Monday, November 14, 2011

Double Columnar Cipher Challenge



As one of my cybersecurity classes comes to an end, this will be my final blog. Most of my postings have covered Mac OS X security configurations or cryptology, both subjects being a great interest of mine. Other topics, such as National Cyber Security Awareness Month, just happened to coincide with the area I was studying. The Mac OS X source was myself, playing around with the features on my own Macbook. I incorporated other sources into the postings where applicable, and tried to use a variety.

I hope this blog will be useful to other students and security professionals by providing a clear understanding of the chosen topics and resources for more information.

Since the holidays are just around the corner, I thought I would put a little cheer in this finale. Not only will you learn how a double columnar cipher works, but I challenge you to crack my own code!

The first step is to pick two code words or phrases of the same length, and put each letter in its own column. Letter by letter, write out your message under the first code word/phrase, like this:

R E D M U S T A N G
D O N T F O R G E T
T O D R I N K Y O U
R O V A L T I N E R
A L P H I E X X X X

In this example, the first code phrase is RED MUSTANG, and the message is DON’T FORGET TO DRINK YOUR OVALTINE RALPHIE. The message is not long enough to cover all the cells, so X’s are used for padding.

Next, number the letters of the code word/phrase in alphabetical order: the letter that comes first in the alphabet gets 1 (A in this example), the next gets 2, and so on. If you have duplicate letters, I suggest numbering them in the order of appearance in the code word/phrase. It should look like this:

7 3 2 5 10 8 9 1 6 4
R E D M U S T A N G
D O N T F O R G E T
T O D R I N K Y O U
R O V A L T I N E R
A L P H I E X X X X

Starting with the column under #1, read down each column in numerical order and string the letters into blocks of 5, carrying on into the next column when a block is not yet full (do not count the code word/phrase, just the message). This makes the first ciphertext, which is GYNXN DVPOO OLTUR XTRAH EOEXD TRAON TERKI XFILI.

The first ciphertext is used to fill the cells under the next code word, NIGHT MOVES:

6 4 2 3 9 5 7 10 1 8
N I G H T M O V E S
G Y N X N D V P O O
O L T U R X T R A H
E O E X D T R A O N
T E R K I X F I L I

To generate the final ciphertext, perform the same operation as in the example above, with letters in blocks of 5: OAOLN TERXU XKYLO EDXTX GOETV TRFOH NINRD IPRAI. To decrypt, the operation is performed backwards, starting with this final ciphertext. If you know the code word/phrase, start by ordering the letters of the second code word/phrase into numbers and place the first block of 5 letters into column #1, moving on to the next column. Once you have the cells filled in, do the same using the first code word/phrase.
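The two passes and their reversal, written out in Python as an added example that is not part of the original post; the function names are illustrative. It assumes both code phrases have the same number of letters, and when decrypting it gives each column (ciphertext length divided by key length) letters, which is 4 in the example above.

```python
# Added example: the double columnar cipher from the post (names are illustrative).

def column_order(key):
    """Column indexes in read-out order: alphabetical, duplicates left to right."""
    letters = [c for c in key.upper() if c.isalpha()]
    return sorted(range(len(letters)), key=lambda i: (letters[i], i))

def transpose(text, key, pad="X"):
    """One pass: write the letters in rows under the key, read columns #1, #2, ..."""
    order = column_order(key)
    width = len(order)
    letters = [c for c in text.upper() if c.isalpha()]
    letters += [pad] * (-len(letters) % width)      # fill the last row with X's
    rows = [letters[i:i + width] for i in range(0, len(letters), width)]
    return "".join(row[col] for col in order for row in rows)

def untranspose(text, key):
    """Undo one pass: refill the columns in key order, then read the rows."""
    order = column_order(key)
    width = len(order)
    letters = [c for c in text.upper() if c.isalpha()]
    if len(letters) % width:
        raise ValueError("ciphertext length must be a multiple of the key length")
    height = len(letters) // width                  # letters per column
    columns = [None] * width
    for rank, col in enumerate(order):
        columns[col] = letters[rank * height:(rank + 1) * height]
    return "".join(columns[c][r] for r in range(height) for c in range(width))

def blocks(text, size=5):
    """Group letters in fives, as the post prints its ciphertext."""
    return " ".join(text[i:i + size] for i in range(0, len(text), size))

def encrypt(message, key1, key2):
    return blocks(transpose(transpose(message, key1), key2))

def decrypt(ciphertext, key1, key2):
    return untranspose(untranspose(ciphertext, key2), key1)

if __name__ == "__main__":
    message = "DON'T FORGET TO DRINK YOUR OVALTINE RALPHIE"   # the post's example
    first = blocks(transpose(message, "RED MUSTANG"))
    final = encrypt(message, "RED MUSTANG", "NIGHT MOVES")
    print(first)
    print(final)
    print(decrypt(final, "RED MUSTANG", "NIGHT MOVES"))   # padding X's remain
```

Decryption returns the message without spaces or punctuation and with the padding X's still attached, since the grid does not record where the real message ended.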

Now that you have learned how to compose a double columnar cipher, I have two code phrases for you. The first is APPLE CIDER, and the second is SANTA CLAUS. The final ciphertext is NSAPO VHAAE AHFYA IEDHP YAANS ODSEL.

Happy Holidays!

Friday, November 11, 2011

Kids and Information Security

When most people think about protecting their kids, it's usually from bullies on the playground, accidents, and illness. In the past few decades, it extended to censoring their exposure to graphic media such as TV, movies, and music. In today's world, kids are very technology-savvy, yet they know little about the consequences of using it inappropriately. That's where we need to step up as parents and offer our guidance, establish rules, and enforce our restrictions.

When it comes to kids, I feel that some level of censorship should be implemented, depending on their age level. As they get older, it will be increasingly difficult to shield them from every danger, so it is our job to talk to them about what they might encounter, and how to handle it. Why should information security be any different? With the increasing prevalence of online predators, cyberbullies, and malicious content disguised as legitimate offers, your kids and devices are at stake.

At the same time, we all know that kids do the exact opposite of what we want them to do, so some controls will help keep them on track. Installing a pop-up blocker or web filter on your browser is an obvious choice, but if you have read my previous blogs, you know that I advocate features built in to Mac OS X. One feature that addresses this topic is the Parental Controls under Accounts in System Preferences:


With this feature, you can manage areas such as System, Content, Mail & iChat, Time Limits, and Logs:


This example uses the default guest account, but you can set up several accounts and tweak the controls to suit the level of permission for each. Not only does this protect your children from the evil forces that be, but it also prevents other users from accessing sensitive information or modifying controls set by the administrator.

While this is a great way to keep tabs on what your kids are involved in, they still need to know the rules set by your family. Do they know what your expectations are and the risks of deviating from those expectations? Do they know what dangers to look for and how to avoid them? Keeping your kids educated is the best prevention. You will not be able to hold their hand forever.

Saturday, November 5, 2011

Firewall for OSX Leopard (10.5)

How many of you knew that a Macbook comes with a built-in firewall? Well, it does, and now is the time to take advantage of it.

To configure this firewall, you will need to open System Preferences and click on the Security icon. The Security menu has three tabs: General, FileVault, and Firewall. Select the Firewall tab, which should look like this:


Three radio buttons appear in the box:

Allow all incoming connections: stops the firewall from running
Allow only essential services: blocks any service from making a connection
Set access for specific services and applications: allows the user to set permissions for trusted connections

The last one is probably the best choice for an average user. The + and - box will let you choose which applications are allowed to make connections. Once you activate the firewall, the Advanced button becomes available. Clicking on it will bring up a submenu:


I recommend checking both Enable Firewall Logging and Enable Stealth Mode. A great way to see if the Enable Stealth Mode option is working is to visit the ShieldsUP! website. From the Home page, click on the Proceed button, and choose All Service Ports. A quick run of my ports aced the test:


This configuration should be done with administrator privileges to prevent unauthorized changes, and don't forget to click the Lock icon when you are done!



*Answers to last week’s quiz:
1)d 2)b 3)c 4)d 5)b

Tuesday, October 25, 2011

Take the quiz: Information Security in the Media

Information security is not a new trend. It has masqueraded for ages as a form of entertainment. In celebration of National Cyber Security Awareness Month, I have dug up some fun facts for your own amusement. Go ahead and test your knowledge!



1. Which famous author used a polyphonic substitution cipher in one of his or her short stories?

a. Edgar Allan Poe
b. Washington Irving
c. Stephen King
d. Virginia Woolf


2. What type of cipher did Ralphie use on his Code-O-Graph in A Christmas Story?

a. Transposition cipher
b. Simple cipher
c. Block cipher
d. Stream cipher


3. In 2001, a movie about hackers gaining access to a government slush fund in a counter-terrorism scheme hit the box office. The movie was named for a famously used password. What is the name of the movie/password?

a. Antitrust
b. Hackers
c. Swordfish
d. Takedown


4. Who was the famous hacker that went by the code name c0mrade?

a. Kevin Mitnick
b. Adrian Lamo
c. Kevin Poulsen
d. Jonathan James


5. What breakfast cereal contributed to the popularity of phone phreaking in the 1990’s because the toy whistle inside the box was tuned to the frequency of most AT&T phones?

a. Fruity Pebbles
b. Cap’n Crunch
c. Golden Grahams
d. Frosted Flakes


*Answers will appear in next week’s blog. Happy hunting!

Thursday, October 20, 2011

National Cyber Security Awareness Month



October 2011 has been designated as the National Cyber Security Awareness Month (NCSAM) for the eighth year running. It is a cooperative effort between the Department of Homeland Security (DHS), the National Cyber Security Alliance (NCSA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC). Their goal is to promote cyber safety by providing education and awareness to both public and private sectors.

So how can you get involved? NCSAM's motto is "Our Shared Responsibility", which means cyber security starts with you by protecting your own information. Google has started a "Good to Know" campaign that outlines a few simple steps you can take to create a strong defense. The campaign addresses many aspects of information security, such as phishing, malware, and mobile security. Check it out at Google's Good to Know campaign.

Another ongoing campaign that is more widely known is Stay Safe Online. It is a great resource center for a variety of communities, from educational institutions and law enforcement to businesses and individuals. If you have kids, you will definitely want to visit the cyberbullying page.

If you find yourself or someone you love a victim of any kind of security breach or harassment, please don't hesitate to report it. While local law enforcement may be the obvious choice, a little-known reporting agency is the Internet Crime Complaint Center. The website is run by the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C). It is specifically geared towards cyber crime, and may be better equipped to handle these sensitive situations.

October may be coming to an end, but cyber security is a year-round battle. Be ready for your attackers.

Wednesday, October 12, 2011

An Overview on Virtualization


How does virtualization work?
Virtualization is the practice of using software on a host computer to simulate a particular computing environment. It works by allowing processes to share system (particularly hardware) resources.
Three main types of virtualization are network, storage, and server. Network virtualization works by splitting bandwidth into channels. Storage virtualization combines physical storage from multiple sources into a centralized source. (What is Virtualization?, n.d.) Server virtualization disguises the number and components of real servers from guest users by dividing and isolating virtual servers. (What is Server Virtualization?, n.d.)
All three types assign resources as needed rather than committing them to a particular device. The purpose is to free up available components while reducing costs.

What can virtualization be used for?
Virtualization is used for private cloud computing within a network. When a private network is joined to a public one, it creates a hybrid cloud. This method allows businesses to join forces, or for one business to manage internal and external data.
Virtualization on a private level can be used for running multiple operating systems on a single computer. One such method employs Parallels software. (Virtualization & Automation Solutions for Desktops, Servers, Hosting, SaaS – Parallels Optimized Computing, n.d.) Parallels is an application that allows a user to toggle between Windows and OSX (for example) without partitioning the hard drive. The Windows portion would be the virtual machine, sharing resources with OSX on the Macbook hard drive.

What are the security flaws?
Security flaws depend on the management of server configuration and operating system patching. If neither is actively maintained, it leaves a gap for attackers to plunge through. Active maintenance includes patching the hypervisor, following best practices in configuring the host/platform, securing transmissions, managing virtual switches for guests, and preventing malicious activity from the guest.
The best advice is to develop strong policies and procedures, follow best practices, and harden systems. (Shackleford, 2010)


Why is this issue becoming prevalent?
Virtualization is a growing industry because it provides businesses with a solution to consolidate resources; cut costs on hardware, maintenance, and personnel; plan seamless backup and routine maintenance; improve operational flexibility; and securely manage desktop environments.


 

References:
1.     "Virtualization & Automation Solutions for Desktops, Servers, Hosting, SaaS – Parallels Optimized Computing." Parallels. N.p., n.d. Web. 21 Dec. 2010. <http://www.parallels.com/>.
2.     Shackleford, Dave. "An introduction to virtualization security." Help Net Security. N.p., 9 Mar. 2010. Web. 21 Dec. 2010. <http://www.net-security.org/article.php?id=1397&p=1>.
3.     "What is server virtualization? - Definition from Whatis.com." Server Virtualization: Covering today's Server Virtualization topics. N.p., n.d. Web. 21 Dec. 2010. <http://searchservervirtualization.techtarget.com/sDefinition/0,,sid94_gci1032820,00.html>.
4.     "What is virtualization? - Definition from Whatis.com." Server Virtualization: Covering today's Server Virtualization topics. N.p., n.d. Web. 21 Dec. 2010. <http://searchservervirtualization.techtarget.com/sDefinition/0,,sid94_gci499539,00.html>.

Saturday, October 8, 2011

What is a Buffer Overflow?


A buffer is a temporary data storage area that has a capacity limit. A person running several programs at one time needs the buffer zone so that information can be processed seamlessly before it heads to its final storage area.
A buffer overflow happens when a program or process tries to store more data than the buffer can hold. The extra data is forced into other buffer zones, possibly corrupting the data already in there. Sometimes the buffer overflow is done intentionally, as in an attack. The buffer overflow works on the "last in, first out" (LIFO) principle. The last string of data is the first string to be cut from the buffer and go into overflow. An example is below:


In this example, the program was written to accept 5 bytes in the "name" field. The buffer (small) can only hold two, moving the remaining 3 into the executable stack. Hackers take advantage of this by purposefully inserting malicious code at the end that they know will go into overflow. However, this is not always the case. C/C++ programs often have these errors because of the limitations of the programmer. (Information Security, n.d.)
Fortunately, there are security features out there to detect and prevent this, such as Comodo Memory Firewall. (TechMixer, n.d.)
References:
1.     "What is buffer overflow? - Definition from Whatis.com." Information Security: Covering today's security topics. N.p., n.d. Web. 19 Dec. 2010. <http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci549024,00.html>.
2.     "Prevent Buffer Overflow Attack with Comodo Memory Firewall." TechMixer | Review Software, Online services, Freeware and Others. N.p., n.d. Web. 19 Dec. 2010. <http://www.techmixer.com/prevent-buffer-overflow-attack-with-comodo-memory-firewall/>.