Ethics and Information Security

DuckDuckGo: Search Anonymously, Find Instantly.

DuckDuckGo is a search engine startup that rivals Google. The creator, Gabriel Weinberg, didn’t originally want to create a search engine. It was more a culmination of failed ideas, combined to create this alternative way to find information on the web. By combining these ideas he has created a unique search experience that offers instant answers and private searches along with the usual link-by-link results.

CRM (Customer Relationship Management)

Customer relationship management (CRM) is about the management of the clientele, their records and their relationships, and about using this data to further develop customer relations policies and management decisions. Basically, CRM is the integration of people, technology and the business process in the quest to protect the existing clientele and provide opportunities to further enhance the circle of customer satisfaction. According to the company Arvato, a leader in CRM, it “develops and operates customer clubs, customer loyalty programs, and individualized bonus programs for end customers and business partners, as well as carrying out special promotions and other personalized incentive arrangements.” So in the quote above the company states that without its CRM it would not be able to achieve customer clubs and loyalty programs. CRM is the reason why such things as flyer miles and credit card points exist. CRM is the catalyst that provides useful information about the customer and the business dimensions defined by customer reviews and satisfaction. This information provides highly useful insight into customers and their behavior, which in turn helps marketers establish their target audience.

Database Security, Secerno Solutions

Database Security (IT’s biggest problem)

The author of this article, security guru and managing director of the UK company NGS David Litchfield, discusses database security and IT’s biggest problem by referencing the Black Hat conference, where he exposed over 20 vulnerabilities in IBM’s Informix database products. In this presentation I will discuss the two most prevalent areas of weakness in databases and a new technology, Secerno, introduced to supplement data security offerings and protect against hackers and data breaches.

Database Security: Oracle or SQL?

In her 2010 article titled “SQL Server Most Secure Database; Oracle Least Secure Database Since 2002”, Laura DiDio explores the security and vulnerability of the two leading database systems: Oracle and SQL Server. Right from the beginning, in the title, Laura explains how the SQL Server database is more secure than Oracle, and not just by a tiny margin. During an eight-and-a-half-year period, from 2002 to 2010, the NIST CVE (National Vulnerability Database) statistics recorded 321 security-related issues for Oracle, the highest of any vendor. This was six times more than were reported for SQL Server. DiDio explains that SQL Server’s unmatched security is not a fluke or luck of the draw; it is rather a direct result of Microsoft’s investment in the Trustworthy Computing Initiative, an initiative launched by Microsoft in 2002 in which they stopped code development across all products to scrub the code base and make their products more reliable and secure.

Common Security Mistakes in Web Apps

When creating a website, especially one that is either controversial or receives a lot of hits, one is entrusted with the golden realm of keeping the website secure. Beyond just getting the website up, one has to worry about a multitude of issues, including general security on the web. Is user data safe? Can an attacker inject fake data into your website? These are just some of the questions author Philip Tellis of Smashing Magazine raises. The first security mistake mentioned is Cross Site Scripting. This would be pulling and executing code from an attacker’s site, except on the server of the victim website. The second is Cross Site Request Forgery, where a website can trick visitors into performing an action on a victim site. The third valuable tip is Click Jacking, where buttons are invisibly coded onto websites to trick users into submitting information they never would have to begin with. The fourth is most relevant to our class: SQL Injection. SQL Injection is a method in which an attacker exploits inputs on the website to gain access to the database server and make changes to it with the control they’ve received. SQL injection even gives the attacker the power to run any line of SQL code they want on your server, including the drop tables function, which drops all information from your database. Similar to this is Shell Injection, which abuses privileges on websites to add unwanted JavaScript or HTML code. The last and most popular is Phishing, which is creating scam websites.

SQL Injections And Preventing Them

The article I read this week is titled “The Analysis of Database Remote Attack Defense” by Shuguang Wang and Shao Qian. The authors start off by saying that, due to the popularity of the Internet and the developments in database technology, database security is very important and has a direct effect on everything from the success of an enterprise to national security (Wang & Qian, 2010). Because all databases using SQL are prone to SQL injections, everyone should take measures to prevent unauthorized access into their database(s). The 4 steps that the authors describe in attacking a database are:

QR codes used for quick access to health information

In an article from computerworld.com, the author talks about emergency personnel using QR codes to quickly get access to people’s health information. A startup company in Silicon Valley, LifeSquare, has started implementing this technology with two emergency response agencies in Marin County. They will be using QR codes placed on stickers so that emergency workers can get quick access to information such as any previous injuries and whether the person is allergic to any treatments or medications. Due to privacy concerns, users of this new technology must sign up on the company’s website to be able to get a QR code. LifeSquare hopes this will improve on the previous method of retrieving such information, which was written on paper. Now it can be easily accessed from a database and possibly reduce the time it takes to get the patient to the hospital. This is a great technology to use. It is cheap and efficient. I see that people will adopt this and register their information with LifeSquare, and there may be some discounts added to patients’ insurance premiums for using this technology.

Health Care Security Issues Emerging

The article I chose for this week is “Wireless Tech Makes Health Care Security a ‘Major Concern’” by Antone Gonsalves. The article addresses the fact that medical equipment has advanced so much so fast that the security protecting those new technologies has lagged. Gonsalves points out that “While the Food and Drug Administration (FDA) regulates the manufacture of devices from design to sale, the agency does not have rules for how they should be connected and configured within a network. Therefore, it is up to medical facilities to make sure the devices, which often have access to patient medical information, are protected from hackers.” (Gonsalves). But there hasn’t been any recent news from medical facilities saying that their equipment is secured. The article also goes into some major incidents that could lead to a possible future extension of malicious hacker activity to medical devices and equipment. The examples in the article are hacking an insulin pump to change its settings, and hacking a defibrillator to cause a direct shock to the heart or to drain its battery within hours.

FBI Wants More Power

For this week’s post, I read an article by Sara Yin titled “Report: FBI Wants to Wiretap Facebook, Twitter, Google”. The article states that the FBI wants legal backing to help it expand its surveillance capabilities to cover a good portion of the Internet. The FBI wants “…social networks, e-mail providers, and other peer-to-peer services to become ‘wiretap-friendly’…” (Yin, 2012). Some of these services include Twitter, Microsoft, Yahoo, Facebook, Google, Apple iChat, AOL Instant Messenger, Gmail Chat, and Xbox Live’s in-game chat. The FBI wants to include this surveillance in the already established Communications Assistance for Law Enforcement Act (CALEA). CALEA was established in 1994, and under it cell phone operators and broadband network providers “…must have built in backdoors giving law enforcement agencies direct access to user data during warranted investigations.” (Yin, 2012).

Anonymous Attacks Get Police Information

In this week’s article, “BART Cops’ Data Posted By Hackers” by Jaikumar Vijayan, I read about how BART (Bay Area Rapid Transit) was attacked and its employees’ personal information was posted on the internet. When the attack was finished, the hackers had posted the “…names, home addresses, email addresses, and passwords of 102 police officers belonging to San Francisco Bay Area Rapid Transit (BART) Agency” (Vijayan, 2011). Here is the buildup that led to this point. In March, a BART police officer shot a drunk man who threw a knife at the officer. As word spread of this incident, protestors started planning a protest inside BART terminals and on BART platforms. BART wanted to ensure the safety of riders, and knew that the protesters would be organizing via cellphone. So they took preemptive action and blocked cellular signals within San Francisco BART. But a week before Anonymous retrieved the personal information of 102 police officers, Anonymous had attacked the site myBART.org and “…released usernames, addresses and phone numbers of more than 2000 BART customers.” (Vijayan, 2011).
