Ali Baba and Cloud Security


By Maxfield Parrish – Arabian Nights, Public Domain, https://commons.wikimedia.org/w/index.php?curid=1471823

So, we are now in the cloud era, where our files are kept on "secure" servers around the world, and we can sleep at night knowing that all of our records sit in a place we have never seen, whose location we do not know, and whose security we have NO way to judge for ourselves.  Wow, this certainly makes me more relaxed; how about you?

This reminds me of the story of Ali Baba and the Forty Thieves.  Although reputedly part of the 1001 Arabian Nights, it was added by the collection's first European translator, Antoine Galland, in the early 1700s and does not appear in the older Arabic manuscripts, but nonetheless we will treat it as part of that very colorful legend for the purposes of this article.

The story goes something like this:  Ali Baba, a poor man, is cutting wood one day when he hears the beating of hooves.  Hiding nearby, he sees a band of riders approach the face of a cliff and hears the man who appears to be their leader say "Open Sesame."  At those words the cliff opens, the band rides in, and the leader closes the wall behind him with "Close Sesame."  The story goes on in some detail about how Ali Baba uses the password to enter the cave and take some of the treasure, how the thieves find out, and how an ally of his ultimately defeats the thieves' leader, but the main reason for retelling it here is the "password of passwords."

You see, the leader knew that the password had been compromised but did nothing to change it, and instead tried to "seal the leaks" by disposing of the people who knew it.  Once a password is compromised, the chances are high that it will spread further.  What happens when a "password of passwords" is compromised, like the shared administrative credential that many systems administrators need to do their daily jobs?  Pure chaos.

If I were a stranger and asked you for the key to your home, would you give it to me without gathering some information about my background or my reputation?  Probably not, and yet we are willing to trust our sensitive data to others we have not verified.  Cloud security is probably very good, but until that can be affirmed, placing sensitive information there is somewhat disconcerting.  After all, all a "black hat" would have to do is get ONE password or set of credentials that allows access to all the records, and then there would be chaos.

So, what is the solution for the household computer user?  Get an external drive and backup software, and use THAT to keep a copy of your important files under your own control.  As for the industries that depend on cloud security, such as health information and banking, it is vital that THEY inform the consumer of their security posture (leaving out the details that would help intruders gain access).  In the meantime, keep making your passwords strong by making them longer and more complex.  Don't know how?  There are many references on passwords, including a children's book on the subject by yours truly called "Granpappy Turtle Talks About Passwords," available at http://www.lulu.com.

Learn, Offer, Value, and Educate  http://www.grectech.com

 

Happy Cybersecurity Month! Hug a Silver Hat!

Did you know that it is Cybersecurity Month?  I know it does not get the publicity that other "special months" or "special days" do, but it is no less important.  Cyber affects every person in the US and the world.  Did you know that there are over 3.4 BILLION people online in the world, or that Africa's online population has grown by more than 8000% (www.internetlivestats.com/internet-users)?  Cyber now has reign over our health care, our infrastructure (that's right: the electrical grid, water purification, even our entertainment), and our daily commute.  It is a shame that we only have one month devoted to this very important part of our lives, and even that month is barely mentioned!

So, what are you all doing to celebrate this month?  Are you making any travel plans, or maybe taking a day off work?  Well, here are some suggestions to help commemorate this important aspect of our daily living:

  • Change your passwords – now!

There have been so many breaches that it does no harm to change the passwords on the accounts that could disrupt your life if taken over: online bank accounts, online insurance accounts, online health care accounts, Social Security online accounts, and any other accounts you rely on.  Do you have one master password that controls all these accounts?  Then you should be changing it at least once a month, if not more, and immediately if you ever suspect it has been seen by someone else; a master password is the "password of passwords," and it deserves a second factor wherever the service offers one.  People ask me what a good password contains, and I have done research on this (as well as written one of the first children's books on the subject – GRANPAPPY TURTLE TALKS ABOUT PASSWORDS, available at http://www.lulu.com – sorry about the shameless plug) and can tell you that the best passwords are long, complex, and memorable.  But the bottom line is this:  LONGER IS STRONGER.  Build your password from several random words (like BOIL and FRAME) with some numbers and special characters added, and voila, you have a strong password.  The length does most of the work, and the words only count as random if you did not pick a phrase anyone who knows you could guess.

  • Check your router

Does that sound strange?  Everyone with internet access at home has a router (you know, that box the cable company or phone company rents to you, or that you bought yourself).  The router ships with a default USERID and password, printed on the bottom of the unit or on a card tucked into the case; the USERID is normally ADMIN and the password is something like 12345 or PASSWORD or (Heavens!) NO PASSWORD at all, and those defaults are published in every manual and known to every intruder.  Change both the password and, if the router allows it, the USERID as soon as possible, make the password a strong one (see above), and switch off remote administration from the internet side if it is turned on.

  • Know your surroundings!

This is probably the most important suggestion.  When I was in the military I was walking down a hallway and there was a person coming the other way with his head down – he almost ran into me.

“Be careful there.”  I warned.

“Oops, sorry about that,” the other service member said, “I know where I have been, and I know where I am going, I just want to know where I am.”

Although somewhat funny, this story has real value today.  We used to walk with our "head in the clouds."  Now we walk with our "hands on our phones."  We are oblivious to our surroundings and to who is in front of or behind us.  We need to lift our heads and become more aware.  In addition, get a "privacy screen" for your laptop and your phone.  These usually cost less than 50 dollars for a laptop and prevent people from "shoulder surfing" to read your screen.  Also, use a virtual private network (VPN) on your phone, laptop, or other device whenever you are away from home on local WI-FI.  These WI-FI connections are NOT secure: anyone on the same open network can watch whatever traffic is not encrypted, and a VPN wraps all of it in encryption whether or not the site you are visiting uses HTTPS.  I am waiting for someone to get hacked at one of these public sites and to litigate because the site was not secure.  But that is another story for another day.

Let’s review.

First, change your passwords.  Make them strong and ones you can remember (it can be done).

Second, check your routers at home to ensure they are secure.

Third, ensure you know where you are and what you are doing.

And TRY to enjoy the month.  There are tons of articles out there researching everything from cell phone vulnerabilities to making strong passwords.  Don't like to read?  There are plenty of YouTube videos for you to review.  Want a place to start?  See my SIX MINUTES FOR SILVERHATS series on my YouTube channel, GRECTECH (the one with the black and gray logo).  If you have any suggestions, please contact me through my web site http://www.grectech.com or http://www.silverhats.org.  Happy computing!

Learn, Offer, Value, Educate

Cybersecurity and the Bible?!


I was thinking of a subject to write about for this blog and, after going to church, thought about whether the Bible might have had some prognostications about the computer age.  I have heard many people claim that the Book of Revelation predicted the internet (the "number of the beast," 666, is said to translate to "www" because the Hebrew letter vav, sometimes rendered as w, has the numeric value 6), but were there any phrases in the Bible that might relate to our current cybersecurity efforts?

Unfortunately, after some effort putting in search terms like "router," "password," "authenticate," and other such words, I found nothing in my version of the Bible (the King James Version), but some other words did hit on some interesting phrases.

The first word was "network."  This one brought up some interesting references, especially in the Book of Isaiah, where Chapter 19, verse 9 says "moreover…they that weave networks shall be confounded."  I found this such an interesting phrase, since the more complex a computer network becomes, the more there is to defend and the easier it is for an intruder to slip past the defenders.  In the same way that a large area of land is tough to patrol for intruders, the network "land area" (or "LAN area," if you like puns) is tough to patrol for cyber intruders as your network becomes more expansive.  This one raised my eyebrows slightly because of its applicability to today's cyber environment.

Network was also used in the Book of Kings, where 1 Kings, Chapter 7, verse 18 says "…and he made the pillars, and two rows round about upon the one network…"  This could be read as a kind of computer network, both hierarchical and peer-to-peer, the sorts still used today.  It could also refer to firewalls or DMZs, which stand like pillars to block intruders from entering the network.  I know, I am stretching, but the fact that this phrase even exists in the Bible is interesting if nothing else.

The second word I found was "host."  Now, in the Bible, at least from my reading, a host is just that: a tribe or family and the armed camp that defends it.  There was an interesting phrase in the Book of Judges, where Chapter 8, verse 11 states that someone "…smote the host; for the host was secure."  (In the King James English of that verse, "secure" means unguarded and off its guard, which only sharpens the lesson: the camp that believes itself safe is the one that gets hit.)  This is probably the one phrase that pertains most to cybersecurity.  Why would anyone try to defeat a system that is already defeated?  The challenge in defeating a system is to overcome its security; to aim the intrusion at something reported to be "unsinkable."  What better way to make a name for yourself as an intruder than to defeat a secure host?

Okay, all this is hyperbole, I realize that.  It is interesting to note that maybe the Bible was not predicting the internet or the computer age, but that something written so long ago can be adapted to something as new as the computer security arena.  It was a fun exercise, but it is much more than that to me.  It means that users are the ones who operate and maintain computers, computer networks, and computer security.  If the people are not considered in the equation, we are not really considering the entire formula.  By personifying computers through the Bible, I hope to bring us all back to the basics as IT professionals.  We MUST consider the users (and the intruders, who are also users) in the big IT picture.  The past is the future.

http://www.grectech.com

You Are the Weakest Link – Something You Are

I just received news that a company received the OK from the UK to handle identity verification for government services.  I read the article and am both impressed and relieved that there are entities out there that seem to be thinking outside the conventional security box to provide a more secure way to get into government sites.  The thing that scares me the most is that Estonia, which had a very large and expansive system for accessing government information and services, was attacked, with the consequence that a large segment of the population could not conduct business until the recovery was complete.  I have not heard anything more about this (it happened years ago), so I am sure the country has put a more secure method of access in place.  The elements I just read about in the UK seem promising, but I still think that the most important weakness is something no technology can defeat: the innate laziness of the user.

I am lazy, I admit it.  I want to access information by the simplest method possible.  However, I also try to use the most secure method possible, which is sometimes counter-intuitive.  I am concerned that giving people the ability to develop their own security has more downsides than upsides.  For computer security people, we love to develop our own security since it gives us control.  Unfortunately, others who are not reading about computer security flaws, fixes, and failures do not stay awake at night wondering if their bank account will be there in the morning.

The first flaw I see is the self-assigned PIN that many security applications are using, especially if it is under 8-12 digits.  If I were a hacker, I would check FACEBOOK or another social site, find the birthday and try that first, then any phone number the user might have (especially if it is a seven- or ten-digit PIN), along with any other birthday I can find.  I would also see if I could get hold of a Social Security Number and try that, and then their address if it has a number.  After that, if I hit "three strikes you're out," I would close my browser and try again, especially if I know that no email will go to the real user saying someone is trying different PINs and "we suggest that you change yours."  The reason I picked 8-12 digits is Shannon entropy: a PIN of k digits chosen uniformly at random carries log2(10^k) bits, about 3.3 bits per digit, so 8-12 random digits give roughly 27-40 bits to guess, whereas a PIN lifted from a birthday or phone number is one of a few dozen candidates no matter how long it is.  Claude Shannon understood the mathematics behind information security, and his theory is still used today in some US government circles.
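Here is an added example (my own illustration, not code from the original posts) that puts numbers on two claims above: the LONGER IS STRONGER rule from the Cybersecurity Month post, and the birthday-and-phone-number PIN attack sketched in this one.  It computes the Shannon entropy of a few password shapes and then builds the targeted guess list an attacker would try against a PIN, from a fictional profile that is entirely constructed for the example.  The profile values, the list of date and phone formats, and the three-attempt lockout are all assumptions.

```python
import math
from datetime import date

# Constructed, fictional profile standing in for what an attacker could scrape
# from a public social-media page (assumption: every value here is invented).
PROFILE = {
    "dates": [date(1984, 7, 23), date(2011, 3, 5)],  # own birthday, a child's birthday
    "phones": ["555-867-5309"],
    "numbers": ["1984"],                              # house number
}


def entropy_bits(alphabet_size, length):
    """Shannon entropy, in bits, of a secret of `length` symbols each drawn
    uniformly from `alphabet_size` possibilities: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def compare_styles():
    """'Longer is stronger': entropy of common password shapes, assuming every
    symbol (character or word) is chosen at random rather than by a person."""
    return {
        "4-digit PIN": entropy_bits(10, 4),
        "8-digit PIN": entropy_bits(10, 8),
        "8 chars, upper+lower+digits (62 symbols)": entropy_bits(62, 8),
        "16 lowercase letters": entropy_bits(26, 16),
        "4 random words from a 7776-word list": entropy_bits(7776, 4),
        "6 random words from a 7776-word list": entropy_bits(7776, 6),
    }


def date_forms(d):
    """Digit strings people typically derive from a date (assumed formats)."""
    yyyy, yy = f"{d.year:04d}", f"{d.year % 100:02d}"
    mm, dd = f"{d.month:02d}", f"{d.day:02d}"
    return [mm + dd, dd + mm, yyyy,
            mm + dd + yy, dd + mm + yy, yy + mm + dd,
            mm + dd + yyyy, dd + mm + yyyy, yyyy + mm + dd]


def phone_forms(phone):
    """Full number, the local seven digits, and the last four digits."""
    digits = "".join(ch for ch in phone if ch.isdigit())
    return [digits, digits[-7:], digits[-4:]]


def pin_guess_list(profile, length):
    """Candidate PINs of exactly `length` digits built from personal data, in
    the order the article suggests trying them, without duplicates."""
    raw = []
    for d in profile["dates"]:
        raw.extend(date_forms(d))
    for p in profile["phones"]:
        raw.extend(phone_forms(p))
    raw.extend(profile["numbers"])
    seen, out = set(), []
    for cand in raw:
        if len(cand) == length and cand not in seen:
            seen.add(cand)
            out.append(cand)
    return out


def attack_summary(profile, length, attempts_per_lockout=3):
    """Contrast a blind brute force with the targeted list for a `length`-digit
    PIN. `lockout_rounds` is how many 'three strikes' lockouts the targeted
    list needs if each one can be reset just by opening a fresh session."""
    cands = pin_guess_list(profile, length)
    return {
        "random_pin_bits": entropy_bits(10, length),
        "brute_force_avg_guesses": 10 ** length // 2,
        "targeted_candidates": len(cands),
        "targeted_bits": math.log2(len(cands)) if cands else 0.0,
        "lockout_rounds": -(-len(cands) // attempts_per_lockout),  # ceiling
    }


if __name__ == "__main__":
    for name, bits in compare_styles().items():
        print(f"{bits:6.1f} bits  {name}")
    for n in (4, 6, 8):
        print(n, "digits:", attack_summary(PROFILE, n))
```

Two things fall out of running it.  Four random words from a 7776-word list beat eight mixed-case alphanumerics, so the "longer is stronger" rule holds even when the longer secret uses a smaller alphabet per symbol.  And a four-digit PIN that would take 5000 guesses on average to brute-force falls to a seven-entry list built from one profile, which needs only three "three strikes" lockouts; the lockout only helps if it is tied to the account on the server side and triggers the warning email the article asks for.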

The second flaw I see is the "verification" of the "verification."  What happens if the person forgets their PIN?  I understand that "something you know" can be forgotten, but how do you then verify the person?  If there are security questions, the answers have to be stored somewhere in the system, and anything stored is something that can be stolen; worse, the usual answers are often discoverable from the same social sites the attacker already searched.

The final flaw I see is "something you have" and "something you are" not being kept separate.  Some companies use a downloaded token as the "something you have" and then treat the home PC or laptop that holds that token as if it were the "something you are."  A device is not a biometric; it is a second "something you have," and unless that hardware is chained to you it will be misplaced, and now the hacker has your token, guesses your PIN to be your birthday, and is in!

This article is not meant to be negative at all, believe it or not.  I see great strides in the security of people's information, considering the many online services available today.  I also see young people who trust others to the point of sharing security information with their "best friends" (who could change every hour).  What recommendations would I make?  Probably those already in the works, including more biometrics that are non-invasive but highly individual, such as EKG or EEG, which can be baselined and used as "something you are."  No one has to remember their EKG or EEG, and there are interfaces that can pattern-check against these indicators.  Another recommendation would be to draw the verification questions from a credit bureau's own database, which could eliminate storing them on the access server.  I am very impressed with these credit check questions since they are something I would remember, even if the data is 10 years old.

The bottom line in this article is that I applaud the efforts of public service security efforts.  After working for the Federal Government in a variety of capacities, I am very pleased that there are companies that are taking this security aspect very seriously.  Please keep up the good work!

PS  I kept the company’s name out of this article for anonymity purposes.  Hey, at least they are trying folks!

 

 

Environmental Force Effect Analysis (EFEA), CyberSecurity, Project Management – Part 1

I am a private pilot who hasn't been in a cockpit since the 1980s.  That is a shame, since I really liked flying.  I enjoyed being up there alone, just me and the machine, battling all the different forces that hit the aircraft, whether wind, rain, downdrafts, or updrafts.  I was once pushed up over 1000 feet by an updraft; it was relentless and I was powerless.  The instructor, who was with me at the time (whew), told me there was nothing I could do but ride it out and keep the aircraft straight and level; consistency and stability were the keys.

I recently remembered that story and connected it with life in general or, since I am a business owner, with business.  Let's say you are making money hand over fist (an updraft), or the project is going extremely well, or your cybersecurity is doing what it is supposed to do; consistency at that moment is unbelievably important.  You must keep the "plane straight and level," meaning you must keep an eye on project costs and schedule, or ensure that your cybersecurity policies are applied consistently, to keep everything stable during the updraft.  As with the wind, the updraft, or any other force on the object, the idea is to counter that force and keep the plane on course, straight and level.  In flying, to stay on course when the wind is against you, you adjust your heading to account for the wind.  What if progressing through a project or implementing cybersecurity did the same thing?  What if you could use existing flying tools to adapt to changing forces in the environment?

This is where the theory of "Environmental Force Effect Analysis (EFEA)" comes into play.  Basically, it uses existing flying tools to adapt and adjust your course so that you stay straight, level, and on course for the future.  I am completing an article for the PMI Journal on megaprojects and realized that the company I was profiling had been carried through some buffeting times and is still extremely strong today, even though the forces pitted against it should have crashed it several times over.  After some analysis, I found that the company recognized the force against it and countered it with some far-reaching strategic solutions, which it then adapted as those solutions were hit by even more forces.

How does this theory work?  It works on Newton's third law of motion, that every action has an equal and opposite reaction.  The force is treated as a wind hitting your object (business, project, etc.) head on (from 0 degrees), as a quartering wind (45, 135, 225, 315 degrees), as a full crosswind (90, 270 degrees), or as a tailwind (180 degrees), with the object always travelling due north (0 degrees).  What you want to work out is the ground speed under each of these forces, since that is the speed you are actually making over the ground.  The true airspeed is what your aircraft's gauge reads, and in the analogy it is your revenue, sales, iteration completion time, cyber outliers detected, and so on: the rate you set.  The ground speed is the rate you actually achieve with the force against you (or with you).

The next article will delve into the specifics of the formula, how to calculate the true ground speed, and how this can be adapted to your project.  This is just a theory at this point and is still being developed, so please excuse the very elementary nature of this explanation.  It is a work in progress.
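Until the follow-up article arrives, here is the standard aviation wind-triangle computation as an added, stand-alone example (my own code, not the author's EFEA formula, which this page does not give).  It takes the true airspeed you set, the course, and a wind given as the direction it blows from plus its speed, and returns the ground speed you actually make and the crab angle needed to hold the course, for the eight wind angles listed above.  Reading revenue or throughput as true airspeed and the business environment as wind is the article's analogy; mapping EFEA onto exactly this formula is my assumption.

```python
import math


def wind_components(course_deg, wind_from_deg, wind_speed):
    """Resolve a wind into components relative to the desired track. Wind
    direction is where the wind blows FROM, as in aviation reports. Returns
    (head, cross): head > 0 is a headwind, head < 0 a tailwind; cross > 0 is a
    wind from the right of the track."""
    rel = math.radians(wind_from_deg - course_deg)
    return wind_speed * math.cos(rel), wind_speed * math.sin(rel)


def ground_speed(tas, course_deg, wind_from_deg, wind_speed):
    """Ground speed made good along the course, and the crab angle (heading
    minus course) needed to hold that course. Returns None when the crosswind
    exceeds the true airspeed, because then no heading keeps the track."""
    head, cross = wind_components(course_deg, wind_from_deg, wind_speed)
    if abs(cross) > tas:
        return None
    crab = math.degrees(math.asin(cross / tas))
    gs = math.sqrt(tas ** 2 - cross ** 2) - head
    return gs, crab


def force_table(tas, wind_speed, course_deg=0):
    """The eight wind angles the article lists for an object heading north:
    0 head-on, 45/135/225/315 quartering, 90/270 full cross, 180 tail.
    Maps each angle to (ground speed, crab angle) rounded to one decimal."""
    table = {}
    for wind_from in (0, 45, 90, 135, 180, 225, 270, 315):
        result = ground_speed(tas, course_deg, wind_from, wind_speed)
        table[wind_from] = None if result is None else tuple(round(x, 1) for x in result)
    return table


if __name__ == "__main__":
    # A "true airspeed" of 100 units is the rate you set; a 20-unit "wind" is
    # the environmental force. Ground speed is what actually shows up.
    for angle, (gs, crab) in force_table(100, 20).items():
        print(f"wind from {angle:3d} deg: ground speed {gs:6.1f}, crab {crab:5.1f} deg")
```

With a true airspeed of 100 and a wind of 20, the head-on wind leaves 80 over the ground, the tailwind gives 120, and a full crosswind costs about 2 units of ground speed because the aircraft must crab 11.5 degrees into it to hold the track; the quartering cases sit in between.  The crab angle is the part of the analogy worth keeping: holding a course in a crosswind means pointing somewhere other than where you want to end up.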

 

Learn, Offer, Value, and Education (LOVE) http://www.grectech.com

 

Occam’s Razor and “Cutting Edge” Email Security

You have probably all heard of Occam's Razor, a principle attributed to William of Ockham centuries ago, whose conventional use is captured in the adage "given two solutions, the simplest is probably the best."  Well, after some research, it turns out that this is just one of many interpretations; another is that "entities should not be multiplied beyond necessity" (see the Wikipedia entry on Occam's razor, and read Charles Mackay's Extraordinary Popular Delusions and the Madness of Crowds in the modern interpretation by Tim Phillips).  The reason I write today about this used (and somewhat overused) principle is that it can be useful for computer security in your company.

After working in several federal government agencies, I found two different security philosophies.  The first was "keep it secure at some point, but otherwise keep it open," while the other was "keep it secure until otherwise needed."  These two competing forms of information security each had advantages and disadvantages, but they had one thing in common: keep it simple.  Take the email address.  In order to ensure consistency, most email addresses contained something pretty easy for the user to remember, the first name and the last name.  The problem with that standard is that an amateur hacker who knows the convention and a name already knows the address, and all it takes from there is a message to it carrying a malware-laden attachment and one person who opens it, and they are in the company.  I could give you some advice on this, but that could make me a black hat, so I will not do that here.  Instead, let me give you some advice on email names.

First, do NOT base your email name on your first and last names!  I cannot count the times I have seen this, even with friends who are computer security specialists.

Second, do NOT put a date in that email address!  Any date has to be based on something, and someone will figure it out, period.  If someone wants to get to your personal information, why make it easy for them?  If you must put a number in your email address, make it something that means nothing to you personally (like the digits of pi – 314 – or something similar).

Third, do NOT use your middle name if you have a choice.  Again, the middle name can mean more than just your middle name; it could be your mother's maiden name, and you never want to give that out.

Treat your email address as you would any other piece of personal information, and keep what it reveals to a minimum.  Don't worry: the people who know you already know when your birthday or anniversary is, so they will remember.
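As an added example (my own code, not from the original post), the following shows both sides of the point above: how a first.last convention lets an outsider with a staff list and a single known address reconstruct every mailbox in a company, and a quick check of whether an address you are about to pick breaks the three rules.  The staff list, domain, and naming patterns are constructed for the example.

```python
import re

# Constructed sample data (assumption: the staff, domain and patterns below
# are invented for this example).
STAFF = [("Pat", "Rivera"), ("Sam", "Okafor"), ("Lee", "Nakamura")]
DOMAIN = "example.com"

# Common corporate naming conventions, as functions of (first, last).
PATTERNS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "flast":      lambda f, l: f"{f[0]}{l}",
    "firstl":     lambda f, l: f"{f}{l[0]}",
    "last.first": lambda f, l: f"{l}.{f}",
}


def learn_pattern(known_address, first, last):
    """Infer the convention from one known address and its owner's name."""
    local = known_address.split("@")[0].lower()
    for name, make in PATTERNS.items():
        if make(first.lower(), last.lower()) == local:
            return name
    return None


def guess_addresses(staff, domain, pattern):
    """What a predictable convention hands an outsider: given a public staff
    list and the pattern, every mailbox in the company, ready for a mailing."""
    make = PATTERNS[pattern]
    return [f"{make(f.lower(), l.lower())}@{domain}" for f, l in staff]


def address_predictability(address, first, last, middle=None):
    """Check a candidate address against the three rules: no first/last name,
    no date-like number, no middle name. Returns the list of problems found;
    an empty list means the address reveals none of the three."""
    local = address.split("@")[0].lower()
    letters = re.sub(r"[^a-z]", "", local)
    findings = []
    if first.lower() in letters or last.lower() in letters:
        findings.append("contains first or last name")
    if middle and middle.lower() in letters:
        findings.append("contains middle name")
    for run in re.findall(r"\d+", local):
        if len(run) == 4 and 1900 <= int(run) <= 2100:
            findings.append(f"number {run} looks like a year")
        elif len(run) in (4, 6, 8):
            findings.append(f"number {run} looks like a date")
        elif len(run) == 2:
            findings.append(f"number {run} could be a day, month or two-digit year")
    return findings


if __name__ == "__main__":
    convention = learn_pattern("pat.rivera@example.com", "Pat", "Rivera")
    print("convention:", convention)
    print("\n".join(guess_addresses(STAFF, DOMAIN, convention)))
    for addr in ("pat.rivera1984@example.com", "privera@example.com", "quietfox314@example.com"):
        print(addr, "->", address_predictability(addr, "Pat", "Rivera", "Jordan") or "ok")
```

One known address is enough to learn the convention, and from there the staff page on the company web site becomes the target list.  The checker is deliberately strict: a three-digit number such as 314 passes, but anything that reads as a year, a month-and-day, or a full date does not.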

Just a quick bit of tips from the people at GRECTECH (www.grectech.com).

 

 

Should We Teach Cybersecurity Ethics to Children?

I have done some preliminary research on teaching cybersecurity ethics and have found articles written by academia, federal government agencies, and private industry.  But I have yet to find one about teaching cybersecurity ethics to children attending middle or high school.  In one article, by KQED news, a survey showed that 91% of teachers felt there should be instruction in online ethics, but less than half believed their school was doing a good job of teaching the subject (http://ww2.kqed.org/mindshift/2011/05/19/how-well-are-schools-teaching-cyber-safety-and-ethics/).  This is a concern I share after teaching very briefly at the middle school level.  The facts and theories taught are not being connected to the ethical standards that surround them.  Teaching middle and high school students basic programming does not address copyright law, or the fact that although copying modules of code into your own system is common practice, that alone does not make it right.  The very idea of teaching students ethics is no more unorthodox than teaching them the rules of the road in driver's education.  I am positive that the driver's education instructor covers the proper way to park, the proper way to make a turn, signaling to others, and so on.  Although there is some foundation in law, people do these things to be courteous to others, to give others consideration.  Is that not what ethics covers in the long run, consideration of others?  Why should being online be any different?

What subjects should be taught when covering cybersecurity (or, for that matter, cyber) ethics?  The first, and most important, is to regard others' information as private.  One would normally not break into a person's home and steal anything, yet somehow it is seen as okay to break into their email and steal information, or to use a stolen password to empty a person's bank account.  Teaching the student that this is not the right thing to do is the first step to getting them to think the process through.  What is happening now is what I call "enabling the bad."  By showing the glamour of hacking and stealing in TV shows and movies, we are endorsing behaviors we would not want our peers to possess.  By teaching the right/wrong aspects, we no longer provide the plausible deniability that many hackers use for their activities.  How many times have you heard that the hackers are "just equalizing the playing field" or "righting a wrong"?  It is this type of thinking that can at least be addressed with ethics training.

The second part of the ethics training could be a series of simulations in which the students act out a scenario.  A few of these are included here:

  1. The student is confronted by another student who says the first student posted something bad about them on a social site.  The student has no knowledge of this but remembers giving someone else the password to his/her account.  How does the student address this problem?
  2. A student realizes that code copied from another student helped him/her deploy an app that is making money, and the other student recognizes the app.  How would the student who copied the code address this problem?
  3. A student reads something bad about another student online that he/she knows is false.  What does the student do?
  4. A student is handed the username and password of another student to use as he/she sees fit.  How would the student handle this situation?

Granted, there are hundreds of scenarios, but these matter because young students do not think of strategy in terms of years but sometimes of hours.  Unfortunately, the decision they make now, based on what they think will happen in the next few hours, does not pass the test of time beyond that hour.  Ethics training should take these situations head on and show the student that decisions made now may affect them for years.  That is a big task, but one that has to be taught, not absorbed from people who think that technology trumps human interests.