
How Secure is My Digital Self?

Sitting here watching TV and thinking about everything that is traversing the globe, I start to wonder how often my digital self moves around this blue rock. Then I start to think about where digital me has rested or how many copies of digital me there are in the ether.

Are there full copies of digital me or partial? Maybe it is a combination of the two but I wonder how many. I am going to go with thousands. Yes there are thousands of copies of digital me running around or kicking back having a digital brew.

Now these digital representations of me are in the hands of the government (maybe I should say governments) and commercial entities. There may even be some copies in the hands of private individuals, for all that I know. Though it does make me wonder why; I mean, I am great and all, but there has to be somebody better to collect.

With thousands of copies here, I could go off on the ‘Many Worlds’ theory, in which there are infinite numbers of copies of biological me with thousands of infinite numbers of copies of digital me, but I will not do that...today. No, I want to think about the types of entities that hold my digital self and who I should be most worried about at this time.

First I am going to drop the private individuals from my thinking just because I do not think I have a stalker at this time and I am not that paranoid. Maybe as I get older I will bring this type back into the mix. For now I will focus on the government and corporate entities.

Of the two, I am more worried about the digital me that is held by corporate interests versus the digital me held by the government. I feel that the danger to biological me will come from the corporate interests. When I say danger I am not focusing on physical harm, though it could come to that. No, I am looking at mental and financial harm from the misuse of digital me.

Google, Microsoft, Apple, insurance, banking, and even the fast food industry, to name a few, have a digital image of me that I could probably not duplicate in years. This image, this digital picture of me, tracks biological me; it predicts what biological me will do. Digital me carries my various usernames and passwords. It can be used to determine what types of restaurants I like and where I travel. My health information is out there, and not all of it is protected.

Health information: it is sometimes so hard to get the doctor to release health information to the patient. It is your information, is it not? It took a week for me to get my dental records, they charged me $20.00, and I watched as the receptionist stuck them in the machine and then waited on someone else. I could have gone to Kinko’s, brought the originals back, and had money left for KFC with a cookie dessert for two.

OK, I digress, but it came to me and I had to get it out. Needless to say, all this information out there can be used against me, or it can be used in ways that are not in my interest. The worst part of it is that I don’t own digital me. Whoever owns the place where digital me is stored or transits owns me. I have knowingly, in some cases, given away parts of digital me for free stuff. Those loyalty cards are from the devil.

OK, enough prattle: why is this a security issue, and why a cyber security issue? Well, my worry is predictive behavior. The worry is that these companies will have such an excellent picture of me, and that their computer models will be so accurate, that they will model my behavior and sell it. What if it could predict how I choose passwords?

Now I think that I have a good method for choosing passwords, but if the model is that good then maybe my method is not that good. I am not as random as I think. Am I not as secure as I thought? Are my 16-character passwords weak even though they do not repeat and use letters, numbers, and special characters? Can my encrypted data stored in the cloud be retrieved and decrypted in less than a day?

Can my identity be stolen not by a breach at the local Home Depot, but by someone purchasing digital me from Google or some unknown commercial data warehouse? Are these corporate entities making it easier?

What do you think?


Automation, Religion & Security

As I grow older with teenage children, I find myself looking at aspects of life that have a negative bearing on security, but not from the traditional point of view. My current thoughts are on how security in the world is affected by automation and religion.

Right, I am thinking that information security, cyber security, or whatever you want to call it, is being negatively affected by automation and religion. You are probably saying to yourself that it is obvious that automation affects security, since it opens up additional avenues for penetration: network accessibility on the factory floor allows control from across the building or from across the country. We have seen how SCADA in power generation is allowing centralized control of power plants via the Internet.

So we know that automation opens the attack fabric. What I now see is that with the open fabric and the increase in population there is a greater danger. Western civilization is in the middle of a divide between the haves and the have-nots. The divide in income between the rich and the middle class is growing fast, while the divide between the middle class and the poor is shrinking, and not in a good way.

Now let’s bring in the topic of religion. Most religions have the goal of procreation. The need to increase numbers is not just a human need but is seen in all aspects of life on Earth. The desire to increase one’s genetic code is a hard-wired act. Religion just puts the words behind it, with the force being that God wants you to do it or you are a bad person. The person of the cloth wants the flock to increase. An increase in the flock leads to more money and/or power (more likely “and” than “or”).

The increase in population together with the increase in automation means that a greater portion of the population will have no hope of contributing to society. Rather, they will increasingly become a greater burden. The service industry has no hope of absorbing this sub-set of the population. Maybe it will not be a sub-set but rather a super-set of the population. We are really speaking to the increase of the disenfranchised: an increase in those who are seeking something to give meaning to their lives, such that they feel that they make a difference.

News reports are showing that radicals are being created from this population. How else would one explain the ability of such organizations as ISIS to recruit from Western society? Our political leaders seem astounded that young men and women are being drawn to these so-called fringe elements.

Going back to the automation side, there are a number of good aspects to automation. Quality of products is greater, as is the ability to provide products that are the same with minimal variation. Automation brings efficiencies that humans will never achieve. Automation reduces the number of humans needed to produce the same number of products. Automation can reduce the amount of physical theft, though, as stated earlier, it increases the cyber avenues for breaches. Automation has also opened the door for a larger number of people to utilize and study computer science to further the automation trend.

Though it brings efficiencies, it disenfranchises more and more people, which drains the hope from those individuals. What do you do for a population that cannot hope for something better? Increasingly the American dream is out of reach for those who need it most.

The problem is even worse if we think about feeding an increasing worldwide population. The number of farmers is decreasing as big agricultural entities move in to grow not just food but fuel for the energy-starved industrial complex. We can’t blame the industrial complex. Their goal is to increase income and decrease cost. For industry, humans are a large cost.

Historically, a son would follow his father into a career field. This gave generations of factory workers or farmers. People knew the direction their lives would take. During the industrial age there was always the American dream, with the house and a two-car garage.

Our religious leaders say be fruitful and multiply, but they offer no solution to how to feed and direct the growing population. I realize the Bible states we should be fruitful and multiply, but even Pope Francis has said that Catholics do not need to breed like rabbits.

Religion cannot ask this of people anymore. Our religious leaders need to come up with sound solutions to the problems that we face. It also cannot be a blind redistribution of wealth; that will not solve the problem. It may lower the number of disenfranchised, but not to a level that will relieve the pressure of hopelessness.

OK, so how am I tying this into cyber security? The Internet gives power to those without. It levels the playing field a bit for corporations big and small, and for countries that don’t have a large military to project power. Those with no voice in the physical world can find that they have a megaphone on the net.

Recently the Danes announced that they would be putting in approximately $74 million for a cyber offensive capability: http://www.defensenews.com/story/defense/policy-budget/cyber/2015/01/08/denmark-cyber-hackers-china-terma/21448705/

The Danish military wants to get into the cyber warfare arena. I have always thought of the Danes as the other neutral guys, but on the net any country can play with the big dogs.

This just leads me to the conclusion that with net access, a tiny bit of skill to cover your tracks, and the Metasploit framework, anyone can be a cyber threat. With the disenfranchised growing, the threat is growing.


What Keeps Me Up @ Night - Mobile Part II

What Keeps Me Up @ Night and what should keep you up as well is a short series on different tech items that worry me as we march to the future. The first topic will be on mobile devices.


This is Part II of the mobile theme. Please read part I so that you can follow my thoughts on this topic. Now in part I, I talked about the trend of placing large amounts of PII, financial, and other data on mobile devices.

In Part II, I am going to talk about user access to these devices. I break mobile devices into three categories: a) mobile phones (cell phones), b) tablets, and c) netbooks/laptops with cellular connectivity. Access to these devices is typically through a username and password/passcode. The exceptions to this rule are usually categories a and b.

The exceptions take the form of not having a username and only using the password/passcode. Why do these exceptions exist? One reason is that the devices in these two categories typically have only one user. Therefore there is no need for a username from the OEM’s perspective. OEM stands for original equipment manufacturer.

Now for cell phones, after you lock the device you need to put in a 4-digit PIN (personal identification number), also known as a passcode. This is not a password. Passwords can have letters, numbers, and/or special characters. Passwords tend to be stronger, read more secure, than passcodes/PINs.

Thus the security control for cell phones and most tablets is a 4-digit PIN. This is what is protecting the user’s data, your data. Now some cell phones and tablets will turn the device into a brick (lock down the device so it is unusable) or erase the data if someone enters the wrong PIN/passcode a certain number of times. This means that some devices will shut down if someone enters the wrong 4 digits 4 or more times. The number of times is usually determined by the owner.

One of the problems is that most people who own these devices do not know about this feature and either don’t enable it, or enable it, forget their code, and are then locked out of their device and must reset it to factory settings and start all over again.

The other problem is that the 4-digit PIN is not that secure. Some people will use numbers that are easy to remember, say their address, birthdate, or even 1111. Yes, 1111 has been used by some individuals. Scary, right? The 4-digit PIN is also susceptible to shoulder surfing.

Shoulder surfing is the art of looking over someone’s shoulder as they enter information. This has been used to get individuals’ PINs at ATMs. Experienced shoulder surfers can look at the position and movement of the person’s fingers to determine which numbers were entered at an ATM. This method can be used to determine the PIN of a mobile device.

There are other ways to determine the 4-digit code besides shoulder surfing. Another method would be to look at which keys were used to enter the PIN. The attacker (the person trying to get to your data) may not know the correct sequence in which the numbers were entered, but knowing the numbers decreases the number of combinations that need to be tested.

Now most tablets and netbooks/laptops allow you to use a true password rather than a simple PIN. This provides greater security than a PIN. As stated earlier, a password may contain letters, numbers, and even special characters. Passwords are usually longer than 4 characters in length. The longer the password and the more varied the characters used, the stronger the password.

From Wikipedia: “Password strength is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. In its usual form, it estimates how many trials an attacker who does not have direct access to the password would need, on average, to guess it correctly. The strength of a password is a function of length, complexity, and unpredictability.”[1]
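To put numbers on the points above (the size of the 4-digit PIN space, how much a lockout limit or a shoulder-surfed set of keys shrinks what an attacker has to try, and how length and character variety grow a password's guess count), here is an added Python example. It is not code from the original post; the weak-PIN rules, the 10-attempt lockout and the character-set sizes are assumptions chosen for illustration, not any device maker's actual policy.

```python
"""Guess-count estimates for 4-digit PINs versus passwords.

Added example, not from the original post. The lockout limit, the
weak-PIN rules and the character-set sizes are illustrative assumptions,
not any device maker's real policy.
"""
from itertools import product
from math import comb, log2


def pin_space(length: int = 4) -> int:
    """Number of numeric PINs of the given length (10 choices per digit)."""
    return 10 ** length


def pins_using_exactly(keys, length: int = 4) -> int:
    """How many PINs of `length` digits press every key in `keys` and no
    others. This is the search space left to someone who saw *which*
    keys were touched but not the order (the shoulder-surfing case in
    the post). Counted by inclusion-exclusion over onto-mappings."""
    k = len(set(keys))
    if k == 0 or k > length:
        return 0
    return sum((-1) ** j * comb(k, j) * (k - j) ** length for j in range(k + 1))


def enumerate_pins_using_exactly(keys, length: int = 4) -> list:
    """Brute-force list of the same candidates; cross-checks the
    closed-form count above on small inputs."""
    keys = sorted(set(keys))
    return ["".join(p) for p in product(keys, repeat=length) if set(p) == set(keys)]


def is_weak_pin(pin: str) -> bool:
    """Assumed denylist rules: a repeated digit (1111), a run (1234/4321),
    or something that looks like a birth year. Illustrative only."""
    if len(pin) != 4 or not pin.isdigit():
        return True
    if len(set(pin)) == 1:
        return True
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    if steps in ({1}, {-1}):
        return True
    if 1900 <= int(pin) <= 2030:
        return True
    return False


def fraction_reachable_before_lockout(space: int, max_attempts) -> float:
    """Share of the space an attacker can actually try before the device
    wipes or locks. None means no lockout is enabled (the default the
    post warns about)."""
    if max_attempts is None:
        return 1.0
    return min(max_attempts, space) / space


def password_space(length: int, charset_size: int) -> int:
    """Number of passwords of `length` drawn from `charset_size` symbols."""
    return charset_size ** length


def entropy_bits(length: int, charset_size: int) -> float:
    """log2 of the space: each extra character adds log2(charset) bits."""
    return length * log2(charset_size)


if __name__ == "__main__":
    print("4-digit PIN space:", pin_space())
    print("PINs using exactly the keys 1,2,3,4:", pins_using_exactly("1234"))
    print("PINs using exactly the keys 1,2,3:  ", pins_using_exactly("123"))
    share = fraction_reachable_before_lockout(pin_space(), 10)
    print(f"10 tries before lockout cover {share:.1%} of the PIN space")
    for pin in ("1111", "1234", "1985", "7294"):
        print(f"  PIN {pin} weak? {is_weak_pin(pin)}")
    print("4-digit PIN:                  %.1f bits" % entropy_bits(4, 10))
    print("8 chars, digits+letters (62): %.1f bits" % entropy_bits(8, 62))
    print("16 chars, 94 printable ASCII: %.1f bits" % entropy_bits(16, 94))
```

Two things the numbers show that the prose only hints at: knowing which four distinct keys were pressed cuts 10,000 candidates to 24, and a lockout after 10 wrong tries leaves an attacker 0.1% of the PIN space, which is why the post's advice to enable that feature matters more than the PIN itself. The bit counts assume every character is chosen uniformly at random, which a birthday or 1111 is not; that is exactly the gap the denylist check is there to catch.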

There is still one thing missing, and that is the username. Netbooks/laptops typically make use of usernames in the login process. The username, if implemented correctly, is associated with one and only one user. Each username has one and only one password associated with it.

If the mobile device makes use of passwords and usernames, then the device has close to adequate access control. This is usually strong access control for the average user. But as was discussed above, most mobile devices do not employ usernames and passwords; instead they rely on the 4-digit PIN.

I hope this keeps you up at night thinking about how much information is stored on the mobile device and how little security protects access to that data. I will discuss other aspects of the mobile device in Part III.

1. “Cyber Security Tip ST04-002: Choosing and Protecting Passwords”. US-CERT. Retrieved June 20, 2009.

Follow me also at: Google+ | LinkedIn

What Keeps Me Up @ Night - Mobile Part I

What Keeps Me Up @ Night and what should keep you up as well is a short series on different tech items that worry me as we march to the future. The first topic will be on mobile devices.

Mobile devices are/will be the new method for compromising infrastructures. These devices are becoming ubiquitous. Corporations and individuals are tying these devices into their corporate and personal networks. Mobile devices offer the user access to their data without regard to their geographic location.

Mobile devices have allowed organizations to downsize and improve the bottom line by allowing their workers to access and manipulate data on the corporate servers while sitting in the customer’s spaces. Productivity amongst the corporate sales forces has increased with the incorporation of mobile devices into their arsenal.

Now I have presented what I think are the benefits of using mobile devices. I will not go into the downside of these devices from a social aspect. I refer to the mobile device serving as the gateway for interactions with other people rather than simply talking to them face-to-face. That is for another area. My colleague/wife who is a director of social media can/will handle that topic. 

Now what I am discussing here is going to be obvious to those in the security and IT realms. This writing is for the average person who needs to be aware of the dangers of these devices and not approach them as little bundles of sunshine.

Let’s first think about how some individuals use these devices. For the younger generation the mobile device is their primary connection to the world. They do not have a landline phone, and the phone or tablet device may serve as the primary (read: only) connection to the Internet.

The device is their gateway. Bills are probably paid using the device. Access to financial and healthcare data is through the device. Personally Identifiable Information (PII) is now stored on the device. In the near future, Near Field Communication (NFC) will offer the user the ability to use these devices in lieu of a credit card.

Now the device is not just for verbal or text communications; it is handling transactional data exchanges, PII, and other sensitive data about its user. All this data is stored in a convenient device that is portable. This data, if it is backed up at all, is probably not easily retrieved. So what happens when the device breaks? I mean the screen cracks, it gets wet, or it just drops and becomes unresponsive.

The user is now up the (you know what) creek, and their mobile device was the paddle. Their only paddle in this boat is the mobile device. Take a look at Apple: if you drop your iPhone in water, then you are probably going to have to pay full price for a replacement. Do it twice in one year and you are over a thousand dollars in replacement costs.

The younger generation, by which I mean those people in the range of 15 – 25 years of age, are more reliant than any other group on these devices. They are also the most likely to damage or lose their devices. This is the generation that is growing up with the digital social network. They are sharing more of their PII.

The reliance on these devices as the gateway for all electronic communications is a recipe for disaster. The realization is that this will get worse; more and more people will fall into this situation. What can we do to remediate?

The first thing I would suggest is backing up your data. Some would say decrease the reliance on mobile devices, but I feel that this trend is established.

Data must not only be backed up to some other system, device, or cloud, but there must be a mechanism for the data owner to access the data in a reasonable timeframe. There are a number of commercial solutions for backing up data, such as Carbonite, iCloud, or Amazon. There are also a number of freeware applications that facilitate backing up data. The main thing is to pick something and use it.

When I say use it, I mean make backups on a regular schedule. Don’t allow yourself to become complacent. Now with all of that said I have to go and follow my own advice.
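The advice above is to pick a backup and run it on a schedule; what it leaves implicit is that a backup only helps when the newest copy is recent and can actually be restored. The following Python example, added here and not part of the original post, checks both: it reads a small backup manifest (a constructed layout, not any product's real format) and verifies that the newest run is within the intended schedule and that a trial restore matches the hash recorded for it. The sample data, timestamps and 24-hour schedule are all constructed.

```python
"""Check that a backup set is both recent and restorable.

Added example, not from the original post. The manifest layout, the
sample data and the 24-hour schedule are constructed for illustration;
no real backup product (Carbonite, iCloud, Amazon, ...) is modelled.
"""
import hashlib
from datetime import datetime, timezone
from typing import Optional, Union

# Constructed sample payload standing in for the files that were backed up.
SAMPLE_DATA = b"contacts.vcf: Alice Example <alice@example.com>\nnotes.txt: pay phone bill\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed manifest: what a backup job might record after each run.
# Timestamps are ISO 8601 with an explicit UTC offset.
SAMPLE_MANIFEST = {
    "schedule_hours": 24,   # how often the owner intends to back up
    "grace_factor": 1.5,    # tolerate a run that is 50% late
    "runs": [
        {"finished": "2015-01-30T02:00:00+00:00", "sha256": sha256_hex(b"older contents")},
        {"finished": "2015-02-01T02:00:00+00:00", "sha256": sha256_hex(SAMPLE_DATA)},
    ],
}


def backup_status(manifest: dict, restored: Optional[bytes],
                  now: Union[str, datetime]) -> dict:
    """Evaluate the newest run in `manifest` as of `now` (ISO string or aware datetime).

    `restored` is the output of a trial restore of that run, or None if the
    restore could not be performed at all. Returns a dict with:
      fresh      - newest run is within schedule_hours * grace_factor of `now`
      restorable - trial restore hashes to what the manifest recorded
      age_hours  - age of the newest run, or None if there are no runs
      problems   - human-readable list of what is wrong (empty when all is well)
    """
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    problems = []
    runs = sorted(manifest.get("runs", []), key=lambda r: r["finished"])
    if not runs:
        return {"fresh": False, "restorable": False, "age_hours": None,
                "problems": ["no backup runs recorded"]}
    latest = runs[-1]
    finished = datetime.fromisoformat(latest["finished"])
    age_hours = (now - finished).total_seconds() / 3600.0
    limit = manifest["schedule_hours"] * manifest.get("grace_factor", 1.0)
    fresh = 0 <= age_hours <= limit
    if not fresh:
        problems.append(f"newest backup is {age_hours:.1f} h old; limit is {limit:.1f} h")
    restorable = restored is not None and sha256_hex(restored) == latest["sha256"]
    if restored is None:
        problems.append("trial restore could not be performed")
    elif not restorable:
        problems.append("trial restore does not match the recorded hash (corrupt or wrong run)")
    return {"fresh": fresh, "restorable": restorable,
            "age_hours": age_hours, "problems": problems}


def backup_ok(manifest: dict, restored: Optional[bytes], now: Union[str, datetime]) -> bool:
    """True only when the newest run is both fresh and restorable."""
    status = backup_status(manifest, restored, now)
    return status["fresh"] and status["restorable"]


if __name__ == "__main__":
    now = datetime(2015, 2, 1, 12, 0, tzinfo=timezone.utc)     # 10 h after the last run
    print(backup_status(SAMPLE_MANIFEST, SAMPLE_DATA, now))
    later = datetime(2015, 2, 5, 12, 0, tzinfo=timezone.utc)   # schedule missed for days
    print(backup_status(SAMPLE_MANIFEST, SAMPLE_DATA, later))
    print(backup_status(SAMPLE_MANIFEST, SAMPLE_DATA[:-1], now))  # truncated restore
```

The point of the trial restore is the one the post makes about access "in a reasonable timeframe": a backup that exists but cannot be read back is no better than the cracked phone. Running a check like this on the same schedule as the backup turns "pick something and use it" into something that tells you when you have stopped using it.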
