Wednesday, June 20, 2018

Web Secret 524: Robocalls

I absolutely loathe robocalls.

So imagine how not surprised I was when I came across a New York Times article that confirmed what I already knew: robocalls are proliferating because it is so damn cheap to send them out by the thousands.

Better yet, the Times had a companion article "Robocalls Flooding Your Cellphone? Here’s How to Stop Them."

Let me summarize it for you:

Rule No. 1: Do not answer numbers you don’t know. If you do answer, don’t respond to the invitation to press a number to opt out. That will merely verify that yours is a working number and make you a target for more calls. Turn to the government

Rule No. 2: Turn to technology. Download apps such as Truecaller, which will block the calls. YouMail will stop your phone from ringing with calls from suspected robocallers and deliver a message that your number is out of service. Many of these apps are quite pricey. Hiya is free.

Rule No. 3: Turn the tables. The Jolly Roger Telephone Company turns the tables on telemarketers. This program allows a customer to put the phone on mute and patch telemarketing calls to a robot, which understands speech patterns and inflections and works to keep the caller engaged.

The robots string the callers along with vocal fillers like “Uh-huh” and “O.K., O.K.” After several minutes, some will ask the callers to repeat their sales pitch from the beginning, prompting the telemarketers to have angry meltdowns.

Rule No. 4: Watch what you say. One recent scheme involves getting consumers to say “yes” and later using a recording of the response to allow unauthorized charges on the person’s credit card account, the F.C.C. warned in March.

When the caller asks, “Can you hear me?” and the consumer answers “yes,” the caller can gain a voice signature that can later be used to authorize fraudulent charges by telephone.

Best to answer with “I can hear you.”

The future: The callers are evolving. Some have numbers that appear to be from your area code; others employ “imitation of life” software in which the robocall sounds like a live person, complete with coughing, laughing and background noise. This artificial intelligence can be programmed to interact in real time with a consumer.

I'm scared too.

Wednesday, June 13, 2018

Web Secret 523: Cybersecurity - part 5

This is the last in a series of 5 posts about cybersecurity.

Do you ever host or attend conferences or meetings? Rhetorical question.

There are cybersecurity best practices to consider, as I discovered after plowing through "The Cybersecurity Challenge", an article which I summarized for this post.

Registration puts financial information at risk. If you are storing any personally identifiable information and collecting credit card payments, you must comply with the PCI (Payment Card Industry) data security standard. There are companies that can help you with that.

Every assemblage of human beings includes a large number of mobile devices. It is not unusual for attendees to have a smartphone, a tablet and a laptop.

A large risk facing planners and attendees is the ill-advised use of free or “public” Wi-Fi networks in the destination. A large number of destinations have taken measures to prevent rogue Wi-Fi networks tricking attendees into connecting to them; however, it’s still a common threat to take into consideration.

It is a relatively straightforward task for bad guys to generate a Wi-Fi signal that is going to look equal to or better than a real one. And they might even tailor it to your meeting and say, ‘Attention EAPA convention attendees — free Wi-Fi available to you.’ Such a hoax is called a “man in the middle” attack. It means the bad guys now have unfettered access to your computer.

Some experts advise clients to inform meeting attendees they should never use the free Wi-Fi networks in a Starbucks or any other public place.

We’ve gotten people to the point that when they are at a hotel or convention center, they expect free wireless internet. That is what has created the vulnerability that everybody now faces.

The typical meeting attendee, however, is not aware of the risk. And a big part of the problem is that meeting attendees don’t read their program or background material. And the people running the meeting don’t make announcements telling attendees not to use unofficial free Wi-Fi networks.

Not even the safety of the Wi-Fi network at a hotel or convention center should be taken for granted. You must make sure that the provider is using secure equipment and that it has a secure connection from its technology to the internet. You also need to make sure that the people involved in running it have been backgrounded and vetted.

The good news is that there is a simple recommendation to mitigate risk. Before attendees head out to your meeting, send them an email that is about just one thing, online security. It should say, “We are concerned about your cybersecurity, so we are informing you that the official Wi-Fi network for the meeting is named XYZ. That is the only network you should connect to. If you connect to anything else, we cannot promise that you are secure.”

Another option is to make a formal announcement at the meeting. For example, at the beginning of an opening general session.

A more elaborate step is to use a virtual private network, or VPN. A VPN is a computer program that creates encrypted connections. And because of that, it’s much harder for someone to intercept your signal. The technology is widely available and inexpensive today. It can be acquired for just a month to cover the meeting dates, then canceled.

Pay attention, people!

Wednesday, June 6, 2018

Web Secret 522: Cybersecurity - part 4

This is part 4 of a 5 part series on cybersecurity.

What can mental health providers and institutions do to protect themselves from a cyber attack?

Even a one person private practice or a smaller company can implement cyber safeguards.
  1. Become knowledgeable about technology. Mental health clinicians are notoriously tech averse. However, unless you are living and working off the grid, ignorance is no longer acceptable.
  2. Educate yourself and your employees about the threat of cyber-attacks and ransomware. Education needs to be an ongoing process.
  3. Use two factor authentication and encrypted email for sensitive information. Hushmail is a secure email utility. 
  4. Make sure your website is HTTPS (HTTP Secure), e.g. https://www.mycompany.com. In HTTPS, your website is encrypted by a layer of security and thus is less vulnerable. 
  5. At the Forum, we were told that 95% of malware can be addressed by anti-virus software. So deploy anti-virus and update as needed. 
  6. When Apple or one of the major tech companies you use (e.g. Microsoft) sends you an update patch, download it.
  7. Use complex passwords.
  8. Over and over the experts at Yale talked about the need for “good cyber hygiene.” Establish standards for cyber literacy, and other necessary protocols.
  9. Have a workplace social media policy.
If you aren’t sophisticated about things computer, hire an expert.

As we said good-bye, one attendee said, “and now I go back in my car and drive away while using Waze to find my route and Spotify for entertainment, giving up my privacy and leaving myself wide open to hacking.”

Wednesday, May 30, 2018

Web Secret 521: Cybersecurity - part 3

This is the 3rd in a 5 part series on cybersecurity.

The media used this terminology in the aftermath of the Trump election: “Russia hacked our electoral system during the 2016 election.” One presenter at the Yale Cyber Leader Forum I attended explained that in actuality, our electoral system was not hacked.

What actually happened is that Russia used Facebook and other social media to propagate fake news stories about Hillary Clinton. They perpetrated identity fraud to do this. Interestingly, these events were not seen to be a failure of the US government but rather a problem with social media. Separating the fake news from legitimate information is a massive challenge. And separate from cyber-attacks.

There are more and more cyber-security companies but the number of breaches isn’t going down. Only 20% of cyber security budgets go towards prevention.

Hackers are ever more sophisticated. Malware can be delivered in a video download. An innocent sounding e-mail will have a subject heading like “Look at these cute cat videos” and a link to download a corrupted video.

The US government has been reactive rather than proactive in its approach to cyber-attacks. One Yale Forum expert believes we should also “degrade the potential of adversaries to harm us.”

During another Forum break, the owner of a cyber security company explained he had to go to great lengths to get his employees to use encrypted email. The irony was not lost on him.

What about the future?

Yale experts made the following predictions:
  • There will be more and more digitization of our lives.
  • The Internet of Things (the network of physical devices, vehicles, home appliances and other items embedded with electronics, software, sensors, actuators, and connectivity enabling them to operate within our existing Internet infrastructure) will continue to grow and permeate every facet of our existence. Devices are going to go from being outside of our bodies to inside our bodies. One expert wondered about the risk of soldiers going on a training run while wearing a fitness tracker.
  • More and more of our data will move to the cloud. (The cloud refers to software and services that run on the Internet, instead of locally on your computer. Think Spotify.)
  • Identity theft will become easier as we will develop products that can perfectly imitate our voices and other aspects of our individuality.
  • Compliance with cyber-security needs to be easier. Is there an equivalent to putting all the smart phones in a lead box before entering the meeting room?
  • We may never be ahead of the adversary.
  • The disaster of the future will be a cyber-attack.
Asked to imagine a news headline of the future, one attendee said: “Botnet of human body parts takes down the power grid.” (FYI: a botnet is a network of private computers infected with malicious software and controlled as a group without the owners' knowledge.) As we become increasingly bionic, we become increasingly vulnerable.

So what can we do? I answer that question in the 4th and final post in this series.

Wednesday, May 23, 2018

Web Secret 520: Cybersecurity - part 2

This is part 2 of a 5 part series on cybersecurity.

We are vulnerable to cyber-attacks for a variety of reasons:
  • As early as 1994 experts called for a national information infrastructure – that hasn’t happened
  • Much of the USA’s most sensitive information is not encrypted. How comforting.
  • A recently enacted 2017 Trump law allows your internet service provider (AKA FIOS et al) to sell your metadata without your permission.
  • When companies upgrade their websites, they upgrade their security but old webpages still exist and are vulnerable to hacking. One expert said, “We have 20 years of vulnerable websites.”
  • Two-Factor Authentication was devised in the 70s but has only recently begun to have traction. In other words, we have technology to foil attacks but decision makers are slow to deploy it. And people are even slower to adopt it. Two Factor Authentication is an extra layer of security known as "multi factor authentication." It requires not only a password and username but also something that only the user has on them, i.e. a piece of information only they should know. For example, the answer to questions like "What is the name of your first pet" or "what is your dream vacation spot?"
  • In an April article titled “Failed by Facebook, We’ll Return to the Scene of the Crime. We Always Do.”, the New York Times reported how even when a company is hacked, or fails to protect our privacy, we go right back to using it.

    “The reality is that when it comes to privacy, the trade-off has already been made: We decided long ago to give away our personal information in exchange for free content and the ability to interact seamlessly with others… After just about every big privacy hack over the past decade, people quickly returned to the scene of the crime, using the same store or online site that had been compromised.”

    During the Forum, one expert pointed out how even the most egregious lapse will result in only a brief downtick in a company’s stock market performance.
  • We are fighting a 21st century crime with outdated approaches. The attack vectors multiply and the preparedness of end users is very low.
  • In the 21st century, US armed forces do not manufacture the weapons they need; they subcontract with private enterprise. Similarly, US apps, software, and hardware are in the hands of the Apples, Microsofts and Googles of this world. The US government turns to these companies to police themselves.
  • Cyber-security is not primarily a technical challenge but rather a social/political problem. An educational problem. A legal problem. A policy problem.
It is concerning that several Yale Forum experts stated that there needs to be “carnage” for the country and its citizens to pay attention to cyber security. Meaning one or more people need to die as a result of a hack for the public to demand that attention must be paid. One expert even wondered if we need a “grand carnage moment” to make it happen.

Along that line, some of us during a lunch break wondered when a person’s medical history will be hacked causing them serious injury, even death. Would we even know if it happened? So far hospital records have only been hacked by ransomware.

What happens next?

To be continued next week...

Wednesday, May 16, 2018

Web Secret 519: Cybersecurity - part 1

This past March, I was the recipient of a $3,000 scholarship to attend the 2018 Yale Cyber Leadership Forum.

Yes, my alma mater charges $3,000 to attend a day and a half conference.

“The Yale Cyber Leadership Forum aims to bridge the divide among legal scholars and practitioners, technology experts, business leaders, and policymakers from across the globe on how best to understand and counter the most pressing cyber security challenges of our day.” This article aims to summarize what was discussed as it applies to mental health practitioners and organizations.

The Forum brings together a diverse set of thought leaders who are eager to share their experiences, learn more about the array of cyber threats, gather new strategies for overcoming cybersecurity challenges, and contribute to discussions of the best way to tackle the challenges ahead.

Note: Forum attendees were asked to follow the Chatham House Rule. We like to be as pretentious as possible in the Ivy League. For the rest of the world, at a meeting held under the Chatham House Rule, anyone who attends is free to use information from the discussion, but is not allowed to reveal who made any comment. It is designed to increase openness of discussion.

In a nutshell, this is what I learned:
  • The field of cyber security is in its infancy
  • Law and policy are lagging far behind technology
  • It’s not just a tech issue, it’s a people issue. More on that later.
To elaborate, our intelligence leaders believe the risk of a cyber-attack eclipses terrorism as the greatest threat to the USA. If even one of our major infrastructure components (power grid, Internet, financial system) is compromised by a cyber-attack, the other two collapse and we are headed towards catastrophe. Complicating this narrative is the fact that through the world wide web, everyone around the globe is inter-connected.

As one expert put it: “We are as secure as the rest of the Internet.” Great.

These are the countries which have the greatest expertise in cyber warfare:
  1. Russia
  2. China
  3. North Korea
  4. Iran.
Quelle surprise!

We are vulnerable to cyber-attacks for a variety of reasons, which I will explain in next week's post.

None of it is good news.

Wednesday, May 9, 2018

Web Secret 518: The Weed Tube

The US and marijuana regulation = mess.

While the federal government still views pot as illegal, most of the states are in full rebellion. No two states are alike - some have legalized both medical and recreational marijuana, some just medical, some (a minority) don't allow either.

I am fairly confident that eventually both medical and recreational will be legal.

In the meantime, there is (since March 1) The Weed Tube, a how-to channel devoted to - you guessed it - marijuana-focused videos.

If you want to take the pulse of the marijuana legalization movement, there's no better place to start.

The posts range from the fanciful to serious demos and reviews. Here are a few:

Sesh Cannabis First Impressions

How To Make A Strawberry Bowl

A week in my life – Hilton Head Island

Don't judge.