Have you been hacked? I (potentially) have

The other day the New York Times, on their online site, had a little interactive quiz – have you been hacked? Based on the most recent well-known hacks, they asked some simple questions, such as “have you purchased anything from any of these stores (sic), or do have a job with the US government, or have you worked for the US government in the past two years?”

I was able to say no to the US government question, but I failed the rest of the test: I have a Twitter account; I’ve shopped at Home Depot and Target in the past two years; and probably most importantly, my health insurance is with Blue Cross Blue Shield of Georgia, which is owned by . . . Anthem.

So what’s the tally?

  • My address, twice
  • My birthday, once (presumably from the Anthem hack)
  • My credit or debit cards, twice
  • My e-mail (potentially up to three different e-mail accounts), four times
  • My employment history, once.  This one is somewhat murky, as Anthem would have access to how long I’ve been a professor at Armstrong State, but I don’t think a hacker could get the details of my employment (performance reviews, etc) from Anthem
  • My health history, obviously from Anthem, twice
  • My password (encryption), once.  Since I don’t use the same password for each site, this one may not be that scary.
  • And, of course, my Social Security Number, presumably from the Anthem breach, once

So, what does someone do about all of these intrusions? There are several suggestions, the first of which, of course, is to check your credit history. Check your bank and credit card statements regularly. Change passwords, which I’m probably a bit overdue on for some sites. Use a password manager, which I do. Secure your wireless access point (router). Use and update your anti-virus software. Unfortunately, beyond these suggestions, there isn’t much an individual can do. Just understand that no one is going to protect you – you have to protect yourself.

BYOD – becoming a thing of the past?

Two years ago, as a summer research project, I investigated BYOD policies: what are the elements of a sound BYOD policy; who has them, who doesn’t; and whether they are effective. It was a lengthy process, and I presented my findings at a colloquium of my college in October, 2013. Not only that, that Fall Semester, I had my Cyber Security I (Fundamentals of Information Security) class craft an effective BYOD policy as part of their semester group project.

Two years ago, it seemed that BYOD was going to be the future of mobile devices in organizations, and that mobile device management (MDM) policies, especially automated MDM policies from third-party vendors, were going to be controlling BYOD in the organization. Still, as several students pointed out in class, if companies would just “hand out” mobile devices instead of allowing BYOD, the need for managing personal devices in the workplace would slowly disappear.

According to this article from Computerworld this week, it’s starting to come to that.  In the article, Jack Gold, an analyst at J. Gold Associates, stated that:

“There certainly is a curtailment of BYOD from where everyone thought it would be a couple of years back,” Gold said. “Companies are much more cautious now, knowing that the benefits of BYOD often don’t outweigh the risks.”

For many companies, the presumed cost-savings in letting employees use their own devices just hasn’t outweighed the security and management headaches of BYOD.

Gold cited the rise of the use of cloud-based file-sharing services such as leading to the slow demise of BYOD.  If employees can save their personal docs and photos in the cloud, they don’t need to worry about losing them if the worker leaves the company and has to return the device. As a result, employees are more willing to accept the use of employer-provided devices, knowing that their personal data is elsewhere.

While BYOD has not disappeared from the workplace, it appears that, for many of the security reasons I identified two years ago, it’s in decline.  And for security-conscious organizations who want to segregate their employees’ personal lives from their work lives, that’s a good thing.

One thing you should do if you’re into the Internet of Things (IoT)

A July 7 article in Computerworld detailed The Internet of Things: Your Worst Nightmare.

Author Preston Gralla described the nightmare that would ensue when all of our home media devices, appliances, and even our electric (well, battery powered) toothbrushes are connected to a wireless access point (WAP) router.  Now I haven’t had the problem of having a WAP burn out (ever), but nonetheless, his article discusses what happens when each device has to be authenticated to the new wireless network.  After reading his article, I’m not sure that I want to be involved with IoT, but more and more of our electronics are.  It’s just a matter of time before most of our household devices are connected to the Internet.

So what’s the one thing you should do if your devices are part of IoT? You need to make sure that your WAP is secured with a nearly unbreakable password or passphrase.  Way too many users bring wireless routers into their home, connect their devices to it, and never enable the WPA2 security.  And even if they do, they usually just keep the default password (here I’m presuming it’s a simple password) or create their own simple password (“password”, “12345678”, etc.).  Full disclosure here – my ISP-provided WAP came with a default password, and I kept it.  But this password has SIXTEEN characters, randomly generated, and includes alphas and numbers.  So given that I determined it was unbreakable (well, www.thepasswordmeter.com did that for me), I kept it.  But I certainly would have changed it if it had been something simple, and if yours is, you should change it, too.

You just never know when your refrigerator is going to get hacked and start melting your ice cream!