Mainstream media is filled with stories that cybersecurity personnel are in demand these days, which is convincing some people to consider a career in computer security. But what types of jobs are available, and which might interest someone like you? Computer security jobs can be broadly categorized into these general areas:
Securing systems. A person is responsible for implementing security checklists, applying security patches, managing permissions to specific resources and checking log files. System and network administrators typically do this as part of their regular duties for the equipment they manage.
If you answered “no” to this question, you’re in good company. Pretty much everyone that knows anything about computer security shares this view as well. And as we all know, if everyone (95-99%) believes something is true, it must be true, right?
As you might have already guessed, I’m in the minority that says that it is possible. I don’t hold it against you that you don’t believe it’s possible. Being quite honest, I expect you to not believe it’s possible. Why? Because given current computer technology and security paradigms, it’s impossible. But I’m not talking about making current computing technology secure, I’m talking about starting from scratch with a clean sheet of paper. If you’re interested in how it might be possible to engineer a computer that is 100% secure, please read on.
There is a classic tale that originated in India about a number of blind men that wanted to know what an elephant looks like. Each man touched a different part of the elephant’s body and therefore had a different mental image of the elephant. (Wikipedia: Blind Men and the Elephant) What does this tale have to do with computer security? Not all computer professionals have the same perspective or knowledge when it comes to computer security.
When people choose a computer profession, they usually specialize in one or two areas – system administration, networking, programming, database management, security, etc. While it’s possible for someone to have a good working knowledge of other areas, truly mastering one particular area means that a person has to sacrifice depth of knowledge in the others. This includes specializing in certain vendor-specific operating systems and/or applications. Not only that, some people have no interest in one or more of the other areas or vendor products, and as a result have little or no knowledge about those areas or products.
A friend and I had to kill some time while waiting for a third person, so we decided to wait it out in Starbucks. I ordered my usual Venti Mocha Frappuccino with whipped cream and in no time at all, I was enjoying one of my favorite frosty beverages. As I was sitting there, I happened to notice the writing on the straw wrapper. Yes, I know, it’s probably been there forever, but this was the first time that I noticed it. I don’t usually make a point of examining straw wrappers and I don’t usually hang out in Starbucks either. So I’m sitting there holding the straw wrapper at eye level staring at the following words:
Not Recommended For Use in Hot Beverages
Okay. That makes sense. Now what? I keep looking at the words as if something magical is going to happen and then an idea comes to mind. I take the wrapper and start folding it to make other sentences, phrases and words. I know what you’re thinking, but what the heck. We had a lot of fun and a few good laughs trying to outdo each other. The next time you’re in Starbucks with someone, you should try this straw wrapper word game.
The first time I discussed writing a book about the shortcomings of computer security with one of my bosses, we were having lunch in a Chinese restaurant eating won ton soup. After describing the book’s contents, a look of concern washed over his face.
“Are you sure writing a book is a good idea?” he questioned.
“What do you mean?” I asked.
“Some of what you know is very dangerous in the wrong hands.”
I paused for a moment to think about what he said. “What do you mean by dangerous in the wrong hands? Hackers already know a lot of this information.”
“No,” he said shaking his head, “not all hackers know what you know and on top of that, you’re telling them how and why it’s possible to avoid detection. Don’t you see a problem with that?”
“That’s definitely an issue, but don’t you think it’s a bigger issue that people don’t know the truth? Don’t you think people need to know that all of this computer security we rely on only works against amateurs?”
My boss put down his chopsticks and spoon, wiped his mouth and mustache with his napkin and placed the napkin beside his bowl. “Just be careful what you write, [Mister Reiner],” he said with a stern look. “You don’t want to be responsible for creating an army of super hackers.”
Bill Mullins has an interesting post on his blog that brought back the memory of this lunch with my boss. I’m siding with Bill of course. It’s ridiculous for someone to suggest that Bill is part of the malware problem.
There are quite a number of articles on passwords these days. People are providing all kinds of advice on length, complexity and special characters. They also mention how easy it is for passwords to be guessed or cracked. In this post, I want to provide some additional information that seems to be missing from some of these articles.
Bill Mullins has an incredibly informative blog on technology and computer security. His site is a great resource for both the average computer user and the seasoned computer security professional. In addition to providing daily news summaries, he also provides desktop security software reviews that address a wide-range of issues and concerns. I visit his site every day and always find something of interest. I encourage you to visit his site on a daily basis as well.
Thanks for all your hard work and everything you do Bill. You are truly amazing!
In a world full of content that is much “sexier” than computer security, how do you get people’s attention to what you have to say? Some say make a video – and that’s exactly what I did.
Photoshop can be used to create some amazing images. It can also be used to alter images to try and deceive people into believing something that isn’t true. When people see certain images, their brain immediately goes to work to determine if an image is genuine or not. If something looks too good to be true, people start Googling what they see to seek out the truth.
Hackers use similar techniques to convince people that certain emails, websites and other content are genuine. By fooling people into believing that something presented to them is the real deal, hackers are able to lure people into performing certain actions that result in a compromise of information or computers. While some are able to discern what’s real and what’s not, many are often tricked into divulging credentials, personal information or financial information, or into performing actions that result in the installation of malware.
The Internet can be a dangerous place when it comes to online computer security. People need to be aware, be smart and think about what information they’re about to enter or what they’re about to click on before they actually do it.
ComputerWeekly.com has an interesting story about how £675,000 ($1,052,385) was taken from 3,000 bank accounts in the UK. According to a report by M86 Security, the hackers used the Eleonore Exploit Kit, which leverages old vulnerabilities in Internet Explorer, Adobe Reader and the Java Development Kit. The compromise techniques include “Infecting legitimate websites with malware, Creating fraudulent online advertisement websites and Publishing malicious advertisements among legitimate websites.” This is what we can all learn from this incident:
“Our application permissions model protects against this type of threat. When installing an application, users see a screen that explains clearly what information and system resources the application has permission to access, such as a user’s phone number or sending an SMS. Users must explicitly approve this access in order to continue with the installation, and they may uninstall applications at any time.” First SMS-sending Android Trojan reported
The above statement is only partially accurate and entirely misleading. Here’s why: