What 2017 has in store for cybersecurity?


The threat to the cybersecurity regime will continue to escalate in 2017 and in the years ahead. The excitement and apprehension surrounding the security business in 2017, which is directly related to the change in US administration in 2017, has led security professionals to predict that cybersecurity will be the most difficult task in both the government and commercial sectors (Francis, 2016). Though significant changes in security policy and regulation are doubtful, cybersecurity experts anticipate that the next president would prioritize security command by increasing budgets. After reviewing the article, it is obvious that most of the predictions about upcoming threats and policy changes in the security industry are reasonable, but the consequences are overstated in many cases. For example, president-elect Trump’s position against Apple’s privacy policy, which apparently helped a gunman flee from the law, has been taken as a reference to predict the end of encryption-based privacy (Smith, 2016). But it is not feasible to wash away encryption-based privacy, as it is a widely accepted technique for the secure transmission of messages, currency and other secret information. Likewise, the article in Government Technology predicts that Trump’s administration will surprise the cyber world in a positive way and will not make any attempt to disrupt the public’s trust in and reliance on the Internet (Lohrmann, 2016). However, it is true that the next US administration lacks the proper knowledge, research and framework to deal with emerging cybersecurity threats, which will have an impact on privacy and security over the Internet at national and global scale (Lohrmann, 2016).

The threat of identity theft and ransomware will be comprehensible in recent years, and targeted content and websites, such as those of the healthcare industry and the financial sector, will be more vulnerable to these types of attacks (Ragan, 2016). This is understandable because, with the proliferation of computer networks, the use of information technology will be on the rise, which will extend the reach of the Internet far beyond what people could imagine in past decades. As a result, hackers will be more active than ever in exploiting security loopholes in the Internet to take control of sensitive data and personal information. Ransomware will be one of the tools that hackers are likely to use deliberately to put a victim in an unstable position and extort money from them (Barker, 2017).

With an increased footprint over the Internet, especially through social media exposure, hardly anyone’s information or privacy is secured. I think my information is as exposed to cyber-attacks as that of any other individual who uses the Internet and computer technology for day-to-day work. Despite all the preventive measures that I have taken to prevent a cyber-attack, I am certain that I might be a victim of cybersecurity damage anytime. My pessimistic view about cybersecurity comes from a past experience of being robbed by an attacker who took control of my computer through ransomware; he encrypted all my important data and private contents and sent me a pop-up message demanding $500 to get my data back. He offered me a single file decryption for free to convince me to pay the sum. However, I could not afford the money and lost all my documents, photos and other important files. Among all frustrations, one thing that still amuses me is that I used his free offer to decrypt a spreadsheet full of details of my daily expenses for over five years.

Assignment 2: Not Such Lone Wolves

A lone wolf, in relation to terrorism, is an individual or group that performs terrorist attacks or acts of terrorism on their own and does not belong to any group or team. However, a lone wolf can be influenced by a group ideology or act in support of others, but lone wolves do not perform structured terrorism and are not accountable to anybody for their actions (Kimmel, 2013). Individual shooters and mass killers are some examples of lone wolves. Lone wolves can hide their intentions and keep their operations secret more efficiently than organized terrorists because they do not need to reveal their plans to anybody. Unlike organized crime, lone wolf terrorism dies with the person or group involved in a particular incident.

Lone wolf terrorism has been on the rise in recent years (Worth, 2016). Political and personal grievances, years of deprivation, and excessive influence by an ideology or faith are major causes of creating lone wolves. Lone wolf terrorist activities are less catastrophic than organized terrorism but are not easy to predict in advance or stop (Strohm, 2016). Their violence is now fueling the debates on gun control, online privacy policy and immigration from Muslim countries (Stearns & Tirone, 2016). Since lone wolf terrorism happens on a relatively small scale, it is possible to control it effectively through counseling and exemplary punishment.

Assignment 3

Exercise: 1.1: Attack tree for stealing a car

Steal the car

1.1 By driving the car away

1.1.1 Enter through door

1.1.1.1 using duplicate key

1.1.1.2 breaking the glass and unlocking the door

1.1.1.3 using drill or welding tools

1.1.1.4 by finding the door accidentally left opened by the owner

1.1.2 Enter through glass

1.1.2.1 breaking the glass

1.1.2.2 using glass cutting tools

1.1.2.3 discovering the owner left the car glass opened

1.2 By pushing the car from behind

1.2.1 by using another vehicle or truck from behind

1.2.2 owner did not pull the hand brake

1.3 By pulling the car from front

1.3.1 by using another vehicle or truck from front

1.4 By taking parts of the car apart

1.4.1 using tools to dismantle the car parts

1.4.2 using force to break parts

Exercise: 1.4: Attack tree for learning username and password of someone’s online bank account

Learning bank account credentials

1.1 Physically

1.1.1 Physically force the user to provide the information

1.1.1.1 hold the customer captive and push him for the information

1.1.1.2 keep a close person of the user hostage and threaten him to reveal the information

1.1.1.3 point a gun or arms to the user and ask for the credentials

1.1.2 Physically steal the credentials

1.1.2.1 follow customer’s keystroke from a secret place and note them

1.1.2.2 use a hidden camera to record customer’s keystroke to get the credentials

1.1.2.3 use keylogger device that can record each keystroke in its internal memory

1.2 Virtually

1.2.1 Using phishing

1.2.1.1 Send trustworthy emails to user

1.2.1.2 ask customer to reply to the email with credentials of the bank account

1.2.1.3 deceive the customer by redirecting to a pseudo website that resembles the online bank account and convince him to enter into the website using credentials

1.2.1.4 ask customer to provide sensitive account information, like birthdate, phone number, secret question with answer etc. which later can be used to exploit the account

1.2.2 Using virus

1.2.2.1 Use Trojan horse that will secretly hide inside customer’s workstation and

Predefined information

1.2.2.2 Use a key logger virus that can record each keystroke of the user and send it via email

1.2.3 Eavesdropping

1.2.3.1 by tapping into customer’s Internet line and extracting unencrypted information that might help in getting secret information

1.2.3.2 by pairing with one of the customer’s devices from where he or she frequently access the bank account

Exercise 1.6: Attack tree for preventing someone from being able to read his own email

Account holder cannot read his own emails

1.1 Block user’s access

1.1.1 hack into user’s account and change the password and reset recovery options

1.1.2 get control of the user account and delete it

1.1.3 block the user’s access into the email agent’s site

1.1.4 disconnect the user from the Internet

1.1.5 redirect all traffic from the user to the email agent to another address

1.2 Make the emails unreadable

1.2.1 encrypt the emails to render them unreadable to the user

1.2.2 add pseudo-noise to the email content and make them unintelligible

1.3 Change the route of emails intended for the user

1.3.1 redirect all emails to user account to another account

1.3.2 change the destination of all emails intended to be received by the user

Exercise 1.7: Changing sender of the email

Email recipient gets emails from wrong sender

1.1 Change the sender address

1.1.1 create a mailbox that will receive all the emails intended for a specific user and change; resend those emails to the user by changing sender’s name.

1.2 Take the user to a wrong email site

1.2.1 use a phishing site to take the user to a wrong email box, where the received emails will be engineered to show wrong recipient

1.3 Sit in the middle

1.3.1 sit in the middle of the network between the sender and the receiver and inject malicious code that will change the sender’s name.

1.3.2 create a key pair and impersonate someone else; hand the keys over to the recipient such that the recipient can verify the digital signature attached with the email belongs to the impersonated person.

Exercise 1.8: Security Review of Tesla’s Announced Wireless Car Charging System

Technology Summary

The electric car manufacturing giant Tesla is planning to launch a wireless car control system that will enable the user to take control of his car from remote places, such as the lobby of a hotel or his room, while the car is parked in the garage. The new technology will enable the user to check the condition of his car and drive the car up to a distance not longer than 1 km. The technology will help people who are in a hurry, or who forget to park their cars or perform routine checks because of a busy schedule. It will provide a means of checking the car and taking necessary actions during leisure periods. The remote technology will create major hype in the electric car industry and will help car users get value from every extra dollar they have paid for their car being electric. The unit also comes in a mobile app package, which enables the user to control the car using his mobile device.

Assets and Security Goals:

Asset 1: The technology will be wireless. It will require no wire connection between the car and the user and it will let the user have command over the car from distance. The main security goal of this asset is to keep the car safe from wireless infiltration or intrusion.

Asset 2: The control system of the car, which can help the user ignite and kill the engine and even drive the car a few meters in different directions. The main security goal for this asset is to keep the car safe from theft or accident.

Threats and Adversaries:

Threat 1: The major threat of becoming wirelessly controllable is being hacked by thieves. A hacker can easily get control of the wireless system and control the car from a distance, stealing the car without being caught or having any trouble.

Threat 2: Threat to privacy. A hacker can access the car log wirelessly or put malicious code into the car system that will help him learn the travelling history of the car as well as its current position and direction. This adversary poses a serious threat to the privacy of the car owner.

Weaknesses:

Weakness 1: The wireless control is lost when the car is more than 1 kilometer away from the user. The user might lose control immediately when the car is in remote-wireless driving mode, and that might cause an accident.

Weakness 2: With frequent switching between wireless and physical mode, the car might get stuck and fail to follow instructions properly, which may lead to an accident.

Defenses:

To address the first weakness, the car might use an automatic alert system to make the user aware that the car is moving out of wireless range. The user should instantly halt the car and reposition it somewhere within the wireless zone of access. The car can also use the autopilot feature built into modern Tesla cars to avoid accidents outside the wireless zone while being operated by remote controller. To deal with the second weakness, the car might use some sort of failsafe system that would take control of the car and park it instantly if it senses any kind of unresponsive behavior.

Evaluation

From the above discussion, it is obvious that the weaknesses are not severe as far as possible defenses and user awareness are concerned, but the threats are really worrisome and call for research and upgrades to eliminate possible security loopholes.

Conclusion

Despite having security problems, the new technology will create a revolution in the car industry and might be introduced into other vehicles as well. There is a good possibility that this technology will gain widespread acceptance in the entire car industry.

Attack Tree

1. Compromising Wireless Control of Tesla Car

1.1 Get the remote controller

1.1.1 Snatch the remote controller from the user

1.1.2 Steal the remote controller

1.1.3 Force the owner to hand over the remote controller

1.2 Hack the wireless channel

1.2.1 Hack the wireless signal and get control of the car

1.2.2 Get credentials of the handshake key between the mobile app and the car and take control

1.2.3 Insert malicious code into the car software and make it transmit information for pairing
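The attack tree above, checked from the defender's side, as an added example that is not part of the original essay: it parses the numbered outline into a tree in which every node is an OR node and lists the leaves that no control covers. The three controls and the leaves they cover are assumptions constructed for illustration, not features of the car.

```python
import re

# Outline of the attack tree above (node ids and labels follow the essay).
OUTLINE = """\
1. Compromising Wireless Control of Tesla Car
1.1 Get the remote controller
1.1.1 Snatch the remote controller from the user
1.1.2 Steal the remote controller
1.1.3 Force the owner to hand over the remote controller
1.2 Hack the wireless channel
1.2.1 Hack the wireless signal and get control of the car
1.2.2 Get credentials of the handshake key between the mobile app and the car and take control
1.2.3 Insert malicious code into the car software and make it transmit information for pairing
"""

# Hypothetical controls, constructed for this example: control name -> node ids it covers.
CONTROLS = {
    "PIN required on the remote controller": ["1.1.1", "1.1.2"],
    "mutually authenticated, encrypted radio link": ["1.2.1"],
    "signed software updates only": ["1.2.3"],
}

LINE = re.compile(r"^(\d+(?:\.\d+)*)\.?\s+(.+)$")

def parse_outline(text):
    """Turn a numbered outline into {node_id: {"label": str, "children": [ids]}}."""
    nodes = {}
    for raw in text.splitlines():
        match = LINE.match(raw.strip())
        if not match:
            continue  # blank line or free text between items
        node_id, label = match.groups()
        nodes[node_id] = {"label": label, "children": []}
        parent = node_id.rpartition(".")[0]
        if parent:
            if parent not in nodes:
                raise ValueError(f"node {node_id} listed before its parent {parent}")
            nodes[parent]["children"].append(node_id)
    return nodes

def open_leaves(nodes, node_id, covered):
    """Leaves below node_id that no control covers. Covering an inner node
    covers its whole subtree; every node is an OR node, as in the essay's trees."""
    if node_id in covered:
        return []
    children = nodes[node_id]["children"]
    if not children:
        return [node_id]
    return [leaf for child in children for leaf in open_leaves(nodes, child, covered)]

def review(nodes, root, controls):
    """Report whether the root goal is still reachable and through which leaves."""
    covered = {node_id for ids in controls.values() for node_id in ids}
    unknown = sorted(covered - set(nodes))
    if unknown:
        raise ValueError(f"controls reference unknown nodes: {unknown}")
    remaining = open_leaves(nodes, root, covered)
    return {"root_reachable": bool(remaining), "open_leaves": remaining}

if __name__ == "__main__":
    tree = parse_outline(OUTLINE)
    result = review(tree, "1", CONTROLS)
    print("root goal still reachable:", result["root_reachable"])
    for leaf in result["open_leaves"]:
        print("uncovered:", leaf, tree[leaf]["label"])
```

Because every node is an OR node, a single uncovered leaf keeps the root goal reachable, so the review only reports the goal as closed once every branch is covered.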

Exercise 1.9 Compromise of Tesla Car’s Wireless System

Developers from the Keen Security Lab, a division of the Chinese internet giant Tencent, have compromised the Tesla S car model over the air. The group of developers has shown how the car’s remote wireless system can be exploited to take control of the CAN bus that controls many vehicle systems in the car. However, the vulnerability that was exploited by the developers was narrow because it requires the car to be connected to a specific malicious Wi-Fi hotspot. Obviously, this was not the weakest link of the wireless security chain of the car. The weakest link, from my point of view, should be the mobile app interface that sets a communication link with the car after initial handshaking because it is easier to hack user credentials and get control of the car. On the other hand, forcing the car to pair with the malicious hotspot is a bit tricky and does not guarantee success all the time.

Exercise 1.10 Impact of Addressing One Security Issue on Others

One of the major examples of a situation where improving the security of a system against one type of attack invites others is the Two Factor Authorization (TFA) technique in email or other accounts. Due to frequent account hacking problems, security developers have introduced TFA, where the user has to authorize access via a code sent to their mobile. The incorporation of mobile-based authentication has increased mobile hacking problems. On the other hand, if the user’s mobile is stolen, there is a great chance of his accounts being compromised easily.

Exercise 2.1 Kerckhoffs’ Principle

Two arguments in favor of Kerckhoffs’ Principle:

It is not easy or cheap to build an algorithm, which is why it must be used many times,

Using an algorithm universally helps in the identification of bugs and security loopholes and in its improvement

Two arguments against Kerckhoffs’ Principle:

Keeping an algorithm open to all eases the work of the attacker who might acquire greater control over it or discover its weaknesses

All systems require expensive algorithm upgrade once it is compromised anywhere.

Validity of Kerckhoffs’ Principle:

It is obvious that the validity of Kerckhoffs’ principle is important from a security point of view. There is no way anyone can develop an individual algorithm for each user or each system because it is complex and expensive. On top of that, designing individual algorithms would require modification of system hardware and software, and as such no standardization could be done. A non-standardized unique algorithm would require all participants to shift to the same hardware and software to communicate, which is not a feasible model of communication.

Exercise 2.2 Using Open Wi-Fi

Parties that might be able to attack the system:

The network administrator or employees of the coffee shop who have access to the network,

Other customers of the coffee shop who access the same network

An intruder from outside who can penetrate the wireless interface

What They Can Do:

Can read the email

Can change contents as well as sender info of the email

Can cause interruption in email transmission

Defenses:

Bob and Alice can use VPN to secure their communication

Can hide their IP address

Can use 128-bit encryption

Can use secret codes to encode the email content

Can share authentication information to make sure that the email came from the other

Exercise 2.3 Number of Symmetric Keys

(30 × 29) / 2 = 435.

Exercise 2.4 Digital Signature Verification

Yes, it does prove that Alice saw the message in question and chose to sign it.

Exercise 2.5 Public Key Authentication

Alice can ask Bob to verify his key over phone.

Alice can ask Charlie to certify the key she has belongs to Bob

Alice can communicate with Charlie via email through an encrypted channel and ask him to certify P as Bob’s key.

Exercise 2.6 Security of Encryption Scheme in a Chosen-Ciphertext model

Yes. Unless the attacker can break the decryption key there is no luck with the Chosen-Ciphertext attack.

Exercise 2.7 Security Against Birthday Attack

To avoid a birthday attack or collision, we need n-values,

Where the birthday bound, 2^(n/2) = 128

n/2 = 7

n = 14.

References

Barker, I. (2017, January 04). Ransomware set to increase in 2017. Retrieved from Beta News: http://betanews.com/2017/01/04/ransomware-increase-2017/

Francis, R. (2016, December 19). What 2017 has in store for cybersecurity. Retrieved from CSO Online: http://www.csoonline.com/article/3150997/security/what-2017-has-in-store-for-cybersecurity.html?page=2

Kimmel, M. (2013). Angry White Men: American Masculinity at the End of an Era. Avalon.

Lohrmann, D. (2016, November 13). Will President-Elect Trump Surprise on Cybersecurity? Retrieved from Government Technology: http://www.govtech.com/blogs/lohrmann-on-cybersecurity/will-president-elect-trump-surprise-on-cybersecurity.html

Ragan, S. (2016, November 28). SF MUNI hacker lashes out, threatens to release 30GBs of compromised data. Retrieved from CSO: http://www.csoonline.com/article/3145425/security/sf-muni-hacker-lashes-out-threatens-to-release-30gbs-of-compromised-data.html

Smith, L. J. (2016, February 17). Donald Trump on Apple encryption battle: ‘Who do they think they are?’ Retrieved from The Verge: http://www.theverge.com/2016/2/17/11031910/donald-trump-apple-encryption-backdoor-statement

Stearns, J., & Tirone, J. (2016, October 04). Europe’s refugee crisis. Retrieved from Bloomberg: https://www.bloomberg.com/quicktake/europe-refugees

Strohm, C. (2016, September 23). Lone Wolf Terrorism. Retrieved from Bloomberg: https://www.bloomberg.com/quicktake/lone-wolf-terrorism

Worth, K. (2016, July 14). Lone Wolf Attacks Are Becoming More Common — And More Deadly. Retrieved from PBS: http://www.pbs.org/wgbh/frontline/article/lone-wolf-attacks-are-becoming-more-common-and-more-deadly/
