One thing you should do if you’re into the Internet of Things (IoT)

A July 7 article in Computerworld detailed The Internet of Things: Your Worst Nightmare.

Author Preston Gralla described the nightmare that would ensue when all of our home media devices, appliances, and even our electric (well, battery powered) toothbrushes are connected to a wireless access point (WAP) router.  Now I haven’t had the problem of having a WAP burn out (ever), but nonetheless, his article discusses what happens when each device has to be authenticated to the new wireless network.  After reading his article, I’m not sure that I want to be involved with IoT, but more and more of our electronics are.  It’s just a matter of time before most of our household devices are connected to the Internet.

So what’s the one thing you should do if your devices are part of IoT? You need to make sure that your WAP is secured with a nearly unbreakable password or passphrase.  Way too many users bring wireless routers into their home, connect their devices to it, and never enable the WPA2 security.  And even if they do, they usually just keep the default password (here I’m presuming it’s a simple password) or create their own simple password (“password”, “12345678”, etc.).  Full disclosure here – my ISP-provided WAP came with a default password, and I kept it.  But this password has SIXTEEN characters, randomly generated, and includes alphas and numbers.  So given that I determined it was unbreakable (well, www.thepasswordmeter.com did that for me), I kept it.  But I certainly would have changed it if it had been something simple, and if yours is, you should change it, too.

You just never know when your refrigerator is going to get hacked and start melting your ice cream!

Firewalls and the difficulty of teaching Information Technology

The hardest thing about teaching IT (and Cyber Security) is keeping up with the speed at which technology changes. When long-held beliefs are only held for 5 to 10 years (or less), it’s hard to determine what should be taught. This was brought to my attention last week in an article from Dark Reading, Why the firewall is becoming irrelevant.  The author, Asaf Cidon, makes two good points regarding the possible irrelevance of firewalls:

  1. Data resides on company servers and unsecured employee devices. The BYOD revolution, and the use of cloud-based software such as Dropbox to store data, has made it easy for employees to do work from the office by syncing company data to their mobile devices.  The problem, of course, is that a firewall can’t protect data once it’s left the secured company server.
  2. Consequently, as he points out, that data ends up everywhere – with employees, suppliers, partners, clients, etc., and it’s likely that none of them are securing your data.  How can a firewall protect that data?

From an academic point of view, this is rather disturbing.  Our second Cyber Security course at Armstrong is entitled Network Security: Firewalls and VPNs.  Is it reasonable to be teaching our students firewall concepts and practices if they’re “irrelevant?”

I would like to think that’s not the case – companies still place their data on corporate servers that must be protected.  And, in a “point-counterpoint” kind of article, Firewalls sustain foundation of sound security,  author Jody Brazil makes the point that firewalls are still a valuable tool in securing the enterprise.  As he states:

While paradigms including mobility, virtualization and the cloud have created a new set of challenges (along with opportunities) to invoke additional security controls, the resulting distribution and hyper-segmentation of networks has in fact only made effective firewall management more important than ever before.

His defense of firewalls stands on three points:

  1. Firewall dependencies are expanding, not contracting.  95% of 700+ respondents to the 2014 FireMon State of the Firewall Report indicated that the use of effective firewalls is more important to protecting their security management.
  2. Firewalls provide an effective and important means of securing virtualized network environments.
  3. “Firewalls are one of the few security technologies with a positive whitelist security model – allowing only necessary network traffic while denying the rest – the best defense against evolving threats.”

I read Dark Reading daily, and when I read the first article, my initial thought was “oh no, we’ve devised and implemented a curriculum that’s already obsolete.” Then I read the second, and felt somewhat vindicated. We still need to teach our students the basic components of an effective, layered defense of systems and networks. What we have to do going forward is recognize that IT is always changing, and that while we continue to teach the basics, we embrace the future, and ensure that our students understand how change is affecting the way we defend our information systems.

Appalling Violations of Basic Principles

Cyber / Information Security can’t be that hard, can it? The guidelines are available, the principles are available, the regulations exist, and if you’re in the government, the NIST docs and FISMA exist, too. I teach my students in our Cyber Security I (Fundamentals of Information Security) course that if you need to secure your business, there’s no better place to start than to use the NIST 800-series docs as a guideline. And yet, as described in the New York Times article on the Chinese hack into the Office of Personnel Management, a lot of the basic principles were violated.  Some of these were:

  • Failure to inventory computers, especially laptops containing sensitive information (or even those that didn’t contain that kind of information)
  • Failure to require secure passwords, and to change those passwords regularly, according to a schedule
  • Failure to install the necessary security & update patches
  • No firewall set up, and no Intrusion Detection and Prevention Systems (IDPSs) set up
  • Failure to encrypt data
  • Failure to monitor the network (again, IDPSs would be one component of doing this)

All of these precautions are not only in the textbook we use for our first Cyber Security course, they’re in the NIST docs that the government requires its personnel to use as guidelines for managing information security.  It’s just astounding that the very principles set forth by the federal government for their own agencies to use, very valid principles, were not followed by a governmental agency.

Perhaps the students we graduate from our program at Armstrong will go into government service and help straighten them out.

It’s impossible to stop the hackers, or is it?

Knowing that I’m a professor of IT who teaches Cyber Security, one of the questions I am repeatedly asked (usually, it’s more of a statement than a question) is: “it’s just impossible to stop ‘them’ (substitute criminals, China, N Korea, etc. for “them”) from hacking.” Those who ask this (or perhaps, state it to me) just throw up their arms as if it’s a foregone conclusion.  But I posit that it’s NOT.  To quote the cartoon character Pogo (paraphrased from US Navy Commodore Oliver Hazard Perry in the War of 1812), “we have met the enemy, and he is us.”  That’s right, you just cannot remove people from the system.  And consequently, you just cannot remove the lunk-headed, misguided, or just plain ignorant (accidental) things that people do from a computer system.  When people click on links in spear-phishing e-mails, they’re compromising their entire network, because that link may drop malware onto their networked desktop.

In the opinion section of today’s CNN, in the article “Why the Cyberattacks Keep Coming,” Associate Professor Arun Vishwanath of the State University of New York at Buffalo makes that very claim – that we are the insiders who unintentionally, and accidentally, hand over the keys of the network to the bad guys.  He gives two good reasons why insiders (employees) accidentally give over the keys to the kingdom to hackers.  The second is something that I teach my students here at ASU over and over again, and I’ve made mention of this in several presentations and TV interviews:

The second problem stems from people’s cyber habits, where many online actions such as checking emails and texting have become so routine that people are often unaware of when they perform these behaviors. As a result, many people quickly open emails or mindlessly click on links and attachments with nary a thought of its consequences. Smartphones, which the majority of us now use to connect to the Internet, have further exacerbated the problem by making it possible for people to check email frequently while simultaneously being engaged in a number of other activities. Smartphone apps and screen sizes also restrict how much information is presented, which can make it difficult to check the veracity of an email even if one is so inclined.

I often teach that users need to “mouse over”  a link in an e-mail to see where it’s actually going before clicking on it.  Once you see that the e-mail came from some source other than where you thought it was coming from, you’ll know enough not to click on that link, and to delete the e-mail. He makes that point – that we need to train users how to spot a fraudulent e-mail.  I use the Sonicwall e-mail test in my classes (and presentations) to show people how to spot one.

We’ve all just become so used to technology that we expect anti-virus software, firewalls, etc., to do the job for us, when, in fact, we need to become more tech-savvy and do the job for ourselves.  Since so many attacks are caused by hackers looking for information that we have provided them, we all need to be trained to reject their advances and ensure that we don’t make their job easier by falling prey to their lures.

I’ll have a little hack with that latte

It’s become so easy to use our phones to pay for goods, especially on the go.  While many of us use our debit/credit cards, loaded into an app, to pay for an item from our phone, the proliferation of third-party apps that allow us to do this has made it even easier. Unfortunately, many of us don’t realize that there’s a double-edged sword to using those third-party apps . . . they can be hacked.

The latest victim in the never-ending fight to keep our data secure is the Starbucks app, which allows us to pay from our smartphone, whether it’s an Android or iPhone device.  As Bob Sullivan’s article (he has his own “Red Tape Chronicles” site) on NBCNews.com describes, hackers have found a way into the Starbucks app through the auto-reload feature of the app (and its associated gift card) to drain the Starbucks account, automatically reload the account against the registered gift card, and then drain that as well.

But what’s more insidious about this hack is that the auto-reload feature of the app, associated with the Starbucks card, is auto-reloaded from a linked debit or credit card.  So the perpetrators are stealing from the debit or credit card you used to auto-reload your Starbucks card (app). It’s so convenient to auto-reload from that stored card, you just don’t think about it.

Starbucks likes the app because it reduces credit-debit card interchange transaction fees and it improves customer loyalty.  And admittedly, although this hack has occurred, it’s not widespread.  In addition, Starbucks states that

“We take the obligation to protect customers’ information seriously and have safeguards in place to constantly monitor for fraudulent activity, working closely with financial institutions like all major retailers,” said spokeswoman Maggie Jantzen. “Our customers’ security is incredibly important to us and we take all these concerns seriously. … Customers are not responsible for charges or transfers they didn’t make. If a customer registers their Starbucks Card, their account balance is protected by Starbucks.”

Still, how can you protect yourself against this hack?  There are several things you can do:

  • Use good old cash to buy your coffee.
  • Use your credit card (although, as pointed out above, Starbucks doesn’t prefer that you use this method)
  • Use your Starbucks card/app, but limit the amount of money you have in it at any given time, AND, most importantly, do not implement the auto-reload feature AND do not tie it to any given credit or debit card.  In other words, DON’T SAVE YOUR CC/DC IN THE STARBUCKS APP.  You want to reload some $$ into it?  Fine, do it with a small amount of money (maybe $5 or $10) and DON’T save that CC/DC.  It may be annoying, but just manually enter it each time.
  • Or, better yet, brew it at home, and take it with you, or brew it in your office (if it’s allowed)

So does life imitate art, or is it vice-versa?

A few weeks ago, I guess at the beginning of March, CBS debuted its much-hyped fourth venture into the Crime Scene Investigator world – CSI Cyber.  It didn’t hurt that the lead FBI agent, Patricia Arquette, had just won the Academy Award for Best Supporting Actress, a point not lost on CBS, who made no bones about that in their advertisements of the show once she had won it.  Considering that I enjoyed her performance in NBC’s Medium, and that I teach Cyber Security, I figured I’d give it a try.

Now I’m no media critic, but to me, the characters were not only stock characters from central casting, they just didn’t ring true.  The technical constructs also did not ring true – I don’t know of any code editor that will display malicious code in red.  But the one thing that seemed incomprehensible, even in this day of the Internet of Things (IoT), was that the central premise of the premiere episode was that someone was hacking into bedroom baby-cams in order to use them to kidnap babies.  The “unsubs” as they are known, were hacking in, making it seem like the children were still in their cribs, breaking into homes, and taking the children.  The whole thing sounded preposterous, until . . . wireless baby cam hacked – from Computerworld

It didn’t happen just once, an unnamed mom told KTTC. “We were sleeping in bed, and basically heard some music coming from the nursery, but then when we went into the room the music turned off.” At one point, the family faced the camera “toward the wall, and then a few hours later we accessed the Foscam, and it wasn’t facing the wall it was facing the closet.”

“We were able to track down the IP address through the log files within the Foscam software and found out that it was coming from Amsterdam,” the mom said. “That IP address had a web link attached to it.” After following the link, she found, “at least fifteen different countries listed and it’s not just nurseries — it’s people’s living rooms, their bedrooms, their kitchens. Every place that people think is sacred and private in their home is being accessed.”

After searching through “thousands and thousands” of pictures coming from IP cameras, the family saw their nursery. “You can literally just sort by whatever country suits your fancy, and whatever room suits your fancy,” the mom said. “It’s pretty sick.”

So now we have to worry about baby-cams REALLY being taken control of by wireless intruders.  What’s the recommendation to mitigate this bizarre threat?  Like any other device, it has firmware.  And that firmware needs to be updated, because just like any other firmware, security patches are included in it.  So if you have a Foscam baby-cam, you need to make sure that its firmware is current.

But that’s not all. Even if your WiFi router/access point is password-protected (and hopefully, with something more secure than the default password or just “password” or “123456”), the Foscam baby-cam can be password-protected, too.  And it needs to be.  And it needs to be with some password that’s more secure, again, than just a default, or “password”.  Now, it’s true that the current version of the Foscam baby-cam forces the user to change the default password when setting it up, but if you’ve got an older one, older than one year ago, you need to change that password (or perhaps, enable one if it doesn’t even have one), NOW.

Beware of Fake Microsoft Support Techs

According to an article in today’s Computerworld, there’s been a rash of bogus Microsoft Support Techs trying to sell pirated Malwarebytes software to the unsuspecting. What’s made it worse is that while most computer users have long expected that a bogus support tech would have an Indian accent, as most of these companies are in India, recent fake callers have “American” accents, making it seem like they do work for Microsoft.

From the article:

In a new trend, scams have gone home-grown, said Malwarebytes on Monday, with twists that include bogus warnings driven by malicious websites that urge users to call a toll-free number.

“This is the first instance [of a Windows support scam in the U.S.] on this scale that I’ve found,” said Jerome Segura, a senior security researcher with San Jose, Calif.-based Malwarebytes. “Most scammers are in India, but we wanted to expose this because they’re harming U.S. customers, who will feel more comfortable with a [native] English speaker.”

I recently was called, not once, but twice, from a person with a 206 area code, which is Seattle.  This, of course, would make one think that the call was indeed coming from Microsoft Tech support.  However, both times this caller had an Indian accent.  I flat out told him he was a scammer, and then hung up.  The Computerworld article detailed several different ways that the scammers scare their prey into purchasing their “goods”.  One is the good old “ransomware” technique, using scary graphics. 

Rather than cold-call victims — most India-based scammers blindly dial telephone numbers, figuring that most people who answer will have a Windows PC — E-Racer relied on fake alerts. The warnings, which were embedded in fraudulent websites, those sites often tied to URLs that might appear in search results for Windows errors, scream “Warning! Your computer may be at risk. For emergency Tech Support call immediately.” A toll-free number is prominently displayed.

As I’ve told my students (and WSAV, when I was interviewed by them), the best way to get out of this situation is to “X-out” of the window, as the scammer cannot control Microsoft’s window controls.  Then turn off your computer.

The other way that they get the gullible computer user into becoming a victim is to direct the user to look at a Windows log on their computer that contains harmless entries.  To a user who isn’t tech-savvy, these could look serious, but they’re not.

As expected, the article states that the fraudsters are often targeting the elderly, because they’re just not as tech-savvy as younger users (or users younger than, say, 50), and recent FBI IC3 stats for 2013 bear this out. 

Users have to understand that their Microsoft Event Viewer is not tied to MS without their permission, and the default setting is off.  But even more important, users have to remember that if they have not requested such a service, if they’re not expecting such a call, then how would the caller know that there is something wrong with their computer?

So if you get a phone call like the one described in the article, before you just hang up, tell the caller that you’re going to report their number to the Federal Trade Commission.  If you get a window with the message, don’t click in it, just “X-out” and perhaps restart your computer.  Don’t fall victim to this kind of scam!

Here’s the article from Computerworld

Windows 8: a failure, or just an annoyance?

Preston Gralla, writing in today’s Computerworld, detailed how it’s possible that MS has admitted that Windows 8 is its worst OS ever.  He described how it appears that Microsoft is going to ditch the tile interface of Windows 8 (and Win 8.1) for the next generation of Windows, due in 2015, which will adapt itself to whatever kind of machine you are using, a tablet-like interface for tablets, and a desktop-like interface for traditional PCs (what I predominantly use in my Win 8.1 Toshiba laptop).  In the new Windows OS, code-named Threshold, users won’t have to see the Start screen (the tile interface) unless they want to.

He then goes on to compare Win 8 to some real dogs, such as Win ME and Win Vista, both of which I’ve had the pleasure (not) to use.  While Win 8 is annoying, especially in the way it handles photos in my photo library (displaying them as it sees fit), it’s more of just something I work around than something that’s bothersome.  It does work, although since it’s really designed for a touch screen, it’s somewhat clunky.  I just generally avoid using the Start screen and its tiles.  I don’t use the force-fed search (Bing), the force-fed travel, or e-mail (I don’t have an Outlook account, and don’t want one), the force-fed weather, sports, news, and any of the other force-fed apps that MS has placed there.  I just go right to the familiar desktop, and use that, just as I always have.

Win ME and Vista were terrible.  ME didn’t work, I constantly received the “blue screen of death,” and back in November 2002, went through an entire weekend trying to recover from a memory dump (it’s a good thing I can read hex!).  But I still was on the phone with MS and with Gateway (it was really a Gateway issue – no wonder they went defunct) for probably a combined 4 to 6 hours, not including the re-install of the OS, that weekend.  Vista had even more problems – it constantly crapped out, and I eventually replaced it with Win 7.

But here’s the real problem with Win 8:

The consequences of Windows 8’s problems will haunt Microsoft for far longer than Vista did. Windows 7 largely fixed what was wrong with Vista, and as a result Microsoft suffered no serious long-term losses because of it. Not so with Windows 8. Windows 8 came out at a time when Microsoft needed to make a splash with tablets. But because its tablets were forced to run an operating system built for both tablets and traditional computers, Windows 8 has never been a great tablet operating system. As a result, Microsoft fell behind even further in mobile.

So as a company, going forward, MS has some real issues on its hands, issues it’ll be tough to overcome.  As a user, I’ll just keep going straight to the desktop, and except for managing my photos, just keep using the desktop interface as I am on my Win 7 box at work right now.

What’s your personality, according to Facebook

On the day when NBCNews’ Matt Lauer announced the debut of his Facebook page, 10 years into the existence of the site, it’s interesting that his own NBC News site had an article on software that determines your personality by your posts.

Since Facebook has become virtually ubiquitous among us, I guess it was only a matter of time that this would occur.  Of course, someone like Matt Lauer, who only joined Facebook in the last day or so, must not have any personality, LOL!  I ran the program against my own posts, and I feel that the personality traits it assigned to me are fairly accurate.  I can’t say that I post a lot to FB. I click on a lot of “Likes” to other people’s posts, and maybe I make three to four posts per week, whereas many people I know make three to four posts per hour.  So it was interesting to me that the software could take the relatively few (in relation to others) posts I do make and come up with a fairly accurate personality assessment.

Of course, since I teach Information Security, I was somewhat hesitant to try such a thing – what if their software was gathering confidential information about me?  But I figured that since it was on NBC’s site, it must have been vetted by them first, so it had to be OK.  And since I’m creating a module on social media for inclusion in CSCI 1150 this summer, it would be just one more thing to comment on in that curriculum.

So after all of that, even though I do think the analysis was fairly accurate, it really was just an amusing little exercise.  But it sure shows how integrated FB and other social media (Twitter, etc.) have become in our lives.

TrueCrypt shutdown and its implications

It was announced today on SearchSecurity.com that the encryption tool TrueCrypt had shut down.  Because it is open source software, the implications are far-reaching for multiple reasons:

  • While TrueCrypt developers won’t confirm or deny that their open source software had been hacked, TrueCrypt’s demise means that more users who want to employ open source software as a less-expensive means of providing encryption/security solutions may have to look to more expensive proprietary software.  This will make any user skeptical of using any open source software in the future.
  • The article hints that one of the issues with TrueCrypt, over time, has been that the authors of the software have remained anonymous.  This is indeed a concern – the user community is entitled to know who is writing the software in order to verify its authenticity and reliability.  If the authors won’t identify themselves, how reliable can their work be?
  • TrueCrypt purported itself to be secure, so much so that its use is promoted in Information Security textbooks, and as a professor who teaches IT and IS, I have taught it to my students.  Now I will have to switch over, almost certainly to the proprietary BitLocker, installed on Microsoft operating systems.  The instructions on how to migrate to BitLocker are here, on, of all places, TrueCrypt’s own site (what’s left of it).
  • Some hardware devices actually use TrueCrypt to provide encryption services.  I own a LaCie USB key that contains an encrypted drive; it’s encrypted by TrueCrypt.  I’ll keep using it, but now I’m suspicious.  In the meantime, manufacturers such as LaCie that use it are going to have to migrate to another encryption tool.
  • While I don’t use TrueCrypt to encrypt an entire system drive on my home PC, I do use it to encrypt a file container of secure personal documents and files, and so I’ll have to migrate those files to BitLocker, which probably won’t be that difficult.  TrueCrypt’s instructions seem easy to follow.

The biggest blow from TC’s announcement is to the open source community, TC’s community of users, and instructors like myself.  It will be interesting to see how textbooks and instructional material are updated in the future.