
Cyber Security Awareness

Is It Legal To Mod Your Own Hardware?

By Cyber Security Awareness

Modding hardware is a tricky subject. Obviously, if you weren’t allowed to mod any computer hardware, everyone who’s ever built their own computer from parts or installed extra RAM would be in big trouble. But then there are issues like jailbreaking phones or modding a video game console to play pirated games. Those subjects are a little trickier. Here’s what you need to know before popping that shiny new phone or laptop open with a flathead screwdriver:

Jailbreaking Apple Devices

Here’s why this is such a confusing subject: Jailbreaking an iPhone has been kept legal through an exemption in the DMCA (Digital Millennium Copyright Act, the same thing keeping your favorite songs off of YouTube), but jailbreaking your iPad is actually against the law. Unlocking your own iPhone is illegal, as well. A carrier can unlock your phone for you, but it’s illegal to go through a third party to do it, or to do it yourself.

Note that even when it’s legal, jailbreaking a device can void your warranty unless you can return it to factory settings.

Game Console Modding

Most console mods are done for the purpose of allowing the console to play pirated games. Here’s the trick: Physically modding your console is fine; you can go ahead and gut your Xbox One and put it in a custom Super Nintendo body if you like. But you’re not allowed to alter the firmware that prevents the console from playing pirated games (another ruling we owe to the DMCA).

If you want to mod your own console, you probably won’t get caught. The FBI has its hands full without going to everyone’s home and looking for burned DVD copies of Grand Theft Auto V. The people getting caught are usually the ones doing it for profit. It’s easy to convince someone to pay you twenty or thirty bucks to mod their console rather than risk destroying their three-hundred-dollar gaming machine trying to do it themselves.

Obviously we’re not going to recommend that you do anything illegal, but if you’ve modded your Nintendo 3DS so that you can play NES ROMs on it, you probably don’t need to worry about a SWAT team raiding your home.

Removing the Shutter Sound

Many phones are legally required to make a shutter sound when you snap a photo so as to protect people’s privacy, preventing people from taking secret photos of strangers. But, you are allowed to disable the sound.

What it comes down to is this: Mod hardware all you like, just don’t mess with the firmware, and you won’t be breaking any laws.

When Is Hacking Illegal?

By Cyber Security Awareness

People tend to treat “hacker” and “cyber-criminal” as interchangeable terms. The truth is that legal hacking isn’t the exception to the rule; illegal hacking is the exception. All hacking really consists of is cracking a system, and not all systems are illegal to crack. If you hack a video game without infringing on copyright, the worst that can happen is you might have your online multiplayer privileges revoked. If you hack your phone so that you can use homebrewed apps, but you don’t tamper with the firmware, then the worst you’ve done is voided your warranty.

Computer crime usually doesn’t even involve any sort of special knowledge of coding. Most identity theft has to do with credit cards being physically stolen and password-guessing. Chances are if you’re the kind of person who devotes years of your life to learning how to code well enough to break into a bank, you have so many job offers coming at you that you wouldn’t even put any serious consideration into cyber-theft.

The question remains: At what point does hacking become illegal? Can you crack into a company’s private data just to have a looksie, or do you have to actually leak information before you’ve broken any laws? Are you risking jail time by taking just one guess at a bank account PIN?

The Computer Misuse Act deems it an offense to hack into a system belonging to someone else, or to send them a virus that will allow you to obtain private information. There are exceptions to this, of course. Many websites like Google actually offer bounties for anyone who can crack into their system, as the assistance of white-hat hackers can help to make their system stronger against legitimate threats. This said, you’ll want to make sure that a website’s owners want it to be hacked before you take a shot at it. Some companies won’t take it lightly and may pursue legal action against a benign hacker.

The short answer is that, while hacking itself isn’t necessarily illegal, the act of hacking is punishable when it’s attached to a more serious crime, or the potential to commit a more serious crime. If you’re hacking so as to break through copyright protection, or if you’re hacking into a system where private data is held and there isn’t an open invitation out there to see if you can do it, then you could be looking at serious consequences, and as with any misdemeanor or felony, an unsuccessful attempt can be punished just as easily as a successful attempt.

Devices You Didn’t Know Were At Risk

By Cyber Security Awareness

A general rule of thumb worth following: Any device that you can plug into the internet or a USB stick is going to be vulnerable, and the same goes for anything you might punch a password into. You know that you should keep your laptops, desktop computers and tablets safe, but you’re also going to want to spend some time thinking about software security when it comes to…

Phones

For a long time, people simply assumed that phones were impervious, but as we’re seeing more and more, this is not the case. There are more viruses for laptops and desktops than there are for smart phones simply because smart phones are newer, and hackers are still learning their way around the device.

Video Game Devices

Not so long ago, the only people hacking video game consoles were trying to remove region-lock so that they could play Japanese games that haven’t been released in the US. Now we have quite a bit of sensitive information on our Xboxes and Playstations, including payment information. There are plenty of stories out there of consoles being hacked for money.

Wearable Devices

A lot of the talk on wearable devices is still theoretical. People aren’t using augmented reality glasses as an everyday device just yet, and the only people who are really on the cutting edge of this trend are the health-conscious, who use wearables to track their exercise progress. That doesn’t mean that these devices aren’t already vulnerable. Although your fitness records aren’t the most vulnerable data, there’s nothing stopping viruses from piggybacking on those devices and into others.

USB Thumb Drives

A report from PC World suggests that most thumb drives can be programmed to infect a computer without the user’s knowledge. Even if you use firewalls and web security, loaning someone your USB drive means that anything their computer has, your computer might catch. In some of these cases you have to admire the ingenuity a bit, such as the virus that uses your USB drive as a keyboard, taking manual access of your computer.

Some items are more vulnerable than others, but none are magic. Keep this in mind when securing your office networks: you want to ensure that everything from your printer to your fax machine to your employees’ smart phones is capable of holding up to cyber attacks, viruses, malware, and everything in between.

Getting Software Safely

By Cyber Security Awareness

Getting new software for the office can be a trying process. Top quality programs like Photoshop can be prohibitively expensive for a small business when you need to outfit your whole office, and the free stuff is a bit of a crapshoot. Obviously, we have to recommend against pirating. Individuals using Sony Vegas or Adobe Illustrator without a license aren’t really taking a huge risk, but releasing professional work with pirated software is a recipe for a lawsuit that will wind up costing you quite a bit more than the licensing fees would have.

But then, the free and cheap alternatives bring their own risks. Check out some people’s Firefox and Google Chrome browsers and you’ll see about an inch of browser space and twelve inches of search bars, task bars and plugins. This is a problem you encounter when you’re not too picky about where you’re getting your free software. The problem is that it’s more or less legal to take any piece of open source software and add a ton of stuff to the install process that the user doesn’t need. They don’t even need to include viruses and adware if you’re actually choosing to do the auto-install without deselecting all the bloatware that comes with it.

If you can get your free software directly from the official website, then that’s always the best option. Unfortunately, sometimes the official website is long gone, in which case you will want to check some forums to see if anyone has posted a legit copy to a file sharing site.

A lot of torrents for pirated software carry viruses, spamware, adware and spybots, which is another reason why they can ultimately cost you in the long run. Getting a virus off of your laptop isn’t such a big deal. Getting a virus off of every laptop in your office, and out of all the software you’ve been distributing yourself, that’s another story.

If you see someone sharing freeware on social media, just don’t click the link unless the post comes from a verified account. People love to spread infected shareware and freeware on Twitter, Facebook and YouTube.

Basically it comes down to doing your research and getting your software from as close to the source as possible. Keep your security software up to date, don’t trust random links or YouTube spam, and don’t just click on the first download you see.

Uninstalling Everything

By Cyber Security Awareness

Your security software can do a lot, but it isn’t psychic. It doesn’t always know if you meant to install something, or if it piggybacked along with some freeware you picked up. Every now and then, it’s a good idea to just browse your uninstaller and see if there’s anything in there you don’t recognize.

For Windows

For most versions of Windows, the quickest way to get rid of your bloatware is to go to the search bar from the Start button and type in “uninstall.” You’ll find a program called “uninstall a program.” You can list the programs by date of install, so you can look for things that were installed recently and make sure that it’s all stuff that’s supposed to be there.
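
One way to do the same review from a PowerShell prompt, as an added example that is not part of the original article: it reads the registry Uninstall keys where installers register themselves and sorts the entries by install date. The function name Get-InstalledProgram, the 30-day window and the missing-publisher flag are assumptions chosen for illustration.

```powershell
# Added example (not from the original article): list installed programs,
# newest first, from the registry Uninstall keys.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',              # machine-wide installs
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',  # 32-bit apps on 64-bit Windows
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'               # per-user installs
)

function Get-InstalledProgram {
    param(
        # Assumption: anything installed in the last 30 days counts as "recent".
        [int]$RecentDays = 30
    )
    $cutoff = (Get-Date).Date.AddDays(-$RecentDays)

    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |          # skip entries with no visible name
        ForEach-Object {
            # InstallDate is optional and, when present, is normally a yyyyMMdd string.
            $installed = $null
            if ("$($_.InstallDate)" -match '^\d{8}$') {
                try {
                    $installed = [datetime]::ParseExact("$($_.InstallDate)", 'yyyyMMdd',
                        [System.Globalization.CultureInfo]::InvariantCulture)
                } catch {
                    $installed = $null             # eight digits but not a real date
                }
            }
            [pscustomobject]@{
                Installed   = $installed
                Recent      = ($null -ne $installed -and $installed -ge $cutoff)
                Name        = $_.DisplayName
                Publisher   = $_.Publisher
                NoPublisher = [string]::IsNullOrWhiteSpace($_.Publisher)
                Scope       = if ($_.PSPath -like '*HKEY_CURRENT_USER*') { 'User' } else { 'Machine' }
            }
        } |
        Sort-Object Installed -Descending
}

# Show only the entries worth a second look: recent installs and entries with no publisher.
Get-InstalledProgram |
    Where-Object { $_.Recent -or $_.NoPublisher } |
    Format-Table -AutoSize
```

A missing date or publisher is only a prompt to look the name up, since plenty of legitimate installers leave those fields blank.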

For Mac

There are a lot of different easy-to-use Mac OS X uninstallers. We recommend AppCleaner, a simple, to-the-point uninstaller for unwanted apps.

Deleting apps from your iPhone is pretty easy: Press and hold any icon for a few seconds and all the icons will start to jiggle. Tap the X in the upper left corner of the app you’d like to get rid of and select “delete.” You can delete anything this way except for official apps that came with your phone.

When in Doubt…

If you uninstall something you needed by accident, it’s usually no big deal to reinstall it, but when you’re not sure of whether or not you need something, you can always Google it. Viruses and bots and malware are often installed under deceptive names like “Google Installer,” so do your research, and remember that, short of removing your whole operating system and every web browser on your drive, it’s usually safer to uninstall and find out than it is to just assume that something is safe.

Cleaning Out Your Web Browser

Your web browser might get hit with installations for search bars you don’t need and useless plugins and tools. You can remove most of them by just going to your settings and returning everything to how you like it. Worst-case scenario, you can completely uninstall your browser and redownload it with Internet Explorer.

Sometimes it’s a good idea to just go down the uninstall list and get rid of software you don’t use anymore in order to clear up some RAM and hard drive space. In any event, security software and an occasional run-down of your uninstall list should be enough to keep all but the worst viruses and malware at bay.

Virtual Reality, Augmented Reality and Cyber Security

By Cyber Security Awareness

In 1995, a computer virus or a cyber attack meant that you had to maybe spend a few bucks taking your desktop to a professional to get it fixed. Now we do everything on our computers and devices, so a serious cyber attack could mean being out of work, losing a lot of money, or having our identity stolen. With virtual reality (“VR”) and augmented reality, we’re taking an even greater risk, putting our very perception of reality on the line.

Although we may simply want to opt out of augmented reality, there may come a time when that’s easier said than done. Twenty years ago you might have said that you weren’t interested in using the internet, but here we are. Even if you don’t actively surf the web, all of your transactions make it through the internet sooner or later. Maybe you’ll never get outfitted with a Google Glass headset, but it’s going to be simply a part of our lives sooner or later.

More likely than not, it will wind up being an integral part of how you do business, just as the internet became an integral part of doing business in the 00’s. As such, we need to start thinking about how we’re going to manage the cyber security risks associated with augmented reality and VR.

The use of augmented reality or VR in conjunction with wearable devices has the potential to even allow hackers and malware to create bodily harm, say some experts. We’ve already seen that, in theory, smart pacemakers can suffer a cyber attack. Augmented reality means that hackers could do something as simple as triggering an epileptic seizure in their targets, or use wearable items like the Google Glass as surveillance devices.

Even assuming that you never strap a wearable device onto your body for the rest of your life, simply offering free Wi-Fi to your customers could open you up to liability should a wearable device be hacked on your watch.

The way that we fight hackers on the new frontier of wearable devices, augmented reality and VR won’t likely be much different than the way that we fight them right now. The challenge lies in the fact that cyber security tends to be, by its very nature, reactive. Hackers tend to be a step ahead of security providers because we won’t know what the vulnerabilities are until they’re capitalized upon. Fortunately, we’re seeing more and more proactive efforts to keep up with vulnerabilities affecting new technologies.

What IS Sensitive Data?

By Cyber Security Awareness

The word “data” can be misleading. When we see that word we think of ones and zeroes, bank account numbers, debit card PINs, financial records and software code. Technically speaking, any information stored on any electronic device is data. Data could be how many minutes you like to put on the microwave timer to let you know when your tea is done brewing, or it could be the receipt that Amazon sends you when you purchase a Christmas gift for your nephew.

We use the word “data” because we’re talking about cyber security, but “information” might be the more accurate term. We’re not just concerned that someone is going to steal the code for a program we’re developing to compete with Adobe Photoshop, we simply don’t want our secrets getting out. That secret could be a bank account password, or it could be the secret recipe to a restaurant’s signature barbecue sauce. Sensitive data is more than just a bunch of ones and zeroes.

In other words, we need to think not so much of “sensitive data” as “private information.” And this extends beyond data that is stored digitally. Paper-shredders were invented for a reason.

Beyond trade secrets, there are also instances where an information leak might not do any direct harm to your business or to a client or a partner, but it might affect your reputation. An attorney who boasts a little too loudly of all the high-profile clients he’s assisted isn’t proving himself capable so much as he is proving himself incapable of discretion. Even letting slip information that isn’t quite sensitive can be bad news for earning the trust of new clients.

A good rule of thumb is that any information that isn’t attached to a press release or already public knowledge should generally be kept to oneself. Of course it’s fine if your new assistant manager boasts about her promotion to her friends, but if she starts getting too specific about her new responsibilities, she could be putting client trust at risk.

Sensitive data should include anything and everything that someone involved with your company might not want the public to know about. The Internet is full of armchair detectives with nothing better to do than pore over leaked information for anything they can use. They might not even be malicious; they might be major supporters of your brand who lack the self-control not to spoil your next product launch. In short: If you’re not already planning to make it public, don’t make it public.

Managing Your Passwords

By Cyber Security Awareness

Signing up for a new account somewhere is always a bit of a pain. You may have a basic password that you use for almost every account, but then this one says you need something that’s 16 characters long with three numbers, a capital letter and a symbol. How are you going to remember all of that, and how are you going to remember that this is one of the accounts where your password is Olympiu$998 instead of just olympius?

Although these password measures are intended to make your account more secure, they can have the opposite effect simply because you need to write those complicated passwords down somewhere so that you don’t forget them.

So, here are some tips for coming up with new passwords, and remembering them without having to leave a sticky right on your monitor:

  • Base your password on a secret. People can look up your date of birth, they can ask you what your dog’s name is, they know your favorite brand of coffee. They might not know the name of your first crush, how old you were the first time you stole your dad’s car, or which Backstreet Boys song you secretly listen to when you’re alone. If you base your password on personal information, make sure it’s not personal information that just anyone might know.
  • If you have to write your passwords down, don’t write them down in an unencrypted file on your computer, and don’t keep a list in your wallet. An encrypted file with a password that you can remember is a safe place to keep your codes, or you can stash them in a notepad somewhere private, like under a mattress or in your car’s glovebox.
  • If you like to use one password for everything, at least switch it up every now and then. Maybe you can’t remember a list of thirty-two passwords for everything you have to log into online, but you can change that skeleton-key password once every six months or so just in case anyone’s cracked it.

Of course, you can also just download a password manager. There are apps that can sync with a smartphone and with the cloud, and can even auto-generate passwords for you so that you don’t need to worry about it. You log into your password manager, and it logs into everything else for you, so you only need to remember one of them. Here are some of the top managers according to PC World.

Source http://www.pcworld.com/article/221505/passwords.html

Ensuring Compliance in Security Protocol

By Cyber Security Awareness

It’s pretty easy to print out a few pages on how employees can keep private data private. It’s not so easy getting your employees to keep those reminders in mind. Here are a few ideas for ensuring compliance in security protocol:

Clearance Levels

There’s no reason for your interns to have the same clearance level as your senior IT people. Having tiered clearance levels ensures that nobody has to be responsible for anything that isn’t directly related to their own work. If an employee doesn’t have access to certain data, then there’s no way for them to put it at risk in the first place. This will also help you to determine who can be trusted with higher clearance levels by seeing how they comply with security protocol at a lower level.

Get It In Writing

Having employees sign an agreement to comply with all security protocol is a good way to sort of set it in stone. A memo is just a memo, we can take or leave it. Signing one’s name to a legal document, on the other hand, can go a long way to imparting the importance of protocol. Even if you never plan to do anything more than give someone a warning for violating the agreement, simply having the agreement in place can go a long way towards compliance.

Put Responsibility On Your Staff

You don’t even need to have any serious discipline measures in place. If an employee is expected to replace it themselves should they lose their phone, then they’re probably not going to lose their phone. In essence, compliance has a lot to do with making sure that security is just as much a concern for your employees as it is for their employer. It’s easier to keep protocol in mind when it’s for one’s own sake, but not so much when you approach a job with a sort of mercenary attitude. Putting some responsibility on your employees is sort of a way to remind them that they are part of the company, so security is just as much their concern as it is yours.

A lot of compliance issues can be solved simply by hiring the right people. You want people who are experienced enough to appreciate the importance of security, and professional enough to follow protocol. As with any area of running a business, hiring the right people will always make your job easier.

How They Caught Top Hackers

By Cyber Security Awareness

Most cyber-criminals are never caught. It’s a high-reward, low-risk area of crime. Cyber-thieves don’t typically drain bank accounts; they steal a nickel here, a dollar there from thousands and thousands of users. Almost nobody is going to go file a police report over seventy-eight cents, and if they do, it’s not going to be a high priority for law enforcement. Changing your MAC address regularly makes it almost impossible to trace a hacker through the web, and physically capturing a hacker in the act isn’t easy.

And yet, hackers do get caught now and then.

The question is: How?

Bragging

Sometimes hackers just can’t shut up about it, as was the case with a hacker from Anonymous who apparently needs to reread the first chapter of the dictionary. John Anthony Borell III had some fun hacking into the website of the Utah Chiefs of Police Association and the SLC Police Department. He would have gotten away with it too except… he went and took credit for it on Twitter. Other hackers, like “Sabu,” got caught after bragging about their dirty deeds in IRC chatrooms. A lot of hackers are in it for the thrill, not the financial reward, and they simply need for others to recognize how clever they are. Sort of like The Riddler in the old Batman TV series: He’d never spend a day in jail if he’d learn to stop leaving clues behind.

Blind Ambition

Some hackers simply don’t know to quit while they’re ahead, like Albert Gonzalez. Gonzalez ran a website where hackers could sell stolen credit card numbers, passports and other sensitive information. After an arrest for credit card fraud, he signed up for Operation Firewall as a key informant. This earned him immunity and a job offer from the Secret Service. So of course, with the Secret Service now keeping tabs on him, what was Gonzalez to do but partner with Ukrainian hacker Maksik and start swiping credit cards, and then start driving BMWs into work at the Secret Service?

Fame

When you’re too high-profile, the fame alone will do you in. This is what happened to Kevin Poulsen, known as Dark Dante in the late 80’s online scene. Poulsen used to hack government documents, leaking wiretap details on foreign leaders, the mafia and the ACLU. His abilities were so impressive that he actually knocked out Unsolved Mysteries’ phone lines when they did a feature on him. All the same, the episode made him famous, and he was recognized in a supermarket, leading to his arrest.

Source http://www.adweek.com/socialtimes/hacker-brags-on-twitter/462620 http://www.bbc.com/news/technology-17302656