1.2 Security

The social issue of Security is covered in chapter 5 of the book. Students are introduced to security threats faced by users and businesses, including phishing, hacking, and malware. Solutions, preventative measures, and related issues such as biometrics and encryption are also clearly explained. ITGS syllabus section 1.2 Security is covered, with links to 1.5 Authenticity and 3.3 Networks. The following resources support the content in the textbook:

  • Security advice and information
  • Authentication (passwords and biometrics)
  • Social engineering
  • Hacking
  • Phishing
  • Spam
  • Cyber-warfare and cyber-terrorism
  • Malicious software
  • Encryption
  • Wireless security
  • Physical security
Password strength

Exercise 5.4 - Password Strength

Computer security company Kaspersky has an online tool that performs calculations like the ones in this exercise; How Secure is my password? is a similar tool.

Do not type your actual passwords into these sites: you cannot verify how anything you enter is handled or whether it is logged (the Kaspersky site itself warns against doing this). Test a made-up password with the same length and mix of character types instead.
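The calculation behind tools like these is the size of the search space an attacker must cover. The following is an added example for this exercise, not the exercise's own solution or Kaspersky's code: it estimates the alphabet a password draws on, the resulting entropy in bits, and the worst-case time to enumerate every candidate at an assumed offline guess rate of 10^10 per second (roughly a GPU rig against a fast unsalted hash). The rate and the character-class sizes are assumptions, and the sample passwords are constructed. The figure is an upper bound: it measures resistance to exhaustive search only, and a dictionary word falls far faster than its "entropy" suggests.

```python
"""Password strength estimate: alphabet size, entropy in bits and worst-case
brute-force time at an assumed guess rate. Added example for Exercise 5.4;
the guess rate and class sizes are assumptions, the passwords are made up."""
import math
import string

# Character classes and the number of symbols each adds to the alphabet
# an attacker must cover once they know the class is in use.
CHARACTER_CLASSES = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "symbol": (set(string.punctuation), len(string.punctuation)),  # 32 symbols
}

ASSUMED_GUESSES_PER_SECOND = 1e10  # assumption: offline attack on a fast hash


def alphabet_size(password: str) -> int:
    """Size of the smallest standard alphabet containing every character used."""
    size = 0
    for chars, count in CHARACTER_CLASSES.values():
        if any(c in chars for c in password):
            size += count
    # Characters outside the four classes (space, accented letters) are
    # counted one symbol each so they are not silently ignored.
    known = set().union(*(chars for chars, _ in CHARACTER_CLASSES.values()))
    size += len({c for c in password if c not in known})
    return size


def search_space(password: str) -> int:
    """Number of candidate strings of the same length over the same alphabet."""
    return alphabet_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """log2 of the search space: each extra bit doubles the attacker's work."""
    return math.log2(search_space(password)) if password else 0.0


def brute_force_seconds(password: str,
                        guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to try the whole search space at the given rate."""
    return search_space(password) / guesses_per_second


def human_time(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600),
             ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3g} seconds"


def report(password: str) -> dict:
    """Summary a student can compare against the online tools."""
    return {
        "length": len(password),
        "alphabet": alphabet_size(password),
        "entropy_bits": round(entropy_bits(password), 1),
        "brute_force": human_time(brute_force_seconds(password)),
    }


if __name__ == "__main__":
    # Constructed examples; never paste a real password into a tool like this.
    for pw in ["password", "Passw0rd", "Tr0ub4dor&3", "correct horse battery staple"]:
        print(f"{pw!r}: {report(pw)}")
```

Note how the four-word passphrase scores far higher than the short "complex" password purely through length, and how all of the figures collapse if the attacker tries dictionary words and common substitutions before exhaustive search.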


Updated: 2017-08-10
DTP

Exercise 5.9 - Computer Security Advice

Suggested rubric for the "Computer Security Advice" booklet on page 113. The following free DTP software might be useful:
  • PagePlus SE - Serif offer a cut down version of their DTP software for free.
  • Scribus - open source desktop publishing program.

Updated: 2014-10-03

Security advice and information

Buckeye Secure from Ohio State University is a guide to many aspects of computer security including malware, phishing, encryption, and backups. Threatsaurus is an online A-Z of computer security threats, from Sophos Security. OnGuardOnline.gov is produced by the US government and has extensive advice on online shopping, cookies, child safety, and many other online security issues. It also has a section for teachers. The nasties of the net and Sophos' IT Security videos are two other informative resources.
Updated: 2014-10-03
Security advice videos

1 Minute security tip videos

These excellent videos from Sophos Security (makers of anti-virus software and other security products) offer security tips and examples in a quick and concise format. Each video is around a minute long. Topics covered include secure passwords, physical computer security, social engineering, and data leak protection. They make useful lesson starters that can be used to generate discussions about best security practices.

You can view the playlist here.
Updated: 2014-10-03
Passwords and biometrics

Passwords, biometrics, and two-factor authentication

The video Secure Passwords Explained by CommonCraft is a good introduction to this topic. Why passwords have never been weaker - and crackers have never been stronger and How I Became a Password Cracker (Ars Technica) explain the security threats facing passwords, in particular how cheap it has become to guess passwords offline against a stolen table of hashes.
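The Ars Technica articles describe attackers working from a leaked table of password hashes rather than guessing at the login page. The following added example, which is not code from those articles, shows why that works so well: a small dictionary attack against a "leaked" table of unsalted MD5 digests, beside the same passwords stored with a per-user salt and an iterated hash (PBKDF2). The user table and wordlist are constructed for the demo, and the iteration count is an assumption (production systems use higher counts or a memory-hard function such as Argon2).

```python
"""Dictionary attack on unsalted MD5 versus salted PBKDF2 storage.
Added example; the leaked table, wordlist and iteration count are constructed
or assumed for the demonstration."""
import hashlib
import hmac
import os
import time

# Constructed sample of what an attacker pulls from a breached database that
# stored bare MD5 digests. The passwords behind them are "letmein",
# "password1" and a long passphrase.
LEAKED_MD5 = {
    "alice": hashlib.md5(b"letmein").hexdigest(),
    "bob": hashlib.md5(b"password1").hexdigest(),
    "carol": hashlib.md5(b"correct horse battery staple").hexdigest(),
}

# Tiny stand-in for the multi-gigabyte wordlists real crackers use.
WORDLIST = ["123456", "password", "letmein", "qwerty", "password1", "dragon"]

PBKDF2_ITERATIONS = 100_000  # assumption; tune so one hash costs ~100 ms


def crack_unsalted_md5(table: dict, wordlist: list) -> dict:
    """Hash each guess once and look it up against every user at the same time.
    Without a salt, one cheap hash tests a guess against the whole table."""
    by_hash = {digest: user for user, digest in table.items()}
    recovered = {}
    for guess in wordlist:
        digest = hashlib.md5(guess.encode()).hexdigest()
        if digest in by_hash:
            recovered[by_hash[digest]] = guess
    return recovered


def store_password(password: str, salt: bytes = b"") -> tuple:
    """Salted, iterated hash as a site should store it (salt is random unless
    one is supplied for a deterministic test)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def crack_salted(table: dict, wordlist: list) -> dict:
    """Every (user, guess) pair now costs a full PBKDF2 run: the salt defeats the
    shared lookup, and the iterations make each guess slow. Weak passwords still
    fall; the attacker just pays far more per guess."""
    recovered = {}
    for user, (salt, digest) in table.items():
        for guess in wordlist:
            if verify_password(guess, salt, digest):
                recovered[user] = guess
                break
    return recovered


def hashes_per_second(n: int = 20_000) -> dict:
    """Rough per-guess cost comparison on this machine (varies by hardware)."""
    t0 = time.perf_counter()
    for i in range(n):
        hashlib.md5(str(i).encode()).digest()
    md5_rate = n / (time.perf_counter() - t0)
    t0 = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"guess", b"\x00" * 16, PBKDF2_ITERATIONS)
    pbkdf2_rate = 1 / (time.perf_counter() - t0)
    return {"md5_per_second": md5_rate, "pbkdf2_per_second": pbkdf2_rate}


if __name__ == "__main__":
    plaintexts = {"alice": "letmein", "bob": "password1",
                  "carol": "correct horse battery staple"}
    print("unsalted MD5 recovered:", crack_unsalted_md5(LEAKED_MD5, WORDLIST))
    salted = {user: store_password(pw) for user, pw in plaintexts.items()}
    print("salted PBKDF2 recovered:", crack_salted(salted, WORDLIST))
    print("cost per guess:", hashes_per_second())
```

Two things to notice when running it: the two weak passwords are recovered in both cases, because no storage scheme rescues a password that is on the wordlist, and the per-guess cost differs by several orders of magnitude, which is the whole contribution of salting and iterating. That gap is also why the "crackers have never been stronger" articles matter: a GPU recovers the MD5 gap in hardware, while the slow hash has to be attacked one user at a time.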

Two-Step Verification is inconvenient, but more secure (NY Times) and Google's Alternative to the Password (MIT) offer alternatives to passwords.

Biometrics (BBC) are often hailed as a better authentication mechanism, and modern systems can even recognise users by the way they walk (Science Daily).

Problems with biometrics

Contrary to popular belief, biometric systems can be fooled, for example with fake silicone fingers (BBC) and even plastic surgery on fingerprints (BBC). Voice recognition technology can also be fooled: the BBC fooled HSBC's voice recognition security system for online banking, for example.

Social and ethical issues

Biometric facial recognition systems raise privacy issues because they are capable of surveillance without subjects' knowledge or permission - one such example is the 2001 Super Bowl (The Register). The article You Cannot Encrypt your Face examines this issue in greater detail.

Another issue with biometrics is, ironically, security itself: unlike a password, a fingerprint or face cannot be changed once the stored template has been stolen or the sensor has been fooled. This Wired article explains the concerns and how they affect stakeholders in various fields.


Updated: 2017-08-10
Social engineering

Social Engineering

Hacking humans is an article from the Washington Post explaining just how easy and effective social engineering attacks can be. Using social media to launch a cyberattack discusses the risks of revealing personal information on social networks and explains how criminals can use this against you. Fake femme fatale dupes IT guys at US government agency covers perhaps the canonical social engineering technique.

Finally, My career as a professional bank robber is a first hand account of a man who used to use social engineering techniques to commit crimes, while The Art of Deception: Controlling the Human Element of Security is an excellent book written by hacker-turned-security consultant Kevin Mitnick, packed full of real-life examples.
Updated: 2014-10-03
Hacking

Hacking

The Telegraph's Five of the biggest hacking attacks is a good introduction to hacking and its social impacts. Security lapses at Apple and Amazon lead to an epic hack is an excellent resource explaining how a major hack was performed using a variety of techniques, including social engineering.

With information technology systems becoming ever more ubiquitous, more and more systems are potentially vulnerable to hacking, including transportation systems, television stations, telephone networks, and even electronic hotel door locks. Many organisations also store customers' personal and credit card data and passwords, making them tempting targets for hackers. Multiple companies, including AT&T, Sony, McDonalds and Twitter have been the victims of such attacks.

Hackers sometimes take novel approaches to their crimes: in 2013 a group of Australian hackers broke into a CCTV network at a casino (Wired) and used it to watch other players' hands - winning $33 million before they were caught.

The Politics and Government page contains many more examples of hacking for military purposes.
Updated: 2014-10-03

Spam

Spammers often take advantage of people's interest in gossip and breaking news, frequently 'hijacking' the latest story by sending emails purporting to offer more information. Hi-tech thieves target Olympics (BBC) and The Michael Jackson spammers (BBC) illustrate this well.

Despite the inherent difficulties caused by the nature of the Internet, spammers and botnet creators are sometimes caught, as 'Spam gang' leader faces $15m fine (BBC), Spam text message pair are fined £440,000 (BBC), and Jail sentence for botnet creator (BBC) prove.
Updated: 2014-10-03
Phishing

Phishing

Phishing examples

Advice for avoiding phishing scams


Updated: 2017-05-03
Computer security infographics

Classroom Resources: Security Infographic

A nice infographic showing how organisations implement many different IT security methods: from physical security, through technology, to company policies to keep their systems secure. Would make a nice classroom poster.

Updated: 2014-10-04
Banned words game

Lesson resources: Banned words game

Banned words game - This game is similar to 'Taboo' or 'Forbidden Words'. Each card contains an ITGS key security term which students must explain to the class without mentioning the 'taboo' words listed on the card. The aim is to improve students' ability to explain key ITGS language and have a little bit of fun. Works well as a starter with the class split into two teams. I find printing the cards on coloured paper and laminating them works best.

Download Security cards or the blank cards to make your own.
Updated: 2014-10-04
Database security issues

Database security issues

Unfortunately significant database breaches tend to make the headlines every few months, meaning there is no shortage of examples for discussion in ITGS lessons. Also on the rise are 'ransomware' attacks, where hackers encrypt users' data and demand payment to decrypt it. Some companies have paid up to $40,000 to get their data back. Examples of database breaches include:

May 2017: Debenhams Flowers data breach hits 26,000

May 2017: Hacked plastic surgery photos published online

May 2017: India's Zomato says data from 17 million users stolen

November 2016: Mobile phone company Three suffered a security breach when criminals used an authorised Three login to access the company's database and steal personal details. The details were used to intercept expensive mobile phones being sent to customers as upgrades.

September 2016: Yahoo confirmed a 'state sponsored' hacker stole personal data from 500 million accounts back in 2014.

September 2016: Talk Talk were fined £400,000 over the theft of more than 150,000 customer details

August 2016: Personal details of up to 2.4 million people may have been stolen from Carphone Warehouse

August 2016: Accounting and payroll software company Sage said its systems were compromised and data for 280 UK businesses may have been stolen.

August 2016: Yahoo investigated claims that 200 million Yahoo account credentials were being offered for sale by the same hacker who had earlier sold the MySpace and LinkedIn breach data.

June 2016: The personal details of 112,000 French police officers became publicly available after a disgruntled worker for a support company uploaded them to Google Drive.

June 2015: Chinese hackers were suspected of stealing the details of almost 4 million people from the Office of Personnel Management (OPM), a branch of the US government.

April 2015: the US Office of Personnel Management revealed a hack had exposed 1.1 million fingerprint records to unauthorised access. In September 2015 this number was increased to 5.6 million fingerprints.

The textbook details several cases of lost data by the British government, including the Ministry of Defence's loss of personal data of 600,000 people. Many organisations have lost data, including 132 UK councils, the National Health Service (memory stick left on a train), and even NASA (stolen laptop). Meanwhile, Computerworld reports that over half of UK firms have lost data in security breaches.

Not to be outdone, the HMRC lost sensitive personal data of 25 million people after sending it out, unencrypted, on two CDs - which were subsequently lost.

Under the Data Protection Act, companies can be fined for losing sensitive data, and in a few cases this has happened: Shopacheck was fined for losing data on over half a million customers in 2012, and the NHS was fined £200,000 for losing the data of 3,000 patients in 2013. Regulated industries face their own regulators too: Zurich Insurance was fined £2.3m in 2010 by the UK financial regulator for losing customer records.


Updated: 2017-07-04
Electronic Medical Records

Electronic Medical Records (EMR) & Electronic Health Records (EHR)

Electronic medical records resources:
Updated: 2014-11-07
Online voting

Electronic Voting software and lesson plan

Electronic voting is a controversial topic. This E-Voting lesson plan uses a simple Java application I wrote to simulate the e-voting process. Students get to vote and then are presented with three sets of results - two of which are falsified. This is a useful practice exercise to stimulate discussions about e-voting and the potential problems that may arise.

The New York Times article Voting Test Falls Victim to Hackers and the video Why Internet-Based Voting Is a Bad Idea are also useful for this task, as are the articles below.
Updated: 2014-11-07
Electronic voting

Electronic Voting articles

E-Voting impacts and issues

Report: Voting Machine Errors Highlight Urgent Need for U.S. Database (Wired) describes the many problems that have occurred with e-voting machines in recent years, some of them quite unusual. E-voting system awards election to wrong candidates in Florida (ComputerWorld) and Voting Out E-Voting Machines (TIME) both detail further problems.

Oscar's E-Voting Problems Worse Than Feared analyses the problems that faced e-voting systems designed to vote for Oscar nominees, while 'Fake votes' cast in France's first digital election (BBC) explores France's June 2013 open primary mayoral election - both articles are a stark reminder of the myriad problems facing such systems.

Finally,  this is a letter to President Obama about e-voting, written by elections officers and computer security experts - and urging him to resist calls for Internet voting.

Solutions

Science Daily's 'Voter-Verifiable' Voting System Ensures Accuracy And Privacy explains why voting machines need a paper trail that the voter can check and that can be recounted independently of the software, while Aussies Do It Right: E-Voting (Wired) discusses another possible solution - open source voting software (this is a good article for students who believe open source software is "less secure").
Updated: 2014-11-07
Offender databases

Police use of IT: Offender databases

Online offender databases remain a controversial topic, with security, privacy, and integrity being key issues. Nevertheless, many such databases exist, especially in the US: Family Watchdog lists details of sex offenders living in the community (US), while the Michigan Public Sex Offender Registry (PSOR) contains records of sex offenders in the state of Michigan. The Florida Department of Corrections Offender Database has online records of prison inmates, released inmates, and fugitives. The Sensible Sentencing Trust is a similar database of offenders in New Zealand - interestingly this is not operated by the government, which could raise further issues related to privacy and integrity.

Mugged by a Mug Shot Online (NY Times) discusses some of the potential long term ramifications of exposing such data.


Updated: 2014-11-07
Cyberwarfare and cyberterrorism

Military use of IT: Cyber-warfare and Cyber-terrorism

The computer security page contains teaching resources for common computer security threats including phishing and computer viruses.

Cyber-warfare and cyber-terrorism are often highlighted by the media as growing problems. Cyber-warfare attacks may be performed by countries or nation-states to disable systems, steal secret data, disrupt computer networks, or install malware to spy on the targets. The news articles below provide some examples:

Government sites are not the only potential targets of hacking attacks: Iran has been accused of hacking US banks (NY Times) and British research universities have been warned about the possibility of attacks from spies (Telegraph) looking to steal research data. Cyber attackers have also seized, encrypted and held to ransom medical centre patient databases (Sophos Security). Major sporting events such as the Olympics can also be tempting targets for cyber-terrorists.

The need to respond to cyber-attacks quickly and effectively has led to specific training courses within several countries' military and intelligence communities, as well as the occasional practice 'war-games'.


Updated: 2014-11-07
Ghost in the Wires book cover

Ghost in the Wires: My Adventures as the World's Most Wanted Hacker

by Kevin D. Mitnick
Amazon.com | Amazon.co.uk | Kindle | Worldwide (free shipping)

Update: Ghost in the Wires is now available as a free audio book when you sign up for a free Audible trial (US or UK customers only). Even if you cancel the trial, you get to keep the books.

Written by Kevin Mitnick (who also wrote The Art of Deception and The Art of Intrusion, below), Ghost in the Wires takes a different approach to his more 'instructional' tomes. An autobiography of sorts, Ghost in the Wires details Mitnick's escapades up to the mid 1990s, a time when he freely compromised hundreds of computer systems and was pursued by authorities across the world. Along the way he uses a variety of techniques, from social engineering to exploiting software vulnerabilities.

Ghost in the Wires is excellent extended reading for those interested in computer security or true crime stories.


Updated: 2017-11-10
Zero Day book cover

Zero Day

by Mark Russinovich
Amazon.com | Amazon.co.uk | Kindle | Worldwide (free shipping)

Update: Zero Day is now available as a free audio book when you sign up for a free Audible trial (US or UK customers only). Even if you cancel the trial, you get to keep the books.

Zero Day deals with what some experts believe is a major threat to modern societies - a serious cyber-attack on governments and national infrastructure. Although a work of fiction, Zero Day's portrayal of computer failures - from the controls of an international airliner to a hospital's database - makes it easy to see how reliant we are on computers and how vulnerable systems make tempting targets for terrorist groups.

At the same time, Zero Day is a very well written thriller that should engage a teenage audience right to the end. The book avoids the unrealistic clichés found in a lot of "cyber fiction" and as such is very useful extended reading for ITGS students interested in IT security or the Politics and Government strand.


Updated: 2017-11-10
The Art of Deception book cover

The Art of Deception: Controlling the Human Element of Security

by Kevin D. Mitnick and William L. Simon.
Amazon.com | Amazon.co.uk | Kindle | Worldwide (free shipping)

Update: The Art of Deception is now available as a free audio book when you sign up for a free Audible trial (US or UK customers only). Even if you cancel the trial, you get to keep the books.

The Art of Deception, by hacker-turned-security consultant Kevin Mitnick, is a collection of short stories and detailed examples explaining how humans are often the weakest link in the IT security chain. The book's 16 chapters cover social engineering techniques from phishing emails and websites, to malware, fake phone calls, and impersonation.

Most of the stories in The Art of Deception are highly relevant to ITGS students, relating strongly to the social and ethical issues of security, authentication, and policies. Mitnick's style is clear and accessible, with key language and points highlighted, and the book's structure makes it easy to quickly dip in and read one or two stories. ITGS students or teachers with even a passing interest in computer security should find it a worthy read. Click here for a short review.


Updated: 2017-11-10
The Cuckoo's Egg book cover

The Cuckoo's Egg: Tracking a Spy through the Maze of Computer Espionage

by Cliff Stoll
Amazon.com | Amazon.co.uk | Kindle  | Worldwide (free shipping)

In The Cuckoo's Egg, Cliff Stoll tells the true story of how an investigation into a 75 cent accounting error at Lawrence Berkeley Laboratory in California led him to track a computer hacker across the globe, into a world of money, drugs, and computer espionage.

Unravelling the story like a thriller, Stoll clearly explains the details of how the hacker managed to gain access to machine after machine, how he searched for top secret government files, and why it was so hard to trace him. With "cyber-warfare" and "cyber-terrorism" being at the top of many Western countries' agendas, the themes raised in The Cuckoo's Egg are as relevant today as ever. Well recommended for anyone with an interest in networks, security, or hacking. Click here for a short review.
Updated: 2014-11-07
The Art of Intrusion book cover

The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers

by Kevin D. Mitnick
Amazon.com | Amazon.co.uk | Kindle | Worldwide (free shipping)

Like The Art of Deception above, Mitnick's The Art of Intrusion deals with examples of computer crime - in this case, with a strong emphasis on hacking. Unlike the previous book, the examples in The Art of Intrusion are all real life cases, broken down and analysed so the reader can understand how they were perpetrated and how they could have been prevented. The examples cover hacking motivated by ideology, finance, and curiosity, which tie in perfectly to the ITGS 'security' social / ethical issue.

Like a lot of IT and computer science teachers, I find students often ask "How do people hack into computer systems?". This book provides clear real life answers to that question.
Updated: 2014-11-07
America the Vulnerable book cover

America the Vulnerable: Inside the New Threat Matrix of Digital Espionage, Crime, and Warfare

by Joel Brenner
Amazon.com | Amazon.co.uk | Kindle | Worldwide (free shipping)

Update: America the Vulnerable is now available as a free audio book when you sign up for a free Audible trial (US or UK customers only). Even if you cancel the trial, you get to keep the books.

America the Vulnerable examines the potential impact of cyber-warfare and cyber-terrorism on the United States. The book covers tactics that could be used to attack American computers, including hacking, Distributed Denial of Service (DDoS) attacks, and spyware.

Brenner also examines the difficulty of addressing these threats. Isolating sensitive computers from a network, for example, is good practice. However, it raises new threats we might never have considered - such as USB flash drives loaded with malware at the point of manufacture, which carry the attack across the air gap. Ironically, Brenner says we know that many of these threats are real because the US has tried them against its own enemies.

America the Vulnerable is a good read for anybody interested in computer security and cyber-warfare / cyber-terrorism. Although it initially appears slightly paranoid, by the end its veracity is quite convincing.


Updated: 2017-11-10
Malware visualization

Global malware visualization

The map to the left was created in an unconventional way - by an anonymous researcher who hacked into nearly 500,000 computers in order to plot their location and produce the map data. The web site contains an animated version where Internet connection density can be clearly seen moving across the globe as the day progresses.
Updated: 2014-10-10
Rogue Code book cover

Rogue Code

by Mark Russinovich
Amazon.com | Amazon.co.uk | Kindle | Worldwide (free shipping)

Update: Rogue Code is now available as a free audio book when you sign up for a free Audible trial (US or UK customers only). Even if you cancel the trial, you get to keep the books.

Rogue Code is the third book in Mark Russinovich's series about cyber-crime and cyber-terrorism (the first is Zero Day). Fictional computer security expert Jeff Aiken returns to deal with a potential security breach at the New York Stock Exchange (NYSE), which rapidly turns into a cat-and-mouse pursuit linked to large criminal gangs intent on performing an electronic "bank heist". One of the strengths of Russinovich's books is his realism and accuracy, which has been praised by many reviewers. At no time while reading the novel does anything that Aiken encounters seem unrealistic or even far-fetched. This is a great book for extended reading about the topic of Politics & Government and cyber-terrorism.


Updated: 2017-11-10
Cybersecurity and Cyberwar: What Everyone Needs to Know

Cybersecurity and Cyberwar: What Everyone Needs to Know

by P. W. Singer and Allan Friedman
Amazon.com | Amazon.co.uk | Kindle | Worldwide (free shipping)

Cybersecurity and Cyberwar provides a clear explanation of the types of Internet and computer-based threats that can face countries. Singer and Friedman do a good job of explaining not only the potential damage that could be done by cyberintrusions, but also how technology can be - and is being - used as a weapon of war by powers such as the US (Stuxnet is covered in detail). There is also a good discussion of why it is so hard to defend computers and infrastructure against cyber attacks.

The book focuses primarily on military use (the Politics and Government strand) but many of the issues and problems are equally applicable to the realm of Business and Employment, and the examples are an excellent basis for discussions about the future of cyberwarfare and the ethics of using technology in this way.


Updated: 2015-03-06
All your devices can be hacked

All Your Devices Can Be Hacked

All Your Devices Can Be Hacked discusses the increased security threats as more and more devices feature Internet connectivity - including implanted medical devices, car networks, police radios, and voting machines. The very interesting - and worrying - aspect of this video is that it is not mere scaremongering: all of the attacks described, including disabling a pacemaker and taking control of a car, have been successfully executed as proofs of concept. This makes great discussion material for ITGS students in several different strands of the ITGS triangle.


Updated: 2016-07-07