Archive for July, 2008

Housekeeping Updates

July 29, 2008 Steve S

I wanted to update my readers on a few things, so here it goes.

  1. A big shout out goes to readers of Digital Frontier for pushing me over 3,000 total views.  I had (and am currently still having) a terrific month of July with over 1,300 views.  This is no doubt due to the popularity of the iPhone/iPod Touch Penn State VPN Wi-Fi story I am currently running and constantly updating.  I have
  2. You may have noticed that I’ve ramped up the number of posts over the last four or five days.  This is due to me finally having some time to sit down and do research for each of those posts.  I hope to get back on track as the summer draws to a close and school starts again.
  3. I am currently preparing an interactive timeline news feed that will be used in conjunction with this blog.  I will have one initially that will be like the Daily Links article that I publish every so often.  Check back later for more news on that front.
  4. Next on my list of updates is a new blog I have started.  It is called Volunteer @ Penn State and you can find it at this location.  It is my desire to find a group of people that will help me update and maintain the site.  This will involve communication with Penn State clubs and groups as well as entities located in State College.  Please email me at sjs5196 {at} psu {dot} edu with “Volunteer @ Penn State” in the subject line if you are interested.  I believe this has lots of potential, and it may even spill over to other schools.  There is also a link in my blogroll on the right hand side of this blog.
  5. If anyone is interested in guest authoring a blog post on Digital Frontier, please let me know.  I am open to content suggestions and want to diversify what Digital Frontier already offers.  Contact me at sjs5196 {at} psu {dot} edu with “Guest Blogging” in the subject line if you are interested.
  6. If you have comments or suggestions for Digital Frontier, I would love to get some input.  Whether it be about the design or about the content, I’m open to comments.  Either email me with them, or comment directly on this post.

The Case Of The San Francisco Hacker

July 29, 2008 Steve S

A computer engineer by the name of Terry Childs continues to hold San Francisco’s brand-spanking-new computer network hostage. The multi-million dollar system, called FiberWAN, is protected by Childs’ password, which gives him the only key to the city’s emails, confidential law enforcement documents, city payroll files and inmate booking information. Childs was taken into custody on July 13 and has since been charged with four counts of computer tampering. He is currently being held on five million dollars bail. He initially gave police a password, but it didn’t work. Even under pressure, he refused to give authorities the correct password.

A city official familiar with Mr. Childs’ case says that the system administrator, who had been working in the position for five years, had been disciplined for sub-par performance. Additionally, the city official said that his superiors had even tried to fire him. Luckily for Mr. Childs, he had a premium insurance policy: San Francisco’s network. Authorities say that Childs started messing with the network on June 20th and that his work could cost the city millions of dollars to fix the denial of service.


U of Pittsburgh Cancer Institute’s Report on Cell Phone Use

July 28, 2008 Steve S

The University of Pittsburgh’s Cancer Research Institute has issued a very important message regarding cell phone usage. In a memo sent to 3,000 faculty and staff, Dr. Ronald Herberman (director of the Research Institute), says to limit cell phone use because of the possible risk of cancer. This message is contrary to a multitude of other studies that see no link between cell phone usage and cancer. Even the Food and Drug Administration has expressed a certain lack of public worry on this topic.

Dr. Herberman admits that this warning is based on unpublished data, but believes we should act now in order to mitigate cancer risk. He has this to say:

“Really at the heart of my concern is that we shouldn’t wait for a definitive study to come out, but err on the side of being safe rather than sorry later,” Herberman said.

His recommendations include a few things targeted to both kids and adults. For children, Dr. Herberman says to limit cell phone use to emergencies only because their brains are still developing. In terms of adults, he says to keep the phone away from the head and use the speakerphone or a wireless Bluetooth headset. Dr. Herberman goes on to say that we should even limit usage in public places because it exposes the risk to those around you.


The Recent DNS Vulnerability

July 28, 2008 Steve S

A few weeks ago, a security analyst named Dan Kaminsky gave a few scant details on a DNS Vulnerability. Up until now, the details have been kept secret since Mr. Kaminsky discovered the problem several months ago. Due to an accidental blog posting, the problem has been released into the wild and can be easily taken advantage of. DNS stands for Domain Name System and is a critical link in Internet infrastructure. Wikipedia explains DNS:

The Domain Name System (DNS) associates various information with domain names; most importantly, it serves as the “phone book” for the Internet by translating human-readable computer hostnames, e.g. www.example.com, into IP addresses, e.g. 208.77.188.166, which networking equipment needs to deliver information.

Four days after the vulnerability was detailed, hackers produced an exploit that takes advantage of unpatched systems. The problem itself involves hackers poisoning the DNS so that it re-routes traffic to a website of their choosing. Let’s say you type in www.google.com, and the DNS server your computer uses to find other computers/servers on the Internet has been hacked with this technique. Instead of sending you to Google’s homepage, it might send you to www.nigerianmalwareporn.com. I can’t speak for everyone, but that is an experience I would like to avoid.


Love XP and Hate Vista? You Are Going To Love “Mojave”

July 27, 2008 Steve S

It seems as though Microsoft is finally firing back in response to Apple’s all-out advertisement assault on Windows Operating Systems.  As Apple gains a larger foothold in consumers’ homes and offices (an alleged 8.9%), its competition is starting to realize the threat it faces if it does not act.  Microsoft’s new ad campaigns (which we have heard whispers of over the last few months) are starting to show up.  Last week, a story broke that a large group of people that use a variety of Windows, Apple and Linux Operating Systems were shown a new, experimental version of Windows called “Mojave”.  Before being shown a demonstration of the new OS, they were asked on video to give their impressions of Windows Vista and most gave a decidedly negative view of the year-old OS.  After being shown the video, over 90% had purportedly given positive feedback on the “Mojave” OS.

Then, the group of people were told that the “Mojave” Operating System was just Windows Vista all along.

A Cnet article had this to say:

“Oh wow,” said one user, eliciting exactly the exclamation that Microsoft had hoped to garner when it first released the operating system more than 18 months ago. Instead, the operating system got mixed reviews and criticisms for its lack of compatibility and other headaches.

The teaser site for the video that will be released this coming Tuesday has been put up.  You can find it here with some details on how they set up the experiment.

In my opinion, this is a step in the right direction for Microsoft.  To be honest, Apple’s TV ads are amusing and they connect with everyday people.  It’s about time Microsoft stepped up now that its Windows Vista OS is more mature.  With Windows 7 in heavy development, Microsoft needs to gain some advertising momentum that is going to make Windows more attractive to consumers.  Since Windows 7 is going to be built off of Vista, they need to get their proverbial ducks in a row.  With cool upcoming features like native multitouch support and a strong foundation, Windows has a lot to offer.

Hilarious…But Mostly Sad

July 26, 2008 Steve S 1 comment

So I understand that living in the D.C. Metro Area has its share of problems.  The biggest problem residents and visitors alike recognize within seconds is the traffic.  Every once in a while I’ll see some kind of traffic accident/situation that just makes me laugh (only when people aren’t hurt).  I’d like to share a recent sighting that points to the hopelessness of drivers in this area and in general.  As funny as the pictures are, it still makes me weep for the future.  So without further ado, here it is.  Click read more for the accompanying picture.

The License Plate In Question


A Real Competitor To The Omniscient Wikipedia

July 24, 2008 Steve S

I was made aware yesterday that Google has been working on their own version of Wikipedia since December.  The system, named Knol, is set up in a similar way, but there are a few changes that may end up making the new competitor an even more valuable resource.  According to their webpage, “A knol is an authoritative article about a specific topic.”  Their service discourages anonymous article authors.  Instead, the Knol team hopes to encourage subject matter experts to submit information.  To do this, a verification process has been put in place which verifies your name with provided (and registered) credit card information.  An additional verification system has been put in place that does the identification check over the phone.  This gives authors a higher level of impetus to write what is the truth.  Additionally, Google will be paying article writers with the advertisement money from their Ad-Sense ads.  The service will also allow people to comment on a written article and make suggestions to the original author to improve the article.  This way, the author stays in control of what they have written, but can accept alterations to their work.  Google has made a point to say that they will not be performing an editorial screening of a given post.  I’m assuming that they will monitor posts for pornographic and other questionable content.

In terms of current content, a large majority seems to be medical related.  I’m sure as people start finding out about this service, there will be a wealth of information.  You can find the page here.

Movie Review- The Dark Knight

July 19, 2008 Steve S

I know I usually don’t do reviews on movies, but this was too good to pass up.  Last night, I saw the newest installment of the Batman movies, The Dark Knight.  Let me just say that it was probably the best movie I have seen in a long, long time.  For the past five years, every time I watched a movie, I’d pick the plot apart and anticipate everything.  Additionally, I’d think about how they did all the effects and screenplay.  With Dark Knight, all that internal dissection disappeared as I got deeper and deeper into it.

I would like to note that Heath Ledger’s performance as The Joker was simply stunning.  Every time he was on screen, I didn’t know whether to laugh at what he said/did or be disgusted.  It was truly magical.  A lot of people have been saying that he’s going to win a ton of awards because he’s dead and people feel bad, but I believe that he could have won tons even if he was alive.

Here is the trailer for the movie:

Now, I didn’t really think much of the trailer, but I still wanted to see the movie because the first Christian Bale version was good.  The actual movie trumped all expectations.  So go out and see it.  If I felt fine about spending $10 for a single ticket, then it must be good.

As if the movie wasn’t good enough, the previews contained teaser trailers for the upcoming James Bond movie “The Quantum of Solace” and the new Terminator movie which stars Christian Bale.

Updated: iPhone/iPod Touch With Penn State Wi-Fi…And Other Details

July 14, 2008 Steve S 59 comments

Update August 24, 2008

Both methods seem to be working fine.  I am posting the settings at the top of this post so you don’t have to scroll down anymore.  Here they are:

Go to Settings > General > Network > VPN > Add VPN Configuration > IPSec tab. Then enter the following details:

Description: <Whatever>
Server: mobility.up.psu.edu
Account: <PSU Username>
Password: <PSU Password>
Use Certificate: Off
Group Name: pennstate
Secret: pennstate

Then save it, and on the first page of settings there is now an On/Off toggle for the VPN. Just flip the switch whenever you need to connect to PSU’s wireless.

If they don’t work for some reason, please let me know and I will amend them.

Update: August 14, 2008

The ITS Alert has been updated to report that the iPhone/iPod Touch now function correctly with the VPN.  Several sources have told me that it is consistently working.  What I would like to know now is if the settings that were originally posted here (now at the bottom of the page) work.  The settings given at the bottom of this post are shorter than the steps listed on the personal page that I posted the other day.  Leave a comment, let me know how it goes!

Update: August 13, 2008

An email to the person whose instructions were posted on his personal page resulted in a link that I’ve posted here before.  Hit up this link to see an update to the upgrade of the Penn State VPN.  The upgrade should allow for the successful connection of the iPhone and iPod Touch to PSU Wi-Fi VPN.  From the update:

The vendor has released the new code that should resolve the iPhone and iPod Touch issue. TNS will be loading the new code during the maintenance window on Wednesday 8/13/08. During this upgrade ITS wireless service will not be available from 5:00AM to 7:00AM.

So that means that in a few hours, they will be rolling out an update to the network.  It would be great if some people could test it out on both the iPhone and iPod Touch.  Let me know in the comments if it works for you.  Thanks!

Update: August 11, 2008

A link from the Macrumors.com forum post that offers spectacular step-by-step instructions (w/ screenshots) has been posted.  The instructions have you put in the off campus VPN information.  Can someone on campus test to see if this method works?  In the meantime, I’ll contact the person that posted this information to see if he’s had any luck.

Updated August 7, 2008

An update from ITS in an email:

Hello,

Unfortunately, there still does not appear to be a fix. NOC just put out an alert about some problems with wireless connection on campus, which stated that they are still trying to resolve the issues with the iPod touch and iPhone. For more information, please visit http://alerts.its.psu.edu/alert-801

I’m sorry that I can’t give you any more information. We will make every attempt to keep users updated as more information becomes available. Thank you for contacting the ITS help desk.

Updated July 24, 2008:

So I emailed the Helpdesk at ITS today. They replied with a “there are no updates to report at this time”.

Boring!!!

We have not been able to work out a solution on my blog but some good discussion is going on. Please give it a look and leave a comment with your thoughts.

I have a feeling that the problem lies with Penn State’s network. In that case, we would have to wait until they configure the VPN server to accept this kind of device.

Updated: I have moved all related information to this location.  I created it so I can continue to run stories on my blog, while still keeping the information everyone wants/needs.  Bookmark this new page because I’ll be updating it when ITS comes out with a solution.  Thanks for reading!

Original Post:

I wanted to do a post on a few things related to Penn State’s network.  The first concerns an upgrade to the network and the second concerns the iPhone/iPod Touch.

As most Penn State students know, we must connect to wi-fi on campus via VPN connection.  Problems still plague this technique, as connection speeds are slow and VPN (in my opinion) is unreliable.  The story broke a few months ago, but Penn State is testing new connection methods over on Services Road (close to the Blue Band Building).  This new system only requires your Penn State Access Account Name (abc123@psu.edu) and your password.  This eliminates the need for VPN completely and will make connecting easier.  Devices that Penn State does not have VPN compatible software for (think cell phones or PDAs) will suddenly be able to access and surf the internet.  This method should, in theory, increase speed as the connection will connect directly through the internet, instead of being passed through VPN servers.  I have asked ITS about the current status of this upgrade, but they weren’t sure.

The second order of business also concerns using the Penn State wi-fi access points.  Since the release of the first iPhone, and the subsequent release of the iPod Touch, people have been looking for ways to connect these innovative devices to Penn State.  With the release of OS 2.0 for the iPhone and iPod Touch, support for Cisco VPN has been introduced.  I sent ITS an email asking what the procedure for connecting to Penn State with these two devices was.  They responded that they currently didn’t know, but would know for sure in a few weeks.  Knowing this, I turned to online forums dedicated to the iPod Touch.  A Penn State user posted the following in response to my inquiry:

I’m using it on Penn State’s VPN just fine. Go to Settings > General > Network > VPN > Add VPN Configuration > IPSec tab. Then enter the following details:

Description: <Whatever>
Server: mobility.up.psu.edu
Account: <PSU Username>
Password: <PSU Password>
Use Certificate: Off
Group Name: pennstate
Secret: pennstate

Then save it, and on the first page of settings there is now an On/Off toggle for the VPN. Just flip the switch whenever you need to connect to PSU’s wireless.

Another forum poster to my thread admitted that they were having problems, but I see no reason why these settings should not work.  If you have had success connecting to Penn State Wi-Fi using the iPhone or iPod Touch, leave details in the comments (especially if the settings I have posted are wrong).

UPDATE:
I got an email from ITS this afternoon giving some details about what was going on.  The email follows:

Hello Steve,

Staff in ITS who had also been testing the new software before its release last Friday experienced the same thing that you did – it worked, then it stopped working. At this point ITS staff are actively working and testing possible solutions and an announcement will be made as soon as a solution is found.

Thank you for contacting the ITS Help Desk.

So I will keep you all posted.  It seems as though a ton of people are interested in this topic.  Keep leaving your comments of experiences.  If you find a workaround, please post it for everyone to see!

Cyber Security Conference, Part Three of Six

July 10, 2008 Steve S

The moment you all have been waiting for has arrived- I have finally posted another Expo speaker summary.  This is another content post of my summary of the day’s events at the DGI Cyber Security Conference and Expo.  Click here for the overview post of the conference.

The third speaker was equally as interesting and entertaining as Mr. Chun’s presentation.  The third speaker was Rick Mellendick who is the Senior Architect of the Cyber Operations Lead at Bearing Point.  His topic was detailing a proactive approach to develop a road map of cyber security.  The title of the presentation was “Offensive Capabilities for Defensive Posturing.”

Mr. Mellendick touched on the fact that security professionals must think outside the box when it comes to strategy.  Now, in my opinion, that phrase is pretty overused, especially when it comes to the IT industry.  He does, however, make a good point as our current security strategies are not sufficient enough to get the job done.

He makes the following assumptions about network security:

  1. Our networks are attacked regularly.
  2. There are vulnerabilities that we don’t mitigate because it is either too expensive or not worth it to fix them.
  3. The enemy is within and is taking data and bandwidth.
  4. The enemy isn’t the “traditional” adversary.
  5. Concerning mobile communication devices:
    • People use Blackberries for normal work operations
    • Normal work operations involve some “sensitive” data.
    • Blackberries have code running on them that is secure.
    • 10% of you have handhelds that are broadcasting, and 2 are insecure. (Presumably, he scanned the conference room for Blackberry/Smartphone connections)

As for the current methods of defense, most fall short.  Firewalls can only stop what they are set up to stop, and they allow authenticated traffic, which can be exploited by hackers.  An additional problem is that administrators need a high level of training which, as it turns out, is very expensive.  The fact that networks are changing all the time, but network configurations are not, is a huge problem.  The current solution to handle an issue with a firewall is to open a port, which basically defeats the whole purpose of a firewall in the first place.  Two additional attack vectors are what are known as IPS and IDS.  These are used to create an abnormal amount of administrative trusted connections on the network.  Oftentimes, these attacks are brought upon by improperly configured appliances and the utilization of old and outdated signatures.

The current issues with cyber operations are numerous.  Mr. Mellendick chose to focus on a few.  First, cyberspace is finally being realized as a legitimate battlefield.  Cognizant of this fact, people are finally realizing that protecting this new battlefield is critical to global operations and that current implementations of info assurance are too passive.  The proposals are as numerous as the problems.  He suggests that security professionals must work together to create a unified framework for the consolidation of Cyber Operations.  Sidenote: almost every speaker at the conference talked about how requirements and strategies need to be consolidated and fleshed out. We must test both infrastructure and tools, and reverse engineer malware and attacks.  He urges that we encourage agile development for CND RA tools, and that we alter our present practices to enable proactive defenses.  As it turns out, the benefits are numerous as well.  The migrations from passive to active postures lead to both offensive and defensive security positioning.  Under these new practices, networks have become more stable and serve as effective baselines, while at the same time defensive modules are becoming more unified.  A powerful tool (which has worked wonders for the military) is providing a proactive defensive strategy using the adversary’s tactics against them.  Coupled with active malware detection, mitigation and response, this change in posture will result in a lot fewer headaches.

In the future, the exemplary speaker noted that we must protect more than just IT networks.  Using active defenses and holistic approaches, we can triumph over present day security issues.  Additionally, security professionals will take Black Team concepts and use them to make aggressive network assessments.  Using the right tool for the right job, and the right people for the position can make all the difference in the world.  Modern day attacks on non-IT network systems like transportation, water and electricity have clearly shown the world that there is a need for the expansion of security procedures and methods.

Mr. Mellendick made a few particularly awesome statements in the second half of his presentation.  He discussed the topic of active defense.  In this scenario, the nature of the beast is much like the Cold War between the U.S. and U.S.S.R.  A show of force, mixed with a preemptive (rather than reactive) response goes a long way to deter enemies.  In this way, we are able to use offensive capabilities for defensive actions.  He went on to explain that in the future of network security, professionals will use three tactics to defend networks.  The first is Network Fast Flux DNS.  This technique alters the internal DNS records of the server environment and allows for the avoidance of DNS based DDoS attacks.  Since malware can change its DNS information on the fly, servers are particularly susceptible to concurrent attacks.  If the server in question is in a fast flux, that is to say always changing, it means we are fighting fire with fire.  The next tool we can use is Network Tool Recording or NTR.  This practice essentially employs basic tools like SSH and NMAP.  These tools record information on the network, which is logged to a central database.  Even though this means that there is a boatload of new data, people can use simple analytics and basic heuristics to manage the flood.  An important feature of this concept is that the tools reside in a tool repository that is accessible to users.  And lastly, reverse proxies can be used to great effect.  Essentially, the reverse proxy is a proxy server that is placed within a network DMZ which dispatches in-bound network traffic to a set of predetermined servers.  This strategy has many benefits.  First, it can optimize and compress content to deliver it to users faster.  It pinpoints separated connections to add an additional layer of non-traditional defense.  Even though the end-user sees a single interface, the traffic is randomized.

The net view of cyber operations was displayed in a cyclical manner during the presentation.  This is a transcription from the original:

Full Spectrum of Cyber Ops:

  • Protect
    • High Assurance
    • FR Protect
    • Security Mobile Code
    • Boundary Controllers
    • Embedded Systems
    • IA Wrappers
  • Prepare
    • Early Warning
    • Data Hiding/Marking
    • Network Tool Recording
    • Stronger Policy Enforcement
  • Predict
    • Data Mining
    • Intelligent Agents
    • Effective Enterprise Defense
    • Rogue Wireless Detection
  • Assess
    • Situational Awareness
    • Forensics
    • Decision Support
    • IO Planning
  • Response Actions
    • Active Exfiltration Prevention
    • Active Response
    • Fault Tolerant Networks
    • Effects-Based IO

I will quote Mr. Mellendick’s presentation as I cannot say it better myself:

The New Paradigm:

Open source tools and tool boxes tend to be a mixed collection ranging from very professionally developed and supported tools, to scripts developed on the fly to perform a specific task.

Through a deeper knowledge of defensive and offensive techniques, along with a shift from current penetration testing techniques, many new vulnerabilities can be and are found and mitigated in advance.

The need for determining new zero day and unpatched vulnerabilities is the best defense against the adversary.

Use of offensive techniques gives the network defenders the best chance to protect their soon to be deployed appliances, processes and currently administered networks.

It was really great to hear his perspective on all these topics.  He covered a lot of ground (as you can probably tell) but made everything really enjoyable to listen to.  Leave your comments below.