Posts

Showing posts from 2016

Cybersecurity under the Trump Administration

A journalist asked me about cybersecurity under the Trump administration, whether anything will change. Here are my thoughts. Note that this is just my opinion and does not represent my employers or any of my funders. -------------- I don't expect much to change. President Obama already  made cybersecurity one of his top 10 priorities, and as a result, a lot of the heavy lifting has already started. However, there are still some opportunities for the  next administration . For example: A lot more research funds for longer-term thinking and solutions to big problems. Security today is dominated by the latest data breach, and there isn't enough funding for problems 5-10 years down the road, in particular Internet of Things. Another area that needs longer-term thinking and solutions is foreign countries interfering with elections . It's unclear how much happened this year, but it's only going to get worse. There are a lot of concerns that foreign countries are

Some Tips on Protecting Yourself from Ransomware

I've been asked by more and more journalists to offer some insights into various aspects of cybersecurity. I figured that since I'm already writing these up, I might as well share them with the public. This one is on ransomware. ------------------ Ransomware is a kind of malware that holds your data hostage. The malware scrambles your data and makes it so that you can't access it, unless you pay a ransom, typically in Bitcoin. It's not really clear if you can recover your data or not. Some people have been able to by paying the ransom, while others have not. Instead, the best thing you can do is to prevent being infected in the first place. Here are some tips for protecting yourself: Don't install any software you weren't expecting to install. A lot of malware and ransomware are designed to trick you into installing them. They might pretend to be anti-virus, or say that you need to update your browser. Don't do it! Be especially careful of email

Android Smartphone Settings for Privacy

I was just asked to write up some tips for managing privacy on smartphones. I figured this would be generally useful to share with folks on the Internet. 1. Many Android phones track a person's location history. You can check if Google has your location history by logging into your Google account and going to:     https://www.google.com/maps/timeline If you want to turn this feature off, on your smartphone, go to:   Google Settings (app) -> Location -> Location History Or go to:   Settings -> Location -> Google Location History ----------------- 2. You can also choose to opt out of personalized ads. Android phones can share an advertising ID with sites, and this ID can be used to build up a profile of interests. These advertising IDs are just like web browser cookies. If you want to turn this feature off, go to:   Google Settings (app) -> Ads Or go to:   Settings -> Accounts -> Google -> Personal Info & Privacy You can also use this

Toward a Safe and Secure Internet of Things

Image
I wrote up a white paper about the cybersecurity issues that we will face as the Internet of Things becomes more common. I discuss issues like physical security, scale, lack of experience by manufacturers, and lack of tools and best practices. One idea I also advance is this pyramid of IoT Devices. At the top tier we will all have a few devices that have a lot of computational horsepower, such as laptops, smartphones, and glasses. In the middle tier we will have dozens of devices that have moderate computational capabilities, but also only require a little bit of our attention. These include TVs, refrigerators, and smart toys. At the bottom tier are hundreds of cheap devices or ones that we are barely aware of. These include RFIDs, smart toilets, digital picture frames, electronic locks, smart meters, cheap environmental sensors, and more. The bottom two tiers are the ones we need to worry about the most. The top tier already has major tech manufacturers worrying about the cyb

Chase Fraud Alert from SMS 28107

I got a fraud alert on my phone this morning from SMS short code 28107. Is this legitimate? The short story, from what I can tell, is yes. The alert I got was: FREE MSG: Chase Fraud-Did you use card ending xxxx for $xx.xx at INGLES MARKETS on 07/13? If YES reply 1, NO reply 2 In cybersecurity, getting these kinds of alerts is a pretty common kind of scam. Attackers will send out lots of these kinds of SMS and email and try to get you to verify your account, essentially tricking you into sharing sensitive information. If you ever get one of these kinds of alerts, you should try to verify it independently. So I logged into my credit card account and saw that there were several purchases that morning. Looking up the name of the store, it appears to be a chain of grocery stores in North Carolina. Ok so definitely fraud. So I responded with a "1" to the SMS message, and it said that Chase would call when a specialist is available, or call the number on the card. There&

Should companies be allowed to "hack back" against thieves?

Here are my comments on New America responding to the question of whether companies should be allowed to hack back against thieves . Companies should absolutely not hack back against cyber thieves. One major concern is attribution, namely knowing that you have identified the right parties. Intruders typically use other people’s computers and servers, so odds are high that a company would simply be attacking an innocent party. Furthermore, if a company does take down an attacking server, they might take down many other innocent third-party web sites and services, which would make the company potentially liable for damages. Companies also have varying levels of talent and resources. While a very large tech company might be able to mount a proportional countermeasure, the vast majority of companies can’t. It would only be a matter of time before one of these other companies oversteps its bounds and inadvertently causes collateral damage and a great deal of embarrassment. Lastly,

My Article in Slate on Human Weaknesses in Cybersecurity

I published an article on Slate about human aspects of cybersecurity . A great deal of metadata and surrounding context can still be inferred from unclassified emails. These inferences might include the social connections between people, the names of projects a person is working on, how emails are formatted, and what jargon a person uses. On the surface, this kind of information might seem innocuous. However, in the hands of a skilled and patient adversary, this information can be used to exploit human weaknesses in cybersecurity.