
    Social Engineering

    Manipulative communication—from early twentieth-century propaganda to today's online con artistry—examined through the lens of social engineering. The United States is awash in manipulated information about everything from election results to the effectiveness of medical treatments. Corporate social media is an especially good channel for manipulative communication, with Facebook a particularly willing vehicle for it. In Social Engineering, Robert Gehl and Sean Lawson show that online misinformation has its roots in earlier techniques: mass social engineering of the early twentieth century and interpersonal hacker social engineering of the 1970s, converging today into what they call “masspersonal social engineering.” As Gehl and Lawson trace contemporary manipulative communication back to earlier forms of social engineering, possibilities for amelioration become clearer. The authors show how specific manipulative communication practices are a mixture of information gathering, deception, and truth-indifferent statements, all with the instrumental goal of getting people to take actions the social engineer wants them to. Yet the term “fake news,” they claim, reduces everything to a true/false binary that fails to encompass the complexity of manipulative communication or to map onto many of its practices. They pay special attention to concepts and terms used by hacker social engineers, including the hacker concept of “bullshitting,” which the authors describe as a truth-indifferent mix of deception, accuracy, and sociability. They conclude with recommendations for how society can undermine masspersonal social engineering and move toward healthier democratic deliberation.

    Privacy through security: policy and practice in a small-medium enterprise.

    The chapter discusses how one small business planned for, and implemented, the security of its data in a new enterprise-wide system. The company's data was perceived as sensitive, and any breach of privacy as commercially critical. From this perspective, the chapter outlines the organizational and technical facets of the policies and practices evidenced. Lessons for other businesses can be drawn from the case by recognizing the need for investments to be made that will address threats in business critical areas. By highlighting the need for organizations to understand the nature of the risk and the probability of an event occurring, the security approaches highlight the need to address both the threats and actions in the event of an incident to reduce the risk to privacy.

    A framework for hardware security evaluation (Um framework para a avaliação de segurança de hardware)

    Advisor: Ricardo Dahab. Dissertation (master's), Universidade Estadual de Campinas, Instituto de Computação.

    Abstract: The hardware of computer systems plays a critical role in the security of operating systems and applications. Besides providing standard features such as execution privilege levels, it may also offer support for encryption, secure execution, secure boot, and others. In order to guarantee that these security features work correctly when inside a system, and that the system is secure as a whole, it is necessary to evaluate the security of the architecture during the hardware development life-cycle. In this work, we start by exploring the different types of existing hardware vulnerabilities and propose a taxonomy for classifying them. Our taxonomy is able to classify vulnerabilities according to when they were created during the development life-cycle, as well as separating real hardware vulnerabilities from software vulnerabilities that leverage standard hardware features. Focusing on a specific type of vulnerability, the architecture-related ones, we present a method for evaluating hardware systems using the Assurance Case methodology. This methodology has been used successfully for safety analysis, and to the best of our knowledge there are no reports of its use for hardware security analysis. Using this method, we were able to correctly identify the vulnerabilities of real-world systems. Lastly, we present the proof-of-concept of a tool for guiding and automating part of the proposed analysis methodology. Starting from a standardized hardware architecture description, the tool applies a set of expert system rules, and generates an Assurance Case report that contains the possible security vulnerabilities of a system. We were able to apply the tool to the studied systems, and correctly identify their known vulnerabilities, as well as other possible vulnerabilities.

    Master's; Computer Science; Master in Computer Science.

    Impact of Digital Security Incidents in Colombia 2017

    The Latin American and Caribbean (LAC) region shows evidence of a broad and growing adoption of information and communication technologies (ICT). More than half of the population connects regularly to the internet, and it is the region with the heaviest use of social networks. Connectivity offers clear economic benefits, by increasing its productivity and offering opportunities for inclusion to all citizens. However, the digital environment carries risks that we cannot afford to ignore: government entities, private companies, organizations, and individuals are exposed to the growing threats of cybercrime. The present instrument, developed by the government of Colombia, through its Ministry of Information and Communications Technologies (MINTIC), the Organization of American States (OAS), and the Inter-American Development Bank (IDB), offers a vision of the level of preparation of Colombian public entities and private companies to face threats to their digital security. It also allows for a deeper awareness of the economic costs of cyber incidents for different sectors of the country's economy, presenting findings in terms of enterprise profiles. This report provides much needed data to quantify the scope of the impact of cyberattacks in LAC, along with recommendations for strengthening the capacity of the public sector and private enterprises to prevent them.

    Contributions and assessments for converging VPN architectures with scalability, security and quality of service

    Advisor: Yuzo Iano. Thesis (doctorate), Universidade Estadual de Campinas, Faculdade de Engenharia Elétrica e de Computação.

    Abstract: The following years will be dominated by next generation network technology for telecommunication providers, equipment suppliers and users who emphasize the integration of mobile wireless networks such as 3G and 4G with traditional fixed networks - an integration often dubbed as network convergence. As a consequence of convergence, it is possible to observe that various fixed and mobile telecommunication providers are beginning to offer basic broadband services and equipment suppliers have initiated corresponding homologation processes, in which the only service made available by providers that utilize mobile and fixed broadband networks is internet access. This thesis presents alternatives to integrate the fixed and mobile network of providers so as to offer MVPN (Mobile Virtual Private Network) and fixed services for applications that require mobility, low cost, quality of service, connectivity and security with high scalability. The main solutions for broadband access for MVPN formation are presented to offer mobility. These solutions are analyzed and assessed in order to show their deficiencies for the utilization in VPN accessing. Quality of service, connectivity, security and scalability will be reached with the implementation of MPLS (Multi-Protocol Label Switching) in the core network. The implementation of MPLS in the core network consolidates transportation for several wireless and fixed access technologies, reducing the operational costs of providers, making networks more scalable and trustworthy, thereby preparing the provider for fourth generation (4G) access networks. Based on the requirements of the applications that will travel in the VPN, new contributions are proposed for fixed-mobile VPNs so that they meet these requirements with high scalability, mobility, security, connectivity and quality of service, both for the user and the provider. To validate the proposed contributions a test environment was implemented to evaluate the connectivity and isolation of the VPNs and the quality of service. Two proposals to solve the VPN scalability problems are presented, one based on ACL (Access Control List) and the other based on firewall. An IPSec (IP Security Protocol) on MPLS proposal is also presented in order to solve configuration errors made by telecommunication providers.

    Doctorate; Telecommunications and Telematics; Doctor of Electrical Engineering.