Cyber Security Awareness

If you know much about cyber security, then you know that hacking isn’t as exciting a subject as movies and television make it out to be. Most “hackers” are just guessing passwords or stealing credit cards. But, now and then, along comes a news story about hacking that can actually hold your attention. Here are some interesting high-profile cases in recent headlines:

British Agency Can Hack Any Phone With A Text

Whistleblower Edward Snowden has reported that British Intelligence Agency GCHQ can now hack smartphones by simply sending a text message to the phone. According to reports, there’s no way to prevent this hack, which allows the GCHQ to conduct audio surveillance through the phone, browse the owner’s files and web history, take pictures with the phone, and track the user’s GPS location. This is made possible, according to Snowden, through the “Smurf Suite,” which allows the agency to turn smartphones on and off, use the microphone and geolocation, and hide all of its actions from the user. Snowden says that the NSA has spent around $1 billion USD trying to develop similar technology.

Security Researcher Wins $24,000 Bounty From Microsoft

The general impression that we have of hacking is that it’s flat out illegal. In truth, hacking itself isn’t illegal at all. If you ever go into a “head shop,” they’ll let you know that they’re not selling “bongs,” they’re selling “water pipes.” Like a water pipe, hacking is just a tool, and what you use it for may or may not be legal. One of the legal things you can do with hacking is claim bounties from companies like Microsoft and Google, who offer rewards to people who can find security vulnerabilities in their websites, apps and services. A security researcher recently cashed in on a $24,000 reward for finding an easy hack through OAuth, the authorization code used for Outlook.com and Microsoft Live accounts. If you ever get tired of your dayjob, digital bounty hunting might be a fun career choice.

15 Year Old Gets 6 Months For Hacking NASA

A 15 year old hacker known as c0mrade made news last year after hacking NASA, leading to a 21-day shutdown of the computers supporting the international space station, and poking around in Pentagon weapons computer systems, intercepting thousands of emails and stealing passwords. After six months of plea-bargaining, he’s finally been sentenced to six months. Had he been tried as an adult, he’d be looking at quite a bit more time than that.

The everyday threats we have to deal with in cyber security are kind of ordinary, but these three stories prove that hacking really is just like the movies every now and then.

The main thing to keep in mind when comparing real threats to false flags: The most boring interpretation of the truth is usually the one that’s closest to being correct.

Remember Y2K? Everyone was worried that turning our computer clocks over from 1999 to 2000 was going to crash the whole system and leave the world in chaos. Some companies even made a pretty penny by selling software that would make your system “Y2K compliant.” Then what happened when the clock actually turned over? Absolutely nothing at all.

All that wasted time and energy spent fretting over something as simple as a change of date, and the world just kept on turning.

We need to be able to distinguish between a real threat and an imaginary threat for the simple reason that managing those threats demands that we draw upon finite resources. The team that you have chasing after false alerts are going to be too busy to handle actual threats to your data. Skilled cyber-security professionals are in short supply, which means that even if you have it in the budget to double your current cyber-security staff, the candidates might just not be out there. You might need to make it work with the people you already have on board, and that means spending less time chasing after false alarms.

Here are some steps we can take towards wasting fewer resources in cyber-security:

• Let the software do its job

Preventive antivirus software is a good start, but it’s also a good idea to cross-check with regular scans. This is common sense, but you’d be surprised at how many people don’t do this. A prevention-only based approach is going to lead to longer infection dwell time.

• Follow your security team’s lead

You hire people so that you have less to do, and you’ve likely discovered that you tend to get the best results when you give your staff some breathing room and let them use their own judgment. Unless you’re a cyber-security professional yourself, there’s no reason to micromanage how your security team handles their responsibilities.

• Don’t stress about far-fetched threats

You probably don’t have members of Anonymous working all day to crack your system. Don’t stress about it.

The truth is that cyber-security is something that a good security team and some professional-grade software can manage. It seems like every few years the business world goes into a panic about Y2K or hackers or some supervirus ravaging systems across the globe. The truth is that leaked passwords and garden-variety malware are your main concerns.

Here’s the irony when it comes to phones, tablets and other wireless devices: They’re less likely to be hacked, and more likely to compromise your sensitive information.

Why? Well… they’re easier to lose.

Good luck losing a desktop computer. Besides the fact that we tend to leave those at home, you’re going to remember where you put that thing after you break your back lugging it around, and it’s not going to be easy for someone to snatch it up off of your desk when you’re not looking.

Smartphones and tablets, on the other hand, wind up causing leaks all the time. It’s probably safe to say that more leaks come from lost phones and devices than from actual hacking. That’s not to say that hacking and malware aren’t a threat, only that a wireless device’s relatively resistant nature to cyber-threats is not something that makes these devices any less high-risk than your office network or home computer.

But, let’s reconsider the assumption that devices are relatively impervious to cyber-attacks. Does this actually hold up, or is it just good marketing? Let’s take two key points into account:

1. Devices haven’t been around for as long as laptop and desktop PC’s. This means that there are fewer viruses out there designed to attack Android and iPhone operating systems.
2. That doesn’t mean device-hackers aren’t catching up.

The general shift in computer culture right now is away from the keyboard and the monitor, and towards the device that fits in the pocket or the purse. Even in techier circles, you might walk into an office and not find a single old-school PC, Mac or Laptop. More people are using devices, fewer people are using laptops and desktops, and this means that the hackers developing new malware and looking for security gaps are going to be shifting their attention towards devices. As of the time of this writing, phones and tablets are relatively strong against cyber-threats primarily because they have fewer threats to contend with, but this won’t be the case for much longer. The short answer is that devices are not especially high risk when it comes to cyber attacks, but we’ll see what 2016 has in store for us.

Right now, there’s not a whole lot we can do about this but practice the same common sense as you would on your PC or laptop. There are antivirus apps available for most phones, but the unfortunate truth is that developers are still learning how to keep these devices safe, so these apps aren’t always effective. This means that it’s down to the user to understand that passwords and other sensitive data aren’t that much safer on the Android than they are on the Asus.

We’ve covered the subject of cyber-security myths before, but all it takes is one critical misunderstanding to harm your network, and we could write a phone book’s worth of content on all the misunderstandings floating around out there.

The Internet’s Safer Now

Some users are under the impression that the Internet is no longer the Wild Wild West that it was in the late nineties and early 00’s. Your computer is probably safer, cyber-security software has gotten more advanced, the general public has gotten smarter about web safety, but the Internet itself is still a Petri dish of viruses and worms that have only had greater opportunities to evolve and proliferate over the last two decades. Viruses don’t disappear from the Internet, they keep floating around out there, finding new means of distribution. The Internet is more dangerous than ever, we’ve just gotten a lot tougher.

Security is the Tech Team’s Job

Put simply: leaving security to the techies on staff is a little bit like leaving a tire to the mechanic when it’s low on air. There are a lot of things that you and the rest of your team can do to make the tech team’s job a little easier, and to keep the ship running a little more smoothly. Brief your people on basic security protocol, and you’ll be far less likely to have your tech guy come to you saying that he needs to hire three more people to handle all this extra workload.

It’s All in the Cloud, so What’s at Risk?

Your definition of valuable data might not quite be the same as a hacker’s. You’re thinking about work-related data and personal information. A hacker is looking for any access they can find. A hacker who gains access to your network might not even have any interest in accessing the encrypted information you keep on the cloud, they might be satisfied with simply using your system as a proxy through which to attack other users. Your system is a gateway, it isn’t just a locker for sensitive data, so keeping it empty won’t keep it safe.

Keeping your network safe isn’t that great of a challenge. All it takes is the right software, a little bit of common sense, and a basic sense of responibility. Invest a little time, money and effort into your system, and it’s not hard to keep it running clean.

Ideally, you and your staff are never going to be looking at any sensitive data anywhere but at the office, on a closed, secure network, or at home. But that’s not always practical. We have deadlines to meet and we might have to meet them while at the airport or on the subway heading into work. A bugfix might not be a big enough project t justify a whole trip to the office. When you absolutely have to work on a sensitive project in public, keep these tips in mind:

If your laptop didn’t come with a privacy screen installed, it may be a good idea to invest in one. These screens block visibility from odd angles to ensure that nobody can see what’s on your laptop but you.

As a general rule, you shouldn’t trust any public wireless network that isn’t encrypted with WPA or WPA2. If a network doesn’t use one of these encryption methods, then any other user on that network can see what you’re up to on any unencrypted website.

Tech researchers have found that many mobile apps encrypt data incorrectly. It’s generally safer to use a company’s mobile website rather than trust an app.

If you find yourself at the library without a working laptop or device, avoid the temptation to use a public computer. Even if nobody is looking for vulnerabilities in the network, you’re going to spend the rest of the day wondering if you remembered to sign out of everything before you left. It’s a little like thinking you left the stove on at home.

We’ve all caught one of those viruses that bombards us with pop-up ads for knock-off Viagra or just slows our computer to a crawl. Some computer viruses are a little… stranger than that.

The MacMag virus was known for being considerate. MacMag was developed by Richard Brandow. The virus delivered a message of world peace for Mac users, and then deleted itself automatically. If it did any lasting damage to the networks on which it proliferated, we still don’t know about it.

The Pikachu virus used an image of Pikachu to entice children to spread the virus so that it could delete vital Windows files… but the coder behind the virus wasn’t such a brilliant hacker, and Pikachu accidentally asked for permission before deleting any files.

Created by a New Zealand college student in 1987, Stoned would render your computer “hungry,” “paranoid” and “sluggish.” “Legalize Marijuana” can be found in the code of the virus.

Ika-tako was a Japanese virus created in 2010. The virus was disguised as a music file that would replace your files with images of a cute little cartoon squid. The virus spread over file-sharing networks and infected tens of thousands of computers.

Ping Pong was developed at the University of Turin in the late eighties. After booting from an infected floppy disk, the virus would show a ping pong ball bouncing around the screen.

The Skulls trojan horse was the first virus known to exclusively target mobiles, infecting Nokias in 2004 and replacing applications with icons of skull and crossbones.

We know that hackers aren’t really a bunch of black-leather-clad badasses who look like supermodels and sneak into government buildings to steal information on thumb drives, but there are a lot of subtle myths that people tend to believe about hacking.

In movies and television, a hacker only needs access to a public-facing website to break into any system. If you can figure out the password to an ex-FBI agent’s personal blog, you can break into the government’s mainframe and shut the whole system down. Truth is, there’s not much to hack on most websites. If you can figure out somebody’s Paypal password or bank account information, you can do some damage, but the vast majority of websites aren’t connected to any sort of “mainframe.” It’s just some code, text and images hosted on a server somewhere.

Hacking is based on luck more than anything. The only talent any con-artist really possesses is the ability to not worry about the damage that they’re doing when they rip people off. When you find someone’s ATM card in the machine, you take it to the tellers so they can give it back to its rightful owner. A hacker pockets it. Even the rudimentary computer skills that can make it easy to crack passwords can be learned in about a week’s time.

Stealing is illegal, blackmail is illegal, there are a lot of crimes that can be facilitated by hacking, but hacking itself isn’t illegal. In fact, Google regularly pays hackers bounties for discovering gaps in their security. In other words, hacking is not only legal, it’s actually encouraged by the biggest website on the internet.

It’s a reasonable question: Am I a target? Is anyone out there actively trying to steal my information? Are you in an industry that is frequently targeted by hackers, and are you visible enough within that industry to be a target?

If you’re running a successful business, then you probably do have enough cash flow that a hacker who’s in it to make a quick buck wouldn’t hesitate at the opportunity to steal something from you. However, the vast majority of cyber criminals are looking for crimes of opportunity. Forgetting your credit card at a restaurant, browsing private emails in a public place, or just having poor security on your office network are what make you a target more than any business decisions you might be making or fame you might achieve.

The people who hackers go out of their way to target are typically involved in some sort of politically volatile situation. People running for office may be targeted by opponents and critics who would love to embarrass them with a leaked email, and the same goes for any highly visible industry figure who’s having a bad PR day after perhaps making an off-color joke at a public event.

As for the rest of us, we’re all targets, not because anyone is actively pursuing us, but because when it comes to stealing sensitive data, beggars can’t be choosers. The tenth biggest desk-fan manufacturer in the country is exactly as big a target as the eleventh, twentieth and fiftieth biggest manufacturer.

What really gets a hacker’s attention is a security lapse. If you’re using your laptop at a coffee shop and you leave it open on the table while you go to the restroom, a thief isn’t going to browse your files and find out if you’re anyone important, they’re just going to steal the laptop and do whatever they can with the information they find.

To put it another way: The biggest targets are professionals, companies, and office networks with poor security. We invest in security and insurance not because there’s an army of hackers targeting us, but because the only real targets are those without security and insurance.