Setting Up an Introductory CyberSecurity Lab — Strategies and Struggles

Editor’s Note: It’s hard to put together an introductory cyber security lab. This post by Greg Moore details our efforts in this direction. Please provide feedback and links on what you think will be great tools and resources for students learning the art and craft of cyber defense!

A Prototype Cyber Security Lab (Source: ARL — US Army)

At Cyber Defenders, our mission is to bring students with little to no background in cybersecurity up to a knowledge level that allows them to work on meaningful research projects. The inaugural Cyber Defenders program has four project teams, each partnering with a different industry leader to work on a project in a growing and critical area of cyber security. The project topics for this year’s cohort are malware analysis (GotMalware), consumer data protection (Pensieve), mobile healthcare application vulnerabilities (HealthSec), and network security (Raspi).

As most students entering the program have little to no background in cybersecurity, prior to beginning our project work we provide a general introduction to the field of cybersecurity via lab exercises, tutorials, and suggested reading. Below we enumerate the steps we have taken to provide that general introduction and background. We invite you, dear reader, to contribute any suggestions about learning aids or content structure that will help us improve our cybersecurity lab!

Labs

  1. CIA triad
    We begin our introduction to cybersecurity with a discussion of the CIA triad (Confidentiality, Integrity, and Availability). This helps students conceptualize the ways that cybersecurity can be compromised and provides a useful starting point to introduce the various domains of cybersecurity that attempt to address these threat categories. As an exercise, several types of attacks are presented (such as DDoS, password cracking, replay, etc.) and students are asked to identify which letter(s) in the triad apply. CIA tutorials and videos.
  2. Cryptography
    Cryptography is presented as the cybersecurity domain that attempts to guarantee confidentiality and integrity for electronic information. We begin the cryptography lesson by covering the concepts of encryption and hashing. This provides an opportunity to review some foundational math concepts like changing bases and performing logic operations such as AND, OR, XOR, etc. To help students visualize what occurs during encryption, we have the student download CrypTool and walk through an animated tutorial covering the steps involved in AES encryption (CrypTool>Individ. Procedures>Visualization of Algorithms>AES>Rijndael Animation). We then introduce the concepts of salting and nonces, and we explore the differences between symmetric and asymmetric cryptography. As an exercise, we go through different combinations of public key encryption, private key encryption, shared key encryption, hashing, salting, and use of nonces. Students are asked to identify whether the combinations provide assurances of Confidentiality and Integrity. We conclude the cryptography exploration with a tutorial that demonstrates password cracking using a provided Python program and rainbow table. Cryptography Tutorials and Videos
  3. Network Security: This lab provides an overview of networking and how network security strategies are deployed to address the Availability pillar of the CIA triad. The introduction to networking begins with a description of the OSI layer model. We walk through each layer and its associated protocol, protocol data unit, and key terms (such as MAC address, IP, etc.). We then examine the well-known traditional network attacks ping-of-death, DDoS, and botnet-mediated DDoS. The network security lab concludes with a Wireshark exercise in which students perform packet capture and practice analyzing network traffic. Network Security Tutorials
  4. Malware — The malware lab begins with an overview of common types of malware and infection vectors. We cover concepts such as the reverse shell exploit, ransomware, and botnet generation. We then guide the students through installations of VirtualBox, Kali Linux, and Debian and then work through several tutorials that describe how malware can be generated using Metasploit and deployed. A favorite exercise involves walking students through infection of a PDF with a reverse callback shell in Metasploit. The students email the PDF to a dummy email account and open it on a Debian VM, and then control the Debian VM from their Kali Linux terminal. The following are some of the malware tutorials we use: Kali Linux, Metasploit, and Building A BotNet.
  5. Data forensics — The data forensics lab concludes our introduction to cyber security module. We begin with a discussion of file storage and erasure mechanisms. We then walk the students through a file recovery exercise using the forensic analysis tool Autopsy. Data Forensics Tutorial.
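Why salting matters for the password-cracking tutorial in the cryptography lab, shown as an added example that is not the lab's own Python program: a small precomputed hash table (a simplified stand-in for a rainbow table) recovers unsalted SHA-256 password hashes but finds nothing once each user has a random salt and a slow key-derivation function. The passwords, user names, iteration count and function names are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed sample data: weak passwords a precomputed table would contain.
COMMON_PASSWORDS = ["123456", "password", "letmein", "qwerty"]
PBKDF2_ITERATIONS = 100_000  # assumed work factor; tune it for your hardware


def unsalted_hash(password: str) -> str:
    """Weak scheme: identical passwords always give the identical hash."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(words) -> Dict[str, str]:
    """Precompute hash -> password once; the table works on any unsalted database."""
    return {unsalted_hash(w): w for w in words}


def salted_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Stronger scheme: a random per-user salt plus a deliberately slow KDF."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = salted_hash(password, salt)
    return hmac.compare_digest(digest, expected)


def run_lab():
    """Store the same weak password both ways and try the precomputed table on each."""
    table = build_lookup_table(COMMON_PASSWORDS)
    # Two constructed users who picked the same weak password.
    weak_db = {"alice": unsalted_hash("letmein"), "bob": unsalted_hash("letmein")}
    strong_db = {"alice": salted_hash("letmein"), "bob": salted_hash("letmein")}
    return {
        "unsalted_recovered": {u: table.get(h) for u, h in weak_db.items()},
        "salted_recovered": {u: table.get(d.hex()) for u, (_s, d) in strong_db.items()},
        "same_hash_unsalted": weak_db["alice"] == weak_db["bob"],
        "same_hash_salted": strong_db["alice"][1] == strong_db["bob"][1],
        "login_ok": verify("letmein", *strong_db["alice"]),
        "login_bad": verify("qwerty", *strong_db["alice"]),
    }


if __name__ == "__main__":
    for key, value in run_lab().items():
        print(f"{key}: {value}")
```

The salt is stored next to the digest in the clear; its job is to make every stored hash unique so that one precomputed table cannot be reused across users or databases.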

Books

We have found the following books to be extremely helpful for introducing concepts, providing background information, and serving as on-hand reference guides.

  1. Singer, Peter W., and Allan Friedman. Cybersecurity: What Everyone Needs to Know. Oxford University Press, 2014. Link
  2. Anderson, Ross J. Security engineering: a guide to building dependable distributed systems. John Wiley & Sons, 2010. Link
  3. Schneier, Bruce. Data and Goliath: The hidden battles to collect your data and control your world. WW Norton & Company, 2015. Link
  4. Regalado, Daniel, et al. Gray Hat Hacking the Ethical Hacker’s Handbook. McGraw-Hill Education Group, 2015. Link
  5. Anley, Chris, et al. The shellcoder’s handbook: discovering and exploiting security holes. John Wiley & Sons, 2011. Link
  6. Marcella Jr, Albert J., and Frederic Guillossou. Cyber forensics: From data to digital evidence. Vol. 623. John Wiley & Sons, 2012. Link

Suggested Hardware

  1. Raspberry Pi: Amazon
  2. Ethernet sniffer: Amazon
  3. Bluefruit (Bluetooth sniffer) at Amazon, Ubertooth (Bluetooth sniffer) at Amazon
  4. Rubber Ducky (USB keystroke injection tool) at Hakshop.
  5. Wifi Pineapple Router at Hakshop
  6. LAN Turtle at Hakshop

Suggested Software

  1. VirtualBox: https://www.virtualbox.org/wiki/Downloads
  2. Kali Linux VM: https://www.offensive-security.com/kali-linux-vmware-virtualbox-image-download/
  3. CrypTool: https://www.cryptool.org/en/ct1-downloads
  4. Wireshark/Tshark: https://www.wireshark.org/download.html
  5. Autopsy: http://www.autopsy.com/download/

What else should we include? Suggestions?

Thoughts on Application Security — jimio Talks to Cyber Defenders

Editor’s Note: Thank you Clinton Fernandes for putting this summary together.


Here at San Jose City College, in the Cyber Defenders program, we hosted speaker Jim O’Leary, who works at Facebook as an application security lead. We were happy to have him as he shared his knowledge and experience of working at Facebook, along with his thoughts about the project topics that the groups in the Cyber Defenders program were working on.

Speaking to the individual groups, Jim gave advice to the students while telling them about his experience with regard to the project topics. Our summary below:

  • The malware analysis (GotMalware) group mentioned that they were working on malware detection using simple techniques and that, once those were successfully implemented, they would use machine learning to improve malware analysis. Jim told them that at Facebook, machine learning is heavily used to detect malware and threats.
  • While speaking about their project, the consumer protection (Pensieve) group told Jim about storing information, sent by a user through a Chrome extension, on a blockchain. When the group mentioned that they were using Solidity for the Ethereum blockchain and JavaScript for the Chrome extension, Jim discussed why it is important to know different languages.
  • The network security (Raspi) group talked about their project, which involves deploying multiple Raspberry Pi mini computers that monitor the network in a region, prevent intrusion, and alert a user about suspicious activity. Jim talked about the different places where portable network monitoring is carried out, even by individuals.
  • The last group, on software vulnerability (HealthSec), talked about their project on strengthening the security of healthcare applications by formulating methods that would analyze the security risks of mobile healthcare applications and help people, including hospitals, make informed decisions when it comes to the privacy of patients’ health records. Jim mentioned his involvement in the healthcare security area when he was associated with Microsoft to work on HealthVault.

The group presentations were followed by questions. Some handpicked questions and answers were the following:

  1. How often does Facebook identify bugs and threats?
    Jim — Every day. We’re constantly working to find and fix new bugs, while people on the outside are doing the same.
  2. How difficult is it to defend against bad actors?
    Jim — Every time a security breach is addressed or a bug is found, it is fixed. But some person will find a way to get around the defense and will cause another breach, while in the meantime a solution to this is identified, there is another gateway that a bad actor finds. It’s a never ending loop.
  3. What role does machine learning play at Facebook?
    Jim — ML is used in more ways than I can possibly comprehend at Facebook, and across the industry on the whole. From a security perspective, this might be something like our systems noticing that you’re logging in from a new browser in a new location for the first time, but Facebook and other companies are really pushing into all sorts of new places to apply machine learning.
  4. How did you get into this field of cyber security?
    Jim — I have spent most of my life in cyber security. Security is a good field, and in my high school yearbook I wrote that I would go ahead and work on cryptography. The main focus of my undergrad degree was in artificial intelligence. Through my Computer science course, I learnt that you are either 100% correct or 0% correct and that is rewarding as it is concrete.
  5. What is a path for students to take after a Computer Science degree?
    Jim — Bug hunting is very helpful as you can get a lot of problem solving practice through that. You got to sell yourself and talk about your knowledge, find internships in your field of interest, participate in capture-the-flag competitions and mention the issues you come across in a blog post; this is a good way to tell people about your work. Be public, open and find ways to contribute to open source projects. Microsoft paid for my grad school, exploit your employer!! When you meet people, establish contacts with them. It is important to know that we are in this together, in security. You do not want to be enemies with a hacker.
  6. How difficult is it to find bugs in software and in apps?
    Jim — You can go with white box testing which involves coding. If you do not like coding then you can try black box testing that does not require you to code and there are a lot of people now who do it.
  7. Did you get to meet Mark Zuckerberg, and was it exciting?
    Jim — Yes, I did meet him a few times and he is a nice guy who built this huge company. But to meet celebrities like Miley Cyrus and Ludacris was more exciting to me.

Baking a Raspberry Pi to Capture Data from the Network

It’s Raspberry Pi Securing Your Lawns! (Source: TBA)

Editor’s Note: This article describes the project Network Security with IoTs to explore network security concepts and implement security devices. It’s been developed with help from Lib13 Inc as part of the Cyber Defenders 2017 Program.

Introduction

We are part of the Cyber Defenders program and our project is to set up a Raspberry Pi as a network surveillance system and explore concepts of network security.

We are configuring a Raspberry Pi to perform packet capture and writing software that allows a system administrator to remotely monitor network traffic in a customized manner. The Raspberry Pi will function as a DDoS detector that sounds an alarm when it detects malicious activity. Finally, the Raspberry Pi will send reports to the remote user through email, providing data on the network traffic.

Our Approach

During the first few days of the project, our team started off by learning how to set up a Raspberry Pi to run tshark and capture packets from the network traffic. This experience gave us insight into how a microcontroller, like the Raspberry Pi, can be efficient and small enough to complete this task. Next, we thought about what we wanted our Raspberry Pi to do after it captured packets. We thought about setting up an alarm if the Raspberry Pi captured an IP address that appeared on the different packets.

Then, we came up with the idea of placing a Raspberry Pi inside a case and putting it at a location on campus where it is hidden from public view.

In addition, we took the time to do some research and learn about other graduate students who worked on Raspberry Pi data packet capturing projects. This helped us understand more of our project and look at some of the analysis that those students worked on.

Each member of the group started off by researching the principles of the whole project, meaning we learned how Wireshark works and how to capture packets using tshark. Afterwards, the members decided to find three resources per person, which means we had a total of six resources. The resources helped us divide the project into sections in order to progressively accomplish the project. The resources helped us accomplish our goals because the information, such as articles or blog posts, was easily accessed online.

Progress So Far

We started by making a simple text input-to-output program that uses a text file that came from tshark. Then we strip redundant information from the text file in order to keep the important information, such as the packet number, the time the packet was captured, source IP, destination IP, protocol, and length. So far, the only information that we used from this text file was the number of packets and source IP.

In Python, we’ve made a constructor for all of the information we would need from a packet. We used a for loop to scan over all of the packets, making an algorithm to search each line of every packet. We then place that information inside an array to be analyzed for any intrusions. Everything else seemed simple enough to do in our Python code: we added a stop switch to the program (Ctrl-C), installed “pygame” to have it play a sound if an intrusion is detected, and finally send an email about what’s happening on a server.

Challenges — Need Help!

One of our challenges was figuring out how to grab the packet data. We attempted many output formats in tshark, but most of them came out as a scrambled mess in text format. The best format we chose was XML, since it displays the information in a much more organized way than the other text formats. The next challenge was working out how to retrieve the information in Python. We didn’t have any knowledge about creating constructors in Python and storing the output text file in objects. Eventually, after hours of going through online material and learning about constructors, we found out that creating a for loop to scoop up every line was our best bet. We use the for loop to read every line that a packet contains, applying a single array to store the information. Performing this task simultaneously was difficult; however, we learned that using a 2-dimensional array to get all the information was useful. After that, everything else seemed easy to implement in Python.
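One way to do the parsing and the per-source check described above, as an added example that is not the code in the team's repository: it streams tshark's XML (PDML, from `tshark -T pdml`) with the standard library instead of reading it line by line, then flags any source IP that sends more than a threshold of packets inside a sliding time window. The capture is constructed inline, the window and threshold are assumed values, and `frame.time_epoch` is assumed to be printed as decimal seconds.

```python
import io
import xml.etree.ElementTree as ET
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Packet:
    number: int
    time: float    # seconds since the epoch (frame.time_epoch)
    src: str
    dst: str
    protocol: str  # innermost protocol tshark dissected, e.g. "tcp"
    length: int    # frame length in bytes


def parse_pdml(stream):
    """Yield a Packet for every IPv4 <packet>; iterparse keeps memory use flat."""
    for _event, elem in ET.iterparse(stream, events=("end",)):
        if elem.tag != "packet":
            continue
        fields = {}
        for field in elem.iter("field"):
            # setdefault keeps the outermost header when a name repeats (tunnels).
            fields.setdefault(field.get("name"), field.get("show"))
        elem.clear()  # free the subtree we just consumed
        if "ip.src" not in fields:
            continue  # ARP, IPv6 and other non-IPv4 frames carry no ip.src
        yield Packet(
            number=int(fields["frame.number"]),
            time=float(fields["frame.time_epoch"]),
            src=fields["ip.src"],
            dst=fields["ip.dst"],
            protocol=fields["frame.protocols"].split(":")[-1],
            length=int(fields["frame.len"]),
        )


def find_floods(packets, window_s=1.0, threshold=5):
    """Return {source IP: peak count} for sources exceeding `threshold`
    packets within any `window_s`-second span. Expects capture order."""
    recent = defaultdict(deque)
    peaks = {}
    for pkt in packets:
        times = recent[pkt.src]
        times.append(pkt.time)
        while pkt.time - times[0] > window_s:
            times.popleft()  # forget packets that fell out of the window
        if len(times) > threshold:
            peaks[pkt.src] = max(peaks.get(pkt.src, 0), len(times))
    return peaks


def sample_pdml() -> bytes:
    """Constructed capture: one noisy source, one quiet source, one ARP frame."""
    rows = [(1500000000.0 + 0.1 * i, "10.0.0.99", "10.0.0.1", "eth:ethertype:ip:tcp", 60)
            for i in range(8)]
    rows += [(1500000000.0 + i, "10.0.0.5", "10.0.0.1", "eth:ethertype:ip:udp:dns", 74)
             for i in range(3)]
    rows.sort()
    packets = []
    for number, (ts, src, dst, protos, length) in enumerate(rows, start=1):
        packets.append(
            '<packet><proto name="frame">'
            f'<field name="frame.time_epoch" show="{ts:.3f}"/>'
            f'<field name="frame.number" show="{number}"/>'
            f'<field name="frame.len" show="{length}"/>'
            f'<field name="frame.protocols" show="{protos}"/></proto>'
            f'<proto name="ip"><field name="ip.src" show="{src}"/>'
            f'<field name="ip.dst" show="{dst}"/></proto></packet>'
        )
    arp = ('<packet><proto name="frame"><field name="frame.number" show="12"/>'
           '<field name="frame.protocols" show="eth:ethertype:arp"/></proto></packet>')
    return ("<pdml>" + "".join(packets) + arp + "</pdml>").encode()


def analyze_sample():
    """Parse the constructed capture and run the flood check on it."""
    packets = list(parse_pdml(io.BytesIO(sample_pdml())))
    return packets, find_floods(packets)


if __name__ == "__main__":
    pkts, floods = analyze_sample()
    print(f"{len(pkts)} IPv4 packets parsed; flagged sources: {floods}")
```

On a real capture, pass an open file from `tshark -T pdml` to `parse_pdml` and tune the window and threshold against normal traffic before wiring the result to the alarm or the email report.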

Code Review

You can review our progress and the code at our github repository: https://github.com/cyberdefenders/NetworkSecurity

Got Malware? — Meet Us

Malware Blues! (Source: tqn.com)

Editor’s Note: This article describes the project “GotMalware?” to explore malware fingerprinting and visualization techniques. It’s been developed with help from MalwareBytes & Lib13 Inc as part of the Cyber Defenders 2017 Program.

The Problem

Malware is malicious software that infects computer systems as well as mobile devices with the intent to obtain secured private information or to delete and modify important information. In our project, we want to identify the fingerprints of different malware by looking at the files of a computer before and after infection. Then, we want to learn how to visualize the effect malware has on a computer system. We eventually would like to explore the desktop malware analysis techniques on a mobile phone — especially Android devices.

What are we trying to do?

Although there is a lot of software available that can detect malware and prevent computer systems from getting infected, our objective in this project is to observe malware behavior and the footprints it may leave behind, by comparing files and associated signals from a regular test bed environment to files in an infected test bed environment. The testbed will provide us with a platform to understand malware detection better, and to develop tools for the same. We will test three different types of malware to compare the different fingerprints they leave behind.

Research

To accomplish this goal, we first surveyed the current research that exists regarding malware detection as well as the use of machine learning in malware detection.

Here are some of the papers we read:

  • Idika, Nwokedi, and Aditya P. Mathur. “A survey of malware detection techniques.” Purdue University 48 (2007) : This paper discussed two of the most common techniques used in malware detection: anomaly based detection and signature based detection. Link
  • Ahmed, Faraz, et al. “Using spatio-temporal information in API calls with machine learning algorithms for malware detection.” Proceedings of the 2nd ACM workshop on Security and artificial intelligence. ACM, 2009 : These researchers ran malware and benign software in a sandbox environment, analyzed its behavior, and used different algorithms to classify the software as malware or non-malware. Link
  • Liao, Ken. “Solution Corner: Malwarebytes Endpoint Protection.” Blog post. Malwarebytes Labs. Malwarebytes, 27 June 2017. Web. 30 June 2017: This blog post explains how MalwareBytes already incorporates machine learning into their products. Link
  • Siddiqui, Muazzam, Morgan C. Wang, and Joohan Lee. “A survey of data mining techniques for malware detection using file features.” Proceedings of the 46th annual southeast regional conference on xx. ACM, 2008: This article was a survey of different data mining techniques from 19 different studies. Link
  • Alazab, Mamoun, et al. “Zero-day malware detection based on supervised learning algorithms of API call signatures.” Proceedings of the Ninth Australasian Data Mining Conference-Volume 121. Australian Computer Society, Inc., 2011 : This research group used machine learning to identify zero-day malware based on its frequency of Windows API calls. Link

Our Approach

We are planning to take the following steps:

  1. Learning about required tools: Our internship includes a Java course, but because Python has much better libraries for data analysis and visualization, we decided to learn and use it for our project.
  2. Creating a malware analysis test bed: We are writing a Python program that will index the files (make an organized list of all the files along with their sizes) on multiple virtual machines (software that emulates a mini computer inside of your main computer). Then, it will compare the directories and generate a report that tells the user the modifications in the files caused by the malware.
  3. Infect the virtual machines with different types of viruses and compare the files between the infected machines and a clean machine.
  4. Extract meaningful features from our samples. These features will be the basis of our study; features are what describe something, for example, the features of a house are: number of rooms, area of the house, price of the house.
  5. Visualize data. Malware is a threat to anyone who uses a computer, but many people have only a vague idea of what it is and what the effects can be. We aim to write something that will help people clearly visualize the effect of malware on their computers.
  6. Use machine learning on the prepared dataset.
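A sketch of the index-and-compare step from the plan above, as an added example that is not the team's own program: it records each file's size and SHA-256 hash, then reports files added, removed or modified between a clean snapshot and an infected one. It goes beyond the size-only index described in step 2, because a hash also catches changes that leave the size untouched. The two directory trees are constructed in temporary folders and all names are illustrative.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def index_tree(root):
    """Map relative path -> (size in bytes, SHA-256) for each regular file under root."""
    index = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # skip symlinks and special files
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            try:
                index[rel] = (os.path.getsize(full), sha256_file(full))
            except OSError:
                index[rel] = (None, None)  # locked or unreadable: still list it
    return index


def compare_indexes(clean, infected):
    """Classify every path as added, removed or modified (by hash)."""
    common = set(clean) & set(infected)
    modified = sorted(p for p in common if clean[p][1] != infected[p][1])
    return {
        "added": sorted(set(infected) - set(clean)),
        "removed": sorted(set(clean) - set(infected)),
        "modified": modified,
        # Changes a size-only index would have missed.
        "modified_same_size": [p for p in modified if clean[p][0] == infected[p][0]],
    }


def format_report(diff):
    """Render the comparison as the plain-text report handed to the user."""
    lines = []
    for kind in ("added", "removed", "modified"):
        for path in diff[kind]:
            note = " (size unchanged)" if path in diff["modified_same_size"] else ""
            lines.append(f"{kind.upper():9}{path}{note}")
    return "\n".join(lines)


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as handle:
        handle.write(data)


def demo():
    """Build two constructed snapshots and compare them."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as dirty:
        for root in (clean, dirty):
            _write(root, "docs/report.txt", b"quarterly numbers")    # untouched
        _write(clean, "hosts", b"127.0.0.1 localhost\n")
        _write(dirty, "hosts", b"127.0.0.1 loca1host\n")             # same length
        _write(clean, "notes.txt", b"todo")                          # deleted later
        _write(dirty, "dropped.bin", b"\x00" * 32)                   # new file
        return compare_indexes(index_tree(clean), index_tree(dirty))


if __name__ == "__main__":
    print(format_report(demo()))
```

With virtual machines, run `index_tree` inside each guest, save the result (for example as JSON) and compare the saved indexes on the host, so the comparison never depends on the infected machine.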

Why is it beneficial?

Malware is a serious, constantly changing threat. Creating a program that identifies malware and helps people see the effect malware will have on their systems will show them its practical effects and help them make more informed decisions in the future.

Can this be done in a better way?

A bonus part of our project (if time permits) is to use machine learning techniques to identify malware. Because malware is constantly changing to avoid the latest detection techniques, machine learning can be crucial in identifying forms of malware that are not currently known, but are similar to already known strains.

What have we done until now?

Our team has worked with Java Virtual Box to set up Windows 10 virtual machines. We have also studied the programming language Python, by taking the Introductory and Intermediate Python for Data Science courses on DataCamp.

This week, we began writing our code. So far, we have two programs written: one that indexes the files on two virtual machines, and another that compares these directories to determine what files have been changed by the virus.

We have also experimented with other file comparison programs, mainly ‘ExamDiff Pro’ to get an idea of how a file comparison program works and the footprints it might find. Specifically, we used Metasploit to make a malicious pdf, and compared it with a benign pdf in ExamDiff. This will help us learn behaviours of malware so we have an idea of what results we should expect to find when we run our own program.

Our next step is to find three viruses and infect the virtual machines with them.

Code Review — Please?

The following is some of the code we plan to use. Please review and advise:

  • Code we plan to use for line by line file comparison: Here
  • Code we plan to use to compare two directories and save results to a text file: Here

How Secure Are Your Health Apps?

The False Promise of HIPAA for Health Security (Source: healthsecurity.com)

Editor’s Note: This article describes the project HealthSec to explore software vulnerabilities in healthcare mobile apps. It is being developed by Michael Navarro and Shishir Paudel for DHXLabs & Lib13 Inc in collaboration with Appthority, as part of the Cyber Defenders 2017 Program.

Hello!

Greetings from Team HealthSec! We are Michael Navarro and Shishir Paudel from the 2017 Cyber Defenders program. Our group is interested in the software vulnerability domain of cybersecurity and our project focuses on the security vulnerabilities of mobile applications for healthcare. Our team has been partnered with Appthority, an infosec company that provides security software and consultation for mobile devices at the enterprise level. DHX Labs, in conjunction with Appthority, asked us to help them develop and enhance an application security report and elaborate its operational characteristics with a focus on healthcare and fitness apps. We were curious — why health care? Well, after some research, we learned that the healthcare industry is woefully behind the times in its implementation of cyber security.

Healthcare Security Is Substandard

The unfortunate state of cybersecurity in healthcare is the result of healthcare organizations failing to prioritize it. Cybersecurity has historically been a low priority because healthcare computer systems don’t store monetary assets or trade secrets. However, as current events attest, if hospitals and healthcare organizations don’t create secure networks, hackers can easily shut away vital information; information that doctors need to help their patients.

Healthcare is becoming a more and more popular target for cybercriminals. The medical records of a patient include their social security number, date of birth, name, address, email, and occupation. At one point, medical records were sold on the darkweb for upwards of $500 per record. In 2017, it is so easy to steal medical records that the supply of records has far outweighed the demand, resulting in a price of less than one cent per medical record when bought in bulk. Healthcare needs to step up its cybersecurity game unless it wants to continue to be a cyber goldmine.

Perhaps the most compelling reason for a hospital, which is a business, to improve its cybersecurity is to avoid violating HIPAA (the Health Insurance Portability and Accountability Act of 1996). As more and more cyber criminals target healthcare systems to make money, it is becoming more and more apparent that most hospitals and healthcare systems are not up to par with HIPAA regulations. Breached hospitals are paying upwards of $5.5 million in settlements. Hospitals should start prioritizing investment in their cybersecurity, so they can avoid lawsuits and protect their patients’ private information. An ounce of prevention is worth a pound of cure.

Healthcare Hacks

Anthem — $115 million

On February 05, 2015, Anthem issued a press release regarding a cyber attack against it, describing the breach as a very sophisticated attack to gain unauthorized access to one of its parent company’s IT systems. The hackers obtained personal information relating to consumers and Anthem employees who are currently covered, or who have received coverage in the past. The information accessed includes names, birthdays, social security numbers, street addresses, email addresses and employment information including income data. Anthem says no credit card information was compromised. So far this is the largest cyberattack in the world directed specifically at healthcare.

The hackers stole around 80 million detailed medical records, also known as “fullz” on the darkweb because they contain enough information to create a new line of credit. These fullz are more valuable than credit card information because they can be used in any sort of fraudulent criminal activity.

In 2017, two years after the attack, Anthem has announced that it will be paying $115 million in settlements, the largest settlement ever paid for a data breach.

MyQuest

In November 2016, a cyber attack hit Quest Diagnostics, a New Jersey based clinical laboratory services company. Hackers gained access through the company’s mobile app, MyQuest by Care360. Quest Diagnostics operates forensic toxicology laboratories across the United States that perform workplace drug testing. The company announced its internet application was breached by an unauthorized third party and 34,000 patients were affected by the attack. However, officials stated Social Security numbers, credit card information, insurance cards and financial information weren’t included in the stolen data. This incident highlights the necessity for healthcare systems to not only protect their backends, but also secure their mobile apps. As the Internet of Things continues to grow, we must be careful to secure all entry points to a network, and any device or software that communicates sensitive information.

WannaCry — Ransomware!

On May 12th, 2017 the world witnessed the largest global ransomware attack in history. The ransomware infected 300,000 computers in 150 countries, including Britain, Ukraine, Russia, India and Taiwan. Many organizations were severely hindered, including FedEx and Britain’s National Health Service. Hospitals across Britain were forced to turn away surgery patients and cancel appointments after the cyber attacks crippled their systems. This ransomware went beyond extorting money; it obstructed doctors from saving lives. The WannaCry ransomware was spread using EternalBlue, a leaked exploit created by the NSA, which exploits a vulnerability in Microsoft’s implementation of the Server Message Block (SMB) protocol. The ironic part is that Microsoft created an update that fixed this issue a month beforehand — much of this destruction could have been prevented if people would just update Windows.

Our Approach — Peer-review and ideas please!

At the outset of the summer, Appthority sent us examples of their security analysis reports that they generate for mobile apps. These reports check apps for basic security vulnerabilities and risky behaviors, and then they generate a score that represents the security level of these apps.

Initially, we wrote a report methodically examining Appthority’s security analysis, and we studied the history of healthcare cybersecurity to identify what security vulnerabilities should be screened for when performing analysis of healthcare apps.

We then generated a report analyzing instances of healthcare cybersecurity breaches and we are generating a template for healthcare app security analysis incorporating vulnerability areas unique to healthcare information. Do you have more ideas on what app characteristics we can check for?

Moving forward, we will be implementing the code necessary to test some vulnerabilities identified in our analysis template and devising techniques to judge the operational characteristics for deploying them.

Right now, we are thinking of the following areas and would love your input and feedback:

  1. What should an easy-to-read, healthcare-focused software vulnerability report for mobile applications look like — SSL usage, minimal app permissioning, HIPAA compliance... what else?
  2. What operational characteristics should we test for when running these reports on 100s of applications on a regular basis? For example, the number of hours needed to do the first set of testing of the applications, and then how frequently we should check the applications for vulnerabilities.
  3. We are thinking of addressing a privacy-preserving data layer, e.g., why should a healthcare application share its exact location when an approximate user location is sufficient? As a stretch goal we want to implement helper functions to enable that.
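One possible shape for the location helper mentioned in item 3, as an added example that is not HealthSec or Appthority code: it snaps a position to the centre of a fixed grid cell before the app shares it. Snapping is deterministic, so repeated reports from the same place are identical and cannot be averaged back to the exact position the way randomly jittered coordinates can. The cell size, function names and sample coordinates are assumptions.

```python
import math

KM_PER_DEGREE_LAT = 111.32  # approximate length of one degree of latitude


def coarsen_location(lat, lon, cell_km=5.0):
    """Return the centre of the grid cell (about cell_km on a side) containing the point."""
    if not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):
        raise ValueError("latitude/longitude out of range")
    if cell_km <= 0:
        raise ValueError("cell_km must be positive")

    lat_step = cell_km / KM_PER_DEGREE_LAT
    cell_lat = (math.floor(lat / lat_step) + 0.5) * lat_step
    cell_lat = max(-90.0, min(90.0, cell_lat))

    # A degree of longitude shrinks by cos(latitude). Using the cell's centre
    # latitude keeps the step identical for every point in the same row of cells.
    cos_lat = max(math.cos(math.radians(cell_lat)), 0.01)  # stay finite near the poles
    lon_step = cell_km / (KM_PER_DEGREE_LAT * cos_lat)
    cell_lon = (math.floor(lon / lon_step) + 0.5) * lon_step
    cell_lon = max(-180.0, min(180.0, cell_lon))

    # Five decimals is about one metre; more digits would only add false precision.
    return round(cell_lat, 5), round(cell_lon, 5)


def max_error_km(cell_km=5.0):
    """Worst-case distance between a true position and the reported cell centre."""
    return cell_km * math.sqrt(2) / 2


if __name__ == "__main__":
    exact = (37.3136, -121.9280)  # constructed sample coordinates
    print("exact   :", exact)
    print("shared  :", coarsen_location(*exact))
    print("max err : %.2f km" % max_error_km())
```

The app would call `coarsen_location` at the point where location leaves the device, and choose `cell_km` per feature, for example a larger cell for "clinics near me" than for navigation.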

Our Secure Future Can Be Built on Blockchains — Introducing Pensieve!

Securing Data with BlockChain (Source: http://www.ethosvo.org)

Editor’s Note: This article describes the project “Pensieve: Decentralized Ethereum Application for Privacy & Data Security” being developed by Nick Handy, Brandon Rawlin, and Eric Tinoco for Lib13 Inc, as part of the Cyber Defenders 2017 Program.

Background

For the past couple of weeks of summer, we’ve been exploring blockchain systems as a group of college interns in the Cyber Defenders program. Our project is a tool called Pensieve, a decentralized Ethereum application that can secure confidential data.

The Problem — Big Corporations Store User Data

Users have to depend on big corporations like Google & Facebook to store their personal data like passwords and interests associated with their identity. Over time this huge data store becomes onerous and a prime target for security breaches. Pensieve will protect user data by using the blockchain to identify users and store sensitive data.

Enter Ethereum

We are starting with a relatively new but well proven system — Ethereum. The Ethereum blockchain network can provide a way of decentralizing data on a peer to peer network. We will use Ethereum to interact with a Google Chrome extension that can store user submitted data so that users are the only ones who can access the data.

Why BlockChain for Security?

Blockchain — This may be a familiar term to some, and you may have heard it referred to as Bitcoin, Ethereum, or the countless other cryptocurrency systems popping up over the past couple years. But what is the blockchain and how can we use it for security?

The blockchain, in its simplest form, is just a transaction ledger that everyone on the system has a copy of. Every time a transaction is made, it gets added to a block that is then stored on the blockchain. The history of every transaction ever made is stored in this chain and is available for every person on the network to see. A block, once added to the blockchain, cannot be changed, which makes it impossible to undo any transaction.

Smart Contracts!

Ethereum is the blockchain system we have chosen to work with because it provides more functionality than a traditional cryptocurrency like Bitcoin. Ethereum uses the idea of smart contracts to allow the building of decentralized applications within the network.

A smart contract is a computer program that is submitted to the blockchain as a transaction, stored there, and accessed through transactions. Every peer on the network has the contract and is able to see how it functions. As with other blockchains, these contracts cannot be changed once submitted to the network. Smart contracts run automatically based on the conditions set up initially by the developer. Each interaction within Ethereum involves communication of the contracts.

Smart Contracts on a BlockChain

By having smart contracts, Ethereum allows decentralized apps on its system. A decentralized application is not run by any particular person and gives the users more control over how they interact with an application. A centralized application, such as a social network, holds all of the user’s data and has the power to do with it what it likes. On the other hand, a decentralized application can only use user information in predefined ways that are public to the network.

Our Solution to Decentralize Private Data

Normally user data is stored in a central location such as a data center. The user has access to the data, but so does the company holding that data. This creates a problem where the company, as the keeper of the data, could use that data however it sees fit. It also leaves the data vulnerable if the company is hacked. We will use Ethereum to interact with a Google Chrome extension that can store user-submitted data so that the users are the only ones who can access it.

Our project will use these ideas to develop a browser extension that interacts with the Ethereum blockchain to secure sensitive data. An extension is a built-in tool for browsers such as Google Chrome and Firefox that can provide special interactions with web applications. This extension will be our connection from user to blockchain.

By having the data stored with the blockchain we are decentralizing the information. No single company or person will have access to the data stored on the network. Instead, data on the blockchain can only be accessed from the user’s address that originally stored the data.

To access this data through the browser we must communicate between the blockchain and the extension. Ethereum has its own native programming language called Solidity. Solidity is a contract-oriented language that is designed to allow developers to create decentralized applications (DApps). With the use of the Chrome extension and Solidity, we will be able to program a way to save the consumer’s sensitive data, such as passwords, .txt files, and much more.
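Because, as described above, every peer holds a copy of the ledger and can see each transaction, one way to keep a stored password readable only by its owner is to encrypt it in the extension before it is submitted. The code below is an added example, not Pensieve's code; it assumes a passphrase-derived key (scrypt) and AES-256-GCM from Node's built-in crypto module, and the function names, record layout and sample values are hypothetical.

```javascript
const nodeCrypto = require('crypto');

const SALT_LEN = 16, IV_LEN = 12, TAG_LEN = 16;
const HEADER_LEN = SALT_LEN + IV_LEN + TAG_LEN;

// Derive a 256-bit key from the passphrase; the random salt travels with the record.
function deriveKey(passphrase, salt) {
  return nodeCrypto.scryptSync(passphrase, salt, 32);
}

// Build the hex payload the extension would submit: salt | iv | tag | ciphertext.
// The owner address is authenticated as associated data, so a record copied
// under another address fails to open.
function sealRecord(passphrase, plaintext, ownerAddress) {
  const salt = nodeCrypto.randomBytes(SALT_LEN);
  const iv = nodeCrypto.randomBytes(IV_LEN);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  cipher.setAAD(Buffer.from(ownerAddress.toLowerCase(), 'utf8'));
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([salt, iv, cipher.getAuthTag(), body]).toString('hex');
}

// Reverse sealRecord; throws on a wrong passphrase, wrong address or altered byte.
function openRecord(passphrase, payloadHex, ownerAddress) {
  const raw = Buffer.from(payloadHex, 'hex');
  if (raw.length < HEADER_LEN) throw new Error('payload too short');
  const salt = raw.subarray(0, SALT_LEN);
  const iv = raw.subarray(SALT_LEN, SALT_LEN + IV_LEN);
  const tag = raw.subarray(SALT_LEN + IV_LEN, HEADER_LEN);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  decipher.setAAD(Buffer.from(ownerAddress.toLowerCase(), 'utf8'));
  decipher.setAuthTag(tag);
  const body = Buffer.concat([decipher.update(raw.subarray(HEADER_LEN)), decipher.final()]);
  return body.toString('utf8');
}

// True when fn throws, i.e. the record was rejected.
function isRejected(fn) {
  try { fn(); return false; } catch (err) { return true; }
}

// Constructed sample values: not a real account, passphrase or credential.
const OWNER = '0x' + '11'.repeat(20);
const PASSPHRASE = 'correct horse battery staple';
const SECRET = 'site=example.test;password=hunter2';
const sealed = sealRecord(PASSPHRASE, SECRET, OWNER);
console.log('payload visible to every peer:', sealed);
console.log('wrong passphrase rejected:', isRejected(() => openRecord('guess', sealed, OWNER)));
```

In a browser extension the same AES-GCM construction is available through the Web Crypto API; scrypt is not part of Web Crypto, so a key-derivation function it does offer, such as PBKDF2, would be used there.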

Give us ideas?

In the future, we aim to allow users to store more than just username and password information. We are still brainstorming ideas for other data to store on the blockchain and would love your suggestions — dear reader. Some preliminary ideas include storing someone’s will and testament, medical information, or other sensitive data on the blockchain.

Moving forward, we also aim to provide a service that would do more than simply secure user information. We also want to devise a system to inform users of potential security breaches. For example, if some major retailer was hacked and millions of customers’ information was leaked, we would notify our user of the breach and provide steps to ensure that their personal information remains secure.

With the help of the Ethereum blockchain and the creation of a decentralized app that will communicate with the blockchain to store sensitive data, we will be able to create a new form of protection and messaging for sensitive data.

Peer Review Our Approach

What do you think of our approach? Do you have any pointers to simplify our implementation of a Chrome plugin (JavaScript-based) that stores sensitive information from the browser in an Ethereum DApp (Solidity-based)? We plan to have an active GitHub repository at https://github.com/cyberdefenders/Pensieve.

Cyber Defenders 2017 Program — An Introduction

The Cyber Defenders Program 2017

The Cyber Defenders student program is an 8- to 10-week paid summer internship, and in 2017 it is expanding to the South Bay through a partnership with San Jose Evergreen Community College District’s Silicon Valley Engineering Technology Pathways grant, which includes nine community college partners.

The Cyber Defenders program offers a compelling introduction to the field of Cyber Security and prepares students with practical skills to be workforce-ready, providing a viable pipeline for your organization.

As a cohort group, during the internship program students receive practical experience in computer systems, network operations, computer security, information protection and cyber policy. The program consists of projects, classes, seminars, presentations, meetings, a poster session, a cyber policy debate and a capture the flag team challenge.

Towards personal sustainability

I’m a burner and nowhere close to carbon-neutral. I also come from the Jain faith, which believes in extreme sustainability (Samavasarana). The thought behind this article is to write about personal sustainability projects that I can do to take tiny steps towards a better tomorrow. I welcome you, my reader, to contribute and participate.

First of all, the word sustainable is unsustainable; here is a parody from XKCD.

XKCD Parody

So what are the projects I would do?

  1. Easy-to-use sustainable power at Burning Man: a lot has been written by b-org about this, as well as a few dated articles on the topic. The goal of this project would be to update and create a template of energy surplus systems to be deployed on the playa out of the box.
  2. A compact and easy way to carry spices for a healthy meal: something midway between roll-up spices and easy-to-carry travel jars.

Spice Jars

  3. What else do you think is interesting?

Protecting $Yourself Against A Bear Trench

There are a number of strategies one can use to protect oneself against an upcoming bear run on the stock market. Here are a few picks; let me know your thoughts in the comments. Of course, this analysis applies to the stock market as it stands in April 2017 and the upcoming three months.

  1. Keep your SToCKs but sell options against them.
    Selling calls on your stocks will create a modest buffer against losses; of course, this strategy falls apart if the market takes a 37% dip like in 2008.
  2. Buy a bear market fund
    A bear market fund bets against the market. A good example of a bear market fund is PSSDX.
  3. Buy a short long fund
    A short long fund is able to transact on short-term positions. A good take on this is SWHEX.
  4. Buy a treasury or municipal bond fund
    VUSTX gained 20% when the S&P dipped 37% in 2008.
  5. Invest in Government Pipeline fixed income options .. really?

Reactjs Nitbits — Zero Configuration TestDrive

The goal of this post is to document my experience of starting to code a React application without much experience. The simple app will have a responsive interface to enable me to log how much water I drink to a Google spreadsheet. I would like to host the application either on GitHub or S3.

Minimum Viable React Unit

Step 1: Start with the Facebook getting-started one-page app template

> sudo npm install -g create-react-app

Step 2: Create the water-logger app

> create-react-app water-app
> cd water-app
> npm start

Step 3: Deploy to GitHub Pages

The React documentation has a few steps to deploy it to GitHub Pages by specifying the homepage field. Once the repository is created and the homepage defined (so much for zero configuration), you can deploy the application.

> npm run deploy

Voila!

The one-page all up and running!

Next Steps

Now we need to add the buttons and support the capability of storing information in Google Sheets to complete our minimum-viable-product.