook or any other online company has collected about me, by requesting the (meta)data they hold. I decided to obtain the data Google had collected about me, using their Google Takeout service. I found a few things which surprised me, but most of the data collection was normal and I expected them to collect that data.
My reflection
Most of the data obtained by Google was as expected and normal. Most of it was a collection of my search history, websites I visited through their sites and information on cookies related to information or keywords I had searched for. However, I did not quite expect such detail in other areas, such as Google Maps or data from my phone. Collection of my exact location and times was a bit scary; there were even images and videos I had searched for and viewed, especially on YouTube, everything ranked in order of access frequency. In summary, much of the data collection was as expected, although I did not expect the data to be so detailed. That Google has so much infrastructure to store this much information, given the number of users and the data needed to store everyone's information, was certainly something which staggered me.
tobycs6841 · 6 years ago
All my notes taken so far...
Todo
change SAP marking guide
make up SAP projects
Q&A
Round up when estimating bits of security; can we round down (true estimate)? - Either way is okay, just use the nearest one.
MAC protects integrity and authentication, right? - Yes
How can we do the substitution cipher without a frequency distribution?
I can't solve any problem given by the link http://nsa-crypto.s3-website-ap-southeast-2.amazonaws.com/
So if the entropy of a cipher is very high, it will be harder to decode, right?
What are the problems with the other MAC formats mentioned in module 4?
Is HMAC not covered in this course?
If you ever need to sign a large file, hash the file then sign the hash. Why?
The purpose of signing is authentication, not confidentiality. People just need to verify that the file came from you (i.e. it was signed with your private key), so signing a hash is enough. RSA is slow, so signing the entire file would take a long time.
Is Diffie Hellman key exchange covered?
No
Final Exam
Will we have an NSA substitution cipher question again?
Midterm revision
http://nsa-crypto.s3-website-ap-southeast-2.amazonaws.com/
Non crypto: read lecture notes
Crypto
math3411 chapter 7
Merkle puzzles
RSA http://comp6445-curlybracket-letsmakeflagsgreatagain-curlybracket.bid/challenges/rsa/rsa.html
MAC and its attacks
Length extension attack
Hashing properties
preimage resistance (attack)
second-preimage resistance (attack)
collision resistance (attack)
A lot of Sun Tzu quotes
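The three hash properties in the revision list above, run as brute-force attacks so the cost gap is visible. This is an added example, not material from the course or this blog: `trunc_hash` is a stand-in toy hash (the leading `nbits` of SHA-256) chosen so that the attacks finish in seconds; the widths and the "target" input are assumptions for the demo.

```python
# Added example (not from the original notes): birthday attack vs. preimage search
# on a toy hash, so the 2^(n/2) vs 2^n gap from the revision list is visible.
# trunc_hash is our own stand-in: the first nbits of SHA-256. Nothing here is
# specific to the course materials.
import hashlib
import math
import os


def trunc_hash(data: bytes, nbits: int) -> int:
    """Toy n-bit hash: the leading nbits of SHA-256(data)."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - nbits)


def expected_trials(nbits: int) -> dict:
    """Rule-of-thumb costs: preimage ~ 2^n, birthday collision ~ sqrt(pi/2) * 2^(n/2)."""
    return {
        "preimage": 2 ** nbits,
        "collision": math.sqrt(math.pi / 2) * 2 ** (nbits / 2),
    }


def find_preimage(target: int, nbits: int) -> tuple:
    """(Second-)preimage attack: guess inputs until one hashes to `target`.
    Returns (input, trials). Expected trials ~ 2^nbits."""
    trials = 0
    while True:
        x = os.urandom(8)
        trials += 1
        if trunc_hash(x, nbits) == target:
            return x, trials


def find_collision(nbits: int) -> tuple:
    """Birthday attack: remember every (hash -> input) seen; the first repeat is a
    collision between two *different* inputs. Returns (x1, x2, trials).
    Expected trials ~ 2^(nbits/2); the table is the memory cost."""
    seen = {}
    trials = 0
    while True:
        x = os.urandom(8)
        trials += 1
        h = trunc_hash(x, nbits)
        if h in seen and seen[h] != x:
            return seen[h], x, trials
        seen[h] = x


def compare(nbits: int = 24) -> dict:
    """A collision at width n costs about what a preimage at width n/2 costs."""
    _, _, coll_trials = find_collision(nbits)
    half = nbits // 2
    _, pre_trials = find_preimage(trunc_hash(b"target", half), half)  # "target" is arbitrary
    return {
        "collision_trials_at_n": coll_trials,
        "preimage_trials_at_half_n": pre_trials,
        "expected": expected_trials(nbits),
    }


if __name__ == "__main__":
    print(compare(24))
```

Run it a few times: the 24-bit collision lands after a few thousand guesses, the 12-bit preimage after a similar few thousand, while a 24-bit preimage would need millions. That factor of two in the exponent is why "bits of security" for collision resistance is half the digest length.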
COMP6443 something awesome project
Week 2
Asset discovery
Reverse IP
DNS
local DNS resolution: /etc/hosts
changing the local DNS mapping is one way to redirect a victim to a phishing website
HTTPS: port 443
Google dork queries
Google search: site:yahoo.com -www inurl:admin.php (-www drops the www host from the results)
site:uber.com inurl:/wp-login (WordPress for blogs)
site:uber.com inurl:/wp-admin
Week 3
SSLstrip
password storage
hash: MD5 hash, SHA-256 hash
store the password as a salted hash
authentication
different auth mechanisms
fingerprint, username, ...
password reset
Anand Prakash: Facebook/Tinder bug
Week 1
morning
think about risks - Harbour Bridge collapse
making complex things will introduce more vulnerabilities
e.g. stone -> aeroplane
job application
analysis
tutorials
situation and use security eyes
time management
skills
6841: technical skills
something awesome
community/professionalisms
helping others get involved
movie for final exam - analysis
security everywhere analysis
tutorial case study
journals and blogging - tumblr
private study
SA
notes
evening
how to be a good security engineer
good analysis
awareness of the field's history and other domains
learn from history
case studies
figure out why things go wrong instead of blaming
decisions
what's important
the case can be very complex and you don't know where to start
extract the important information from the top to the bottom
e.g. Google's co-founder Larry Page
advance the Google mission
he always keeps in mind what is important about Google
certainty
a sign of a good engineer is that they are never certain all the time
humans
should understand humans, not only technical stuff
most problems can come from humans
what we do in each week
security everywhere
find Twitter security issues and make some analysis of them
news this week:
Russia and Tinder
US and social media identities
Australia spying on its own citizens and raiding journalists
ANU breach again
Westpac breach
Tank Man
journals and blogging - tumblr - aim for 10 a week including one big one (want to show breadth and depth)
human weakness
difficulty of changing people's minds
find anything about it
binary
dits/bits
CIA: confidentiality, integrity, authentication (this course's reading of the A; elsewhere it usually stands for availability)
confidentiality = encryption
confidentiality: face to face is easy
hiding the existence
flaw:
the receiver has to know how to read it
as soon as the attacker knows the method, it is broken
you lose control of secrets because people tell secrets
secrets don't work
code talkers
substitution, transposition
The Codebreakers (a book)
security by obscurity
https://www.openlearning.com/courses/securityengineering19t2/notes/slides01
Week 1 Lab: Deepwater Horizon Accident
The process and equipment of deep-water drilling
drilling onshore: full control of the wellhead directly under the rig
blowout preventer (BOP)
search image: BOP separated from the rig
two parts:
the top attaches to the riser
the bottom attaches to the deep-water wellhead
blind shear ram: cuts through the pipe and seals the well
People
crew rotation
on board: 12-hour shifts
different crews, 21 days on board then off
many companies operating, like launching a rocket
dynamic positioning keeps the vessel stable
If the vessel loses power, something bad can happen. You are in a serious position.
A series of questionable issues
Some decision making: like yellow lights, risk management
Design
Completing the well: long string is the cheaper option; the alternative is called liner and tie-back
no lockdown sleeve - an important thing, but given low priority
cement design:
caused hydrocarbons to leak
negative pressure test
there was no standard way to do it; people only had interpretations and did the test based on experience
flow monitoring was wrong because of the cement design and the negative pressure test
Ignition
hydrocarbons came up the riser -> onto the deck, into the engine room -> engines oversped -> ignition
BOP
failed to seal the well even when the BOP was shut
the blind shear ram didn't cut automatically
The ones that matter in the accident
cement job testing
the crew chose not to finish the logging done to make sure the cement job was good quality
the on-board crew didn't install some centralizers
on-board operations
negative pressure tests -> interpreted the flow condition wrongly
the spacer
regulation error?
Ignition
hydrocarbon entry into the engines caused the explosion; there were safety devices to prevent this happening, but they were not automatic and needed to be shut down manually?
BOP
six of the components only worked in the annular space; it had a single mode of failure
ROV
How to do it better
the cementing program was adequately designed, but it wasn't installed the way it was designed
avoid single points of failure
testing
a recording black box, like on an aeroplane
blogging:
one blog per lecture - analysis
one blog per tutorial - summary what decisions, depth of understanding
one blog about thoughts - security everywhere
one photo or something
Week 2
morning
What does the UNSW security email achieve?
Trust
The perfect answer is no-one. The security plan shouldn't rely on building trust.
Defense in depth
multi-layer defense
Problems of military hierarchy:
single point of failure
WarGames movie - clip
security measures:
defence in depth
symmetric launch code
dual control
two keys have to be used at the same time
Physical security
huawei
keyboard patterns
padlock shim
physical shredder
evening extended
sausage p - famous codeword
Vigenère cipher
make sure you know the Kasiski test and can compute and use the index of coincidence
Enigma
how this works?
how the roater works
Math
2^10 = 1024
2^20 ≈ 1 million, 2^30 ≈ 1 billion
256 bits of work is impossible in reality
work ratio
one-time pad (OTP)
TEMPEST
breaks
numbers stations
FOI planning
Ecosystem - erosion - weeds (later)
https://www.oaic.gov.au/freedom-of-information/faqs-for-individuals/how-do-i-make-a-freedom-of-information-request
data centres
Where are the data centres?
Type I & II errors
which one do you want to minimise?
left and right people
Bruce Schneier
last week: change people's mind
From week 2 videos
steganography - that's an example of security by obscurity
The most common English letters, in order: etaoin shrdlu
Week 3
Morning
thermal imaging
Risk
low probability but high impact
risk in security is different from risk in financial markets
a security risk may never have happened before, so people have no idea how to deal with it
financial markets have historical data, so mathematicians can make roughly accurate estimates
examples
earthquake
hospital failure
mass shooting
nuclear
climate change
big companies' data breaches
We are bad at assessing low-probability risk
large-scale cloud: low probability but high impact
Evening
Corruption: weakness of the week
prediction of data breaches
make a bold prediction
centralisation
a single point of failure
separation of powers, leaders and terms
how did the Romans and Greeks do separation of powers / avoid absolute power?
Week 4
bits of information
birthday paradox / birthday attack
cryptographic hash functions
some examples of using cryptography
proof of work
bitcoin
message authentication code
MAC (Message Authentication Code): protects integrity and authentication
We need to make sure the message hasn't been changed
If the key is too big, there is a key distribution problem. For example, you may have to send 50 different versions of the Bible
There is an attack called the length extension attack on SHA-256 (and on any other Merkle-Damgård hash)
If we put the key at the front, tag = SHA-256(key || m), then an attacker who has one valid tag and knows the length of the key can continue the SHA-256 computation from that tag and produce a valid tag for m || padding || extra, without ever learning the key
However, there is another problem if you put the key at the end, tag = SHA-256(m || key): any collision in the hash (two messages that reach the same internal state) is also a collision in the MAC, so its strength is capped by collision resistance rather than by the key
other crypto properties
Non-repudiation: You can't claim something didn't happen that did
HMAC (the standard construction that avoids both problems)
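The key-at-the-front attack described above, carried out end to end. This is an added example, not code from the course or this blog: it uses its own small SHA-256 (the standard library's `hashlib` cannot resume from a chosen state), and the key, message and appended suffix are constructed for the demo. `hashlib` appears only to cross-check the hand-written hash.

```python
# Added example (not from the original notes): the length extension attack on
# H(key || m) with SHA-256, using a small from-scratch SHA-256 so the internal
# state can be resumed (hashlib does not expose it). Key, message and suffix
# below are constructed for the demo; hashlib is used only to check our hash.
import hashlib
import hmac
import math
import struct

MASK = 0xFFFFFFFF


def _primes(n):
    ps, c = [], 2
    while len(ps) < n:
        if all(c % p for p in ps):
            ps.append(c)
        c += 1
    return ps


def _icbrt(n):
    """Exact floor(cbrt(n)) by integer Newton iteration (no float rounding)."""
    x = 1 << ((n.bit_length() + 2) // 3)
    while True:
        y = (2 * x + n // (x * x)) // 3
        if y >= x:
            return x
        x = y


_P = _primes(64)
H0 = [math.isqrt(p << 64) & MASK for p in _P[:8]]  # frac(sqrt(p)) * 2^32
K = [_icbrt(p << 96) & MASK for p in _P]            # frac(cbrt(p)) * 2^32


def _rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK


def _compress(state, block):
    """One SHA-256 compression of a 64-byte block into the 8-word state."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 64):
        s0 = _rotr(w[i - 15], 7) ^ _rotr(w[i - 15], 18) ^ (w[i - 15] >> 3)
        s1 = _rotr(w[i - 2], 17) ^ _rotr(w[i - 2], 19) ^ (w[i - 2] >> 10)
        w.append((w[i - 16] + s0 + w[i - 7] + s1) & MASK)
    a, b, c, d, e, f, g, h = state
    for i in range(64):
        t1 = (h + (_rotr(e, 6) ^ _rotr(e, 11) ^ _rotr(e, 25))
              + ((e & f) ^ (~e & g)) + K[i] + w[i]) & MASK
        t2 = ((_rotr(a, 2) ^ _rotr(a, 13) ^ _rotr(a, 22))
              + ((a & b) ^ (a & c) ^ (b & c))) & MASK
        h, g, f, e, d, c, b, a = g, f, e, (d + t1) & MASK, c, b, a, (t1 + t2) & MASK
    return [(s + v) & MASK for s, v in zip(state, (a, b, c, d, e, f, g, h))]


def _padding(total_len):
    """Merkle-Damgård padding for a total_len-byte message: 0x80, zeros, 64-bit bit length."""
    return b"\x80" + b"\x00" * ((55 - total_len) % 64) + struct.pack(">Q", total_len * 8)


def sha256_resume(data, state, absorbed):
    """Finish SHA-256 of (<absorbed bytes already folded into state> || data).
    A digest *is* the final chaining state, which is exactly what the attack abuses."""
    msg = data + _padding(absorbed + len(data))
    st = list(state)
    for i in range(0, len(msg), 64):
        st = _compress(st, msg[i:i + 64])
    return struct.pack(">8I", *st)


def sha256(data):
    return sha256_resume(data, H0, 0)


def matches_hashlib(data):
    return sha256(data) == hashlib.sha256(data).digest()


def mac_prefix(key, msg):
    """The flawed MAC from the notes: tag = H(key || msg)."""
    return sha256(key + msg)


def length_extend(tag, key_len, msg, extra):
    """Attacker knows tag = H(key||msg), msg and len(key), but not key.
    Returns (suffix, forged_tag) with H(key || msg || suffix) == forged_tag,
    where suffix = glue_padding || extra."""
    glue = _padding(key_len + len(msg))
    state = struct.unpack(">8I", tag)          # the tag *is* the chaining state
    forged = sha256_resume(extra, state, key_len + len(msg) + len(glue))
    return glue + extra, forged


def demo():
    key = b"s3cret-key-unknown-to-attacker"     # constructed; never seen by attacker
    msg = b"user=alice&role=user"
    tag = mac_prefix(key, msg)
    suffix, forged = length_extend(tag, len(key), msg, b"&role=admin")
    prefix_mac_fooled = mac_prefix(key, msg + suffix) == forged
    hmac_fooled = hmac.new(key, msg + suffix, hashlib.sha256).digest() == forged
    return prefix_mac_fooled, hmac_fooled     # (True, False)


if __name__ == "__main__":
    print(demo())
```

The forged message is `msg || glue || "&role=admin"`, where the glue is the original padding (a 0x80 byte, zeros and the bit length); any verifier that accepts raw bytes and takes the last occurrence of a key, as many query-string parsers do, now sees `role=admin` with a tag that checks out. The only thing the attacker had to guess was the key length, which is a small search. `hmac.new` over the same forged message does not match, which is the reason HMAC (key mixed into both an inner and an outer hash) is the construction to use.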
Week 4 lab
hashing
bits of security
bits of security and entropy and compression: multiple choice and some calculations
Revision
hashing
cryptographic hash function
difference between hashing and encryption
preimage resistance
2nd preimage resistance
collision resistance
HMACs / message authentication codes
one way
fixed length
lossy
Merkle puzzles
bits of security
Type I and II errors
CIA
MAC
Week 5
Morning & Evening
access point attack
Seminar: passwords
passwords based on personal information
github.com/Mebus (CUPP, the Common User Passwords Profiler)
how passwords are stored
plain text: bad, bad
bad hashing:
MD5: collisions are practical now, and it is far too fast to use for passwords
SHA-1: likewise
case background: LinkedIn 2012 (unsalted SHA-1)
rainbow table
salts should be long (at least 256 bits, per the lecture)
https://haveibeenpwned.com/Passwords
Hash
Merkle-Damgård construction - hash
initialisation vector
MD5, SHA-1 and SHA-2 all use it
people know the hash function
Digital signature
the original message is hashed, and the hash is signed
collision attack
I create a fake certificate authority: with a hash collision I can have a legitimate CA sign one certificate and have that same signature validate my rogue CA certificate, then pretend to be a legitimate HTTPS website so that the browser trusts me
collision attack: pretend to be another person
Key stretching
bcrypt
passwords - online & offline attacks
stealing the password database is called a data breach
add a salt to prevent rainbow tables
every salt is unique
factorize RSA
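The password-storage points above (plain fast hash falls to a precomputed table; salt plus key stretching does not), as an added example that is not code from the course or this blog. The five-word "leak" is constructed; PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt, which is not in the standard library; the `pbkdf2_sha256$...` record format is this example's own.

```python
# Added example (not from the original notes): why "bad hashing" of passwords
# fails and what a salted, stretched hash changes. COMMON is a constructed
# five-word leak; PBKDF2-HMAC-SHA256 (stdlib) stands in for bcrypt; the
# record format is our own.
import hashlib
import hmac
import os

COMMON = ["123456", "password", "qwerty", "letmein", "dragon"]  # constructed "leaked" list


def md5_unsalted(pw: str) -> str:
    """The LinkedIn-style mistake: one fast, unsalted hash per password."""
    return hashlib.md5(pw.encode()).hexdigest()


def build_lookup(words) -> dict:
    """A precomputed table (the idea behind a rainbow table): hash -> password.
    Built once, it cracks every user who chose one of these words."""
    return {md5_unsalted(w): w for w in words}


def crack_unsalted(digest: str, table: dict):
    """Instant: one dictionary lookup per leaked hash."""
    return table.get(digest)


def store_pbkdf2(pw: str, iterations: int = 600_000) -> str:
    """Salted + stretched: a fresh random salt per password, and an iteration
    count (tune to your cost budget) that makes each guess cost the attacker
    what it costs us."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(pw: str, record: str) -> bool:
    _, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)   # constant-time compare


def guesses_against_salted(record: str, words) -> tuple:
    """Offline dictionary attack on ONE salted record: still possible, but the
    precomputed table is useless (the salt differs per user) and every guess
    pays the full iteration cost. Returns (password or None, guesses spent)."""
    for i, w in enumerate(words, 1):
        if verify_pbkdf2(w, record):
            return w, i
    return None, len(words)


if __name__ == "__main__":
    table = build_lookup(COMMON)
    print(crack_unsalted(md5_unsalted("letmein"), table))      # letmein, instantly
    rec = store_pbkdf2("letmein")
    print(rec)
    print(guesses_against_salted(rec, COMMON))                 # ('letmein', 4), slowly
```

Two records for the same password never match each other, so a table keyed on the hash buys the attacker nothing; what remains is a per-user guess loop whose speed is set by the iteration count, which is the whole point of key stretching.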
Week 5 lab
Case study
Assets
Any self-driving technologies, like some artificial intelligence algorithms
Special hardware in the car, like GPUs
Customers' data - newly added
Engineers or researchers in artificial intelligence, or anything else related to self-driving cars
Reputation
Budget?
Risks
Job loss
Everyone's safety on the road, not only the passengers' safety in the car
Damage to the car and distribution of responsibility - tentative answer
Car owner authentication in case the car is stolen
Privacy issue - newly added
losing control of the car
how fast the car can go
Insiders - change the car's behaviour
System failure - network, AI makes wrong decisions
carjacking
car runs someone over
Actions on risks
The company should do lots of testing and experiments in different extreme conditions.
Every person who bought the self-driving car is the owner of the car. So if there is any accident, use the owner's insurance
The computer in the car should record any biometric information
The owner should have some trigger to fully stop the car in any condition.
tech training
YES with conditions
there should still be a driver, but there can be a self-drive mode
deeper thinking
whose fault is it if a car hits a person, the company's or the driver's?
Revision
hash(k | hash(m | k)) is safe (the construction given in the lecture; HMAC is the standard form)
Week 6
Lectures from openlearning week 5 videos
Vulnerabilities
Types of vulnerabilities
memory corruption
buffer overflow
the stack and the heap
how functions are called in C
format string
Week 6 lab
SWIFT compromise
Cyber war threat model
social media; fake news
censorship:
insiders, and breaking the encryption
infrastructure: malware attack
non-disclosure
lobby groups
prime minister
hack the elections: fake news
power is integrated; hack the energy grid: distributed, isolated network
blackmail families, hospitals, cloud:
hack financial services
tap the undersea cables
hack traffic lights
Sam Dastyari: no foreign donations
lobby groups
backdoored chip
ASD:
hack the supplier of a supplier: got the whole satellite
Week 7 lab
Portfolio due 5pm Sunday
3 mins something awesome
Mid term exam
RSA
take a given modulus
do 8 bits of work dividing the modulus by each of the possible primes it could be (2*10^18 primes)
if the result of the division is another prime, you've figured it out; on average this happens halfway through
1e18 ≈ 2^60
therefore 2*10^18 ≈ 2^61 primes
(2^8 * 2^61)/2 = 2^68, i.e. 68 bits of work
Houdini
authentication
non-repudiation; part of the marks for proof against replay, repeatability
Key: because we know the order 6*6: 6+6+6...
case study
keywords
terrorists
going dark
Edward Snowden
Five Eyes
mandatory data retention
San Bernardino iPhone case
Assistance and Access Bill
"Pine Gap facility essential to US drone strikes, expert called at activists' trial says"
"New encryption powers used at least five times by federal and NSW police"
Privacy discussion
government
freedom
tobycs6841 · 6 years ago
Module 6 activity: One Time Pad
A one-time pad is a cipher in which a key is generated truly at random, is at least as long as the message, and is used only once to encrypt that message. The receiver decrypts with an identical copy of the pad. With a truly random key the ciphertext is independent of the message, so there are no patterns to analyse: no amount of computation recovers the plaintext. The proviso is that the pad really is used once; the exercise below is five messages encrypted under the same pad, which is exactly what makes them breakable.
The only remaining issue is how to keep the key safe in transmission between the sender and receiver. One-time pads have prominently been in use for secret message transmission and espionage from the WWII era, through the Cold War era, until now! It is interesting to note that the difficulty of securely distributing secret keys between the two parties led to the invention of public-key cryptography.
Exercise:
LpaGbbfctNiPvwdbjnPuqolhhtygWhEuafjlirfPxxl
WdafvnbcDymxeeulWOtpoofnilwngLhblUfecvqAxs
UijMltDjeumxUnbiKstvdrVhcoDasUlrvDypegublg
LpaAlrhGmjikgjdmLlcsnnYmIsoPcglaGtKeQcemiu
LpaDohqcOzVbglebjPdTnoTzbyRbuwGftflTliPiqp
After using this software: https://lzutao.github.io/cribdrag/, I found that...
Message 1: The Secret To Winning Eurovision Is Excellent Hair
Message 2: Everyone Deserves A Hippopotamus When They’re Sad
Message 3: Can You Please Help Oliver Find The Flux Capacitor
Message 4: The Most Important Person In The World Is Me Myself
Message 5: The Price Of Bitcoin Is Too Damn High Given The Data
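How the crib-dragging tool used above actually gets from five ciphertexts to five plaintexts, as an added example that is not part of the original post or the tool linked there. The five ciphertexts are the ones from the exercise; the cipher is a case-preserving letter shift, c = (p + k) mod 26, which was worked out from the recovered messages, and one pad covers all five. Message 1's plaintext is assumed known at the end only because dragging cribs gets you there; the scoring heuristic is this example's own.

```python
# Added example (not part of the original post): breaking a one-time pad that was
# used more than once, with crib dragging. CIPHERTEXTS are the five from the
# exercise above. The cipher is a case-preserving letter shift, c = (p + k) mod 26
# (worked out from the recovered messages), and one pad covered all five.

CIPHERTEXTS = [
    "LpaGbbfctNiPvwdbjnPuqolhhtygWhEuafjlirfPxxl",
    "WdafvnbcDymxeeulWOtpoofnilwngLhblUfecvqAxs",
    "UijMltDjeumxUnbiKstvdrVhcoDasUlrvDypegublg",
    "LpaAlrhGmjikgjdmLlcsnnYmIsoPcglaGtKeQcemiu",
    "LpaDohqcOzVbglebjPdTnoTzbyRbuwGftflTliPiqp",
]

COMMON_LETTERS = set("etaoinshrdlu")   # the "etaoin shrdlu" frequency order from week 2


def _num(ch: str) -> int:
    return ord(ch.lower()) - ord("a")


def _letter(n: int, like: str) -> str:
    """Letter for n mod 26, taking its case from `like` (the cipher keeps case)."""
    c = chr(n % 26 + ord("a"))
    return c.upper() if like.isupper() else c


def shift(text: str, key: list, sign: int) -> str:
    """sign=+1 encrypts, sign=-1 decrypts, under an integer key stream."""
    return "".join(_letter(_num(t) + sign * k, t) for t, k in zip(text, key))


def recover_key(cipher: str, known_plain: str) -> list:
    """k = c - p: a known plaintext hands over the pad for those positions."""
    return [(_num(c) - _num(p)) % 26 for c, p in zip(cipher, known_plain)]


def drag_crib(cipher_a: str, cipher_b: str, crib: str) -> list:
    """Slide a guessed word (`crib`, assumed to be in message a) across every offset
    and show what it forces message b to say at the same offset.
    Same pad => c_b - c_a = p_b - p_a, so p_b = c_b - c_a + crib; k cancels out."""
    n = min(len(cipher_a), len(cipher_b)) - len(crib) + 1
    out = []
    for off in range(n):
        seg = "".join(
            _letter(_num(cb) - _num(ca) + _num(cr), cb)
            for ca, cb, cr in zip(cipher_a[off:], cipher_b[off:], crib)
        )
        out.append((off, seg))
    return out


def plausibility(s: str) -> float:
    """Crude English score: share of letters among the most common ones."""
    return sum(ch.lower() in COMMON_LETTERS for ch in s) / len(s)


def best_offsets(cipher_a: str, cipher_b: str, crib: str, top: int = 5) -> list:
    """Rank crib positions by how English the implied text in message b looks."""
    cands = drag_crib(cipher_a, cipher_b, crib)
    return sorted(cands, key=lambda t: plausibility(t[1]), reverse=True)[:top]


def decrypt_all(known_index: int, known_plain: str) -> list:
    """End state of crib dragging: one message fully known => pad known => all fall."""
    key = recover_key(CIPHERTEXTS[known_index], known_plain)
    return [shift(c, key, -1) for c in CIPHERTEXTS]


if __name__ == "__main__":
    print(drag_crib(CIPHERTEXTS[0], CIPHERTEXTS[1], "The")[:3])   # offset 0 gives "Eve"
    for m in decrypt_all(0, "TheSecretToWinningEurovisionIsExcellentHair"):
        print(m)
```

Dragging "The" across messages 1 and 2 at offset 0 yields "Eve" for message 2, which extends to "Everyone"; feeding that back against the other ciphertexts grows the known pad a few letters at a time until one message is complete and `decrypt_all` finishes the rest. The key itself is never needed during the dragging, which is why reusing a pad is fatal even when the pad is perfectly random.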
tobycs6841 · 6 years ago
Module 7 activities: Trump Phishing
Phishing is a very common method of social engineering, and in fact I have been exposed to email phishing and SMS phishing in the past. In this exercise, I was asked to write a phishing email targeted at Donald Trump.
Dear Pres. Donald Trump,
We hope this email reaches you in good spirits and can help mend some of our business relations after your White House administration's statements regarding my company.
I have special permission from the Chinese Communist Party to trade with American companies.
To say hello to you, we have made some fantastic burgers for you.
Click here to view the burgers.
We also work with Amazon and they will help us send our burgers to you.
You can track your order from Amazon here.
Cheers, Zheng Li, CEO of a Chinese pork company
tobycs6841 · 6 years ago
Week 6 activities: Threat Modelling
I was amazed by the large number of vulnerabilities I have learnt about and the analytical mind I have developed. If I spent a day on it, I would be able to go into more detail regarding physical vulnerabilities. I did not take into account vulnerabilities like buildings, nor the probability of more fundamental types of physical attack.
tobycs6841 · 6 years ago
Week 7 Case Study: Privacy
This week's case study in our tutorial involved a debate over whether the government should collect and have access to your data for good purposes, or whether we as citizens have a right to privacy. For this debate, I was a member of the team for the right to privacy, arguing that the government should not have the right to our data. The main arguments we followed for this side were:
Our data could be misused
The government would hold too much power and control over its citizens, which it could use to crack down on them.
I also did an analysis of both sides...
Why the government can collect data from people
Data collection could improve society, as a government can set policies and/or recommend legislation which largely benefits society or reduces incident risks.
Data would only be collected for the protection of citizens, through catching potential criminals or terrorists who are conducting or planning illegal activity.
Why the government can't collect data from people
Governments may have good intentions now, but data doesn't go away; how do we know that future governments will have good intentions?
Breach of international rights; only in cases of mass surveillance (e.g. China, WTF).
Political view: Privacy is fundamental to democracy and freedom.
tobycs6841 · 6 years ago
RSA Discussion
Livia and I discussed how RSA works one day before the mid-term exam. Here are some drafts (images).
tobycs6841 · 6 years ago
Security Everywhere 6: Governments need backdoors to encryption algorithms
There is a trend of more governments demanding backdoors to encryption algorithms. One example is the US Attorney General's statement. Read the article here: https://www.itnews.com.au/news/citing-australia-us-attorney-general-demands-backdoors-528703.
I think this sort of regulation should be discussed internationally. My view is pro-government, because I believe it is necessary to let the justice department access encrypted messages. However, the act should be discussed internationally, for example at the UN. The UN needs to regulate what kinds of criminals a government has the right to decrypt the messages or devices of, and every company in the world would need to follow the rules.
Although it is hard to design the whole thing internationally, we actually have experience of this, like the Kyoto Treaty. If world leaders focus on privacy issues (apparently they don't care), countries may regulate the first law applying to every country in the world.
If I stay in Australia, I will support the encryption bill because Australia is a democratic country and people's opinions will be respected. Therefore, I believe the government has the ethics to deal with different cases, as we all agree that anti-social behaviour or terrorism is the enemy of all humans.
However, if I stay in China, I will be against the bill because I don't trust the government to have ethics, and the government may use this to crack down on some people for political reasons.
tobycs6841 · 6 years ago
Security Everywhere 5: Sydney Airport Facial Recognition Trials
This case is related to the topic we discussed in week 6: privacy. The case is that Sydney Airport is trialling facial recognition to speed up the boarding process. The article is here: https://www.itnews.com.au/news/sydney-airport-is-continuing-its-facial-recognition-trials-528684. Actually the central question to ask is which one you trade off, efficiency or privacy? My analysis is not going to give any biased opinion on that; instead I would like to find a new way to solve this problem.
In terms of which one is preferred, it depends on the country and the culture. I believe people in western countries value privacy more than people in China. Therefore, I believe many people in China would support the airport's behaviour, whereas people in Australia may worry about their privacy and surveillance.
In my opinion, the best way to solve the problem is to give people a choice, with opt-in and opt-out options. If people prefer to use facial recognition technology, the airport provides the application, users can register, and the machine in the airport matches the uploaded picture with the one taken live.
tobycs6841 · 6 years ago
Week 6 Case Study: Safer in the country?
During the tutorial, we were discussing the main threats we face in the cyber domain of war.
Political influence
This includes any political lobbying and fake news on social media.
Posting information and/or news that changes public opinion.
For example, the Cambridge Analytica/Facebook privacy scandal, where harvested profile data was used to target voters before the 2016 U.S. presidential election.
The Internet
Disabling Internet services would significantly disrupt Internet capability, which is a threat to the defence of Australia.
This could be done either in the form of a cyber-attack or a physical attack. For example, other countries could destroy Internet cables on the seafloor. This capability could be devastating for the communications of many nations.
Attacking utility services
Attacking utilities such as electricity, telecommunications or water could devastate the whole population.
These services are most likely highly protected due to the attack's potential high impact.
Phishing attacks on government people
Government officials are also sensitive targets.
Attacking businesses and organisations
Their communication networks and data storage facilities could be targeted to limit or disturb the interaction between such businesses and their clients.
This could include banks or large companies, to accentuate the financial impact. Although security would be expected to be high...
Attacking hospitals or more vulnerable government-controlled services
Potential attacks focused on patient information and hospital management to cause chaos.
These would be less guarded than government agencies and could potentially have a large impact on vulnerable civilians.
Others:
Hack the root DNS servers
Backdoors in infrastructure like the 5G network
tobycs6841 · 6 years ago
Should have a password blog in 6443. Side channels: AES vs DES; AES can be attacked by side channels; skim it off a card if it's radiating Wi-Fi.
tobycs6841 · 6 years ago
Module 6 activities
5G in Australia
https://tobycs6841.tumblr.com/post/186562113610/week-6-activities-thread-modelling
https://tobycs6841.tumblr.com/post/186579085535/module-6-activity-one-time-pad
tobycs6841 · 6 years ago
Module 6: 5G in Australia
I have chosen to ban them and therefore must write a letter to the telecom companies explaining the importance of the ban and why paying a three-times-higher cost, for them and their customers, is worth it.
Dear CEOs,
I am writing this letter to you all regarding the recent news that the Chinese telecom company Huawei was planning to enter the Australian market and build the 5G network in Australia. Unfortunately, I cannot fully allow their expansion due to imminent security concerns. It is reasonable to buy Huawei's technology patents but not their devices. It is the Federal Government of Australia's highest priority that our citizens are protected from any potential data breach.
The government will spend more money on building Australia's own 5G network. Any hardware components should be bought from our allies or manufactured in Australia.
tobycs6841 · 6 years ago
Security Everywhere 4
Trump diplomatic row: What do we know about leaked UK emails?
Sir Kim Darroch, one of Britain's top diplomats, used secret cables and briefing notes to impugn Trump's character, warning London that the White House was 'uniquely dysfunctional' and that the President's career could end in 'disgrace'.
From the article, it seems that officials said an insider leaked the information rather than the encrypted channel being hacked.
Insider threat is among the most common forms of attack right now.
Insiders may have legitimate access to computer systems, with this access originally having been given to them to serve in the performance of their duties; these permissions could be abused to harm the organization. Insiders are often familiar with the organization's data and intellectual property as well as the methods that are in place to protect them.
tobycs6841 · 6 years ago
Security Everywhere 3
Cryptocurrency Scam
Bitcoin investment scam steals tens of thousands from couple as cryptocurrency losses grow
This is a typical scam website for bitcoin lovers, or for people who want to earn "big" money. The scam website first virtually gave them "money" in their accounts. However, the money is just a number and it doesn't mean anything.
So here is a recommendation for people who want to invest online:
1. Check the financial services regulation
2. Find an ABN for the website and check whether they are legal, and check the website on Scamwatch, provided by a government agency
3. Find a real human to talk to
4. Make sure your money can be transferred into an actual bank account, not just numbers in an account on the website
If we take a close look at the website page, there are a lot of spelling errors and the structure of the page was not built with heart. I think we should be very careful when putting bank information into a website. For example, we need to check the background of the company, not only relying on the information on the website but also finding information on third-party websites or official government websites. We also need to check their hosting IP address.
I had a similar experience before. I found a website and wanted to get some resources from it. It looked very legitimate and the website was like a normal company's. However, I was tricked eventually; even though I didn't lose anything, my personal bank information was leaked, so I had to get a new credit card. Later I found a suspicious thing: the IP address of this website is in the Czech Republic but it claims it is a U.S. company.