Category Archives: Security

Threat Agents

Anonymous Guy Fawkes mask

A threat agent is an active entity motivated to attack our mobile devices and activities. We may identify threat agents as specific organizations or individuals, like Anonymous, or we may classify them by goals or methods of operation (MOs). For example, shoplifters are a class of threat agent that attacks retail stores.

[This post is another piece of text I’m writing as part of a mobile security writing project. It was originally part of another post, but it can stand on its own.]

Continue reading Threat Agents

Communication is Hard

[This post contains text I’m trying out for a new writing project on cybersecurity in the mobile age. I might be posting more such stuff in the future]

In an ideal world, we share with other people directly. We speak quietly face-to-face, gesture, and draw occasional images.

In the real world, most people are too far away to hear our words. We use cell phones and other mobile devices to carry our words farther.

Today’s mobile devices try to solve the deceptively simple problem of sharing text, images, and words. The natural world restricts the power of our voices and the range of our messages. Misunderstandings that already happen face-to-face are multiplied when we restrict our messages to text, images, and sounds.

Continue reading Communication is Hard

NSA re-releases Boak’s Lectures

Boak's History of US COMSECI’m a fan of Boak’s Lectures – they cover the fundamentals of military cryptography just before the information revolution.David Boak developed the lectures for the National Security Agency’s Cryptologic School.

Even though the lectures are from the ’60s and ’70s, they remain relevant to today’s cybersecurity threats. Cryptographic techniques that were classified Secret in Boak’s work are prominent in modern commercial cryptosystems. A sanitized version of Boak’s Lectures (Vol 1, Vol 2) was released in 2008.

I’m happy to report that the Interagency Security Classification Appeals Panel has released a more complete (less redacted) version. It’s available from the Government Attic.

Continue reading NSA re-releases Boak’s Lectures

Recycling an iPhone – not a picnic

iPhone and erasersI’m upgrading my iPhone and trading in the old one. I had to erase the old one completely and unhook “Find my iPhone” from it.

I’d seen headlines hinting that recycled iPhones aren’t often erased. Some headlines suggest that the erasing operation itself doesn’t really work.

It works. It’s just time consuming. I turned off TouchID and the lock code. I disabled “Find my iPhone” and all the iCloud connections. Then I went on line and made sure the old phone wasn’t listed on my Apple account. Finally, I hit the “Erase All Contents and Settings” option.

The phone restarted with the Hello setup screen. I went through guided setup without hooking up iCloud or anything personal. I looked through the phone to make sure nothing was there. It was clean. I looked on Find My iPhone, and the old phone didn’t appear.

Continue reading Recycling an iPhone – not a picnic

Encrypt All Hard Drives!

Hard drive showing plattersIf you have the technical interest to read this, you probably do a lot of your finances with your personal computer. Taxes, monthly budgets, check printing (on those rare occasions), and tracking numerous accounts – computers are far better than people at handling such details. A typical personal computer, or smart phone for that matter, contains company names, account numbers, login credentials, and everything else an identity thief might need. This is reasonably safe as long as you don’t lose your device and/or its hard drive.

But when you replace your computer or hard drive, or (God forbid) someone steals it, your intimate financial details are “out there” unless your drive is encrypted.

Continue reading Encrypt All Hard Drives!

Clinton’s Email Server Isn’t Her Scandal

Hierarchical security levelsEarly last month, Edward Snowden criticized former Secretary of State Hillary Clinton for obviously and intentionally mishandling classified information by using a private email server. A recent Huffington post argues that, if true, Snowden’s comments could cost Clinton the Democratic Presidential nomination.

This rests on technical questions of security and classified information. Based on the information I have seen, Clinton committed no crime. Her security mistakes are typical of politicians of her (my) generation. She was exercising the authority and discretion (or lack thereof) belonging to her role as Secretary of State. I will explain why.

DISCLAIMER: I personally neither support nor oppose Hillary Clinton’s bid for a Presidential nomination.

UPDATE (March 22, 16): Richard Lempert, a professor of law and sociology, has posted a more detailed parsing of the laws and regulations to come to the same conclusion.

Continue reading Clinton’s Email Server Isn’t Her Scandal

A Script to Generate Spam Comments

SpamThe text attached to this post was submitted as a web site comment. No doubt some spambot was supposed to select randomly from the text to produce a unique-looking spam message. I know I’ve received lots of spam comments that this script might have generated: personal-sounding messages that are content-free.

I’ve used similar scripts to show how one could generate several different texts that all mean the same thing but contain different digital content.

Continue reading A Script to Generate Spam Comments

Free NSTISSI 4011 Certificate

[SORRY – This is posted for historical purposes only! The free certificate is no longer available]

NSTISSI 4011 training badgeIf you have studied the textbook Elementary Information Security as part of a class, or on your own, and did not earn a formal certificate for NSTISSI 4011 training, here is your chance.

As part of our final testing and release, Cryptosmith Institute offers eighteen (18) weeks of completely free access to its new NSTISSI 4011 certification program to a limited number of students.

Continue reading Free NSTISSI 4011 Certificate

My invitated – a classic phishing attack

Your InvitatedPhishing emails can be tiresome. Sometimes, though, they are classically bad. Even better, this one uses an old-school strategy to get you to click on a suspicious link.

The domain name is “nytijmes.com” which at first glance appears to go to a more-or-less legitimate news site. The extra “j” in “nytimes” is easy to overlook.

Continue reading My invitated – a classic phishing attack