
ELS session

    "CyberProtect" - Learning about System Security
    ELS session posted June 18, 2012 by Ann D O 
    Name(s), affiliation(s):
    Ann O'Brien, University of Wisconsin - Madison
    August 6, 2012 10:45am - 12:00pm



    • Robert E Jensen

      "Java Is No Longer Needed. Pull The Plug-In," by Antone Gonsalves, ReadWriteWeb, September 5, 2012 ---

      For nearly everyone, it’s time to dump Java. Once promising, it has outlived its usefulness in the browser, and has become a nightmare that delights cyber-criminals at the expense of computer users.

      Java Today

      Sun Microsystems released Java in 1995 as a technology for building applications that could run on any platform, including Windows, Macintosh and Linux. In its heyday, major browsers embraced Java for running applets within pages. All anyone needed was a browser plug-in for executing programs.

      Today, that plug-in has become a top security risk, along with Adobe Flash. Partly to blame for the problem is Oracle, which acquired Sun and its invention in 2009. The database vendor has heightened the risk by failing to launch timely patches.

      The latest security meltdown is a case in point. Despite being warned in April of critical vulnerabilities, Oracle did not get around to releasing an emergency patch until last week, after reports that cyber-criminals were exploiting the flaws. Security Explorations, the Polish firm that first reported the vulnerabilities to Oracle, later said the patch contained a flaw that could be used to circumvent the fix.

      The Latest Threats

      In the meantime, criminals are having a field day. Atif Mushtaq, security researcher at FireEye, says the number of computers infected with malware exploiting the flaws is growing. As of Tuesday, up to a quarter-million computers had been infected. Hackers are at an advantage because computer users are laggards when it comes to applying Java patches. Up to 60 percent of Java installations are never updated to the latest version, according to security vendor Rapid7.

      Over the just-past Labor Day weekend, the SANS Institute’s Internet Storm Center and Websense reported finding separate phishing campaigns trying to lure people to malicious sites capable of exploiting the vulnerabilities. SANS discovered link-carrying emails that copied a recent Microsoft message about service agreement changes. Websense found emails disguised as order verification messages from Amazon.

      Security experts rate the latest flaws as critical, because hackers can use them to commandeer a computer and take whatever data they want. Risking that kind of damage for a technology with little purpose makes no sense.

      What Security Experts Advise

      Security experts are hard pressed to say what Java does for most people. While some online games and business applications need a Java plug-in to run, nearly all modern sites, including Facebook and Twitter, use JavaScript, XML and HTML 5, which run natively in the browser. Therefore, people could happily surf the Web for years without ever running Java.

      Those who are using a Java application should run it in a dedicated browser that’s used for nothing else, Patrik Runald, director of security research at Websense, says. Another browser should be used for daily Web surfing. “I’ve run a browser with Java disabled for years,” he said.

      Supporters once believed that Java would play a significant role in running Web applications. That never happened. Instead, browsers became the operating system for the Web. “(Java) never took off the way it was anticipated,” Runald said.

      So the verdict is clear. Disable Java plug-ins in all browsers, whether Firefox, Chrome or Internet Explorer. Java’s glory days are over and it’s time to pull the plug.

      Bob Jensen's threads on computer and networking security ---


    • Robert E Jensen

      The credit cards issued in other countries are much safer! Why does America lag so far behind?  by Joshua Brustein, Bloomberg Businessweek, December 23, 2013 ---

      Jensen Comment
      The sad part of this is that fraudulent charges not caught by consumers are borne by those consumers and not the credit card companies or the insurance purchased by consumers for protection. The key for consumers is to verify every charge on every account. Yeah Right!

      I'm told that credit companies rarely prosecute the thieves who are using the stolen credit card numbers. First the charges are often made from outside the USA thereby causing jurisdictional complications. Second the cost of prosecuting generally exceeds recovery thereby adding losses to losses. The sad part of this policy is that there's no deterrence if thieves know they won't be prosecuted.

      Bob Jensen's threads on Identity Theft: Phishing, Pharming, Vishing, Slurping, and Spoofing ---

      Bob Jensen's Fraud Updates are at

    • Robert E Jensen

      From the CFO Journal's Morning Ledger on February 7, 2014

      Target breach began with contractor’s billing link
      The hackers that carried out the massive data breach at Target appear to have gained access via a refrigeration contractor in Pittsburgh that connected to the retailer’s systems to do electronic billing, the WSJ’s Paul Ziobro reports. Fazio Mechanical Services, a privately held company with about 125 employees, said Thursday it was “a victim of a sophisticated cyberattack operation” and was cooperating with investigators at the Secret Service. The connection between the two companies is another reminder of the risks faced by large corporations when they grant contractors access to their large, interconnected computer systems.

      February 7, 2014 reply from Steven Hornik

      I've been collecting articles about this breach in a FlipBoard that I use for my grad AIS class, which is really a computer/network security class - you should see the faces of the accounting students when they realize what they are in for! At any rate, it's best to view on a tablet or smartphone, but here are links to the two FlipBoards I use in my class that you can view via a browser: one is the Target FlipBoard and another one that I use in my class that students contribute to for jump-starting conversations.
      Let me know what you think.
      Dr. Steven Hornik
      University of Central Florida
      Dixon School of Accounting

      Second Life: Robins Hermano
      ReallyEngagingAccounting Island
      twitter: shornik


    • Robert E Jensen

      "Prevention Measures to Help Counter E-Commerce Fraud," Deloitte WSJ, February 21, 2014 ---

      Last year, U.S. prosecutors made public a sophisticated, almost “Ocean’s 11-type” scheme involving hackers who were part of an organized cybercriminal network and stole $45 million by penetrating the security of two credit card processors. The swindle compromised only 17 accounts belonging to two banks, with one of the accounts having been robbed of $12 million. Among other illicit actions, the hackers cracked the codes for the processor’s authorization system, set the account balance to infinite and changed security rules so information being sent through the system did not trigger alarms associated with unusual activity or withdrawal limits. The organized crime group kept a small portion of the funds, wiring most of it back to the hacker groups.

      Such elaborate and organized hacker schemes are one reason why fraud detection and prevention have been elevated to the C-suite.

      “Along with the positive impact of digital commerce comes the risk of fraud to businesses and customers,” explained David Williams, CEO, Deloitte Financial Advisory Services LLP, speaking during a Deloitte webcast, E commerce and Payments Fraud on the Rise: Protection Techniques for Banks and Consumers.

      The rising concern about fraud was evident among webcast viewers. Nearly half (47.3%) of more than 2,400 executives and managers responding to an online poll question during the webcast reported that fraud protection ranks as a “high priority” for their organization, with an additional 8% citing fraud protection as their organization’s number one priority.

      Continued in article

      Bob Jensen's threads on computers and networking security ---

    • Robert E Jensen

      "Think twice before pulling up personal information online from a hotel room or coffee shop," by Cale Guthrie Weissman, Business Insider, March 27, 2015 --- 

      Abundant Wi-Fi is one of the best 21st century conveniences. But while the ease of an open hotspot may be enticing, be careful: Hackers are constantly looking for vulnerable access points to intercept data.

      Earlier today we reported on a huge internet vulnerability plaguing the hospitality world. Networking equipment often used by hotel chains had a gaping security hole that allowed hackers to gain access into the network and monitor and tamper with any traffic that flowed through. Anyone who used the hotels' Wi-Fi stood the chance of having their traffic intercepted.

      We asked the security expert behind this finding, Justin W Clarke, if he thought this meant that all hotel Wi-Fi networks are a hot-bed for nefarious cybercrime.

      He wouldn’t go so far. Clarke is a researcher that sees vulnerabilities like these all the time. This week's discovery, while frightening, is an example of the need for security diligence, and for businesses to ensure their infrastructure is secure.

      “The reality,” Clarke said, “is that there’s no perfect way to access the internet.” He added that personally he would think twice before checking his bank account at a hotel or cafe. This gets at a critical point most people overlook.

      This week's finding isn't about hotels per se; it's about the freewheeling nature people have when they surf the web. People quite often share their data in potentially unsecure environments.

      On the extreme opposite end, some individuals may use separate computers only to check their financial information.

      There's a middle-point, where people are more mindful of whether their data can get intercepted. It's probably wise to not log personal information unless you're absolutely sure about security. Unless you are in your own private network, it’s hard to be sure where your data is going.

      Additionally, there are safeguards users can adopt to further protect themselves. People can use virtual private networks (VPNs) to encrypt their traffic. In fact, that’s what many security experts — including Clarke — do when using public hotspots.

      Use common sense. Just think: What am I accessing right now? Is it private? Is my network private? Would it be bad if a third-party could intercept this traffic? Then proceed.

      "Hackers may have had access to hundreds of hotels without anyone knowing," by Cale Guthrie Weissman, Business Insider, March 27, 2015 ---

      Jensen Comment
      To date I have four different friends who commenced to send me suspicious promotional emails for questionable products. It turns out their email systems were probably hacked when they were using computers in hotels. I just came back from a three-day trip to Boston (sadly Erika will soon have yet another (her 16th) spine surgery). I just stayed away from our Boston hotel's Wi-Fi system. It was great for catching up on some reading.

      If you use a hotel computer for email it is wise to change your password as soon as you get home, although that is no assurance the bad guys did not get into your mail before you got home. Better yet have a friend log in as you just to change your passwords while you are on the road.