Tuesday, November 15, 2016

Cybersecurity under the Trump Administration

A journalist asked me about cybersecurity under the Trump administration, whether anything will change. Here are my thoughts. Note that this is just my opinion and does not represent my employers or any of my funders.


I don't expect much to change. President Obama already made cybersecurity one of his top 10 priorities, and as a result, a lot of the heavy lifting has already started.

However, there are still some opportunities for the next administration. For example:
  • A lot more research funds for longer-term thinking and solutions to big problems. Security today is dominated by the latest data breach, and there isn't enough funding for problems 5-10 years down the road, in particular Internet of Things.
  • Another area that needs longer-term thinking and solutions is foreign countries interfering with elections. It's unclear how much happened this year, but it's only going to get worse. There are a lot of concerns that foreign countries are using our very own social media to foment uncertainty and unrest.
  • More funds for education. Right now, only about half of developers today have degrees in computer science. But even then, only 3 of the top 50 CS programs require students to take any computer security courses. Furthermore, security goes beyond computer science. We could expand cybersecurity to students in psychology (e.g. social engineering), visual design (e.g. warnings), and so on. There's also just educating the public at large.
  • Expand security to also encompass privacy too. There are many emerging technologies that have tremendous potential to benefit society, such as big data, autonomous vehicles, Internet of Things, and so on. However, these technologies will only be adopted if people feel like they understand what personal data these systems are using, and if they feel that they are in control of these systems.
On a side note, this doesn't deal with cybersecurity as it is conceived of today, but it's a different form of technology and national security. Basically, a lot of jobs are being automated out of existence. For example, once Uber, Google, Tesla, or Ford create a reliable and commercially viable autonomous vehicle, there are tens of thousands of jobs that will never come back. And it's not just the drivers of taxis or eighteen-wheelers, but also people who run the motels, gas stations, and diners
that formed part of the support ecosystem for drivers. And, no politicians are discussing any real solutions to this problem today.

Some Tips on Protecting Yourself from Ransomware

I've been asked by more and more journalists to offer some insights into various aspects of cybersecurity. I figured that since I'm already writing these up, I might as well share them with the public. This one is on ransomware.


Ransomware is a kind of malware that holds your data hostage. The malware scrambles your data and makes it so that you can't access it, unless you pay a ransom, typically in Bitcoin.

It's not really clear if you can recover your data or not. Some people have been able to by paying the ransom, while others have not.

Instead, the best thing you can do is to prevent being infected in the first place. Here are some tips for protecting yourself:

  • Don't install any software you weren't expecting to install. A lot of malware and ransomware are designed to trick you into installing them. They might pretend to be anti-virus, or say that you need to update your browser. Don't do it!
  • Be especially careful of email attachments. A lot of malware and ransomware are spread through email. A lot of these will be caught by spam filters, but check the file extension of attachments before downloading and opening them. Avoid anything with .exe or .com
  • Backup your data regularly. Keep your most important files on a separate backup hard drive, or even on cloud services.

Wednesday, October 05, 2016

Android Smartphone Settings for Privacy

I was just asked to write up some tips for managing privacy on smartphones. I figured this would be generally useful to share with folks on the Internet.

1. Many Android phones track a person's location history. You can check if Google has your location history by logging into your Google account and going to:

If you want to turn this feature off, on your smartphone, go to:
  Google Settings (app) -> Location -> Location History

Or go to:
  Settings -> Location -> Google Location History


2. You can also choose to opt out of personalized ads. Android phones can share an advertising ID with sites, and this ID can be used to build up a profile of interests. These advertising IDs are just like web browser cookies.

If you want to turn this feature off, go to:
  Google Settings (app) -> Ads

Or go to:
  Settings -> Accounts -> Google -> Personal Info & Privacy

You can also use this screen to generate a new advertising ID if you wish.


3. You should add a screen lock to your phone, just in case you lose your phone or if it's stolen. You can find the right settings if you go to:
  Settings -> Security


4. You should also turn on remote location and remote lock and erase, in case you lose your phone. To do this, go to:
  Google Settings (app) -> Security

You'll see that there are some other useful features here for protecting your phone.


5. You can also see basic personal information Google has about you, and do some basic privacy settings here:
  Google Settings (app) -> Personal info & privacy


6. Lastly, you can go to http://myaccount.google.com to manage settings that are connected with your
Google account (rather than just your smartphone). In particular, try out the Privacy Checkup.

Thursday, July 28, 2016

Toward a Safe and Secure Internet of Things

I wrote up a white paper about the cybersecurity issues that we will face as the Internet of Things becomes more common. I discuss issues like physical security, scale, lack of experience by manufacturers, and lack of tools and best practices.

One idea I also advance is this pyramid of IoT Devices. At the top tier we will all have a few devices that have a lot of computational horsepower, such as laptops, smartphones, and glasses. In the middle tier we will have dozens of devices that have moderate computational capabilities, but also only require a little bit of our attention. These include TVs, refrigerators, and smart toys. At the bottom tier are hundreds of cheap devices or ones that we are barely aware of. These include RFIDs, smart toilets, digital picture frames, electronic locks, smart meters, cheap environmental sensors, and more.

The bottom two tiers are the ones we need to worry about the most. The top tier already has major tech manufacturers worrying about the cybersecurity issues, but the other two often do not. Plus, devices in the bottom two tiers can't run standard endpoint security, will likely have battery constraints, poor networking, and minimal CPU processing.

Wednesday, July 13, 2016

Chase Fraud Alert from SMS 28107

I got a fraud alert on my phone this morning from SMS short code 28107. Is this legitimate? The short story, from what I can tell, is yes.

The alert I got was:
FREE MSG: Chase Fraud-Did you use card ending xxxx for $xx.xx at INGLES MARKETS on 07/13? If YES reply 1, NO reply 2
In cybersecurity, getting these kinds of alerts is a pretty common kind of scam. Attackers will send out lots of these kinds of SMS and email and try to get you to verify your account, essentially tricking you into sharing sensitive information.

If you ever get one of these kinds of alerts, you should try to verify it independently. So I logged into my credit card account and saw that there were several purchases that morning. Looking up the name of the store, it appears to be a chain of grocery stores in North Carolina. Ok so definitely fraud.

So I responded with a "1" to the SMS message, and it said that Chase would call when a specialist is available, or call the number on the card.

There's a minor risk here with the first option, which is that getting a phone call from an unknown number doesn't mean that it's legitimate. In computer security, this is the mutual authentication problem, which is that while your credit card company can verify if it's you or not, you don't have any easy ways of verifying if it really is your credit card company calling you.

The safe thing to do here is the second option, which is to call the phone number on the back of the credit card.

Now, as someone who does research in cybersecurity, even all of this is not guaranteed. It's possible that a hacker could have intercepted my web browser request to Chase's web site, knew the last 4 digits of my credit card, knew my mobile phone number for SMS (SMS can be spoofed), and intercepted Chase's 1-800 number, but the combination of all of these is pretty low. Plus, if a hacker were skilled enough to do all of the above, they would chase after bigger fish than me.

So a new credit card is on the way, and the damage is limited, both for me and for Chase. I should also say good on Chase for having an excellent fraud detection department too. This is actually the first time Chase has warned me about possible fraud on my credit card, despite all of my travels around the world, and they got it right.

Wednesday, March 16, 2016

Should companies be allowed to "hack back" against thieves?

Companies should absolutely not hack back against cyber thieves. One major concern is attribution, namely knowing that you have identified the right parties. Intruders typically use other people’s computers and servers, so odds are high that a company would simply be attacking an innocent party.
Furthermore, if a company does take down an attacking server, they might take down many other innocent third-party web sites and services, which would make the company potentially liable for damages.
Companies also have varying levels of talent and resources. While a very large tech company might be able to mount a proportional countermeasure, the vast majority of companies can’t. It would only be a matter of time before one of these other companies oversteps its bounds and inadvertently causes collateral damage and a great deal of embarrassment.
Lastly, in the unlikely case that a company could pinpoint who the attackers are and guarantee a precise counterattack, it is worth pointing out that some cyber thieves are state sponsored. As such, hacking back could spark an unwanted international incident.
A better alternative is to consider softer countermeasures that can slow down thieves and help law enforcement. For example, some banks feed fake data into phishing web sites, to make it easier to trace criminal activities. Many companies also run honeypots, which are servers that, when hacked, contain fake content and a great deal of monitoring software. This kind of approach makes it easier to identify attackers and their strategies, and potentially deter thieves as well.

My Article in Slate on Human Weaknesses in Cybersecurity

I published an article on Slate about human aspects of cybersecurity.
A great deal of metadata and surrounding context can still be inferred from unclassified emails. These inferences might include the social connections between people, the names of projects a person is working on, how emails are formatted, and what jargon a person uses. On the surface, this kind of information might seem innocuous. However, in the hands of a skilled and patient adversary, this information can be used to exploit human weaknesses in cybersecurity.