Month: August 2018

Back to School


The start of a new school year. A time of promise and excitement and shock at the cost of new shoes. Going back to school or going to school for the first time can be exciting and sometimes a little scary for kids and parents. In addition to the joys of peer pressure and unreasonable expectations from teachers that we all went through, our kids today also contend with a sudden avalanche of new online content, and the threats and challenges that come with it.

The start of a new school year will often find kids sharing the websites or online communities they have become used to over the summer, so kids are exposed to a lot of new online options in a short period of time. And for kids heading off to school for the first time, it’s never too early to talk about online safety. Even our youngest kids are surprisingly connected, and that can be a great thing. But it also means we need to be educating kids as early as possible about how to stay safe.

The best thing you can do is talk to your kids about what they are doing online. Encourage them to show you the funny (or usually not so funny) YouTube videos that are going around and ask them to introduce you to their online communities. You don’t need to join all their Facebook groups. They can and should have some sense of privacy, but you want to know as much about their online friends as you do about their real life friends. This goes beyond just having kids tell you when they think something is wrong. You want them to share with you the things they don’t see as a problem so you can help them develop the judgement needed online.

US-CERT put together a nice list of resources to help parents talk with kids, https://www.us-cert.gov/ncas/current-activity/2018/08/10/Back-School-Cyber-Safety. And I particularly like the Safe and Secure program, https://safeandsecureonline.org/.

You should also check out what computer classes are available at your school. Contact your local PTA or your school administrators and ask if/how computers are being integrated into classrooms, and if there is specific instruction about information technology and basic computer skills. Most middle and high schools offer classes in basic computer skills and many offer classes in things like coding or graphic design. These can be great opportunities for kids to develop some basic skills that will help them no matter what career they choose.

There is a great program called the Hour of Code. The program aims to provide every student from kindergarten through high school with a minimum of one hour of instruction in computer science. The program tries to show kids that anyone can learn to code (that’s what we geeks call making computer programs) and to spark an interest in computer science. I’ve volunteered at my kids’ elementary school the last few years and it’s amazing to watch what these little kids can learn to do in just an hour. And to see the joy on their little faces as they make a cat dance around the computer screen. You don’t need to know anything about computers yourself to help with the Hour of Code. It’s always helpful to have extra adults in the room for crowd control and you will probably learn a few things yourself. If your school doesn’t have an Hour of Code program, you can work with your PTA and your school administrators to create one.

Like everything, the key is to talk with your kids and engage with them about technology. Tech is one of the great topics where you can probably learn as much from your kids as they will learn from you. 

Passwords


Quick note: This is a longer post and will help you understand some of the more technical aspects of cybersecurity. You may want to go grab a beverage before getting started… 


Passwords are the one security tool that almost everyone is familiar with. But surprisingly, I find passwords are also one of the most misunderstood tools for protecting yourself online. Today I’m going to talk about the real purposes of passwords and how you can improve their effectiveness with a few easy steps.

First, it’s important to understand what we call the CIA triad. Which, now that I write it down, is kind of a scary sounding name. CIA is an acronym (yes, I know it is also the acronym for that other thing), but in this case it stands for Confidentiality, Integrity, and Availability. These are the three goals we are trying to achieve whenever we talk about cybersecurity.

  • Confidentiality refers to protecting information from disclosure to unauthorized parties. So you and your bank should both know your account balance, but no one else.
  • Integrity is about making sure information is not changed improperly. So if you withdraw $200 from your bank to buy 18 boxes of delicious Tagalong cookies from the Girl Scouts, then it is important that your account be debited exactly $200, but you wouldn’t want anyone besides your bank to be able to make those kinds of changes.
  • Availability is probably the most often overlooked piece of the cybersecurity puzzle, but it is equally important. If your bank account balance is kept confidential and no unauthorized changes are made to it, it’s still not very helpful if you cannot check it to see if you can afford those little globs of peanut butter goodness.

The CIA triad is commonly represented as a triangle to show that the three goals require a balance. In every case we have to accept compromises in one or more of the three goals. If you turn your computer off and unplug it and lock it inside a safe guarded by poisonous cobras, I can pretty much guarantee that no one is going to be able to access your computer without permission, so we have very high confidentiality and integrity, but the availability of the computer will be severely reduced.

Now that we have that basic understanding, let’s talk about what the purpose of a password is. Passwords are obviously intended to preserve the confidentiality of your information. By protecting your bank account (or your email account or whatever) with a password, you are trying to ensure that no unauthorized people can access that information. Passwords also protect integrity. When you log in to your bank account, you are proving to the bank that you are the account holder, like showing your driver’s license when you go to the bank in person. Strictly speaking a password isn’t a fingerprint; it is a secret that only you and the bank should know, and it is your knowledge of that secret that identifies you. That is exactly why a password only works for as long as it stays secret.

If your password is going to be the way your identity is verified online, obviously you should never share it with anyone. I make an exception here for your kids. It is OK for your kids to share their passwords with you, but you should not share the other way around. If you are sharing your password, you need to make sure that whoever you share it with is going to protect it as effectively as you are. Unless you are confident your kids can do that, you are better off setting up separate accounts for them with their own passwords. Keeping our password a secret is a good first step, but we are talking about computers here and computers are exceptionally good at guessing things. In this case, when I say “guessing” what I mean is trying every conceivable combination of letters and numbers until they find the right one, and doing it very fast. So we want a password that is complex, meaning it would take a computer, or a person, a long time to guess the password. Let’s pause for a minute to talk about how that works…

Think of a number between 0 and 9. Got it? Good. Now, it doesn’t matter what the number was. I can definitely guess it in no more than 10 tries, right? Good. Next step, pick again, but this time you can pick a number 0-9 or a letter of the alphabet. So now it will take me a maximum of 36 guesses. I might still stumble onto the right answer on the first try, but the maximum is 36 guesses. If we treat capital and lowercase letters separately then we have 62 possible answers (26 lowercase letters + 26 uppercase letters + 10 numbers). If I had you pick 2 characters then the number of possible solutions is 62^2 = 3,844. That will already take a person a pretty long time to guess. But a computer can make millions of guesses per second, and a rack of graphics cards built for password cracking can make billions per second when the website stored the password in a weak form, so this isn’t going to be a problem for me to crack using a computer. But if I have you pick 16 characters then that is 62^16 = 47,672,401,706,823,533,450,263,330,816. That’s gonna take me a bit even using a pretty powerful computer. If I add in a few common punctuation characters, I can make this number even higher. Each extra character multiplies the work by the size of the character set, which is why length does more for you than any single special symbol. There are a lot of other things we can do to make it take even longer to guess a password, but the important point is that even with all this math, ALL passwords can be guessed or “cracked” as we call it, given enough time.

Well that sucks! I can hear you saying it. I guess we may as well just give up and go back to bartering with chickens, right? Well, hold on all is not lost. There is one very easy thing you can do to almost eliminate this risk. Change your password.

Huh? Let’s say it is going to take someone with a really fast computer 100 days on average to guess your password. If you change your password on the 90th day, any work the bad guy has already put into guessing the old one is wasted, and whatever they recover after that is a password you no longer use. There is still a chance that the bad guy could guess your password on the first try, but given the numbers involved it is staggeringly unlikely. This reasoning is where those annoying time limits for changing your password came from. One caveat worth knowing: the current US guidance (NIST Special Publication 800-63B, published in 2017) no longer recommends forcing people to change passwords on a schedule, because in practice it pushes people toward shorter, more predictable passwords; it recommends changing a password promptly whenever there is reason to believe it has been exposed, and the rest of this post is about making the exposure unlikely in the first place.

Feeling pretty good now, right? Well hold on. We have been assuming a truly random set of characters here. If I only have to check for dictionary words, say, and not all possible combinations, then I can drastically reduce the number of attempts I need. If I have some information about you like your kids’ names or your birthdate that I think you may have used, I can bring that number down even further. For example, let’s say you have three kids: Alex, Scott, and Jane. If I think you have used some combination of these names as the password, then I only have to check the unique characters in each name. So that is just 10 letters (a, l, e, x, s, c, o, t, j, n) to try. Even in a 16 character password that is only 10^16 = 10,000,000,000,000,000 options, which is a lot, but is only 0.00000000002% as many as when we used all the letters and numbers. And a real attacker wouldn’t even bother with every arrangement of those 10 letters; they would try the names themselves, in every order, with the usual separators and a year or a couple of digits tacked on the end, which is a list measured in the thousands rather than the quadrillions.
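To make the arithmetic in the last few paragraphs concrete, here is a small Python script added for this edit (it is not code from the original post). It generalises the 62*62 calculation to any character set and length, converts the result to bits and to cracking time at an assumed guess rate, and counts the much smaller guess list a targeted attacker would actually build from the names Alex, Scott and Jane. The separators, the 0-99 suffix, the ten-punctuation-mark alphabet and the one-billion-guesses-per-second rate are assumptions chosen for illustration, not a standard wordlist or benchmark.

```python
import math
from itertools import permutations

# Character-set sizes used in the post (the last one is an assumption: 10 common symbols).
CHARSETS = {
    "digits": 10,
    "digits + lowercase": 36,
    "digits + upper + lower": 62,
    "digits + upper + lower + 10 punctuation marks": 72,
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters drawn from an
    alphabet of `alphabet_size` symbols (the post's 62*62, generalised)."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """The same quantity in bits: log2 of the keyspace. Each extra bit doubles the work."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst case for the attacker (every candidate tried); on average they need half."""
    seconds = keyspace(alphabet_size, length) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def family_name_candidates(names, separators=("", "-", "_", "."), max_suffix=99):
    """Generate the guesses a targeted attacker would try when they suspect a
    password built from family names: one to len(names) names in any order, each
    capitalised or not, joined by one separator, optionally followed by a number
    0..max_suffix. These choices are assumptions about attacker behaviour."""
    suffixes = [""] + [str(n) for n in range(max_suffix + 1)]
    for k in range(1, len(names) + 1):
        seps = separators if k > 1 else ("",)   # a single name has nothing to join
        for ordering in permutations(names, k):
            for caps in range(2 ** k):           # bit i set -> capitalise name i
                words = [w.capitalize() if (caps >> i) & 1 else w.lower()
                         for i, w in enumerate(ordering)]
                for sep in seps:
                    base = sep.join(words)
                    for suffix in suffixes:
                        yield base + suffix


def family_name_space(names) -> int:
    """Size of the targeted guess list above (distinct strings)."""
    return len(set(family_name_candidates(names)))


if __name__ == "__main__":
    rate = 1e9  # guesses/second: assumed GPU rig against a weakly stored password
    for label, n in CHARSETS.items():
        print(f"{label:45s} 16 chars: {keyspace(n, 16):.2e} candidates, "
              f"{entropy_bits(n, 16):5.1f} bits, {years_to_exhaust(n, 16, rate):.2e} years")
    ten_letter = keyspace(10, 16)
    print(f"\n10 letters from the kids' names, 16 chars: {ten_letter:,} candidates, "
          f"{100 * ten_letter / keyspace(62, 16):.11f}% of the 62-symbol space")
    print(f"Actual 'Alex/Scott/Jane' guess list: "
          f"{family_name_space(['Alex', 'Scott', 'Jane']):,} candidates")
```

Run it and the three numbers line up with the post: 62^16 comes out to the 29-digit figure above, the 10-letter version is 0.00000000002% of it, and the targeted name list is under thirty thousand guesses, which a laptop finishes in well under a second.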

Sorry but your password must contain an uppercase letter, a number, a haiku, a gang sign, a hieroglyph, and the blood of a virgin.

One more factor to consider. Suppose you use the same password for two different websites. For example your bank and your Starbucks account. We can assume your bank is being pretty darn careful about protecting your password. Starbucks maybe not as much. And if someone gets your Starbucks password, they now also have your bank password. This is exactly what attackers do with the password lists leaked from a breached site: they try every email-and-password pair against banks and the big email providers, a technique called credential stuffing. Same thing if you write your passwords down. If all my passwords are on a sticky note next to the computer or in a note on my phone, the bad guy just needs to get one quick look at that and I’ve lost everything.

We now understand we want random passwords with uppercase and lowercase letters as well as numbers and maybe some punctuation. We also want a unique password for every account and we don’t want to share our password with anyone ever or write them down. This is great and I now have very low risk in the confidentiality and integrity of my data. Except now I can’t remember any of my passwords and I can’t access any of my accounts so my risk for availability is very high. The answer to this is password managers.

A password manager is different from a document or note on your computer. It is usually a separate program or service that does just one thing: store your passwords for you. Most will also generate random passwords for you and many provide some extra features like alerting you to weak or reused passwords or to sites that have been breached. Password managers can be integrated into your web browser so they will automatically fill in your password for you, so you really don’t need to remember it at all or even know what it is. Most modern web browsers have a built-in password manager which is pretty good, but they do need to be set up correctly. Most importantly, make sure your passwords are being securely backed up so if something happens to your computer they are not all lost. For a better solution, you may want to look at a dedicated password management service like LastPass, 1Password, or Dashlane. Most browsers and all password managers will generate secure random passwords for you and this is absolutely the best way to make your passwords more secure. The one password you still have to remember is the master password that unlocks the manager, so make that one long and use it nowhere else.
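As an added example (not from the original post or from any of the products named above), here is how a password manager’s two core jobs look in Python: generating a password that is uniformly random from the operating system’s cryptographic random source, and auditing a vault for passwords reused across sites. The character set, the minimum length and the example vault contents are constructed for illustration.

```python
import math
import secrets
import string

# Letters, digits and a set of punctuation that most sites accept (assumption).
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Draw each character uniformly with the OS cryptographic random source.
    Never use random.choice() for this: it is seeded predictably and was not
    designed to resist guessing."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        # Sites often require mixed classes. Re-draw rather than patch the string so
        # the result is still uniform over the passwords that satisfy the rule.
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(not c.isalnum() for c in pw)):
            return pw


def entropy_bits(password_length: int, alphabet_size: int) -> float:
    """Strength of a uniformly random password, in bits."""
    return password_length * math.log2(alphabet_size)


def reused_passwords(vault: dict) -> dict:
    """The check a manager's 'security audit' runs: which sites share a password.
    `vault` maps site -> password; returns {password: [sites]} for any reuse."""
    by_password = {}
    for site, password in vault.items():
        by_password.setdefault(password, []).append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


def build_vault(sites, length: int = 20) -> dict:
    """One fresh random password per site, which is what the manager does for you."""
    return {site: generate_password(length) for site in sites}


if __name__ == "__main__":
    # Constructed example vault with one password reused across two accounts.
    bad_vault = {"bank.example": "Tagalong2018!", "coffee.example": "Tagalong2018!",
                 "mail.example": "Xk9#pQ2v"}
    print("reused:", reused_passwords(bad_vault))
    good_vault = build_vault(bad_vault)
    for site, pw in good_vault.items():
        print(f"{site:15s} {pw}  ({entropy_bits(len(pw), len(ALPHABET)):.0f} bits)")
    print("reused after regeneration:", reused_passwords(good_vault))
```

Twenty characters from this alphabet is a little over 120 bits, far beyond the 62^16 figure from earlier, and because the manager types it for you the length costs you nothing.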

Dr. Malware, or how I learned to stop worrying and love the Internet


Viruses, worms, Trojans, ransomware… they go by many names, and the names do describe different kinds of behaviour, but for now we’ll just call them all malware, short for malicious software. Malware is any computer program that does something we don’t like. It is kind of like the definition of a weed. If you didn’t plant it and you don’t want it there, it’s a weed. Your weed may be someone else’s flower, although that isn’t often the case with malware.

Whatever it’s called, most people have the same reaction when they hear someone was “infected”. You did something you shouldn’t have and now your computer is broken. Except neither of those things is true. With very few exceptions, malware is going to affect how the software on your computer functions, not the computer itself. This is good news because software is much easier to fix than hardware. More importantly, getting infected with malware doesn’t mean you did anything wrong. One of the most common ways malware is spread is when a bad actor creates an ad with malware in it and then submits that ad to an advertising service (the industry calls this malvertising). This very legitimate advertising service then shows the ad on Facebook and Google and a hundred other sites where it is viewed by well-behaved internet users who can now be infected. So getting infected doesn’t mean you did anything wrong, but this also means you can’t protect yourself by just staying on “safe” websites.

You can do a lot to protect yourself though. It’s pretty easy, and free, to do. Here is a list of helpful tools and practices that can protect you and your computer.

Antivirus Software

This is most important if you are using a Windows PC. If you have a Mac you are at lower risk, but not zero; macOS has its own built-in malware checks, and the rest of this post still applies to you. Antivirus software looks at the programs installed on your computer and compares them to the “signature” of known malware. It will usually scan files you download from the internet and can be set up to scan your computer on a regular schedule. “But wait!” I hear you saying. “If it scans the files when I download them, why would I need to scan them AGAIN every week?” Good question. The answer is that the antivirus software can only find malware it already knows about. So you might get infected with something the antivirus vendors have not seen yet (brand new malware with no signature, a close cousin of what we call a zero-day attack; sounds cool, right?), but once the malware is identified, the vendors will update their “definitions”, meaning the list of malware they know to look for, and when they re-scan your computer they will find and, hopefully, remove it.
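To show what “comparing files to signatures” and “updating definitions and rescanning” mean in practice, here is an added, deliberately simplified signature scanner in Python; it is not code from the post or from any antivirus product. The files, hashes, detection names and byte patterns are all constructed for the example, and nothing in it is real malware.

```python
import hashlib
import re

# Constructed, harmless stand-ins for files on disk (name -> bytes). The "suspicious"
# one merely contains a string that a definition could key on.
FILES = {
    "holiday_photos.zip": b"PK\x03\x04 ...archive of jpeg data...",
    "invoice_viewer.exe": b"MZ\x90\x00 ...code... http://evil.example/c2 ...more code...",
    "notes.txt": b"grocery list: 18 boxes of Tagalongs",
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan(files: dict, definitions: dict) -> dict:
    """Signature scanner: flag a file if its hash is a known-bad hash, or if it
    contains a known-bad byte pattern. Returns {filename: detection name}."""
    hits = {}
    for name, data in files.items():
        label = definitions["hashes"].get(sha256(data))
        if label is None:
            for pattern, pattern_label in definitions["patterns"]:
                if re.search(pattern, data):
                    label = pattern_label
                    break
        if label is not None:
            hits[name] = label
    return hits


def updated(definitions: dict, new_hashes=(), new_patterns=()) -> dict:
    """Return a new definitions set with the vendor's additions merged in."""
    return {
        "hashes": {**definitions["hashes"], **dict(new_hashes)},
        "patterns": list(definitions["patterns"]) + list(new_patterns),
    }


# Day 0: the vendor has never seen this sample, so its definitions know nothing about it.
DEFINITIONS_DAY0 = {
    "hashes": {sha256(b"an older sample the vendor already catalogued"): "Trojan.Example.A"},
    "patterns": [],
}

# Day N: the sample has been analysed; the vendor ships its exact hash plus a byte
# pattern that also catches slightly modified copies (which a hash alone would miss).
DEFINITIONS_DAYN = updated(
    DEFINITIONS_DAY0,
    new_hashes=[(sha256(FILES["invoice_viewer.exe"]), "Trojan.Example.B")],
    new_patterns=[(rb"http://evil\.example/c2", "Trojan.Example.B.gen")],
)


def rescan_story():
    """Why the scheduled rescan matters: same files, newer definitions."""
    return scan(FILES, DEFINITIONS_DAY0), scan(FILES, DEFINITIONS_DAYN)


if __name__ == "__main__":
    before, after = rescan_story()
    print("scan with day-0 definitions:", before)
    print("rescan with updated definitions:", after)
    # A one-byte change defeats the exact hash but not the pattern:
    variant = {"invoice_viewer2.exe": FILES["invoice_viewer.exe"] + b"\x00"}
    print("modified copy:", scan(variant, DEFINITIONS_DAYN))
```

Real products layer heuristics, behaviour monitoring and cloud lookups on top of this, but the core loop is the same: a file that passed on day 0 is caught on the next scheduled scan once the definitions know about it, and a byte pattern catches the lightly modified copy that an exact hash would miss.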

Malware is just like any other program. The Windows version won’t run on a Mac and vice-versa. Most malware today is written for Windows. The good news is that Microsoft provides a very good antivirus program for free. The program is called Windows Defender and it comes free with all modern versions of Windows. Microsoft has some very simple instructions on how to enable and use Windows Defender.

https://support.microsoft.com/en-us/help/17464/help-protect-my-computer-with-windows-defender

Don’t use an admin account

This one is also MOSTLY for Windows people, but Mac owners should read this one as well. Both Windows and Mac have two basic kinds of accounts. Administrator accounts are more powerful and allow you to do things like install new software and make changes to security settings on your computer. User accounts usually cannot do these things. Most malware wants to install itself or change system settings so that it survives a reboot and reaches everything on the machine, so using a regular user account when doing things like browsing the web or playing games can drastically reduce your risk and limit the damage. It is not a complete shield: malware that only needs your own files, like ransomware encrypting your documents or something stealing passwords saved in your browser, can still run as a regular user. But it blocks or at least makes you confirm the system-wide changes that let malware dig in. The best idea is to have one or more user accounts on your computer and to use these all of the time. You should have one or two administrator accounts and only use these when you need to make changes or install new software.

Macs have the same two kinds of accounts, but on a Mac it is a bit safer to use an admin account all the time. This is because macOS asks for your password whenever you try to do something that actually requires admin permissions, so nothing gets elevated silently. (Windows shows a similar prompt, called User Account Control, but for an admin account it only asks you to click Yes, which is easier to click through without thinking.) This next sentence is important for both Mac and Windows users:

 When you get a pop-up message, you MUST actually read the words in the message!!!

The message should very clearly explain what is about to happen and which program initiated the request. If it doesn’t, or you don’t understand it, say No or click Cancel. Genuine permission prompts from the operating system show which program is asking, but malicious programs and web pages control the text of their own pop-ups, which are built to look like system messages, so sometimes you’ll see a pop-up like this:


In this case, the text may be misleading or just an outright lie. Bad grammar and spelling, a sense of urgency, and any request for your password are the usual tells. If you get a pop-up like this and you have any doubt about its validity, click Cancel or No or Don’t Allow.

Browser configuration

This issue is probably going to be covered in a future post, but for now, there is a very good summary over at US-CERT about why and how to configure the major browsers for online safety, https://www.us-cert.gov/publications/securing-your-web-browser

Adblock plugins

As we mentioned earlier, one of the most common ways bad actors attack our computers these days is through ads. Additionally, ads are one of the main ways our online activity is tracked, for good or evil. One of my favorite ad-blocking plugins is AdBlock, https://getadblock.com/.