Halloween Special: The Perils of Living in a Wireless World


Everyone loves wireless. It’s a liberating technology that’s allowed us to do anything pretty much anywhere. But data flying through the air comes with additional vulnerabilities.

Considering how ubiquitous Wi-Fi is, it’s surprising how little most of us know about it. Here are a few random factoids to get us started. And some of them are decidedly spooky.

Spooky Fact 1 – folks talk about wireless speed in terms of bits per second – so how many zeros and ones can fly through the air. This is known as maximum data capacity & you typically see it written as 54 Megabits per second etc. That’s cool, right?

But, like a mysterious ghost story – just over half of this speed vanishes into the misty night when using Wi-Fi. What you’re left with is zombie-like throughput. That’s a scary factoid – even before any nasties attack your wireless network, you only get around half of the speed you think. The causes of this are, in no particular order, ghosts hiding in your router, all the bits of information added to your data to help it find its way & the fact this devilish ‘overhead’ increases the further you are away from the safety of your router….well, two of these are true anyway….

Spooky Fact 2 – by adding monster names to the following list – you can see 3 terrifying areas of danger – not just on wireless, but being on wireless is the equivalent of adding scary music, making it even scarier.

  • Devilish Physical Hardware – Dracula could easily hypnotise you then steal your device. Got a password? If it’s an easy-to-remember one, it would probably take the Prince of Darkness a few hours to crack it. (So, think the obvious physical security, keeping your devices safe plus a kick-ass password.)
  • Ghastly Software – Frankenstein isn’t as stupid as he looks. He could use loopholes in programs to do bad stuff. (This monster doesn’t like patches & updates. Get anti-virus software, keep everything updated & you can loosen this monster’s bolts.)
  • Deadly Data – Zombies could easily nick your data in transit, feasting on it as it flies through the air. (Mmm…trickier – just how do you protect data in the air? Fly spray? Read on for details….)

Spooky Fact 3 – Holy Water (WPA2) – You might recognise WPA2 from when you’ve been fiddling with your wireless router. It is a stallion of an encryption protocol with few known weaknesses at the moment. Most routers are now set to WPA2 by default but it’s wise to check. Having WPA2 encryption is like having Vin Diesel turning up to your wireless horror movie – fully ‘tooled up’. And he’s going to help you kick a lot of ass. Does that mix enough metaphors for you?


Right, sick of Halloween-type banter?

OK – here are 3 processes to set up. Get this right, along with all the other advice around patching, passwords & crucifixes & you’ll be as secure as you can be.

  1. Set the right security protocol – remember WPA2 on your router – probably already set – it’s like holy water…
  2. Securing access – do some research & find out how to control access to your wireless access point. Might be something I look at in a future blog but check it out – you’ll come across something called MAC addresses (not your ancestral home in Scotland.)
  3. Default passwords – routers come with those tricky passwords – something like E83HHG3g21 – remember typing that in for access. For public area free Wi-Fi, you get stuff like ‘cafepassword’. This can be changed & you should do it. Again, do a bit of research. I’ll try to cover it in future blogs.
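
A way to check the three steps above on an access point you run yourself, as an added example that is not part of the original post. It audits a hostapd-style config: `wpa`, `macaddr_acl` and `wpa_passphrase` are real hostapd options, while the sample configs, the file path, the length threshold and the word list are constructed assumptions.

```python
# Added example: audit a hostapd-style AP config against the three steps above.
# Sample configs, MIN_LEN and WEAK_WORDS are constructed for illustration.
MIN_LEN = 12                                  # assumed minimum passphrase length
WEAK_WORDS = ("password", "admin", "guest")   # assumed giveaway words

WEAK_CONF = """
ssid=cafe
wpa=1
wpa_passphrase=cafepassword
macaddr_acl=0
"""

HARDENED_CONF = """
ssid=homenet
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=teal-otter-climbs-9-ladders
macaddr_acl=1
accept_mac_file=/etc/hostapd/accept.list
"""

def parse_conf(text):
    """Return key/value pairs, skipping blank lines and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit(text):
    """Return one finding per step that the config fails."""
    conf, findings = parse_conf(text), []
    # Step 1: hostapd's wpa=2 means WPA2 only (1 = WPA, 3 = both, unset = open).
    if conf.get("wpa") != "2":
        findings.append("step 1: network is not WPA2-only")
    # Step 2: macaddr_acl=1 admits only MAC addresses in the accept list.
    if conf.get("macaddr_acl") != "1":
        findings.append("step 2: no MAC address allow-list")
    # Step 3: flag short passphrases and ones built from the SSID or a weak word.
    phrase = conf.get("wpa_passphrase", "").lower()
    ssid = conf.get("ssid", "").lower()
    giveaways = WEAK_WORDS + ((ssid,) if ssid else ())
    if len(phrase) < MIN_LEN or any(w in phrase for w in giveaways):
        findings.append("step 3: passphrase is short or guessable")
    return findings
```

`audit(WEAK_CONF)` reports all three steps; `audit(HARDENED_CONF)` returns an empty list.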

Finally, remember, just like in any decent horror movie, when that nice calm bit comes at the end, you’re never 100% sure it’s over. Could the axe murderer still be alive? Could he burst through the window at any time? The truth is no medium (not the crystal ball kind) wired or wireless is 100% safe.

And, wireless still has greater risks. For example, I went into a Costa Coffee the other day & logged onto their ‘free Wi-Fi’. The password was on the front desk – anyone can use that. Blimey I’m scaring myself now so I’m going to check my stuff….stay safe out there in wireless monster land….


Threat Horizons (including a Robot Takeover)

Very smart people at organisations like the ISF (Information Security Forum) & Gartner consulting produce some excellent predictions of terror for everyone to be scared of.

They help by projecting forward to look at the kind of threats we’re going to face in cyber security in the next 5 years.

My diagram provides a good overview of the ones I suspect will cause a few sleepless nights (No I haven’t employed a professional graphic designer – it’s all my own work, scanned in.):

 

[Diagram]

Automated Misinformation

Pretty much every point on this list is underpinned by smarter AI capability. Think deliberate, automated & targeted false information – targeting organizations & corporates. This could be anything from a sea of misinformation to false profit warnings, artificially created scandals & fake board level announcements. We can do much of this at the moment but think how powerful it would be with evolving AI personas driving it at a relentless pace. Are the PR & Comms team ready for this?

Unexpected Outcomes

No one knows the future – not even Mystic Meg – but the experts see a headlong rush into AI projects leading to new vulnerabilities. In science terms, ‘unexpected outcomes’ is a terrifying phrase which could mean anything from a button you didn’t know about to thermonuclear war & the eradication of life on Earth. Realistically, cyber criminals will quickly exploit any gaps or vulnerabilities in AI decision-making. This we can be sure of.

Opaque Algorithms

Mmm….I was going to put legacy systems collapsing, as few people realize how much institutions like the Stock Exchange rely on old code. Still, imagine you’re turned down for some form of insurance – you query it – who knows how the algorithm works – the business probably won’t. Who knows what could happen? My point is they are getting ever more complex mathematically & the pool of those who understand them is already small. People on Facebook are already blaming the algorithm for things going wrong. Will we see forms of discrimination we don’t even know about? How important is it that we understand how important decisions about us are made?

Robot Takeover

We all know it’s coming but maybe not in the way we imagine. People get excited about robot waiters but the real challenge will come as AI replaces thousands of ‘middle’ jobs. We’re not the first generation to face disruption but if we fail to plan for this, I’m convinced we’ll face serious civil unrest. One option is to offer everyone a basic universal income – regardless of whether they work or not. If you want to earn more, you can apply for one of the few jobs open to humans. (I’ll cover this in more detail later.)

 

The ‘Diamond of Unwelcomeness’

I’ve read a lot about cyber security on my journey so far & I think I’ve already mentioned that many debates are dominated by the on-going theme that the industry needs more people….fair enough……

However, I have to say, they don’t make it easy.

I’d be classified as a career changer – a general business/IT project managery type of person, shifting some of his focus to cyber & data security. But, trying to find your way through the jungle is just so confusing.

I present here what I call the ‘Diamond of Unwelcomeness’ which shows just how unwelcoming the profession really is to newcomers & career changers….

[Diagram: Diamond of Unwelcomeness]

(To help us (& this is only from a selfish point of view!) there are regular ‘women in cyber’ sessions to which I can’t really go.)

Qualifications, Training & Standards – don’t get me started here. Never have I come across such a confusing nexus of industry standards, associations & qualifications. I’m a member of BCS but there are about 4 other industry groups you could join – it would cost you a fortune to join all of them…

Barriers to First Jobs – Accountants have it good don’t they – CIMA/ACCA – a recognised path…everything I think we are missing. My solution is to look for the cyber security elements in my current role & that is working really well.

Apologies if this all sounds a bit grim…if you’re new like me you also find conventions full of these folks:

Type As – glossy sales people on stands who know all the lingo but have a surprisingly shallow knowledge of the industry & technology.

Type Bs – industry old-hands who have been in it for years. There’s not much you can tell these guys & most of them used to code.

Type Cs – network & helpdesk folks – they’re big on the technical side – they know how to configure a firewall. This is their domain & they don’t want it de-mystified too much.

I say this all slightly tongue in cheek – you kinda get this with every profession. But, I hope there are also some serious points in here.

I’ll keep on chipping away & keep you posted on how I get on.

If I disappear, you’ll know I’ve probably been taken out by one of the industry associations in a revenge attack…

 

 

Four Types of Cybercrime

Let’s start with four. More are available. There are more sub-divisions than there are branded coffee outlets in London.

Personally, I’d never heard of malvertising but it’s a big problem in India at the moment. Identity theft we are all aware of but how many of us really take this seriously? I always imagine someone coming up to you in the street & talking about your most personal information – all stuff you’ve shared online.

Cyberstalking – a nasty, very personal attack which can be motivated by money or something even worse.

Spam & Phishing – team this one up with a bit of social engineering & it’s like finding an irritated scorpion in your sleeping bag that was in a real bad mood even before you sat on him. Just one click, that’s all it took. So convincing. Click on the mysterious link, go on, we’re friends now – Clickie Click Here

(Note to my few readers – yeah things are a bit simple at the moment on my blog. Yeah there are lines in the drawings. That’s just how it is. I’ll keep updating the site as I learn stuff but if you’re an MSc student from somewhere or a 20 year security veteran who knows what a container is, hey you’re not gonna learn a lot here.)

Here’s a graphic to summarise what’s in my brain:

[Graphic]

 

 

7 Odd things in cyber security

Here are some of my early observations as a noob on the wacky world of cyber security.

(1) It’s complex. Lordy is it complex. No one really seems to understand it. We don’t even really grasp the scope of the risks. That explains why even our hospitals are vulnerable to relatively simple cyber-attacks. That should worry us shouldn’t it? If all the PhDs in the industry don’t get it, what chance do we have? To paraphrase Whoopi Goldberg in Ghost :-

[Image]

(2) We’re told North Korea is a backward nation, cut off from the world & isolated from everyone. Yeah – even if they are, they still managed to (digitally) pull the pants down on businesses & organisations across the world. What does this teach us? Well, we are told that cyber-crime is a relatively easy game. That’s not good. Also, it gives an amazing new avenue for any Bond villains redundant since the Cold War.

(3) I went to a cyber security event last week. I came away with a stack of brochures. And some branded socks. For some reason, everyone was giving away branded socks. One of the big messages was that there’s a skill shortage. The industry goes on & on about this one. Metaphorically, they’re hammering pieces of wood over the windows and locking the doors, they’re so short of qualified people. And yet, as a noob, there are multiple qualification & accreditation paths & little in the way of a structured route into the profession for career changers. Basically, it stinks of professionals that have a vested interest in keeping the pool of qualified talent limited. The only real growth is in people to write more articles about how short the industry is of qualified professionals.

Training Materials from the 1980s. Step 1 – Call the Ministry

(4) A snotty but smart teenager who spends a lot of time in his bedroom can bring the FBI & the US Army to its knees. Seriously, if these guys can’t defend their digital baggage then why bother renewing that McAfee subscription. (Seriously though, do keep your virus protection updated. It does do something, apparently.)

(5) No one cares about data until it goes where it shouldn’t. Edward Snowden taught us this. Of course, a few people worry about it. But, most of us need a saline drip just to stay alive in any data protection training. It’s just below going to the dentist on everyone’s ‘what I don’t want to be doing’ list.

(6) There are lots of different aspects to cyber security. I learnt this from a brochure. There’s the network stuff – that’s all I really knew about. There’s the software angle. Even the people angle. Who would have thought it? I met the National Cyber Security crew from MI5 at the conference. Their ethos is ‘a prat with a USB stick is just as dangerous as a Russian hacker with a Bitcoin account’.

(7) Finally, block chain is nothing to do with plumbing. I read an article on it but still do not understand entirely what it is. I know it’s good to drop into conversation if you work in tech circles. You should also try Gamification. That’s another good one. Block chain is a buzzword. We should really find out what it is.

If in doubt – What the F*&* is Blockchain?

An adventure begins…

This isn’t my first blog. I’ve got a trail of graveyard blogs behind me. From zombies to deserts. Now a new blog – cyber security.

This blog is going to be a weird look into the world of cyber security. Weird because I’m no expert. I’m learning on the job. Just like the rest of the world.

There are lots of very clever people in the cyber security industry. Some of whom I’ve met and will hopefully appear on the blog from time to time. Like 007 in binary form – the heroes and heroines of a secret war.

Weird because I hope that it will have a broader appeal than just a review of the latest technical jargon. Cyber security should be in the public domain. My first prediction is that they’ll soon start calling it something different. Like Cyber Welfare or Digital Health or something no one has thought up yet.

I hope, in time, we’ll have some technical experts on to help us understand what in the hell’s going on in cyberspace.

So that’s it. A new blog on cyber security. A subject guaranteed to turn folks off. Let’s try and make it a bit more…spicy….
