Cybersecurity: Navigating the Maze

Do you think you can find your way through a maze?

Take a look at the maze below. See if you can find the way through it.

 

picture of maze to solve with pencil

Perhaps you think it’s easy. It’s really not too difficult. But there’s only one way through it.

“Hold on there!” you say. You probably think there’s more than one way.

Really? You missed something the first time you looked.

Cybercriminals… Where to Find Them & How to Avoid Them

In my last post, I described the cybercrime “marketplace” where criminals can:

*   Find the resources they need

*   Find other criminals who will provide the specialized services they need

*   Find other criminals to work with as they engage in their criminal activities

In this post, I want to talk about cybercrime from a different angle.

But first, let’s talk about what YOU do.

If you are looking for something, what do you do?

Cybercrime Today

In my last post, I painted a picture of a hacker that discovered his victim would be on vacation. He then shared that information with someone who breaks into houses. I also suggested that he might have an ongoing arrangement with that burglar, for their mutual benefit.

Perhaps some of you thought, “There he goes again… getting carried away and making up stories. Sure, it COULD happen, but how likely is that?”

So, today, I want to talk about how cybercrime REALLY works.

I sent an invitation to the guy that robbed me!

Computers and technology have provided some wonderful improvements to many areas of our lives. But, as we become comfortable with them, we sometimes “lose” common sense. Other times, we simply don’t think about the consequences of our actions.

E-mail makes it easy to communicate. Before e-mail, we could make a phone call. But, if it were the middle of the night, we might need to wait until morning. Or, if the person didn’t answer, we had to leave a message (if they had an answering machine) or call back later. Now, we can just prepare an e-mail and hit “send.”

Some time after e-mail was developed, e-mail programs began to add the possibility of sending an automatic reply. That is convenient if you are out of the office for a couple of days. Just set up an automatic response that says, “I will be out of the office until Monday.” Then the person sending the e-mail won’t be upset if we don’t reply quickly enough. Perhaps we see someone else do that and we think, “I should do that, too.” In this way, we can enhance our responsiveness. However, we may not think about the implications if we do.

Airport Shooting & Safety Online

Again last week, a gunman opened fire upon a crowd of people, this time in an airport. You probably heard about it. He had flown in from Alaska. He had checked his luggage, which had a gun in it. Upon retrieving his luggage, he removed the gun and began firing. Several people died, more were wounded.

image of luggage carousel at airport

I was a bit surprised that he could have done this because I didn’t realize that it was possible to ship guns in luggage that you could retrieve upon landing. I then wondered if the powers that be would now pass regulations that forbid the transport of weapons in any luggage. But then, even if they were to do that, there are other kinds of weapons such a person could use, and someone could also cause harm without any weapons.

 

Later, I realized that, since the baggage area is outside the security zone, this could happen another way. Anybody could drive up to the drop-off or pick-up area with a weapon, enter the building, and begin shooting. That could take place outside, in the baggage or ticketing areas, or anywhere that is accessible without passing through the security screening centers.

To prevent that, one would have to have security at every entrance. Can you imagine everybody that arrives on airport property going through security scanning? The cost would be tremendous, the delays would be outrageous. The flow of movement would be severely restricted. Who would pay for all that? We would, of course, through taxes and/or higher ticket prices, or access fees to enter airport property.

Even that wouldn’t prevent problems. Weapons that don’t show up on security scanners would still get through. Items that are allowed, like ball-point pens, would be allowed through. A pen or pencil could be a weapon, although that would be more of a close range attack and would be against one victim at a time, even if it affected many people in succession. And someone trained in combat skills (the perpetrator in this instance was trained in combat skills) could do a lot of damage without a weapon.

 

So, do we begin to treat airports like federal buildings? We screen for weapons at federal courthouses and at the social security office. However, we don’t do that kind of screening at pseudo-government offices like post offices. Should we?

Some might say we should. But the cost alone would be enormous, to say nothing of the negative impact upon our access to the services we need (buying stamps, mailing packages…. or flying to our destination).

What about when we go to the grocery store or the mall? Should we be required to go through a security screening post when we go to buy milk? Or gas? Or when we walk into a bookstore, or when we buy a gift for a baby shower?

Maybe we should put law enforcement on every block and screen people who are out walking their dog? That way, we would be safer! At least the 80-year-old who is trying to maintain their mobility by walking around the block can’t gun us down. Maybe we need to screen all the cars turning onto our street so they can’t execute a drive-by shooting.

image of vehicle checkpoint guarding entrance of residential street

Am I getting carried away?

My point is that we can’t prevent bad things like this from happening, much as we might like to. If we try to enforce safety to the maximum extent possible, we would end up in a world that few of us would want. Novels have been written about that: 1984; Brave New World; and more recently, the Divergent trilogy. Even in those novels, there were people that didn’t conform and actions were necessary to prevent their “unlawful activity.” Even if we did have such a world, there would still be incidents! But the consequences of trying to achieve that “safety” would destroy our freedom.

One thing I know is that we can’t regulate the world into a place where these kinds of incidents CANNOT happen. I’m not saying we shouldn’t do anything. But we do seem to like making rules without considering the less obvious consequences, and we often don’t like the consequences. Even then, when we do make rules, incidents still happen. They will as long as people get angry and act on that anger, as long as people are greedy, and even when people just feel threatened. We can work on learning to behave better, but even if EVERYBODY went through training programs to improve their behavior, we would still have problems.

 

Let’s apply this to online security. I hope I’ve made my point that we can’t prevent bad incidents from occurring in the real world. We can’t prevent bad incidents in the cyber world either.

When we hear about a virus or some other malware that is attacking computers, we think we need some reliable way to stop it.

When we hear about a hacker, we think we need to catch them and lock them up.

When we hear about a breach of personal information, we want that company held accountable.

Here’s my message: We can’t stop these things from happening.

To do so, the world we would create would be one we wouldn’t accept.

Imagine a world where:
*   You can no longer post pictures online because they could contain malware or could contain “information” that should not be published
*   You can no longer share videos
*   Web sites are just text, like a college textbook without pictures
*   Your computer no longer goes to many of the web sites you like to go to; those sites are blocked because someone could use that site to attack you. (No more CNN, no more weather, no more Facebook, Pinterest, etc.)
*   Your e-mails are returned undeliverable and the e-mail from your friends doesn’t reach you (because someone else who uses the same service as your friends: hotmail, gmail, etc., broke the rules and sent bad e-mails and now that e-mail provider is blacklisted)

And the list could go on and on.

We can’t prevent the things we don’t want unless we make it impossible to do the things we do want.

 

Regulation won’t solve the problem. Regulation has the following results:

*   The worst offenders will ignore the regulations.

*   In many cases, regulations make it harder for honest people to operate. (That’s one of the reasons I don’t currently allow comments on my blog. If someone were to make a “bad” comment, to protect myself from liability I have to meet the requirements of regulations. Those regulations have financial and filing requirements, in addition to the measures that I would naturally take without any regulations.)

*   Regulation can’t stop attacks and breaches. It can only provide an incentive to people to do something about them.

Most companies would love to do something about them. However, a checklist of steps to take won’t assure you won’t be attacked or have customer data stolen. A checklist can help, but attacks will still be successful and data breaches will still occur. Trying to solve the problem by rules and regulations would be like making it illegal for you to ever make a mistake about anything:

New Federal Law: “From now on, you aren’t allowed to forget things and you aren’t allowed to make mistakes. Penalties for violation: $1000 fine per occurrence; imprisonment after three strikes.”

Most people would love to stop forgetting things and making mistakes. It’s just not possible. Solving security problems is much like trying to prevent mistakes or natural disasters.

 

The real solution is to:
*   Take appropriate measures to make it harder for those bad things to occur
*   Learn the warning signs and respond to them, which might keep us out of the line of fire when they occur
*   Realize that bad things will still occur despite all efforts
*   Have plans of what to do if we do find ourselves in a problem situation and what to do to reduce the damage if something bad does happen (e.g., wear bulletproof vests for an active shooter scenario; have data backups in case of a ransomware attack)

We may have limited options in an active shooter situation. We have better chances of preparation for a cyber scenario.

Doing these things won’t prevent bad things from happening. What it can do is reduce the frequency of occurrences, and reduce the severity of the impact when they do occur.

image of lightbulb indicating bright idea, with four bullet points from The Real Solution list above

 

 

Uh-oh! That wasn’t expected!

When I was a kid, there was a short period of time that I thought I wanted to be a mailman when I grew up. I followed the mailman throughout the neighborhood as he delivered mail. At one point, I thought I was going to help the homeowners and let them know the mail had arrived. So I rang the doorbell when the postman left the mail in the box. I was quickly instructed not to do that anymore!

I don’t remember exactly how long that phase lasted. Probably not very long.

 

In later years, I had a “job” delivering the weekly advertising supplement to a neighborhood in the community. That was hard work. They would deliver a large bundle of the advertising pamphlet, called Penny Power, to my doorstep. They also had stacks of supplemental ads and plastic bags. First, I had to put one of each of the many advertising flyers together with each Penny Power. Then, I had to fold each Penny Power and the associated flyers and place them in a plastic bag. That would take more than a couple hours. Then, I had to go to my territory, walk up to each porch, and deliver a bag of advertising goodies onto it. Then proceed to the next house. And the next. And the next. Until I had delivered several hundred Penny Powers with the additional advertising flyers stuffed into their respective plastic bags.

That was a heavy bundle to carry, a lot of walking, a lot of time, for a little income. Let me emphasize the word “little.” There was a lot of turnover in that job. I found out why!

 

I don’t see too many mail carriers delivering mail to the front doors of houses on their routes these days. Perhaps it is just the communities I have lived in recently. What I typically see instead is a mailbox on the street. The mail carrier delivers the mail from their vehicle. In some cases, all the mailboxes for a community (or apartment complex) are located in one central location and the residents have to go to that location to get their mail.

But I do remember the days of walking with the postman to each door.

 

Some of the houses had a very handy arrangement for the homeowner. A mailslot in their door! They didn’t have to go outside to get their mail. The mail carrier just slipped it through the slot and it fell inside the house, just inside the door! What a marvelous invention!

Usually.

But then, there are the neighborhood mischief makers. Typically, they would run up to the house, ring the doorbell, and run away. On Halloween, they might “egg” a house. What if one of them had gotten the idea of putting rotten eggs through the mailslots? Not a pleasant thought. Eww!

image of Rotten Eggs

How would you stop that? You could lock the screen door so they can’t put the eggs through the slot anymore. But then the postal carrier couldn’t deliver your mail. If you want your mail, you need to allow the possibility that the kids can push rotten eggs into your house.

Or, you could put up a mailbox outside your door and lock your door. Now the kids can’t use your mailslot anymore. Neither can the postal carrier. Hopefully, it won’t be so much fun for the kids to put rotten eggs in your mailbox and they will stop.

But now, the marvelous invention of the mailslot is no longer of any use to you. It has become a liability. You also had the extra expense and effort of putting up a mailbox outside your house. And you now have to open the door to get your mail. Not a lot of extra effort. But, on a freezing cold day, it’s not as nice as having it dropped inside your door. And you may need to fix your hair or put on an extra layer of clothing before getting the mail. You don’t want to get caught looking too “unkempt” by a neighbor walking by as you step briefly out the front door.

 

Wait a minute! I thought this was supposed to be about keeping safe online!

OK, here goes…..

Our computer has a lot of “mailslots” in it.

What I am referring to as “mailslots” are useful bits of computer programming that do cool things that we like. They make it easy for us to do what we want to do. Some may automatically show us a preview of files when we hold the mouse over them, such as showing us a picture preview. Some automatically check our e-mail every 10 minutes. Others ring a bell, play a few notes, or say “You’ve got mail!” when a new e-mail arrives. Some automatically save our progress when we are typing a letter, just in case we forget to save it.

image of e-mail delivery with bell to notify and words You've Got Mail!

When it comes to the Internet, some of those “mailslots” display pictures. If they didn’t, every time there was a picture, we would have to:
* Tell the computer to go out and “download” the picture.
* Then we would have to open a special program that views pictures. We would need to make sure we got the correct program for the type of picture we wanted to view. (There are several different “types” of pictures that get displayed on web pages, each with a different file extension, or “format.”)
* Then, once you opened the picture-viewing program, you would need to find the picture you downloaded and open it.
* Next, if you didn’t want to keep it, you would need to open another program that lets you work with files.
* Finally, you would need to find that picture you downloaded and delete it.

A lot of work! And you’d have to repeat that process for EACH and EVERY picture you wanted to see. Many of those pictures wouldn’t be of any interest to you, certainly not worth all that work.

But, we don’t have to do all that work. Instead, our web browser (Internet Explorer, Safari, Chrome, Firefox, etc.) automatically displays these pictures for us. This is really useful. It enhances our experience. We can enjoy surfing the web instead of getting hung up on the mechanics of how the computer is really doing all that extra work for us. Technology is great! Until it isn’t. Until someone sticks rotten eggs through our mailslots.

And therein lies the problem. If we want our mail delivered inside our house, we have to face the risk that someone might deliver rotten eggs. If we want the convenience of “easy” and of a “rich, enjoyable experience,” we have to face the possibility someone might find a way to use those “mailslots” (useful programs) to deliver unwanted material or experiences. Those “rotten eggs” could be viruses. They could steal our information. Or they could hold our computers or information hostage, for ransom. (See my recent posts on ransomware.)

If we were to make our computers so the mischief-makers CAN’T do this undesirable stuff, we would end up with a computer that doesn’t do what we want it to. But, with computers, instead of just having to open the door to get our mail, we would have to go through ALL the above steps (and some that I haven’t even mentioned) just to see whether a picture on that web page is even one we might want to see. And, to view that web page in the first place, there could be a whole lot of additional steps involved. Most people would revolt.

 

So, what are these “rotten eggs”? They could be any way that an attacker can utilize some desirable feature built into our computers and use them to do something we don’t want them to do.

As an example, let’s continue with the picture-viewing discussion above. In 2004, it was discovered that there was a problem with the way Windows processed pictures so that you could view them. If someone sent you a bad picture (that is, one that someone with bad intentions had created) it could crash your program or even, in some circumstances, compromise your computer. That particular issue was fixed, but only if you updated your computer with the proper security updates.

However, that isn’t the only time that Windows has had problems with displaying pictures. As recently as May 2016, Microsoft released a security bulletin revealing that there were FIVE different vulnerabilities related to displaying images that had been recently discovered. In some cases, sensitive information could be released to the attacker. In other cases, the attacker could compromise your computer. And for this to happen, all you would need to do is visit a web page that had a “bad” picture on it. That could even be a seemingly innocuous picture on a web page that is usually considered to be on a “safe” or “trusted” site.

image of Cartoon-like Bomb Wearing a Silly Face Mask for Disguise

When this happens, Microsoft (and many other vendors) usually try to fix the problems as soon as possible (though some companies don’t). In some cases, it may take a while to fix the problem. Once they do, the “fix” needs to be applied to your computer. For Microsoft, if you have “automatic updates” turned on, this SHOULD happen automatically (although, from experience, I can tell you that these updates sometimes fail). For other companies, you may have to apply the updates yourself. And, there are problems out there that haven’t been discovered yet. What if the bad guys find them and take advantage of them before the good guys find them and fix them? It happens all the time.

What this means is, if we want to be able to see pictures on our computers, including when we visit a web page, we will be subject to the risk that our computer can be compromised.

 

It doesn’t stop at pictures. In 2016, Microsoft issued 155 security bulletins. Some of these advised of multiple issues. Many of them were critical.

It isn’t just Microsoft. All software is potentially subject to vulnerabilities. Microsoft’s programs are so powerful and so complex, there are a lot of pieces of programming code in which unexpected and unforeseen issues can be found. And Microsoft’s software is popular, so the bad guys go looking for problems to take advantage of. (There are also a lot of good guys looking for the problems, so they can be fixed before the bad guys find them. That’s another reason so many security bulletins are issued.)

Other companies may have fewer issues. Some of that is because they are “smaller” and less “complex.” Some of that is because they are not as popular. But some of that is because they are not responding to issues and fixing them, or telling us about them.

ALL software has the potential to have these kinds of issues. (Mac and Linux users included. Yes, these systems have their issues as well, despite some people’s claims to the contrary.)

 

So, where does that leave us? Do we choose to lock the door so the mischief-makers can’t put rotten eggs in our mailslots? When it comes to computers, that would mean turning our computer off and leaving it off. There isn’t a way to escape these risks if we use our computers.

There are two things we can do.

First, we can keep informed of what the risks are and how to take appropriate measures to REDUCE those risks (we can’t eliminate them completely).

Secondly, we need to recognize there is still the possibility that we can be affected by the threats. Our best response to that is to take other measures to protect ourselves against the damage that could be caused if a threat does affect us. (This would be like installing a sprinkler system to put out a fire. Damage is still done, both by the fire and by the water from the sprinklers, but not as much damage as if there were no sprinkler system to put out the fire.)

My blog is a start towards taking those two steps. This year, I will be providing additional options to go further with those steps. Stay tuned.

In the meantime, if you recognize that there is always risk, first be thankful that we have as few problems as we do. Then, use your computer with the knowledge that 100% safety is not an option and that it is up to you to do the best you can to escape as many of the potential problems as possible. Again, that comes down to learning what you can do (and then acting on that knowledge).

Implementation

Today, I want to review another theme that we saw in several of the tips from last month. That is the idea that a good security solution can be “broken” if it is implemented poorly.

Let me give an example that will illustrate the idea of implementation.

A traffic light can be an effective method of controlling traffic and avoiding accidents at the intersection of two busy streets. However, implementation is important.

An example of poor implementation would be if the light were green at the same time in all four directions. Fortunately, traffic lights are implemented to stop traffic on one road before traffic is permitted to flow on the other.

Another example of poor implementation would be if one of the signal lights were positioned behind a sign or a tree branch, so that the oncoming driver has no way of seeing the signal until he is far too close to be able to stop. A city official might conceivably argue that people should slow down so that they can stop in time if the signal happens to be red. But, knowing that a lot of people won’t, that argument would be flawed. Those responsible for traffic lights need to make sure the signals are visible from a sufficient distance to allow drivers to respond safely.

A good solution needs good implementation or it becomes a poor solution.

 

Problems with implementation occur repeatedly in security. Some of the places we saw it last month include:

*   The “chip” credit cards. The use of the chip could result in a lot better protection than it does in the U.S. By allowing the customer to still swipe the card or, with many of the cards, allowing the use of a signature instead of depending upon the chip, security is weakened. Although we discussed that the European version still allows for fraud to occur, the American version is far weaker.

*   The banks’ handling of security questions to verify identity, using information that is not that difficult to obtain.

*   WiFi security, both public and at home

*   Backups, which even the technology experts at well-funded organizations get wrong on a regular basis

Implementation failures occur in at least three areas:

1) When the solution is being developed. The manufacturer of the equipment, the programmer of the software, and/or the creator of the solution may try to incorporate a good security idea in a way that weakens it or renders it ineffective. Or they could fail to take into account factors that are important for it to be effective.

2) When the solution is put into place. This could be when someone installs software on their computer or when they set up equipment. An example would be failing to change the password that comes with a new baby monitor, or using a weak password, or not having any password at all.

3) When the solution is being used. An example would be writing the password on a piece of paper and attaching it to the computer screen. Or having an alarm system for your home, but forgetting to turn it on when you leave the house.

All these kinds of failures can occur from a variety of causes, including:
*   Lack of knowledge
*   Carelessness
*   Human error
*   Inadequate planning
*   Impatience

Certainly that is not a complete list of causes.

In addition, failures can occur as the result of the difficulty of trying to address a complex situation or one that changes. That especially applies to security, a situation which is magnified by the common causes listed above.

 

Here are some thoughts on each of the stages where these kinds of problems can occur, and an approach to deal with them.

1) In the development of the solution. The consumer doesn’t have much direct control over how the manufacturer or designer creates the product. However, they can ask questions before buying, they can consider security as an important factor in their choice of which brand and model they purchase, and they can provide feedback to the manufacturer that security is important to them.

We have seen “fast food” establishments offer “healthier” choices as a result of public sentiment. If manufacturers and programmers know that the buyer will go somewhere else if the products don’t adequately address security concerns, they may begin to do a better job in the design of the products. In the meantime, by considering security and asking questions before purchasing (or having someone knowledgeable help in the purchase decision), the consumer can end up with a better choice from the selection of products available.

 

2) In the installation. By becoming aware of what is involved, the consumer can reduce the chances of making mistakes during installation. This may mean reading the directions, doing research, or simply asking questions of someone who knows what is involved.

Most people wouldn’t install a new furnace by themselves but would ask an expert. They would, however, install a new toaster (“just plug it in”) all by themselves. With computers, the installation issue can be tricky. Systems can be made relatively easy to install and seem more like installing a toaster. However, some security solutions address complex issues and installation may require “furnace” expertise even though it seems as simple as a toaster installation. Encryption solutions are one example of complex issues requiring precise implementation. Even though the encryption software may be simple to install, the “other factors” are extremely important. Ignoring those other factors results in a “broken” solution.

The answer to this does not require becoming an expert. However, it does require an awareness of which solutions require the greater level of expertise. Then, one can seek help when appropriate.

 

3) Use of the solution.
Knowing what things you need to watch out for (the threats and risks) and what things you need to do or avoid doing (practices) will help you avoid the most common mistakes made. There is always the possibility of making a mistake, no matter how much knowledge one acquires. However, awareness of the issues goes a very long way towards avoiding the most common problems.

 

There are two main concepts I would like you to take away from today’s discussion:

* First, when someone makes claims about how good the security in their technology or solution is, remember that the way they implement it makes all the difference. They may say their product uses “state-of-the-art encryption” (or use some technical terms describing the type of encryption they use). They may say they use “two-factor authentication.” They may throw around words like “heuristics” or “adaptive technology” or some other impressive sounding terms.

When these claims are made, remember that no matter how good the claim of their technology sounds, it can be seriously flawed if it hasn’t been implemented well. That happens frequently. There are products and solutions that are well-designed and the claims being made are valid. I just want you to recognize that a really good-sounding claim using all the right words may end up being a flawed solution. Don’t be seduced by their claim just because it sounds good. (Reviewing third-party evaluations; getting opinions from informed parties and/or experts; asking questions; etc. are ways to address this.)

 

* Secondly, what YOU do with a product or other solution, both in setting it up and also in using it, makes a significant difference in whether or not it provides the desired results. The key to this is learning what is necessary to set up and to use it correctly. Whether you learn this by reading the directions and doing some additional research, or asking someone knowledgeable, or possibly “both of the above,” remaining secure requires you to be an active participant so you don’t end up “breaking” an otherwise good solution.

The other part of your involvement in the equation is to become aware of:
   a) The risks and threats that you face
   b) The options you have to address those risks
   c) The pros and cons of the “solutions” that you have available to you

One additional element would be helpful to know:
   d) A framework to make good choices in the complex environment of the many threats and issues and with the myriad of solutions to address them.

If you know “All of the above” (a, b, c, and d), you will be in a position to navigate the minefield and come out in one piece. Stick around and you will find all of that available, although it will take some time. When I say “some time,” I really mean a “little bit” of time on an ongoing basis as you learn a little bit now and a little bit more later.

The Security Solution

One common misconception about security is that you go out and buy a security program and install it on your computer, and that the security software will keep you safe. It would be really nice if that was all that was necessary. But security is a lot more than just installing a security program.

As we saw through the month of October with the 31 security “tips,” security involves a lot more than something a single piece of software can address. Security software is an important part of the solution. But it is nowhere near sufficient to keep you safe.

Some of the things we talked about during National Cyber Security Awareness Month were:

* Misleading promises made by marketers (some of them fully believe they can deliver on those promises but don’t realize there are limitations)

* Power failures and lightning strikes (that can destroy data and/or equipment)

* Common human error (forgetting to save a file, deleting something)

* Criminals (who have added the use of computers and electronic communications to their arsenal in order to steal, extort, commit fraud, and ….)

* Features that enable ease of use and automation also result in additional risks. Lowering the risks may result in less convenience. Some people will find loss of convenience unacceptable.

* Security solutions that sound good but overlook important factors and don’t fully address the risks (e.g., the new chip credit cards; “remote wipe”).

* Sometimes, security is sacrificed in favor of profitability (app builders).

Many of these are not the kinds of things that security software can address. Some of these can be addressed by security software but humans who own the systems will find a way around them, often for the sake of convenience. In addition, criminals on a mission to conduct their crime will find a way around them. For a considerable number of reasons, security software is only part of the solution.

One of the main points I want you to take away from last month’s posts (in addition to learning a few specific things) is that keeping safe means you will need to become more aware and continue to learn more over the years. I am not suggesting you become an “expert.” Nor am I suggesting you undertake an extensive study in the field of security. For anyone who wishes to do that, great! I would be happy to discuss that with you.

However, for all the rest of you, I want you to learn a little bit at a time on an ongoing basis. I will be offering a way to do that which will be inexpensive, easy, and (hopefully) may even be fun at times. But, whether or not you learn from me, I want you to learn from somebody.

Again, security has no “silver bullet.” There is no single solution. There is no solution that will be able to address all you need to know and to do in order to remain safe, apart from the ongoing process of keeping up with the changing security environment. As we have seen, some of those threats extend beyond the cyber world into the real world and may affect your health and safety.

If we want to be informed about world events, we don’t watch the news for one day and then decide that we know all there is to know from then on. If you want to be informed of world events, you watch the news, or read the paper, or follow it online, on an ongoing basis. In the world of security, the world of threats and what we need to know to keep safe continue to evolve, and the same ongoing process is required. That is the closest solution we have to remaining safe.

Without this knowledge, more than likely, most of us will be lucky a lot of the time. But, it only takes one time to make you wish you’d taken it more seriously. Maybe it would be loss of data, maybe identity theft, or maybe just the cost and inconvenience of not being able to use your computer until it gets fixed or replaced. Don’t forget that, for a great many people, their computer will be compromised and will be used to attack other people or carry out other criminal activities, without them ever finding out that they are enabling these activities to occur by remaining unaware.

So, the first “theme” I want you to take away from the past month’s tips is that security has a lot of pieces and that a lot of remaining safe depends upon you learning more about it.

If I needed to boil it all down into one word, that word would be

“AWARENESS”

That is what I wish for you.

Ghost Stories & the Virtual-Real World Connection

Many years ago, I watched a movie that was really scary. I don’t usually watch horror movies, but somehow I came across it without knowing what it was. I couldn’t turn it off. It took place in a remote wooded area. I think it may have been titled “Claws.” The main characters were in conflict with a bear and, as the movie progressed, one wondered if the bear might be supernatural and unable to be killed. I remember trying to go to sleep afterwards and talking to myself about how the bear wasn’t real, it was just a movie. It was all make believe and I was actually safe. It wasn’t really going to come and get me as I lay in my bed with the lights out.

Perhaps you’ve been at camp. Camp is good for “ghost stories” and the like. One year in grade school our class went on a field trip for a couple of days. It was in a secluded area and we had “nature classes” during the day. We went out in the field and saw the different kinds of long grasses that grew in this natural habitat.

At night, as we lay in our bunks, someone told a “ghost story.” It was about some unsavory character that lived in the woods. I don’t remember the story but it was one of those designed to scare the young kids and make them terrified to go to sleep. Even if you knew it was just a story to scare us, lying there in the dark it was easy to wonder if maybe it just might be true. It’s not real… it’s just a story…. isn’t it? I hope it’s just a story. But, maybe…. What if he’s really out there?

 

OK. So, let’s talk about cyberspace. What is cyberspace, anyway? It’s all just “virtual,” isn’t it? Just computer stuff. Not really the real world. It’s all inside computers and what’s inside the computers can’t really “reach out and touch” the real world, can it? I mean, it’s kind of like television. It’s behind the screen and it’s different from the world we live in. Isn’t it?

But, what if it’s not just “virtual”? Could it really be real?

 

Twenty years ago it would have been easier to say that the “virtual world” is not connected to the physical world. But today, so much of our world is connected through computers. Traffic signals can be controlled by computers that monitor traffic flow. Our telecommunications systems are computerized systems, so our phone calls, e-mail, text, and any other communication that isn’t face-to-face relies on computers.

Our water and wastewater systems are controlled by systems that can be accessed over the Internet. Many industrial control systems are also accessible through the Internet or through Internet-connected systems. So, the systems that control water processing and distribution and also other essential systems have a connection to the “virtual” world.

In “Daily Tip 31” (the extended tip version), I told of how a hacker had taken down a state-wide emergency response system (911 service) toward the end of last month. I didn’t provide many details, but he did this using a “botnet” where he controlled about 6000 smartphones to launch an attack. This is an instance where the virtual world “reaches out and touches” the real world, and disables critical functions. This kind of “virtual” world activity can actually threaten our life and safety in the physical world.

 

What about the information we share that resides on computers in doctors’ offices, labs, and hospitals? What if someone were to “alter” that information? Suppose they changed your drug allergy information. The next time you visit the doctor’s office, if your allergy information has been altered, could the doctor perhaps prescribe some medication that you are allergic to? If it’s a medication that results in a serious reaction, that change in your information could result in death. They often review your allergies when you are in the office, but are mistakes ever made? Are all recommended procedures always followed?

 

Just in the normal course of events, I regularly find that some of the information about the medications I take, which were reviewed each of the last several times I went to my doctor’s offices, is “missing” from the records. They have to update it every time. It’s not a matter of verifying it; it isn’t showing up in the records.

I have also had a doctor prescribe a medication to me that I cannot take (not an allergy but an extreme sensitivity). I had just told him that I couldn’t take certain medications. One of the components in the medicine he prescribed was the drug that I had just told him I couldn’t take. The result was really bad pain. When I researched it after the attack of pain, I discovered his error. Fortunately, it wasn’t a severe allergy.

If doctors and medical offices have these kinds of troubles with keeping information accurate or with prescribing medications when the information they receive is correct, think of the results if the records were altered by someone else. Can we really continue to think, “But that’s just the ‘virtual’ world. That doesn’t affect our real lives, does it?” Think again.

 

As a final example, consider your bank account. It’s all numbers inside a computer. The number of the account, your social security number, the numbers for the dates and amount of transactions, the number showing your balance. What if someone messes with those numbers? Suppose they alter the amount of your paycheck and the numbers showing how much money you have in the bank? Do you think that affects your REAL life? You bet it does. If your money is all gone, and you can’t pay your bills, how long before you run out of food, before your water and electricity are disconnected, and other consequences occur? Hopefully, you could get that corrected in time. But, if all your credit cards were unusable and your bank accounts had zero balances, how long before it would impact your “REAL LIFE”?

 

Why am I saying this? Why am I painting these images of bad things that could happen?

It’s not to scare you. I am trying to make a point.

 

It’s easy to think of protecting our information as being something “in the computer,” much like the movie we watch is “in the TV,” or the ghost story we hear as being “in our imagination.”

It’s easy to say, “Yes, there may be threats out there, but why should I worry about those. After all, that’s only computer stuff. I live in the real world and that computer stuff isn’t going to affect my real world life.” But, unlike the movies and the ghost stories, a lot of what happens “in the computer world” can actually have an impact on our physical world and our real lives.

So, when I talk about protecting yourself and your information, that really does mean protecting yourself. Not just in a metaphorical way, but in a real-life physical way.

We may not always see the impact on our lives from any particular “threat” or the benefit of any specific “security measure” that may be recommended. But, just because it may not be obvious, I want you to realize that these are not just theoretical ideas. The decisions we make really can make a difference in our REAL world.

 

Some of you may say, “But I don’t have any information on my computer that would affect my real life. I don’t do anything financial online, I don’t store any personal information. I just use e-mail and surf the web. How can that affect my personal life?”

Although, at first glance, that may appear to be a reason to not take the concern for security seriously, I want to remind you about the way the 911 emergency services were taken offline last month. Consumers’ smartphones were used to attack the system.

If you don’t secure your system, your system can be compromised without you ever knowing it. Then, it can be used to attack banking, medical, utility, and emergency services, as well as other consumers. In other words, your unsecured computer can be used to attack systems that you rely upon for your personal, financial, and physical well-being.

The more we protect our systems, even when we don’t have “anything of importance” on them, the harder we make it for attackers to attack the systems that we really do care about, the ones that contain our financial and health information, and the ones that keep our communities safe.