Online Privacy is the level of privacy protection an individual has when connected to the Internet. It covers the amount of online security available for personal and financial data, communications, and preferences. Internet users often try to increase online privacy through anti-virus software, strong password choices, turning off tracking, checking site security, and choosing stricter privacy settings. Risks to online privacy range from phishing scams to malware, while website security issues can lead to identity theft.
Hi Ziijan,
I totally agree with you about online privacy. However, the growth of data is exponential, and the cost of maintaining data privacy becomes a big problem for many organizations. A data breach can cost organizations millions of dollars in lost.
One interesting point that I learned from the readings this week was the existence of privacy enhancing technologies. I found it interesting because, while it makes sense that such technologies exist, it really shines a light on the fact that the most valuable resource in the world today is data. Today, user data is exploited and monetized instead of hidden, which may explain why the demand for privacy enhancing technologies is relatively low. Social media platforms are free to use, and I would think that they do something with user data, whether it be selling it to third parties or using that data to help provide more targeted ads to the user. In either case, I think data is one of, if not the, most valuable resource today, and will be for the foreseeable future.
I agree with you that such technologies exist for a reason, and that in a million years data is the most valuable resource in the world. As you mentioned, whether it’s selling it to third parties or using the data to help deliver more targeted advertising to users, these are all proof that the data is highly valuable. At the same time, I also believe that data carries the greatest risk, in that it can compromise the privacy of users and cause many security issues. For example, the most popular scam of today: phishing emails. Although it drives the economy, we also need to be aware of the high risks it brings.
I think at this point it would be difficult to argue against data being the most valuable resource in the world, and I don’t really see anything being able to overtake that number one spot; with the amount of information readily available to people today just about anywhere in the world, people are constantly handing out their data in exchange for free services like you mentioned. Major companies are likely spending more and more regularly to combat anything that would slow the data gathering and analysis their teams and tools accomplish. It will be interesting to see what happens with the development of privacy enhancing technologies with this in mind.
This is definitely an interesting take. Most people want and respect privacy, yet they have no problem sharing their personal information all over these social media platforms. When you google information on a product or service, you’ll find an advertisement on your Instagram feed ten minutes later. Obviously this is just the result of personalized ads, but it wouldn’t be shocking to find out that these social media sites may be accessing even more than we think.
I enjoyed learning about how the TOR network operates with symmetric and Diffie-Hellman handshake cryptography and the disadvantages of the Onion Router. I did not know that the Naval Research Laboratory is responsible for TOR’s development. However, I am not surprised, given the internet’s long history with the military dating back to its inception with DARPA. I try to make privacy-conscious decisions, so anonymous browsing is interesting to me. I also occasionally have to conduct dark web investigations for my job, and understanding how TOR operates is helpful.
Your posts regarding onion routing and the Tor client contributed to me wanting to do more research on this topic. It is very cool that you sometimes have to conduct dark web investigations for your job. Practical applications of things that we learn in class fascinate me; although I have not yet found myself comfortable enough to begin experimenting with many of the things that we discuss in class and that I read, I would like to eventually. I think it would be cool to perform labs related to some of the topics that we go over or read about, such as an excerpt I read in my in-the-news article about how “poisoned nodes” can help in tracking network communications that are made through onion routing.
An interesting point to learn from this week’s reading is that autonomous access control (DAC) offers great trade-offs. It ensures user flexibility while reducing IT’s management overhead. But malware can work within the user’s identity (security context). For example, if a user opens a virus-infected file, the code can install itself without the user’s awareness of the context, which poses a potential vulnerability. The code inherits all the rights and privileges of the user and can perform all the activities that the user can perform on the system, sending a copy of itself to all the contacts in the user’s email client. The interesting thing to me is that if the user is a local administrator or has a root account, once the malware is installed they can do anything. It’s not even possible to protect the system from the huge damage that can be done by security.
One interesting point I took away was from Chapter 59, Identity Theft – First Part. From the reading, I learned that formatting cues are important when looking at payment notices. Users gain confidence when the message is simple and the graphics are clean; the removal of hyperlinks and a simple, to-the-point message with high-end graphics proved a significant statistical difference, which to me means that if you were to conduct a phishing scam, a clean, concise message with high-end graphics would be enough to fool an individual from a payment perspective.
I also thought this was interesting. It reminded me of a recent Hacking Humans episode where they discussed grammar in phishing emails. The episode is available here: https://thecyberwire.com/podcasts/hacking-humans/171/transcript. Much like the items discussed in the reading, poor grammar is often a red flag. I am curious to see how phishing attempts evolve as adversaries refine their emails based on the same studies discussed in this chapter.
Dhaval, I agree. It’s really fascinating when you consider the level of detail that goes into some phishing schemes. Seeing a hyperlink when you open spam email is one of the major red flags to instantly delete the email, but phishers know that by now, and they are creating ever new ways to achieve their goals. Falling victim to phishing attempts is still very avoidable for most of us, but it will be interesting to see how much savvier their attempts become as time progresses.
I enjoyed reading about the origins of privacy as a concept in Vacca Chapter 52. I was unaware of the IWW’s free speech protests and how this relates to current concerns about surveillance. In particular, I spent some time considering the following quote from Margaret Kohn, “I will argue that freedom from surveillance, whether public or private, is foundational to the practice of informed and reflective citizenship.” Security and privacy can often be transactional and it’s easy to forget the philosophy that informs these concepts. Kohn’s statement reminds us that our work as cybersecurity professionals has a much larger impact, and that advocating for privacy helps to create a more engaged citizenry.
Hi Matthew,
Chapter 52 was also interesting for me. The fact that past situations and famous philosophers’ concepts carried over to our age is incredible. I agree that security and privacy are definitely transactional and a good topic to look into. It’s quite interesting that the tension between private and public spaces caused such a strong term, privacy.
What is the one interesting point you learned from the readings this week? Why is it interesting?
Out of the chapters we had to read, I found onion routing/TOR in Chapter 53, Privacy-Enhancing Technologies, to be the most interesting. Onion routing was created in the 90s at the Naval Research Lab; it is a low-latency, mix-based routing protocol which provides anonymous socket connections by means of proxy servers. Each layer of the onion is encrypted with the public key of each node on the path and contains symmetric crypto keys as a payload. I thought it was interesting that after the onion, an anonymous path is created and the initiator’s proxy sends data through this anonymous connection.
I always found onion routing to be an interesting tool used within organizations. With Tor, many think of the general Tor web browser without understanding the security behind it. To me, it’s cool how every layer gets encrypted, providing a high level of security.
One of the interesting points of this week’s reading was onion routing and Tor. It provides real-time, bidirectional anonymous connections that allow for more private web browsing. The reading went into detail explaining how onion routing works beneath the application layer of the OSI model and replaces socket connections with anonymous connections without any proxy-aware internet services or applications. The infrastructure consists of onion routers, each of which is interconnected with a set of neighboring ones. Tor was mentioned as a tool to bypass internet filtering in order to access content blocked by governments, such as the deep or dark web.
I also wrote about Onion routing as I felt that it was one of the more interesting topics from this week’s readings. After reading more about Onion routing outside of the readings we were assigned, I learned that Onion Routing was created at a US Navy research lab as a way to protect classified US intelligence communications online.
From this week’s reading, it was interesting to note The Onion Routing (TOR) technique for anonymous communication over a network. The text revealed how transmissions are encapsulated in encryption layers in an onion network, like layers of an onion. The ciphertext is then transmitted through a series of nodes referred to as onion routers, with each peel uncovering the data’s next destination from the previous node.
Secondly, the final layer is only fully decrypted when the message arrives at its destination, keeping the sender anonymous because each intermediary only knows the location of the preceding and following nodes, thus providing adequate security and anonymity.
I was particularly fascinated because I am an evangelist of defense-in-depth, and even though this is a single line of defense (encryption of data in transit), the inherent process involves several security approaches.
Onion routing was developed by the Naval Research Laboratory. It was used to provide an anonymous socket connection through a proxy server. Each of the nodes is encrypted through a public key. There are many advantages of onion routing. It provides an anonymous connection. It is also easy to set up new onion routers. It requires low performance for each mix.
Hi Vraj,
I remember reading an article a couple of months ago about onion routing, and I was impressed by the idea behind it. It is fascinating that you can encapsulate each layer of encryption, which is analogous to the layers of an onion. I know that onion routing was also used by DARPA (a defense agency) after it was founded by the Naval Lab. We should also keep in mind that there are some weaknesses that come with this technique: time analysis and exit node vulnerability.
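The layered encryption that the onion routing posts above describe (each relay strips one layer, learns only the previous and next hop, and only the exit layer reveals the destination and payload) can be walked through end to end. The Python below is an added example written for this thread, not code from the Vacca text or from the Tor project. It assumes pre-shared symmetric keys per hop (Tor instead negotiates them with a per-relay Diffie-Hellman handshake, as an earlier post notes), uses a SHA-256 counter-mode keystream with an HMAC tag as a stand-in for Tor's real cipher, and uses made-up relay names `guard`, `middle` and `exit` with the constructed destination `example.org`.

```python
import hashlib
import hmac
import os

KEY_LEN, NONCE_LEN, TAG_LEN = 32, 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode. Stand-in for a real stream cipher (assumption for this example)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC one layer: nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Check the tag before decrypting; a modified layer (or the wrong relay key) is rejected."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("layer failed integrity check")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def _pack(next_hop: str, inner: bytes) -> bytes:
    name = next_hop.encode()
    return bytes([len(name)]) + name + inner  # 1-byte length prefix, hop name, then the rest


def _unpack(data: bytes):
    n = data[0]
    return data[1:1 + n].decode(), data[1 + n:]


def make_hop_keys(route):
    """Assumption: pre-shared keys. Tor derives these from a per-hop Diffie-Hellman handshake."""
    return {relay: os.urandom(KEY_LEN) for relay in route}


def build_onion(route, hop_keys, destination: str, payload: bytes) -> bytes:
    """Wrap from the inside out: the exit layer holds destination + payload,
    every earlier layer holds only the name of the next relay plus the next layer."""
    next_hop, inner = destination, payload
    for relay in reversed(route):
        inner = seal(hop_keys[relay], _pack(next_hop, inner))
        next_hop = relay
    return inner


def peel(relay: str, hop_keys, blob: bytes):
    """What one relay does: remove its own layer and learn where to forward the remainder."""
    return _unpack(unseal(hop_keys[relay], blob))


def run_circuit(route, hop_keys, destination, payload):
    """Simulate the relays in order and record what each one could observe."""
    blob, prev, observations = build_onion(route, hop_keys, destination, payload), "client", []
    for relay in route:
        next_hop, blob = peel(relay, hop_keys, blob)
        observations.append({"relay": relay, "prev_hop": prev, "next_hop": next_hop,
                             "sees_payload": blob == payload})
        prev = relay
    return observations, next_hop, blob


def tampered_onion_rejected(route, hop_keys, destination, payload) -> bool:
    """Flip one ciphertext bit on the wire; the first relay's tag check must fail."""
    onion = bytearray(build_onion(route, hop_keys, destination, payload))
    onion[NONCE_LEN + 3] ^= 0x01
    try:
        peel(route[0], hop_keys, bytes(onion))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    route = ["guard", "middle", "exit"]  # made-up relay names
    keys = make_hop_keys(route)
    obs, dest, data = run_circuit(route, keys, "example.org", b"constructed request body")
    for o in obs:
        print(o)
    print("delivered to", dest, ":", data)
```

The observation records make the two security points of the thread concrete: the guard and middle relays see only their neighbours and an opaque blob, while the exit relay sees the payload in clear, which is the exit-node weakness the reply above mentions and the reason end-to-end encryption such as TLS is still needed over Tor. The tag check also shows why each layer is authenticated: a single flipped bit is rejected at the first hop rather than silently corrupting the inner layers.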
What struck my interest is Vacca, Chapter 52 – “Online Privacy” – Privacy and Big Data section. Big data privacy involves properly managing large amounts of data to minimize risk and protect sensitive information (mainly for corporations). It describes enormous quantities of personal data which are continuously being gathered and are often so huge that it’s impossible to analyze them using traditional data analysis. For privacy purposes, the term “anonymity” is brought up “as the only safe harbor for ordinary people in the battle for preserving privacy from the prying eyes of data brokers, Internet corporations, social networks and governments.”
One interesting point I learned from the material this week is the concept of the Onion Routing technique. Onion routing is a way to communicate online anonymously through a network where all messages have multiple layers of encryption attached to them. I found this concept interesting because it was originally created at a US Navy research lab as a way to protect classified US intelligence communications online.
Hello Micheal,
Likewise, I was highly fascinated that it was created at a US Navy research lab to protect classified US intelligence communications online. But isn’t it interesting that what was once designed to be a defensive mechanism is now one of the most prolific offensive technologies hackers and hacktivists use to mask and hide their identities?
I did not get to that part yet, but thank you for the definition. Your idea gives me a better understanding of what the Onion Routing Technique is, and I will do more research on it to know exactly what it is.
One of the interesting topics that I learned about this week is how software as a service allows the use of a specific application that is executed, whereas IaaS simply refers to a situation where there is full, unfettered access to cloud devices, firewalls and server operating systems within the cloud, and PaaS, where the user gets access to a server operating system. Cloud computing is helping society to cope with future problems such as managing big data, cyber-security and quality control. In addition to this, emerging technologies such as Artificial Intelligence, distributed ledger technology, and many other capabilities are becoming available as services through cloud computing.
Hi Kofi,
I am interested in your point that Infrastructure as a Service provides consumer processing, storage, networking, and various essential computing resources to deploy and execute multiple software such as operating systems or applications. IaaS is the bottom layer of cloud services, which mainly provides some vital resources.
I thought an interesting point in the readings was the section regarding mix nets in the Privacy-Enhancing Technologies chapter. This is a data minimization technology that hides the relation between incoming and outgoing messages. I found it interesting because I had heard of this technology regarding the “Tor” browser, but I had never really considered it as a tool that could be implemented for an organization. I really only considered this in more of a personal situation. It was also interesting breaking down how the communication takes place via the four steps outlined in the section. Detailing how this technology works gave me a better understanding of its potential usefulness, as I was not previously fully aware of all the intricacies of which it is comprised.
Hi Ryan,
Interesting point about using Tor for an organization. I’ve worked in security operation centers that explicitly blocked and monitored for Tor activity. I would think the use case for using Tor would be for very specific reasons; otherwise, losing that visibility into the organization’s network is a security professional’s nightmare and an insider threat’s dream. Thanks for sharing your thoughts!
I learned a lot of things from the readings this week but one thing that caught my attention was the Single Sign-On which is the name given to the requirements of eliminating multiple password issues and dangerous passwords. I found it interesting because it helped me to understand the pain that comes from having multiple identities. I did not know that since I do not have an IT background but this was really helpful for my own knowledge.
Hey Ornella,
Single Sign-On (SSO) does make it easier to log in without remembering multiple usernames and passwords for those accounts. It definitely makes it easier at work, where you have to log in to multiple applications, as well as outside of work, where we can use sign-in credentials from one platform to log in to other platforms.
I know that this is discussed over and over, but I always find more interest in social engineering just because of how easy it is to attack the end users, especially because these attacks are not as technical as the general person would think. For example, some of the phishing attacks add a VeriSign logo to their emails to make it seem like the bogus emails care about security, which is an attempt to develop trust from the user so that they are more likely not to pay attention to the red flags that should be noticed upon observation. I also found it interesting that Vacca states not to determine whether an attack is successful based on how many times a user has mistaken the email — but by highlighting the components of social crimeware based on design.
I agree, Michael. Most people I talk to who don’t have a technical background think of hacking as someone in a dark room mashing away at a keyboard. But in reality, most of it is all about social engineering and manipulating others.
I found the information regarding user-centric identity management with AmI (ambient Intelligence) rather intriguing. The section from the Vacca reading in Chapter 71 raises different questions about these types of devices which make me think about the implications of these “mobile identities” based on the scenarios supplied. In the context of security, these types of systems create an interesting landscape. It seems to be the next step for mobile interoperability, and an entire environment like the store and device connectivity mentioned in the reading presents a highly questionable yet potentially efficient means of efficiency for the future, but the question of security regarding this consolidated and multi-purpose identity management system will likely be ever-present.
A few different things that I read in the chapters this week came to mind when thinking about what was interesting to me. In Chapter 52, it was the section on trading personal data. I didn’t know much about the details of the topic, so it was nice to learn about it. In the 70’s, the Federal Trade Commission (FTC) promulgated the Fair Credit Reporting Act (FCRA), which sought to regulate how consumer data must be used by consumer reporting agencies in their decisions about employment, housing, etc. Also, it was in the late 90’s that the FCRA added the trade of citizens’ data for advertising or for other goals different from financial credit.
One thing I found interesting from Vacca ch 52 is the bit about how most Android applications sampled did not have a privacy policy. This is crazy, since many regulations require it – CCPA, GDPR. If those applications are collecting data on any users from California or EU, they are not compliant. Therefore, they could potentially be facing some hefty fines if they ever have a privacy incident.
This is crazy. I feel like since the GDPR was effective, I’ve been bombarded with privacy policies and declining cookies everywhere I go on the internet. But this is probably my negative bias – I’m sure there’s lots of websites and applications that are still non-compliant.
Hi Madalyn, I definitely agree with you. Especially being that I am one to shop online internationally, I see so many cookie pop-ups and have become rather numb to it. Being that I work in compliance, the lack of compliance/legal privacy framework unification is rather alarming. I would not be surprised to not only see hefty fines like you said, but also potential lawsuits if these Android platforms are not properly securing PII and result in a breach.
I also found this interesting/concerning. As an Android user, it made me consider how many of the applications I am using don’t have a proper privacy policy. I agree that what makes it really mind boggling is that there are so many regulations in place that you would think that most of the app developers would be forced to implement them.
Having an Android is like being in the wild west. It makes me feel like anything goes when it comes to having an Android. I used to own an Android years ago, before the iPhone, and I can remember being able to use any type of application with no restrictions and no privacy policies. I feel the same way when it comes to being bombarded with privacy notices and cookies too. This is the age of the internet we all now live in.
Yeah, I have slowly become more paranoid about where my information is garnered over a period of time, to the point where I will consider not browsing certain websites or using programs even if it’s more convenient for me to do so. I personally don’t like my information being used, even if it is used for the general good. Most of the time it’s just targeted advertisements – but with no privacy policy there is nothing stopping a bad actor from selling the data and using it for something more malicious.
Hello Madalyn, same here; I also found it interesting from Vacca ch 52 that most Android applications sampled did not have a privacy policy. Such a finding further elaborates the necessity of access control to data privacy.
One interesting point I learned from the readings this week is that flash cookies can recreate deleted HTTP cookies, commonly referred to as “respawning” them, or “zombie cookies”.
This is interesting to me because many top websites use flash cookies, but few websites disclose this in their privacy policies.
They are stored in a specific browser-independent file and are not deleted when HTTP cookies are deleted.
Flash cookies are local shared files (LSOs) that are created by the Adobe Flash plug-in and store the same information as HTTP files, plus some additional Flash-specific data.
Vacca, John R. Computer and Information Security Handbook. 3rd ed., Morgan Kaufmann Publishers, 2017.
To delete flash cookies, one must go to the storage tab within their flash player file and delete all the site data and settings.
Something that particularly interested me in this week’s reading was the idea of federated identity management. Being that I work in the compliance team of a SaaS company, I hear about identity federation all of the time, but have had no true understanding of what exactly it is. I understood the idea of single sign-on (SSO), but never realized it can be used in combination with federation standards. Federated identity management giving the illusion of a single identifier when connecting numerous identities is ingenious, tied with the convenience of SSO. Simple concepts like this (plus the explanation of SAML) really assisted me in better understanding my role in company compliance, and even put more ideas and thoughts into my head on bettering enterprise processes.
Very interesting post. I like how you’re proclaiming that these lessons we are learning are actually helping you out in the field, as well as giving you more understanding of your role in company compliance. I appreciate what we are learning here as well, but recently I was starting to think I could use more hands-on experience in information security as opposed to theory. However, your post is making me think that I should value learning about theory more than I already do! Great post!
Chapter 52, Privacy and Access Management, was interesting reading for me this week. I wasn’t expecting the book to go into the root details of the term privacy. “The Origin of the Concept” on page 744 had lots of historical information that helped me to understand where the term is coming from. It is interesting to see so many philosophers engaged in this idea. The fact that privacy splits into an individual’s privacy from the external public, and public privacy, which addresses the power of free speech, is an interesting combination for understanding privacy.
The interesting point for me is in Vacca Chapter 59, where he stated:
“graphic design can change authenticity evaluations and that its impact varies with context. We expected that authenticity-inspiring design changes would have the opposite effect when paired with an unreasonable request, but our data suggest that narrative strength, rather than underlying legitimacy, limits the impact of graphic design on trust and that these authenticity-inspiring design features improve trust in both legitimate and illegitimate media. Thus, it is not what is said that matters but how it is said: An eloquently stated unreasonable request is more convincing than a poorly phrased but quite reasonable request.”
It was interesting for me because it made me reflect on my career working as an IT professional. Over the years I have come across countless phishing schemes, and the quote from Vacca just jumped out at me because I realized how true it is. His point that how the email looks, and how the wording and how something is said, matter more than how legitimate the request is could not be more true.
I love this concept and have personally interpreted it as ‘fake it till you make it’. If you act like you belong somewhere then frequently you can get to belong there – before they realize you don’t belong and kick you out! An unreasonable request phrased and delivered politely has a good chance of being fulfilled – that seems to underlie a lot of Phishing schemes…
I also am a working IT professional, and I understand why you feel the way you do. I’ve seen some wild phishing emails working in the IT field as well, and I even failed one or two when it was a phishing test email from the hospital’s own security team. I agree with your position that the points the author made in our readings are indeed accurate.
I was intrigued by Blind Signatures and Anonymous Credentials. Both of these concepts are foundational to eVoting and ensuring election fairness as we evolve how we vote. The requirement to maintain anonymity, yet ensure there was a validation (challenge/response or other) of the credentials of an individual is fascinating to me. You need to make sure that someone is who they say they are, that they only vote 1x and yet still not know (or be able to know) who they voted for! Most of IT based security generates log files and paper trails – then we work very hard to limit exposure and access to those records. The techniques listed above flip that approach on its head!
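The property described in the post above (prove you are an eligible voter, get exactly one credential, and still leave the authority unable to learn your ballot) is what an RSA blind signature gives you. The Python below is an added example written for this thread, not code from the reading: it assumes an RSA full-domain-hash signature over SHA-256, a hypothetical `ElectionAuthority` that checks a constructed electoral roll and issues one blinded signature per voter, and a hypothetical `BallotBox` that counts a ballot only if the signature verifies and has not been seen before. The Miller-Rabin key generation is included only so the example runs offline with the standard library; it is not a vetted implementation.

```python
import hashlib
import math
import secrets


def _is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin; adequate for an example, not a reviewed production primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # full length, odd
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits: int = 1024):
    """Textbook RSA keypair; returns (public, private) as (n, e) and (n, d)."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


def _hash_to_int(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big")  # 256 bits, so < n


def make_ballot(choice: str) -> bytes:
    """RSA-FDH signatures are deterministic, so two identical ballots would get identical
    signatures and the second would look like a replay; a random serial keeps them distinct."""
    return f"{choice}|{secrets.token_hex(16)}".encode()


def blind(pub, ballot: bytes):
    """Voter side: multiply H(ballot) by r^e so the signer sees only a random-looking value."""
    n, e = pub
    while True:
        r = secrets.randbelow(n - 2) + 2
        if math.gcd(r, n) == 1:
            break
    return (_hash_to_int(ballot) * pow(r, e, n)) % n, r


def unblind(pub, blinded_signature: int, r: int) -> int:
    """Voter side: (H(b) r^e)^d = H(b)^d r, so dividing by r leaves a plain signature on H(b)."""
    n, _ = pub
    return (blinded_signature * pow(r, -1, n)) % n


def verify(pub, ballot: bytes, signature: int) -> bool:
    n, e = pub
    return pow(signature, e, n) == _hash_to_int(ballot)


class ElectionAuthority:
    """Hypothetical registrar: checks eligibility, signs blindly, and issues one token per voter."""

    def __init__(self, eligible_voters, bits: int = 1024):
        self.pub, self._priv = generate_keypair(bits)
        self._eligible = set(eligible_voters)
        self._issued = set()

    def issue_token(self, voter_id: str, blinded_ballot: int) -> int:
        if voter_id not in self._eligible:
            raise PermissionError(f"{voter_id} is not on the electoral roll")
        if voter_id in self._issued:
            raise PermissionError(f"{voter_id} already received a token")
        self._issued.add(voter_id)
        n, d = self._priv
        return pow(blinded_ballot, d, n)  # the authority never sees the ballot itself


class BallotBox:
    """Hypothetical tallier: accepts a ballot once if its unblinded signature verifies."""

    def __init__(self, pub):
        self._pub, self._seen, self.tally = pub, set(), {}

    def cast(self, ballot: bytes, signature: int) -> bool:
        if not verify(self._pub, ballot, signature) or signature in self._seen:
            return False
        self._seen.add(signature)
        choice = ballot.decode().split("|", 1)[0]
        self.tally[choice] = self.tally.get(choice, 0) + 1
        return True
```

The flow is exactly the inversion the post describes: the authority keeps a record of who was issued a token (so nobody gets two), the ballot box keeps a record of which signatures were spent (so no token is used twice), and neither record links a voter to a ballot, because the value the authority signed is `H(ballot) * r^e mod n` for a random `r` only the voter knows.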
One interesting point that I took away from this week’s readings was just how in depth some hackers will go with their phishing attempts, which is mentioned in Chapter 59 – Identity Theft. I have been a victim of many phishing attempts over the past few years, and like most of us I have just ignored/blocked/deleted them, but some of the examples presented in the readings are almost mind-blowing in their level of thought & detail. One that stood out specifically that I haven’t previously heard of is “The Unsubscribe Hack Attack”. The idea behind this type of attack is to send an email that is clearly a phishing attempt based on its narrative, but very detailed to emulate a level of authenticity. The text states the email may ask the user to refer to the authentic telephone number on the back of their credit card, for example. Amongst the detailed email the hacker may include an “unsubscribe” link at the bottom. Since the email is clearly phony the user may simply click the link in order to not receive them anymore, in the same way the user may block the address or delete the email. By clicking the link, though, they are sent to a webpage which spreads crimeware by loading malicious JavaScript code onto the device. The user continues on with their day, completely unaware that they were just the victim of a cyber attack. I found this particular phishing scheme interesting because I could definitely see someone who is pretty conscious in the realm of phishing schemes falling for something like this, because it is different than what you typically hear about, e.g. click this link to win a $50 dollar gift card.
Yes, I’ve also noticed that phishing attempts have gotten much more sophisticated over the last few years. For example, I received one phishing email a few weeks ago that looked very authentic – it was for an online cybersecurity professional conference. These are emails I get all the time – from CISA, NetDilligence, etc. The only reason I flagged this email as fishy was because it was for a conference I did not recognize. So I reported the incident and IT confirmed it was a phishing attempt.
The unsubscribe button being a malicious link is good to know – I typically just use the built-in “report as spam” button for my gmail account, so I don’t need to click any links.
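The unsubscribe-link trick described in the post above, together with the earlier observation that hyperlinks in a payment notice are a red flag, can be turned into a simple defensive check over the links in a message. The Python below is an added example written for this thread, not code from the reading or from any mail-security product: it assumes the sender address and HTML body of a message are already available, uses constructed sample messages on the reserved `example.com`, `example.net` and `example.org` names, and guesses the registrable domain from the last two labels (a real tool would consult the public suffix list).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def extract_links(html_body: str):
    parser = _LinkCollector()
    parser.feed(html_body)
    parser.close()
    return parser.links


# Visible anchor text that itself looks like a URL or bare domain (e.g. "www.bank-example.com").
_DOMAIN_LIKE = re.compile(r"^(?:https?://)?[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}(?:/\S*)?$", re.I)


def _site(host: str) -> str:
    """Crude registrable-domain guess: the last two labels (assumption; use the public suffix list for real)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyse_email(sender: str, html_body: str):
    """Return (finding, href) pairs for links matching the red flags discussed in the thread."""
    sender_site = _site(sender.rsplit("@", 1)[-1])
    findings = []
    for href, text in extract_links(html_body):
        parsed = urlparse(href)
        if parsed.scheme.lower() in ("javascript", "data"):
            findings.append(("script-scheme-link", href))  # runs code instead of navigating
            continue
        link_site = _site(parsed.hostname or "")
        # "Unsubscribe" that leads somewhere other than the sender's own domain
        if "unsubscribe" in text.lower() and link_site != sender_site:
            findings.append(("unsubscribe-offsite", href))
        # Visible text shows one domain while the href actually goes to another
        if _DOMAIN_LIKE.match(text):
            shown = text if "://" in text else "http://" + text
            if _site(urlparse(shown).hostname or "") != link_site:
                findings.append(("display-href-mismatch", href))
    return findings


# Constructed sample messages (not real mail); all domains are the reserved example.* names.
LEGIT_EMAIL = {
    "sender": "newsletter@example.com",
    "body": ('<p>This week\'s issue: <a href="https://news.example.com/issue/12">example.com</a></p>'
             '<p><a href="https://example.com/unsubscribe?u=1">Unsubscribe</a></p>'),
}
PHISH_EMAIL = {
    "sender": "alerts@bank-example.com",
    "body": ('<p>Please call the number on the back of your card, or confirm at '
             '<a href="http://login-verify.example.net/x">www.bank-example.com</a>.</p>'
             '<p><a href="http://tracker.example.org/u?id=7">Unsubscribe</a></p>'),
}


if __name__ == "__main__":
    for name, msg in (("legit", LEGIT_EMAIL), ("phish", PHISH_EMAIL)):
        print(name, analyse_email(msg["sender"], msg["body"]))
```

The point of the check is the one the post makes: a message can be obviously fake in its narrative and still get a click on its "unsubscribe" link, so the link targets are inspected independently of the wording. Flagging, rather than following, is the whole approach; the practical habit the reply above describes (using the mail client's own "report as spam" control instead of any link in the message) remains the right user-level response.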
I really enjoyed reading about the different tests and designs of delivering phishing emails. I often receive simulated phishing emails from our security team and I thought it was very interesting to see how they are crafted and subsequently delivered to their intended targets. Additionally, I found it interesting to see how much detail, such as deciding between using plain or fancy layout and the utilization of small footers, goes into crafting a phishing email.
After hearing about all the ways hackers are getting smarter in their phishing and social engineering attempts, I wonder whether corporate phishing simulations can ever truly embody the sophistication of these recent phishing attacks. It would be easy enough to gather a database of corporate emails for employees in the cybersecurity industry (many of us probably have linkedins and say what company we’re working for). These hackers can target cybersecurity professionals with specially crafted phishing attempts.
I found the online privacy chapter to be very interesting, more specifically the means used to track a user’s habits and web history, such as cookies, HTML5, and even device fingerprinting. The chapter then goes on to describe the possible countermeasures and privacy enhancing technologies, which I thought were very insightful.
Most importantly, I was able to understand from the topic how users are identified and the roles they are then assigned. The analysis of the systems, information, and other areas protected by IAM has enabled me to understand how IAM aids in the protection of business assets. Applying the correct levels of protection and access for sensitive data, systems, information, and locations, and adding, removing, and amending individuals in the IAM system, has helped me to understand how the system functions properly.
Finally, adding, removing, and amending a role’s access rights in the IAM system has also broadened my horizons in understanding that access rights pivot on identity management.
I think at this point it would be difficult to argue against data being the most valuable resource in the world, and I don’t really see anything being able to overtake that number one spot; with the amount of information readily available to people today just about anywhere in the world, people are constantly handing out their data in exchange for free services like you mentioned. Major companies are likely spending more and more regularly to combat anything that would slow the data gathering and analysis their teams and tools accomplish. It will be interesting to see what happens with the development of privacy enhancing technologies with this in mind.
Andrew,
This is definitely an interesting take. Most people want and respect privacy, yet they have no problem sharing their personal information all over these social media platforms. When you google information on a product or service, you’ll find an advertisement on your Instagram feed ten minutes later. Obviously this is just the result of personalized ads, but it wouldn’t be shocking to find out that these social media sites may be accessing even more than we think.
I enjoyed learning about how the TOR network operates with symmetric and Diffie-Hellman handshake cryptography and the disadvantages of the Onion Router. I did not know that the Naval Research Laboratory is responsible for TOR’s development. However, I am not surprised, given the internet’s long history with the military dating back to its inception with DARPA. I try to make privacy-conscious decisions, so anonymous browsing is interesting to me. I also occasionally have to conduct dark web investigations for my job, and understanding how TOR operates is helpful.
Kelly, I too enjoyed learning more about how onion routing works, and think it is a very interesting tool to utilize for anonymous browsing.
Kelly,
Your posts regarding onion routing and the Tor client contributed to me wanting to do more research on this topic. It is very cool that you sometimes have to conduct dark web investigations for your job. Practical applications of things that we learn in class fascinate me. Although I have not yet found myself comfortable enough to begin experimenting with many of the things that we discuss in the class and that I read, I would like to eventually. I think it would be cool to perform labs related to learning some topics that we go over or read about, such as an excerpt I read in my in-the-news article about how “poisoned nodes” can help in tracking network communications that are made through onion routing.
-Mike
An interesting point to learn from this week’s reading is that autonomous access control (DAC) offers great trade-offs. It ensures user flexibility while reducing IT’s management overhead. But malware can work within the user’s identity (security context). For example, if a user opens a virus-infected file, the code can install itself without the user’s awareness of the context, which poses a potential vulnerability. The code inherits all the rights and privileges of the user and can perform all the activities that the user can perform on the system, sending a copy of itself to all the contacts in the user’s email client. The interesting thing to me is that if the user is a local administrator or has a root account, once the malware is installed they can do anything. It’s not even possible to protect the system from the huge damage that can be done by security.
Hello Dan,
I also found this an interesting point and scary at the same time.
Hello Dan, very interesting, fascinating and educative. Well written and articulated.
One interesting point I took away was from chapter 59, Identity Theft – First Part. From the reading, I learned that formatting cues are important when looking at payment notices. Users gained confidence when the message was simple and the graphics were clean; the removal of hyperlinks and a simple, to-the-point message with high-end graphics proved a significant statistical difference, which to me means that if you were to conduct a phishing scam, a clean, concise message with high-end graphics would be enough to fool an individual from a payment perspective.
I also thought this was interesting. It reminded me of a recent Hacking Humans episode where they discussed grammar in phishing emails. The episode is available here: https://thecyberwire.com/podcasts/hacking-humans/171/transcript. Much like the items discussed in the reading, poor grammar is often a red flag. I am curious to see how phishing attempts evolve as adversaries refine their emails based on the same studies discussed in this chapter.
Dhaval, I agree. It’s really fascinating when you consider the level of detail that goes into some phishing schemes. Seeing a hyperlink when you open spam email is one of the major red flags to instantly delete the email, but phishers know that by now, and they are creating ever new ways to achieve their goals. Falling victim to phishing attempts is still very avoidable for most of us, but it will be interesting to see how much savvier their attempts become as time progresses.
I enjoyed reading about the origins of privacy as a concept in Vacca Chapter 52. I was unaware of the IWW’s free speech protests and how this relates to current concerns about surveillance. In particular, I spent some time considering the following quote from Margaret Kohn, “I will argue that freedom from surveillance, whether public or private, is foundational to the practice of informed and reflective citizenship.” Security and privacy can often be transactional and it’s easy to forget the philosophy that informs these concepts. Kohn’s statement reminds us that our work as cybersecurity professionals has a much larger impact, and that advocating for privacy helps to create a more engaged citizenry.
Hi Matthew,
Chapter 52 was also interesting for me. The fact that past situations and famous philosophers’ concepts carried over to our age is incredible. I agree that security and privacy are definitely transactional and a good topic to look at. It’s quite interesting that the tension between private and public spaces caused such a strong term, privacy.
What is the one interesting point you learned from the readings this week? Why is it interesting?
Out of the chapters we had to read, I found the onion routing/TOR to be the most interesting in Chapter 53, Privacy-Enhancing Technologies. Onion routing was created in the 90s at the Naval Research Lab; it is a low-latency mix-based routing protocol which provides anonymous socket connections by means of proxy servers. Each layer of the onion is encrypted with the public key of each node on the path and contains symmetric crypto keys as a payload. I thought it was interesting that after the onion, an anonymous path is created and the initiator’s proxy sends data through this anonymous connection.
Hi Victoria,
I always found onion routing to be an interesting tool used within organizations; with Tor, many think of the general Tor web browser without understanding the security behind it. To me, it’s cool how every layer gets encrypted, providing a high level of security.
One of the interesting points of this week’s reading was onion routing and Tor. It is a real-time, bidirectional anonymous connection that allows for more private web browsing. It went into detail explaining how onion routing works beneath the application layer of the OSI model and replaces socket connections with anonymous connections without any proxy-aware internet services or applications. The infrastructure consists of onion routers, each of which is interconnected with a set of neighboring ones. Tor was mentioned as a tool to bypass internet filtering in order to access content blocked by governments, such as the deep or dark web.
Hi Wilmer,
I also wrote about Onion routing as I felt that it was one of the more interesting topics from this week’s readings. After reading more about Onion routing outside of the readings we were assigned, I learned that Onion Routing was created at a US Navy research lab as a way to protect classified US intelligence communications online.
From this week’s reading, it was interesting to note The Onion Routing (TOR) technique for anonymous communication over a network. The text revealed how transmissions are encapsulated in encryption layers in an onion network, like layers of an onion. The ciphertext is then transmitted through a series of nodes referred to as onion routers, with each peel uncovering the data’s next destination from the previous node.
Secondly, the final layer is only fully decrypted when the message arrives at its destination, keeping the sender anonymous because each intermediary only knows the location of the preceding and following nodes, thus providing adequate security and anonymity.
I was particularly fascinated because I am an evangelist of defense-in-depth, and even though this is a single line of defense (encryption of data in transit), the inherent process involves several security approaches.
Onion routing was developed by the Naval Research Laboratory. It was used to provide an anonymous socket connection through a proxy server. Each of the nodes is encrypted through a public key. There are many advantages of onion routing. It provides an anonymous connection. It is also easy to set up new onion routers. It requires low performances for each mix.
Hi Vraj,
I remember reading an article a couple of months ago about onion routing and I was impressed by the idea behind it. It is fascinating that you can encapsulate each layer of encryption, which is analogous to the layers of an onion. I know that onion routing was also used by DARPA (defense agency) after being founded by the Naval Lab. We should also keep in mind that there are some weaknesses coming with this technique: timing analysis and exit node vulnerability.
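The layered encryption that the onion-routing posts above describe (each router strips one layer, learns only the previous and next hop, and only the exit sees the payload), as an added Python example written for this page rather than code from Vacca or the Tor project. It assumes constructed per-hop symmetric keys (standing in for the keys delivered during circuit setup) and a toy SHA-256 keystream cipher, and it also shows the exit-node caveat raised in the reply: the last router is the one that sees the plaintext.

```python
import hashlib
import json
from typing import Dict, List, Tuple

# Constructed per-hop symmetric keys. In the reading these are carried to each
# router inside its own onion layer after a handshake; here they are fixed.
HOP_KEYS: Dict[str, bytes] = {
    "router-A": b"constructed-key-for-A",
    "router-B": b"constructed-key-for-B",
    "router-C": b"constructed-key-for-C",   # exit router
}
PATH: List[str] = ["router-A", "router-B", "router-C"]


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with a SHA-256 counter-mode keystream.
    Stands in for the per-hop symmetric cipher; illustrative only."""
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def build_onion(path: List[str], hop_keys: Dict[str, bytes], message: bytes) -> bytes:
    """Wrap the message in one layer per hop, innermost (exit) layer first.
    Each layer reveals only the next address plus an opaque inner blob."""
    blob = message
    for index in range(len(path) - 1, -1, -1):
        next_hop = path[index + 1] if index + 1 < len(path) else "destination"
        layer = json.dumps({"next": next_hop, "inner": blob.hex()}).encode()
        blob = keystream_xor(hop_keys[path[index]], layer)
    return blob


def peel(hop: str, hop_keys: Dict[str, bytes], blob: bytes) -> Tuple[str, bytes]:
    """One router removes its own layer and learns the next hop and inner blob."""
    layer = json.loads(keystream_xor(hop_keys[hop], blob).decode("utf-8"))
    return layer["next"], bytes.fromhex(layer["inner"])


def can_peel(hop: str, hop_keys: Dict[str, bytes], blob: bytes) -> bool:
    """True only if this hop's key strips the outer layer; any other hop
    gets unparseable bytes, i.e. it cannot read a layer not meant for it."""
    try:
        peel(hop, hop_keys, blob)
        return True
    except (ValueError, KeyError, TypeError):
        return False


def route(path: List[str], hop_keys: Dict[str, bytes], onion: bytes
          ) -> Tuple[List[Tuple[str, str, str]], bytes]:
    """Forward the onion hop by hop and record what each router could learn:
    (itself, where the cell came from, where it goes next). The returned
    plaintext is what the exit router, and only the exit router, sees."""
    views: List[Tuple[str, str, str]] = []
    blob, previous = onion, "client"
    for hop in path:
        next_hop, blob = peel(hop, hop_keys, blob)
        views.append((hop, previous, next_hop))
        previous = hop
    return views, blob


if __name__ == "__main__":
    onion = build_onion(PATH, HOP_KEYS, b"GET /index.html")
    views, plaintext = route(PATH, HOP_KEYS, onion)
    for hop, came_from, goes_to in views:
        print(f"{hop}: from {came_from} -> to {goes_to}")
    print("exit router sees:", plaintext)
```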
What struck my interest is Vacca, Chapter 52 – “Online Privacy” – Privacy and Big Data section. Big data privacy involves properly managing large amounts of data to minimize risk and protect sensitive information (mainly for corporations). It describes enormous quantities of personal data which are continuously being gathered and are often so huge that it’s impossible to analyze them using traditional data analysis. For privacy purposes, the term “anonymity” is brought up “as the only safe harbor for ordinary people in the battle for preserving privacy from the prying eyes of data brokers, Internet corporations, social networks and governments.”
One interesting point I learned from the material this week is the concept of the Onion Routing technique. Onion routing is a way to communicate online anonymously through a network where all messages have multiple layers of encryption attached to them. I found this concept interesting because it was originally created at a US Navy research lab as a way to protect classified US intelligence communications online.
Hello Micheal,
Likewise, I was highly fascinated that it was created at a US Navy research lab to protect classified US intelligence communications online. But isn’t it interesting that what was once designed to be a defensive mechanism is now one of the most prolific offensive technologies hackers and hacktivists use to mask and hide their identities?
Hi Michael,
I did not get to that part yet, but thank you for the definition. Your idea gives me a better understanding of what the Onion Routing technique is, and I will do more research on that to know what this is exactly.
One of the interesting topics that I have learned from this week is that software as a service allows the use of a specific application that is executed, whereas IaaS simply refers to a situation where there is full, unfettered access to cloud devices, firewalls and server operating systems within the cloud, and PaaS, where the user gets access to a server operating system. Cloud computing is helping society to cope with future problems such as managing big data, cyber-security and quality control. In addition to this, emerging technologies such as Artificial Intelligence, distributed ledger technology, and many other capabilities are becoming available as services through cloud computing.
Hi Kofi,
I am interested in your point that Infrastructure as a Service provides consumer processing, storage, networking, and various essential computing resources to deploy and execute multiple software such as operating systems or applications. IaaS is the bottom layer of cloud services, which mainly provides some vital resources.
I thought an interesting point in the readings was the section regarding mix nets in the Privacy-Enhancing Technologies chapter. This is a data minimization technology that hides the relation between incoming and outgoing messages. I found it interesting because I had heard of this technology regarding the “Tor” browser, but I had never really considered it as a tool that could be implemented for an organization. I really only considered this in more of a personal situation. It was also interesting breaking down how the communication takes place via the four steps outlined in the section. Detailing how this technology works gave me a better understanding of its potential usefulness, as I was not previously fully aware of all the intricacies of which it is comprised.
Hi Ryan,
Interesting point about using Tor for an organization. I’ve worked in security operation centers that explicitly blocked and monitored for Tor activity. I would think the use case for using Tor would be for very specific reasons; otherwise, losing that visibility into the organization’s network is a security professional’s nightmare and an insider threat’s dream. Thanks for sharing your thoughts!
I learned a lot of things from the readings this week but one thing that caught my attention was the Single Sign-On which is the name given to the requirements of eliminating multiple password issues and dangerous passwords. I found it interesting because it helped me to understand the pain that comes from having multiple identities. I did not know that since I do not have an IT background but this was really helpful for my own knowledge.
Hey Ornella,
Single Sign-on (SSO) does make it easier to log in without remembering multiple usernames and passwords for those accounts. It definitely makes it easier at work, where you have to log in to multiple applications, as well as outside of work, where we could use sign-in credentials from one platform to log in to other platforms.
I know that this is discussed over and over, but I always find more interest in social engineering just because of how easy it is to attack the end users, especially because these attacks are not as technical as the general person would think. For example, some of the phishing attacks add a VeriSign logo on their emails to make it seem like the bogus emails care about security, which is trying to develop trust from the user so that they are more likely to not pay attention to the red flags that should be noticed upon observation. I also found it interesting that Vacca states not to determine whether an attack is successful based on how many times a user has been mistaken by the email — but by highlighting the components of social crimeware based on design.
I agree Michael. Most people I talk to who don’t have a technical think of hacking as someone in a dark room mashing away at a keyboard. But in reality, most of it’s all about social engineering and manipulating others.
I found the information regarding user-centric identity management with AmI (ambient Intelligence) rather intriguing. The section from the Vacca reading in Chapter 71 raises different questions about these types of devices which make me think about the implications of these “mobile identities” based on the scenarios supplied. In the context of security, these types of systems create an interesting landscape. It seems to be the next step for mobile interoperability, and an entire environment like the store and device connectivity mentioned in the reading presents a highly questionable yet potentially efficient means of efficiency for the future, but the question of security regarding this consolidated and multi-purpose identity management system will likely be ever-present.
A few different things that I read in the chapters this week came to mind when thinking about what was interesting to me. In chapter 52, the section on trading personal data. I didn’t know much about the details of the topic, so it was nice to learn about it. In the 70’s, the Federal Trade Commission (FTC) promulgated the Fair Credit Reporting Act (FCRA), which sought to regulate how consumer data must be used by consumer reporting agencies in their decisions about employment and housing, etc. Also, it was in the late 90’s that the FCRA added the trade of citizens’ data for advertising or for other goals different than financial credit.
One thing I found interesting from Vacca ch 52 is the bit about how most Android applications sampled did not have a privacy policy. This is crazy, since many regulations require it – CCPA, GDPR. If those applications are collecting data on any users from California or EU, they are not compliant. Therefore, they could potentially be facing some hefty fines if they ever have a privacy incident.
This is crazy. I feel like since the GDPR was effective, I’ve been bombarded with privacy policies and declining cookies everywhere I go on the internet. But this is probably my negative bias – I’m sure there’s lots of websites and applications that are still non-compliant.
Hi Madalyn, I definitely agree with you. Especially being that I am one to shop online internationally, I see so many cookie pop-ups and have become rather numb to it. Being that I work in compliance, the lack of compliance/legal privacy framework unification is rather alarming. I would not be surprised to not only see hefty fines like you said, but also potential lawsuits if these Android platforms are not properly securing PII and result in a breach.
Madalyn,
I also found this interesting/concerning. As an Android user, it made me consider how many of the applications I am using don’t have a proper privacy policy. I agree that what makes it really mind boggling is that there are so many regulations in place that you would think that most of the app developers would be forced to implement them.
Hi Madalyn,
Having an Android is like being in the wild west. It makes me feel like anything goes when it comes to having an Android. I used to own an Android years ago, before the iPhone, and can remember being able to use any type of application with no restrictions and no privacy policies. I feel the same way when it comes to being bombarded with privacy and cookies too. This is the age of the internet we all now live in.
Yeah, I have slowly become more paranoid about where my information is garnered over a period of time, to the point where I will consider not browsing on certain websites or using programs even if it’s more convenient for me to do so. I personally don’t like my information being used, even if it is used for the general good. Most of the time it’s just targeted advertisements – but with no privacy policy there is nothing stopping a bad actor from selling the data and using it for something more malicious.
Hello Madalyn, same here; I also found it interesting from Vacca ch 52 that most Android applications sampled did not have a privacy policy. Such a finding further elaborates the necessity of access control to data privacy.
One interesting point I learned from the readings this week is that flash cookies can recreate deleted http cookies, commonly referred to as “respawning” them, or “zombie cookies”.
This is interesting to me because many top websites use flash cookies, but few websites disclose this in their privacy policies.
They are stored in a specific browser-independent file and are not deleted when http cookies are deleted.
Flash cookies are local shared objects (LSOs) that are created by the Adobe Flash plug-in and store the same information as HTTP cookies, plus some additional Flash-specific data.
Vacca, John R. Computer and Information Security Handbook. 3rd ed., Morgan Kaufmann Publishers, 2017.
To delete flash cookies, one must go to the storage tab within their flash player file and delete all the site data and settings.
Stockley, Mark. “How to Clear out Cookies, Flash Cookies and Local Storage.” Nakedsecurity.sophos.com, Sophos Ltd., 5 Nov. 2014, https://nakedsecurity.sophos.com/2014/11/05/how-to-clear-out-cookies-flash-cookies-and-local-storage/.
Something that particularly interested me in this week’s reading was the idea of federated identity management. Being that I work in the compliance team of a SaaS company, I hear about identity federation all of the time, but have had no true understanding of what exactly it is. I understood the idea of single sign-on (SSO), but never realized it can be used in combination with federation standards. Federated identity management giving the illusion of a single identifier when connecting numerous identities is ingenious, tied with the convenience of SSO. Simple concepts like this (plus the explanation of SAML) really assisted me in better understanding my role in company compliance, and even put more ideas and thoughts into my head on bettering enterprise processes.
Hello Lauren,
Very interesting post. I like how you’re proclaiming that these lessons we are learning are actually helping you out in the field, as well as giving you more understanding of your role in company compliance. I appreciate what we are learning here as well, but recently I was starting to think I could use more hands on experience in Information security opposed to theory. However, your post is making me think that I should value learning about theory more than I already do! Great post!
Chapter 52, Privacy and Access Management, was interesting reading for me this week. I wasn’t expecting the book to go into the root details of the privacy term. “The Origin of the Concept” on page 744 had lots of historical information that helped me to understand where the term is coming from. It is interesting to see lots of philosophers engaged in this idea. The fact that privacy splits into an individual’s privacy from the external public, and public privacy, which addresses free speech power, is an interesting combination for understanding privacy.
The interesting point for me is in Vacca Chapter 59, he stated
“graphic design can change authenticity evaluations and that its impact varies with context. We expected that authenticity-inspiring design changes would have the opposite effect when paired with an unreasonable request, but our data suggest that narrative strength, rather than underlying legitimacy, limits the impact of graphic design on trust and that these authenticity-inspiring design features improve trust in both legitimate and illegitimate media. Thus, it is not what is said that matters but how it is said: An eloquently stated unreasonable request is more convincing than a poorly phrased but quite reasonable request.”
It was interesting for me because it made me reflect on my career working as an IT professional; over the years I have come across countless phishing schemes, and the quote from Vacca just jumped out at me because I realized how true it is. His point about how the email looks, and about how the wording and how something is said, rather than how legitimate the request is, could not be more true.
I love this concept and have personally interpreted it as ‘fake it till you make it’. If you act like you belong somewhere then frequently you can get to belong there – before they realize you don’t belong and kick you out! An unreasonable request phrased and delivered politely has a good chance of being fulfilled – that seems to underlie a lot of Phishing schemes…
I also am a working IT professional, and I understand why you feel the way you do. I’ve seen some wild phishing emails working in the IT field as well, and I even failed one or two when it was a phishing test email from the hospital’s own security team. I agree with your position that the points the author made in our readings are indeed accurate.
I was intrigued by Blind Signatures and Anonymous Credentials. Both of these concepts are foundational to eVoting and ensuring election fairness as we evolve how we vote. The requirement to maintain anonymity, yet ensure there was a validation (challenge/response or other) of the credentials of an individual is fascinating to me. You need to make sure that someone is who they say they are, that they only vote 1x and yet still not know (or be able to know) who they voted for! Most of IT based security generates log files and paper trails – then we work very hard to limit exposure and access to those records. The techniques listed above flip that approach on its head!
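The blind-signature flow described in the post above (the voter is validated and receives exactly one signature, yet the signer never learns the ballot and nobody can tie the cast ballot back to the voter), as an added Python example written for this page, not code from Vacca. It assumes a constructed toy RSA key that is far too small for real use, and the names `make_ballot`, `Registrar` and `BallotBox` are hypothetical.

```python
from math import gcd
from typing import Dict, Set

# Constructed toy RSA key for the registrar (p=61, q=53). Far too small for
# real use; just enough to show the blinding arithmetic.
N, E, D = 3233, 17, 2753          # E*D == 1 (mod 60*52)


def make_ballot(choice: int, serial: int) -> int:
    """Encode the choice with a voter-chosen random serial so two voters picking
    the same candidate still produce distinct ballots, and distinct signatures,
    which the replay check below relies on."""
    if not (0 <= choice < 32 and 0 <= serial < 100):
        raise ValueError("choice or serial out of toy range")
    return choice * 100 + serial


def blind(ballot: int, r: int) -> int:
    """Voter hides the ballot as m * r^E mod N with a secret blinding factor r.
    This blinded value is all the registrar ever sees."""
    if not (0 < ballot < N) or gcd(r, N) != 1:
        raise ValueError("ballot out of range or r not invertible mod N")
    return (ballot * pow(r, E, N)) % N


def unblind(blinded_sig: int, r: int) -> int:
    """Voter strips r: (m * r^E)^D == m^D * r (mod N), so multiplying by
    r^-1 leaves m^D, an ordinary RSA signature on the unblinded ballot."""
    return (blinded_sig * pow(r, -1, N)) % N


def verify(ballot: int, sig: int) -> bool:
    """Anyone can check sig^E == ballot mod N without knowing who voted."""
    return pow(sig, E, N) == ballot


class Registrar:
    """Checks eligibility and signs exactly one blinded ballot per voter."""

    def __init__(self, eligible_voters) -> None:
        self.eligible: Set[str] = set(eligible_voters)
        self.issued: Set[str] = set()

    def sign_blinded(self, voter_id: str, blinded: int) -> int:
        if voter_id not in self.eligible:
            raise PermissionError(f"{voter_id} is not on the roll")
        if voter_id in self.issued:
            raise PermissionError(f"{voter_id} already received a signature")
        self.issued.add(voter_id)           # the log records WHO, never WHAT
        return pow(blinded, D, N)


class BallotBox:
    """Accepts anonymous (ballot, signature) pairs; rejects forgeries and replays."""

    def __init__(self) -> None:
        self.accepted: Dict[int, int] = {}  # signature -> ballot

    def cast(self, ballot: int, sig: int) -> bool:
        if not verify(ballot, sig) or sig in self.accepted:
            return False
        self.accepted[sig] = ballot
        return True

    def tally(self) -> Dict[int, int]:
        counts: Dict[int, int] = {}
        for ballot in self.accepted.values():
            counts[ballot // 100] = counts.get(ballot // 100, 0) + 1
        return counts


def vote(registrar: Registrar, box: BallotBox, voter_id: str,
         choice: int, serial: int, r: int) -> bool:
    """Full round trip: encode, blind, get signed, unblind, cast anonymously."""
    ballot = make_ballot(choice, serial)
    blinded_sig = registrar.sign_blinded(voter_id, blind(ballot, r))
    return box.cast(ballot, unblind(blinded_sig, r))


if __name__ == "__main__":
    reg, box = Registrar(["alice", "bob"]), BallotBox()
    print(vote(reg, box, "alice", 3, 17, 7), vote(reg, box, "bob", 3, 58, 11))
    print("tally:", box.tally(), "signed for:", sorted(reg.issued))
```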
One interesting point that I took away from this week’s readings was just how in depth some hackers will go with their phishing attempts, which is mentioned in Chapter 59 – Identity Theft. I have been a victim of many phishing attempts over the past few years, and like most of us I have just ignored/blocked/deleted them, but some of the examples presented in the readings are almost mind-blowing in their level of thought and detail. One that stood out specifically that I haven’t previously heard of is “The Unsubscribe Hack Attack”. The idea behind this type of attack is to send an email that is clearly a phishing attempt based on its narrative, but very detailed to emulate a level of authenticity. The text states the email may ask the user to refer to the authentic telephone number on the back of their credit card, for example. Amongst the detailed email the hacker may include an “unsubscribe” link at the bottom. Since the email is clearly phony, the user may simply click the link in order to not receive them anymore, in the same way the user may block the address or delete the email. By clicking the link, though, they are sent to a webpage which spreads crimeware by loading malicious JavaScript code onto the device. The user continues on with their day, completely unaware that they were just the victim of a cyber attack. I found this particular phishing scheme interesting because I could definitely see someone who is pretty conscious in the realm of phishing schemes falling for something like this, because it is different than what you typically hear about, e.g. click this link to win a $50 gift card.
Yes, I’ve also noticed that phishing attempts have gotten much more sophisticated over the last few years. For example, I received one phishing email a few weeks ago that looked very authentic – it was for an online cybersecurity professional conference. These are emails I get all the time – from CISA, NetDilligence, etc. The only reason I flagged this email as fishy was because it was for a conference I did not recognize. So I reported the incident and IT confirmed it was a phishing attempt.
The unsubscribe button being a malicious link is good to know – I typically just use the built-in “report as spam” button for my Gmail account, so I don’t need to click any links.
I really enjoyed reading about the different tests and designs of delivering phishing emails. I often receive simulated phishing emails from our security team and I thought it was very interesting to see how they are crafted and subsequently delivered to their intended targets. Additionally, I found it interesting to see how much detail, such as deciding between using plain or fancy layout and the utilization of small footers, goes into crafting a phishing email.
Hi Bryan,
After hearing about all the ways hackers are getting smarter in their phishing and social engineering attempts, I wonder whether corporate phishing simulations can ever truly embody the sophistication of these recent phishing attacks. It would be easy enough to gather a database of corporate emails for employees in the cybersecurity industry (many of us probably have linkedins and say what company we’re working for). These hackers can target cybersecurity professionals with specially crafted phishing attempts.
I found the online privacy chapter to be very interesting, more specifically the means used to track a user’s habits and web history, such as cookies, HTML5, and even device fingerprinting. The chapter then goes on to describe the possible countermeasures and privacy enhancing technologies, which I thought were very insightful.