What If We Taught People to Drive Like We Teach People to Use A Computer?

I want you to teach a person to drive a car using the following outline:

  1. Teach them where the accelerator is and how to use that
  2. Teach them where the brake is and how to use that
  3. Teach them where the mirrors are and how to use them
  4. Teach them how to turn on the car, how to turn off the car
  5. How to fill the car with gas and where to put it
  6. Where the light switch is and how to turn it on and off
  7. Where the radio switch is and how to operate that
  8. How to read the speedometer

I am sure that I skipped some steps, but you get the drift.  What you have taught the would-be driver is the “buttonology” of the car.  You have failed to tell them about the dangers of driving, the rules of the road, how to be courteous, and otherwise how to show consideration for others.  What is the probability that this “driver” will have an accident on their first day behind the wheel?  I am a statistician and I would take odds on this one!

Let’s segue to computers.  That’s right, computers!

How do we teach people to use computers today?  We teach buttonology: how to associate a function with the pressing of a button.  Want email?  Press this combination of buttons.  Want an app, or the internet?  Press this series of buttons.

There are no classes on the rules of the road, the ethics of using a computer, or the dangers associated with using one.  Compared to driving a car, this is basically like telling everyone to go out to their car, cut the brake lines, and then drive it.  We may make it to our destination, but the chances are that we will crash and burn.  The same is true of operating a computer without the guidance necessary in the area of cybersecurity.

Cybersecurity.  The very name raises images of dark figures hiding in the shadows, plotting the overthrow of a computer network.  Yes, the black hatted individual that spends their days planning to attack a network for a variety of reasons, whether they be money, fame, or maybe rationalization that the attack will right a wrong.  Ah, cybersecurity.  It is meant for people who are the target of the attacker, not for normal people like you and me.

Hmmm.  Then maybe none of us needs driver training except the people who operate commercial vehicles, or maybe we can all skip the pilot’s license, since only commercial airline pilots are meant to REALLY learn about flying a plane!

Maybe this is a little bit of hyperbole, but I have talked to a number of people who believe that computer training is one thing and cybersecurity is another.  Ladies and gentlemen, that is like saying that there are five unrelated fingers on your hand!  Every finger works as part of the whole hand.  The same can be said about computer training and cybersecurity training.  Did you know that a brand new computer often ships with default settings (file and printer sharing, remote access, guest accounts) that are far more open than a home user needs, so that other machines on the same network, and anyone out on the internet if the computer is exposed to it directly, can reach it?  A few simple configuration changes eliminate that exposure.  Did you know that you can be tracked through your cell phone, or that an app can turn on your phone’s microphone and camera?  Many people realize this, but fail to correct the situation.  Do you have a passcode on your phone?  Do you have a privacy screen on your phone?  All of this is part of keeping yourself safe while using a device whose buttons you already know.  Without good cybersecurity education, you are putting yourself at risk every time you get online.

The sad part of this whole situation is that our children are using devices at very young ages and do not understand the consequences of their use.  Would you put them in a car without education and let them drive to the store?  Of course not!  Why are we continuing to let our children learn functions without learning to consider the consequences of their actions?

I teach senior citizens cybersecurity and I wanted to get the word out so I contacted a local paper.  The editor responded that it sounded okay, but they just did an article on seniors learning computers and that it might take a while before something else was done on this subject.

Can you now see what I am discussing here in this article?  If we fail to protect ourselves, we are just placing more people “on the road” without seat-belts and brakes!  Worse than that, we are giving people the ability to get scammed because they “trust” the network they are on at any time.  We do not implement protections and thereby put our loved ones in harm’s way.  We do it inadvertently, but we do it nonetheless.

How can we start to turn around this downward spiral of our computer users?  First, look toward the basic cybersecurity courses (there are plenty that are free on www.cybrary.it as well as other sites).  Yes, there are classes in hacking, but there are plenty that show defensive measures to keep yourself safe while using your computer, cell phone, or other technology.  If we fail to keep pace with safety and security, we are contributing to the increase in cyber crime.  After all, what better way to encourage cyber criminals than to place someone on the network who does not understand the protections necessary to be secure and safe?  If that is acceptable, then go ahead and give your teenager the car before they get their license and let them drive it wherever they want.

One more fact before I let you go on with your internet surfing.  There are approximately 3.6 BILLION internet users according to http://www.internetlivestats.com/internet-users/ and there are “only” approximately 1 BILLION cars on the road according to http://www.huffingtonpost.ca/2011/08/23/car-population_n_934291.html.  From these numbers, which of the two (computers or cars) presents the bigger target?  If I were a criminal, would I want to steal a car, or quietly take over a computer network without you knowing?  You decide.

That last part made you anxious; admit it.  Let’s all start to educate our users better and keep cyber crime at bay.  Otherwise, you need to get off the grid, because it is about to get ugly (or uglier)!

 

Learn, Offer, Value, Educate (LOVE)

“Silver Hats” founder


Using a Game Keypad for Passwords

I wanted to make a strong password without forgetting the password in the process.  I specifically needed something that would not “linger” on the computer where an intruder could find the passwords, and I did not want to have several passwords in the “cloud” under one key that could be broken and then all my passwords exposed (see my previous blog on Ali Baba).

 

The solution, it seemed, was in the same kind of keypad used by gamers to build “macros” that save keystrokes in complicated games (e.g. pressing the CTRL key while holding down the SHIFT and DELETE keys to fire a weapon).  So, when looking for a solution, this looked like a good alternative.  I purchased a GENOVATION keypad from AMAZON, which cost me about 80 dollars at that time, though I have noticed that they have gone up in price since.  I plugged it into a computer that I do not put on the internet and programmed the macro generator with passwords that are sometimes 30 characters long, with random letters, numbers, and special characters.  Then I go to the site, put in my user ID, and when I get to the password field I press the appropriate key; the password is inserted and I am into my account.

Because the keypad is only connected until the password has been submitted, no password file is placed on the computer I am using for the account; then I unplug the keypad and put it aside for the next use.

Some disadvantages:

(1) I cannot carry the keypad with me (it is about the size of a book), so it is not really portable.

(2) I can only use it from home, which actually suits me fine, since I have no intention of going into my bank account from some hotel wi-fi.

An advantage I failed to mention is that this keypad can be adapted to an iPhone to enter your passwords at home.  Again, portability is an issue, but I am looking into other Genovation products that are smaller and that you could possibly carry with you.  The main concern is that the smaller the keypad, the more likely it is to be lost or stolen, which could be a problem if you have the keys plainly labeled with things like “bank” or “credit card.”  I am doing some more research on this and will share it as I go.

Thanks for reading and remember

Learn, Offer, Value, and Educate

Ali Baba and Cloud Security

ali-baba

By Maxfield Parrish – Arabian Nights, Public Domain, https://commons.wikimedia.org/w/index.php?curid=1471823

So, we are now in the cloud era, where our files are kept on “secure” servers around the world, and we can sleep at night knowing that we have put all of our records in a place we have never seen, whose location we do not know, and whose security we have NO idea about.  Wow, this certainly makes me more relaxed; how about you?

This reminds me of the story of Ali Baba and the Forty Thieves.  Although reputedly a part of the 1001 Arabian Nights, it has been argued that it is not really part of the original stories of that very colorful collection, but nonetheless we will assume it to be for the purposes of this article.

The story goes something like this:  Ali Baba, a poor man, is cutting wood one day when he hears the beating of hooves.  Hiding nearby, he spies a band of riders approach the side of a cliff and hears their leader say “Open Sesame.”  At those words the side of the cliff opens; the band enters and the leader says “Close Sesame,” closing the wall behind him.  The story goes on in some detail about how Ali Baba uses the password to go into the cave and take some treasure, is found out, and then, with the help of an ally, ultimately defeats the thieves’ leader.  But the main reason for re-telling this story is the “password of passwords.”

You see, the leader knew that the password had been compromised, but did nothing to change it; instead he tried to “seal the leaks” by disposing of the people who knew it.  Once a password is compromised, the chances that it will be passed around are high, and silencing the people who know it does not take it back.  What happens when a “password of passwords” is compromised, like the master credential many systems administrators hold to do their daily jobs?  Pure chaos.

If I were a stranger and asked you for the key to your home, would you give it to me without gathering some information about my background or my reputation?  Probably not, yet we are willing to trust our sensitive data to others whom we have not verified.  A cloud provider’s security is probably very good, but until that can be confirmed, placing sensitive information there is somewhat disconcerting.  After all, all a “black hat” would have to do is get ONE password or set of credentials that allows access to all the records, and then there would be chaos.

So, what is the solution to this for household computer use?  Get an external drive and backup software and use THAT to store your important files, and keep the drive unplugged except while backing up, so that an intruder (or malware) on the computer cannot reach the copy.  As for the industries that rely on cloud security, such as health information and banking, it is vital that THEY inform the consumer of their security posture (leaving out the details that would help intruders gain access).  In the meantime, continue to make your passwords strong by making them longer and more complex.  Don’t know how?  There are many references on passwords, including a children’s book on the subject by yours truly called “Granpappy Turtle Talks About Passwords,” available at http://www.lulu.com.

Learn, Offer, Value, and Educate  http://www.grectech.com

 

Happy Cybersecurity Month! Hug a Silver Hat!

Did you know that it is cybersecurity month?  I know it does not get the publicity that other “special months” or “special days” do, but it is no less important.  Cyber affects every person in the US and the world.  Did you know that there are over 3.4 BILLION people on-line in the world?  Or that the continent of Africa has increased its online presence by 8000% (www.internetlivestats.com/internet-users)?  Cyber now reaches into our health care, our infrastructure (that’s right: the electrical grid, water purification, even our entertainment), and our daily commute.  It is a shame that we have only one month devoted to this very important part of our lives, and even that month is barely mentioned!

So, what are you all doing to celebrate this month?  Are you making any travel plans, or maybe taking a day off of work?   Well, here are some suggestions to help commemorate this important aspect of our daily living:

  • Change your passwords – now!

There have been so many breaches that it does you no harm to change the passwords on the accounts that could disrupt your life: online bank accounts, online insurance accounts, online health care accounts, Social Security online accounts, and any other accounts you need to use.  Do you have one master password that controls all these accounts?  Then that password is your single point of failure: change it more often than the rest, never reuse it anywhere else, and change it immediately if there is any sign it has been exposed.  People ask me what a good password contains and I have done research on this (as well as written one of the first children’s books on this subject, GRANPAPPY TURTLE TALKS ABOUT PASSWORDS, available at http://www.lulu.com; sorry about the shameless plug) and can tell you that the best passwords are long, complex, and memorable.  But the bottom line is this:  LONGER IS STRONGER.  Make your passwords long using random words (like BOIL and FRAME), along with some numbers and special characters, and voila, you have a pretty strong password.  The words must really be random, though; a phrase you would say in conversation, or a pet’s name plus a birthday, is a guess an attacker tries early.

  • Check your router

Does that sound strange?  Everyone who has access to the internet has a router (you know, that box the cable company or phone company rents to you).  This router has a default USER ID and password (especially the ones you buy yourself), usually printed on the bottom of the router or on a plastic card that pulls out of the case; the USER ID is normally ADMIN with the password being 12345 or PASSWORD or (Heavens!) NO PASSWORD!  Anyone who knows the model can look that default up.  Change the password (and the USER ID, where the router lets you) as soon as possible, and make it a strong one (see above).  While you are in the router’s settings, turn off “remote management” (administration from the internet side) unless you truly need it, and install any firmware update the router offers.

  • Know your surroundings!

This is probably the most important suggestion.  When I was in the military I was walking down a hallway and there was a person coming the other way with his head down – he almost ran into me.

“Be careful there.”  I warned.

“Oops, sorry about that,” the other service member said, “I know where I have been, and I know where I am going, I just want to know where I am.”

Although somewhat funny, this story has real value today.  We used to walk with our “head in the clouds.”  Now we walk with our “hands on our phones.”  We are oblivious to our surroundings or who is in front or behind us.  We need to lift our heads and become more aware.  In addition, get a “privacy screen” for your laptop and your phone.  These are usually less than 50 dollars for a laptop and prevent people from “shoulder surfing” to get information.  Also, get a virtual private network (VPN) for use on your phone and your laptop or other device when you are out of your home and using local WI-FI.  These WI-FI connections are NOT secure and so present a real threat to those who use them.  I am waiting for someone to get hacked at one of these public sites and litigating because they were not secure.  But that is another story for another day.
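Before the review, here is a worked example of the first suggestion (“longer is stronger”) and of the “password of passwords” problem from the Ali Baba post.  It is an added example, not code from the original post: it measures a password by the size of the search space an attacker must cover, compares random-word passphrases with random-character passwords, and generates a “random words plus numbers and a special character” passphrase the way that suggestion describes.  The word list, the 7776-word list size, and the guess rate are assumptions, not figures from the post.

```python
"""Worked example: why 'longer is stronger' for passwords.

Added example, not code from the original post.  It scores password styles by
the size of the search space an attacker must cover (entropy in bits) and turns
that into a rough time-to-exhaust at an assumed guess rate.  The word list below
is a constructed stand-in for a real Diceware-style list of 7776 words; the guess
rate is an assumption, not a measurement.
"""
import math
import secrets
import string

# Constructed 16-word list for the demo.  A real passphrase list (for example the
# EFF long word list) has 7776 entries; pass that size to entropy_bits().
DEMO_WORDS = [
    "boil", "frame", "cactus", "marble", "ladder", "pepper", "anchor", "velvet",
    "comet", "turtle", "harbor", "signal", "meadow", "pixel", "quartz", "walnut",
]
DICEWARE_LIST_SIZE = 7776                        # 6**5 outcomes of five dice rolls
PRINTABLE_POOL = len(string.printable.strip())   # 94 typeable ASCII characters
SYMBOLS = "!@#$%&*?"

# Assumed offline cracking speed against a fast, unsalted hash (hypothetical figure).
ASSUMED_GUESSES_PER_SECOND = 1e10


def entropy_bits(pool_size: int, length: int) -> float:
    """Bits of entropy for `length` choices made uniformly from `pool_size` options.

    4 Diceware words: 4 * log2(7776) = 51.7 bits.  8 random printable characters:
    8 * log2(94) = 52.4 bits.  Each extra word adds 12.9 bits; each extra random
    character adds 6.6, which is why length beats cleverness.
    """
    if pool_size < 2 or length < 1:
        raise ValueError("pool_size must be >= 2 and length >= 1")
    return length * math.log2(pool_size)


def years_to_exhaust(bits: float, guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Years an attacker needs to try every candidate at the given rate."""
    seconds = (2.0 ** bits) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def generate_passphrase(word_list, n_words: int = 4, digits: int = 2, symbol: bool = True) -> str:
    """Build a 'random words plus numbers and a special character' passphrase.

    Words are chosen with the `secrets` module (a CSPRNG), not `random`, so the
    result is unpredictable.  Words are capitalised and joined with '-' so the
    boundaries are readable; the separator aids memory, it adds no entropy.
    """
    words = [secrets.choice(word_list).capitalize() for _ in range(n_words)]
    tail = "".join(secrets.choice(string.digits) for _ in range(digits))
    if symbol:
        tail += secrets.choice(SYMBOLS)
    return "-".join(words) + tail


def passphrase_bits(word_list_size: int, n_words: int, digits: int = 2, symbol: bool = True) -> float:
    """Entropy of generate_passphrase() output, counting only the random parts."""
    bits = entropy_bits(word_list_size, n_words)
    if digits:
        bits += entropy_bits(10, digits)
    if symbol:
        bits += math.log2(len(SYMBOLS))
    return bits


def compare_candidates() -> dict:
    """Entropy of the password styles discussed in the post, for side-by-side reading."""
    return {
        "8 random printable chars": entropy_bits(PRINTABLE_POOL, 8),
        "12 random printable chars": entropy_bits(PRINTABLE_POOL, 12),
        "4 Diceware words": passphrase_bits(DICEWARE_LIST_SIZE, 4, digits=0, symbol=False),
        "4 Diceware words + 2 digits + symbol": passphrase_bits(DICEWARE_LIST_SIZE, 4),
        "6 Diceware words": passphrase_bits(DICEWARE_LIST_SIZE, 6, digits=0, symbol=False),
    }


if __name__ == "__main__":
    print("sample:", generate_passphrase(DEMO_WORDS))
    for label, bits in compare_candidates().items():
        print(f"{label:38s} {bits:6.1f} bits  ~{years_to_exhaust(bits):.2e} years at 1e10 guesses/s")
```

Run it and you will see that four random dictionary words are worth about the same as eight fully random characters, and that each extra word buys roughly twice what each extra random character does.  For a master password that guards every other one, pick the most bits you can still remember, and note the use of `secrets`: drawing the words with `random` would make the phrase predictable to anyone who knows the method.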

Let’s review.

First, change your passwords.  Make them strong and one that you can remember (it can be done).

Second, check your routers at home to ensure they are secure.

Third, ensure you know where you are and what you are doing.

And TRY to enjoy the month.  There are tons of articles out there that research everything from cell phone vulnerabilities to making strong passwords.  Don’t like to read?  Plenty of YouTube videos for you to review.  Want a place to start?  See my SIX MINUTES FOR SILVERHATS series on my YouTube Channel – GRECTECH (the one with the black and gray logo).  If you have any suggestions, please contact me through my web site http://www.grectech.com or http://www.silverhats.org.  Happy computing!

Learn, Offer, Value, Educate

This Day in History – The Making of a Traitor (or Insider Threat)

Most people know the name Benedict Arnold.  Traitors are called “Benedict Arnold,” as are those who switch sides in the middle of a battle.  But the name has much more meaning if you take a look at this individual’s battle record during the Revolutionary War.  Let’s start with a small, but important, fort at a place called Ticonderoga.  This fort had strategic importance since it sat on Lake Champlain in the northeast corner of New York State, close to Vermont, on the water route between Canada and the Hudson.  The British wanted this fort, which was occupied by the Americans.  Benedict Arnold, then a patriot, was among the officers who advised that the hill overlooking the fort (Sugar Loaf, later named Mount Defiance) be held, since a well-placed cannon there could fire down on the fort, inflicting heavy damage.  The fort’s commanders ignored the advice, holding that there was no way a cannon of that weight could be hauled to a point from which it could fire effectively.  Then, in July 1777, one of the fort’s lookouts saw the glint of metal on the hill in the morning light.  The British had in fact hauled cannon to the very point Arnold had warned was vulnerable.  The fort was abandoned without a fight.  Although the British gave it up again after their defeat at Saratoga, it did not have to come to that if the fort’s commanders had listened to Arnold.

Again, in 1777, Arnold urges General Gates to attack the British during the First Battle of Saratoga (the anniversary of which is today, 19 September).  Gates ignores the advice until it is almost too late and then acts on it at Arnold’s urging.  Although the Americans are driven from the field, they inflict heavy casualties on the British (http://www.history.com/this-day-in-history/arnold-and-gates-argue-at-first-battle-of-saratoga).  That is the final straw for Arnold, who three years later plots to hand West Point over to the British.  The plot is foiled; Arnold switches sides, fights for the British, and dies in London in 1801, a broken man.

Emotions run high when talking about Arnold.  In one instance, there is a monument of a leg with no name attached (http://www.roadsideamerica.com/tip/9271).  This is Benedict Arnold’s leg, wounded at the second Battle of Saratoga (Bemis Heights, 7 October 1777), a few weeks after the battle mentioned above.  The leg is considered the “patriotic” part of him and so was given the commemoration.

What do we learn from this that applies to today?  The insider threat can come from any source, even the people who seem most loyal.  Arnold became a traitor for a number of reasons that are beyond our analysis, but one seems clear: the disregard for his advice and guidance.  Once he felt that his expertise was not heeded, and saw the results of the inaction, he (in my opinion) felt that the leadership was not worthy of his support.  How many times in your company has a person come up with an idea that was later squashed, leading to that person offering no further ideas and maybe even leaving the company?  If you are a manager, you need to listen to all ideas even if you do not enact them.  In the computer age, with “over-access” to information becoming the rule rather than the exception, employees have more access than ever to personal and company information.  This could be catastrophic if the insider threat becomes a reality.  It is imperative that we make all employees feel that they are part of the solution, or they will become part of the problem.

Credit Card Chips Do Not Replace Common Sense

I heard for the 900th time today (that is a hyperbole, actually I heard it for the 800th time today) about how the credit card chips are such an improvement over the previous credit card swiping procedure.

The bottom line is that credit card chips do not replace common sense when it comes to credit cards (or debit cards).  Here are some basic tips that will help keep your credit cards safe (please pay attention to the first one):

  1. Check periodically to ensure you still have your credit card.  That means when you leave a restaurant, when you leave a gas station, when you leave anywhere you had to display or use the card and then (maybe, possibly) left it behind.  It is better to check one more time than to get all the way home and realize it is gone.
  2. For those who carry a purse, ensure the zippers are zipped, the clasps are clasped, and you hold the purse securely.  Be aware of where your purse (or wallet) is at all times.  Keep your wallet in your front pocket and your purse within sight.
  3. Check your credit card statement at least once weekly and mark any charge you do not immediately recognize.  If you do not check, small charges can build up; this “penny theft” is common in the credit card fraud business.  To avoid raising suspicion, thieves make small charges that look harmless (often to test whether a stolen card number is still live and whether anyone is watching) and, before you know it, they are stealing you blind.
  4. Credit card chips are NOT biometrics, so you still need to protect your credit card and your account.  That means a STRONG password on the on-line account that controls the card.  Once that account is compromised, your card is as worthless as the plastic it is printed on.
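Item 3 describes a check a person can do by eye; here is the same check written out as code, as an added example that is not part of the original post.  It uses past statements the cardholder has already reviewed as a baseline of familiar merchants, flags small charges at merchants never seen before, and groups those that arrive within a short window, the way a thief testing a stolen card number does.  The transactions are constructed sample data, and the thresholds (what counts as “small,” how close together charges must be) are assumptions to tune to your own spending.

```python
"""Worked example: flagging the "penny theft" pattern on a card statement.

Added example, not code from the original post.  A thief holding stolen card
details often starts with a few small charges to learn whether the card is
live and whether the owner is watching.  The check below takes the card
holder's past statements as a baseline of familiar merchants, flags small
charges at merchants never used before, and groups those that arrive in a
short burst.  Transactions are constructed sample data; the thresholds are
assumptions to tune, not values from the post.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Txn:
    when: date
    merchant: str
    amount: float  # dollars charged to the card


# Assumed thresholds (tune to your own spending).
SMALL_CHARGE_LIMIT = 5.00  # charges at or below this count as "small"
WINDOW_DAYS = 14           # unfamiliar small charges this close together form a burst
BURST_COUNT = 2            # this many in one window is worth a call to the bank

# Constructed baseline: charges from earlier statements the cardholder already reviewed.
HISTORY = [
    Txn(date(2016, 8, 2), "SUPERMART", 84.12),
    Txn(date(2016, 8, 9), "CORNER CAFE", 4.25),
    Txn(date(2016, 9, 1), "SUPERMART", 77.30),
    Txn(date(2016, 9, 15), "GAS N GO", 41.00),
]

# Constructed current statement.  The three sub-$3 charges in early October are the
# pattern to catch; the cafe charge is small but familiar, the hotel unfamiliar but large.
STATEMENT = [
    Txn(date(2016, 10, 1), "SUPERMART", 91.08),
    Txn(date(2016, 10, 2), "CORNER CAFE", 4.50),
    Txn(date(2016, 10, 3), "DIGITAL SVCS LLC", 0.99),
    Txn(date(2016, 10, 5), "ONLINE SUBSCR", 1.99),
    Txn(date(2016, 10, 9), "MUSIC APP", 2.49),
    Txn(date(2016, 10, 12), "GAS N GO", 38.55),
    Txn(date(2016, 10, 20), "LAKESIDE HOTEL", 150.00),
    Txn(date(2016, 11, 20), "WEB SERVICE", 3.00),
]


def known_merchants(history):
    """Merchants seen on statements the cardholder has already checked."""
    return {t.merchant for t in history}


def unfamiliar_small_charges(statement, known):
    """Small charges at merchants absent from the baseline, in statement order."""
    return [t for t in statement
            if t.amount <= SMALL_CHARGE_LIMIT and t.merchant not in known]


def flag_bursts(suspects):
    """Group suspect charges falling within WINDOW_DAYS of the first charge in the
    group; return only the groups holding at least BURST_COUNT charges."""
    ordered = sorted(suspects, key=lambda t: t.when)
    bursts, i = [], 0
    while i < len(ordered):
        j = i
        while j + 1 < len(ordered) and (ordered[j + 1].when - ordered[i].when).days <= WINDOW_DAYS:
            j += 1
        group = ordered[i:j + 1]
        if len(group) >= BURST_COUNT:
            bursts.append(group)
        i = j + 1
    return bursts


def review_statement(history, statement):
    """Run the check; returns the flagged charges, the bursts among them, and their total."""
    suspects = unfamiliar_small_charges(statement, known_merchants(history))
    return {
        "unfamiliar_small": suspects,
        "bursts": flag_bursts(suspects),
        "total_at_risk": round(sum(t.amount for t in suspects), 2),
    }


if __name__ == "__main__":
    result = review_statement(HISTORY, STATEMENT)
    for t in result["unfamiliar_small"]:
        print(f"{t.when}  {t.merchant:18s} ${t.amount:6.2f}  <- merchant not seen before")
    for group in result["bursts"]:
        print(f"{len(group)} unfamiliar small charges within {WINDOW_DAYS} days of {group[0].when}: call the bank")
    print(f"unrecognised small charges total ${result['total_at_risk']:.2f}")
```

The rule is deliberately simple: it catches the three October test charges, ignores the familiar cafe, and does not bother with the $150 hotel charge, which you would notice on your own.  A real statement prints merchant names inconsistently (“SUPERMART #1234” one month, “SUPERMART” the next), so a version you actually ran weekly would normalize the names before comparing; the point the item makes still stands, which is that someone has to look at the list.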

Are these exhaustive hints?  Absolutely not!  They are just prompts so that people understand that chips don’t protect your card as well as YOU can protect it.  What the chips do is reduce counterfeiting of the physical card at the point of sale; they do nothing for purchases made with the card number alone (online or by phone), and they are not an assurance that your card is protected.  My main goal in all cybersecurity is for people to understand that the USER is the center of cybersecurity assurance, not technology.  Technology does not mean you can be complacent or transfer responsibility or accountability.  It is up to you to maintain security on your personal accounts, and this includes credit cards.

Okay, so now people are saying that biometrics are coming to credit cards and that will solve the problem of credit card theft.  But it is already known that hand lotions interfere with fingerprint readers, so what happens if you apply your antibacterial lotion before using the biometric?  Chances are you will not get that charge to go through.  Even the most secure technological innovation is sometimes defeated by the simplest method.  In the Vietnam War, one of our most advanced jets (supersonic, terrain-following radar, variable-geometry wings, etc.) was reportedly brought down by cheap weather balloons and wires.  The same is true of the technology of today.  In the Star Trek movie “The Search for Spock,” Mr. Scott said (after he had completely disabled another starship), “The more they overthink the plumbing, the easier it is to stop up the drain.”  Something to note for the future.

Are Insider Threats caused by Bad Management?

As a manager in a variety of workplace settings, including the military, public service, private industry, and academia, I know how management philosophy and its application can affect the workforce for both good and ill.  Many bad managers are bullies, forcing their staff to perform unnecessary or repetitive work in order to exert control.  Most employees just take this abuse, or else look for employment elsewhere.  But what if those employees were not malicious, but simply made human errors as a result of a work environment in which they were stressed and overworked?

I did some preliminary research on this subject and found a great article on the human factor in critical infrastructure security by Ayhan Gucuyener on LinkedIn (https://www.linkedin.com/pulse/human-factor-critical-infrastructure-security-insider-ayhan-gucuyener).  In this article, Ms. Gucuyener presents research data from several sources, including Carnegie Mellon University and the Department of Homeland Security, on why individuals become an insider threat and what positions they hold at the time they commit the act.  The results are relatively predictable: the majority of individuals commit the act for financial gain, and the positions they hold are usually in the IT area of the company.  The recommendations she gives are also very good, focusing on the Human Resources side of the company in the form of hiring practices and various security controls.

What does this have to do with line management responsibility?  Everything!  I realize that Human Resources is the first line of defense when it comes to the insider threat, but management is the consistent line of defense for employees once they enter the workforce.  I say that from decades of experience.  I know first hand what bad management can do to the workforce and how that workforce can strike back in ways that are both subtle and effective.  At several times in my management career I was a bad manager, expecting more than was reasonable and demanding results no matter what the cost.  The way my workforce struck back was relatively low tech: following instructions to the letter, ensuring my documentation on tasks was thrown back in my face in a very respectful manner, and basic stalling, using my own words and tasking against me.  As a workforce member with a bad manager, I did the same thing.  In a highly bureaucratic organization this is done more than you think, and it goes unpunished, since the manager sets themselves up for the fall.  Of course, by setting unreasonable goals I also placed my staff under stress; wanting to satisfy my demands, they spent more time in the office to do so, resulting in fatigue and more human error.  So, the conclusion is that you already have insider threats existing in the organization, and now they have the technology not only to put a wrench in the works, but to do so with a machine’s ability to perform tasks in nanoseconds.

I was also in IT as a systems administrator and can tell you that systems administrators have the ability to place little bugs in the system that may not be found for months, and in the meantime spread poison throughout the system.  Even when the mistake is not intentional, an IT systems administrator has great impact on the computer environment and as much impact on the security of that environment.  I see through some of my research that people do not always become an insider threat because they are being malicious.  A study completed by Carnegie Mellon University for the Department of Homeland Security in 2013 called “Unintentional Insider Threats” (http://www.sei.cmu.edu/reports/13tn022.pdf) notes that there are instances when an insider threat is not done out of retribution but is unintentional, because of fatigue, the incidental use of drugs or hormones, along with other factors.  On page 42 of this report, one of the main recommendations for mitigating these unintentional insider threats (or UIT, as in the report) is focused on “human error.”

“Human error plays a significant role in UIT. Countermeasures and mitigations to decrease UIT incidents should include strategies for improving and maintaining productive work environments, healthy security cultures, and human factors for increased usability of security tools to decrease the likelihood of human errors that lead to UIT incidents.” (page 42 of the report)

Human error in this case is associated with work environments, of which the manager is the lead observer.  I postulate that trust is a major factor between the workforce and the manager, so if the trust is absent, so is the observation of the environment.  One real-life example of this was when I was a manager of IT project managers.  Because of the trust I kept with that workforce, my staff brought problems to me before those problems became disasters.  It also helped that I did not punish them for mistakes, which helped keep that trust relationship solid.  Human error is not something we can eliminate, but it is something we can control through good communication and trust relationships, all an essential part of good management.

More articles on this in the future.  A quick note to the managers out there:  read my book “L.O.V.E. is the Answer,” available through http://www.lulu.com.  It gives you some basic essentials for how to treat your staff and make you a better manager and person.