Barker Library - TC530.D45 2019

CRS is accepting applications for an Analyst in Security Assistance, Security Cooperation and the Global Arms Trade, GS-13 until December 18, 2019.

Click here for more information.

Online Resource

Our newest Co-Innovation Center is focused on cybersecurity, privacy, digital skills and social impact.
More RSS Feed for Cisco: newsroom.cisco.com/rss-feeds ...

Molly Wilson and Eileen Wagner battle the age old Christmas issues of right and wrong, good and evil, and how the messages we send through iconography design can impact the decisions users make around important issues of security. Are you icons wise men, or are they actually King Herod?

Congratulations, you’re locked out! The paradox of security visuals

Designers of technology are fortunate to have an established visual language at our fingertips. We try to use colors and symbols in a way that is consistent with people’s existing expectations. When a non-designer asks a designer to “make it intuitive,” what they’re really asking is, “please use elements people already know, even if the concept is new.”

Lots of options for security icons

We’re starting to see more consistency in the symbols that tech uses for privacy and security features, many of them built into robust, standardized icon sets and UI kits. To name a few: we collaborated with Adobe in 2018 to create the Vault UI Kit, which includes UI elements for security, like touch ID login and sending a secure copy of a file. Adobe has also released a UI kit for cookie banners.

Even UI kits that aren’t specialized in security and privacy include icons that can be used to communicate security concepts, like InVision’s Smart Home UI Kit. And, of course, nearly every icon set has security-related symbols, from Material Design to Iconic.

Many of these icons allude to physical analogies for the states and actions we’re trying to communicate. Locks and keys; shields for protection; warning signs and stop signs; happy faces and sad faces. Using these analogies helps build a bridge from the familiar, concrete world of door locks and keyrings to the unfamiliar, abstract realm of public- and private-key encryption.

When concepts don’t match up

Many of the concepts we’re working with are pairs of opposites. Locked or unlocked. Private or public. Trusted or untrusted. Blocked or allowed. Encouraged or discouraged. Good or evil. When those concept pairs appear simultaneously, however, we quickly run into UX problems.

Take the following example. Security is good, right? When something is locked, that means you’re being responsible and careful, and nobody else can access it. It’s protected. That’s cause for celebration. Being locked and protected is a good state.

Whoops.

If the user didn’t mean to lock something, or if the locked state is going to cause them any inconvenience, then extra security is definitely not good news.

Another case in point: Trust is good, right? Something trusted is welcome in people’s lives. It’s allowed to enter, not blocked, and it’s there because people wanted it there. So trusting and allowing something is good.

Nope. Doesn’t work at all. What if we try the opposite colors and iconography?

That’s even worse. Even though we, the designers, were trying both times to keep the user from downloading malware, the user’s actual behavior makes our design completely nonsensical.

Researchers from Google and UC Berkeley identified this problem in a 2016 USENIX paper analyzing connection security indicators. They pointed out that, when somebody clicks through a warning to an “insecure” website, the browser will show a “neutral or positive indicator” in the URL bar – leading them to think that the website is now safe. Unlike our example above, this may not look like nonsense from the user point of view, but from a security standpoint, suddenly showing “safe/good” without any actual change in safety is a pretty dangerous move.

The deeper issue

Now, one could file these phenomena under “mismatching iconography,” but we think there is a deeper issue here that concerns security UI in particular. Security interface design pretty much always has at least a whiff of “right vs. wrong.” How did this moralizing creep into an ostensibly technical realm?

Well, we usually have a pretty good idea what we’d like people to do with regards to security. Generally speaking, we’d like them to be more cautious than they are (at least, so long as we’re not trying to sneak around behind their backs with confusing consent forms and extracurricular data use). Our well-intentioned educational enthusiasm leads us to use little design nudges that foster better security practices, and that makes us reach into the realm of social and psychological signals. But these nudges can easily backfire and turn into total nonsense.

Another example: NoScript

“No UX designer would be dense enough to make these mistakes,” you might be thinking.

Well, we recently did a redesign of the open-source content-blocking browser extension NoScript, and we can tell you from experience: finding the right visual language for pairs of opposites was a struggle.

NoScript is a browser extension that helps you block potential malware from the websites you’re visiting. It needs to communicate a lot of states and actions to users. A single script can be blocked or allowed. A source of scripts can be trusted or untrusted. NoScript is a tool for the truly paranoid, so in general, wants to encourage blocking and not trusting. But:

“An icon with a crossed-out item is usually BAD, and a sign without anything is usually GOOD. But of course, here blocking something is actually GOOD, while blocking nothing is actually BAD. So whichever indicators NoScript chooses, they should either aim to indicate system state [allow/block] or recommendation [good/bad], but not both. And in any case, NoScript should probably stay away from standard colors and icons.”

So we ended up using hardly any of the many common security icons available. No shields, no alert! signs, no locked locks, no unlocked locks. And we completely avoided the red/green palette to keep from taking on unintended meaning.

Navigating the paradox

Security recommendations appear in most digital services are built nowadays. As we move into 2020, we expect to see a lot more conscious choice around colors, icons, and words related to security. For a start, Firefox already made a step in the right direction by streamlining indicators for SSL encryption as well as content blocking. (Spoilers: they avoided adding multiple dimensions of indicators, too!)

The most important thing to keep in mind, as you’re choosing language around security and privacy features, is: don’t conflate social and technical concepts. Trusting your partner is good. Trusting a website? Well, could be good, could be bad. Locking your bike? Good idea. Locking a file? That depends.

Think about the technical facts you’re trying to communicate. Then, and only then, consider if there’s also a behavioral nudge you want to send, and if you are, try to poke holes in your reasoning. Is there ever a case where your nudge could be dangerous? Colors, icons, and words give you a lot of control over how exactly people experience security and privacy features. Using them in a clear and consistent way will help people understand their choices and make more conscious decisions around security.

About the author

Molly Wilson is a designer by training and a teacher at heart: her passion is leveraging human-centered design to help make technology clear and understandable. She has been designing and leading programs in design thinking and innovation processes since 2010, first at the Stanford d.school in Palo Alto, CA and later at the Hasso-Plattner-Institut School of Design Thinking in Potsdam, Germany. Her work as an interaction designer has focused on complex products in finance, health, and education. Outside of work, talk to her about cross-cultural communication, feminism, DIY projects, and visual note-taking.

Molly holds a master’s degree in Learning, Design, and Technology from Stanford University, and a bachelor’s degree magna cum laude in History of Science from Harvard University. See more about her work and projects at http://molly.is.

Eileen Wagner is Simply Secure’s in-house logician. She advises teams and organizations on UX design, supports research and user testing, and produces open resources for the community. Her focus is on information architecture, content strategy, and interaction design. Sometimes she puts on her admin hat and makes sure her team has the required infrastructure to excel.

She previously campaigned for open data and civic tech at the Open Knowledge Foundation Germany. There she helped establish the first public funding program for open source projects in Germany, the Prototype Fund. Her background is in analytic philosophy (BA Cambridge) and mathematical logic (MSc Amsterdam), and she won’t stop talking about barbershop music.

More articles by Molly Wilson & Eileen

Divya Sasidharan calls into question the trade-offs often made between security and usability. Does a secure interface by necessity need to be hard to use? Or is it the choice we make based on years of habit? Snow has fallen, snow on snow.

Security is often synonymous with poor usability. We assume that in order for something to be secure, it needs to by default appear impenetrable to disincentivize potential bad actors. While this premise is true in many instances like in the security of a bank, it relies on a fundamental assumption: that there is no room for choice.

With the option to choose, a user almost inevitably picks a more usable system or adapts how they interact with it regardless of how insecure it may be. In the context of the web, passwords are a prime example of such behavior. Though passwords were implemented as a way to drastically reduce the risk of attack, they proved to be marginally effective. In the name of convenience, complex, more secure passwords were shirked in favor of easy to remember ones, and passwords were liberally reused across accounts. This example clearly illustrates that usability and security are not mutually exclusive. Rather, security depends on usability, and it is imperative to get user buy-in in order to properly secure our applications.

Security and Usability; a tale of broken trust

At its core, security is about fostering trust. In addition to protecting user accounts from malicious attacks, security protocols provide users with the peace of mind that their accounts and personal information is safe. Ironically, that peace of mind is incumbent on users using the security protocols in the first place, which further relies on them accepting that security is needed. With the increased frequency of cyber security threats and data breaches over the last couple of years, users have grown to be less trusting of security experts and their measures. Security experts have equally become less trusting of users, and see them as the “the weakest link in the chain”. This has led to more cumbersome security practices such as mandatory 2FA and constant re-login flows which bottlenecks users from accomplishing essential tasks. Because of this break down in trust, there is a natural inclination to shortcut security altogether.

Build a culture of trust not fear

Building trust among users requires empowering them to believe that their individual actions have a larger impact on the security of the overall organization. If a user understands that their behavior can put critical resources of an organization at risk, they will more likely behave with security in mind. For this to work, nuance is key. Deeming that every resource needs a similarly high number of checks and balances diminishes how users perceive security and adds unnecessary bottlenecks to user workflows.

In order to lay the foundation for good security, it’s worth noting that risk analysis is the bedrock of security design. Instead of blindly implementing standard security measures recommended by the experts, a better approach is to tailor security protocols to meet specific use cases and adapt as much as possible to user workflows. Here are some examples of how to do just that:

Risk based authentication

Risk based authentication is a powerful way to perform a holistic assessment of the threats facing an organization. Risks occur at the intersection of vulnerability and threat. A high risk account is vulnerable and faces the very real threat of a potential breach. Generally, risk based authentication is about calculating a risk score associated with accounts and determining the proper approach to securing it. It takes into account a combination of the likelihood that that risk will materialize and the impact on the organization should the risk come to pass. With this system, an organization can easily adapt access to resources depending on how critical they are to the business; for instance, internal documentation may not warrant 2FA, while accessing business and financial records may.

Dynamically adaptive auth

Similar to risk based auth, dynamically adaptive auth adjusts to the current situation. Security can be strengthened and slackened as warranted, depending on how risky the access point is. A user accessing an account from a trusted device in a known location may be deemed low risk and therefore not in need of extra security layers. Likewise, a user exhibiting predictive patterns of use should be granted quick and easy access to resources. The ability to adapt authentication based on the most recent security profile of a user significantly improves the experience by reducing unnecessary friction.

Conclusion

Historically, security failed to take the user experience into account, putting the onus of securing accounts solely on users. Considering the fate of password security, we can neither rely on users nor stringent security mechanisms to keep our accounts safe. Instead, we should aim for security measures that give users the freedom to bypass them as needed while still protecting our accounts from attack. The fate of secure systems lies in the understanding that security is a process that must constantly adapt to face the shifting landscape of user behavior and potential threats.

About the author

Divya is a web developer who is passionate about open source and the web. She is currently a developer experience engineer at Netlify, and believes that there is a better workflow for building and deploying sites that doesn’t require a server—ask her about the JAMstack. You will most likely find her in the sunniest spot in the room with a cup of tea in hand.

More articles by Divya

Barker Library - UA23.H538 2019

Online Resource

Online Resource

Dewey Library - HV6432.J445 2018

Online Resource

Sibal stated that there should be "accountability and responsibility" in the cyber space.

Omar said there's substantial success in tackling militancy in the state and they'll be able to see its end.

The victims are all Ghanchi Muslims from Godhra while Sarangpura is a predominantly Hindu village.

Home Ministry also asked five poll-bound states to beef up security in election rallies.

NSG commandos and jawans of Gujarat police would be present at the rally venue.

Norms were prescribed on Nov 20 following the brutal attack on a woman in a Bangalore ATM.

Out of the 2,500 ATMs in the city, 600 are unmanned.

Safety arrangements have been stepped up at the nuclear plant following the blast.

Proposed 150 surveillance cameras will be in addition to the existing 47 CCTV cameras.

Security personnel retaliated triggering a gunbattle, no casualty reported so far.

Mohpatra, Sabita, author

Australia. Parliament. Senate. Foreign Affairs, Defence and Trade References Committee, author, issuing body

The employees responsible for tackling hacking threats have alleged that the Silicon Valley giant is replacing them with machines and is automating its alert response and security teams

The app is the government's mobile application for contact tracing and disseminating medical advisories to users in order to contain the spread of Covid-19

The panelists talk to The Node Security Project founder and organizer, Adam Baldwin.

02:32 - Troy Hunt Introduction

• Twitter
• GitHub
• Blog
• Troy Hunt's Pluralsight Courses

04:12 - Why should people care about security?

06:19 - When People/Businesses Get Hacked

09:47 - “Hacking”

• Social Engineering
  • BeEF

11:42 - Inventive “Hacks”

• SQL Injection
  • sqlmap
• Stuxnet

13:24 - Motivation for Hacking/Can hacking be valuable?

17:08 - Consequences and Retribution

19:10 - How to Build Secure Applications

20:47 - Weighing in UX

22:50 - Common Misconceptions

• Password Storage
  • hashcat
• Encoding
• Cookies

31:27 - Passwords (Cont’d)

33:16 - Justifying the Importance of Security

35:24 - Client-side Security

• Cross-side Scripting
• DOM Based Cross-side Scripting
  • Content Security Policy (CSP)

44:10 - Resources

• AngularJS Security Fundamentals
• Hack Yourself First

45:27 - Routing

47:21 - Timeouts

51:36 - Cached Data

Picks

awesome-react (Aimee)
Edsger W. Dijkstra Quotes (Jamison)
Sam Newman: Telstra, Human Error and Blame Culture (Jamison)
Infinite Jest by David Foster Wallace (Jamison)
T.I.M.E Stories (Joe)
We Are Anonymous: Inside the Hacker World of LulzSec, Anonymous, and the Global Cyber Insurgency Paperback by Parmy Olson (Troy)
The Have I been pwned Project (Troy)

Panel: 

Charles Max Wood

AJ O’Neal

Joe Eames

Special Guests: Adam Baldwin

In this episode, JavaScript Jabber panelist speak with Adam Baldwin. Adam is a return guest and has many years of application security experience. Currently, Adam runs the Node Security Project/Node Security Platform, and Lift Security. Adam discusses the latest of security of Node Security with Charles and AJ. Discussion topics cover security in other platforms, dependencies, security habits, breaches, tokens, bit rot or digital atrophy, and adding security to your development.

In particular, we dive pretty deep on:

• What is  the Node Security Project/Node Security Platform
• Dependency trees
• NPM
• Tokens and internal data
• What does Node Security do for me?
• NPX and NSP
• Command Line CIL
• Bit Rot or Digital Atrophy
• How often should you check repos.
• Advisories
• If I NPM install?
• Circle CI or Travis
• NSP Check
• What else could I add to the securities?
• Incorporate security as you build things
• How do you find the vulnerabilities in the NPM packages
• Two Factor authentication for NPM
• Weak Passwords
• OL Dash?
• Install Scripts
• Favorite Security Story?
• And much more!

Links:

• Node Security 
• Lift Security
• https://github.com/evilpacket
• @nodesecurity
• @liftsecurity
• @adam_baldwin

Picks:

Adam

• Key Base
• Have I been Pwned?

Charles

• Nettie Pot 
• convo.com

AJ

• This Episode with Adam Baldwin
• Free the Future of Radical Price
• Made In America Sam Walton
• Sonic - VGM Album

Joe

• Pych - Movie
• NG Conf
• Why We Don’t Suck

Today the panel is talking about security features that are being added to Node 13. AJ talks about the background and what he’s working with Let’s Encrypt. He talks about changes that Node has made to the TLS module. TLS is a handshake that happens between a client and a server. They exchange certificates, generate some random numbers to use for encryption, and TLS handles the encryption. The move to HTTP/2 is all about fixing legacy bugs and legacy features from the SSL days and reducing the number of handshakes.

AJ talks about the difference between TLS and HTTPS. While TLS reduces the handshakes between client and server, HTTPS is just HTTP and has no knowledge that TLS is going on. HTTP/2 is more baked in as both encryption and compression are part of the specification and you get it automatically. HTTP/2 is also supposed to be faster because there’s fewer handshakes, and you can build heuristic based web servers. Since browsers have varying degrees of compatibility, a smart HTTP/2 server will classify the browser and anticipate what files to send to a client based on behavior and characteristics without the client requesting them

A lot of these new features will be built into Node, in addition to some other notable features. First, there will now be set context on the TLS object. Second, if you’re connected to a server, and the server manages multiple domains, the certificate will have multiple names on it. Previously, each different server name had a different network request, but now a .gitcertificate will let you get all the metadata about the certificate, including the primary domain and all the secondary domains and reuse the connections. 

These new features are a great improvement on the old Node. Previously, the TLS module in Node has been an absolute mess. These are APIs that have been long neglected, and are long overdue core editions to Node. Because of these additions, Node Crypto has finally become usable. HTTP/2 is now stable, usable, and has backwards compatable API, and a dictionary of headers to make it more efficient in compression.

The conversation turns back to certificates, and AJ explains what a certificate is and what it represents. A certificate has on it a subject, which is a field which contains things like common name, which in the case of HTTPS is the server name or host name. then it will have subject alternative names (SAN), which will have a list of other names that are valid on that certificate. Also included on the certificate is the name of the authority that issued the certificate. AJ talks about some of the different types of certificates, such as DV, OV, and EV certificates. They differentiate between encryption and hashing. Hashing is for verifying the integrity of data, while encryption can be used either as signing to verify identity or to keep data owned privately to the parties that are part of the connection. Encryption does not necessarily guarantee that the data is the original data. The show concludes with AJ talking about how he wants to make encryption available to the average person so that everyone can share securely. 

Panelists

• Steve Edwards

• AJ O’Neal

• Charles Max Wood

Sponsors

• Tidelift

• Sentry use the code “devchat” for 2 months free on Sentry’s small plan

• Ruby Rogues

Links

• Let’s Encrypt

• Greenlock

• HTTP/2

• Node.js

• Node Crypto

• JWK

• LZMA

• Gzip

• Broccoli.js

• HTTPS

• GCM

• ASN.1

• OWASP list

• jwt.io

• Diffie Hellman Key Exchange

• Khana Academy Diffie-Hellman Key Exchange pt.2

Follow DevChatTV on Facebook and Twitter

Picks

Steve Edwards:

• Panasonic SD-YD250 bread machine

AJ O’Neal:

• Greenlock v.3

• Samsung Evo 4 TOB paired with 2012 Macbook Pro

• Dave Ramsey on Christian Healthcare Ministries

Charles Max Wood: 

• Velcro straps

• Mac Pro Upgrade Guide

In this episode of JavaScript Jabber the panel interviews security expert, Kevin A. McGrail. He starts by explaining what security frameworks and what they do. The panel wonders how to know if your developers are capable of self-auditing your security or if you need help. Kevin shares recommendations for companies to look at to answer that question. 

Aimee Knight explains the hell she has been in making changes to be compliant with CCPA. The panel considers how policies like this complicate security, are nearly impossible to be compliant with and how they can be weaponized. They discuss the need for technical people to be involved in writing these laws. 

Kevin explains how you can know how secure your systems actually are. He shares the culture of security first he tries to instill in the companies he trains. He also trains them on how to think like a bad guy and explains how this helps developers become security first developers. The panel discusses how scams have evolved and how the same scams are still being run. They consider the importance of automated training and teaching developers to do it right the first time.

Finally, they consider the different ways of authentication, passwords, passphrases, sim card, biometrics. Kevin warns against oversharing or announcing vacations. The panel discusses real-world tactics bad guys use. Kevin explains what he trains people to do and look out for to increase security with both social engineering and technical expertise. 

Panelists

• Aimee Knight

• AJ O’Neal

• Charles Max Wood

• Dan Shappir

• Steve Edwards

Guest

• Kevin A McGrail

Sponsors

• ABOUT YOU | aboutyou.com/apply

• Split

• CacheFly

____________________________________________________________

"The MaxCoders Guide to Finding Your Dream Developer Job" by Charles Max Wood is now available on Amazon. Get Your Copy Today!

____________________________________________________________

Links

• Ghost in the Wires

• https://www.infrashield.com/

Follow DevChatTV on Facebook and Twitter

Picks

Aimee Knight:

• The More Gender Equality, the Fewer Women in STEM 

AJ O’Neal:

• I'll Let Myself In: Tactics of Physical Pen Testers 

• Copying Keys from Photos, Molds & More 

• The LED Traffic Light and the Danger of "But Sometimes!" 

• Regina Spektor 

• The Weepies 

Dan Shappir:

• This is what happens when you reply to spam email 

• What is Your Password? 

Kevin A McGrail:

• XKCD Security 

• IT Crowd

• https://spamassassin.apache.org/

Steve Edwards:

• XKCD Password Generator 

• Nerd Sniping

Winkler, Ira

With the arrest of Tehsin Akhtar, thought to be Indian Mujahideen (IM) commander of India operations, security agencies have netted another big fish in the fight against terror.

Hardt, Judith Nora, author

Product offerings include Cisco, CEH, CISSP, CompTIA Security+, and SSCP.

Online Resource

Stanek, William R., author

China is expected to provide two more ships to the Pakistan navy. Pakistan has already raised a new division of the army to ensure security along the CPEC route and in and around the Gwadar port.

Dewey Library - K3249.P69 2019

Dewey Library - K3263.F37 2019

Online Resource

Online Resource

£Attractive: Defence Science and Technology Laboratory
For more latest jobs and jobs in South West England visit brightrecruits.com

£Attractive: Defence Science and Technology Laboratory
For more latest jobs and jobs in South West England visit brightrecruits.com

Both employers, employees are liable for data breach from home

Australia. Parliament. Joint Committee on Intelligence and Security, author, issuing body