Category Archives: Cyber Security

The 2016 Election, Lessons Learned in Cybersecurity, 1

It was 40 years ago this past Sunday, June 11, that I received my BA in Computer Science.  A relatively new academic discipline, even in 1977, it was hard to imagine then that 39 years later computing, and its ubiquitousness, could have any effect on a national political campaign.  While politicians and investigators try to determine what cyber-meddling (and perhaps, cyberwarfare) was performed by Russia during the 2016 election campaign, there are several lessons to be learned by all individual users, the first related to access control.

Userids and passwords.  We all hate them, and yet we all can’t live without them.  They provide access to our most important personal secrets, whether those secrets are in our bank accounts, our credit card accounts, our Facebook posts, our online trove of photos, or, our e-mail accounts.  We should change them frequently, although there are many different theories on how frequently they should be changed.  However, we should be careful about changing them when just arbitrarily prompted to, which was the case for several staffers and senior advisers to the Hillary Clinton campaign.

As described in the New York Times article The Perfect Weapon: How Russian Cyberpower Invaded the U.S., these advisers, including senior adviser John Podesta, were presented with an e-mail, purportedly from Google, imploring them to change their password.  Naturally, those e-mails were not from Google, they were from Russian hackers, and once the user changed the password, it was harvested by those hackers, who now had access to all of the e-mails in the affected account, including e-mails from other Clinton campaign staffers who had not changed their gmail password.

So what’s the lesson here? Without getting into the politics of the situation, the fact is that, as I teach my students, there are several things the average user should do regarding changing their passwords.

  1. If presented with an e-mail as those campaign staffers received, ask yourself, “am I expecting such an e-mail?”   “Why would I be getting such an e-mail?”
  2. “Mouse over” the link to the sender (the sender’s e-mail address) and the link to the password change page.  It shouldn’t display a legitimate gmail administrative address, or the address of your organization’s e-mail administrator.  It’s not always easy to “mouse over” a link on a smartphone (depends on your phone), so the you have to take the attitude that the world is not going to come to an end if you don’t change it immediately – wait til you can get to a laptop or desktop computer to do this.
  3. And most importantly, don’t ever change the password from a link in an e-mail.  Sign into your e-mail account, click on the settings, and change it there.  As I stated in point 2 above, the sky isn’t going to fall if you don’t change your password immediately.

You aren’t running for President – but you DO have valuable private information that you don’t want compromised.  Don’t fall into the same trap that the HRC campaign staffers did – apply proper, simple Cyber Security methods and hygiene when changing e-mail passwords.  You’ll save yourself a lot of grief and perhaps even money.

 

 

Danger (still) lurks in the Internet of Things (IoT)

CES 2016 has come and gone, and even though I didn’t attend (it’s been 15 years since I have), all of the media, both “mainstream” and “tech”, has gushed over all of the new appliances and devices that are now in the category of what we would call the Internet of Things.  Items like home security,  home lighting, and refrigerators, to name a few.

There are many advantages to having connected appliances and devices, but, as I’ve written before (here, and here), there are threats as well.  Threats that can and will be exploited if unsuspecting users don’t secure them.  Last week (1/13/2016), Dark Reading interviewed the CEO of Trend Micro, Eva Chen, and she described some very real concerns, including two “layers” of security that they offer:

The first layer of offering we do is a security API that will provide [a way] to easily do a virtual patch, to prevent a remote attack, for example . . . the third layer is cloud: IoT cannot do anything without the cloud.  Most data is sent to the cloud and you will need to have proper protection and make sure the cloud is always available.

In both situations, users are vulnerable, mostly due to their own apathy.  Users often either don’t know how to patch their own machines (and in this case, devices) or have glanced over how to do it and just don’t bother, or if automatic patching is available, they don’t enable it.  When it comes to cloud computing, most users just assume that if their data is “up there”, the provider will take care of security.

If you really want your refrigerator to automatically create a list of items for you to purchase (e.g., you’re running low on milk) and send that list to your smartphone (via Evernote or some other app), you’re going to have to be responsible for your own security.  If available on your IoT device, enable automatic download of patches and updating of your system.  Don’t configure your IoT device with the default password that it comes with, change it to a secure password (and if you don’t know if yours is secure enough, test it in The Password Meter).  Read the users manual to find out how to enable your device’s security yourself.

You want to see, via wireless home security cameras enabled through the cloud, what’s going on in your house?  Fine.  Just practice the necessary security practices to really keep your home and its data secure.

New Year, Same Scams

The Tax Season is upon us, and once again the “IRS Scam” will be rearing its ugly head.  As I teach my students, as I’ve discussed in public lectures and presentations, this is one of the most insidious scams out there, and one that’s easily avoided.  Except that most people, especially seniors who were raised to trust and respect authority, continue to fall prey to it.  Face it, if you’re confronted with a phone caller who tells you that you might be served a warrant, your first instinct would be to be scared.  Your second might be to comply.  Except that you shouldn’t.

That’s because the IRS will NEVER initially call you regarding ANY issue.  The keyword here is initially.  If the IRS wants to contact you, they will initially send you a letter.  That’s right, via “snail mail,” i.e., the US Postal Service.  Once you have that letter, you might need to call THEM, and then you can establish a phone dialogue, but their initial contact with you will be via mail.  If you receive a phone call that you are not expecting from someone claiming to be from the IRS, just hang up (or, if you are being more adventurous, dare them to serve you with the warrant, and then hang up!).

It’s not just the IRS scam.  The Microsoft Tech Support scam is still alive and well, especially now that many have downloaded and installed Windows 10.   When you get a call from someone saying that they’re from “Microsoft Tech Support,” the first thing you must ask yourself is, “am I expecting this call?”  The second thing you must ask yourself is “how do they even know what operating system I’m running”?  But, in the end, you need to know that the REAL Microsoft Tech Support will never call you out of the blue. They will call in response to a request from you, but never without such a request.  If you get a call like this, you could play around with the caller a bit and ask him or her if they know what OS you’re running, what service pack or version you’re running (even if you don’t know what version you’re running), but it’s best just to hang up.  And never, never, never, give any identifying information (userids, passwords), let alone a credit card number.  Just hang up.

Have you been hacked? I (potentially) have

The other day the New York Times, in their online site, had a little interactive quiz – have you been hacked?  Based on the most recent well-known hacks, they asked some simple questions, such as “have you purchased anything from any of these stores (sic), or do have a job with the US government, or have you worked for the US government in the past two years?

I was able to say no to the US government question, but I failed the rest of the test: I have a Twitter account; I’ve shopped at Home Depot and Target in the past two years; and probably most importantly, my health insurance is with Blue Cross Blue Shield of Georgia, which is owned by . . . Anthem.

So what’s the tally?

  • My  address, twice
  • My birthday, once (presumably from the Anthem hack)
  • My credit or debit cards, twice
  • My e-mail (potentially up to three different e-mail accounts), four times
  • My employment history, once.  This one is somewhat murky, as Anthem would have access to how long I’ve been a professor at Armstrong State, but I don’t think a hacker could get the details of my employment (performance reviews, etc) from Anthem
  • My health history, obviously from Anthem, twice
  • My password (encryption), once.  Since I don’t use the same password for each site, this one may not be that scary.
  • And, of course, my Social Security Number, presumably from the Anthem breach, once

So, what does someone do about all of these intrusions? There are several suggestions, the first of which, of course, is to check your credit history.  Check your bank and credit card statements, regularly. Change passwords, which I’m probably a bit overdue on some sites. Use a password manager, which I do.  Secure your wireless access point (router).  Use and update your anti-virus software.  Unfortunately, beyond these suggestions, unfortunately, there isn’t much an individual can do.  Just understand that no one is going to protect you – you have to protect yourself.

BYOD – becoming a thing of the past?

Two years ago, as a summer research project, I investigated BYOD policies: what are the elements of a sound BYOD policy; who has them, who doesn’t; and whether they are effective.  It was a lengthy process, and I presented my findings at a colloquium of my college in October, 2013.  Not only that, that Fall Semester, I had my Cyber Security I (Fundamentals of Information Security) craft an effective BYOD policy as part of their semester group project.

Two years ago, it seemed that BYOD was going to be the future of mobile devices in organizations, and that mobile device management policies (MDM), especially automated MDM policies from 3rd party vendors, were going to be controlling BYOD in the organization. Still, as several students pointed out in class, if companies would just “hand out” mobile devices instead of allowing BYOD, the need for managing personal devices in the workplace would slowly disappear.

According to this article from Computerworld this week, it’s starting to come to that.  In the article, Jack Gold, an analyst at J. Gold Associates, stated that:

“There certainly is a curtailment of BYOD from where everyone thought it would be a couple of years back,” Gold said. “Companies are much more cautious now, knowing that the benefits of BYOD often don’t outweigh the risks.”

For many companies, the presumed cost-savings in letting employees use their own devices just hasn’t outweighed the security and management headaches of BYOD.

Gold cited the rise of the use of cloud-based file-sharing services such as leading to the slow demise of BYOD.  If employees can save their personal docs and photos in the cloud, they don’t need to worry about losing them if the worker leaves the company and has to return the device. As a result, employees are more willing to accept the use of employer-provided devices, knowing that their personal data is elsewhere.

While BYOD has not disappeared from the workplace, it appears that, for many of the security reasons I identified two years ago, it’s in decline.  And for security-conscious organizations who want to segregate their employees’ personal lives from their work lives, that’s a good thing.