Cyber Security: the Dos and the Don’ts

Image credit: Wikipedia

Cyber security.

What a sexy term!

We can imagine the Hollywood CGI-heavy blockbuster already: nerdy kid typing away, some random series of integers and characters streaming across an old terminal-type display, and the fate of the entire world (at least!) hanging in the balance. Gotta hack that encrypted hashed password that only a computer genius (or at least a hyper-active three year old) could possibly crack.

Only in real life, everything is quite different.

A few years ago I was at a cyber security conference that was heavily attended by government employees from all the well-known acronym agencies. Two things stood out: the private sector was decades ahead of the feds; and the feds were really, really dumb.

Now, I didn’t expect much because I’d been doing work for certain acronyms and I knew that they couldn’t even send emails to each other through their incompatible internal systems so they’d attach top secret unencrypted files to each other via Yahoo!mail and Gmail. From their ancient computers running no-longer-supported versions of Windows.

But even though I’d set my mental bar very low, these guys were unable to clear it.

Exhibit one: the then-CIO of the FBI boasting about how he dealt with a new hire who within 30 minutes of starting work demonstrated that it was child’s play to hack the centralized FBI database holding details of every single agent in the country. When this enthusiastic new hire, on his first morning, explained to his superior how vulnerable the database was and presented suggestions about how to improve its resilience against intrusion, the FBI did the predictable thing: they had the employee arrested and charged with treason. Problem solved.

According to the proud and manly chest-thumping CIO they never did fix the many security vulnerabilities the employee exposed. They simply threw him in jail, convinced that by making an example of him everyone else in the entire world would thereby be deterred from hacking their systems. Or more likely, they just didn’t think at all.

One more fun fact: when setting up the computer equipment used in covert surveillance vans, FBI techs used to name their WiFi networks things like FBI7. So if you were a foreign operative and you wanted to know if the FBI was watching you, all you had to do was look on your smartphone settings for nearby WiFi options.

It’s not surprising that the world’s intelligence agencies refer to the FBI as “the feebs” (i.e. feeble-minded). But the other acronyms aren’t really much better.

Exhibit two: one of Microsoft’s cyber security experts held a panel for government employees & contractors to explain how important security was and how it could be achieved. Her two (and only two) talking points were (i) install updates regularly, and (ii) don’t always use password as your password because, well, there are some really, really, smart people out there who will likely guess it.

She obviously knew her audience. But even so I heard a couple of govvies whispering to each other, “So how am I supposed to remember a different one?”

Meanwhile in the corporate sector we have supposed security experts telling the IT guys they need to enforce a policy of mandatory password changes every 6 months. All this does is ensure that employees write their passwords down on post-it notes or simply increment as per password, password1, password2, etc.

Today any bad actor can use cloud services to perform a brute force attack on password protection and crack 99.999% of passwords within a few minutes. Changing the password every six months is therefore hilariously useless. Better to have a decent password you can remember than to have the inconvenience of incrementing twice a year for no benefit whatsoever.

Then there is more sensible advice such as “have a different password for each website account.”

This sounds lovely, except most of us won’t remember a plethora of passwords. The hi-tech solution is to use a password vault but then… sigh… What if a bad actor hacks the vault? Sure, it’s encrypted etc. but really, we need a password to get into our vault and so that password is subject to vulnerability: it can be cracked in seconds or, more likely, we’ll give it away without realizing we’ve been phished.

And now all our passwords are available to Mister Bad Actor.

Tech folk always look for whizzy tech solutions and that’s often what makes the solutions so vulnerable. Sometimes low-tech is the way to go.

If we want to follow the advice and have a different password for each account, each website, etc. we can just write them down on a piece of paper and store it in a locked filing cabinet. Unless we have a super-important job (President of the USA, CFO of MegaCorp Inc) no one is going to break into our house in the hope that we are hiding the passwords to offshore bank accounts stuffed with embezzled funds. We’re just not worth that kind of effort and risk.

If we don’t like that idea, perhaps because we won’t always be home to retrieve the paper on which our passwords are written, we can try this instead:

We can choose one simple password we will always remember, maybe 8 to 10 characters/integers in total. Let’s use the example Guardian4.

Now let’s create a salt.

A salt is merely a mental algorithm that alters the password a little. Let’s make our salt a simple displacement of 2 characters backward: every letter and digit in the password is shifted two places back. We can decide to use this for when we log into our BigBank checking account.

Now the password changes from Guardian4 to Esypbgyl2.

We can store a file on our phone or laptop to remind us: BigBank-2

We can create another more complex salt for the same password, this time to use for our NewFlix account:

NewFlix +3-1

Here we take Guardian4 and increment the G three places forward so it becomes J. We then decrement the u and move it one place back so it becomes t. We then increment the a three places forward so it becomes d, decrement the r one place back so it becomes q, and so forth until we get Jtdqghdm7.

If anyone steals our phone or the piece of paper we’ve written this down on, they can’t easily reverse-engineer the salt because they won’t know the original password (Guardian4) and frankly they probably won’t understand the notation we’re using to remind ourselves of which salt to apply to which account. Most hackers aren’t computer geniuses with advanced math degrees; they’re relatively unsophisticated individuals relying on kiddy scripts they download from the Internet.
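The per-account shift scheme described above, written out as an added example (this is not the author’s code, and the page gives no code): it applies a repeating shift pattern to the base password and parses the reminder notation from the notes ("-2" for BigBank, "+3-1" for NewFlix). One assumption not spelled out on the page is what happens at the ends of the alphabet; here the shift wraps around, so y shifted by +3 becomes b and 9 shifted by +3 becomes 2. Characters that are neither letters nor digits are left unchanged.

```python
import re
import string

# Character classes the shift operates on; anything else is left as-is.
ALPHABETS = (string.ascii_lowercase, string.ascii_uppercase, string.digits)


def shift_char(ch: str, offset: int) -> str:
    """Shift one character within its own class (lower, upper or digit).

    Assumption not stated on the page: the shift wraps around, so 'y' + 3
    gives 'b' and '9' + 3 gives '2'. Punctuation is returned unchanged.
    """
    for alphabet in ALPHABETS:
        if ch in alphabet:
            return alphabet[(alphabet.index(ch) + offset) % len(alphabet)]
    return ch


def parse_rule(rule: str) -> list[int]:
    """Turn a reminder note such as '-2' or '+3-1' into a list of offsets.

    An en dash (as typed in some notes, e.g. '+3–1') is accepted as a minus sign.
    """
    offsets = [int(m) for m in re.findall(r"[+-]\d+", rule.replace("\u2013", "-"))]
    if not offsets:
        raise ValueError(f"no shift offsets found in rule {rule!r}")
    return offsets


def derive(base: str, pattern: list[int]) -> str:
    """Apply the offsets in `pattern` to `base`, cycling through the pattern.

    derive('Guardian4', [-2])    -> the BigBank password
    derive('Guardian4', [3, -1]) -> the NewFlix password
    """
    return "".join(shift_char(ch, pattern[i % len(pattern)]) for i, ch in enumerate(base))


def derive_all(base: str, notes: dict[str, str]) -> dict[str, str]:
    """Derive every account password from the base password and the reminder notes."""
    return {account: derive(base, parse_rule(rule)) for account, rule in notes.items()}


if __name__ == "__main__":
    # Constructed sample: the page's base password and its two reminder notes.
    notes = {"BigBank": "-2", "NewFlix": "+3-1"}
    for account, password in derive_all("Guardian4", notes).items():
        print(f"{account}: {password}")
```

Running it reproduces Esypbgyl2 for BigBank and Jtdqghdm7 for NewFlix. The point worth checking is how small the space of patterns is: a note like "+3-1" selects one of only a few hundred short offset sequences, so the derived passwords are only as secret as the base password itself, and one derived password known together with the base reveals the pattern for that account immediately.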

Of course, all passwords can be brute forced unless they have ultra-heavy encryption, but at least with a salt we prevent the casual kid from taking the easy way into our online accounts. And as most hacking is opportunistic, this means we’re protecting ourselves from at least 95% of the likely threats we’ll face with regards to password breaking.

It would be lovely if two-factor authentication, the current sexy beast in town, were a rock-solid approach but sadly it’s not. Sure, a combo password and code sent by text message to our phone is better than just password alone, but because the backbone of all phone & SMS communications is a seven-decade old protocol (SS7 or C7) that was never designed to be secure, it’s actually quite easy for a determined hacker to spoof SS7 with the right equipment. The result is that provided they know our phone number (and that’s not difficult to obtain) they can re-route the SMS containing the verification code to their own phone and thus log in apparently as us. And we’ll never know about it.

As for facial recognition and fingerprint recognition…

So, short take-away: outside of ultra-complex and highly expensive systems utilized by very, very few organizations anywhere, most security isn’t that secure after all.

The greatest risks aren’t, however, technological per se. We are our own greatest vulnerability.

A few years ago a colleague of mine held a security seminar at a well-known corporation headquarters. One thing she stressed to her audience was the importance of never, ever, plugging a flash drive into a computer unless they could be 100% certain of its origin and contents. Everyone agreed that would be a really stupid thing to do.

Then she left a few flash drives lying around in the carpark.

Yes, that’s right: they were all picked up and within two days every single one had been plugged into both work and personal computers. According to intelligence experts, every one of the USA’s acronym agencies has been compromised at some point over the last decade by this simple ruse alone.

Another favorite is an “official” email from the corporate IT team asking people for their credentials as part of an audit, or because of an imminent upgrade, or for some other plausible-sounding reason. If you work for XYZ Corp then the sender address will likely be something such as security@itgroupXYZ.com.

Looks legit, right? Except of course it’s not.

I was working at a global pharmaceuticals company a handful of years ago when this type of phishing email appeared in everyone’s inbox. Within an hour the IT security team notified everyone that they should not, repeat NOT, respond to this email. But by then 47% of employees in the three North American time zones had already hit REPLY and sent the requested information.

When it comes to smartphones we’re even worse. People download apps on a whim. Most apps won’t work unless we’ve set permissions for location tracking and all manner of other intrusive monitoring. Many apps automatically record every call we make, every text we send & receive, every place we go, every Internet search we perform. This information is then sent to the companies that made the apps, or to other third parties altogether that we know nothing about. And we don’t mind because, hey, all our friends are using it and if we’ve done nothing wrong we have nothing to fear and everything happens for a reason that was meant to be, or something.

Now let’s think a moment about our children, who are even more naïve and insouciant than we are.

How do we feel about the fact it’s essentially effortless these days for a reasonably sophisticated pedophile willing to spend a few dollars to know exactly where our children are and whether they’re alone or not because one or more of those fun apps is providing all the data they need?

How do we feel about the fact that those lovely shiny computers in school are wide open to intrusion? And so all the details about our children: their ages, names, addresses, photographs, are available to anyone who feels like acquiring them.

The fact is, we’ve failed to understand the importance of privacy and we’ve focused largely on the wrong problems. Cyber attacks, at the end of the day, aren’t about clever technical exploits so much as about simply exploiting human nature: our laziness, our complacency, and the ease with which we can be tricked into handing over private information or not even caring enough to keep it safe in the first place.

But in an era when people pay their own money to put digital spies into their own homes (“Hello Alexa…”), I suspect nothing much is going to change. Which means bad actors will continue to enjoy essentially unfettered access to everything that’s important to us yet which we carelessly expose at every turn.
