Community/Professionalism 7#
Feedback received on my letter to Trump - relates to the following activity:
https://nomiabalone.tumblr.com/post/186560366560/module-7-trump-phishing
Community/Professionalism 6#
Feedback from fellow classmate on the concept of threat models. Relates to the following activity:
https://nomiabalone.tumblr.com/post/186462833070/i-think-that-the-most-important-assets-that-the
Week 8 Lec 2 - Raw Notes
Root cause analysis – occurs after an issue
Expected responses (convenient)
1. User error
· Don’t need statistics to investigate
· Can remove the issue immediately (sack)
· We look for a villain and a hero
· In the old ways, the engineer who last signed off will be to blame
· Bad management only blamed by external party
2. Culture
· This is not an easy thing to fix
· Many people are to blame not one person
Errors
· Humans cannot reliably choose what deserves their attention – this is what misdirection exploits
· People do not attend to what is actually important; they attend to whatever is most salient. A social engineer makes the decoy salient and keeps the real action out of view
Similarity Matching
· This is the process of falling back onto a familiar situation. Social engineers can orchestrate a familiar situation to a specific person so that they can control how people will behave in that situation
Frequency Gambling
· When a situation is ambiguous, your brain relies on patterns of situations and will use a pattern that you have used most
· As a person, the attitude is that “what you know worked the first time will usually work the second time”
· Rational reasoning is not engaged every time when a new situation arises
· If pattern matching doesn’t work, we don’t usually know what to do.
Difference between attack and accident
· Intention is orchestrated in an attack
· Murphy’s law is in action in an accident
“Habit diminishes conscious attentions with which our actions are performed”
Selection/ confirmation bias – discounting evidence that you weren’t considering or don’t like and convince yourself that you’re right
Satisficing – rather than getting the best of something, you are satisfied by something that is good enough.
Bounded rationality – we reason with shortcuts (heuristics) because time, information and attention are limited
· We have an overriding tendency to verify generalisations rather than try to falsify them
Group Think Syndrome – behaviour of people changes when they value group membership
· They don’t want to say anything to create discord or to break that feeling of belonging
System Error
· Accidents are usually systemic
· There is no one individual unit that is at fault
· The law or company culture is to apply blame but they often overlook that it is the whole system that is at fault
Good design
· Each unit needs to be coherent
· Low coupling – change one without breaking the entire system
· Low complexity
· Resilient with change
· Resilient to attack
Remove brittleness
· A brittle system stops working as soon as new functions have to be added later
· Build it so that it stays expandable and adaptable
e.g. of tight coupling
· taxis and buses – two options that look independent but rest on the same underlying dependencies
· looks like defence in depth but is the opposite – it suffers from common mode failure (when the shared thing fails, every component that depends on it fails too)
· Chekhov's gun – if something notable is placed on stage, it will be used later
· hindsight: seems obvious after the study/scenario but was not apparent during the accident or situation
· salient objects placed in a play are obviously going to be used later; real systems do not signpost their failure points like this
· simplification isn't good – it removes all non-salient information and gives an illusion of what you consider reality
· hindsight bias: once the outcome is known it looks like it was obviously going to happen; it also blinds you to outcomes you consider implausible
· latent errors: the mistake happens now but its consequences only become evident later. Defence in depth is especially vulnerable because the other layers mask the error, so its consequences stay invisible until several layers fail together
· operator deskilling due to automatic safety devices
Three Mile Island
· like a coal station, the plant boils water to make steam; the difference is that the heat comes from the nuclear reactor instead of burning coal
· self contained (closed system)
· radioactive uranium rods sit in high-pressure water which is circulated
· a second set of rods (control rods, made of neutron absorbers such as boron – not carbon, which is a moderator and does not slow the reaction) drop down and absorb neutrons to slow the reaction down
· hot water creates steam and moves the turbines that generate electricity
· pure (non-radioactive) water in a separate loop is used for cooling
Accident
· started in the cooling system (2 units)
· a core meltdown that burns through its containment is nicknamed the China Syndrome
· water went through a leaky seal into the adjacent air system used to power the instruments that monitor safety. The water made the instruments give false readings and the cooling system shut down
· valves had been left closed after a maintenance inspection (latent condition). The investigation focused on who left them closed; companies often denied their involvement.
· SCRAM: process of dropping the rods (kill switch)
· ASD: automatic safety device
Complex systems
· Humans are often the catalyst for their failures
· Everyone is rushed to implement the system and to deal with testing and the infant mortality of devices later. This routinely leads to catastrophic failure
· If the issue is conceptual, people often overlook the consequences of their actions – they are unaware that they have done something wrong (latent issue)
· Tightly coupled systems produce unpredictable results and issues are compounded
· Must design a system so that when something goes wrong, the impact is reduced
· Work out the most important assets and put resources into it. In a university scenario, the assets can be students, safety, staff and money
· Always assume your system will be compromised: to prepare, write two press releases – one will be about the consequences if you haven’t done anything in advance, and another will be if a security system is in place
· Don’t keep valuable data into a ‘data lake’ if the data is not necessary
Pre-Submission ~ Time Management
I’ve managed to complete most activities in modules from 1-8. The ones highlighted in yellow are those that I have completed prior to my Job Application submission.
I will be ready to submit by 5pm today. The only thing I need to complete is the writing up of the in-person raw notes for week 8.
COMP6441 Compiled Notes
Here are my notes for COMP6441. Sources that I’ve used include course textbook, online sources, online lectures, tutorials and in-person lectures.
https://drive.google.com/open?id=1W36uJXo3TEpYlVhl0PDguAJqdDEmdp2H
Security Everywhere - Misdirection and Human Greed
Identity, particularly the act of claiming to be someone that you're not, is something that can be faked by cleverly using social engineering. This activity reminded me of a Russian woman, Anna Sorokin, who claimed to be a German heiress and conned money from her friends, hotels, restaurants and banks to fund an extravagant lifestyle.
She was able to convince people to pay for her hotel stays and taxi rides by stating that she was having trouble moving her assets from Russia. She also spun stories about her wealth, claiming that her father was a wealthy diplomat, oil baron or solar panel entrepreneur. She was also accused of creating fake bank statements and convinced a bank to provide her with $136,032 for a start-up business.
Another Independent article described how she was able to pull this off for so long. The article points the finger at human fallibility and greed, stating that the promise of money and fame clouded people's judgement. The article wrote: "It's almost farcical, except that it comes across as so very cynical for all these people to have ignored major clues that something wasn't right, as long as they stood to gain from it". This highlighted the concept of misdirection and how easy it is to execute when people are acting out of self-interest.
Perhaps her downfall was her carelessness in the way that she treated the people she knew. She had promised a friend that she would fund an all-expenses-paid trip to Morocco but never delivered on her promise, leaving her friend to pay the bill. Hotel staff also described her as "annoying and ill-mannered", which made her stand out in a way that she probably never wanted. People were clearly satisfied with perpetuating the identity that she created as long as there was a gain in the end. As the article stated, "If people weren't so easily bought, Anna would never have got as far as she did".
https://www.independent.co.uk/voices/anna-delvey-fraud-new-york-banks-money-socialite-party-a8376141.html
https://www.independent.co.uk/news/world/americas/german-heiress-new-york-fraud-anna-delvey-sorokin-trial-con-a8842056.html
Module 7 ~ Trump Phishing
Here is my letter to Trump which simulates a phishing attack:
Dear Trump,
Your wall between Mexico and America is too brown. Can you please change it to black to match your heart.
Thanks
You Mexicant do this
Mark as spam? <bad link>
Security Everywhere ~ Paywave Credit Card Spree
This article about the capture of a Wollongong man who used a stolen credit card to pay for his purchases shows how easily one can determine a person's character, location and movements simply by conducting simple recon on credit card history. The article details his purchases by outlining the items he bought, the time he bought them, the location and the cost. The police were able to "put together a virtual connect-the-dots" style movement trail that eventually led to the man's capture. This article therefore highlights the risk we all take when we use our credit cards extensively for purchases. If a malicious person obtains such information, we will be losing more information about ourselves than we bargained for.
https://www.smh.com.au/national/nsw/wollongong-man-s-entirely-predictable-buys-during-28-hour-paywave-spree-20190723-p529vf.html?fbclid=IwAR2KV_ozKH5KI48X2IrMpC9bdlfPFTcilTddhLIdFaH6K2zEFneBYb18zXE
Module 7 ~ AES
For this exercise, I decided to draw a diagram to help me distinguish between the different types of encryption available. I first typed in 16 x ‘a’ and observed that cipher 2 increased in length while all the other ciphers had a fixed length. Therefore cipher 2 was a form of CTR. Next I typed in another 16 x ‘a’ and observed that some of the cipher texts repeated themselves - these revealed that they were a type of ECB.
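The two observations above (ciphertext growing in 16-byte steps versus tracking the plaintext length, and repeated ciphertext blocks once the plaintext contains two identical blocks) can be turned into a small classifier. The following is an added example, not code from the exercise. It uses a SHA-256 based block function as a stand-in for AES so that it runs on the standard library alone; it is not AES, but it reproduces the structural properties the test relies on. With pycryptodome installed, `toy_block_encrypt` can be replaced by `AES.new(key, AES.MODE_ECB).encrypt(block)` and the rest is unchanged.

```python
"""Fingerprinting a block-cipher mode from the shape of the ciphertext.

Added example (not part of the original post). The block cipher is a
SHA-256 based stand-in so the file runs with the standard library only;
it is NOT AES, but it reproduces the structural properties the test
relies on: ECB maps equal plaintext blocks to equal ciphertext blocks,
chaining modes do not, and counter mode adds no padding."""
import hashlib
from collections import Counter

BLOCK = 16  # AES block size in bytes


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Keyed block function standing in for AES (constructed, not AES)."""
    assert len(block) == BLOCK
    return hashlib.sha256(key + block).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pad(data: bytes) -> bytes:
    """PKCS#7: always adds 1..16 bytes, so block modes grow in 16-byte steps."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def ecb_encrypt(key: bytes, pt: bytes) -> bytes:
    pt = pad(pt)
    return b"".join(toy_block_encrypt(key, pt[i:i + BLOCK])
                    for i in range(0, len(pt), BLOCK))


def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    """Each block is XORed with the previous ciphertext block before encryption."""
    pt, prev, out = pad(pt), iv, []
    for i in range(0, len(pt), BLOCK):
        prev = toy_block_encrypt(key, xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def ctr_encrypt(key: bytes, nonce: bytes, pt: bytes) -> bytes:
    """Keystream = E(nonce || counter), XORed with the plaintext; no padding."""
    out = []
    for i in range(0, len(pt), BLOCK):
        keystream = toy_block_encrypt(key, nonce + (i // BLOCK).to_bytes(8, "big"))
        out.append(xor(pt[i:i + BLOCK], keystream))
    return b"".join(out)


def repeated_blocks(ct: bytes) -> int:
    """Number of 16-byte ciphertext blocks that duplicate an earlier one."""
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct) - len(ct) % BLOCK, BLOCK)]
    return sum(c - 1 for c in Counter(blocks).values() if c > 1)


def classify(pt_len: int, ct: bytes) -> str:
    """Same reasoning as the post: check the length first, then look for repeats."""
    if len(ct) == pt_len:
        return "stream-like (CTR): no padding, ciphertext length == plaintext length"
    if repeated_blocks(ct) > 0:
        return "ECB: identical plaintext blocks produced identical ciphertext blocks"
    return "chained block mode (e.g. CBC): padded, no repeated blocks"


if __name__ == "__main__":
    key, iv, nonce = b"k" * 16, b"i" * 16, b"n" * 8
    for pt in (b"a" * 16, b"a" * 32):
        print(len(pt), "x 'a'")
        print("  ECB:", classify(len(pt), ecb_encrypt(key, pt)))
        print("  CBC:", classify(len(pt), cbc_encrypt(key, iv, pt)))
        print("  CTR:", classify(len(pt), ctr_encrypt(key, nonce, pt)))
```

Note what the first round of 16 'a' shows: ECB with a single plaintext block is indistinguishable from CBC by this test, because only the padding block follows it. The repeat only appears once the plaintext itself contains two equal blocks, which is why the second 16 'a' was needed.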
Pre-Lab Reflection ~ Module 8
This Stargate Ghost problem holds similarities to man-in-the-middle attacks because it simulates 2 people, who cannot see each other, communicating over an insecure network, which in this case can be an environment where the Alien A can eavesdrop on the conversation and manipulate the message.
From my understanding of Richard’s lectures, the concept of issuing certificates in a real-life scenario is the solution to this problem. It would require the invisible sender to have a public key, certified by his/her trusted third party authority, with the message that they want to send. The certificate is signed by the sender’s private key or secret.
Time Management ~ Week 8
The activities and lectures that I’ve completed as of today are highlighted in yellow. I’m still struggling to finish the activities and I do plan on doing them because they give fantastic theoretical knowledge.
Feedback - Something Awesome
Thanks @cse6441. Thanks for your positive reviews on my blog. It’s nice to know that someone is actually reading about what I’m doing. Your own blogs are also very amusing and informative in terms of class content - especially those gifs you add at the start of your posts.
Module 8 ~ Authentication/Identity/ Authorisation
Stargate Ghost Problem; Wayne Ronaldson – social engineering
Identity and Authentication
How do you prove that you are who you claim to be
• 100 points of ID – passport (photo), bank card, school/uni card, information on the passport
• Banks may ask "how was your day" as a subtle way of asking for verification
• Fingerprints (can be defeated by a scar or mark)
• DNA
• Dental records
• The National Document Verification Service (a federal service) lets you verify yourself online
• The physicality of the object/passport is hard to forge
• Mag stripe card – stores information (this does not stop people from cloning the card)
• Background knowledge – you can authenticate yourself by demonstrating that you know how to do things
• Challenge response – the verifier issues a challenge and the card must compute the correct answer from a secret it holds. A mag stripe only stores static data (which is why it can be cloned); a chip can actually compute the response
• Secret question / password
• Vouching / third-party authentication – getting someone you know to verify your identity
• Two-factor authentication: sending a message to your phone
Two Factor Authentication
• Something you know
• Something you have
• But your phone is now a computer and a phone, so if someone hacks your phone they get both your password and your SMS – the two factors collapse into one
Biometrics - Issues
• The issue with biometrics is that the fingerprint or DNA information must still be transferred to a computer as data. That data can be replicated or stolen
• The process of authenticating a thumbprint is not atomic – it goes through a chain of actions. This is exciting to attackers because they only need to find the weakest link and exploit it
Authentication vs Authorization
• Who am I vs what can I do?
• Example: when you get to the airport, they check your passport (authentication). When they print out your boarding pass and give it to you, this is authorization. Authorization and authentication happen at different times in the airport
TOCTTOU Attack
• You are authenticated and authorized once, then the 'tokens' get swapped so that you are authorized to complete an action even though you are no longer who you initially claimed to be
• Time of check is not the time of use
• Hard to stop in general because check and use are separate steps (check-then-do) and something can change between them – a concurrency problem. The fix is to make the check and the use a single atomic step, or to check the thing you are actually about to use rather than a name or path that can be re-pointed in the meantime
Identity Theft
Statistics
• The number of victims of robbery, motor vehicle theft, household break-in and assault in Australia is much lower than the number of identity theft victims
• Shows that everything is forgeable, especially physical documents like passports and Medicare cards
• "title via registration, rather than registration of good title, so what's on the title is considered conclusive proof"
Identity Theft
• Once someone has taken your identity, they keep it, because the underlying facts never change e.g. mother's maiden name, your face, date of birth
• You don't need much information to impersonate someone
• Using the secret may reveal the secret – every use makes you more vulnerable to identity theft
• The companies storing your credentials may not be storing them securely
What do they do with the data?
• Loans
• Social security
• Crime
• Tax
• Driving
• Buying phones
• Credit cards
• Conveyancing
• Social damage
How to respond?
• IDCare
• Get a copy of your credit report (free once a year)
• Ask all three credit reporting agencies to place a credit ban when you suspect that identity theft has occurred
• Check whether an email redirection has been set up on your account
• Change all your passwords from a clean machine in a clean location
• Be aware that if you have been scammed once, chances are you will be targeted again, because the best time to attack someone is during chaos
• You can also obtain a certificate (Commonwealth-recognised identity fraud situations only) which helps you authenticate yourself afterwards
• The government has established the National Facial Biometric Matching Capability, a database of photos of you. Agencies subscribe to it and can ask to identify citizens from photos
Should we have Mandatory Data Breach Notifications?
• Panopticon – the warden is placed in the middle of a dome ringed by cells. The idea is that the fear of being constantly watched is enough to control people's behaviour. This is the idea behind modern surveillance
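The TOCTTOU pattern from the notes above, checked at one time and used at another with a swap in between, has its canonical instance on a filesystem path. The following is an added example, not from the lecture: a service checks that a path is not a symlink, then opens it; between the two calls the attacker replaces the file with a symlink to something the service must never expose. The `after_check` hook is a constructed stand-in for the race window so the attacker's move can be made deterministic (in a real race it would be a second process winning a timing game), and the file names are made up. The hardened version removes the separate check entirely: `O_NOFOLLOW` makes the kernel refuse a symlink inside the very same `open()` call, and `fstat` validates the descriptor actually obtained rather than a name that can be re-pointed. Requires Linux or macOS.

```python
"""Time-of-check-to-time-of-use (TOCTTOU) on a file path, and the atomic fix.

Added example, not from the lecture notes. Constructed scenario: a service
opens a report file after checking that the path is not a symlink. The
`after_check` hook stands in for the race window so the attacker's move is
deterministic; in a real race it is a second process winning a timing game.
Requires Linux or macOS (O_NOFOLLOW)."""
import os
import stat
import tempfile


def vulnerable_open(path: str, after_check=lambda: None) -> int:
    """Check the *path*, then open the *path* again: two lookups, one race."""
    st = os.lstat(path)                        # time of check
    if stat.S_ISLNK(st.st_mode):
        raise PermissionError("refusing symlink")
    after_check()                              # the race window
    return os.open(path, os.O_RDONLY)          # time of use: path resolved afresh


def hardened_open(path: str, after_check=lambda: None) -> int:
    """Collapse check and use into one syscall, then validate what we got."""
    after_check()                              # attacker may act at any time
    # O_NOFOLLOW: the kernel refuses (ELOOP) if the final path component is a
    # symlink, so there is no separate check for the attacker to race against.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        # Validate the descriptor, not the name: an fd cannot be re-pointed.
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise PermissionError("not a regular file")
    except Exception:
        os.close(fd)
        raise
    return fd


def demo(open_fn, attack: bool = True) -> str:
    """Returns what the caller ends up reading, or 'blocked' if open refused."""
    with tempfile.TemporaryDirectory() as d:
        secret = os.path.join(d, "secret.txt")   # constructed: must never be exposed
        report = os.path.join(d, "report.txt")   # constructed: the intended file
        with open(secret, "w") as f:
            f.write("SECRET")
        with open(report, "w") as f:
            f.write("REPORT")

        def attacker():
            # Swap the already-checked file for a symlink between check and use.
            os.remove(report)
            os.symlink(secret, report)

        hook = attacker if attack else (lambda: None)
        try:
            fd = open_fn(report, after_check=hook)
        except OSError:                # ELOOP from O_NOFOLLOW, or PermissionError
            return "blocked"
        try:
            return os.read(fd, 64).decode()
        finally:
            os.close(fd)


if __name__ == "__main__":
    print("vulnerable under attack:", demo(vulnerable_open))          # SECRET
    print("hardened under attack:  ", demo(hardened_open))            # blocked
    print("hardened, no attack:    ", demo(hardened_open, attack=False))  # REPORT
```

The same design rule applies to the airport example in the notes: bind the authorization to the thing actually used (the descriptor, the session, the person in front of you), not to a name or token that can be exchanged after the check.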
Community/Professionalism 5#
Thanks @nicolecomp6441 for sharing with me the link to a helpful resource about the Vigenere cipher
Community/ Professionalism 4#
This is me and @oofdezza helping each other with mid-sem exam practice on a late Friday evening before the exam. Thanks for staying up pal.