Wednesday, May 30, 2018

Web Secret 521: Cybersecurity - part 3

This is the 3rd in a 5 part series on cybersecurity.

The media used this terminology in the aftermath of the Trump election: “Russia hacked our electoral system during the 2016 election.” One presenter at the Yale Cyber Leader Forum I attended explained that in actuality, our electoral system was not hacked.

What actually happened is that Russia used Facebook and other social media to propagate fake news stories about Hillary Clinton. They perpetrated identity fraud to do this. Interestingly, these events were not seen to be a failure of the US government but rather a problem with social media. Separating the fake news from legitimate information is a massive challenge. And separate from cyber-attacks.

There are more and more cyber-security companies but the number of breaches isn’t going down. Only 20% of cyber security budgets go towards prevention.

Hackers are ever more sophisticated. Malware can be delivered in a video download. An innocent-sounding e-mail will have a subject heading like “Look at these cute cat videos” and a link to download a corrupted video.

The US government has been reactive rather than proactive in its approach to cyber-attacks. One Yale Forum expert believes we should also “degrade the potential of adversaries to harm us.”

During another Forum break, the owner of a cyber security company explained he had to go to great lengths to get his employees to use encrypted email. The irony was not lost on him.

What about the future?

Yale experts made the following predictions:
  • There will be more and more digitization of our lives.
  • The Internet of Things (the network of physical devices, vehicles, home appliances and other items embedded with electronics, software, sensors, actuators, and connectivity enabling them to operate within our existing Internet infrastructure) will continue to grow and permeate every facet of our existence. Devices are going to go from being outside of our bodies to inside our bodies. One expert wondered about the risk of soldiers going on a training run while wearing a fitness tracker.
  • More and more of our data will move to the cloud. (The cloud refers to software and services that run on the Internet, instead of locally on your computer. Think Spotify.)
  • Identity theft will become easier as we will develop products that can perfectly imitate our voices and other aspects of our individuality.
  • Compliance with cyber-security needs to be easier. Is there an equivalent to putting all the smart phones in a lead box before entering the meeting room?
  • We may never be ahead of the adversary.
  • The disaster of the future will be a cyber-attack.
Asked to imagine a news headline of the future, one attendee said: “Botnet of human body parts takes down the power grid.” (FYI: a botnet is a network of private computers infected with malicious software and controlled as a group without the owners' knowledge.) As we become increasingly bionic, we become increasingly vulnerable.

So what can we do? I answer that question in the 4th and final post in this series.

Wednesday, May 23, 2018

Web Secret 520: Cybersecurity - part 2

This is part 2 of a 5 part series on cybersecurity.

We are vulnerable to cyber-attacks for a variety of reasons:
  • As early as 1994 experts called for a national information infrastructure – that hasn’t happened.
  • Much of the USA’s most sensitive information is not encrypted. How comforting.
  • A recently enacted 2017 Trump law allows your internet service provider (AKA FIOS et al) to sell your metadata without your permission.
  • When companies upgrade their websites, they upgrade their security but old webpages still exist and are vulnerable to hacking. One expert said, “We have 20 years of vulnerable websites.”
  • Two-Factor Authentication was devised in the 70s but has only recently begun to have traction. In other words, we have technology to foil attacks but decision makers are slow to deploy it. And people are even slower to adopt it. Two-Factor Authentication is an extra layer of security known as "multi-factor authentication." It requires not only a password and username but also something that only the user has on them, i.e. a piece of information only they should know. For example, the answer to questions like "What is the name of your first pet?" or "What is your dream vacation spot?"
  • In an April article titled “Failed by Facebook, We’ll Return to the Scene of the Crime. We Always Do.”, the New York Times reported how even when a company is hacked, or fails to protect our privacy, we go right back to using it.

    “The reality is that when it comes to privacy, the trade-off has already been made: We decided long ago to give away our personal information in exchange for free content and the ability to interact seamlessly with others… After just about every big privacy hack over the past decade, people quickly returned to the scene of the crime, using the same store or online site that had been compromised.”

    During the Forum, one expert pointed out how even the most egregious lapse will result in only a brief downtick in a company’s stock market performance.
  • We are fighting a 21st century crime with outdated approaches. The attack vectors multiply and the preparedness of end users is very low.
  • In the 21st century, US armed forces do not manufacture the weapons they need; they subcontract with private enterprise. Similarly, US apps, software, and hardware are in the hands of the Apples, Microsofts and Googles of this world. The US government turns to these companies to police themselves.
  • Cyber-security is not primarily a technical challenge but rather a social/political problem. An educational problem. A legal problem. A policy problem.
It is concerning that several Yale Forum experts stated that there needs to be “carnage” for the country and its citizens to pay attention to cyber security. Meaning one or more people need to die as a result of a hack for the public to demand that attention must be paid. One expert even wondered if we need a “grand carnage moment” to make it happen.

Along that line, some of us during a lunch break wondered when a person’s medical history will be hacked causing them serious injury, even death. Would we even know if it happened? So far hospital records have only been hacked by ransomware.

What happens next?

To be continued next week...

Wednesday, May 16, 2018

Web Secret 519: Cybersecurity - part 1

This past March, I was the recipient of a $3,000 scholarship to attend the 2018 Yale Cyber Leadership Forum.

Yes, my alma mater charges $3,000 to attend a day and a half conference.

“The Yale Cyber Leadership Forum aims to bridge the divide among legal scholars and practitioners, technology experts, business leaders, and policymakers from across the globe on how best to understand and counter the most pressing cyber security challenges of our day.” This article aims to summarize what was discussed as it applies to mental health practitioners and organizations.

The Forum brings together a diverse set of thought leaders who are eager to share their experiences, learn more about the array of cyber threats, gather new strategies for overcoming cybersecurity challenges, and contribute to discussions of the best way to tackle the challenges ahead.

Note: Forum attendees were asked to follow the Chatham House Rule. We like to be as pretentious as possible in the Ivy League. For the rest of the world, at a meeting held under the Chatham House Rule, anyone who attends is free to use information from the discussion, but is not allowed to reveal who made any comment. It is designed to increase openness of discussion.

In a nutshell, this is what I learned:
  • The field of cyber security is in its infancy
  • Law and policy are lagging far behind technology
  • It’s not just a tech issue, it’s a people issue. More on that later.
To elaborate, our intelligence leaders believe the risk of a cyber-attack eclipses terrorism as the greatest threat to the USA. If even one of our major infrastructure components (power grid, Internet, financial system) is compromised by a cyber-attack, the other two collapse and we are headed towards catastrophe. Complicating this narrative is the fact that through the world wide web, everyone around the globe is inter-connected.

As one expert put it: “We are as secure as the rest of the Internet.” Great.

These are the countries which have the greatest expertise in cyber warfare:
  1. Russia
  2. China
  3. North Korea
  4. Iran.
Quelle surprise!

We are vulnerable to cyber-attacks for a variety of reasons, which I will explain in next week's post.

None of it is good news.

Wednesday, May 9, 2018

Web Secret 518: The Weed Tube

The US and marijuana regulation = mess.

While the federal government still views pot as illegal, most of the states are in full rebellion. No two states are alike - some have legalized both medical and recreational marijuana, some just medical, some (a minority) don't allow either.

I am fairly confident that eventually both medical and recreational will be legal.

In the meantime, there is (since March 1) The Weed Tube, a how-to channel devoted to - you guessed it - marijuana-focused videos.

If you want to take the pulse of the marijuana legalization movement, there's no better place to start.

The posts range from the fanciful to serious demos and reviews. Here are a few:

Sesh Cannabis First Impressions

How To Make A Strawberry Bowl

A week in my life – Hilton Head Island

Don't judge.

Wednesday, May 2, 2018

Web Secret 517: Protecting your privacy on Facebook

Unless you've been living under the proverbial rock, you know that Facebook is experiencing (putting it mildly) a privacy problem.

We have been advised to shut down our accounts. Realistically, not everyone wants to do that.

Wired magazine published a guerrilla warfare alternative: "A drag queen's guide to protecting your privacy on Facebook by breaking the rules."

To wit:

Change Your Name: Using a chosen name allows you a bit more control over how your data is collected, stored, and used. By adopting a chosen name, it’s possible to stay in touch with friends who can decode who you really are, while avoiding others who you’d rather not be able to find you. Plus, using a different name on different platforms makes it just a bit harder for trackers to connect the dots between your accounts, activity, and behaviors. But it’s not always practical to change your name; you may have better luck starting with a new account.

“Like” Like Everyone’s Watching: Another easy way to make it more difficult for companies to paint a clear picture of you is to give them false, misleading, or simply too much information. For example, if you don’t want to be targeted by manipulative political ads, perhaps try “liking” some pages or politicians who don’t fully match your values; the same goes for favorite brands, places, celebrities, or anything else you can support. Think of this as throwing the company off the scent.

Tag Photos Incorrectly: Similarly, try mis-tagging photos of friends—or use photos of celebrities, cartoons, or inanimate objects—to confuse Facebook’s facial recognition and computer vision algorithms.

Click All the Ads: You may also want to try clicking all the ads Facebook and other platforms deliver to you—especially the ones you’re not actually interested in. Again, this effectively hides your real interests within a sea of not-quite-real information.

Share Accounts: Finally, for those of us trying to curb our social media addictions, another option is to share an account with friends or family. That way, you can still make sure you don’t miss important updates or events, while making it harder to trace you personally.

Here's my suggestion: go through your list of Facebook friends and ruthlessly delete the people you are not close to.

At the end of the article, the author writes: "Are these foolproof? Certainly not... Are they ethical? I think so. Until companies come clean about their motives and give us real options to present ourselves authentically, to control the flow of our data, and to opt out of particular kinds of tracking, I’d say we’re justified in taking steps to protect ourselves..."

And that, my friends, is the truth.