Category Archives: Technology Trends

Cybersecurity Awareness… or not?

An interesting exchange of opinions recently occurred between two of my favorite news sources related to information technology security.

Since we are still in the midst of a month declared by the federal government as “Cybersecurity Awareness Month” (see both https://www.dhs.gov/national-cyber-security-awareness-month and https://staysafeonline.org/ncsam/), which is an effort to increase security awareness among regular technology users, the disagreement is interesting.

The premise of “cybersecurity awareness” is that all computer users need to be trained to be more knowledgeable and to apply their experience, knowledge and expertise in making the use of modern technology more secure.  This is a worthy goal, I believe.

However, Bruce Schneier,  a highly respected security expert and author, persuasively argued recently that maybe the computing industry should be less focused on educating the user and more on fixing the current state of technology:

Stop Trying to Fix the User

I am sure that many technology users will agree that there are basic technology fixes that should happen!  However, Lance Spitzer, the training director for the Securing the Human of the SANS Institute and security blogger for Educause disagreed with Bruce’s emphasis on the technology:

Why Bruce is Wrong

The college’s Information Technology Services division does as much as can be done technically to ensure that all users have as safe a computing experience as they can on campus.  However, given the state of computing technology, solving IT security issues with technical solutions is never going to be enough to make them non-existent.

Every one of you, as users of college systems, are still an important part of a robust security solution, and your ability to recognize something is wrong often proves better than the best technology solution.

So in a way, both of these authors are correct:  There absolutely should be better, more secure technological ways of doing some of the everyday things we do with computers, like click a link or login, but until that exists, users need to be better trained and more aware of how to evaluate the risks inherent in technology use on a daily basis and to respond when they experience attacks by malicious users.

This  will continue to be an interesting discussion, I think…

Safe Computing!

Lock Down Your Login

As October’s Cybersecurity Awareness Month continues, I thought I would refer once again to the federal Stop.Think.Connect information campaign and focus briefly on one particular topic currently being emphasized there.

Be careful and turn your speakers down before clicking on this link, as the page automatically plays a cutesy animated YouTube video, but the Lock Down Your Login page is a good introduction to what is known as Multi-Factor Authentication (MFA).   This site calls it “strong authentication.”

Once you as a user have been authorized to use a particular technology system, such as a banking website or your work computing network, authentication is the process of verifying your identity to that system so it can provide you the access needed.

Commonly, this is done by prompting a user to provide a login name and password, which in computing terms is considered “single-factor” authentication.

Multi-Factor Authentication is a mechanism through which a user is granted access only after more than one form of authentication is presented.  MFA may sometimes be referred to in the media or on websites as two-step authentication or two-factor authentication (2FA) , but technically 2FA is a subset of MFA.

One very common example of two-factor authentication is the use of a debit card (factor one-something you HAVE) and a PIN (factor two-something you KNOW) to withdraw money from an ATM.

Another example of MFA you may already experienced is the use of your thumb or finger print to unlock your cell phone.  In this case, the first factor (something you HAVE) is the phone, the second factor (something you KNOW) is the password you have previously saved on the phone, and a third factor (something you ARE) is the ability of the phone to read your thumbprint (also called biometrics).  If any of these factors are not available, you cannot access the information on the phone.

Most information security experts now recommend the use of MFA in all cases of authentication, particularly as more and more of our login information is being stored on servers all over the world and more and more of those servers are compromised.

For instance, commerce websites such as Amazon.com asks that you create a username and password (single-factor) to be able to use their service.  A compromise of that information on their servers by hackers or even company insiders could allow malicious users to pretend to be you and make purchases on your account without your knowledge.

The problem multiplies if you happen to employ the same password for different accounts on different systems.  Once one is compromised, all your accounts secured with a single-factor using the same password are potentially compromised.

If, however, if you have set up MFA with your Amazon account,  which allows you to receive a one-time random code via text message, automated phone call or third-party app (such as Google Authenticator or Microsoft Authenticator),  the malicious user cannot get into your account without using that code which only you have on your phone.  Even if they have somehow obtained both your username and password, they cannot login to the MFA protected account.

Other websites or networks now also use phone-based MFA, but there are also methods that are not phone-based, such as the use of security token generators or smart cards.

A few people think the extra step of obtaining and using a random code is too onerous to do every time you log into a particular account.  But this simple extra step increases the security of that account so significantly that most major online companies are preparing or already offering some sort of MFA for use with their accounts.  If that extra step prevents the use of your personal credentials even after a security breach, it is obviously worth it.

As someone who pays close attention to information security and the scary trending online threats and growing malicious practices, I choose to use MFA for my personal accounts whenever it is available, and use both phone text-based codes and app-based code generators.

The use of MFA is also growing quickly in the work place as institutions and business work to protect their internal technology resources, and is currently being tested here at Bellevue College for possible use with Office 365.

If you are worried about this, remember that a couple of decades ago our typewriters didn’t require a login at all, but after computers became ubiquitous, we learned how to function with usernames and passwords. Now it seems natural.

MFA will be the same kind of cultural revolution.   I think it is safe to predict that one day we will be using MFA for all of our accounts as another line of defense against malicious users, and won’t think twice about it.

Safe Computing!

Free Stuff!!

Information Security part:

It is not uncommon for malicious parties to send out e-mail or other communications with the text “Free Stuff!!” as part of the subject line or emblazoned in bold letters across the top of the ad.  Often this lure of the possibility of getting something free is irresistible to we human beings.

This means we, as consumers of technology, need to be cautious whenever we see offers that seem too good to be true.  In one of my favorite childhood science fiction books, The Moon is a Harsh Mistress by Robert Heinlein, I learned to look carefully at free offers through the lens of the acronym TANSTAAFL.

“There Ain’t No Such Thing As A Free Lunch” means simply that there is often a hidden cost behind “free” offers, and that an intelligent person will be certain to look for that cost before jumping onto any “free” bandwagon.

Non-Information Security part (sort-of):

I’ve mentioned before that I would periodically include in this blog things outside the realm of information security if I found it interesting and worth sharing.  This is one of those times.

Microsoft yesterday announced that they are increasing in July the amount of storage space allocated to users of their OneDrive cloud file storage.  OneDrive allows users to access saved files through the internet from anywhere, using any computer or device (such as a smart phone or pad).

The amount of storage space available in the “free” (advertiser supported) version of OneDrive is increasing from 7 GB (gigabytes) to 15 GB.

Microsoft also offers paid OneDrive subscriptions, the first as a stand alone product for which they are charging $1.99 for 100 GB [previously $7.49] or $3.99 for 200 GB [previously $11.49] per month.

The second subscription version is associated with the various (and variously priced) versions of their online Office 365 product.  They have not changed the price of the monthly or annual Office 365 subscriptions, but are changing the amount of OneDrive space available to subscribers to 1 TB (terabytes; equivalent to about 1,000 GB).  This is a HUGE amount of personal storage space!

This offer, including it’s “free” version, may well be worth checking out if you are interested in personal cloud storage of your files.

Privacy Disclaimer

It is important to always keep in mind that in storing your personal files “in the cloud” –whether it is OneDrive or other free or paid offerings, like BOXDropBoxGoogle Drive, Amazon Cloud,  Apple’s iCloud, or any other company–those files are resting on servers controlled by whichever company is providing the service.

This means they are subject to disclosure either to certain company technical employees or through legal requests, to courts or law-enforcement officials.  Just as with files stored on college systems, they are not totally protected from disclosure in certain situations.

However, if you make an informed decision, weighing the benefit of using such personal file storage services against their hidden costs (such as lack of perfect privacy), they can be pretty useful, especially if you access files from multiple locations on multiple devices.

Security Intelligence Report

Warning:  for serious information security buffs only!

Microsoft has recently published it most recent security intelligence report (152 pages!) on the current state of information security and exploitation trends in the world.  While it is not really intended for the casual computer user, it is fascinating reading if you are interested in diving a little deeper into the bigger information security picture.

There is a 21 page summary version and a 94 page worldwide threat assessment also posted on their Security Intelligence Report website, along with lots of links to other related information if you are bored and have an afternoon to kill…

Just think!  Some of us get to read this stuff every day!

ENJOY the beginning of summer this weekend.