index.xml

<?xml version="1.0" encoding="utf-8" standalone="yes" ?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>CyberSecurity: Essentials</title>
    <link>https://medina.github.io/index.xml</link>
    <description>Recent content on CyberSecurity: Essentials</description>
    <generator>Hugo -- gohugo.io</generator>
    <language>en-us</language>
    <lastBuildDate>Tue, 07 Mar 2017 23:31:42 -0500</lastBuildDate>
    <atom:link href="https://medina.github.io/index.xml" rel="self" type="application/rss+xml" />
    
    <item>
      <title>Week6 Slides</title>
      <link>https://medina.github.io/blog/week6-slides/</link>
      <pubDate>Tue, 07 Mar 2017 23:31:42 -0500</pubDate>
      
      <guid>https://medina.github.io/blog/week6-slides/</guid>
      <description>&lt;p&gt;&lt;a href=&#34;https://medina.github.io/static/Week06.pdf&#34;&gt;Week06&lt;/a&gt;&lt;/p&gt;
</description>
    </item>
    
    <item>
      <title>Week6 Links</title>
      <link>https://medina.github.io/blog/week6-links/</link>
      <pubDate>Tue, 07 Mar 2017 21:07:58 -0500</pubDate>
      
      <guid>https://medina.github.io/blog/week6-links/</guid>
      <description>

&lt;h3 id=&#34;events-and-conferences&#34;&gt;Events and Conferences&lt;/h3&gt;

&lt;p&gt;&lt;a href=&#34;https://www.usenix.org/conference/enigma2017/conference-program&#34;&gt;Videos from Enigma 2017&lt;/a&gt; are posted.  I plan on watching &lt;em&gt;Secrets at Scale: Automated Bootstrapping of Secrets &amp;amp; Identity in the Cloud&lt;/em&gt;,&lt;/p&gt;

&lt;p&gt;&lt;img src=&#34;https://medina.github.io/static/images/turtles-all-the-way.png&#34; alt=&#34;turtles&#34; /&gt;&lt;/p&gt;

&lt;p&gt;&amp;ldquo;&lt;a href=&#34;https://en.wikipedia.org/wiki/Turtles_all_the_way_down&#34;&gt;Turtles all the way down&lt;/a&gt;&amp;rdquo; as the presentation quips.&lt;/p&gt;

&lt;h3 id=&#34;application-security&#34;&gt;Application Security&lt;/h3&gt;

&lt;p&gt;&lt;a href=&#34;https://wikileaks.org/ciav7p1/&#34;&gt;Wikileaks: CIA Hacking Tools Revealed&lt;/a&gt; received a strange reception.  Top comments on the &lt;a href=&#34;https://www.nytimes.com/2017/03/07/world/europe/wikileaks-cia-hacking.html&#34;&gt;&lt;em&gt;New York Times&lt;/em&gt; coverage&lt;/a&gt; seemed to be &amp;ldquo;spies are paid to spy, this is why we have the CIA, why is anyone surprised?&amp;rdquo;&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;The documents amount to a detailed, highly technical catalog of tools. They include instructions for compromising a wide range of common computer tools for use in spying: the online calling service Skype; Wi-Fi networks; documents in PDF format; and even commercial antivirus programs of the kind used by millions of people to protect their computers.&lt;/p&gt;

&lt;p&gt;In one revelation that may especially trouble the tech world if confirmed, WikiLeaks said that the C.I.A. and allied intelligence services have managed to compromise both Apple and Android smartphones. [&amp;hellip;] By penetrating the user’s phone, the agency can make the encryption irrelevant by intercepting messages and calls before their content is encrypted, or, on the other end, after messages are decrypted.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;A reminder that breaking encryption on the wire may not be the most direct route to discovering &amp;ldquo;clear-text&amp;rdquo; communications.&lt;/p&gt;

&lt;p&gt;If anyone here has ever used a &amp;ldquo;web-based jailbreak kit&amp;rdquo; on an older generation iPhone, this was surely leveraging a remote code execution (RCE) vulnerability of the sorts that are suggested here.&lt;/p&gt;

&lt;p&gt;The EFF points out that &lt;a href=&#34;https://www.eff.org/deeplinks/2017/03/hey-cia-you-held-security-flaw-information-now-its-out-thats-not-how-it-should&#34;&gt;vuln-hoarding means software remains insecure&lt;/a&gt;:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;The dark side of this story is that the documents confirm that the CIA holds on to security vulnerabilities in software and devices—including Android phones, iPhones, and Samsung televisions—that millions of people around the world rely on. The agency appears to have failed to accurately assess the risk of not disclosing vulnerabilities to responsible vendors and failed to follow even the limited Vulnerabilities Equities Process. As these leaks show, we&amp;rsquo;re all made less safe by the CIA&amp;rsquo;s decision to keep &amp;ndash;  rather than ensure the patching of &amp;ndash; vulnerabilities. Even spy agencies like the CIA have a responsibility to protect the security and privacy of Americans.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;EPIC has more about &lt;a href=&#34;https://epic.org/privacy/cybersecurity/vep/&#34;&gt;VEP&lt;/a&gt;.&lt;/p&gt;

&lt;hr /&gt;

&lt;p&gt;&lt;a href=&#34;https://openai.com/blog/adversarial-example-research/&#34;&gt;Attacking machine learning with adversarial examples&lt;/a&gt; is an unsettling survey of techniques that can really screw with machine learning software.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;Adversarial examples have the potential to be dangerous. For example, attackers could target autonomous vehicles by using stickers or paint to create an adversarial stop sign that the vehicle would interpret as a &amp;lsquo;yield&amp;rsquo; or other sign&amp;hellip;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;This was &lt;a href=&#34;https://www.usenix.org/conference/enigma2017/conference-program/presentation/papernot&#34;&gt;also presented at Enigma&lt;/a&gt;&lt;/p&gt;

&lt;hr /&gt;
</description>
    </item>
    
    <item>
      <title>Week5 Board Notes</title>
      <link>https://medina.github.io/blog/week5-content/</link>
      <pubDate>Thu, 02 Mar 2017 18:36:34 -0500</pubDate>
      
      <guid>https://medina.github.io/blog/week5-content/</guid>
      <description>&lt;p&gt;&lt;a href=&#34;https://en.wikipedia.org/wiki/XcodeGhost&#34;&gt;Malware infects apps via developer tools&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Insider trading &lt;a href=&#34;https://www.justice.gov/usao-sdny/pr/manhattan-us-attorney-announces-arrest-macau-resident-and-unsealing-charges-against&#34;&gt;by hacking law firms&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Classmate mentions the &lt;a href=&#34;https://en.wikipedia.org/wiki/Ashley_Madison_data_breach&#34;&gt;Ashley Madison Breach&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Bill mentions the RSA Breach: &lt;a href=&#34;http://blogs.rsa.com/anatomy-of-an-attack/&#34;&gt;RSA Anatomy of an Attack&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Cyber kill chain:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href=&#34;http://www.lockheedmartin.com/us/what-we-do/aerospace-defense/cyber/cyber-kill-chain.html&#34;&gt;Glossy marketing&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&#34;http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf&#34;&gt;Academic-style paper&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;img src=&#34;https://medina.github.io/static/images/kill-chain.png&#34; alt=&#34;Intrusion Kill Chain&#34; /&gt;&lt;/p&gt;

&lt;p&gt;&amp;ldquo;Kill chain&amp;rdquo; sounds ominous, &amp;ldquo;&lt;a href=&#34;https://en.wikipedia.org/wiki/Kill_chain&#34;&gt;originally used as a military concept related to the structure of an attack&lt;/a&gt;&amp;rdquo;.  Bill mentions others that have been re-purposed for cybersecurity, including &lt;a href=&#34;https://en.wikipedia.org/wiki/Demilitarized_zone&#34;&gt;DMZ&lt;/a&gt;.  &lt;a href=&#34;https://en.wikipedia.org/wiki/Firewall_(computing)&#34;&gt;Firewall&lt;/a&gt; came from the barrier between the (dangerous) steam engine and the people in a the locomotive.&lt;/p&gt;

&lt;p&gt;Viruses and worms seem to have a more organic origin.  We have anti-virus, but no innoculation (or is that what patching is?)&lt;/p&gt;

&lt;p&gt;Funny to think what names could have stuck, e.g., &amp;ldquo;web application &lt;a href=&#34;https://en.wikipedia.org/wiki/Stockade&#34;&gt;stockade&lt;/a&gt;&amp;ldquo;&lt;/p&gt;

&lt;p&gt;Question from a classmate: How to get into cybersecurity?&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Knowledge of basics &amp;ndash; take this class :-)&lt;/li&gt;
&lt;li&gt;Certifications&lt;/li&gt;
&lt;li&gt;Experience from other domains, two popular routes: infrastructure (networking or sysadmin) or application dev&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Where do Mac addresses come from?  Who gives out OUIs?  &lt;a href=&#34;http://www.iana.org/assignments/ethernet-numbers&#34;&gt;IANA&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;What applications that run over HTTP?  Lots of things can be tunneled over HTTP, but most common might be things like RDP (which has its own native remote desktop protocol).&lt;/p&gt;

&lt;p&gt;&lt;img src=&#34;https://medina.github.io/static/images/week-5-notes-1.jpg&#34; alt=&#34;notes&#34; /&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href=&#34;https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning&#34;&gt;HPKP&lt;/a&gt; and &lt;a href=&#34;https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security&#34;&gt;HSTS&lt;/a&gt; are trust-on-first-use (TOFU) headers sent by servers to &amp;ldquo;modern&amp;rdquo; web browsers that understand them to signal certain security behaviors.  I made some snarky comments about the &amp;ldquo;&lt;a href=&#34;https://chromium.googlesource.com/chromium/src/net/+/refs/heads/master/http/transport_security_state_static.json&#34;&gt;preload&lt;/a&gt;&amp;rdquo; form of this same data that ships with Chrome.  More secure perhaps but doesn&amp;rsquo;t seem like a great approach to ship static data like this.  &lt;a href=&#34;https://hstspreload.org/&#34;&gt;Get your own domain listed&lt;/a&gt;!&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;Be aware that inclusion in the preload list cannot easily be undone. Domains can be removed, but it takes months for a change to reach users with a Chrome update and we cannot make guarantees about other browsers. Don&amp;rsquo;t request inclusion unless you&amp;rsquo;re sure that you can support HTTPS for your entire site and all its subdomains the long term.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;We got to talking about &lt;a href=&#34;https://en.wikipedia.org/wiki/WebSocket&#34;&gt;WebSockets&lt;/a&gt; and whether they played nicely with firewalls.  A classmate mentions that WebSockets could be used by advertisers to get around standard ad blockers (&lt;a href=&#34;https://bugs.chromium.org/p/chromium/issues/detail?id=129353#c58&#34;&gt;thread on Chrome-dev&lt;/a&gt;)&lt;/p&gt;

&lt;p&gt;Question from a classmate: TCP/IP network handling &amp;ndash; what&amp;rsquo;s handled in user space, what&amp;rsquo;s kernel space?&lt;/p&gt;

&lt;p&gt;A good article on the topic is Cloudflare&amp;rsquo;s &lt;a href=&#34;https://blog.cloudflare.com/why-we-use-the-linux-kernels-tcp-stack/&#34;&gt;Why we use the Linux kernel&amp;rsquo;s TCP stack&lt;/a&gt;, which gives an &amp;ldquo;it depends&amp;rdquo; answer,&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;The latency is very important for the HFT (high frequency trading) folks. Traders can afford custom hardware and fancy proprietary network stacks.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;In a side discussion, the question was motivated by thinking of attacks that could be triggered via crafted packets that could exploit the kernel directly.  I like the way you think!  This should be a fairly straight-forward &amp;ldquo;unpacking&amp;rdquo; of ones and zeros from the received network traffic, while keeping a small amount of state off to the side before handling the data off to an application in user-space for heavier processing.&lt;/p&gt;

&lt;p&gt;One bit of code that &lt;em&gt;parses&lt;/em&gt; network traffic are the packet dissectors we saw in Wireshark in the class.  Each year there are &lt;a href=&#34;https://www.wireshark.org/security/&#34;&gt;dozens of security issues&lt;/a&gt; reported in these dissectors, usually resulting in some denial of service (affecting only the Wireshark application) if its run against a payload with a specially crafted packet.&lt;/p&gt;

&lt;p&gt;&lt;img src=&#34;https://medina.github.io/static/images/bookshelf.jpg&#34; alt=&#34;bookshelf&#34; /&gt;&lt;/p&gt;

&lt;p&gt;I like the first four chapters of &lt;a href=&#34;https://hpbn.co&#34;&gt;High Performance Browser Networking&lt;/a&gt; (free online) for &amp;ldquo;Networking 101&amp;rdquo;.&lt;/p&gt;

&lt;p&gt;&lt;img src=&#34;https://medina.github.io/static/images/week-5-notes-2.jpg&#34; alt=&#34;notes&#34; /&gt;&lt;/p&gt;

&lt;p&gt;Flows through a firewall, permitted in one direction (&amp;ldquo;outbound to an HTTP server on port 80/TCP&amp;rdquo;), with the firewall &amp;ldquo;remembering&amp;rdquo; state to permit the response traffic back from the web server to the ephemeral port on the client without needing a static rule.&lt;/p&gt;

&lt;p&gt;The &lt;a href=&#34;https://en.wikipedia.org/wiki/OSI_model&#34;&gt;OSI model&lt;/a&gt; vs real-world protocols.  Diversity on the top and bottom, TCP/IP in the middle.&lt;/p&gt;

&lt;p&gt;Not sure why but we were talking about the &lt;a href=&#34;http://web.mit.edu/~simsong/www/ugh.pdf&#34;&gt;Unix Haters Handbook&lt;/a&gt; (free online) at some point in the back of the class.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;You know the real trouble with Unix? The real trouble is that it became so
popular. It wasn’t meant to be popular. It was meant for a few folks working
away in their labs, using Digital Equipment Corporation’s old PDP-11
computer. I used to have one of those. A comfortable, room-sized machine.&lt;/p&gt;
&lt;/blockquote&gt;
</description>
    </item>
    
    <item>
      <title>Week5 Links</title>
      <link>https://medina.github.io/blog/week5-links/</link>
      <pubDate>Thu, 02 Mar 2017 15:29:31 -0500</pubDate>
      
      <guid>https://medina.github.io/blog/week5-links/</guid>
      <description>

&lt;h3 id=&#34;cybercrime&#34;&gt;Cybercrime&lt;/h3&gt;

&lt;p&gt;&lt;a href=&#34;http://marissamayr.tumblr.com/post/157876672644/update-on-yahoos-security-incident&#34;&gt;Update on Yahoo’s security incident&lt;/a&gt; (also see &lt;a href=&#34;https://investor.yahoo.net/secfiling.cfm?filingID=1193125-17-65791&amp;amp;CIK=1011006&#34;&gt;10K filing&lt;/a&gt;):&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;As those who follow Yahoo know, in late 2014, we were the victim of a state-sponsored attack &amp;hellip; since this incident happened during my tenure, I have agreed to forgo my annual bonus and my annual equity grant this year and have expressed my desire that my bonus be redistributed to our company’s hardworking employees, who contributed so much to Yahoo’s success in 2016.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h3 id=&#34;cryptography&#34;&gt;Cryptography&lt;/h3&gt;

&lt;p&gt;&lt;a href=&#34;http://valerieaurora.org/hash.html&#34;&gt;Lifetimes of cryptographic hash functions&lt;/a&gt;&lt;/p&gt;

&lt;h3 id=&#34;application-security&#34;&gt;Application Security&lt;/h3&gt;

&lt;p&gt;Soon after we were playing with cookies and session management in class &amp;ndash; using my Google account! &amp;ndash; &lt;a href=&#34;https://www.theregister.co.uk/2017/03/01/google_still_silent_on_mass_logout/&#34;&gt;this happened&lt;/a&gt;.  This definitely affected my mobile GMail app.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;No change to report from the last update. We&amp;rsquo;re still actively working to resolve issues with Identity/Authentication. Future updates will follow when there is significant progress to report.&lt;/p&gt;

&lt;p&gt;To summarize; some long-lived OAuth tokens have inadvertently been invalidated. This may affect the following Cloud services and will manifest as authentication errors:&lt;/p&gt;

&lt;p&gt;Cloud APIs using OAuth tokens, and related services that use them
gcloud SDK
Cloud Storage gsutil
Cloud Dataflow
Note: not all customers are affected by this.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;hr /&gt;

&lt;p&gt;The CloudFlare incident has caused a lot of back-and-forth between CloudFlare and Google&amp;rsquo;s Project Zero (see Twitter for more)&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href=&#34;https://bugs.chromium.org/p/project-zero/issues/detail?id=1139&#34;&gt;Cloudflare Reverse Proxies are Dumping Uninitialized Memory&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&#34;https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/&#34;&gt;Incident report on memory leak caused by Cloudflare parser bug&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&#34;https://blog.cloudflare.com/quantifying-the-impact-of-cloudbleed/&#34;&gt;Quantifying the Impact of &amp;ldquo;Cloudbleed&amp;rdquo;&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;hr /&gt;

&lt;p&gt;Project Zero also released a &lt;a href=&#34;https://bugs.chromium.org/p/project-zero/issues/detail?id=1011&#34;&gt;Microsoft browser vulnerability&lt;/a&gt; that went unpatched.&lt;/p&gt;

&lt;hr /&gt;

&lt;p&gt;&lt;a href=&#34;https://team-sik.org/trent_portfolio/password-manager-apps/&#34;&gt;Password Manager Vulnerabilities&lt;/a&gt;&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;At first sight, the requirements for a password manager application seem simple: Storing the passwords of a user centralized in a secure and confidential way. However, how is the reality on mobile, password manger applications, especially on Android? &amp;hellip; Despite the vendors’ claims, is it nevertheless possible to obtain access to the stored credentials?&lt;/p&gt;
&lt;/blockquote&gt;

&lt;hr /&gt;

&lt;p&gt;&lt;a href=&#34;https://www.troyhunt.com/data-from-connected-cloudpets-teddy-bears-leaked-and-ransomed-exposing-kids-voice-messages/&#34;&gt;Data from connected CloudPets teddy bears leaked and ransomed, exposing kids&amp;rsquo; voice messages&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;blockquote class=&#34;twitter-tweet&#34; data-cards=&#34;hidden&#34; data-lang=&#34;en&#34;&gt;&lt;p lang=&#34;en&#34; dir=&#34;ltr&#34;&gt;Here it is:&lt;br&gt;- Toy captured kids voices&lt;br&gt;- Data exposed via MongoDB&lt;br&gt;- 2.2m recordings&lt;br&gt;- DB ransom&amp;#39;d&lt;br&gt;- And much more&amp;hellip;&lt;a href=&#34;https://t.co/HvePnZleXR&#34;&gt;https://t.co/HvePnZleXR&lt;/a&gt;&lt;/p&gt;&amp;mdash; Troy Hunt (@troyhunt) &lt;a href=&#34;https://twitter.com/troyhunt/status/836320506127101953&#34;&gt;February 27, 2017&lt;/a&gt;&lt;/blockquote&gt;
&lt;script async src=&#34;//platform.twitter.com/widgets.js&#34; charset=&#34;utf-8&#34;&gt;&lt;/script&gt;&lt;/p&gt;

&lt;h3 id=&#34;other&#34;&gt;Other&lt;/h3&gt;

&lt;p&gt;&lt;a href=&#34;https://twitter.com/badthingsdaily&#34;&gt;BadThingsDaily&lt;/a&gt; &amp;ndash; not so fictional worst-case drills, every day!&lt;/p&gt;

&lt;hr /&gt;

&lt;p&gt;Via a classmate, &lt;a href=&#34;https://www.monster.com/career-advice/article/cybersecurity-suffers-from-talent-shortage&#34;&gt;Cybersecurity Suffers from Talent Shortage&lt;/a&gt;.  Related, there may be some &lt;a href=&#34;http://www.reuters.com/article/us-usa-cyber-nsa-idUSKBN1672ML&#34;&gt;other cybersecurity folks entering the private job market&lt;/a&gt;.&lt;/p&gt;
</description>
    </item>
    
    <item>
      <title>Week4 Board Notes</title>
      <link>https://medina.github.io/blog/week4-content/</link>
      <pubDate>Wed, 01 Mar 2017 03:28:04 -0500</pubDate>
      
      <guid>https://medina.github.io/blog/week4-content/</guid>
      <description>&lt;p&gt;&lt;img src=&#34;https://medina.github.io/static/images/week-4-notes-1.jpg&#34; alt=&#34;week-4-notes-1&#34; /&gt;&lt;/p&gt;

&lt;p&gt;A classmate recommends &lt;a href=&#34;http://www.fredkaplan.info/dark-territory.htm&#34;&gt;Dark Territory: The Secret History of Cyber War&lt;/a&gt;.  I&amp;rsquo;ve reserved it at the library :-)  Excerpt from the &lt;a href=&#34;https://www.nytimes.com/2016/03/06/books/review/dark-territory-the-secret-history-of-cyber-war-by-fred-kaplan.html&#34;&gt;&lt;em&gt;New York Times&lt;/em&gt; review&lt;/a&gt; in which life imitates art:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;Kaplan had access to several of these people, and so the book is peppered with many fascinating behind-the-scenes ­anecdotes. For example, it opens with the story of Ronald Reagan watching the 1983 Matthew Broderick hacker movie “WarGames,” which led him to ask for the first national security policy directive on information systems security.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;We got to talking about &lt;a href=&#34;https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/&#34;&gt;Stuxnet&lt;/a&gt; when a classmate took us into the nasty details of how it infected embedded systems without leaving a trace.&lt;/p&gt;

&lt;p&gt;&lt;a href=&#34;http://www.zerodaysfilm.com/&#34;&gt;&lt;em&gt;Zero Days&lt;/em&gt;&lt;/a&gt; is a movie on the subject that was mentioned (I haven&amp;rsquo;t seen it yet).&lt;/p&gt;

&lt;p&gt;We got into biometrics, including voice patterns.  I had to mention that &lt;a href=&#34;https://www.youtube.com/watch?v=n5GzlOpf3KA&#34;&gt;famous plot element&lt;/a&gt; from &lt;a href=&#34;https://www.youtube.com/watch?v=LlKDkTbUFhU&#34;&gt;Sneakers&lt;/a&gt; (all-star cast!)&lt;/p&gt;

&lt;p&gt;&lt;a href=&#34;http://www.nuance.com/for-business/customer-service-solutions/voice-biometrics/index.htm&#34;&gt;Nuance Voice Biometrics&lt;/a&gt; is one product that supports this.&lt;/p&gt;

&lt;p&gt;&lt;a href=&#34;https://blog.fortinet.com/2013/08/14/security-101-smshing&#34;&gt;Smshing&lt;/a&gt; &amp;ndash; phishing via SMS &amp;ndash; was a new word for me.&lt;/p&gt;

&lt;p&gt;We reviewed various password managers just in time for the news of the week for &lt;a href=&#34;https://team-sik.org/trent_portfolio/password-manager-apps/&#34;&gt;Password Manager Vulnerabilities&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;We also talked about different multi-factor authentication mechanisms, including things like &lt;a href=&#34;https://www.yubico.com/products/yubikey-hardware/&#34;&gt;Yubkey&lt;/a&gt; hardware.  These are all &amp;ldquo;something you have&amp;rdquo; proof mechanisms (as opposed to your password, which is &amp;ldquo;something you know&amp;rdquo;)&lt;/p&gt;

&lt;p&gt;The &lt;a href=&#34;https://xkcd.com/936/&#34;&gt;XKCD comic&lt;/a&gt; I&amp;rsquo;d hinted at:&lt;/p&gt;

&lt;p&gt;&lt;img src=&#34;https://imgs.xkcd.com/comics/password_strength.png&#34; alt=&#34;xkcd&#34; /&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href=&#34;https://xkcd.com/792/&#34;&gt;There&lt;/a&gt; &lt;a href=&#34;https://xkcd.com/1286/&#34;&gt;are&lt;/a&gt; &lt;a href=&#34;https://xkcd.com/538/&#34;&gt;more&lt;/a&gt; good ones.&lt;/p&gt;

&lt;p&gt;&lt;img src=&#34;https://imgs.xkcd.com/comics/security.png&#34; alt=&#34;xkcd&#34; /&gt;&lt;/p&gt;

&lt;p&gt;Microsoft explains &lt;a href=&#34;https://technet.microsoft.com/en-us/security/dn785092&#34;&gt;Pass the Hash&lt;/a&gt; attacks.&lt;/p&gt;

&lt;p&gt;&lt;a href=&#34;https://en.wikipedia.org/wiki/Stingray_phone_tracker&#34;&gt;Stingrays&lt;/a&gt; are fake cellular base stations law enformcent can use for surveillance purposes.&lt;/p&gt;

&lt;p&gt;&lt;a href=&#34;http://www.theverge.com/2017/1/20/14334192/donald-trump-phone-android-security-president&#34;&gt;What smartphone does POTUS use?&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href=&#34;http://www.mobiledit.com/sim-cloning/&#34;&gt;SIM card cloning is a thing&lt;/a&gt;&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;SIM Cloning Tool is only for forensic purposes. The cloned SIM will never connect to an operator’s network! The purpose of this tool is to isolate a phone from its network for secure investigations.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;&lt;img src=&#34;https://medina.github.io/static/images/week-4-notes-2.jpg&#34; alt=&#34;week-4-notes-2&#34; /&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href=&#34;https://en.wikipedia.org/wiki/Shamir&#39;s_Secret_Sharing&#34;&gt;Shamir&amp;rsquo;s Secret Sharing&lt;/a&gt;, &lt;a href=&#34;https://blog.cloudflare.com/red-october-cloudflares-open-source-implementation-of-the-two-man-rule/&#34;&gt;Red October&lt;/a&gt;, &lt;a href=&#34;https://en.wikipedia.org/wiki/Shibboleth&#34;&gt;Shibboleth&lt;/a&gt;, &amp;hellip;&lt;/p&gt;

&lt;p&gt;By coincidence (see above) we mentioned &lt;a href=&#34;https://en.wikipedia.org/wiki/WarGames&#34;&gt;&lt;em&gt;WarGames&lt;/em&gt;&lt;/a&gt; later, with the &lt;a href=&#34;https://www.youtube.com/watch?v=8-T_uhQ0iE4&#34;&gt;opening scene&lt;/a&gt; having an example of a dual-key or split-key protocol.&lt;/p&gt;
</description>
    </item>
    
    <item>
      <title>Week4 Slides</title>
      <link>https://medina.github.io/blog/week4-slides/</link>
      <pubDate>Wed, 22 Feb 2017 20:24:55 -0500</pubDate>
      
      <guid>https://medina.github.io/blog/week4-slides/</guid>
      <description>&lt;p&gt;&lt;a href=&#34;https://medina.github.io/static/Week04.pdf&#34;&gt;Week04&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;img src=&#34;https://medina.github.io/static/images/fido-demo.gif&#34; width=&#34;100%&#34; /&gt;&lt;/p&gt;
</description>
    </item>
    
    <item>
      <title>Week4 Links</title>
      <link>https://medina.github.io/blog/week4-links/</link>
      <pubDate>Wed, 22 Feb 2017 20:24:50 -0500</pubDate>
      
      <guid>https://medina.github.io/blog/week4-links/</guid>
      <description>

&lt;p&gt;Spotted via &lt;a href=&#34;https://news.ycombinator.com&#34;&gt;HackerNews&lt;/a&gt;, &lt;a href=&#34;https://slashdot.org&#34;&gt;Slashdot&lt;/a&gt;, &lt;a href=&#34;https://www.reddit.com/r/netsec/&#34;&gt;/r/netsec&lt;/a&gt;, &lt;a href=&#34;http://www.oreilly.com/security/newsletter&#34;&gt;O&amp;rsquo;Reilly Security Newsletter&lt;/a&gt;, &lt;a href=&#34;https://twitter.com&#34;&gt;Twitter&lt;/a&gt;; via security bloggers including &lt;a href=&#34;https://krebsonsecurity.com/&#34;&gt;Krebs on Security&lt;/a&gt;, &lt;a href=&#34;https://www.troyhunt.com/&#34;&gt;Troy Hunt&lt;/a&gt;; from classmates; and elsewhere.&lt;/p&gt;

&lt;h3 id=&#34;events-and-conferences&#34;&gt;Events and Conferences&lt;/h3&gt;

&lt;p&gt;&lt;a href=&#34;https://www.rsaconference.com/&#34;&gt;RSA Conference&lt;/a&gt; &lt;a href=&#34;https://www.youtube.com/playlist?list=PLeUGLKUYzh_j1Q75yeae8upX-T1FLmZWf&#34;&gt;videos are online&lt;/a&gt;.&lt;/p&gt;

&lt;h3 id=&#34;law-and-politics&#34;&gt;Law and Politics&lt;/h3&gt;

&lt;p&gt;&lt;em&gt;&lt;a href=&#34;https://theintercept.com/2017/02/20/how-to-run-a-rogue-government-twitter-account-with-an-anonymous-email-address-and-a-burner-phone/&#34;&gt;How to run a rogue government Twitter account&lt;/a&gt;&lt;/em&gt;, sounds like fun.  A good primer on operational security.&lt;/p&gt;

&lt;h3 id=&#34;cybercrime-stories&#34;&gt;Cybercrime Stories&lt;/h3&gt;

&lt;p&gt;From classmates.&lt;/p&gt;

&lt;p&gt;&lt;a href=&#34;https://archives.fbi.gov/archives/newhaven/press-releases/2011/nh041311.htm&#34;&gt;That time the FBI operated a botnet&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;&amp;ldquo;&lt;a href=&#34;http://www.independent.ie/business/personal-finance/property-mortgages/home-buyers-stand-to-lose-thousands-in-new-cyberattack-35424312.html&#34;&gt;Friday Afternoon Fraud&lt;/a&gt;&amp;rdquo; and trying to &lt;a href=&#34;https://www.lawsociety.ie/News/News/Stories/Launch-of-Cybersecurity-section/&#34;&gt;raise lawyer&amp;rsquo;s awareness of cybersecurity&lt;/a&gt;.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;Cybercriminals are hacking the email accounts of Irish solicitors in an attempt to steal tens of thousands of euro from unsuspecting home buyers, the Sunday Independent has learned.&lt;/p&gt;

&lt;p&gt;Dubbed &amp;lsquo;Friday Afternoon Fraud&amp;rsquo;, the conveyancing scam has been known to take several forms, but generally occurs when the hackers intercept emails between home buyers or sellers, and their solicitors.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;I had to look up &lt;a href=&#34;https://en.wikipedia.org/wiki/Conveyancing&#34;&gt;conveyancing&lt;/a&gt;; in a real estate closing this is the transaction-clearing stage that often involves an escrow account.&lt;/p&gt;

&lt;p&gt;In &amp;ldquo;&lt;a href=&#34;http://www.csoonline.com/article/3171937/security/hackers-behind-bank-attack-campaign-use-russian-as-decoy.html&#34;&gt;Hackers behind bank attack campaign use Russian as decoy&lt;/a&gt;&amp;rdquo;, there seems to be a &amp;ldquo;&lt;a href=&#34;https://en.wikipedia.org/wiki/False_flag&#34;&gt;false flag operation&lt;/a&gt;&amp;rdquo;.  There&amp;rsquo;s some nice &lt;a href=&#34;https://baesystemsai.blogspot.ro/2017/02/lazarus-false-flag-malware.html&#34;&gt;in-depth analysis&lt;/a&gt; in the source link.  This drives home a point about cyber attacks: &lt;a href=&#34;https://twitter.com/thegrugq/status/706545282645757952&#34;&gt;attribution is hard&lt;/a&gt;.  More on this from &lt;em&gt;&lt;a href=&#34;https://www.wired.com/2016/12/hacker-lexicon-attribution-problem/&#34;&gt;Wired&lt;/a&gt;&lt;/em&gt; and &lt;em&gt;&lt;a href=&#34;https://www.tenable.com/blog/attribution-is-hard-part-1&#34;&gt;Tenable&lt;/a&gt;&lt;/em&gt;.&lt;/p&gt;

&lt;h3 id=&#34;cryptography&#34;&gt;Cryptography&lt;/h3&gt;

&lt;p&gt;&lt;em&gt;&lt;a href=&#34;https://jhalderm.com/pub/papers/interception-ndss17.pdf&#34;&gt;The Security Impact of HTTPS Interception&lt;/a&gt;&lt;/em&gt; is available again.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;[W]e assess the prevalence and impact of HTTPS interception by applying our
heuristics to nearly eight billion connection handshakes.  [W]e find differing
rates of interception: 4.0% of Firefox update connections, 6.2% of e-commerce
connections, and 10.9% of U.S. Cloudflare connections were intercepted. While
these rates vary by vantage point, all are more than an order of magnitude
higher than previous estimates.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;There&amp;rsquo;s supposed to be a &lt;a href=&#34;https://github.com/zakird/tlsfingerprints&#34;&gt;GitHub repo&lt;/a&gt; appearing soon.&lt;/p&gt;

&lt;p&gt;&lt;a href=&#34;https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html&#34;&gt;SHA1 Collisions&lt;/a&gt; were announced by Google and CWI Amsterdam.  We know enough crypto to talk about why this is a big deal.  The &amp;ldquo;branded&amp;rdquo; attack is &lt;a href=&#34;http://shattered.io/&#34;&gt;SHAttered&lt;/a&gt;.  &lt;a href=&#34;https://arstechnica.com/security/2017/02/at-deaths-door-for-years-widely-used-sha1-function-is-now-dead/&#34;&gt;Arstechnica&lt;/a&gt; has more.&lt;/p&gt;

&lt;h3 id=&#34;application-security&#34;&gt;Application Security&lt;/h3&gt;

&lt;p&gt;Google&amp;rsquo;s &lt;a href=&#34;https://googleprojectzero.blogspot.com/&#34;&gt;Project Zero&lt;/a&gt; &lt;a href=&#34;https://bugs.chromium.org/p/project-zero/issues/detail?id=992&#34;&gt;went full disclosure on Microsoft&lt;/a&gt;.  This is unrelated to the &lt;a href=&#34;https://twitter.com/PythonResponder/status/826926681701113861&#34;&gt;other vulnerability&lt;/a&gt; that may have been actively exploited and were suppose to be fixed in the &lt;a href=&#34;https://arstechnica.com/information-technology/2017/02/microsoft-cancels-february-patch-tuesday-despite-0-day-in-wild/&#34;&gt;delayed February patches&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;We haven&amp;rsquo;t covered CSRF yet, but new browser controls are starting to make an appearance that may ensure that &lt;a href=&#34;https://scotthelme.co.uk/csrf-is-dead/&#34;&gt;CSRF is dead&lt;/a&gt;.&lt;/p&gt;

&lt;h3 id=&#34;other&#34;&gt;Other&lt;/h3&gt;

&lt;p&gt;&lt;a href=&#34;http://techblog.netflix.com/2017/02/introducing-netflix-stethoscope.html&#34;&gt;Netflix announced a new security tool&lt;/a&gt; that, in part, involves users in the security process.&lt;/p&gt;

&lt;p&gt;&lt;a href=&#34;https://blogs.dropbox.com/tech/2017/02/meet-securitybot-open-sourcing-automated-security-at-scale/&#34;&gt;Dropbox also announced a security tool&lt;/a&gt; which similarly involves employees in triaging security events (should we talk about the possibility of insider threat here though?)&lt;/p&gt;
</description>
    </item>
    
    <item>
      <title>Week3 Board Notes</title>
      <link>https://medina.github.io/blog/week3-content/</link>
      <pubDate>Wed, 22 Feb 2017 20:24:21 -0500</pubDate>
      
      <guid>https://medina.github.io/blog/week3-content/</guid>
      <description>&lt;p&gt;&lt;img src=&#34;https://medina.github.io/static/images/week-3-notes-1.jpg&#34; alt=&#34;week-3-notes-1&#34; /&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href=&#34;https://www.schneier.com/&#34;&gt;Bruce Schneier&lt;/a&gt;, who keeps an excellent blog, wrote &lt;a href=&#34;https://www.schneier.com/books/applied_cryptography/&#34;&gt;Applied Security&lt;/a&gt;, which is an encyclopedia of cryptographic algorithms, but hasn&amp;rsquo;t been updated since 1996.&lt;/p&gt;

&lt;p&gt;From the class links, we got to talking about cross-border &amp;ldquo;searches&amp;rdquo; of your personal computing devices (including phones).  This is on par with &amp;ldquo;show me what&amp;rsquo;s in your bag&amp;rdquo;, per case law, although you may not be able to be compelled to turn over passwords.  Also talked about &amp;ldquo;Magic Lantern&amp;rdquo; (again from links), where FBI could didn&amp;rsquo;t bother going through the effort of brute-forcing the keys for encrypted disks.  This segued to an incident following the &lt;a href=&#34;https://en.wikipedia.org/wiki/2015_San_Bernardino_attack&#34;&gt;San Bernardino&lt;/a&gt; case in which the &lt;a href=&#34;https://en.wikipedia.org/wiki/FBI%E2%80%93Apple_encryption_dispute&#34;&gt;FBI wanted access to an encrypted iPhone&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;As a thought exercise we got into how they may have eventually gotten access to the device (latest article suggests an exploit may have been used, rather than the clone-and-brute-force method we got into).  Classmate mentions &amp;ldquo;NAN Cloning&amp;rdquo;, and this article about *&lt;a href=&#34;https://www.theguardian.com/technology/2016/sep/20/iphone-hacking-passcodes-nand-mirroring-password&#34;&gt;$100 store-bought kit can hack into iPhone passcodes, researcher claims&lt;/a&gt; is close to what we discussed.  There&amp;rsquo;s a take-away: the security of the iPhone is proving to hold up well, even when physical access to the device is compromised.&lt;/p&gt;

&lt;p&gt;(I can&amp;rsquo;t find the reference to &amp;ldquo;PIN bot&amp;rdquo;, a manual finger-press method, that was mention.)&lt;/p&gt;

&lt;p&gt;At some point we got to talking about &lt;a href=&#34;https://en.wikipedia.org/wiki/Edward_Snowden&#34;&gt;Snowden&lt;/a&gt; and two movies were mentioned, &lt;em&gt;&lt;a href=&#34;https://en.wikipedia.org/wiki/Snowden_(film)&#34;&gt;Snowden&lt;/a&gt;&lt;/em&gt;, the Oliver Stone movie and &lt;em&gt;&lt;a href=&#34;https://en.wikipedia.org/wiki/Citizenfour&#34;&gt;Citizenfour&lt;/a&gt;&lt;/em&gt;, a documentary.&lt;/p&gt;

&lt;p&gt;Our media-sector classmate wasn&amp;rsquo;t around so we didn&amp;rsquo;t go too far into &lt;a href=&#34;https://www.torproject.org/&#34;&gt;Tor&lt;/a&gt; and &lt;a href=&#34;https://securedrop.org/&#34;&gt;SecureDrop&lt;/a&gt;.  We did hit upon a bunch of ways that Tor users can be de-anonymized by adversaries like&amp;hellip; the FBI.  In one example, &lt;a href=&#34;https://threatpost.com/fbi-mum-on-how-exactly-it-hacked-tor/117127/&#34;&gt;they allegedly hacked browsers&lt;/a&gt; from compromised sites they controlled.&lt;/p&gt;

&lt;p&gt;Someone mentioned another vuln-for-hire case used by a government, where NSO Group&amp;rsquo;s product was &lt;a href=&#34;https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/&#34;&gt;used in the UAE&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;The new &lt;a href=&#34;http://www.verizonenterprise.com/verizon-insights-lab/dbir/&#34;&gt;Verizon Data Breach Investigations Report&lt;/a&gt; (VZ DBIR) is coming soon, and in a preview, reports were circulating of a &lt;a href=&#34;https://nakedsecurity.sophos.com/2017/02/13/universitys-iot-devices-went-fishing-for-information-how-did-it-happen/&#34;&gt;mass IoT hack at a university&lt;/a&gt;.&lt;/p&gt;

&lt;hr /&gt;

&lt;p&gt;We spent some time talking about &lt;a href=&#34;https://www.kali.org/&#34;&gt;Kali Linux&lt;/a&gt;, which will be used in the more hands-on lab classes in the rest of the program.  You can download this and try it out to get a head start.  Browse the &lt;a href=&#34;http://tools.kali.org/tools-listing&#34;&gt;bundled tools&lt;/a&gt; to find out more about them.  We mentioned there&amp;rsquo;s a lot of overlap between them; nobody knows all of them, you use the ones you know best for the job at hand.  VMPlayer and &lt;a href=&#34;https://www.virtualbox.org/&#34;&gt;VirtualBox&lt;/a&gt; can be used to run virtual machines.&lt;/p&gt;

&lt;hr /&gt;

&lt;p&gt;We got into audit, with our guest speaker going into some of the different approaches that can be taken with an &amp;ldquo;audit&amp;rdquo; &amp;ndash; the terminology is all over the place and varies depending on the goals.  Is it an &amp;ldquo;audit&amp;rdquo; or an &amp;ldquo;assessment&amp;rdquo;; &amp;ldquo;black box&amp;rdquo; testing vs &amp;ldquo;white box&amp;rdquo; testing (and everything in the middle).&lt;/p&gt;

&lt;p&gt;After the Target breach, &lt;a href=&#34;http://venturebeat.com/2014/03/26/lawsuit-against-target-and-trustwave-gets-the-security-standard-all-wrong/&#34;&gt;Trustwave was sued&lt;/a&gt;.  They were the &lt;a href=&#34;https://en.wikipedia.org/wiki/Qualified_Security_Assessor&#34;&gt;Qualified Security Assessor (QSA)&lt;/a&gt; who allegedly failed to identify issues during their point-in-time review of &lt;a href=&#34;https://www.pcisecuritystandards.org/document_library&#34;&gt;PCI DSS&lt;/a&gt; compliance.&lt;/p&gt;

&lt;p&gt;Talking about what happens when access is not properly managed, the &lt;a href=&#34;https://en.wikipedia.org/wiki/2008_Soci%C3%A9t%C3%A9_G%C3%A9n%C3%A9rale_trading_loss&#34;&gt;SocGen&amp;rsquo;s rouge trader&lt;/a&gt; drove home lessons about segregation of duties.&lt;/p&gt;

&lt;p&gt;In an aside we talked about &lt;a href=&#34;https://en.wikipedia.org/wiki/Chelsea_Manning&#34;&gt;Chelsea Manning&lt;/a&gt; who retrieved almost a half-million documents she had authorized access to, but in volumes that exceeded appropriate use of that authorized access.&lt;/p&gt;

&lt;p&gt;Side comment about recent Twitter thread re &amp;ldquo;&lt;a href=&#34;https://twitter.com/fugueish/status/830638976687960066&#34;&gt;pen testing is a lemons market&lt;/a&gt;&amp;rdquo; (in a strong &lt;a href=&#34;https://en.wikipedia.org/wiki/The_Market_for_Lemons&#34;&gt;economic sense&lt;/a&gt;).&lt;/p&gt;

&lt;p&gt;&lt;img src=&#34;https://medina.github.io/static/images/week-3-notes-2.jpg&#34; alt=&#34;week-3-notes-2&#34; /&gt;&lt;/p&gt;

&lt;p&gt;Somehow got to talking about Bitcoin, robbing cybercurrency, which led to the &lt;a href=&#34;https://medium.com/@pullnews/understanding-the-dao-hack-for-journalists-2312dd43e993&#34;&gt;Ethereum / DAO hack&lt;/a&gt;, which was a protocool-level attack.&lt;/p&gt;

&lt;p&gt;I don&amp;rsquo;t remember &lt;em&gt;how&lt;/em&gt;, but we got to talking about &lt;a href=&#34;https://en.wikipedia.org/wiki/Aadhaar&#34;&gt;Aadhaar/UIDAI&lt;/a&gt;, India&amp;rsquo;s country-wide identity-issuance program.&lt;/p&gt;

&lt;p&gt;We got into cyberwarefare with mention of &lt;a href=&#34;https://arstechnica.com/security/2017/01/the-new-normal-yet-another-hacker-caused-power-outage-hits-ukraine/&#34;&gt;hackers targeting Ukraine&amp;rsquo;s power grid&lt;/a&gt;.  The &lt;a href=&#34;https://en.wikipedia.org/wiki/2007_cyberattacks_on_Estonia&#34;&gt;attacks on Estonia&lt;/a&gt; a decade ago were significant and led to the &lt;a href=&#34;https://en.wikipedia.org/wiki/Tallinn_Manual&#34;&gt;Tallinn Manual&lt;/a&gt;, a NATO-led study on the topic.&lt;/p&gt;

&lt;p&gt;Microsoft recently shared &lt;em&gt;&lt;a href=&#34;https://blogs.microsoft.com/on-the-issues/2017/02/14/need-digital-geneva-convention/&#34;&gt;The need for a Digital Geneva Convention&lt;/a&gt;&lt;/em&gt; &amp;ndash; as a classmate quips &amp;ldquo;please don&amp;rsquo;t hack Microsoft&amp;rdquo;.&lt;/p&gt;

&lt;p&gt;&lt;a href=&#34;https://haveibeenpwned.com/&#34;&gt;Have I Been Pwned&lt;/a&gt; (&lt;em&gt;&lt;a href=&#34;https://en.wikipedia.org/wiki/Pwn&#34;&gt;to pwn&lt;/a&gt;&lt;/em&gt;) is Troy Hunt&amp;rsquo;s site to collect information from breaches into a searchable interface so you can know when your accounts are compromised.&lt;/p&gt;

&lt;p&gt;&lt;a href=&#34;https://www.dhs.gov/topic/cybersecurity-information-sharing&#34;&gt;ISACs&lt;/a&gt; are threat-intelligence sharing groups aligned by sector, for example &lt;a href=&#34;https://www.fsisac.com/&#34;&gt;FS-ISAC&lt;/a&gt; for financial services and &lt;a href=&#34;http://www.ren-isac.net/&#34;&gt;REN-ISAC&lt;/a&gt; for universities.  &lt;a href=&#34;https://www.us-cert.gov/&#34;&gt;US-CERT&lt;/a&gt; is funded via DHS to provide data-sharing, incident response, and coordination.&lt;/p&gt;

&lt;hr /&gt;

&lt;p&gt;We talked about cybercrime laws and looked at &lt;a href=&#34;http://cybercrime.gov&#34;&gt;Cybercrime.gov&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;As an assignment, dig up a case, find some of the court filings, and discuss in the next class.&lt;/p&gt;

&lt;p&gt;For example, &lt;a href=&#34;https://www.justice.gov/opa/pr/alleged-international-hacker-indicted-massive-attack-us-retail-and-banking-networks&#34;&gt;Alleged International Hacker Indicted for Massive Attack on U.S. Retail and Banking Networks&lt;/a&gt; is a press release and &lt;a href=&#34;https://www.wired.com/images_blogs/threatlevel/2009/08/gonzalez.pdf&#34;&gt;USA vs Gonzalez&lt;/a&gt; is the indictment filed in court.&lt;/p&gt;
</description>
    </item>
    
    <item>
      <title>Week3 Slides</title>
      <link>https://medina.github.io/blog/week3-slides/</link>
      <pubDate>Thu, 16 Feb 2017 16:32:12 -0500</pubDate>
      
      <guid>https://medina.github.io/blog/week3-slides/</guid>
      <description>&lt;p&gt;&lt;a href=&#34;https://medina.github.io/static/Week03.pdf&#34;&gt;Week03&lt;/a&gt;&lt;/p&gt;
</description>
    </item>
    
    <item>
      <title>Week3 Links</title>
      <link>https://medina.github.io/blog/week3-links/</link>
      <pubDate>Wed, 15 Feb 2017 23:25:59 -0500</pubDate>
      
      <guid>https://medina.github.io/blog/week3-links/</guid>
      <description>

&lt;p&gt;Spotted via &lt;a href=&#34;https://news.ycombinator.com&#34;&gt;HackerNews&lt;/a&gt;, &lt;a href=&#34;https://slashdot.org&#34;&gt;Slashdot&lt;/a&gt;, &lt;a href=&#34;https://www.reddit.com/r/netsec/&#34;&gt;/r/netsec&lt;/a&gt;, &lt;a href=&#34;http://www.oreilly.com/security/newsletter&#34;&gt;O&amp;rsquo;Reilly Security Newsletter&lt;/a&gt;, &lt;a href=&#34;https://twitter.com&#34;&gt;Twitter&lt;/a&gt;; via security bloggers including &lt;a href=&#34;https://krebsonsecurity.com/&#34;&gt;Krebs on Security&lt;/a&gt;, &lt;a href=&#34;https://www.troyhunt.com/&#34;&gt;Troy Hunt&lt;/a&gt;; from classmates; and elsewhere.&lt;/p&gt;

&lt;h3 id=&#34;events-and-conferences&#34;&gt;Events and Conferences&lt;/h3&gt;

&lt;p&gt;&lt;a href=&#34;https://www.rsaconference.com/&#34;&gt;RSA Conference&lt;/a&gt; is on now.&lt;/p&gt;

&lt;h3 id=&#34;hey-we-were-just-talking-about-that&#34;&gt;Hey-we-were-just-talking-about-that&lt;/h3&gt;

&lt;p&gt;&lt;a href=&#34;https://www.bloomberg.com/news/articles/2017-02-15/verizon-said-to-reach-revised-price-for-yahoo-in-wake-of-hacks&#34;&gt;Verizon Said to Near Yahoo Deal at Lower Price After Hacks&lt;/a&gt;, $250 million discount on a $5 billion deal.&lt;/p&gt;

&lt;h3 id=&#34;law-and-politics&#34;&gt;Law and Politics&lt;/h3&gt;

&lt;p&gt;What are the rules for &lt;a href=&#34;http://www.theverge.com/2017/2/12/14583124/nasa-sidd-bikkannavar-detained-cbp-phone-search-trump-travel-ban&#34;&gt;cybersearches when crossing broders&lt;/a&gt;?  Does anyone here take extra precautions, such as using a &amp;ldquo;clean device&amp;rdquo;?&lt;/p&gt;

&lt;p&gt;Is &lt;a href=&#34;https://securedrop.org/&#34;&gt;SecureDrop&lt;/a&gt; making it easier for government employees to leak?  There are a LOT of leaks coming from the new administration, some of which have already cost the new national security advisor his job.&lt;/p&gt;

&lt;p&gt;&lt;a href=&#34;https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE&#34;&gt;Enhanced Analysis of GRIZZLY STEPPE&lt;/a&gt;, a deep-dive into recent attacks carried out by nation-state adversaries.&lt;/p&gt;

&lt;h3 id=&#34;cryptography&#34;&gt;Cryptography&lt;/h3&gt;

&lt;p&gt;There &lt;em&gt;was&lt;/em&gt; a new paper called &amp;ldquo;The Security Impact of HTTPS Interception&amp;rdquo;, but I think it&amp;rsquo;s been taken offline in advance of presentation at a conference in a few weeks.  Abstract:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;As HTTPS deployment grows, middlebox and antivirus products are increasingly intercepting TLS connections to retain visibility into network traffic. In this work, we present a comprehensive study on the prevalence and impact of HTTPS interception. First, we show that web servers can detect interception by identifying a mismatch between the HTTP User-Agent header and TLS client behavior. We characterize the TLS handshakes of major browsers and popular interception products, which we use to build a set of heuristics to detect interception and identify the responsible product. We deploy these heuristics at three large network providers: (1) Mozilla Firefox update servers, (2) a set of popular e-commerce sites, and (3) the Cloudflare content distribution network. We find more than an order of magnitude more interception than previously estimated and with dramatic impact on connection security. To understand why security suffers, we investigate popular middleboxes and client-side
security software, finding that nearly all reduce connection security and many introduce severe vulnerabilities. Drawing on our measurements, we conclude with a discussion on recent proposals to safely monitor HTTPS and recommendations for the security community.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h3 id=&#34;access-control&#34;&gt;Access Control&lt;/h3&gt;

&lt;p&gt;&lt;a href=&#34;https://medium.com/uber-security-privacy/introducing-the-uber-ssh-certificate-authority-4f840839c5cc&#34;&gt;Introducing the Uber SSH Certificate Authority&lt;/a&gt;, time-bound certificates for SSH authentication.&lt;/p&gt;

&lt;h3 id=&#34;application-security&#34;&gt;Application Security&lt;/h3&gt;

&lt;p&gt;&lt;a href=&#34;https://arstechnica.com/information-technology/2017/02/microsoft-delays-patch-tuesday-as-world-awaits-fix-for-smb-flaw/&#34;&gt;If it&amp;rsquo;s Patch Tuesday but there aren&amp;rsquo;t any patches, is it really Patch Tuesday?&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href=&#34;https://blog.filippo.io/finding-ticketbleed/&#34;&gt;Finding Ticketbleed&lt;/a&gt;, deeply technical blow-by-blow of discovering a vulnerability in an implementation of a protocol by a vendor.  But read the &amp;ldquo;Disclosure&amp;rdquo; section about performing &amp;ldquo;responsible disclosure&amp;rdquo; working with the vendor security team.&lt;/p&gt;

&lt;h3 id=&#34;other&#34;&gt;Other&lt;/h3&gt;

&lt;p&gt;What&amp;rsquo;s the &lt;a href=&#34;https://krebsonsecurity.com/2017/01/shopping-for-w2s-tax-data-on-the-dark-web/&#34;&gt;going rate for W-2 forms&lt;/a&gt;?  Krebs answers&amp;hellip;&lt;/p&gt;
</description>
    </item>
    
    <item>
      <title>Week2 Board Notes</title>
      <link>https://medina.github.io/blog/week2-content/</link>
      <pubDate>Wed, 15 Feb 2017 22:44:17 -0500</pubDate>
      
      <guid>https://medina.github.io/blog/week2-content/</guid>
      <description>&lt;p&gt;&lt;img src=&#34;https://medina.github.io/static/images/week-2-notes-1.jpg&#34; alt=&#34;week-1-notes-1&#34; /&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href=&#34;https://www.kali.org/&#34;&gt;Kali Linux&lt;/a&gt;, LiveCD, VM Images, etc., providing Linux loaded with security testing tools.&lt;/p&gt;

&lt;p&gt;Sidebar re: whether all Chip&amp;rsquo;d cards include RFID (I don&amp;rsquo;t believe they do).&lt;/p&gt;

&lt;p&gt;&lt;a href=&#34;https://en.wikipedia.org/wiki/Ransomware&#34;&gt;Ransomeware&lt;/a&gt;, malicious software that tries to &amp;ldquo;monetize the attack&amp;rdquo; by requesting payment to decrypt hijacked files.&lt;/p&gt;

&lt;p&gt;&lt;a href=&#34;http://export.gov/safeharbor/&#34;&gt;Safe Harbor&lt;/a&gt;, an agreement which allowed for data to be stored for customers across different countries which had equivalent data protection regimes.&lt;/p&gt;

&lt;p&gt;rot13: &amp;ldquo;Secret Decoder Ring&amp;rdquo; with a 13-character shift.&lt;/p&gt;

&lt;p&gt;Brute force: we assume an adversary like &amp;ldquo;Eve&amp;rdquo; who has the ability to monitor communications always has an attack such that she can attempt all possible decryptions across the entire key space.  This is not efficient or cost-effective for the adversary.&lt;/p&gt;

&lt;p&gt;Encode vs Encrypt: URL Encoding, Base64, and more&amp;hellip; how to tell this isn&amp;rsquo;t encryption?  There&amp;rsquo;s no &amp;ldquo;key&amp;rdquo;.&lt;/p&gt;

&lt;p&gt;&lt;a href=&#34;https://en.wikipedia.org/wiki/The_Imitation_Game&#34;&gt;Imitation Game&lt;/a&gt;, recent movie about Alun Turing and the attempts to crack the Enigma machine during WWII.&lt;/p&gt;

&lt;p&gt;Apps for encrypted communications: Facebook&amp;rsquo;s WhatsApp, OWS Signal, TOR, Threema (new to me), &amp;hellip;&lt;/p&gt;

&lt;p&gt;Data in Transit, Data at Rest: may have different security requirements.  Data at rest may be expensive to re-encrypt, and need to remain secure for longer.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Don&amp;rsquo;t collect what you can&amp;rsquo;t protect&lt;/em&gt;, my advice start-ups trying to figure out what customer data to retain.&lt;/p&gt;

&lt;p&gt;Key-wrapping example: There&amp;rsquo;s a key to encrypt the disk of a multi-user system.  Where&amp;rsquo;s the key?  How does each user get the key when they login?  Key wrapping!  The key that decrypts the disk can be wrapped separately under a key for each user.  That way each of them can decrypt the encryption key, then decrypt the drive.&lt;/p&gt;

&lt;p&gt;&lt;a href=&#34;https://en.wikipedia.org/wiki/Magic_Lantern_(software)&#34;&gt;Magic Lantern&lt;/a&gt;: how did the FBI deal with getting evidence from suspects who were using strong encryption?  Brute-force the key?  No, instead they installed a key-logger on the suspect&amp;rsquo;s machine to capture the password / decryption key before seizing the encrypted disks.&lt;/p&gt;

&lt;p&gt;&lt;a href=&#34;https://en.wikipedia.org/wiki/PBKDF2&#34;&gt;PBKDF2&lt;/a&gt;, a mechanism for converting a user-specified password into something suitable as a strong encryption key.&lt;/p&gt;

&lt;p&gt;&lt;img src=&#34;https://medina.github.io/static/images/week-2-notes-2.jpg&#34; alt=&#34;week-2-notes-2&#34; /&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href=&#34;https://en.wikipedia.org/wiki/Alice_and_Bob&#34;&gt;Alice and Bob&lt;/a&gt;, our characters who want to communicate securely, and Eve and Mallory, our adversaries who have capabilities that allow them to eavesdrop on (monitor) and perform malicious modification to traffic between the two, respectively.&lt;/p&gt;

&lt;p&gt;3DES is a way to take DES and address the problem of having too small a keyspace by performing multiple rounds.  DES has 64-but-really-56-bit keys, but 3DES can be used to provide 112- or 168-bit keys.&lt;/p&gt;

&lt;p&gt;&lt;img src=&#34;https://medina.github.io/static/images/week-2-notes-3.jpg&#34; alt=&#34;week-2-notes-3&#34; /&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href=&#34;https://www.troyhunt.com/understanding-http-strict-transport/&#34;&gt;HSTS, Preload&lt;/a&gt;, and &lt;a href=&#34;https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning&#34;&gt;HPKP / Pinning&lt;/a&gt; are different mechanisms that provide hints from a server to a browser (well, actually that ship with the browser in the case of Preload) to strengthen the guarantees of TLS.  Wikipedia helpfully points out that my calling HPKP &amp;ldquo;certificate pinning&amp;rdquo; is a misnomer.&lt;/p&gt;
</description>
    </item>
    
    <item>
      <title>about</title>
      <link>https://medina.github.io/about/</link>
      <pubDate>Wed, 01 Feb 2017 23:27:33 -0500</pubDate>
      
      <guid>https://medina.github.io/about/</guid>
      <description>&lt;p&gt;These are course notes for &lt;a href=&#34;https://www.sps.nyu.edu/professional-pathways/diplomas/advanced-diploma/cybersecurity/DIPL1-CE3220-cybersecurity-essentials.html&#34;&gt;Cybersecurity Essentials&lt;/a&gt;, the introductory course for the &lt;a href=&#34;https://www.sps.nyu.edu/professional-pathways/diplomas/advanced-diploma/cybersecurity.html&#34;&gt;Advanced Diploma in Cybersecurity&lt;/a&gt; at &lt;a href=&#34;https://www.sps.nyu.edu/&#34;&gt;NYU School of Professional Studies&lt;/a&gt;.&lt;/p&gt;
</description>
    </item>
    
    <item>
      <title>Week1, Week2 Slides</title>
      <link>https://medina.github.io/blog/week2-slides/</link>
      <pubDate>Wed, 01 Feb 2017 23:20:10 -0500</pubDate>
      
      <guid>https://medina.github.io/blog/week2-slides/</guid>
      <description>&lt;p&gt;Goal is to get these up before each class:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;em&gt;&lt;a href=&#34;https://medina.github.io/static/Week01.pdf&#34;&gt;Week01&lt;/a&gt;&lt;/em&gt;&lt;/li&gt;
&lt;li&gt;&lt;em&gt;&lt;a href=&#34;https://medina.github.io/static/Week02.pdf&#34;&gt;Week02&lt;/a&gt;&lt;/em&gt;&lt;/li&gt;
&lt;/ul&gt;
</description>
    </item>
    
    <item>
      <title>Week2 Links</title>
      <link>https://medina.github.io/blog/week2-links/</link>
      <pubDate>Tue, 31 Jan 2017 00:06:26 -0500</pubDate>
      
      <guid>https://medina.github.io/blog/week2-links/</guid>
      <description>

&lt;p&gt;Spotted via &lt;a href=&#34;https://news.ycombinator.com&#34;&gt;HackerNews&lt;/a&gt;, &lt;a href=&#34;https://slashdot.org&#34;&gt;Slashdot&lt;/a&gt;, &lt;a href=&#34;https://www.reddit.com/r/netsec/&#34;&gt;/r/netsec&lt;/a&gt;, &lt;a href=&#34;http://www.oreilly.com/security/newsletter&#34;&gt;O&amp;rsquo;Reilly Security Newsletter&lt;/a&gt;, &lt;a href=&#34;https://twitter.com&#34;&gt;Twitter&lt;/a&gt;; via security bloggers including &lt;a href=&#34;https://krebsonsecurity.com/&#34;&gt;Krebs on Security&lt;/a&gt;, &lt;a href=&#34;https://www.troyhunt.com/&#34;&gt;Troy Hunt&lt;/a&gt;; from classmates; and elsewhere.&lt;/p&gt;

&lt;h3 id=&#34;events-and-conferences&#34;&gt;Events and Conferences&lt;/h3&gt;

&lt;p&gt;&lt;a href=&#34;https://www.usenix.org/conference/enigma2017&#34;&gt;USENIX Engima 2017&lt;/a&gt; is going on now.&lt;/p&gt;

&lt;p&gt;&lt;a href=&#34;https://www.meetup.com/Empire-Hacking/events/234651821/&#34;&gt;Empire Hacking&lt;/a&gt;: Tuesday, February 7, 2017 @ 6:00PM&lt;/p&gt;

&lt;p&gt;&lt;a href=&#34;https://www.meetup.com/owaspnycnj/events/236399988/&#34;&gt;OWASP NY/NJ&lt;/a&gt;: Wednesday, February 8, 2017 @ 11:00AM.  Legal issues, changes in PCI DSS 3.2, and more.&lt;/p&gt;

&lt;h3 id=&#34;legal-and-politics&#34;&gt;Legal and Politics&lt;/h3&gt;

&lt;p&gt;&lt;a href=&#34;https://lawfareblog.com/assessing-draft-cyber-executive-order&#34;&gt;Assessing the Draft Cyber Executive Order&lt;/a&gt;: not officially released as scheduled, not sure the status.&lt;/p&gt;

&lt;p&gt;&lt;a href=&#34;http://www.mit.edu/~specter/articles/17/deniability1.html&#34;&gt;On Deniability and Duress&lt;/a&gt;&lt;/p&gt;

&lt;h3 id=&#34;access-controls&#34;&gt;Access Controls&lt;/h3&gt;

&lt;p&gt;New Facebook security features: &lt;a href=&#34;https://www.facebook.com/notes/facebook-security/security-key-for-safer-logins-with-a-touch/10154125089265766&#34;&gt;Security Key for safer logins with a touch&lt;/a&gt; and &lt;a href=&#34;https://www.facebook.com/notes/protect-the-graph/improving-account-security-with-delegated-recovery/1833022090271267&#34;&gt;Improving account security with delegated recovery&lt;/a&gt;&lt;/p&gt;

&lt;h3 id=&#34;encryption&#34;&gt;Encryption&lt;/h3&gt;

&lt;p&gt;&lt;a href=&#34;https://www.troyhunt.com/https-adoption-has-reached-the-tipping-point/&#34;&gt;HTTPS adoption has reached the tipping point&lt;/a&gt;: &lt;em&gt;&amp;ldquo;HTTPS adoption has now reached the moment of critical mass where it&amp;rsquo;s gathering enough momentum that it will very shortly become &amp;ldquo;the norm&amp;rdquo; rather than the exception it so frequently was in the past.&amp;rdquo;&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href=&#34;https://codeascraft.com/2017/01/31/how-etsy-manages-https-and-ssl-certificates-for-custom-domains-on-pattern/&#34;&gt;How Etsy Manages HTTPS and SSL Certificates for Custom Domains on Pattern&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href=&#34;https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=852751&#34;&gt;[cryptkeeper] Sets the same password &amp;ldquo;p&amp;rdquo; for everything independently of user input&lt;/a&gt;.&lt;/p&gt;

&lt;h3 id=&#34;application-security&#34;&gt;Application Security&lt;/h3&gt;

&lt;p&gt;&lt;a href=&#34;https://security.googleblog.com/2017/01/vulnerability-rewards-program-2016-year.html&#34;&gt;Vulnerability Rewards Program: 2016 Year in Review&lt;/a&gt;: $3,000,000 paid out in 2016&lt;/p&gt;

&lt;h3 id=&#34;other&#34;&gt;Other&lt;/h3&gt;

&lt;p&gt;&lt;a href=&#34;https://krebsonsecurity.com/2017/01/atm-shimmers-target-chip-based-cards/&#34;&gt;ATM ‘Shimmers’ Target Chip-Based Cards&lt;/a&gt;: &lt;em&gt;&amp;ldquo;The reason shimmers exist at all is that some banks have apparently not correctly implemented the chip card standard, known as EMV (short for Europay, Mastercard and Visa).&amp;rdquo;&lt;/em&gt;  What?!  I didn&amp;rsquo;t know this was a thing.&lt;/p&gt;

&lt;p&gt;&lt;a href=&#34;http://robert.ocallahan.org/2017/01/disable-your-antivirus-software-except.html&#34;&gt;Disable Your Antivirus Software (Except Microsoft&amp;rsquo;s)&lt;/a&gt; - What else to do about all these vulnerabilities in security products?!&lt;/p&gt;

&lt;p&gt;&lt;a href=&#34;http://checkyourbackups.work/&#34;&gt;Check Your Backups Day!&lt;/a&gt; - an excellent idea.&lt;/p&gt;

&lt;h3 id=&#34;from-classmates&#34;&gt;From Classmates&lt;/h3&gt;

&lt;h4 id=&#34;russian-central-bank-hack-wider-implications&#34;&gt;Russian Central Bank Hack &amp;amp; Wider Implications&lt;/h4&gt;

&lt;p&gt;Dec 2016 – Hacker(s) stole more than $31MM from correspondent accounts at the Russian Central Bank, and accounts in commercial banks over the course of 2016&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Hackers broke into accounts faking client’s credentials&lt;/li&gt;
&lt;li&gt;Bank provided few details, but did state they recovered some of the funds (Transfers were frozen.)&lt;/li&gt;
&lt;li&gt;N. Korea is a “suspect&amp;rdquo; due to rare piece of code, based on the way it is structured and functions which is similar to code used in previous attacks, e.g. Sony&lt;/li&gt;
&lt;li&gt;Latest in a string of high-profile heists&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Unknown cyber criminals stole over $100MM from Bangladesh’s central bank that it had deposited at the New York Fed in Feb 2016.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Law enforcement are hunting for criminals who stole the money using fraudulent wire-transfer request sent over the SWIFT  (network that enables financial institutions worldwide to send and receive information about financial transactions in a secure, standardized and reliable environment) bank messaging network.&lt;/li&gt;
&lt;li&gt;Symantec researchers have concluded that the global banking systems has been under attack from a sophisticated group dubbed “Lazarus”, which has been linked to N. Korea&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Banks at a recent meeting of President Obama&amp;rsquo;s Commission on Enhancing Cybersecurity expressed frustrating at fighting hackers.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Larger Banks are spending millions on protection, however, hackers are still getting in, often through small Banks, Vendors etc.&lt;/li&gt;
&lt;li&gt;Institutions are only as strong as the weakest link, and there is calls for wider industry to strengthen so as to come in line with the large institutions.&lt;br /&gt;&lt;/li&gt;
&lt;li&gt;Will be a challenge for smaller Banks, Vendors due to cost&lt;/li&gt;
&lt;li&gt;Increased need for real-time information sharing (e.g. FS-ISAC); calls to automate sharing with US Intelligence agencies and American corporations&lt;/li&gt;
&lt;li&gt;Comes with privacy concerns&lt;/li&gt;
&lt;li&gt;New Government to take up the discussion&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Ref:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;CNN: &lt;a href=&#34;http://money.cnn.com/2016/05/18/technology/hackers-smaller-banks/?iid=EL&#34;&gt;http://money.cnn.com/2016/05/18/technology/hackers-smaller-banks/?iid=EL&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;Reuters: &lt;a href=&#34;http://www.reuters.com/article/russia-cenbank-cyberattack-idUSL1N1DX18S&#34;&gt;http://www.reuters.com/article/russia-cenbank-cyberattack-idUSL1N1DX18S&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;Wall Street Journal: &lt;a href=&#34;https://www.wsj.com/articles/hackers-steal-31-million-from-accounts-at-russian-central-bank-1480701080&#34;&gt;https://www.wsj.com/articles/hackers-steal-31-million-from-accounts-at-russian-central-bank-1480701080&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
</description>
    </item>
    
    <item>
      <title>Week1 Board Notes, Continued</title>
      <link>https://medina.github.io/blog/week1-content-continued/</link>
      <pubDate>Mon, 30 Jan 2017 23:36:34 -0500</pubDate>
      
      <guid>https://medina.github.io/blog/week1-content-continued/</guid>
      <description>&lt;p&gt;Week 1 board notes continued&amp;hellip;&lt;/p&gt;

&lt;p&gt;&lt;img src=&#34;https://medina.github.io/static/images/week-1-notes-2.jpg&#34; alt=&#34;week-1-notes-2&#34; /&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Detection or Prevention: with a finite budget, where do you put your dollars?&lt;/li&gt;
&lt;li&gt;DoS / DDoS: Denial of Service or Distributed Denial of Service, an attack against availability of a service.&lt;/li&gt;
&lt;li&gt;&lt;a href=&#34;https://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act&#34;&gt;HIPAA&lt;/a&gt;, &lt;a href=&#34;https://en.wikipedia.org/wiki/Family_Educational_Rights_and_Privacy_Act&#34;&gt;FERPA&lt;/a&gt;, &lt;a href=&#34;https://en.wikipedia.org/wiki/Federal_Financial_Institutions_Examination_Council&#34;&gt;FFIEC&lt;/a&gt; &amp;ndash; different regulations and oversight bodies for different sectors.&lt;/li&gt;
&lt;li&gt;&lt;a href=&#34;https://en.wikipedia.org/wiki/Personally_identifiable_information&#34;&gt;PII&lt;/a&gt;, &lt;a href=&#34;https://www.sec.gov/about/offices/ocie/informationbarriers.pdf&#34;&gt;MNPI&lt;/a&gt;, &lt;a href=&#34;https://www.pcisecuritystandards.org/pci_security/glossary&#34;&gt;PCI Data&lt;/a&gt;, &lt;a href=&#34;https://en.wikipedia.org/wiki/Classified_information_in_the_United_States&#34;&gt;NOFORN&lt;/a&gt;, &amp;hellip; different classifications of information sensitivity, driving the required protection schemes, sometimes enforced by law.&lt;/li&gt;
&lt;li&gt;Retention policies &lt;em&gt;and destruction policies&lt;/em&gt; are both important.  &lt;a href=&#34;https://www.dropboxforum.com/t5/Missing-files-and-folders/deleted-folder-re-appeared-after-a-couple-of-years/m-p/203016/highlight/true#M8819&#34;&gt;Dropbox recently had some bad press&lt;/a&gt; when a support issue was raised wherein user content was not being deleted as advertised.  This privacy policy is now being updated.&lt;/li&gt;
&lt;/ul&gt;

&lt;blockquote&gt;
&lt;p&gt;Retention. We&amp;rsquo;ll retain information you store on our Services for as long as we
need to do so to provide you the Services. If you delete your account, we&amp;rsquo;ll
also delete this information. But please note there might be some latency in
deleting this information from our servers and backup storage.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href=&#34;https://krebsonsecurity.com/all-about-skimmers/&#34;&gt;All About Skimmers&lt;/a&gt; from Brian Krebs.&lt;/li&gt;
&lt;li&gt;A classmate correctly spots that certain skimmer attacks are an example of a real-world &lt;a href=&#34;https://en.wikipedia.org/wiki/Man-in-the-middle_attack&#34;&gt;MITM&lt;/a&gt;.  When we get to &lt;a href=&#34;https://en.wikipedia.org/wiki/Alice_and_Bob&#34;&gt;Alice and Bob&lt;/a&gt;, we&amp;rsquo;ll use &amp;ldquo;Mallory&amp;rdquo; to be this active, malicious adversary.&lt;/li&gt;
&lt;/ul&gt;
</description>
    </item>
    
  </channel>
</rss>