Week 02: TCP/IP and Network Architecture

The article I read was about Cato Networks which is a startup company that emerged early on in 2016. The company provides software-based networking solutions to businesses through a cloud overlay. Essentially, Cato’s business plan revolves around providing networking solutions without requiring companies to purchase any complex hardware. Instead, Cato’s software can be downloaded and it will make the necessary changes to pre-existing networking devices (routers and switches). The company recently raised $30 million to fund global expansion.

Reading this article brought several things to mind. First, although I know the move to cloud-based technologies and the prevalence of software over hardware is a growing trend, I never thought of its application to networking. I think the success of Cato Networks shows the diversity of the application of cloud based technologies, but it also raises a few questions. For example, what problems might arise over Cato’s software being incompatible with network devices? Additionally, what precautions does Cato have to detect these scenarios? Will different risks arise due to software and hardware incompatibilities? Cato’s implementation of the cloud is interesting and has been lucrative so far, but I’m interested to see how this company and other similar companies fare as cloud technologies continue to mature.

Article: http://www.eweek.com/security/security-startup-cato-networks-raises-30m-to-expand-globally.html

 

 

Finally an indicator that you’re on an unsecure site.

I was looking for an article that would provide me the most secure browser in today’s market. In my research, I came across this article about warning users that you are not on a secure site and I thought I wished this was implemented a few years ago.  This article caught my where chrome will be notifying you that the site you are on is not secure.  I ran into a situation a few years ago where I had purchased tickets on a website (small local business) and it was only using http for its logon and purchasing the tickets.  It was only after the purchase I had realized that that the site was not secure and had become blind looking at the trusted security certificates.  I called the business and it took a few people to get me to the right person and me threating that I would report them to the best business bureau if nothing was done.  I took a few days but they were able to provide https and a valid certificate to the site.  I only hope this idea catches on with other browsers moving forward.

 

http://money.cnn.com/2016/09/08/technology/google-chrome-flag-non-secure-sites/

The latest research released this week by Ben Gurion University in Israel reveals the findings of 911 systems been potentially in danger that could overwhelm a complete state’s 911 system with endless calls, by using a network of hacked smartphone, and shutting out a great portion of legitimate callers, also known as a denial of service attack (DOS attack).

According to this article, researchers replicated North Carolina’s model based on its 911 network, with the knowledge that all emergency response systems are run at the local or state level, and the assessment determined that if hackers compromised 6000 smartphones with malicious software, they could make calls to 911 and block out half of all legitimate callers using cell phones in North Carolina.

Those results were shared to the US Department of Homeland Security says the Washington Post, and remarks of this type of danger have been made in the past of denial of service attacks on emergency response infrastructure.

The solution proposed was to change phone infrastructure completely, and stop using old fashion analog phone switches to route emergency calls, and instead use provide internet-like network called managed IP Networks, however there was no mentioned of how much money this would undertake in this article.

 

9http://www.cnet.com/news/911-could-face-its-own-emergency-hackers/

As often discussed, a company’s most critical threat is no other than its own employees. IT Security threat is most likely to come from within whether it is negligence, honest mistake or intentional wrongdoing. All of these will lead to one result, data breach which in turn can cause extraction of information, financial loss or system manipulation. In the case of Wells Fargo’s incident occurred this week, the financial giant had to let go 5,300 of its workforce for financial fraud orchestrated internally. According to CNN’s Matt Egan in “5,300 Wells Fargo employees fired over 2 million phony accounts,” Wells Fargo employees submitted applications for more than 565,000 credit card accounts without their customers’ knowledge or consent from which interest charges and overdraft-protection fees, the author states.

Who knows for how long this scam has been really going on? Regardless the time, I give Wells Fargo a lot of credit for uncovering something like this as that proves at least the organization has business/IT governance and security in place against fraud. It can be difficult and time consuming to investigate crimes of this nature. IT and business controls obviously need to be reviewed and improved as they should on regular basis, but at least something exists already to help catch the bad guys. However, that does not prevent Wells Fargo’s reputation from being hurt, loss a lot of money and probably will have to deal will many lawsuits in the process. A much closer monitoring system should be implemented to avoid such an un unfortunate circumstance.

Article can be accessed via:

http://money.cnn.com/2016/09/08/investing/wells-fargo-created-phony-accounts-bank-fees/

Here is the presentation for Week 2

intro-to-ethical-hacking-week-2

Also, and email has been sent to each participant with a link to the Video.

I believed everyone had heard more or less about that Hilary Clinton’s computer systems were hacked about two months ago and about 20,000 emails from top Democratic National Convention (DNC) officials were leaked on WikiLeaks. According to the WikiLeaks Founder Julian Assange, he still had more data from the DNC hack and some could eventually result in the arrest of Hilary Clinton.

This action could influence the presidential election in a tremendous way. Hack and leakage is absolutely illegal, but it may help some people to see the real dark side of politic and even Hilary Clinton. If the contents of the emails are true, will you still vote for Hilary Clinton? The candidate of president of USA still have cyber security problem, how could he/she protect our privacy? Or maybe other candidate of president hired hackers to reveal any information they want to know. This makes me very insecure and felt disappointed about the country.

Link：http://thehackernews.com/2016/07/hillary-clinton-hacked.html

With the election coming up shortly, many hackers have been trying to exploit election databases to get PII about voters. Both Illinois and Arizona had to perform extensive security reviews regarding their vulnerabilities in their systems. An SQL injection attack was discovered to be hitting the voter registration database for 24 hours a day from June 23 to August 12, showing that an attack can go under the radar for so long. Department of Homeland Security Secretary have been pressed about the issue and are still investigating how to prevent this from happening in the future.

Article Link:
http://www.technewsworld.com/story/83866.html

http://www.reuters.com/article/us-cyber-heist-swift-idUSKCN11600C

I found this article from this morning pretty interesting. SWIFT, which basically allows financial transactions between banks worldwide, declared that their were new cyber attacks on its member banks. They said that attacks have ramped up since the Bangladesh Bank lost $81 million dollars back in February’s cyber attack. The attackers are specifically targeting banks that lack proper security for “SWIFT-enabled transfers.” It seems like SWIFT is having trouble with their member banks complying to security procedures. The biggest issue stated in this article is that SWIFT does not have “regulatory authority over its members.” So they cannot FORCE these banks to comply to proper security controls. SWIFT is threatening to disclose security lapses for these banks, which I don’t see how it helps. Before these banks were capable of using the SWIFT transaction system, SWIFT should have sent their own IT auditors to make sure these banks had the proper IT security and controls in place. Otherwise, we will see problems like this where banks or companies in general, especially in developing countries, aren’t taking IT security seriously.