  • Anonymity in Cyberspace

    In this information age, large technology corporations harvest the personal data of millions of individuals to collect demographic information that they can apply to their products and advertising endeavors. Private citizens desire situations in which they can protect their personal data through anonymous action; and inversely, users want proper authentication credentials and authorization systems to protect access to their electronic business arrangements.

    I don’t believe that the conversational debate on this topic should resolve in a binary answer of whether anonymity should be preserved in cyberspace because there are differing types of practical applications which benefit from either anonymity or authentication. If the world wide web is continually used for both casual recreation and serious business applications, there will be a need for both types of functionalities to be utilized to create satisfied users. Ideally, our business communications and transactions should be secured, encrypted, and only available to properly authorized and fully authenticated users. However, it is helpful and comfortable to be able to maintain anonymity as a casual user and utilize the protection of anonymity to protect freedom of speech and the identities of vulnerable users from possible threat actors.

    The Usefulness of Anonymity

    Throughout history, anonymity has proven to be useful in protecting vulnerable people for many legitimate reasons. Journalists often rely on hiding their personal information to protect themselves from threats to their person when publishing controversial ideas or when writing with criticism toward authority figures. Anonymity also allows writers to disconnect from their subject matter in a way that they might hope allows people to withhold the prejudice that comes with knowing who the author of a work is. According to Hruska (2011), the founder of Facebook has stated that all anonymity should be abolished from the internet, elaborating that he believes personal anonymity leads to a higher chance of negative or anti-social behavior. I don’t believe that his statements reflect the implications of all anonymity online, but instead pertain particularly to the Facebook service which also profits less from anonymity and profits more from a strategy of personal data collection and user verification. In opposition to Mark Zuckerberg’s opinion on digital anonymity, I believe that there are very useful applications for anonymity and that the determination of whether personal verification should be obtained is situational. I think that it is time for the governing bodies to accept that the many applications of today’s internet have outgrown the regulations that govern the physical hardware systems that power them, and new legislation should be considered that promotes informed consent on behalf of private citizens and their data privacy.

    The Necessity of Personal Authorization

    There are so many business transactions and accounts that exist on the world wide web and individuals all desire proper authentication systems in place so that they are the only verified user of their accounts and sole signer of their transactions. A verification process does submit personal information to a 3rd party, but that does not mean that the 3rd party must engage in mass data collection, trading, and sales. The organization’s collection of qualifying personal information helps protect a user’s account from people that do not possess that information which contributes to authentication and helps to maintain the economic integrity of the relationship. However, there are plenty of types of interactions on the internet that do not require verification and can be used more comfortably in complete anonymity. Just like in our non-digital interactions with people in society, information is naturally disclosed on a need-to-know basis. People don’t feel comfortable sharing all their personal details in the first few conversations or with someone they don’t know well because of possible security risks. This is an example of how we use anonymity in everyday life to assert authorization when providing our personal information to others. The world wide web has similar situations and interactions in which it is beneficial to preserve personal anonymity to protect personal data and exercise free speech. Hruska (2011) points out that anonymity has been described by the United States Supreme Court as vital to the freedom of speech, which I think should also be respected in the internet platforms and the systems’ informational design.

    Is Anonymity in Cyberspace an Illusion?

    In today’s internet, when a user makes a connection to a website, their computer’s details are sent through a vast network of networks before they reach the intended destination, leaving behind a trail that is easily tracked. Because of this physical limitation on the potential anonymity of the medium, I believe that digital anonymity is somewhat of an illusion. Digital anonymity can be created when an organization’s operations are designed to collect the minimal amount of user data required to achieve the necessary functions of the product or service. It is in the hands of the organization and user who must take responsibility for possible security risks and foster their relationship’s trust to maintain a comfortable sense of digital anonymity. Lufkin (2017), writing for the BBC, states that he believes digital anonymity allows people to have exciting experiences without fearing the consequences of recognition or retaliation to themselves. Relating to psychology, he believes that our individual definition of self is made up of both our perception of ourselves and a culmination of how other people view us. Although any interaction on the internet can be traced with enough time, it is equally important for web developers to create spaces that provide users with an easing sense of anonymity and proper user verification as is applicable to the specific type of interaction.

    Part of the illusion of anonymity that initially surprised me was, as Lufkin (2017) states, that personal demographic data is still bought and sold through large technology companies even if the subject individual is not a user of that service or does not possess an account with that company. Corporations such as Facebook are still able to collect data about individuals through other methods such as their Facebook Pixel which tracks users on many different websites outside of Facebook. Inherently, there is no anonymity on the internet that is legally protected out of the scope of the freedom of speech.

    Is Secure Authorization in Cyberspace an Illusion?

    Secure authorization is generally provided through the roles assigned by the server administration after authentication. Authentication systems are constantly challenged in new ways as hackers and cyber security professionals battle it out in endless advancement of their offensive and defensive tools and systems. Huge collections of personal data that exist within these large companies’ user accounts are popular targets for criminals because this personal information usually leads to qualifying information that allows them to access business and financial accounts. Secure systems sacrifice convenience for more security; so, if we want to enjoy the benefits of conducting our business on the internet, we should recognize the value of authentication and encryption systems like biometrics and passkeys. The government has a direct interest in reducing the level of possible anonymity on the internet toward more transparency so that it becomes easier to identify and solve domestic threats of terror and other forms of crime that can be traced through our national networks.

    Anonymity for Human Rights Protection

    The United Nations Human Rights Office (2015) writes that the improvement of digital security is imperative to the success of all interactions with the United Nations to work toward their goal of creating a connected, protected, and stable world environment. Within their concerns lie the digital security of countless people who rely on the protection of freedom of speech and some form of digital anonymity to perform their job tasks without adding to the risk of personal endangerment. Moyakine (2016) writes that anonymity on the internet is critical to the maintenance of our human rights and fundamental freedoms, and our personal data and free expression should be protected. Personally, I believe that the disclosure of personal data to corporations allows threat actors to directly target individuals and is an obvious personal security risk. The internet has the potential to facilitate the greatest conversational progress that humanity has yet achieved, but if users’ personal data can be targeted and some form of digital anonymity is not in place then people will be discouraged from exercising their freedom of personal expression due to considerable negative consequences.

    Summary

    When discussing the subject of digital anonymity, we must also consider the importance of free speech, privacy of personal information, and the preservation of our human rights. It has become common for large technology companies to develop technologies that appear to challenge our current legislation’s technical knowledge or appear to create a situation that has no prior legislation. I believe that this attempt at overcomplication is more of an attempt to create a monopoly within a trending market, often at the expense of individual data privacy and free speech. Optimistically, I hope that advances in encryption and authentication techniques can create a justifiable sense of security in the world wide web while adopting a need-to-know style strategy toward data privacy to protect users from dangerous personal data exposure.

    References

    Hruska, J. (2011). The need for anonymity in a digital age. ExtremeTech. https://www.extremetech.com/internet/92096-the-need-for-anonymity-in-a-digital-age

    Lufkin, B. (2017). The reasons you can’t be anonymous anymore. BBC. https://www.bbc.com/future/article/20170529-the-reasons-you-can-never-be-anonymous-again

    Moyakine. (2016). Online Anonymity in the Modern Digital Age: Quest for a Legal Right. Journal of Information Rights, Policy and Practice, 1(1). https://doi.org/10.21039/irpandp.v1i1.21

    United Nations Human Rights Office of the High Commissioner. (2015). Human rights, encryption and anonymity in a digital age. United Nations. https://www.ohchr.org/en/stories/2015/06/human-rights-encryption-and-anonymity-digital-age

  • The Trojan Horse Virus Type in 5 Examples

    The Trojan Horse Virus in computing is named after the story of the Trojan horse in the works of Virgil and Homer, in which soldiers hid themselves inside the body of a large wooden horse to stealthily ambush the city of Troy (Fortinet, 2023). Similarly, a Trojan horse virus is composed of malware that is disguised as a genuine software application or file. Once the Trojan horse virus has successfully breached a system’s defenses by being accepted by a user, the malware is free to run its course within the host network.

    The Inosoft VisiWin 7 2022-2.1 Trojan exploit that was documented in August of 2023 allows the creation of an insecure folder which enables the manipulation of files and can result in escalation of user privileges (Shinnai, 2023). This exploit is capable of compromising the entire system and has a CVSS severity rating of 7.8 which is high. The Inosoft VisiWin 7 2022-2.1 Trojan exploit was reported by Carlo Di Dato for Deloitte Risk Advisory Italia.

    In April of 2023, a Trojan horse-powered attack against Diasoft File Replication Pro 7.5.0 was published in which an executable file that already has “LocalSystem” rights is replaced with a Trojan executable, which is then executed with escalated privileges. This vulnerability has critically high severity at 9.8/10. The exploit was documented by Andrea Intilangelo.

    There is a vulnerability that is exploitable by a Trojan horse virus, documented in February of 2023, which involves the installer applications of ELECOM Camera Assistant and QuickFileDealer (JVN, 2023). Similar to some other recent Trojan horse attacks, this attack relies on an issue in which the installers may insecurely load Dynamic Link Libraries (DLLs). Arbitrary code may then be executed with the privileges of the running application. There is a solution available from the developer in the form of an updated installer application.

    Yet another example of a Trojan horse attack that utilizes insecurely loaded Dynamic Link Libraries involves Sony Content Transfer for Windows from the Sony Corporation (JVN, 2023). The arbitrary code is executed with the privileges of the installer. The effect and solution of this vulnerability are somewhat limited because the software is no longer in distribution; however, malicious distribution remains possible.

    A fifth example of a trojan horse attack that was recently documented uses a similar privilege escalation strategy with the trojan horse executable of Panini Everest Engine 2.0.4 (NIST, 2023). This vulnerability comes from the use of an unquoted path that runs the service as “SYSTEM”. The impact of this vulnerability is escalation to system privileges and is scored at 7.8/10 in severity.
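
    The unquoted-path condition described above can be audited from a service's configured ImagePath. The following is an added example, not code from the post or from any cited advisory; the service names and paths are constructed, and the function names are hypothetical.

```python
import ntpath
import re

# Constructed ImagePath values for illustration; not taken from any advisory.
SAMPLE_SERVICES = {
    "ExampleQuoted": r'"C:\Program Files\Example Vendor\svc.exe" --run',
    "ExampleUnquoted": r'C:\Program Files\Example Vendor\Engine Service\svc.exe -k run',
    "ExampleNoSpaces": r'C:\Windows\System32\svchost.exe -k netsvcs',
}

def executable_part(image_path):
    """Return the executable portion of an unquoted ImagePath, else None."""
    path = image_path.strip()
    if path.startswith('"'):
        return None  # quoted: Windows uses the path exactly as written
    match = re.match(r"(.+?\.exe)(?=\s|$)", path, re.IGNORECASE)
    return match.group(1) if match else None

def candidate_paths(image_path):
    """List the executables Windows tries before the intended one."""
    exe = executable_part(image_path)
    if exe is None:
        return []
    # Each space is a possible end of the program name: "C:\Program Files\x.exe"
    # is first tried as "C:\Program.exe".
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]

def audit(services):
    """Map each at-risk service to the directories whose ACLs need review."""
    findings = {}
    for name, image_path in services.items():
        candidates = candidate_paths(image_path)
        if candidates:
            findings[name] = [ntpath.dirname(c) for c in candidates]
    return findings

if __name__ == "__main__":
    for name, dirs in audit(SAMPLE_SERVICES).items():
        print(f"{name}: unquoted path, review write access on:")
        for d in dirs:
            print(f"  {d}")
```

    A flagged service is fixed by wrapping the executable path in double quotes in its configuration and by removing non-administrator write access from the listed directories.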

    References

    (2023). CVE-2022-39959 Detail. National Vulnerability Database. https://nvd.nist.gov/vuln/detail/CVE-2022-39959

    (2023). JVN#60263237 The installers of ELECOM Camera Assistant and QuickFileDealer may insecurely load Dynamic Link Libraries. JVN. https://jvn.jp/en/jp/JVN60263237/

    (2023). JVN#40620121 The installer of Sony Content Transfer may insecurely load Dynamic Link Libraries. JVN. https://jvn.jp/en/jp/JVN40620121/

    (2023). Trojan Horse Virus. Fortinet. https://www.fortinet.com/resources/cyberglossary/trojan-horse-virus

    Intilangelo, Andrea. (2023). File Replication Pro 7.5.0 Insecure Permissions / Privilege Escalation. Packet Storm Security. https://packetstormsecurity.com/files/171879/File-Replication-Pro-7.5.0-Insecure-Permissions-Privilege-Escalation.html

    Shinnai. (2023). Inosoft VisiWin 7 2022-2.1 – Insecure Folders Permissions. Exploit Database. https://www.exploit-db.com/exploits/51682

  • The Importance of Ethics in Penetration Testing

    Ethics are paramount to conducting penetration tests. Technologists conducting penetration tests must always closely obey laws and behave in a strictly ethical fashion to maintain a high level of trust because penetration tests aim to determine the exploitability of a system’s weaknesses without damaging or negatively affecting any systems in the process (Faily et al., 2016). Penetration testers are consistently faced with situations that can increase the chance for unethical behavior or implicit bias to take place, which Faily et al. refer to as “ethical hazards.” These ethical hazards include situations with legal ambiguity, tests that involve a human target, tensions between offensive security team and defensive security team activities, and a client’s possible indifference to security recommendations. Each situation that poses an ethical hazard requires a high ethical standard and attention to ethical responsibility in the performance of the test so that the integrity, confidentiality, and availability of the systems remain secure.

    In the world of penetration testing, legal written authorization is what is referred to as a “get out of jail free card,” and obtaining it is key to being able to conduct pen testing legally. Penetration testers should be scrupulous, transparent, and thorough in their documentation because proper documentation is fundamentally the only reason that penetration testing can be performed legally. Documentation also provides clients an understanding of the complete scope of work and builds trust with the penetration testers (Gillam, 2023). Faily et al. (2015) explain that hacking a system requires a set of technical and creative skills to succeed, but penetration testing has an added constraint of protecting both the dignity of users affected by the test and protecting the systems involved from danger created by the test. When a penetration tester makes an incorrect choice in an ethical decision, they can easily face criminal charges.

    References

    Faily, Shamal; McAlaney, John; Jacob, Claudia. (2015). Ethical Dilemmas and Dimensions in Penetration Testing. Bournemouth University. https://cybersecurity.bournemouth.ac.uk/wp-content/papercite-data/pdf/fami15.pdf

    Faily, Shamal; Jacob, Claudia; Field, Sarah. (2016). Ethical Hazards and Safeguards in Penetration Testing. https://dl.acm.org/doi/pdf/10.5555/3114770.3114793

    Gillam, Jason. (2023, March 9). SecureIdeas. https://www.secureideas.com/knowledge/what-are-the-ethical-and-legal-considerations-for-penetration-testing