tag:blogger.com,1999:blog-133703482024-03-17T08:54:57.190+00:00Stephen and Chey Cobb: Independent ResearchersPublic-interest technology, information security, data privacy, risk and gender issues in techStephen Cobbhttp://www.blogger.com/profile/04204736531276318817noreply@blogger.comBlogger217125tag:blogger.com,1999:blog-13370348.post-86909698414917083582023-11-29T09:22:00.009+00:002023-11-29T18:32:45.231+00:00QR code abuse 2012-2023<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfUEw1xIbf6RweF-bEmk2cJOLjdocQUOm7iOJGCUxT3ctOQL_m5KupOBYa-EoGCyyADWHXeNWwSYa0kuLYNSxu20OoTsEpWikI4WqCYCDE60-9nEPCXD_VvPaqE-GecMTpAUu7DPgbp7mT-UpIHHaTNunf6A2KM9i-2XPwCHGix47lMEXUKc3W7Q/s2121/qr-code-to=cobb.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="QR Code Scam with Three QR Codes" border="0" data-original-height="1085" data-original-width="2121" height="214" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfUEw1xIbf6RweF-bEmk2cJOLjdocQUOm7iOJGCUxT3ctOQL_m5KupOBYa-EoGCyyADWHXeNWwSYa0kuLYNSxu20OoTsEpWikI4WqCYCDE60-9nEPCXD_VvPaqE-GecMTpAUu7DPgbp7mT-UpIHHaTNunf6A2KM9i-2XPwCHGix47lMEXUKc3W7Q/w417-h214/qr-code-to=cobb.jpg" width="417" /></a></div>QR code abuse is in the news again—see the list of headlines below—which reminds me that I first wrote about this in 2012 (<a href="https://www.welivesecurity.com/2012/04/23/qr-codes-and-nfc-chips-preview-and-authorize-should-be-default/" target="_blank">eleven years ago</a>). Back then I made a short video to demonstrate one potential type of abuse, tricking people into visiting a malicious website:<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='560' height='380' src='https://www.blogger.com/video.g?token=AD6v5dzokOVeYMJAp7IBrvgQrH3eGxoKT82FVlZzQCxpq8oeS6OnjeRDE1Q-PoYJtiS78UUA-fV7DCXs-W4' class='b-hbp-video b-uploaded' frameborder='0'></iframe></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
As you can see from this video, there is plenty of potential for hijacking and misdirection via both QR and NFC technology, and that potential has existed for over a decade. In fact, this is a great example of how a known technology vulnerability can linger untapped for over a decade, before all the factors leading to active criminal exploitation align. </div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">In other words, just because a vulnerability has not yet been turned into a common crime, does not mean it never will be. For example, the potential for ransomware attacks was there for many years before criminals turned it into a profitable business. Back in 2016, I suggested that combining ransomware with the increasing automation of vehicles would eventually lead to a form of criminal exploitation that I dubbed <a href="https://scobbs.blogspot.com/2016/05/jackware-coming-soon-to-car-or-truck.html">jackware</a>. 
As of now, jackware is not a thing, but by 2026 it well might be.</div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">Here are some recent QR code scam headlines:</div><div class="separator" style="clear: both; text-align: left;"><a href="https://www.bbc.co.uk/news/uk-england-tees-67335952" rel="noopener" target="_blank"><ul style="text-align: left;"><li>The QR code scam leaving victims thousands out of pocket</li><li>Woman targeted in £13k railway station QR code scam</li><li>QR code warning: Cybersecurity experts report alarming rise in 'quishing' scam</li><li>QR code scams on the rise during festive celebrations; here’s how to be safe</li></ul></a></div>
<div class="separator" style="clear: both; text-align: left;"></div><br />
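The misdirection shown in the video is exactly what a "preview and authorize" step in the scanner is meant to catch. As an added example (not the post's or its author's code), the following Python takes the text a scanner has already decoded from a QR code and builds that preview; the sample payloads, hostnames and warning rules are constructed assumptions, not anything from the original post.

```python
"""Preview-before-open checks for decoded QR code payloads.
Added example, not code from the original post or its author. It takes the
text a scanner has already extracted from a QR code (no image decoding here)
and builds the preview a cautious scanner could show before acting on it.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Non-web URI schemes a scanner hands to another app, and what they trigger.
ACTION_SCHEMES = {
    "tel": "place a phone call",
    "sms": "send a text message",
    "mailto": "open an e-mail draft",
    "wifi": "join a Wi-Fi network",
}

# Constructed sample payloads (not taken from any real QR code).
SAMPLE_PAYLOADS = [
    "https://www.example.com/menu",
    "http://example.com/pay",
    "https://www.example.com@203.0.113.5/login",
    "https://xn--pple-43d.example/verify",
    "tel:+15555550100",
    "WIFI:T:WPA;S:cafe;P:secret;;",
    "Table 12",
]


@dataclass
class Preview:
    payload: str
    kind: str                      # "web", "action" or "text"
    host: str = ""
    warnings: list[str] = field(default_factory=list)

    @property
    def can_auto_open(self) -> bool:
        """Only an https link with no warnings may open without a tap."""
        return self.kind == "web" and not self.warnings


def _host_warnings(parts) -> list[str]:
    """Checks on the authority part that catch common misdirection tricks."""
    warnings = []
    host = (parts.hostname or "").lower()
    if parts.username is not None:
        # "https://bank.example@203.0.113.5/" goes to 203.0.113.5; the text
        # before '@' is only a username, but it is what the eye reads first.
        warnings.append(f"text before '@' is not the site; link goes to {host!r}")
    try:
        ipaddress.ip_address(host)
        warnings.append("destination is a bare IP address, not a named site")
    except ValueError:
        pass
    for label in host.split("."):
        if label.startswith("xn--"):
            try:
                shown = label.encode("ascii").decode("idna")
            except UnicodeError:
                shown = "?"
            warnings.append(f"punycode label {label!r} displays as {shown!r}; "
                            "look-alike characters can imitate a known name")
    try:
        port = parts.port
    except ValueError:
        port = "malformed"
    if port not in (None, 80, 443):
        warnings.append(f"unusual or malformed port: {port}")
    return warnings


def preview_payload(payload: str) -> Preview:
    """Classify one decoded payload and collect the reasons to pause."""
    text = payload.strip()
    try:
        parts = urlsplit(text)
    except ValueError:               # e.g. an unbalanced IPv6 bracket
        return Preview(payload, "text", warnings=["URL-like text that does not parse"])
    scheme = parts.scheme.lower()
    if scheme in ("http", "https"):
        pv = Preview(payload, "web", host=(parts.hostname or "").lower())
        if scheme == "http":
            pv.warnings.append("plain http: page is not authenticated and "
                               "can be altered in transit")
        pv.warnings.extend(_host_warnings(parts))
        return pv
    if scheme in ACTION_SCHEMES:
        return Preview(payload, "action",
                       warnings=[f"would {ACTION_SCHEMES[scheme]}: {text}"])
    return Preview(payload, "text")  # nothing to open; display it as-is


if __name__ == "__main__":
    for raw in SAMPLE_PAYLOADS:
        pv = preview_payload(raw)
        print("open" if pv.can_auto_open else "ask user", pv.kind, raw, *pv.warnings, sep="\n  ")
```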
Stephen Cobbhttp://www.blogger.com/profile/04204736531276318817noreply@blogger.com0tag:blogger.com,1999:blog-13370348.post-69650705826620523132023-11-04T18:22:00.076+00:002023-11-05T19:20:53.296+00:00Artificial Intelligence is really just another vulnerable, hackable, information system<div class="separator" style="clear: both; text-align: left;">Recent hype around Artificial Intelligence (AI) and the amazingly good and bad things that it can and will do has prompted me to remind everyone that every AI is an information system and every information system has vulnerabilities. </div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">These vulnerabilities put AI systems at risk of exploitation and abuse for selfish ends when the ‘right’ conditions arise. As a visual aid, I put together a checklist that shows the current status of the five essential ingredients of an AI:</div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSGJjIOdIMOi9nuZhmpNFSe3MNA4UrVoiVY3mu1JiCStzErj7KGP8GhE8w74T7xIZ2oxJhRU8Ws6eSZ4kR18e_VEsbIn1KW6S5F2YnfmKM48cysLfzSC5ZVgzrTXkABPCFtb9q4U_nhehHU-5PiMZZ8A64E5osnxpHE9nO2o4I29AuTceBfQCYng/s2058/AI-checklist-zcobb.jpg" style="margin-left: 1em; margin-right: 1em;"><img alt="Checklist that shows the current status of the five essential ingredients of an AI" border="0" data-original-height="1120" data-original-width="2058" height="287" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSGJjIOdIMOi9nuZhmpNFSe3MNA4UrVoiVY3mu1JiCStzErj7KGP8GhE8w74T7xIZ2oxJhRU8Ws6eSZ4kR18e_VEsbIn1KW6S5F2YnfmKM48cysLfzSC5ZVgzrTXkABPCFtb9q4U_nhehHU-5PiMZZ8A64E5osnxpHE9nO2o4I29AuTceBfQCYng/w528-h287/AI-checklist-zcobb.jpg" width="528" /></a></div><span style="text-align: left;">Please let me know if you think I'm wrong about 
any of those checks and crosses (ticks and Xs if you prefer). </span><div><span style="text-align: left;"><br /></span></div><div><span style="text-align: left;">According to classic criminology theory, the right conditions for exploitation of an information system, such as an AI, are as follows: </span></div><div><ul style="text-align: left;"><li><span style="text-align: left;">a motivated offender, </span></li><li><span style="text-align: left;">a suitable target, and </span></li><li><span style="text-align: left;">the absence of a capable guardian. </span></li></ul></div><div><div class="separator" style="clear: both; text-align: left;"><div class="separator" style="clear: both;">Both good and bad uses of AI will motivate targeting by offenders. Do CEOs, many of whom are pushing their organizations to adopt AI, realise that? Do they understand that all five ingredients of AI are vulnerable? If you need to give them examples, here's a starter list:</div><div class="separator" style="clear: both;"><ol style="text-align: left;"><li>Chips – Meltdown, Spectre, Rowhammer, Downfall</li><li>Code – Firmware, OS, apps, viruses, worms, Trojans, logic bombs</li><li>Data – Poisoning, micro and macro (e.g. LLMs and SEO poisoning)</li><li>Connections – Remote access compromise, AITM attacks</li><li>Electricity – Backhoe attack, malware e.g. BlackEnergy, Industroyer</li></ol></div><div><div>Whether or not vulnerabilities in one or more of these five ingredients are maliciously exploited depends on risk/reward calculations with which many offenders are very familiar. If not capably guarded, vulnerabilities in AI implementations will be exploited by motivated offenders, for both "bad" and "good." 
(For a look at how capable guardianship in the digital realm is going, take a look at the rate at which <a href="https://scobbs.blogspot.com/2022/03/ic3-fbi-internet-crime-report-2021.html">losses due to Internet crime are climbing</a> in spite of record levels of spending on cybersecurity.) </div></div><div><br /></div><div><div>Some offenders will try to make money attacking AI systems relied upon by hospitals, schools, companies, governments, military, etc. Unfortunately, the criminal infrastructure to monetize the exploitation of vulnerabilities in information systems already exists (see: darkweb, malware as a service, botnets, ransomware, cryptocurrency, etc.)</div><div><br /></div><div>Other offenders will try to stop an AI doing things of which they don’t approve: driving cars, taking jobs, firing weapons, educating children, making movies, exterminating humans.</div><div><br /></div><div>How and at what level AI should be regulated are tough questions to answer. But we can take some comfort in the likelihood that, based on what has happened to every new digital technology in the last 40 years, AI will prove vulnerable to exploitation and abuse, in other words, less likely to deliver happiness or hell on earth than techbro fans or foes expect.</div></div></div><p></p></div>Stephen Cobbhttp://www.blogger.com/profile/04204736531276318817noreply@blogger.com0tag:blogger.com,1999:blog-13370348.post-47385339743153603712023-04-12T20:07:00.151+00:002023-04-15T13:23:42.761+00:00What is ChatGPT and how can AI get things wrong: an annotated example using jackware<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEizLzKUL3MfrRnLPcv_WjUR2BMmx-AUvtLDadUi8vrlrPRI-8SlKAJKque82pCKte8mvpuwBpYJxiZ4-nxxSSCRlrSOY3NabmDNHePOLmoPsHLs3yUtRm6oLZfV0hNrlblnPXPeNBR_3SFhE37xE1fxnYMGFLKEaRgjNEhhdnUpIhe8ZjneLCw/s1452/chatgpt-wrong-shot.png" style="margin-left: auto; margin-right: auto;"><img alt="An example of ChatGPT giving a wrong answer" border="0" data-original-height="898" data-original-width="1452" height="364" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEizLzKUL3MfrRnLPcv_WjUR2BMmx-AUvtLDadUi8vrlrPRI-8SlKAJKque82pCKte8mvpuwBpYJxiZ4-nxxSSCRlrSOY3NabmDNHePOLmoPsHLs3yUtRm6oLZfV0hNrlblnPXPeNBR_3SFhE37xE1fxnYMGFLKEaRgjNEhhdnUpIhe8ZjneLCw/w586-h364/chatgpt-wrong-shot.png" width="586" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;"><span style="font-family: arial;">You can't trust what ChatGPT says</span></td></tr></tbody></table>ChatGPT is, as you probably know, a computer system that uses artificial intelligence (AI) to answer questions. Sometimes the answers it gives are wrong, and that's the short version of this article. The long version explains more about what ChatGPT is, with a detailed look at an example of how wrong it can be. <div><br /></div><div><div>Here's how Mashable describes ChatGPT in <a href="https://mashable.com/article/what-is-chatgpt" target="_blank">Everything you need to know about ChatGPT</a>: "in essence, a simple online artificial intelligence chatbot created by OpenAI in December 2022." Technically speaking, ChatGPT describes itself as "a language model developed by OpenAI, based on the GPT (Generative Pre-trained Transformer) architecture...designed to understand and respond to natural language queries and generate human-like text in response." 
</div><div><br /></div><div>If you check out <a href="https://chat.openai.com/chat" target="_blank">ChatGPT online</a> it can come across as a chatty version of a search engine, but it can do things that search engines don't, such as put together plausible explanations of phenomena, as opposed to simply listing search results relating to them. For example, suppose you encounter the word <i>jackware</i> and wonder what it means. You could put the word into a search box and get a bunch of responses, like this:</div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSEKMgnr5ZFCdi_RJsmchCUgnDdhaSEVXoC2p4yb_zcn8hv82BiPisCTbcsq0Os7wtsomkBcGbne5wuaW_y22l8RKvMAsi8iX6S13tOMjco77IBfm4loZXSWHb4AGXiy4ybCgYiLAyWGQyCRhBroAF4Hg0mjXRcu4SyH4FGqOFRlpmCKh2E0E/s1398/jackware-google.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="600" data-original-width="1398" height="257" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSEKMgnr5ZFCdi_RJsmchCUgnDdhaSEVXoC2p4yb_zcn8hv82BiPisCTbcsq0Os7wtsomkBcGbne5wuaW_y22l8RKvMAsi8iX6S13tOMjco77IBfm4loZXSWHb4AGXiy4ybCgYiLAyWGQyCRhBroAF4Hg0mjXRcu4SyH4FGqOFRlpmCKh2E0E/w601-h257/jackware-google.png" width="601" /></a></div>If you are lucky, one or more of the search results will give you an idea of what the search term means. In this case we can see that "The goal of a jackware attack is to lock up the hijacked device until you pay" (which happens to be correct). </div><div><br /></div><div>But what if you're writing an article or essay about jackware and want to know who came up with the term and when it was coined? I couldn't find that information in the search results for jackware, and looking for it took time. In my experience, search engines often fail to answer questions like this, as you can see from the following example. 
When asked who coined the term jackware, Google provides one link to a story about jackware, but all the rest of the results—many thousands of them—assume that <i>jackware</i> is just a typo for <i>Jaguar</i>, as in the car, not the animal:</div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhScht0tcQF8o_iAQX0ragCbCxTY2eA6WPllHhqw2hBeQntq4GGhsE2qukkwYApWAydaq0koXclWvR-4aimQU2hnDXVwBTgJqfR1V-b0wb5IVj-9PGVdJLVn_jPcmWUyhZy0xzXrmuoqPJcdhXqjwSXw14_pgdESikSdQc57e2RF7uqJjMYW4A/s1430/jackware-jaguar-google.png" style="margin-left: 1em; margin-right: 1em;"><img alt="Screenshot of Google assume jackware is a typo for jaguar" border="0" data-original-height="962" data-original-width="1430" height="405" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhScht0tcQF8o_iAQX0ragCbCxTY2eA6WPllHhqw2hBeQntq4GGhsE2qukkwYApWAydaq0koXclWvR-4aimQU2hnDXVwBTgJqfR1V-b0wb5IVj-9PGVdJLVn_jPcmWUyhZy0xzXrmuoqPJcdhXqjwSXw14_pgdESikSdQc57e2RF7uqJjMYW4A/w603-h405/jackware-jaguar-google.png" width="603" /></a></div>Personally, I find the jackware/jaguar assumption very amusing—for reasons I will explain later—but first, let's see how ChatGPT gets on when asked the same question: Who coined the term jackware? Here's the answer ChatGPT provides:</div><div><span style="background-color: #fcff01;"><br /></span></div></div><blockquote style="border: none; margin: 0px 0px 0px 40px; padding: 0px;"><div><div style="text-align: left;"><span style="background-color: #f3f3f3;">The term "jackware" was coined by two researchers, Stefan Savage and Tadayoshi Kohno, in a 2016 paper titled "Experimental Security Analysis of a Modern Automobile". In the paper, Savage and Kohno described a proof-of-concept attack in which they were able to take control of a car's electronic systems using a laptop computer. 
They used the term "jackware" to describe a new class of malware that could be used to take control of vehicles in a similar way to how ransomware is used to take control of computer systems.</span></div></div></blockquote><p>Frankly, at first glance this looks like a very impressive answer: it names names and cites an academic source, while providing a helpful description of jackware, all articulated in grammatically correct English. It's way more helpful than the output of a plain old search. You can see why so many people get so excited about artificial intelligence. </p><p>But sadly, several key facts in ChatGPT's answer are just plain wrong, so wrong that you could be in serious trouble with your teacher-editor-readers if you pasted that paragraph of ChatGPT output into a piece of work. For a start, anyone familiar with the subject matter would know that you hadn't read that paper.</p><p>The academic paper to which ChatGPT refers was published in 2010, not 2016. You can see that from <a href="https://www.researchgate.net/publication/220713691_Experimental_Security_Analysis_of_a_Modern_Automobile/link/0deec52f4f0406030e000000/download" target="_blank">this listing of the paper</a>. This is not just a pedantic quibble; the named paper is legendary in the world of automotive cybersecurity, partly because it was published way back in 2010. It documents groundbreaking work done by Savage et al. in the 2000s, way before the flashy <a href="https://fractionalciso.com/the-groundbreaking-2015-jeep-hack-changed-automotive-cybersecurity/" target="_blank">Jeep hack of 2015</a> by Miller and Valasek.</p><p>More blatantly erroneous is the identification of this 2010 paper and its authors as the source of the term jackware. Simply put, the paper does not contain the word jackware. 
In fact, the person who coined the term jackware to describe malicious code used to take over vehicles was me, Stephen Cobb, and I did that in May of 2016, on this blog, in a post titled: <a href="https://scobbs.blogspot.com/2016/05/jackware-coming-soon-to-car-or-truck.html">Jackware: coming soon to a car or truck near you?</a> </p><p>In July of 2016, I penned <a href="https://www.welivesecurity.com/2016/07/20/jackware-connected-cars-meet-ransomware/" target="_blank">Jackware: When connected cars meet ransomware</a> for <i>We Live Security</i>, the award-winning global cybersecurity blog. As further evidence, I present exhibit A, which shows how you can use iterative time-constrained searches to identify when something first appears. Constraining the search to the years 1998 to 2015, we see that no relevant mention of jackware was found prior to 2016:<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhh4hA_W1wN5afv1_mbaL6rO2d54qvcpS2VwfVwTq6wUT0yXuq3XFwcSAIwO74LrKE7M6NHpO0IfwwR4PSCWM8t0QUNVz1IxD3ryAkpS-0mEQ8R_uttcuYZ7NPVtzvN8MfCZtl40Kn859H3_erw93FnEIdIz8RLk5adB_4aUuS1WqWQiEYXcAc/s1448/google-jackware-2015.png" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" data-original-height="644" data-original-width="1448" height="269" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhh4hA_W1wN5afv1_mbaL6rO2d54qvcpS2VwfVwTq6wUT0yXuq3XFwcSAIwO74LrKE7M6NHpO0IfwwR4PSCWM8t0QUNVz1IxD3ryAkpS-0mEQ8R_uttcuYZ7NPVtzvN8MfCZtl40Kn859H3_erw93FnEIdIz8RLk5adB_4aUuS1WqWQiEYXcAc/w608-h269/google-jackware-2015.png" width="608" /></a>Apparently, jackware had been used as a collective noun for leather mugs, but there are no software-related search results before 2016. 
Next you can see that, when the search is expanded to include 2016, the We Live Security article tops the results:<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgGbxt0RSDP5i3ilD8ViSYv8R7ecPHNxAN-5PhYlAEdFaubGX66AFdmOkflSLZHw5lkeWttjHsYR6iATu8NoaGNm92BjTdYPE2RFxEJXlkGkXqQqiRjox-bmrPE6AhSo78dH7_M34tyhaakjfMx7oAYClWChZzGPuqMFGFhWVAPK1wQGP8Sd1c/s1256/google-jackware-2016.png" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" data-original-height="458" data-original-width="1256" height="204" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgGbxt0RSDP5i3ilD8ViSYv8R7ecPHNxAN-5PhYlAEdFaubGX66AFdmOkflSLZHw5lkeWttjHsYR6iATu8NoaGNm92BjTdYPE2RFxEJXlkGkXqQqiRjox-bmrPE6AhSo78dH7_M34tyhaakjfMx7oAYClWChZzGPuqMFGFhWVAPK1wQGP8Sd1c/w560-h204/google-jackware-2016.png" title="Google search for jackware through 2016" width="560" /></a></p><p>So how did ChatGPT get things so wrong? The simple answer is that ChatGPT doesn't know what it's talking about. What it does know is how to string relevant words and numbers together in a plausible way. Stefan Savage is definitely relevant to car hacking. The year 2016 is relevant because that's when jackware was coined. And the research paper that ChatGPT referenced does contain numerous instances of the word jack. Why? Because the researchers wisely tested their automotive computer hacks on cars that were on jack stands.</p><p>To be clear, ChatGPT is not programmed to use a range of tools to make sure it is giving you the right answer. For example, it didn't perform an iterative time-constrained online search like the one I did in order to find the first use of a new term. </p><p>Hopefully, this example will help people see what I think is a massive gap between the bold claims made for artificial intelligence and the plain fact that AI is not yet intelligent in a way that equates to human intelligence. 
That means you cannot rely on ChatGPT to give you the right answer to your questions. </p><p>So what happens if we do get to a point where people rely—wisely or not—on AI? That's when AI will be maliciously targeted and abused by criminals, just like every other computer system, something I have <a href="https://zcobb.medium.com/the-existential-ai-risk-nobody-is-talking-about-35ba8a5a03fe" target="_blank">written about here</a>.</p><p>Ironically, the vulnerability of AI to abuse can be both a comfort to those who fear AI will exterminate humans, and a nightmare for those who dream of a blissful future powered by AI. In my opinion, the outlook for AI, at least for the next few decades, is likely to be a continuation of the enthusiasm-disillusionment cycle, with more AI winters to come.</p><center>--------------^-------------</center> <p><b>Note 1</b>: For more on those AI dreams and fears, I should first point out that they are based on expectations that the capabilities of AI will evolve from their current level to a far more powerful technology referred to as Artificial General Intelligence or AGI. For perspective on this, I recommend listening to "<a href="https://youtu.be/P7XT4TWLzJw" target="_blank">Eugenics and the Promise of Utopia through Artificial General Intelligence</a>" by two of my Twitter friends, <a href="https://twitter.com/timnitGebru" target="_blank">@timnitGebru</a> and <a href="https://twitter.com/xriskology" target="_blank">@xriskology</a>. This is a good introduction to the relationship between AI development and a bundle of beliefs/ideals/ideas known as TESCREAL: Transhumanism, Extropianism, Singularitarianism, Cosmism, Rationalism, Effective Altruism, Longtermism.</p><p><b>Note 2</b>: When I first saw Google assume <i>jackware</i> was a typo for <i>Jaguar</i> I laughed out loud because I was born and raised in Coventry, England, the birthplace of Jaguar cars. 
In 2019, when my mum, who lives in Coventry, turned 90, Chey and I moved here, and that's where I am writing this. Jaguars are a common sight in our neighbourhood, not because it's a posh part of the city, but because a lot of folks around here work at Jaguar and have company cars.</p><p><br /></p>Stephen Cobbhttp://www.blogger.com/profile/04204736531276318817noreply@blogger.com0tag:blogger.com,1999:blog-13370348.post-28363317587501860842023-03-14T13:53:00.000+00:002023-03-14T13:53:02.048+00:00Internet crime surged in 2022: possibly causing as much as $160 billion in non-financial losses<p></p><div style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8eTL8ZWdRmCmzV10MxsFabYa2l8KtaH4IJWF9xV3StanqILLnrO1XDzLQsULOMdf2wN_OHduPb-TJUrHUGWFy7qmv13d9AVq4c42Q3iDNEFoXde-RGQx48Mdxp95wLHzSntNYGT2SM0o7LvwSkJnMr6LNT1aAEn1Lf9mjEAVxoNWk1YiOMfo/s1418/ic3-losses-2012-2022.png" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img alt="Chart of annual Internet crime losses reported to IC3/FBI 2012-22, as compiled by S. Cobb" border="0" data-original-height="1116" data-original-width="1418" height="318" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8eTL8ZWdRmCmzV10MxsFabYa2l8KtaH4IJWF9xV3StanqILLnrO1XDzLQsULOMdf2wN_OHduPb-TJUrHUGWFy7qmv13d9AVq4c42Q3iDNEFoXde-RGQx48Mdxp95wLHzSntNYGT2SM0o7LvwSkJnMr6LNT1aAEn1Lf9mjEAVxoNWk1YiOMfo/w404-h318/ic3-losses-2012-2022.png" width="404" /></a></div>Financial losses reported to the FBI's Internet Crime Complaint Center in 2022 rose almost 50% over the prior year, reaching $10.3 billion according to the recently released annual report (<a href="https://www.ic3.gov/Home/AnnualReports" target="_blank">available here</a>). 
<p></p><p>This increase, which comes on top of a 64% surge from 2020 to 2021, has serious implications for companies and consumers who use the Internet, as well as for law enforcement and government.</p><p>Those implications are discussed in an article that I <a href="https://www.linkedin.com/pulse/internet-crime-losses-soared-2022-rising-49-pretty-much-stephen-cobb/">wrote over on LinkedIn</a> in the hope that more people will pay attention to the increasingly dire state of Internet crime prevention and deterrence, and how that impacts people. In that article I also discuss the growing awareness that Internet crime creates even more harm than is reflected in the financial losses suffered by victims. There is mounting evidence—some of which I cite in the article—that the health and wellbeing of individuals hit by online fraud suffers considerably, even in cases of attempted fraud where no financial loss occurs. </p><p>One UK study estimated the value of this damage at the equivalent of more than $4,000 per victim. Consider what happens if we round down the number of cases reported in the IC3/FBI annual summary for 2020 to 800,000, then assume that number reflects a fifth of the actual number of cases in which financial loss occurred. That's 4 million cases. Now assume those cases were one tenth of the attempted online crimes and multiply that 40 million by the $4,000 average hit to health and wellbeing estimated by researchers. The result is $160 billion, and that's just for one year; a huge amount of harm to individuals and society. 
</p><p><br /></p>Stephen Cobbhttp://www.blogger.com/profile/04204736531276318817noreply@blogger.com0tag:blogger.com,1999:blog-13370348.post-53074537579114967042022-12-17T13:04:00.004+00:002022-12-17T14:34:44.027+00:00Digital Baitballs and Shrinkage: a cybersecurity lesson from 2022<p></p><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhYi55VBtHQRs3LJBPvAWce5H6d5CI7puVmEsPqPJbvObTJpFpB8BegY9Ei_XQerJE54EfYQJmZfdpgq8aXDfBc_EgsJMhciXse-o-pbP7XeZqYIDfqJhoOpz9sfkT7heNj9SKfh45Weaxf0ef_G156_7u7_KuoJCjRErcC4JT9Im2Up7jVF80/s1280/bait-ball-linkedin.jpg" style="margin-left: auto; margin-right: auto;"><img alt="A school of fish forming a baitball to minimize predation" border="0" data-original-height="720" data-original-width="1280" height="311" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhYi55VBtHQRs3LJBPvAWce5H6d5CI7puVmEsPqPJbvObTJpFpB8BegY9Ei_XQerJE54EfYQJmZfdpgq8aXDfBc_EgsJMhciXse-o-pbP7XeZqYIDfqJhoOpz9sfkT7heNj9SKfh45Weaxf0ef_G156_7u7_KuoJCjRErcC4JT9Im2Up7jVF80/w552-h311/bait-ball-linkedin.jpg" width="552" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;"><span style="font-size: x-small;">A school of baitfish forming a ball to reduce predation (Shutterstock) </span></td></tr></tbody></table><br />If 2022 has taught us anything about cybersecurity, it is this: our combined efforts to protect the world's digital systems and the vital data that they process are capable of thwarting very high levels of sustained criminal activity, where "thwart" means preventing the complete collapse of trust in digital technology and limiting casualties to levels that appear to be survivable, if not acceptable. 
<p></p><p>In other words, despite all the efforts of bad actors, from local scammers to nation states, abusing all manner of digital technologies, to commit everything from petty crimes to war crimes, humans are surviving, and we are continuing to expand our reliance on said technologies.</p><p>Of course, this lesson would appear to offer little comfort to the victims of digital crime in 2022, the countless companies, consumers, non-profit organizations, and government entities that lost money and peace of mind to the hordes of ethically challenged and maliciously motivated perpetrators of cyber-badness.*</p><h3 style="text-align: left;">Is survival enough?</h3><p></p><table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: right;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhn2-gKdOXYzvF7elMnSPTfTelevhK5r5pq7AZkYSX5bYtyR0lNPDxdor5qrajprjgdf02aqlT47_pkh9aG_nqka-BTzFEgKe9Iyr1DRfXHOq6uXNylhuxsUV16heYRvwAFLBCaedPcvUmqFhwjtKfYwOHMFulE8_7q-3gYXjqDfRiEvt5xh7Y/s1268/baitball-vertical-j.jpg" style="clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img alt="Swordfish checking out a baitball" border="0" data-original-height="1268" data-original-width="640" height="572" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhn2-gKdOXYzvF7elMnSPTfTelevhK5r5pq7AZkYSX5bYtyR0lNPDxdor5qrajprjgdf02aqlT47_pkh9aG_nqka-BTzFEgKe9Iyr1DRfXHOq6uXNylhuxsUV16heYRvwAFLBCaedPcvUmqFhwjtKfYwOHMFulE8_7q-3gYXjqDfRiEvt5xh7Y/w290-h572/baitball-vertical-j.jpg" width="290" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;"><span style="font-size: x-small;">Baitball and a swordfish (Shutterstock)</span></td></tr></tbody></table>You could argue that humans are in deep trouble if the best we can say about the struggle between cybersecurity and cybercrime at the end of 2022 is: "most of us survived." 
However, other species on our planet have endured for millions of years by embracing "most of us survive" as the goal of their defensive strategy. <p></p><p>For example, small fish that spend most of their lives in the open ocean form a tight group when predators approach; then they swirl around in a ball to make it harder for predators to select targets. I wrote about this phenomenon—the baitball—in a recent article on <a href="https://www.linkedin.com/pulse/cybersecurity-baitball-analogy-stephen-cobb/" target="_blank">LinkedIn</a>.</p><p>So, the good news for 2022 is that we can head into 2023 knowing that the world can survive a large amount of ongoing cyberbadness. We have seen that levels of criminal abuse of digital technology can rise quite high without resulting in the breakdown of society. </p><p>(You could even argue that cybercrime is falling in relation to the growing number of criminal opportunities created by the ongoing deployment of new digital technologies and devices, but that's for a different article.)</p><p>The bad news is that surviving is not as enjoyable and fulfilling as thriving. Living just this side of the breakdown of society means the other side is a looming presence, a constant stress factor, as is the knowledge that any one of us could be the next cybercrime victim.</p><h3 style="text-align: left;">Shrinkage</h3><p>So what will it take to get from surviving to thriving, to a state in which cybercrime is either eliminated or reduced to a manageable level? Unfortunately, the short answer is: it will take a lot. The countries of the world need to agree to, and enforce, norms of ethical behaviour in the digital realm. If that sounds almost impossible given the current state of the world, then you have a measure of how much effort it is going to take to eliminate cybercrime or reduce it to a manageable level. However, it should be noted that the idea of reducing crime to a manageable level is not unprecedented. 
</p><p>Shopkeepers learned long ago that it is almost impossible to stop their stock from shrinking. Some employees will swipe stock from the stockroom. Some customers will shoplift. Furthermore, some vendors will over-charge and under-deliver. Taken together, these money-losing phenomena are known as shrinkage. </p><p>Despite efforts to reduce shrinkage, including the use of technology, it still cuts into retail revenue in America to the tune of 1.5% per year on average, equating to losses in the order of $100 billion in 2021. Nevertheless, despite shrinkage, the retail sector keeps going. Retailers don't expect to eliminate shrinkage, but they will spend time and money on measures to keep it to a relatively low percentage.</p><p>So what are the prospects for reducing the impact of cybercrime to a very low level, perhaps a very small percentage of GDP? I honestly don't know. We are still a long way from getting a full picture of cybercrime's impact; this is particularly true of the psychological and health impacts. There are hidden social and economic costs as well, given the not insignificant percentage of people who don't go online due to fear of cybercrime.</p><p>Some would argue that the term <i>cybercrime</i> is becoming problematic in discussions like this, given that most predatory crime today has "cyber" aspects. Fortunately, there is plenty of evidence that people who commit predatory crime can stop, and many do so as they get older, start families, get a "proper" job. 
In criminology this is known as desistance, and it may actually be easier for people with digital skills to desist.</p><p>In the broad scheme of things, the most intractable obstacle to reducing cyberbadness may not be predatory criminals clinging to a crooked lifestyle; it could well be humans who are prepared to use digital technologies like social media to spread disinformation, undermine truth, and foster hatred in furtherance of selfish agendas.</p><p><b><br />Note: </b>To the best of my knowledge, the term <i>cyber-badness</i> was first coined by Cameron Camp, my friend and colleague at ESET.</p>Stephen Cobbhttp://www.blogger.com/profile/04204736531276318817noreply@blogger.com0tag:blogger.com,1999:blog-13370348.post-41181505394242157282022-07-22T10:31:00.101+00:002023-07-24T11:30:38.351+00:00Cobb's Guide to PC and LAN Security: the 30th anniversary of the first version<div class="separator"><a href="http://www.amazon.com/s/ref=nb_sb_noss?url=search-alias%3Dstripbooks&field-keywords=stephen+cobb+pc+and+lan+security" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjB2_RpKnwP2cDxizor8AuURqSQf0x0j3a-QxJO3vLgJPG7R0_IrH8nJaKX6vjA4u4gAP33FLejIuLabmDg5rNH9iagVAXC6yRQ_L6sdJWWwGoQCL5Vgwum6ygiHICVm-ghIPE69w/s1600/pc-and-lan-security-amazon.png" /></a></div><p>The <b>Stephen Cobb Complete Book of PC and LAN Security</b> first appeared in print in 1992, an amazing 30 years ago. In celebration of this anniversary, I'm reminding people that a PDF copy of the last version of the book is freely downloadable under a Creative Commons license. 
</p><p>While a lot of the book's technical content is now dated—a polite way of saying it is stuck in the late 1990s and thus mainly of historical interest—much of the theory and strategy still rings true.</p><p>The large file size of this 700-page tome led me to publish it in three easily digestible parts: <a href="https://www.dropbox.com/s/233jf4fpd4sy1ml/cobb-pclan-security-chaps01-05.pdf" target="_blank">Part One</a>; <a href="https://www.dropbox.com/s/05nxyx0ai1ni9kd/cobb-pclan-security-chaps06-12.pdf" target="_blank">Part Two</a>; and <a href="https://www.dropbox.com/s/fuscs9e28248h08/cobb-pclan-security-chaps13-End.pdf" target="_blank">Part Three</a>. (You can also scroll down the column on the right of this page for download links.)</p>
Despite the original title, which was imposed by the publisher, the volume that appeared 30 years ago was by no means a "complete book" on the subject; nor is it now a contemporary guide. However, you can still find it on Amazon, even though Amazon.com did not exist when the first version was published. The images on the left of this article are the <a href="http://www.amazon.com/s/ref=nb_sb_noss?url=search-alias%3Dstripbooks&field-keywords=stephen+cobb+pc+and+lan+security" target="_blank">current Amazon listings</a> of the three versions (which I will explain shortly).
<br />
<br />
If you are inclined to take this particular trip down computer security's memory lane, I suggest you download the free electronic version rather than purchase on Amazon. On that trip you will find a few items of note, such as this observation:<br />
<blockquote class="tr_bq">"The goal of personal computer security is to protect and foster the increased creativity and productivity made possible by a technology that has so far flourished with a minimum of controls, but which finds itself increasingly threatened by the very openness that led to its early success. To achieve this goal, you must step from an age of trusting innocence into a new era of realism and responsibility, without lurching into paranoia and repression."</blockquote>
I'd say that's a decent piece of prognostication for 1992. It's one of the reasons I have kept the book available all these years, a mix of nostalgia, history, and first principles. Along with a number of friends and fellow security professionals—like <a href="https://en.wikipedia.org/wiki/Winn_Schwartau" target="_blank">Winn Schwartau</a>, <a href="https://en.wikipedia.org/wiki/Bruce_Schneier">Bruce Schneier</a>, and <a href="https://en.wikipedia.org/wiki/Jeff_Moss_(hacker)">Jeff Moss</a>—I am inclined to think that the parlous state of cybersecurity in 2022, relative to the level of <a href="https://scobbs.blogspot.com/2022/03/ic3-fbi-internet-crime-report-2021.html">cybercriminal activity</a>, could have been avoided if only more people had taken our advice more seriously in the 1990s.<br />
<h3>
Three Versions and a Free Version</h3>
I made a lot of changes when I turned that 1992 volume into <b>The NCSA Guide to PC and LAN Security</b>—a 700-page paperback that was published in 1995—but that edition is also very outdated these days. Around 12 years ago I obtained the copyright to these works and, through an arrangement with the Authors Guild, got it reprinted as <b>Cobb's Guide to PC and LAN Security</b>. This was done largely for sentimental reasons and the copies are only printed on demand. <div><br /></div><div>However, in that process I obtained a high resolution scan of the entire book. I then converted this to text using
Adobe OCR software. The result is what I have put online. (Warning: you may encounter OCR errors and artifacts; <span style="background-color: white;">no claims are made as to accuracy of the information in this document; use at your own risk and discretion, etc.).</span><br />
<blockquote class="tr_bq">
LEGAL STUFF: <span style="background-color: white;">THIS FREE ELECTRONIC EDITION IS LICENSED BY THE AUTHOR FOR USE UNDER <a href="http://creativecommons.org/licenses/by-nc-nd/3.0/" target="_blank">CREATIVE COMMONS</a>, ATTRIBUTION, NONCOMMERCIAL, NO DERIVATIVES. </span></blockquote>
<h3>
Computer Security Prognosis and Predictions </h3>
I plan to post more thoughts on computer security "then and now" but for now I leave you with another quote from the 1992<span style="background-color: white;"> </span><b>Stephen Cobb Complete Book of PC and LAN Security</b><span style="background-color: white;">:</span><br />
<blockquote class="tr_bq">"The most cost-effective long-term approach to personal computer security is the promotion of mature and responsible attitudes among users. Lasting security will not be achieved by technology, nor by constraints on those who use it. True security can only be achieved through the willing compliance of users with universally accepted principles of behavior. Such compliance will increase as society as a whole becomes increasingly computer literate, and users understand the personal value of the technology they use."</blockquote></div>Stephen Cobbhttp://www.blogger.com/profile/04204736531276318817noreply@blogger.com0Coventry, UK52.4128163 -1.508952124.102582463821157 -36.6652021 80.723050136178841 33.6472979tag:blogger.com,1999:blog-13370348.post-51156425103270145552022-03-28T19:09:00.005+00:002022-03-28T19:19:13.379+00:00Big jump in losses due to Internet crimes in 2021, up 64% according to latest IC3/FBI report<p></p><table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: right;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi33ZQ1QGtoS5v2plJkcBqag8isKuSeuQSD7uOpbZN5h00s4QCTUZ1aWAIU0cRO4vuaWINxh3pGQ4Nqqc4C50wwuOJVANSTWfooycTKE8WzIKh2TZT22K6tX87-rv26kgEMNiMtYYregFE5IEu8NmiYNIWfoPa7IIlu1cxKm9ruec1c8VCXG1M/s1495/ic3-fbi-loss-chart-2021a.jpg" style="clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" data-original-height="1273" data-original-width="1495" height="356" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi33ZQ1QGtoS5v2plJkcBqag8isKuSeuQSD7uOpbZN5h00s4QCTUZ1aWAIU0cRO4vuaWINxh3pGQ4Nqqc4C50wwuOJVANSTWfooycTKE8WzIKh2TZT22K6tX87-rv26kgEMNiMtYYregFE5IEu8NmiYNIWfoPa7IIlu1cxKm9ruec1c8VCXG1M/w418-h356/ic3-fbi-loss-chart-2021a.jpg" width="418" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;"><span style="font-size: small;">IC3/FBI internet crime data graphed by S. 
Cobb</span></td></tr></tbody></table>In 2021, the world came to rely on digital technologies even more than it had in 2020. Sadly, but quite predictably, at least from my perspective, 2021 also saw a lot more sleazy digital scams and dastardly data breaches than 2020. <div><br /></div><div>How much more were the estimated losses suffered by individuals and businesses who reported internet crimes to IC3 in 2021? They were up 64% over 2020 according to the recently published <a href="https://www.ic3.gov/Home/AnnualReports" target="_blank">2021 Internet Crimes Report</a> from the FBI and IC3, the Internet Crime Complaint Center.<div><div><br /></div><div>The annual figure for this Internet crime metric rose from US$4.2 billion in 2020 to US$6.9 billion in 2021. That's almost a doubling in two years, from the 2019 figure of US$3.5 billion. The rise in losses from 2020 to 2021 was the second steepest annual increase in the last decade (2017-2018 saw a 91% jump).</div><div> </div><div>While there are some issues with using the IC3 numbers as crime metrics—they were not originally collected as an exercise in crime metrics, but rather as an avenue of attack against the crimes they represent—I have studied each IC3 annual report and am satisfied that they reflect real world trends in cybercrime's impact on victims, as measured by direct monetary loss. (You can find out more about this in my article, <a href="https://jnslp.com/2020/02/13/advancing-accurate-objective-cybercrime-metrics/" target="_blank">Advancing Accurate and Objective Cybercrime Metrics</a> in the <i>Journal of National Security Law & Policy.</i>)</div><div><br /></div><div>When you put a 64% rise in annual internet crime losses in the context of record levels of spending on cybersecurity in recent years, it says to me that current strategies for securing our digital world against criminal activity are not working as well as they should. 
For more on cybercrime metrics relative to cybersecurity efforts, see this <a href="https://scobbs.blogspot.com/2021/04/cyber-scams-fraud-harm.html">blog post from last year</a>.</div><div><br /></div><div>For more on the work that IC3 and the FBI do, please download the <a href="https://www.ic3.gov/Home/AnnualReports" target="_blank">2021 report, and any of the previous reports</a>. If you're a criminology or risk and security geek like me, they make for interesting reading. The report lets you see which types of crime were on the increase in 2021—e.g. there is a growing overlap between romance scams and cryptocurrency fraud—and what steps IC3 has been taking to mitigate scams. The report's chart of losses by age group in 2021 was frankly depressing: older members of society are being hit hard by digital scammers.</div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKP2MAMOIugfokDiFJ6N3kotINCaNN2pYN1L0BxxQoLAscHi6plWP9O9zPNruZCtPFvr7eyR9iPsfsdkrtJvgcPbIuJOfoYEuqnA6muTH9auRVGuqKoEipbdY9L3jSTU2E8U1Z0KjOigFrdV_YIpgn11KIvBUR7aoeC2VgvYzOv7whTbIdk50/s1494/ic3-vics-by-age-2021chart.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1494" data-original-width="1493" height="505" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKP2MAMOIugfokDiFJ6N3kotINCaNN2pYN1L0BxxQoLAscHi6plWP9O9zPNruZCtPFvr7eyR9iPsfsdkrtJvgcPbIuJOfoYEuqnA6muTH9auRVGuqKoEipbdY9L3jSTU2E8U1Z0KjOigFrdV_YIpgn11KIvBUR7aoeC2VgvYzOv7whTbIdk50/w505-h505/ic3-vics-by-age-2021chart.jpg" width="505" /></a></div><h3 style="text-align: left;">What's next for cybercrime and its victims?</h3><div>Firstly, I think we have to be honest with ourselves and acknowledge that, as human activities go, the abuse of digital systems for selfish ends has been a runaway success. 
Second, we need to realize that we are all victims of this success, regardless of whether or not we have lost any money as a direct result of such abuse. </div><div><br /></div><div>As I have said elsewhere, the psychological impact of internet crime creates significant costs, to victims and to society. People lose self-esteem, confidence, and trust. They may need counselling. Their productivity may suffer. Unfortunately, we have not done a good job of measuring harms from criminal abuse of digital systems that are not easily summed up as "how much did you lose?" </div><div><br /></div><div>One recent step in the right direction was research in the UK prompted by the consumer group <b>Which?</b> and <a href="https://www.bbc.co.uk/news/business-58926333" target="_blank">reported here by the BBC</a>. As the article states, the annual cost of the impact of scams on wellbeing was calculated to be £9.3 billion (roughly US$13 billion). The research suggested that "scam victims faced a drop in life satisfaction, significantly higher levels of anxiety, and lower levels of happiness." In addition, some victims reported "worse general health." Those findings echo this one in 2014 from the non-profit senior support organization Age UK: "older [scam] victims are 2.4 times more likely to die or go into a care home than those who are not scammed." </div><div><br /></div><div>When you translate these non-financial harms into the costs they produce: "The average drop in wellbeing for victims of fraud has been valued at £2,509 per year. For online fraud, this estimate is even higher at £3,684" (<a href="https://www.which.co.uk/news/2021/10/scams-impact-on-victims-costs-9-3-billion-a-year/" target="_blank">Which?</a>). </div><div><br /></div><div>Now, if we assume that this UK estimate holds true in the US and turn £3,684 into US dollars we get roughly $5,000 per victim. I know this is guesswork, but I'd really love to see some entity replicate the Which? research in the US. 
Because, if that $5,000 proves to be a valid assumption, and we multiply it by the number of people reporting crimes to IC3 (847,376 in 2021) we get a figure that represents: "the personal and social cost of Internet crimes reported to IC3 in 2021 in addition to the reported financial losses." </div><div><br /></div><div>And that number is a whopping US$4.2 billion (which is a bit uncanny because that same figure was the IC3 financial loss total for 2020). Then, if you put that US$4.2 billion together with the IC3 loss number for 2021 (US$6.9 billion) you're looking at an attention-grabbing annual impact for reported Internet crime of more than US$11 billion; hopefully, enough attention to get more public resources channeled into Internet crime prevention and victim support.</div><div><br /></div><div><b>Notes:</b></div><div><div><ul style="text-align: left;"><li>A detailed look at the impact of fraud in general, 24-page PDF <a href="https://www.routledge.com/rsc/downloads/9781138931206_-_chapter_4.pdf" target="_blank">of a chapter from the book</a> <i>Cyber Frauds, Scams and Their Victims</i> by Cassandra Cross and Mark Button, 2017.<br /></li><li>The <a href="https://fightcybercrime.org/" target="_blank">Fight Cybercrime</a> website which has a lot of helpful info for victims of online fraud, in 12 languages!</li><li>The source for the statistic that "older [scam] victims are 2.4 times more likely to die or go into a care home than those who are not scammed" — <a href="https://www.ageuk.org.uk/globalassets/age-uk/documents/reports-and-publications/reports-and-briefings/safe-at-home/age_uk_briefing_fraud_and_scams_sept_2016.pdf" target="_blank">PDF of Age UK report</a>, 2016.</li></ul></div><div class="separator" style="clear: both; text-align: center;"><br /></div></div></div></div>Stephen 
Cobbhttp://www.blogger.com/profile/04204736531276318817noreply@blogger.com0tag:blogger.com,1999:blog-13370348.post-40544038209873283342021-04-29T11:18:00.948+00:002021-10-28T12:44:10.180+00:00From cyber-crime metrics to cyber-harm stories: shifting cybersecurity perspectives and cybercrime strategies<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZxQMABLp0kNnUqHdr1XDn-cyhps90KQzNznglB5La2lQpxGFQAcD49gbjbojaL6PUlliSYHAKYP6_vKi34MYeDS4mUMVmTN67-PluI1O9eJtM_I01t4uP1GqDd8i_tHA9RrEOeg/s1948/walmart-scam.png" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" data-original-height="1512" data-original-width="1948" height="267" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZxQMABLp0kNnUqHdr1XDn-cyhps90KQzNznglB5La2lQpxGFQAcD49gbjbojaL6PUlliSYHAKYP6_vKi34MYeDS4mUMVmTN67-PluI1O9eJtM_I01t4uP1GqDd8i_tHA9RrEOeg/w344-h267/walmart-scam.png" width="344" /></a></div>Is measuring the amount of cybercrime important? I have argued that it is, and for several different reasons which I have presented in many places; for example, in this article: <a href="https://jnslp.com/2020/02/13/advancing-accurate-objective-cybercrime-metrics/" target="_blank">Advancing Accurate and Objective Cybercrime Metrics</a> in the <i>Journal of National Security Law & Policy</i>. <div><br /></div><div>For me, the most pressing reason to pursue accurate and objective cybercrime metrics is the potential of those numbers to persuade governments and world leaders to do more to counter cybercrime (as in: detect, deter, disrupt, prosecute and sanction perpetrators). 
The persuasion goes like this: </div><div><ol style="text-align: left;"><li>Here's how big the cybercrime problem is.</li><li>Here's how fast it is growing despite current efforts to solve/reduce it.</li><li>Can you see how bad things will get if you don't do more to solve/reduce it?</li></ol></div><div>A similar persuasion strategy has long existed in the cybersecurity industry as part of its efforts to make technology safer (while selling more security products and services—a reality that has undermined the value of industry metrics in policy debates). </div><div><br /></div><div>The efficacy of this strategy—"look at these numbers, that's how bad the cyberbadness is, it's time you did more to protect us/you"—has been disappointing to say the least, given the rate at which the cybercrime problem keeps growing. </div><div><br /></div><div>Back in 2014, I decided to research this lack of efficacy, exploring risk perception as it relates to crime and technology. I delved into <a href="https://en.wikipedia.org/wiki/Cultural_theory_of_risk" target="_blank">cultural theory of risk</a>, <a href="https://www.culturalcognition.net/" target="_blank">cultural cognition</a>, white male effect, identity protective cognition, and the science of science communication. One thing I learned was that some people are unmoved by statistics and data. </div><div><br /></div><div>Relying on stats+facts to convince everyone that there is an urgent problem, one which merits attention and action, is a mistake. For whatever reason, some folk are relatively immune to stats+facts; however, they may be moved by stories.</div><div><br /></div><div>Ironically, this was a phenomenon that I had already experienced in my early days of promoting security solutions. For some audiences there was nothing more effective than a case study, a story of how some person or organization had become a victim, or how someone had avoided becoming a victim. 
Even before then, when I was writing my first computer security book, I had made sure that I included stories from which people could learn the value of security policies and practices (<i>The Stephen Cobb Handbook of PC and LAN Security</i>, 1991). </div><div><br /></div><div>The problem you run into when you try to use victim stories to pitch security is that, historically, very few people have been willing to share their stories. This may be due to embarrassment or, ironically, for operational reasons. (As a <a href="https://en.wikipedia.org/wiki/Certified_Information_Systems_Security_Professional" target="_blank">CISSP</a>, I would advise organizations not to share the helpful story of "how Acme firewall is keeping us safe," or the helpful tale of "how our network was penetrated despite Acme firewall.")</div><div><br /></div><div>All of which leads to some helpful coincidences. If you investigate the amount of harm caused by cybercrime, rather than just count the number of cybercrimes committed, you get more than just persuasive data, you get moving stories. 
</div><div><br /></div><div>Furthermore, you get a fresh perspective on the problem of cybercrime and the challenge of getting more people to take it more seriously, at four different levels:</div><div><ol style="text-align: left;"><li>Personal: understand how I, or my organization, could be victimized and the steps I can take to minimize the risk of that happening.</li><li>Political: grasp the level of pain and suffering caused by digitally enabled or enhanced crimes, and calculate their impact on society, down to the medical and social care burdens that victimization generated.</li><li>Strategic: use this perspective to argue that funding for medical and social care should include cyber-harm reduction initiatives because <i>fewer people scammed</i> = <i>smaller care burden.</i></li><li>Professional: pursue both qualitative and quantitative research into the harms caused by rampant cyberbadness, from criminal successes to cybersecurity fails.</li></ol></div><div>Moving forward, I want to explore all four levels and share what I find. The process took a step forward this week when I talked myself into delivering a training session about scam avoidance to a community support group. I've done this in the past, but in America. This session will be delivered to a UK audience, specifically people who support carers. </div><h2 style="text-align: left;">The Carer Factor</h2><div>Since we moved back to the UK in 2019, we have found that the importance of social care and the work of unpaid <i>carers</i> is widely recognized. These carers—who tend to be known as <i>caregivers</i> in America—are people who have become part-time or full-time unpaid carers for relatives and friends. (As you can imagine, part of that care work may include technical support, and that may include several aspects of cybersecurity.)</div><div><br /></div><div>Local governments and charities in the UK make a concerted effort to support unpaid carers, both practically and emotionally. 
Let me give you an example: thanks to a charity called Carers Trust, I am formally registered as the designated carer for my partner Chey, and for my mother. That means, among other things, that if I get hit by a bus and first responders check my wallet, they will find a card that says I care for these two people plus a number to call if I am incapacitated. </div><div><br /></div><div>That call triggers several services. Carers Trust will step in to provide care to my <i>carees</i> if I cannot be there for them. The organization already has a comprehensive file on the needs of my carees, their circumstances, and so on. Furthermore, if the bus misses me, but I feel like I could really use a break from caring, the carers' support group can cover for me.</div><div><br /></div><div>I'm sure you can imagine what a huge weight this care group has lifted from my shoulders, and how much peace of mind it has provided to my carees, now they know that there is backup help available. On a less dramatic, but still very important level, the care group provides me with a place to meet with other carers, and I find this helpful, both psychologically and practically.</div><div><br /></div><div>My involvement with the care community has led me to consider fresh lines of inquiry into the reduction of cybercrime and technology abuse. Indeed, I can see this care group, and the many others like it around the country, becoming a valuable resource in the quest to reduce the harms caused by scammers and fraudsters.</div><div><br /></div><div>If you check back here in the latter part of May there should be a link to the training session content. (Like all of my content these days, it is free and suitable for sharing.) 
In the meantime, here are some links that might be of interest:</div><div><ul style="text-align: left;"><li>A detailed look at the impact of fraud in general, 24-page PDF <a href="https://www.routledge.com/rsc/downloads/9781138931206_-_chapter_4.pdf" target="_blank">of a chapter from the book</a> <i>Cyber Frauds, Scams and Their Victims</i> by Cassandra Cross and Mark Button, 2017.<br /></li><li>The <a href="https://fightcybercrime.org/" target="_blank">Fight Cybercrime</a> website which has a lot of helpful info for victims of online fraud, in 12 languages!</li><li>The source for the statistic that "older [scam] victims are 2.4 times more likely to die or go into a care home than those who are not scammed" — <a href="https://www.ageuk.org.uk/globalassets/age-uk/documents/reports-and-publications/reports-and-briefings/safe-at-home/age_uk_briefing_fraud_and_scams_sept_2016.pdf" target="_blank">PDF of Age UK report</a>, 2016.</li><li>The website of <a href="https://carers.org/" target="_blank">Carers Trust</a> in the UK: "a major charity for, with and about carers".</li></ul></div><div><b><br /></b></div><div><b>Note:</b> If you found this page interesting or helpful or both, please consider clicking the button below to <a href="https://buymeacoffee.com/stephencobb" target="_blank">buy me a coffee</a> and support a good cause while fueling more independent research and ad-free content like this. Thanks!</div><div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://buymeacoffee.com/stephencobb" style="color: #8832ff; margin-left: 1em; margin-right: 1em;" target="_blank"><img alt="Button says Buy Me a Coffee, in case you feel like supporting more writing like this." 
border="0" data-original-height="37" data-original-width="170" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtKtep2KiB5toSvIKnfvA-9bynX1QkrtG_R4M8QFpETAA08co8_C7iJuhL15BPr6rTEYrARx22FeIQGnnrGgjVwoa6wHPcYmB3kBZvgNIim9LzhWH0GUAL5pjVgEi_QitCaBCy5w/s16000/bmc-button.png" style="border: none; position: relative;" /></a></div></div><div class="separator" style="clear: both; text-align: center;"><br /><br /></div><br />Stephen Cobbhttp://www.blogger.com/profile/04204736531276318817noreply@blogger.com0tag:blogger.com,1999:blog-13370348.post-60181316200090336932021-03-18T12:24:00.005+00:002021-05-06T14:54:06.178+00:00As predicted, Internet crime surged in 2020, losses up 20% based on FBI and IC3 reports: analysis and opinion<p>Losses to individual and business victims of internet crime in 2020 exceeded $4 billion according to the recently published <a href="https://www.fbi.gov/news/pressrel/press-releases/fbi-releases-the-internet-crime-complaint-center-2020-internet-crime-report-including-covid-19-scam-statistics" target="_blank">2020 Internet Crimes Report</a> from the FBI and IC3; this represents a 20% increase over losses reported in 2019. 
The number of complaints also rose dramatically, up nearly 70%.</p><p></p><table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: right;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5iU50ZIqb8a-l9ZHK0KNI7DoVBst928fx7yaUuXklZOPH6uhIhACm0snXD1j1a0YCgdCgquFIIoZD10iWC4NxtNdmtXHRksuYVEMzU0H3FfrXYSAO8pis5XzC-fFn0-8wk02bXQ/s1340/ic3-fbi-internet-crime-chart-to-2020.png" style="clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" data-original-height="1340" data-original-width="1300" height="390" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5iU50ZIqb8a-l9ZHK0KNI7DoVBst928fx7yaUuXklZOPH6uhIhACm0snXD1j1a0YCgdCgquFIIoZD10iWC4NxtNdmtXHRksuYVEMzU0H3FfrXYSAO8pis5XzC-fFn0-8wk02bXQ/w378-h390/ic3-fbi-internet-crime-chart-to-2020.png" width="378" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;"><span style="font-size: x-small;">IC3/FBI internet crime data graphed by S. Cobb</span></td></tr></tbody></table>Throughout 2020, criminologists and cybersecurity experts had expressed growing fears that 2020 would be a big year for internet crime, particularly as it became clear that many criminals were prepared to ruthlessly exploit the COVID-19 pandemic for their own selfish ends.<p></p><p>When the 2019 Internet Crimes Report was published in February of 2020 it documented "$3.5 billion in losses to individual and business victims."</p><p>What I said back then, about the loss number that I expected to see in the 2020 report, was this: "I certainly wouldn't bet against it blowing through $4 billion"</p><p>(Here's <a href="https://scobbs.blogspot.com/2020/02/crime-metrics-matter-two-charts-of-mess.html">a link to the article where I said that</a>). </p><p>Quite frankly, I'm not the least bit happy that I was right. 
Just as I take no pleasure in having been right for each of the last 20 years, when my annual response to "what does the year ahead look like for cybersecurity?" has been to say, with depressingly consistent accuracy: it's going to get worse before it gets better. As I see it, a 20% annual increase in losses to internet crime, despite record levels of spending on cybersecurity, is a clear indicator that current strategies for securing our digital world against criminal activity are not working.</p><h2>A shred of hope?</h2><p>However, like many cybersecurity professionals, I have always had an optimistic streak, a vein of hope compressed deep beneath the bedrock of my experience. (Periodically, we have to mine this hope to counter the urge to throw up our hands and declare: "We're screwed! Let's just go make music.")</p><p>So let me offer a small shred of hope. </p><p>I am honor bound to point out that cybercrime's impact last year may not have been as bad as I had come to expect. Yes, at the start of 2020 I predicted that cybercrime would maintain its steep upward trajectory. I said the IC3/FBI loss number for 2020 would pass $4 billion and it did. But then "<a href="https://www.linkedin.com/pulse/covid-effect-means-we-can-longer-ignore-malware-factor-stephen-cobb/" target="_blank">the Covid effect</a>" kicked in, generating scores of headlines about criminal exploitation of the pandemic in both cyberspace and meatspace. And behind each of those headlines were thousands of victims experiencing a range of distressing psychological impacts and economic loss.</p><p>By the end of 2020 I was predicting that the IC3/FBI number could be as high as $4.7 billion (see my December, 2020, article: <a href="https://scobbs.blogspot.com/2020/12/cybersecurity-outlook-2021.html">Cybersecurity had a rough 2020</a>). In that context, the reported 2020 number of $4.2 billion was "better than expected." 
Indeed, the year-on-year increase from 2019 to 2020 of 20% was not as bad as the 2018-2019 increase of 29%. </p><p>However, when I look at the graph at the top of this article I'm not yet ready to say things are improving. And I'm very aware that every one of the 791,790 complaints of suspected internet crime that the IC3 catalogued in 2020—an increase of more than 300,000 from 2019—signifies a distressing incident that negatively impacted the victim, and often their family and friends as well.</p><p>In 2020, the pandemic proved to be a very criminogenic phenomenon. I'm pretty sure it also generated greater public awareness of statistical terms like growth curves, rolling averages, trend lines, dips, and plateaus. Right now I see no reason to think cybercrime will dip or even plateau in 2021. But let's hope I'm wrong and in the months and years to come there is a turnaround in the struggle to reduce the abuse of digital technologies, hopefully before my vein of optimism is all mined out.</p>Disclaimer: I acknowledge that there are issues with using the IC3 numbers as crime metrics. For a start, they are not collected as an exercise in crime metrics, but rather as part of one avenue of attack against the crimes they represent, an issue I addressed in this <a href="https://jnslp.com/2020/02/13/advancing-accurate-objective-cybercrime-metrics/" target="_blank">law journal article</a>. 
However, I have studied each IC3 annual report and am satisfied that collectively they reflect real world trends in cybercrime's impact on victims, as measured by direct monetary loss (the psychological impact of internet crime creates other costs, to victims and society, but so far we have done a woefully poor job of measuring those).<div><br /></div><div>As soon as I get a chance I will dig deeper into the 2020 IC3/FBI report and report back; I'm particularly interested in trends impacting the "60 and over" demographic which <a href="https://twitter.com/chey_cobb" target="_blank">@Chey_Cobb</a> and I highlighted in the <a href="https://technologyandsociety.org/smarter-homes-for-the-elderly-a-reality-check/" target="_blank">IEEE piece we wrote about age tech after last year's report</a>. </div><p><b>Note:</b></p><p>If you found this page interesting or helpful or both, please consider clicking the button below to <a href="https://buymeacoffee.com/stephencobb" target="_blank">buy me a coffee</a> and support a good cause, while fueling more independent research and ad-free content like this. Thanks!</p><div><div class="separator" style="clear: both; text-align: center;"><a href="https://buymeacoffee.com/stephencobb" style="margin-left: 1em; margin-right: 1em;" target="_blank"><img alt="Button says Buy Me a Coffee, in case you feel like supporting more writing like this." 
border="0" data-original-height="37" data-original-width="170" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtKtep2KiB5toSvIKnfvA-9bynX1QkrtG_R4M8QFpETAA08co8_C7iJuhL15BPr6rTEYrARx22FeIQGnnrGgjVwoa6wHPcYmB3kBZvgNIim9LzhWH0GUAL5pjVgEi_QitCaBCy5w/s16000/bmc-button.png" /></a></div></div>Stephen Cobbhttp://www.blogger.com/profile/04204736531276318817noreply@blogger.com0tag:blogger.com,1999:blog-13370348.post-30138685061779546972021-03-05T17:16:00.008+00:002021-05-06T14:54:26.724+00:00Secu-ring video doorbells and other 'smart' security cameras: some helpful links<p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj61h-L0NorL9JpQ-4lqnmxamyeutRHEhugcSRXDE5VLKFlGjjToTTvI7gbeg5sSx4ZFNz1l_7yG6km91-m8kVvWnJzsfR1SrfwtlGiiAruA4Smcht10KKeaof7PXmtTuv947Jg1g/s800/doorbell-image.jpg" style="margin-left: 1em; margin-right: 1em;"><img alt="Photo of a doorbell by Yan Ots. Available freely on @unsplash." border="0" data-original-height="500" data-original-width="800" height="375" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj61h-L0NorL9JpQ-4lqnmxamyeutRHEhugcSRXDE5VLKFlGjjToTTvI7gbeg5sSx4ZFNz1l_7yG6km91-m8kVvWnJzsfR1SrfwtlGiiAruA4Smcht10KKeaof7PXmtTuv947Jg1g/w600-h375/doorbell-image.jpg" width="600" /></a></div><br />Are you thinking of installing a video doorbell or smart security camera? Are you concerned about the security of the one you have already installed? 
These links should help: <p></p><p>How to secure your Ring camera and account<br /><a href="https://www.theverge.com/2019/12/19/21030147/how-to-secure-ring-camera-account-amazon-set-up-2fa-password-strength-hack">https://www.theverge.com/2019/12/19/21030147/how-to-secure-ring-camera-account-amazon-set-up-2fa-password-strength-hack</a></p><p>Ring security camera settings<br /><a href="https://www.wired.co.uk/article/ring-security-camera-settings">https://www.wired.co.uk/article/ring-security-camera-settings</a></p><p>Video doorbell security: How to stop your smart doorbell from being hacked<br /><a href="https://www.which.co.uk/reviews/smart-video-doorbells/article/video-doorbell-security-how-to-stop-your-smart-doorbell-from-being-hacked-aCklb4Y4rZnw">https://www.which.co.uk/reviews/smart-video-doorbells/article/video-doorbell-security-how-to-stop-your-smart-doorbell-from-being-hacked-aCklb4Y4rZnw</a></p><p>How the WYZE camera can be hacked<br /><a href="https://learncctv.com/can-the-wyze-camera-be-hacked/">https://learncctv.com/can-the-wyze-camera-be-hacked/</a></p><p>How to secure your WYZE security camera account<br /><a href="https://www.cnet.com/how-to/wyze-camera-data-leak-how-to-secure-your-account-right-now/">https://www.cnet.com/how-to/wyze-camera-data-leak-how-to-secure-your-account-right-now/</a></p><p>How to protect 'smart' security cameras and baby monitors from cyber attack<br /><a href="https://www.ncsc.gov.uk/guidance/smart-security-cameras-using-them-safely-in-your-home">https://www.ncsc.gov.uk/guidance/smart-security-cameras-using-them-safely-in-your-home</a></p><p>Yes, your security camera could be hacked: Here's how to stop spying eyes<br /><a href="https://www.cnet.com/how-to/yes-your-security-camera-could-be-hacked-heres-how-to-stop-spying-eyes/">https://www.cnet.com/how-to/yes-your-security-camera-could-be-hacked-heres-how-to-stop-spying-eyes/</a></p><p>On a related topic, and as a way to understand how hackers look for vulnerabilities in 
digital devices, check out this article at Hackaday: <a href="https://hackaday.com/2019/03/28/reverse-engineering-a-modern-ip-camera/">https://hackaday.com/2019/03/28/reverse-engineering-a-modern-ip-camera/</a>. It links to a cool, four-part reverse engineering exercise by Alex Oporto: <a href="https://dalpix.com/reverse-engineering-ip-camera-part-1">https://dalpix.com/reverse-engineering-ip-camera-part-1</a></p><p><b>Note:</b></p><p>If you found this page interesting or helpful or both, please consider clicking the button below to <a href="https://buymeacoffee.com/stephencobb" target="_blank">buy me a coffee</a> and support a good cause, while fueling more independent research and ad-free content like this. Thanks!</p><div><div class="separator" style="clear: both; text-align: center;"><a href="https://buymeacoffee.com/stephencobb" style="margin-left: 1em; margin-right: 1em;" target="_blank"><img alt="Button says Buy Me a Coffee, in case you feel like supporting more writing like this." border="0" data-original-height="37" data-original-width="170" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtKtep2KiB5toSvIKnfvA-9bynX1QkrtG_R4M8QFpETAA08co8_C7iJuhL15BPr6rTEYrARx22FeIQGnnrGgjVwoa6wHPcYmB3kBZvgNIim9LzhWH0GUAL5pjVgEi_QitCaBCy5w/s16000/bmc-button.png" /></a></div></div>Stephen Cobbhttp://www.blogger.com/profile/04204736531276318817noreply@blogger.com0tag:blogger.com,1999:blog-13370348.post-66525368849669570952021-01-28T14:11:00.018+00:002021-05-06T14:54:54.565+00:00Data Privacy Day 2021: Selected data privacy reading and viewing, past and present<p>For this Data Privacy Day—January 28, 2021—I have put together an assortment of items, suggested resources and observations that might prove helpful. </p><p><b>The first item</b> is time-sensitive: a live streamed virtual privacy day event: <a href="https://staysafeonline.org/event/data-privacy-day-2021/" target="_blank">Data Privacy in an Era of Global Change</a>. 
The event begins at Noon, New York time, 5PM London time, and features a wide range of excellent speakers. This is the latest iteration of an annual event organized by the National Cyber Security Alliance that goes back at least seven years, each one live streamed.</p><p>The 2014 event included me on a panel at Pew Research in D.C., along with Omer Tene of the International Association of Privacy Professionals (IAPP), plus John Gevertz, Global Chief Privacy Officer of ADP, and Erin Egan, CPO of Facebook (which arranged the live streaming). </p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGGG4fudsQRo1Ij-3fLN4HDuGX0Qjrust2GBfSFK23cfVhXA7x-akgxv8Zm9JPwv-MCMTl1uMDVw4i4MDj-u4XGtYjmaks1BI3GY7T4HYdsuv7Ko5WyGnkC9qj39ZvdZUW4iJHwg/s1258/frankie.jpg" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" data-original-height="742" data-original-width="1258" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGGG4fudsQRo1Ij-3fLN4HDuGX0Qjrust2GBfSFK23cfVhXA7x-akgxv8Zm9JPwv-MCMTl1uMDVw4i4MDj-u4XGtYjmaks1BI3GY7T4HYdsuv7Ko5WyGnkC9qj39ZvdZUW4iJHwg/s320/frankie.jpg" width="320" /></a></div>In 2015, I was on another Data Privacy Day panel, this one focused on medical data and health privacy. It featured Peter Swire, who was heavily involved in the creation of HIPAA. By request, I told the story of Frankie and Jamie, "A Tale of Medical Fraud" that involved identity theft with serious data privacy implications.<p></p><p>Also on the panel were: Anne Adams, Chief Compliance & Privacy Officer for Emory Healthcare; Pam Dixon Executive Director of the World Privacy Forum, and Hilary M. 
Wandall, CPO of Merck—the person to whom I was listening very carefully in this still from the recorded video on Vimeo (which is <a href="https://livestream.com/ncsa/dataprivacyday/videos/75266007" target="_blank">still online but</a> I could not get it to play):</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6AilzwrU_f1lkRU0LtRj7jPj8KYdBaqfmhgCuqLphTelyPpy2EUf6Hv9cDYImsOXvjl6rKizf7XVoBlzg-oBr9X5flw10xXDVaDLvrJWaszRRrSG0xCO-vY1FtOI6mNYxzngoZA/s848/privacy-atlanta-2015.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="380" data-original-width="848" height="266" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6AilzwrU_f1lkRU0LtRj7jPj8KYdBaqfmhgCuqLphTelyPpy2EUf6Hv9cDYImsOXvjl6rKizf7XVoBlzg-oBr9X5flw10xXDVaDLvrJWaszRRrSG0xCO-vY1FtOI6mNYxzngoZA/w593-h266/privacy-atlanta-2015.jpg" width="593" /></a></div><p><b>The second item</b> is <i>The Circle</i>, both the 2013 novel by Dave Eggers—my fairly lengthy <a href="https://www.welivesecurity.com/2017/05/05/surveillance-cybersecurity-future-of-privacy-the-circle/" target="_blank">review of which appears here</a>—and the <a href="https://www.imdb.com/title/tt4287320/" target="_blank">2017 movie starring Emily Watson and Tom Hanks</a>, the trailer for which should be playable below.</p><div class="separator" style="clear: both; text-align: center;"><iframe allowfullscreen="" class="BLOG_video_class" height="320" src="https://www.youtube.com/embed/QCOXARv6J9k" width="600" youtube-src-id="QCOXARv6J9k"></iframe></div><div><br /></div><div>While many critics didn't like the film (Metascore is only 43), the content was close enough to the book for me to enjoy it (bearing in mind that I'm someone who's "into" data privacy). Also, the film managed to convey some of the privacy nuances central to Eggers' prescient novel. 
Consider the affirmation often used by the social media company at the heart of the story: "Sharing is caring." This is used to guilt trip users into sharing more and more of their lives with more and more people, because some of those people derive emotional and psychological support from that sharing. </div><div><br /></div><div>Depending on where in the world you live, you may be able to catch <i>The Circle</i> on either Amazon Prime or Netflix (although the latter has—ironically, and possibly intentionally so—a reality TV series of the same name, the premise of which is about as depressing as it gets: ""Big Brother" meets "Catfish" on this reality series on which not everything is as it seems").</div><div><br /></div><div>Note, if you are working in any sort of "need to raise awareness and/or spark discussions of privacy issues" role then films can be very helpful. Back around 2005 or so, Chey organized a week-long "Privacy Film Festival" at Microsoft's headquarters. Four movies were screened at lunchtime on consecutive weekdays and then a Friday panel session brought in some privacy and security heavyweights (including both Don Parker and Ari Schwartz as I recall—movies included <a href="https://www.imdb.com/title/tt0120660/" target="_blank">Enemy of the State</a> and <a href="https://www.imdb.com/title/tt0181689/" target="_blank">Minority Report</a>). The overall feedback on the whole endeavor was very positive.</div><div><br /></div><div><b>Item number three:</b> the privacy meter. This also relates to the "need to raise awareness and/or spark discussions of privacy issues." 
I started using it in 2002 when talking to companies about what at that time was, for many of them, an emerging issue/concern/requirement.</div><div> </div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4Z2RuCqZ3XJp3JQPfj4htxQu1WvzsyijIKxJFeg9mg-YAdfU9WeDnUU8yM147DJ6Q2-iqa7Bu288b9p_mJiuu4Qp2SXFH3rGXZFdc_c_yQWuyJLw7zLvi08sU-m5QmSzIEKqCrA/s1080/the-privacy-meter.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="800" data-original-width="1080" height="374" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4Z2RuCqZ3XJp3JQPfj4htxQu1WvzsyijIKxJFeg9mg-YAdfU9WeDnUU8yM147DJ6Q2-iqa7Bu288b9p_mJiuu4Qp2SXFH3rGXZFdc_c_yQWuyJLw7zLvi08sU-m5QmSzIEKqCrA/w505-h374/the-privacy-meter.jpg" width="505" /></a></div>The idea was to provide a starting point for reflection and conversation. The goal was to help everyone from management to employees to see that there were many different attitudes to personal privacy within the organization. What I did not convey back then—at least not as much as I probably should have—was the extent to which privilege and economic status can influence these attitudes. See the next item for more on that.<div><br /></div><div><b>Item number four</b> is a privacy reading list, shamelessly headed by my 2016 <a href="https://www.welivesecurity.com/2016/04/26/data-privacy-data-protection-us-law-legislation-white-paper/" target="_blank">white paper on data privacy law</a>. While the paper does not cover developments in data privacy law in the last few years, several people have told me that the historical background it provides is very helpful, particularly when it comes to understanding why Data Privacy Day in America is Data Protection Day in many other countries. 
And, it does contain about 80 references, including links to all major US privacy legislation up to 2016.</div><p>Moving from privacy laws to privacy realities, like the intersection of privacy, poverty, and privilege, here are a number of thought-provoking articles you might want to read: </p><p></p><ul><li><a href="https://webdevlaw.uk/2020/07/03/check-your-privacy-privilege/" target="_blank">Check your privacy privilege</a>, by Heather Burns, 2020</li><li><a href="https://virginia-eubanks.com/books/" target="_blank">Automating Inequality: How High-Tech Tools Profile, Police, and Punish the Poor</a>, Virginia Eubanks, 2018 ("systematically investigates the impacts of data mining, policy algorithms, and predictive risk models on poor and working-class people in America").</li><li><a href="https://thenewinquiry.com/privacy-for-whom/" target="_blank">Privacy for Whom?</a> Sam Adler-Bell, the New Inquiry, 2018</li><li><a href="https://www.bloomberg.com/news/articles/2017-07-24/why-poor-women-don-t-have-the-right-to-privacy" target="_blank">Why Some Women Don't Actually Have Privacy Rights</a>, Tanvi Misra, Bloomberg, 2017</li><li><a href="https://www.sup.org/books/title/?id=25115" target="_blank">The Poverty of Privacy Rights</a>, Khiara M. Bridges, 2016 </li><li><a href="https://scholarship.law.bu.edu/cgi/viewcontent.cgi?article=1635&context=faculty_scholarship" target="_blank">A Poor Mother's Right to Privacy: A Review</a>, Danielle K. Citron, 2018</li></ul><p>Finally, getting back to a point raised earlier in this post, one that comes up every Data Privacy Day, here is my 2018 article "<a href="https://www.welivesecurity.com/2018/01/25/data-privacy-vs-data-protection-gdpr/" target="_blank">Data Privacy vs. Data Protection: Reflecting on Privacy Day and GDPR</a>."</p><p>P.S. If you're on Twitter you might enjoy what I've been tweeting about <a href="https://twitter.com/search?q=%23DataPrivacyDay%20(from%3Azcobb)&src=typed_query">#DataPrivacyDay</a>. 
</p><p><b>Note:</b></p><p>If you found this page interesting or helpful or both, please consider clicking the button below to <a href="https://buymeacoffee.com/stephencobb" target="_blank">buy me a coffee</a> and support a good cause, while fueling more independent research and ad-free content like this. Thanks!</p><div><div class="separator" style="clear: both; text-align: center;"><a href="https://buymeacoffee.com/stephencobb" style="margin-left: 1em; margin-right: 1em;" target="_blank"><img alt="Button says Buy Me a Coffee, in case you feel like supporting more writing like this." border="0" data-original-height="37" data-original-width="170" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtKtep2KiB5toSvIKnfvA-9bynX1QkrtG_R4M8QFpETAA08co8_C7iJuhL15BPr6rTEYrARx22FeIQGnnrGgjVwoa6wHPcYmB3kBZvgNIim9LzhWH0GUAL5pjVgEi_QitCaBCy5w/s16000/bmc-button.png" /></a></div></div>Stephen Cobbhttp://www.blogger.com/profile/04204736531276318817noreply@blogger.com0tag:blogger.com,1999:blog-13370348.post-74841199872547304882021-01-05T11:55:00.187+00:002023-02-23T12:17:50.857+00:00AI's most troubling problem? It's made of chips and code<p>If we define "AI problem" as an obstacle to maximizing the benefits of Artificial Intelligence, it is clear that there are a number of these, ranging from the technical and practical to the ethical and cultural. As we say goodbye to 2020, I think that we may look back on it, in a few years' time, as the year in which some of the most serious AI problems emerged into the mainstream of public discourse. 
However, there is one very troubling gap in this growing awareness of AI problems, a seldom discussed problem that I present below.</p><p></p><div style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAdxCCH0YXuAkyZ_b0NbR_YLsP_lrlEfc5CU22p4vrIZBgOXiYs2TGtINS4gZQIyTVqk9oPUwY19NbJ_9O_3YhwxsWwyMFIrtLumX0lHnoEItEecXZg9go3RN-El-LbyTA_SXw0g/s1860/computer-unsplash-twidested.jpg"><img alt="Image of computer servers, visually distorted" border="0" data-original-height="1040" data-original-width="1860" height="330" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAdxCCH0YXuAkyZ_b0NbR_YLsP_lrlEfc5CU22p4vrIZBgOXiYs2TGtINS4gZQIyTVqk9oPUwY19NbJ_9O_3YhwxsWwyMFIrtLumX0lHnoEItEecXZg9go3RN-El-LbyTA_SXw0g/w590-h330/computer-unsplash-twidested.jpg" width="590" /></a></div><br /><h2 style="text-align: left;">Growing Doubts About AI?</h2><p></p><p>As one data science publication put it, 2020 was: "marked by ethical issues of AI going mainstream, including, but not limited to, gender/race bias, police and military use, face recognition, surveillance, and deep fakes." — <a href="https://towardsdatascience.com/the-state-of-ai-in-2020-f0d38740e749" target="_blank">The State of AI in 2020</a>.</p><p>One of the most widely discussed indicators of problems in AI in 2020 was the “Timnit Gebru incident” (<a href="https://medium.com/r/?url=https%3A%2F%2Fwww.theguardian.com%2Ftechnology%2F2020%2Fdec%2F04%2Ftimnit-gebru-google-ai-fired-diversity-ethics" target="_blank">More than 1,200 Google workers condemn firing of AI scientist Timnit Gebru</a>). This seems to be a debacle of Google’s own making, but it surfaced issues of AI bias, AI accountability, erosion of privacy, and environmental impact. </p><p>As we enter 2021, bias seems to be the AI problem that is “enjoying” the widest awareness. A quick Google search for <i>ai bias</i> produces 139 million results, of which more than 300,000 appear as News. 
However, 2020 also brought growing concerns about attacks on the way AI systems work, and the ways in which AI can be used to commit harm, notably the "<a href="https://medium.com/r/?url=https%3A%2F%2Fwww.europol.europa.eu%2Fnewsroom%2Fnews%2Fnew-report-finds-criminals-leverage-ai-for-malicious-use-%25E2%2580%2593-and-it%25E2%2580%2599s-not-just-deep-fakes" target="_blank">Malicious Uses and Abuses of Artificial Intelligence</a>," produced by Trend Micro Research in conjunction with the United Nations Interregional Crime and Justice Research Institute (UNICRI) and Europol’s European Cybercrime Centre (EC3). </p><p>Thankfully, awareness of AI problems was much in evidence at the "<a href="https://www.tortoisemedia.com/thinkin/the-tortoise-global-ai-summit/" target="_blank">The Global AI Summit</a>," an online "think-in" that I attended last month. The event was organized by Tortoise Media and some frank discussion of AI problems occurred after the presentation of highlights from the heavily researched and data rich <a href="https://www.tortoisemedia.com/intelligence/global-ai/" target="_blank">Global AI Index</a>. Unfortunately, the AI problem that troubles me the most was not on the agenda (it was also absent from the Trend/UN report). </p><h2 style="text-align: left;">AI's Chip and Code Problem</h2><p>The stark reality, obscured by the hype around AI, is this: all implementations of AI are vulnerable to attacks on the hardware and software that run them. At the heart of every AI beats one or more CPUs running an operating system and applications. 
As someone who has spent decades studying and dealing with vulnerabilities in, and abuse of, chips and code, this is the AI problem that worries me the most:</p><p style="text-align: center;"><b><span style="color: #990000;">AI RUNS ON CHIPS AND CODE, BOTH OF WHICH ARE VULNERABLE TO ABUSE</span></b></p><p>In the last 10 years we have seen successful attacks on the hardware and software at the heart of mission critical information systems in hundreds of prestigious entities both commercial and governmental. The roll call of organizations and technologies that have proven vulnerable to abuse includes the CIA, NSA, DHS, NASA, Intel, Cisco, Microsoft, FireEye, Linux, SS7, and AWS. </p><p>Yet despite a constant litany of new chip and code vulnerabilities, and wave after wave of cybercrime and systemic intrusions by nation states—some of which go undetected for months, even years—a constantly growing chorus of AI pundits persists in heralding imminent human reliance on AI systems as though it was an unequivocally good thing. </p><p>Such "AI boosterism" keeps building, seemingly regardless of the large body of compelling evidence that supports this statement: no builder or operator of any computer system, including those that run AI, can guarantee that it will not be abused, misused, impaired, corrupted, or commandeered through unauthorized access or changes to its chips and code.</p><p>And <i>this</i> AI problem is even more serious when you consider it is the one about which meaningful awareness seems to be lowest. Frankly, I've been amazed at how infrequently this underlying vulnerability of AI is publicly mentioned, noted, or addressed, where publicly means: "discoverable by me using Google and asking around in AI circles."</p><p>Of course, AI enthusiasts are not alone in assuming that, by the time their favorite technology is fully deployed, it will be magically immune to the chip-and-code vulnerabilities inherent in computing systems. 
Fans of space exploration are prone to similar assumptions. (Here's a suggestion for any journalists reading this: the next time you interview Elon Musk, ask him what kind of malware protection will be in place when he rides the SpaceX Starship to Mars.)</p><p>Boosters of every new technology — pun intended— seem destined to assume that the near future holds easy fixes for whatever downsides skeptics of that technology point out. Mankind has a habit of saying "we can fix that" but not actually fixing it, from the air-poisoning pollution of fossil fuels to ocean-clogging plastic waste. (I bet Mr. Musk sees no insurmountable problems with adding thousands of satellites to the Earth's growing shroud of space clutter.) </p><p>I'm not sure if I'm the first person to say that the path to progress is paved with assumptions, but I'm pretty sure it's true. I would also observe that many new technologies arrive wearing a veil of assumptions. This is evident when people present AI as so virtuous and beneficent that it would be downright churlish and immodest of anyone to question the vulnerability of their enabling technology.</p><h2 style="text-align: left;">The Ethics of AI Boosterism</h2><p>One question I kept coming back to in 2020 was this: how does one avert the giddy rush to deploy AI systems for critical missions before they can be adequately protected from abuse? While I am prepared to engage in more detailed discussions about the validity of my concerns, I do worry that these will get bogged down in technicalities of which there is limited understanding among the general public.</p><p>However, as 2020 progressed and "the ethics of AI" began to enjoy long-overdue public attention, another way of breaking through the veil of assumptions obscuring AI's inherent technical vulnerability occurred to me. Why not question the ethics of "AI boosterism"? 
I mean, surely we can all agree that advocating development and adoption of AI without adequately disclosing its limitations raises ethical questions.</p><p>Consider this statement: as AI improves, doctors will be able to rely upon AI systems for faster diagnosis of more and more diseases. How ethical is it to say that, given what we know about how vulnerable AI systems will be if the hardware and software on which they run is not significantly more secure than what we have available today?</p><p>To be ethical, any pitches for AI backing and adoption should come with a qualifier, something like "provided that the current limitations of the enabling technology can be overcome." For example, I would argue that the earlier statement about medical use of AI would not be ethical unless it was worded something like this: as AI improves, and if the current limitations of the enabling technology can be overcome, doctors will be able to rely upon AI systems for faster diagnosis of more and more diseases.</p><p></p>Unlikely? Far-fetched? Never going to happen? I am optimistic that the correct answer is no. 
But I invite doubters to imagine for just a moment how much better things might have gone, how much better we might feel about digital technology today, if previous innovations had come with a clear up-front warning about their potential for abuse.<p></p><p></p><table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: right;"><tbody><tr><td style="text-align: center;"><a href="https://scobbs.blogspot.com/2020/09/a-brief-history-of-digital-technology.html" style="clear: right; margin-bottom: 1em; margin-left: 1em; margin-right: auto;"><img border="0" data-original-height="926" data-original-width="1125" height="326" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEif6TiRqfmp8Rs_UpsSP75uaY_mjGJkkImaepLf862F-1Zk82b6yiONisOcqwzBM2tkixqU1q37jWygwi9qpgjH2CN8AhqUa1yyu3K4HK4cUt67aU0ZWkdYVG3fxrx2d1Qndff_8A/w396-h326/40-tech-thing-square.jpg" title="40 digital technologies proving impossible to protect against abuse" width="396" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">40 digital technologies open to abuse</td></tr></tbody></table>A few months ago, to help us all think about this, I wrote "<a href="https://scobbs.blogspot.com/2020/09/a-brief-history-of-digital-technology.html">A Brief History of Digital Technology Abuse</a>." The article title refers to "40 chapters" but these are only chapter headings that match the 40 items in this word cloud. I invite you to check it out.<p></p><p>In a few weeks I will have some statistics to share about the general public's awareness of AI problems. I will be sure to provide a link here. 
(See: <a href="https://zcobb.medium.com/ai-problem-awareness-grew-in-2020-but-46-still-not-aware-at-all-of-problems-with-artificial-633b00d596e5">AI problem awareness grew in 2020, but 46% still “not aware at all” of problems with artificial intelligence</a>.)</p><p>In the meantime, I would love to hear from anyone about their work, or anyone else's, on the problem of defending systems that run AI against abuse. (Use the Comments or the contact form at the top of the page, or DM <a href="https://twitter.com/zcobb" target="_blank">@zcobb on Twitter</a>.) </p>
<p><b>Notes</b>: </p><p>If you found this article interesting or helpful or both, please consider clicking the button below to <a href="https://buymeacoffee.com/stephencobb" target="_blank">buy me a coffee</a> and support a good cause, while fueling more independent research and ad-free content like this. Thanks!</p><div><div class="separator" style="clear: both; text-align: center;"><a href="https://buymeacoffee.com/stephencobb" style="margin-left: 1em; margin-right: 1em;" target="_blank"><img alt="Button says Buy Me a Coffee, in case you feel like supporting more writing like this." border="0" data-original-height="37" data-original-width="170" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtKtep2KiB5toSvIKnfvA-9bynX1QkrtG_R4M8QFpETAA08co8_C7iJuhL15BPr6rTEYrARx22FeIQGnnrGgjVwoa6wHPcYmB3kBZvgNIim9LzhWH0GUAL5pjVgEi_QitCaBCy5w/s16000/bmc-button.png" /></a></div></div>Stephen Cobbhttp://www.blogger.com/profile/04204736531276318817noreply@blogger.com0tag:blogger.com,1999:blog-13370348.post-31148482755481550822020-12-31T17:00:00.175+00:002021-05-06T14:55:44.218+00:00Cybersecurity had a rough 2020, but 50 recent headlines suggest the outlook for 2021 could be even worse<p>Sadly, my annual outlook for cybersecurity has, for the past 20 years, been this: "things will get worse before they get better." </p><p>In this context, "the outlook for cybersecurity" is the expected performance of efforts to defend information systems from abuse, as measured by the amount of system abuse that occurs despite those efforts. 
</p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKHflc0JyHTBuxj-VgdP1O01bcpmU214-rkdIIvKItMm5oqWMDlBkxtuAl6-azYkbS_we0QqPRqDbVk9HusOENQlylm-mELVHQjm8zRjWwb0oM8WQYqadDCnptAOAERJ2kwGU4sQ/s910/ic3-2021c-predicted.jpg" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" data-original-height="882" data-original-width="910" height="392" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKHflc0JyHTBuxj-VgdP1O01bcpmU214-rkdIIvKItMm5oqWMDlBkxtuAl6-azYkbS_we0QqPRqDbVk9HusOENQlylm-mELVHQjm8zRjWwb0oM8WQYqadDCnptAOAERJ2kwGU4sQ/w405-h392/ic3-2021c-predicted.jpg" width="405" /></a></div>If you boil <i>cybersecurity outlook</i> down to a single question it is this: will criminal acts targeting digital systems and the data they process cause more harm next year than they did this year?<p></p><p></p><p>On the right you can see just one measure of such harm, a dollar figure for internet crime losses reported to IC3 and the FBI. The losses recorded in this metric hit $3.5B in 2019.*</p><p>I predict that for 2020, the IC3/FBI report will show around $4.7B in losses, barring significant changes to the report's methodology. I further predict that the number will reach $6B in 2021.</p><p>Of course, I could be wrong, and I sincerely hope that the losses turn out to be lower than my predictions. What I can promise is that I will post the 2020 number as soon as it is published (about 45 days from now, if the Biden-Harris administration sticks to the traditional schedule).</p><h2 style="text-align: left;">One way of looking at the problem</h2><p>Regardless of the IC3/FBI numbers for 2020, I think that criminal acts targeting digital systems and the data they process will cause more harm in 2021 than they did this year. 
And I say that despite 2020 being a quite unusual year, what with all that <a href="https://scobbs.blogspot.com/2020/04/the-malware-factor-biggest-problem-our.html">cybercrime which leveraged the pandemic</a>, and the presidential election in the US, plus the massive Russian SolarWinds breaches. </p><p>The rest of this blog post is just one way of documenting why my outlook is bleak (I am working on a longer article about the history of my "will get worse before it gets better" perspective). What you have here are 50 cybersecurity headlines that I noticed during the last 30 days of 2020. These are not ALL the cybercrime headlines from December, 2020. They are just a sample, plucked from one of the best cybersecurity "feeds" that I have found: <a href="https://nuzzel.com/InfoSecSherpa" target="_blank">InfoSecSherpa's Newsletter</a> (subscription strongly recommended).</p><p>This daily email newsletter is produced by <a href="https://twitter.com/InfoSecSherpa" target="_blank">@InfoSecSherpa</a> who pledges to provide: "a daily summary of 10 Information Security news items that aren't necessarily getting a lot of attention." So, here are 50 items I picked out to reflect the range of cyber-criminal activity currently taking place. I'm not saying that you should read them all. I think a quick scan will make my point: </p>
<p></p><ol style="text-align: left;"><li><a href="https://nuzzel.com/subscriptionstory/12292020/govinfosecurity/fresh_card_skimmer_attacks_multiple_ecommerce_platforms?e=4119532&c=zVk80INhESNDhyNUSqlkqPwZppDardpjLzmJd5qFjY&u=InfoSecSherpa&utm_campaign=newsletter_subscription&utm_medium=email&utm_source=nuzzel%22%20%5Ct%20%22_blank">Fresh Card Skimmer Attacks Multiple E-Commerce Platforms</a></li><li><a href="https://nuzzel.com/subscriptionstory/12302020/euroweeklynews/massive_cyber_attack_takes_down_major_german_newsgroup?e=4119532&c=zVk80INhESNDhyNUSqlkqPwZppDardpjLzmJd5qFjY&u=InfoSecSherpa&utm_campaign=newsletter_subscription&utm_medium=email&utm_source=nuzzel%22%20%5Ct%20%22_blank">Massive Cyber Attack Takes Down Major German Newsgroup</a></li><li><a href="https://nuzzel.com/subscriptionstory/12292020/portswigger/kawasaki_heavy_industries_reports_data_breach_as_attackers_found?e=4119532&c=zVk80INhESNDhyNUSqlkqPwZppDardpjLzmJd5qFjY&u=InfoSecSherpa&utm_campaign=newsletter_subscription&utm_medium=email&utm_source=nuzzel%22%20%5Ct%20%22_blank">Kawasaki Heavy Industries reports data breach as attackers found with year-long network access</a></li><li><a href="https://nuzzel.com/subscriptionstory/12292020/cruisehive/cruise_ships_forced_to_cancel_sailings_due_to_possible_cyberattack?e=4119532&c=zVk80INhESNDhyNUSqlkqPwZppDardpjLzmJd5qFjY&u=InfoSecSherpa&utm_campaign=newsletter_subscription&utm_medium=email&utm_source=nuzzel%22%20%5Ct%20%22_blank">Cruise Ships Forced to Cancel Sailings Due to Possible Cyberattack</a></li><li><a href="https://nuzzel.com/subscriptionstory/12282020/oodaloop/vietnam_targeted_in_complex_supply_chain_attack?e=4119532&c=zVk80INhESNDhyNUSqlkqPwZppDardpjLzmJd5qFjY&u=InfoSecSherpa&utm_campaign=newsletter_subscription&utm_medium=email&utm_source=nuzzel%22%20%5Ct%20%22_blank">Vietnam targeted in complex supply chain attack</a></li><li><a 
href="https://nuzzel.com/subscriptionstory/12282020/euronews/serious_attack_on_our_democracy_cyber_strike_hits_finnish_mps?e=4119532&c=zVk80INhESNDhyNUSqlkqPwZppDardpjLzmJd5qFjY&u=InfoSecSherpa&utm_campaign=newsletter_subscription&utm_medium=email&utm_source=nuzzel%22%20%5Ct%20%22_blank">Serious attack on our democracy': Cyber strike hits Finnish MPs</a></li><li><a href="https://nuzzel.com/subscriptionstory/12282020/hackread/revil_hackers_to_leak_photos_of_plastic_surgery_patients_after?e=4119532&c=zVk80INhESNDhyNUSqlkqPwZppDardpjLzmJd5qFjY&u=InfoSecSherpa&utm_campaign=newsletter_subscription&utm_medium=email&utm_source=nuzzel%22%20%5Ct%20%22_blank">REvil hackers to leak photos of plastic surgery patients after massive hack</a></li><li><a href="https://nuzzel.com/subscriptionstory/12272020/siliconangle/voip_hardware_and_software_maker_sangoma_struck_by_ransomware_attack?e=4119532&c=zVk80INhESNDhyNUSqlkqPwZppDardpjLzmJd5qFjY&u=InfoSecSherpa&utm_campaign=newsletter_subscription&utm_medium=email&utm_source=nuzzel%22%20%5Ct%20%22_blank">VOIP hardware and software maker Sangoma struck by ransomware attack</a></li><li><a href="https://nuzzel.com/subscriptionstory/12272020/pymnts/hackers_tapped_microsoft_resellers_to_gain_access?e=4119532&c=zVk80INhESNDhyNUSqlkqPwZppDardpjLzmJd5qFjY&u=InfoSecSherpa&utm_campaign=newsletter_subscription&utm_medium=email&utm_source=nuzzel%22%20%5Ct%20%22_blank">Hackers Tapped Microsoft Resellers To Gain Access</a></li><li><a href="https://nuzzel.com/subscriptionstory/12252020/japantimes.co/rakuten_exposes_148_million_sets_of_data_to_access_from_outside?e=4119532&c=zVk80INhESNDhyNUSqlkqPwZppDardpjLzmJd5qFjY&u=InfoSecSherpa&utm_campaign=newsletter_subscription&utm_medium=email&utm_source=nuzzel%22%20%5Ct%20%22_blank">Rakuten exposes 1.48 million sets of data to access from outside</a></li><li><a 
href="https://nuzzel.com/subscriptionstory/12252020/natlawreview/pension_plan_personal_data_breached_thirdparty_blamed?e=4119532&c=zVk80INhESNDhyNUSqlkqPwZppDardpjLzmJd5qFjY&u=InfoSecSherpa&utm_campaign=newsletter_subscription&utm_medium=email&utm_source=nuzzel%22%20%5Ct%20%22_blank">Pension Plan Personal Data Breached, Third-Party Blamed</a></li><li><a href="https://nuzzel.com/subscriptionstory/12242020/zdnet/russian_cryptoexchange_livecoin_hacked_after_it_lost_control_of_its?e=4119532&c=zVk80INhESNDhyNUSqlkqPwZppDardpjLzmJd5qFjY&u=InfoSecSherpa&utm_campaign=newsletter_subscription&utm_medium=email&utm_source=nuzzel%22%20%5Ct%20%22_blank">Russian crypto-exchange Livecoin hacked after it lost control of its servers</a></li><li><a href="https://nuzzel.com/subscriptionstory/12232020/businessinsurance/major_swedish_firms_suffer_prolonged_malware_attack?e=4119532&c=zVk80INhESNDhyNUSqlkqPwZppDardpjLzmJd5qFjY&u=InfoSecSherpa&utm_campaign=newsletter_subscription&utm_medium=email&utm_source=nuzzel%22%20%5Ct%20%22_blank">Major Swedish firms suffer prolonged malware attack</a></li><li><a href="https://nuzzel.com/subscriptionstory/12232020/threatpost/emotet_returns_to_hit_100k_mailboxes_per_day?e=4119532&c=zVk80INhESNDhyNUSqlkqPwZppDardpjLzmJd5qFjY&u=InfoSecSherpa&utm_campaign=newsletter_subscription&utm_medium=email&utm_source=nuzzel%22%20%5Ct%20%22_blank">Emotet Returns to Hit 100K Mailboxes Per Day</a></li><li><a href="https://nuzzel.com/subscriptionstory/12232020/npr/us_cyber_agency_solarwinds_attack_hitting_local_governments?e=4119532&c=zVk80INhESNDhyNUSqlkqPwZppDardpjLzmJd5qFjY&u=InfoSecSherpa&utm_campaign=newsletter_subscription&utm_medium=email&utm_source=nuzzel%22%20%5Ct%20%22_blank">U.S. 
Cyber Agency: SolarWinds Attack Hitting Local Governments</a></li><li><a href="https://nuzzel.com/subscriptionstory/12232020/scmagazine/credential_phishing_attack_impersonating_usps_targets_consumers_over?e=4119532&c=zVk80INhESNDhyNUSqlkqPwZppDardpjLzmJd5qFjY&u=InfoSecSherpa&utm_campaign=newsletter_subscription&utm_medium=email&utm_source=nuzzel%22%20%5Ct%20%22_blank">Credential phishing attack impersonating USPS targets consumers over the holidays</a></li><li><a href="https://nuzzel.com/subscriptionstory/12232020/thediplomat/japanese_companies_fall_victim_to_unprecedented_wave_of_cyber?e=4119532&c=zVk80INhESNDhyNUSqlkqPwZppDardpjLzmJd5qFjY&u=InfoSecSherpa&utm_campaign=newsletter_subscription&utm_medium=email&utm_source=nuzzel%22%20%5Ct%20%22_blank">Japanese Companies Fall Victim To Unprecedented Wave of Cyber Attacks</a></li><li><a href="https://nuzzel.com/subscriptionstory/12212020/courier-journal/louisville_pva_office_temporarily_closes_due_to_a_cyber_threat?e=4119532&c=zVk80INhESNDhyNUSqlkqPwZppDardpjLzmJd5qFjY&u=InfoSecSherpa&utm_campaign=newsletter_subscription&utm_medium=email&utm_source=nuzzel%22%20%5Ct%20%22_blank">Louisville PVA office temporarily closes due to a cyber threat</a></li><li><a href="https://nuzzel.com/subscriptionstory/12222020/inquirer/treasury_dept_email_accounts_were_compromised_in_hack_blamed_on?e=4119532&c=zVk80INhESNDhyNUSqlkqPwZppDardpjLzmJd5qFjY&u=InfoSecSherpa&utm_campaign=newsletter_subscription&utm_medium=email&utm_source=nuzzel%22%20%5Ct%20%22_blank">Treasury Dept. 
email accounts were compromised in hack blamed on Russia</a></li><li><a href="https://nuzzel.com/subscriptionstory/12202020/thenationonlineng/iranian_hackers_hit_israel_aerospace_industries?e=4119532&c=zVk80INhESNDhyNUSqlkqPwZppDardpjLzmJd5qFjY&u=InfoSecSherpa&utm_campaign=newsletter_subscription&utm_medium=email&utm_source=nuzzel%22%20%5Ct%20%22_blank">Iranian hackers hit Israel aerospace industries</a></li><li><a href="https://nuzzel.com/subscriptionstory/12202020/theguardian/iphones_vulnerable_to_hacking_tool_for_months_researchers_say?e=4119532&c=zVk80INhESNDhyNUSqlkqPwZppDardpjLzmJd5qFjY&u=InfoSecSherpa&utm_campaign=newsletter_subscription&utm_medium=email&utm_source=nuzzel%22%20%5Ct%20%22_blank">iPhones vulnerable to hacking tool for months, researchers say | Malware</a></li><li><a href="https://nuzzel.com/subscriptionstory/12192020/bitcoin/two_rubygems_infected_with_cryptostealing_feature_malware_spotted_by?e=4119532&c=zVk80INhESNDhyNUSqlkqPwZppDardpjLzmJd5qFjY&u=InfoSecSherpa&utm_campaign=newsletter_subscription&utm_medium=email&utm_source=nuzzel%22%20%5Ct%20%22_blank">Two Rubygems Infected With Crypto-Stealing Feature Malware</a></li><li><a href="https://nuzzel.com/subscriptionstory/12162020/thehackernews/ransomware_attackers_using_systembc_malware_with_tor_proxy?e=4119532&c=zVk80INhESNDhyNUSqlkqPwZppDardpjLzmJd5qFjY&u=InfoSecSherpa&utm_campaign=newsletter_subscription&utm_medium=email&utm_source=nuzzel%22%20%5Ct%20%22_blank">Ransomware Attackers Using SystemBC Malware With Tor Proxy</a></li><li><a href="https://nuzzel.com/subscriptionstory/12172020/businessworld/cybercrime_fake_call_centre_duping_foreign_nationals_busted_in_delhi?e=4119532&c=zVk80INhESNDhyNUSqlkqPwZppDardpjLzmJd5qFjY&u=InfoSecSherpa&utm_campaign=newsletter_subscription&utm_medium=email&utm_source=nuzzel%22%20%5Ct%20%22_blank">Cybercrime: Fake call centre duping foreign nationals busted in Delhi, 54 arrested</a></li><li><a 
href="https://nuzzel.com/subscriptionstory/12142020/grahamcluley/house_purchases_in_hackney_fall_through_following_cyber_attack?e=4119532&c=zVk80INhESNDhyNUSqlkqPwZppDardpjLzmJd5qFjY&u=InfoSecSherpa&utm_campaign=newsletter_subscription&utm_medium=email&utm_source=nuzzel%22%20%5Ct%20%22_blank">House purchases in Hackney fall through following cyber attack against council</a></li><li><a href="https://nuzzel.com/subscriptionstory/12152020/itproportal/print_security_is_the_remote_working_cyber_risk_very_few_saw_coming?e=4119532&c=zVk80INhESNDhyNUSqlkqPwZppDardpjLzmJd5qFjY&u=InfoSecSherpa&utm_campaign=newsletter_subscription&utm_medium=email&utm_source=nuzzel%22%20%5Ct%20%22_blank">Print security is the remote working cyber risk very few saw coming</a></li><li><a href="https://nuzzel.com/subscriptionstory/12152020/washingtontimes/poland_lithuania_are_targets_of_cyber_disinformation_attack?e=4119532&c=zVk80INhESNDhyNUSqlkqPwZppDardpjLzmJd5qFjY&u=InfoSecSherpa&utm_campaign=newsletter_subscription&utm_medium=email&utm_source=nuzzel%22%20%5Ct%20%22_blank">Poland, Lithuania are targets of cyber disinformation attack</a></li><li><a href="https://nuzzel.com/subscriptionstory/12142020/yahoo/norwegian_cruise_liner_hurtigruten_sustains_cyber_attack?e=4119532&c=zVk80INhESNDhyNUSqlkqPwZppDardpjLzmJd5qFjY&u=InfoSecSherpa&utm_campaign=newsletter_subscription&utm_medium=email&utm_source=nuzzel%22%20%5Ct%20%22_blank">Norwegian cruise liner Hurtigruten sustains cyber attack</a></li><li><a href="https://nuzzel.com/subscriptionstory/12142020/tricitiesbusinessnews/port_of_kennewick_crippled_by_cyberattack?e=4119532&c=zVk80INhESNDhyNUSqlkqPwZppDardpjLzmJd5qFjY&u=InfoSecSherpa&utm_campaign=newsletter_subscription&utm_medium=email&utm_source=nuzzel%22%20%5Ct%20%22_blank">Port of Kennewick crippled by cyberattack</a></li><li><a 
href="https://nuzzel.com/subscriptionstory/12142020/itwire/two_indian_banks_affected_by_windows_ransomware_attacks?e=4119532&c=zVk80INhESNDhyNUSqlkqPwZppDardpjLzmJd5qFjY&u=InfoSecSherpa&utm_campaign=newsletter_subscription&utm_medium=email&utm_source=nuzzel%22%20%5Ct%20%22_blank">Two Indian banks affected by Windows ransomware attacks</a></li><li><a href="https://nuzzel.com/subscriptionstory/12132020/haaretz/iran_suspected_after_massive_cyberattack_on_israeli_firms_revealed?e=4119532&c=zVk80INhESNDhyNUSqlkqPwZppDardpjLzmJd5qFjY&u=InfoSecSherpa&utm_campaign=newsletter_subscription&utm_medium=email&utm_source=nuzzel%22%20%5Ct%20%22_blank">Iran suspected after massive cyberattack on Israeli firms revealed</a></li><li><a href="https://nuzzel.com/subscriptionstory/12122020/dailymail.co/files_expose_mass_infiltration_of_uk_firms_by_chinese_communist?e=4119532&c=zVk80INhESNDhyNUSqlkqPwZppDardpjLzmJd5qFjY&u=InfoSecSherpa&utm_campaign=newsletter_subscription&utm_medium=email&utm_source=nuzzel%22%20%5Ct%20%22_blank">Files expose mass infiltration of UK firms by Chinese Communist Party</a></li><li><a href="https://nuzzel.com/subscriptionstory/12112020/bbc.co/subway_customers_receive_malware_emails?e=4119532&c=zVk80INhESNDhyNUSqlkqPwZppDardpjLzmJd5qFjY&u=InfoSecSherpa&utm_campaign=newsletter_subscription&utm_medium=email&utm_source=nuzzel%22%20%5Ct%20%22_blank">Subway customers receive 'malware' emails</a></li><li><a href="https://nuzzel.com/subscriptionstory/12122020/kansascity/kc_suburb_spent_millions_on_cyber_security_protections_but_still_got?e=4119532&c=zVk80INhESNDhyNUSqlkqPwZppDardpjLzmJd5qFjY&u=InfoSecSherpa&utm_campaign=newsletter_subscription&utm_medium=email&utm_source=nuzzel%22%20%5Ct%20%22_blank">KC suburb spent millions on cyber security protections but still got hit by ransomware</a></li><li><a 
href="https://nuzzel.com/subscriptionstory/12122020/govinfosecurity/ransomware_attacks_hitting_vulnerable_mysql_servers?e=4119532&c=zVk80INhESNDhyNUSqlkqPwZppDardpjLzmJd5qFjY&u=InfoSecSherpa&utm_campaign=newsletter_subscription&utm_medium=email&utm_source=nuzzel%22%20%5Ct%20%22_blank">Ransomware Attacks Hitting Vulnerable MySQL Servers</a></li><li><a href="https://nuzzel.com/subscriptionstory/12112020/freightwaves/hackers_leak_data_from_trucking_firm_cardinal_logistics?e=4119532&c=zVk80INhESNDhyNUSqlkqPwZppDardpjLzmJd5qFjY&u=InfoSecSherpa&utm_campaign=newsletter_subscription&utm_medium=email&utm_source=nuzzel%22%20%5Ct%20%22_blank">Hackers leak data from trucking firm Cardinal Logistics</a></li><li><a href="https://nuzzel.com/subscriptionstory/12112020/threatpost/adrozek_malware_delivers_fake_ads_to_30k_devices_a_day?e=4119532&c=zVk80INhESNDhyNUSqlkqPwZppDardpjLzmJd5qFjY&u=InfoSecSherpa&utm_campaign=newsletter_subscription&utm_medium=email&utm_source=nuzzel%22%20%5Ct%20%22_blank">Adrozek Malware Delivers Fake Ads to 30K Devices a Day</a></li><li><a href="https://nuzzel.com/subscriptionstory/12082020/cybereason/new_malware_arsenal_abusing_cloud_platforms_in_middle_east_espionage?e=4119532&c=zVk80INhESNDhyNUSqlkqPwZppDardpjLzmJd5qFjY&u=InfoSecSherpa&utm_campaign=newsletter_subscription&utm_medium=email&utm_source=nuzzel%22%20%5Ct%20%22_blank">New Malware Arsenal Abusing Cloud Platforms in Middle East Espionage Campaign</a></li><li><a href="https://nuzzel.com/subscriptionstory/12092020/masslive/springfield_public_schools_servers_back_to_normal_after_october?e=4119532&c=zVk80INhESNDhyNUSqlkqPwZppDardpjLzmJd5qFjY&u=InfoSecSherpa&utm_campaign=newsletter_subscription&utm_medium=email&utm_source=nuzzel%22%20%5Ct%20%22_blank">Springfield Public Schools servers back to normal after October cyberattack that put abrupt pause to remote learning</a></li><li><a 
href="https://nuzzel.com/subscriptionstory/12052020/zdnet/ransomware_gangs_are_now_coldcalling_victims_if_they_restore_from?e=4119532&c=zVk80INhESNDhyNUSqlkqPwZppDardpjLzmJd5qFjY&u=InfoSecSherpa&utm_campaign=newsletter_subscription&utm_medium=email&utm_source=nuzzel%22%20%5Ct%20%22_blank">Ransomware gangs are now cold-calling victims if they restore from backups without paying</a></li><li><a href="https://nuzzel.com/subscriptionstory/12062020/cnbc/middle_east_facing_cyber_pandemic_as_covid_exposes_security?e=4119532&c=zVk80INhESNDhyNUSqlkqPwZppDardpjLzmJd5qFjY&u=InfoSecSherpa&utm_campaign=newsletter_subscription&utm_medium=email&utm_source=nuzzel%22%20%5Ct%20%22_blank">Middle East facing 'cyber pandemic' as Covid exposes security vulnerabilities, cyber chief says</a></li><li><a href="https://nuzzel.com/subscriptionstory/12042020/threatpost/vancouver_metro_disrupted_by_egregor_ransomware?e=4119532&c=zVk80INhESNDhyNUSqlkqPwZppDardpjLzmJd5qFjY&u=InfoSecSherpa&utm_campaign=newsletter_subscription&utm_medium=email&utm_source=nuzzel%22%20%5Ct%20%22_blank">Vancouver Metro Disrupted by Egregor Ransomware</a></li><li><a href="https://nuzzel.com/subscriptionstory/12032020/juneauempire/113000_alaskan_voter_ids_exposed_in_data_breach?e=4119532&c=zVk80INhESNDhyNUSqlkqPwZppDardpjLzmJd5qFjY&u=InfoSecSherpa&utm_campaign=newsletter_subscription&utm_medium=email&utm_source=nuzzel%22%20%5Ct%20%22_blank">113,000 Alaskan voter IDs exposed in data breach</a></li><li><a href="https://nuzzel.com/subscriptionstory/12032020/zdnet/data_of_243_million_brazilians_exposed_online_via_website_source?e=4119532&c=zVk80INhESNDhyNUSqlkqPwZppDardpjLzmJd5qFjY&u=InfoSecSherpa&utm_campaign=newsletter_subscription&utm_medium=email&utm_source=nuzzel%22%20%5Ct%20%22_blank">Data of 243 million Brazilians exposed online via website source code</a></li><li><a 
href="https://nuzzel.com/subscriptionstory/12032020/nytimes/cyberattacks_discovered_on_vaccine_distribution_operations?e=4119532&c=zVk80INhESNDhyNUSqlkqPwZppDardpjLzmJd5qFjY&u=InfoSecSherpa&utm_campaign=newsletter_subscription&utm_medium=email&utm_source=nuzzel%22%20%5Ct%20%22_blank">Cyberattacks Discovered on Vaccine Distribution Operations</a></li><li><a href="https://nuzzel.com/subscriptionstory/12022020/zdnet/brazilian_aerospace_firm_embraer_hit_by_cyberattack?e=4119532&c=zVk80INhESNDhyNUSqlkqPwZppDardpjLzmJd5qFjY&u=InfoSecSherpa&utm_campaign=newsletter_subscription&utm_medium=email&utm_source=nuzzel%22%20%5Ct%20%22_blank">Brazilian aerospace firm Embraer hit by cyberattack</a></li><li><a href="https://nuzzel.com/subscriptionstory/11302020/helpnetsecurity/malware_may_trick_biologists_into_generating_dangerous_toxins_in?e=4119532&c=zVk80INhESNDhyNUSqlkqPwZppDardpjLzmJd5qFjY&u=InfoSecSherpa&utm_campaign=newsletter_subscription&utm_medium=email&utm_source=nuzzel%22%20%5Ct%20%22_blank">Malware may trick biologists into generating dangerous toxins in their labs</a></li><li><a href="https://nuzzel.com/subscriptionstory/11232020/ic3/spoofed_fbi_internet_domains_pose_cyber_and_disinformation_risks?e=4119532&c=zVk80INhESNDhyNUSqlkqPwZppDardpjLzmJd5qFjY&u=InfoSecSherpa&utm_campaign=newsletter_subscription&utm_medium=email&utm_source=nuzzel%22%20%5Ct%20%22_blank">Spoofed FBI Internet Domains Pose Cyber and Disinformation Risks</a></li><li><a href="https://nuzzel.com/subscriptionstory/12012020/businessinsurance/cyber_attacks_against_vaccine_makers_rise?e=4119532&c=zVk80INhESNDhyNUSqlkqPwZppDardpjLzmJd5qFjY&u=InfoSecSherpa&utm_campaign=newsletter_subscription&utm_medium=email&utm_source=nuzzel%22%20%5Ct%20%22_blank">Cyber attacks against vaccine makers rise</a></li><li><a 
href="https://nuzzel.com/subscriptionstory/11302020/threatpost/macos_users_targeted_by_oceanlotus_backdoor?e=4119532&c=zVk80INhESNDhyNUSqlkqPwZppDardpjLzmJd5qFjY&u=InfoSecSherpa&utm_campaign=newsletter_subscription&utm_medium=email&utm_source=nuzzel%22%20%5Ct%20%22_blank">MacOS Users Targeted By OceanLotus Backdoor</a></li></ol><p></p>
<p>These headlines paint a picture of rampant criminal activity abusing all manner of digital technology in all regions of the world, across all sectors of human endeavor, including education, research, medicine, healthcare, pharmaceuticals, heavy industry, light industry, commercial shipping, recreational shipping, retail, banking, software, hardware, the media, local government, state government, national government. </p><p>These headlines also document the main reason that I think the harm caused by such activity in 2021 will be even greater than in 2020: whatever deterrents there are to people continuing to engage in this type of activity, they are clearly not working. And in 2021 there will be more people than ever with both the motive and means to engage in cybercrime, and more opportunities than ever to commit cybercrime.</p><p></p><ul style="text-align: left;"><li><b>Motive increase</b>: widespread pandemic-related economic hardship</li><li><b>Means increase</b>: constantly improving cybercrime skills, increasingly accessible (e.g. crime-as-a-service)</li><li><b>Opportunities increase</b>: more devices and data, in more locations, performing increasingly valuable functions</li></ul><p></p><p>As 2021 rolls on I will continue to document the scale of the cybersecurity challenge as I see it. For now, let me extend a massive THANK YOU to all the dedicated and righteous souls who labored so hard in 2020 to fend off the bad actors.</p><p>Is there any room for optimism in 2021? Maybe, if the Biden-Harris administration is allowed to get on with the job of instigating major improvements in globally coordinated cybercrime deterrence. (And to be clear, I do sincerely hope that six months from now reality will show that my current outlook was overly pessimistic.)</p><p>In any event, here's to "cyber" becoming way less crimey in 2021. 
<b>Happy New Year!</b></p><h2 style="text-align: left;">Notes</h2><div><div><div>If you found this article interesting and/or helpful, please consider clicking the button below to <a href="https://buymeacoffee.com/stephencobb" target="_blank">buy me a coffee</a> and support a good cause, while fueling more independent research and ad-free content like this. Thanks!</div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://buymeacoffee.com/stephencobb" style="margin-left: 1em; margin-right: 1em;" target="_blank"><img alt="Button says Buy Me a Coffee, in case you feel like supporting more writing like this." border="0" data-original-height="37" data-original-width="170" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtKtep2KiB5toSvIKnfvA-9bynX1QkrtG_R4M8QFpETAA08co8_C7iJuhL15BPr6rTEYrARx22FeIQGnnrGgjVwoa6wHPcYmB3kBZvgNIim9LzhWH0GUAL5pjVgEi_QitCaBCy5w/s16000/bmc-button.png" /></a></div></div>* While <a href="https://www.ic3.gov/default.aspx" target="_blank">IC3 is the source of the numbers</a> in the graph, IC3 has not—to my knowledge—published them in a graph; in other words, I built the graph from their numbers. And I know that the IC3 numbers are by no means perfect crime metrics; they are based on data that is accumulated as a by-product of one avenue of attack against the crimes they represent. However, I have studied each of the annual reports and I am satisfied that collectively they provide solid evidence of a real world cybercrime impact trend that looks very much like the line shown in the graph. 
For more on issues with cybercrime measurement, see my article in the <i>Journal of National Security Law & Policy</i>: <a href="https://jnslp.com/2020/02/13/advancing-accurate-objective-cybercrime-metrics/" target="_blank">Advancing Accurate and Objective Cybercrime Metrics</a>.</div></div>Stephen Cobbhttp://www.blogger.com/profile/04204736531276318817noreply@blogger.com0tag:blogger.com,1999:blog-13370348.post-56759065425124677672020-11-05T21:07:00.008+00:002021-05-06T14:56:25.508+00:00Universal Recipe for Disaster: Works in Cyberspace as well as Meatspace (a plea to heed experts)<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgymJrQltR5Iq2IGyvibXzIAmtKKzPURFoj5Zbu8k5grAQN5XUgCcGAyU2_gsysPp4sxBGZd3HaKgslKdcHEri8LwLU7BwhpAtMglmlELoYWP2XU4jgmBZ6zotXEjtJt6Cl8j6kxA/s941/cyber-meat-recipe-scobb.jpg" style="margin-left: 1em; margin-right: 1em;"><img alt="Image says Recipe for disaster that works in both cyberspace and meatspace: rapid embrace of global connectivity and complex interdependence, at scale and absent universally agreed enforceable norms of behavior." border="0" data-original-height="582" data-original-width="941" height="303" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgymJrQltR5Iq2IGyvibXzIAmtKKzPURFoj5Zbu8k5grAQN5XUgCcGAyU2_gsysPp4sxBGZd3HaKgslKdcHEri8LwLU7BwhpAtMglmlELoYWP2XU4jgmBZ6zotXEjtJt6Cl8j6kxA/w490-h303/cyber-meat-recipe-scobb.jpg" width="490" /></a></div><br /><div>Getting people to heed your warnings is one of the toughest aspects of being an expert, whether your specialty is epidemiology or criminology, virology or malicious code, biology or botnets. How do you get people to pay attention to a problem that seems very urgent to you, but not urgent enough to others? One approach is to just keep trying. 
</div><div><br /></div><div>One of my recent efforts was to describe "<a href="https://www.linkedin.com/pulse/covid-effect-means-we-can-longer-ignore-malware-factor-stephen-cobb/" target="_blank">The COVID Effect</a>." Another effort was "<a href="https://scobbs.blogspot.com/2020/04/the-malware-factor-biggest-problem-our.html" target="_blank">The Malware Factor</a>." Today, I give you: <b>Recipe for Disaster</b>.</div><div><br /></div><div>This <i>Recipe for Disaster</i> works in both cyberspace and meatspace. You simply combine these ingredients: rapid embrace of global connectivity and complex interdependence, at scale, absent universally agreed enforceable norms of behavior.</div><div><br /></div><div>In other words, you create a situation where everything and everybody is not only connected to every other thing and person, but also heavily dependent upon those things and people and connections. Obviously this creates some level of risk that things could go wrong, but the trick to maximizing the potential for disaster is to do all this without everyone involved first committing to abide by an agreed set of rules as to what is permissible, or figuring out how you can and will censure anyone who breaks the rules. </div><div><br /></div><div><div>What you get from this recipe is a situation in which every kind of human endeavor is at serious risk of failing, badly, and with potentially dire consequences. </div><div><br /></div><div>A meatspace example would be a global pandemic caused by a deadly biological virus. A cyberspace example would be a digital infrastructure that enables a crisis like a biological pandemic to be abused for selfish ends by criminals wielding malicious code, potentially hindering efforts to deal with the crisis.</div><div><br /></div><div>Of course, it is now clear that many experts in many fields were right in many ways. 
As has happened far too often in human history, we are finding out far too late that, like the song says: "What they've been saying all these years is true."* Had experts been heeded in the past, we could have avoided the deadly mess we're in today. </div><div><br /></div><div>I can already hear some people saying "Okay, so we should have listened back then, but is there anything you can tell us now that will help us get out of this mess?" Well, as it happens, there is. For a start, I can tell you that increasing the number of people who recognize the mess for what it is will be critical for getting out of it. </div><div><br /></div></div><div>And that's why I will keep trying to improve the effectiveness of my efforts to get people to pay attention.</div><div><br /></div><div>Please feel free to share the recipe card at the top of the page, or make your own version.</div><div><br /></div><div>Thanks.</div><div><br /></div><div><b>Notes:</b> </div><div><br /></div><div>If you found this article interesting and/or helpful, please consider clicking the button below to <a href="https://buymeacoffee.com/stephencobb" target="_blank">buy me a coffee</a> and support a good cause, while fueling more independent research and ad-free content like this. Thanks!</div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://buymeacoffee.com/stephencobb" style="margin-left: 1em; margin-right: 1em;" target="_blank"><img alt="Button says Buy Me a Coffee, in case you feel like supporting more writing like this." border="0" data-original-height="37" data-original-width="170" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtKtep2KiB5toSvIKnfvA-9bynX1QkrtG_R4M8QFpETAA08co8_C7iJuhL15BPr6rTEYrARx22FeIQGnnrGgjVwoa6wHPcYmB3kBZvgNIim9LzhWH0GUAL5pjVgEi_QitCaBCy5w/s16000/bmc-button.png" /></a></div><div><br /></div></div><div>*The song being quoted is Bonnie Dobson's 1962 classic "<a href="https://youtu.be/zZXuuKwhVvI" target="_blank">Morning Dew</a>," popularised in the late sixties by the late Tim Rose, whose version is used to great effect by Japanese director Mori Masaki in this <a href="https://youtu.be/WnWtUOktCwQ" target="_blank">anti-war video</a>, which some readers might find upsetting.</div><div><br /></div>Stephen Cobbhttp://www.blogger.com/profile/04204736531276318817noreply@blogger.com0tag:blogger.com,1999:blog-13370348.post-2264691969836563942020-10-31T17:00:00.106+00:002021-05-06T14:58:04.250+00:00Thanks for reading and heeding. Please #BeCyberSmart! (Cybersecurity Awareness Month, Day 31)<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: right;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYdEhY4ZUhzQxZeQDa3hc2lAi1W_BvcVmSnRnhET5EajHXdELKWh2Cx_ObJ6TIO3rP0dB4b_B_hEHV_txhyYyyfDq3KDu0AiYzBZCEDL6jKHG-dXAwcX4WJ2HPcC2BFfEOjde9IQ/s900/aware-vote-button.jpg" style="clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img alt="Vote for those committed to doing more about cybersecurity than has been done so far" border="0" data-original-height="546" data-original-width="900" height="194" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYdEhY4ZUhzQxZeQDa3hc2lAi1W_BvcVmSnRnhET5EajHXdELKWh2Cx_ObJ6TIO3rP0dB4b_B_hEHV_txhyYyyfDq3KDu0AiYzBZCEDL6jKHG-dXAwcX4WJ2HPcC2BFfEOjde9IQ/w320-h194/aware-vote-button.jpg" width="320" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">Vote for those committed to doing <br />a 
lot more about cybersecurity<br />than has been done so far</td></tr></tbody></table>This is blog post 31 of the 31 posts that I pledged to write in October, 2020, for Cybersecurity Awareness Month, an international effort to help people improve the security of their devices and protect the privacy of their data.<div><br /><div>There is a lot more that I wanted to say, and I will get round to saying it in the coming weeks. However, for the moment, there is just time for some final cybersecurity awareness thoughts. <div><br /></div><div>We should all heed the advice that has been dished up during the month, from locking down our logins and limiting access to all of our connected digital devices, to being careful how and where we reveal sensitive personal information. </div><div><br /></div><div>But the world now faces unprecedented levels of criminal behavior in cyberspace, and in my opinion a lot more of the heavy lifting in cybersecurity must be done by governments. Firstly, by taking seriously the need to achieve global consensus that abuse of digital technology is wrong, morally reprehensible, and will be prosecuted. Secondly, by funding efforts to enforce that consensus at levels many times greater than the paltry sums that have been allocated so far. 
</div><div><br /></div><div>So I will close the month by repeating something that I said <a href="https://scobbs.blogspot.com/2020/10/ehr-health-data-security.html">back on Day 22</a>:</div><div><blockquote><p>Whenever we vote to elect representatives, we can vote for those most likely to take all this as seriously as it needs to be taken.</p></blockquote><p>Take care, stay safe, and #BeCyberSmart</p><div><b><br /></b></div><div><b>Author's Note</b></div><div>If you found this article interesting and/or helpful, please consider clicking the button below to <a href="https://buymeacoffee.com/stephencobb" target="_blank">buy me a coffee</a> and support a good cause, while fueling more independent research and ad-free content like this. Thanks!</div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://buymeacoffee.com/stephencobb" style="margin-left: 1em; margin-right: 1em;" target="_blank"><br class="Apple-interchange-newline" /><img alt="Button says Buy Me a Coffee, in case you feel like supporting more writing like this." 
border="0" data-original-height="37" data-original-width="170" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtKtep2KiB5toSvIKnfvA-9bynX1QkrtG_R4M8QFpETAA08co8_C7iJuhL15BPr6rTEYrARx22FeIQGnnrGgjVwoa6wHPcYmB3kBZvgNIim9LzhWH0GUAL5pjVgEi_QitCaBCy5w/s16000/bmc-button.png" /></a></div><div><br /></div></div><div><br /></div></div></div></div>Stephen Cobbhttp://www.blogger.com/profile/04204736531276318817noreply@blogger.com0tag:blogger.com,1999:blog-13370348.post-2457356049880068532020-10-30T17:37:01.011+00:002020-10-31T17:44:01.574+00:00Cybersecurity needs more women, now and in the future (Cybersecurity Awareness Month, Day 30)<p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhA6WGA2DC_HRb4KtLGCJORJvKMHT65-8TAjJhXvCAVhgq2ysvFVrbIrkCME1ZOg-qId444u6dGzPo3loOPeGSpoudjO-nlHPPO8U0ps8ATNT-1_Lei0MXPXr3ZTZEozF7zpept4g/s1044/Cybersecurity+Is+Everyone%2527s+Job+2.jpg" style="margin-left: 1em; margin-right: 1em;"><img alt="A woman with a laptop next to a server, making the point that IT needs more women. Cybersecurity needs more women. Shoutout to Christina @ wocintechchat.com for the image on UnSplash." border="0" data-original-height="651" data-original-width="1044" height="323" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhA6WGA2DC_HRb4KtLGCJORJvKMHT65-8TAjJhXvCAVhgq2ysvFVrbIrkCME1ZOg-qId444u6dGzPo3loOPeGSpoudjO-nlHPPO8U0ps8ATNT-1_Lei0MXPXr3ZTZEozF7zpept4g/w518-h323/Cybersecurity+Is+Everyone%2527s+Job+2.jpg" width="518" /></a></div><p>Hopefully, you have seen many images like the one above during Cybersecurity Awareness Month 2020, which is now drawing to a close. This messaging emphasizes our individual and collective responsibility for taking whatever steps we can to protect digital devices and data from being abused for selfish purposes. 
To me, this particular image is a reminder that cybersecurity is not only a shared obligation, but also a field of endeavor that offers a lot of job opportunities for women. And that is the subject of today's blog post. </p><div>If you have been reading along on this blog this month you will know that there is a post for each day of the month. I hope you have found these helpful and, if so, that you will share them with friends and colleagues through the coming months and into next year. You don't need to read many of these posts to realize that, while I fully support raising awareness of cybersecurity, I also think a lot more than awareness needs to be raised if humans are ever going to get ahead of the cybersecurity problem. One of the things that needs raising is the percentage of women working in technology.<p></p>Today we look at the need for more women in technology generally, and in cybersecurity specifically. But before I go any further with this, I need to give a shoutout to Christina at <a href="https://www.wocintechchat.com/" target="_blank">wocintechchat.com</a> for the great photo that makes up the right half of the image at the top of this article. Women of Color in Tech are creators of the WOCinTech stock photo collection, full of great images that are easy to find on <a href="https://unsplash.com/@wocintechchat" target="_blank">UnSplash</a>.<div><h2>More women in cybersecurity</h2></div></div><p>As I outlined in the article for October 28, there is a <a href="https://scobbs.blogspot.com/2020/10/awareness-of-the-cybersecurity-skills-gap.html" target="_blank">huge cybersecurity skills gap</a>, despite the fact that the pay for some cybersecurity roles can be very good.* We're talking half a million open positions in North America this year, and most countries are faced with large shortfalls in qualified applicants for cybersecurity roles. 
</p><p>Note that these are funded jobs, waiting for the right applicants; and there is no reason that all those applicants need to be men. Indeed, I would argue that the cybersecurity workforce would benefit from becoming far more gender diverse, and just more diverse in general. When a field of endeavor embraces greater diversity that means a larger pool of talent from which to recruit, plus the potential to benefit from a wider range of perspectives.</p><p>Clearly, there are multiple ways in which it makes sense to encourage women to consider a job in cybersecurity, starting with the number of openings and the levels of pay available. Industry organizations—like CompTIA, (ISC)2, and ISSA—recognize this and have done a lot to encourage recruitment of women and minorities into tech in general, and cybersecurity specifically. Here's just a sample of web pages and articles that have more information about this: </p><p></p><ul style="text-align: left;"><li><a href="https://www.comparitech.com/blog/information-security/women-cybersecurity-initiatives/" target="_blank">35+ initiatives to get more women into cybersecurity</a></li><li><a href="https://www.creatingitfutures.org/" target="_blank">Creating IT Futures</a> </li><li><a href="https://www.issa.org/cyber-security-career-lifecycle/pre-professional/" target="_blank">ISSA Pre-Professional Resources</a> </li><li><a href="https://www.businesstelegraph.co.uk/tech-skills-gap-gives-rise-to-it-apprenticeship-programs-techtarget/" target="_blank">Initiatives mentioned in this article</a></li><li><a href="https://www.techradar.com/uk/news/how-to-get-into-cybersecurity" target="_blank">How to get into cybersecurity</a></li><li><a href="https://www.gov.uk/government/publications/cyber-security-skills-in-the-uk-labour-market-2020/cyber-security-skills-in-the-uk-labour-market-2020" target="_blank">Cyber security skills in the UK labour market 2020</a></li><li><a 
href="https://www.microsoft.com/security/blog/2020/03/19/welcoming-more-women-in-cybersecurity-power-mentorships/" target="_blank">Welcoming more women into cybersecurity</a></li></ul><p></p><p>Of course, getting into the field may require some knowledge and training that you don't have yet, but these can be acquired, often through self-paced learning, on the job or in your own time, combined with security certifications. There are also community college courses and apprenticeship programs. In other words, getting into a career in cybersecurity and progressing to the point where you're earning a six-figure salary does not require a university degree (there are still some employers who don't believe this, but they are wrong, and there are a lot of people, like me, working at convincing them of this).</p><p>Cybersecurity can be a great fit for women returning to the workforce, or entering it "late" (as defined by social convention). In my experience, women can acquire the necessary knowledge and training for cybersecurity work just as fast as men, if not faster. In yesterday's article I <a href="https://scobbs.blogspot.com/2020/10/risk-perception-and-cybersecurity-awareness.html" target="_blank">looked at reasons why</a> some people might be more aware of technology risks than others, and I believe that a lot of those <i>more aware</i> people are female.</p><p>Here are a couple of examples that show women being particularly adept in one particular aspect of cybersecurity: raising awareness of how easily our digital devices and data can be compromised. To be clear, both women are making a good living advising organizations on how to avoid becoming victims of the kind of "vishing" attacks that they so effectively demonstrate. 
</p><div class="separator" style="clear: both; text-align: center;"><iframe allowfullscreen="" class="BLOG_video_class" height="346" src="https://www.youtube.com/embed/xuYoMs6CLEw" width="416" youtube-src-id="xuYoMs6CLEw"></iframe></div><p>This second example offers more detail, some colorful language, and live video of a fairly serious theft of information, plus airline points. It also works as a great cybersecurity awareness video. Use it when you need to show someone how all that online authentication stuff we talked about on days <a href="https://scobbs.blogspot.com/2020/10/passwords-and-authentication.html">19</a>, <a href="https://scobbs.blogspot.com/2020/10/tokens-and-authentication.html">20</a>, and <a href="https://scobbs.blogspot.com/2020/10/biometric-authentication.html">21</a> can be bypassed if you shift communications to the phone and the target is not vishing-aware. </p><div class="separator" style="clear: both; text-align: center;"><iframe allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen="" frameborder="0" height="315" src="https://www.youtube.com/embed/LYilP-1TwMg" width="560"></iframe></div><p>Of course, the cybersecurity realm is much, much wider than this, and women are making valuable contributions across the board, from the very human side, seen in these videos, to the most cerebral, like Artificial Intelligence, a topic I will get back to in tomorrow's blog post. </p><p>One thing I find particularly encouraging about the state of play for women entering cybersecurity today is the amount of encouragement that is on offer, not just upon entering the field, but throughout career development. One of my favorite encouragers is <a href="https://www.keirstenbrager.tech/securetheinfosecbag/" target="_blank">Keirsten Brager</a>. 
Consider the approach she took when investigating the recurring career question of "<a href="https://www.keirstenbrager.tech/salarytips-part1/" target="_blank">what should I be paid?</a>" (When I heard Keirsten speaking at <a href="https://www.dianainitiative.org/" target="_blank">The Diana Initiative</a> a few years ago, I learned several career strategies that were new to me, and cybersecurity has been my career for more than three decades.)</p><h2 style="text-align: left;">Women <i>on </i>cybersecurity</h2><p></p><div><div><p>Getting more women to enter the field of cybersecurity is only part of what needs to happen. I would like to see, and the world would benefit from, more non-male influencers in the field. For example, several of my cybersecurity awareness blog posts this month recommended websites and newsletters that are good for keeping up with the latest security news, incidents, breaches, vulnerabilities, research findings, etc. </p><p>You might have noticed that these cybersecurity resources tend to be helmed by men, guys who have developed a reputation for providing useful and un-gated information about, and analysis of, cybersecurity trends and issues. I wanted to include more non-male sources in my posts, but I encountered a very interesting phenomenon: women charging for their take on cybersecurity. This makes sense given the way that the field has evolved; guys who rose to prominence in the field early on have developed followings that can be monetized with ads and paid speaking engagements, and so on. </p><p>But what if you have achieved expertise and a perspective worth sharing, but no prominence (circumstances with which many women may be familiar)? Why not build the following your work merits while also monetizing it: pay as you grow, as it were. That is what some women in cybersecurity are now doing, charging for their cybersecurity content on a pay-as-you-go basis. 
Here are two of the paid sources that I have signed up for: <a href="https://nuzzel.com/InfoSecSherpa/" target="_blank">Infosec Sherpa</a> and <a href="https://www.patreon.com/posts/cybersecurity-27-43194896">Cybersecurity Roundup</a>. </p><p>If you know of others, please <a href="https://twitter.com/zcobb" target="_blank">ping me on Twitter</a> and I will check them out. In the meantime, here is a very helpful <a href="https://onlinedegrees.sandiego.edu/top-cyber-security-blogs-websites/" target="_blank">list of top cybersecurity blogs and websites to follow</a>, curated by a woman. And here is an impressive list of <a href="https://cybersecurityventures.com/list-of-women-in-cybersecurity-associations-in-the-u-s-and-internationally/" target="_blank">50 Women In Cybersecurity Associations And Groups To Follow</a>. Also check out Lisa Forte's <a href="https://www.youtube.com/channel/UCaj1V0ptRrMDucohq41LDmg" target="_blank">Rebooting channel on YouTube</a>.</p><p><b>#BeCyberSmart</b></p></div><div><p>* When I say there is a huge cybersecurity skills gap "despite the fact that the pay for some cybersecurity roles <i>can</i> be very good" I mean yes, you can earn good money, but not all the jobs pay well. Furthermore, very sadly and all too predictably, the sector currently pays women 21% less than men <a href="https://www.infosecurity-magazine.com/news/women-in-cybersecurity-paid-21/" target="_blank">according to a recent study</a>. Clearly, this is wrong and needs to change. 
</p></div></div><p></p><p></p>Stephen Cobbhttp://www.blogger.com/profile/04204736531276318817noreply@blogger.com0tag:blogger.com,1999:blog-13370348.post-13169688106511716442020-10-29T19:18:01.001+00:002020-10-30T15:50:54.880+00:00Cybersecurity awareness: Why some people get it, more than others (Cybersecurity Awareness Month, Day 29)<p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgVC3inHtet3KS05YgqtysRDmte5dNuwOFiIOYUfA1pLK89ORYEpbi5JQ0if6cNlgnv5k9oo2JfbHRI9uABZ8lH2UV27Jl1ewrJz8sv8yTL3F-iP3MsxgAndV2fA1Jr3R7p6Amlfw/s804/GENDER-RISK-PERCEPTION.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="470" data-original-width="804" height="271" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgVC3inHtet3KS05YgqtysRDmte5dNuwOFiIOYUfA1pLK89ORYEpbi5JQ0if6cNlgnv5k9oo2JfbHRI9uABZ8lH2UV27Jl1ewrJz8sv8yTL3F-iP3MsxgAndV2fA1Jr3R7p6Amlfw/w464-h271/GENDER-RISK-PERCEPTION.jpg" width="464" /></a></div><br />In 2017, I wrote: “the digital technologies that enable much of what we think of as modern life have introduced new risks into the world and amplified some old ones. Attitudes towards risks arising from our use of both digital and non-digital technologies vary considerably, creating challenges for people who seek to manage risk.” <p></p><p>This is still true today, the 29<span style="font-size: x-small;">th</span> day of Cybersecurity Awareness Month, 2020; and, as the month draws to a close, I think it is helpful to reflect on how we feel about "cyber" risks, those created by our use of connected devices and the rest of the digital infrastructure that supports so many facets of life in the 21<span style="font-size: x-small;">st</span> century. You may have found that not everyone seems to be as concerned about some risks as you are.</p><p>Conversely, you might not be as worried about some things as some of your friends are. 
For some reason this makes me think of a Chief Information Security Officer cycling to work: she's more aware of, and concerned about, the risks posed by a new operating system vulnerability than most people, but she's less concerned than her friends and family about the risks of cycling to work. </p><p>The reasons for differences in risk perception are many and complex, and there's not enough room in this article to address them all in a fully documented fashion. What I do have room for is a short account of my considered opinions on this, followed by some sources at the end. The underlying theme of what I have to say is this: the failure of some people to heed expert advice, particularly experts who are warning that something is a problem and poses risks that need to be taken more seriously. </p><h2 style="text-align: left;">The Way I/We/You/They See Certain Risks</h2><p>Consider a survey question that offers the following choices for your answer: Low risk, Between low and moderate risk, Moderate risk, Between moderate and high risk, High risk. Suppose the question is this: <i>How much risk do you believe global warming poses to human health, safety, or prosperity</i>? What is your answer?</p><p>Over the last decade or so, numerous surveys have asked that question and the most frequent response is High risk. Almost all climate scientists agree that High risk is the "correct" answer, based on the science. But not everyone agrees, and that is clearly hampering efforts to slow down global warming. 
</p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjq2stRWhRdYd62N-A2hXDqyx3BqDjglbLLumbR7hndxb4YSb9LQ8Nuc9pXlxDGizySW66gZTjV4Iii47ZM1_H5EQrzXQEcv3idlUMcnmWl6i1ZVjyju2yD2Y5U7NDtlP6Do0CRCw/s653/wme-small-square.jpg" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" data-original-height="653" data-original-width="600" height="398" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjq2stRWhRdYd62N-A2hXDqyx3BqDjglbLLumbR7hndxb4YSb9LQ8Nuc9pXlxDGizySW66gZTjV4Iii47ZM1_H5EQrzXQEcv3idlUMcnmWl6i1ZVjyju2yD2Y5U7NDtlP6Do0CRCw/w365-h398/wme-small-square.jpg" width="365" /></a></div>So guess what happens when you analyze the survey responses by gender: you find that men are more likely to rate this risk Low. In fact, whenever you ask people to rate risks pertaining to a bunch of different technologies, you tend to find men see less risk than women. Furthermore, white males tend to see less risk than white females, non-white males, and non-white females.<p></p><p>And this is not a new phenomenon. There is a long history of failure to heed the warnings sounded by experts on a wide range of issues. Consider the 1994 survey results graphed on the right. The grey line with the round data points is white males, who saw less risk than everyone else in nuclear waste, chemical pollution, motor vehicle accidents, outdoor air quality, nuclear power plants and medical X-rays.</p><p>To be a bit more precise, the implication is that, on aggregate, white men in America tend to under-estimate technology risks, relative to the mean. And if you think, like I do, that the technologies we have been talking about so far present serious risks to human health, safety, or prosperity, then those men are wrong. What is more, their opinions act as a brake on efforts to address the risks that others are concerned about. 
And not only are they wrong, history has shown it is hard to persuade them of this, and of the need to raise awareness of these risks. All of which could have serious implications for cybersecurity awareness if it turns out that this pattern of findings extends to cyber risks.</p><p>Guess what? The pattern <i>does</i> extend to the digital realm, as you can see from this chart based on research I did a few years ago, working with my good friend <a href="https://www.blossoms2breaches.com/" target="_blank">Lysa Myers</a> who was on my research team at ESET at the time, with some assistance from Dan Kahan of the <a href="http://www.culturalcognition.net/" target="_blank">Cultural Cognition Project</a> at Yale Law School.</p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_IdoRxeLzn67ctNyUYgfBegmNhSB3KbTmVmv-oOYJmzFviFDSb36DiEpkml3Lv9r7Dq8duMaRyuK7KLVcgatvFLqZtaCGDTPSoTFyX9YvU7cQGM-r30qRYzIUiM-Xn4Dlm4dZww/s1066/1-tech-risk-chart.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="536" data-original-width="1066" height="275" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_IdoRxeLzn67ctNyUYgfBegmNhSB3KbTmVmv-oOYJmzFviFDSb36DiEpkml3Lv9r7Dq8duMaRyuK7KLVcgatvFLqZtaCGDTPSoTFyX9YvU7cQGM-r30qRYzIUiM-Xn4Dlm4dZww/w548-h275/1-tech-risk-chart.png" width="548" /></a></div><br /><p>See that White Male line undercutting the others across a wide range of risk categories? 
The yellow highlighting picks out the “digital risks,” and it shows that white males tend to see less risk from digital technology than the other groups, although the gap is smaller than with some other risks (and there is one notable exception: government data monitoring seems to trouble non-white males even less than white males—there could be several explanations for this, but that is a subject for a different blog post).</p><h2 style="text-align: left;">"Not All White Men"</h2><p>Of course, the story here is not as simple as it appears from these graphs. If you watched the TEDx talk on <a href="https://scobbs.blogspot.com/2020/10/3-ways-to-improve-our-digital-future.html">Day 8 of this month's cybersecurity awareness blog posts</a> you will know that, the first time I got excited about this White Male Effect in technology risk perception, my wife pointed out that I am a white male; and I don't—in her professional opinion—under-estimate risk. And in fact, research shows that significantly less than half of white males are what I would call the "problem" here: refusing to accept expert opinion as to how serious the risks of technology are to human health, safety, and prosperity.</p><p>One of the pioneers in risk perception research, Dan Kahan, collaborated in a <a href="http://papers.ssrn.com/sol3/papers.cfm?abstract_id=995634">2007 study</a> that found a certain type of white male was "so extremely skeptical of risks involving, say, the environment ... that they create the appearance of a sample-wide 'white male' effect." </p><p>As Kahan puts it, "that effect 'disappears' once the extreme skepticism of these individuals (less than 1/6 of the white [male] population) is taken into account" (see <a href="http://www.culturalcognition.net/blog/2013/6/10/what-are-fearless-white-hierarchical-individualist-males-afr.html" target="_blank">Kahan's discussion here</a>). This makes a lot of sense when you look at cybersecurity. 
I think we can safely assume that most cybersecurity professionals perceive the risks from digital technology abuse to be high rather than low. And we know that for decades the cybersecurity profession has been dominated by white males. So what distinguishes them from the "certain type of white male" to which Kahan refers?</p><p>The answer lies in something called the Cultural Theory of Risk, and in the language of that theory, the white men in question, the guys drastically underestimating technology risks, are <i>white hierarchical and individualistic males</i>. According to this theory, "structures of social organization endow individuals with perceptions that reinforce those structures in competition against alternative ones" (<a href="https://en.wikipedia.org/wiki/Cultural_theory_of_risk" target="_blank">Wikipedia</a>). A hierarchical individualist is inclined to agree with statements like: it's not the government's business to try to protect people from themselves, and this whole "everyone is equal" thing has gone too far. </p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgL9ipjA96VnN1SOTszUpWbvLIbs_GkE9A-qcPhIDx6K1wKUs2PuhhNBXxfzJ1SYjtKai4sESkB9AKvWHHvVamdG2ULBUyvHFi68Nbz_mvTU9wPIoBq78uIIg943kx4uWzV2GNU7Q/s1721/cultural-theory-orthagonal2.png" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" data-original-height="1282" data-original-width="1721" height="263" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgL9ipjA96VnN1SOTszUpWbvLIbs_GkE9A-qcPhIDx6K1wKUs2PuhhNBXxfzJ1SYjtKai4sESkB9AKvWHHvVamdG2ULBUyvHFi68Nbz_mvTU9wPIoBq78uIIg943kx4uWzV2GNU7Q/w354-h263/cultural-theory-orthagonal2.png" width="354" /></a></div><p>This blog post does not have room for a discussion of the Cultural Theory, but the diagram on the right helps put the terms hierarchical and individualistic into context. 
To grossly over-simplify, the folks who see as much risk as I do in technology tend to be in the lower right: egalitarian and community-minded (we're all equal and in this together). A lot of women tend to be in that quadrant. </p><p>For much more on this, you can read about the ground-breaking research that Lysa and I did on this theory in the context of digital risks in this two-part report: <i>Adventures in cybersecurity research: Risk, Cultural Theory, and the White Male Effect</i>, <a href="https://www.welivesecurity.com/2017/12/18/adventures-cybersecurity-research/" target="_blank">part one</a>, and <a href="https://www.welivesecurity.com/2017/12/20/adventures-cybersecurity-risk/" target="_blank">part two</a>. (Kudos to ESET for supporting this work.) There is also a <a href="https://medium.com/@zcobb/risk-perception-and-digital-security-f9d2d8c192a9" target="_blank">summary here on Medium</a>. </p><p>Lysa and I gave a talk about this work at the (ISC)2 Security Congress in 2017, describing how the failure to listen to experts, rooted in these differences in risk perception, impacts cybersecurity. 
The main points are as follows:</p><p></p><ul><li>The security of digital systems (cybersecurity) is undermined by vulnerabilities in products and systems.</li><li>Failure to heed experts is a major source of vulnerability.</li><li>Failure to heed experts is a known problem in technology.</li><li>The Cultural Theory of risk perception helps explain this problem.</li><li>Cultural Theory exposes the tendency of some males to underestimate risk (White Male Effect or WME).</li><li>Our research assessed the public’s perceptions of a range of technology risks (digital and non-digital).</li><li>The findings provide the first ever assessment of WME in the digital or cyber-realm.</li><li>Additional findings indicate that cyber-related risks are now firmly embedded in public consciousness.</li><li>Practical benefits from the research include pointers to improved risk communication strategies and a novel take on the need for greater diversity in technology leadership roles.</li></ul><p>We suggested several ways in which our findings, and those of other experts researching risk perception, might help improve risk communication. Here is the relevant slide from the talk. 
</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0sTBe0csUam1ZICst5F7O8lbC6AkJB1NCejtVMTme_YgdJbIyxectznvoAzizLVeq_Xkcv4KaEWy93lDE5BeLy4emJa2_079NJP0CLgVsh7ADlUzx4MEymWMZ-NO9gh4QAXRuWA/s1406/cultural-theory-awareness.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="797" data-original-width="1406" height="335" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0sTBe0csUam1ZICst5F7O8lbC6AkJB1NCejtVMTme_YgdJbIyxectznvoAzizLVeq_Xkcv4KaEWy93lDE5BeLy4emJa2_079NJP0CLgVsh7ADlUzx4MEymWMZ-NO9gh4QAXRuWA/w593-h335/cultural-theory-awareness.jpg" width="593" /></a></div><div><br /></div><div>If you want to explore this line of thinking further, I recommend reading about "<a href="https://digitalcommons.law.yale.edu/fss_papers/101/" target="_blank">identity protective cognition</a>," a form of motivated reasoning that, according to Kahan, describes the tendency of people to fit their perceptions of risk (and related facts) to ones that reflect and reinforce their connection to important affinity groups, membership in which confers psychic, emotional, and material benefits. </div><p><b>#BeCyberSmart</b></p>Stephen Cobbhttp://www.blogger.com/profile/04204736531276318817noreply@blogger.com0tag:blogger.com,1999:blog-13370348.post-23537956796814754522020-10-28T21:24:00.005+00:002021-01-03T13:05:12.341+00:00Are you aware of the cybersecurity skills gap? 
(Cybersecurity Awareness Month: Day 28)<p></p><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8Muv8Dc_nsxCUHYXDgHbajUxzLHB4Xl7VftgM3pLBHlmhOlYEgh2lxdyKSuPdognM6k_3T4rGjCuXgZ6XZ3X-LawQjWgDmSToHVuoAMdJW716Ets4AdRCENGPhX2Vb-ZRyPcKkA/s905/cybersecurity-skills-gap.jpg" style="margin-left: auto; margin-right: auto;"><img alt="Graphic illustrating the idea of a skills gap" border="0" data-original-height="562" data-original-width="905" height="307" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8Muv8Dc_nsxCUHYXDgHbajUxzLHB4Xl7VftgM3pLBHlmhOlYEgh2lxdyKSuPdognM6k_3T4rGjCuXgZ6XZ3X-LawQjWgDmSToHVuoAMdJW716Ets4AdRCENGPhX2Vb-ZRyPcKkA/w494-h307/cybersecurity-skills-gap.jpg" width="494" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">There is a shortage of <i>effective guardians</i><br /></td></tr></tbody></table><br /><div>Remember back on Day 1 of this Cybersecurity Awareness Month when I talked about how much cybercrime there is these days? And on Day 15 I put up this graph of Internet crime losses reported to IC3 and the FBI? 
<p></p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiOC1L1NAgDmUudB2gAAz9GWNrdYxkzw_0wb9Y0-Lh6sAPcoy2gxCOHmkd1DC8pLSRuaDK048-Wbpw7dL2RdaljIsbyolAGuGiJU0EvO5NjtUeij3QixLPlZuYSXyZMOiWG96dRRw/s764/ic3-2011-2019.jpg" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" data-original-height="764" data-original-width="495" height="514" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiOC1L1NAgDmUudB2gAAz9GWNrdYxkzw_0wb9Y0-Lh6sAPcoy2gxCOHmkd1DC8pLSRuaDK048-Wbpw7dL2RdaljIsbyolAGuGiJU0EvO5NjtUeij3QixLPlZuYSXyZMOiWG96dRRw/w333-h514/ic3-2011-2019.jpg" width="333" /></a></div>We talked about how this graph is a pretty good representation of the overall trend in cybercrime—which is likely to set new records this year—and how that makes raising cybersecurity awareness a very urgent task. <div><br /></div><div>During this month we have also looked at some of the reasons why there is so much cybercrime, including one very fundamental insight into crime in general, from Felson and Cohen. Back in 1980 they said that crimes occur when there is: </div><blockquote><div>"convergence in space and time of offenders, of suitable targets, and of the absence of effective guardians."</div></blockquote><div>So, one way to look at the seemingly relentless rise of cybercrime is to see it as the convergence of offenders and suitable targets in cyberspace, a place where, at the present time, there is a very real absence of effective guardians. </div><div><br /></div><div>In fact, there are literally hundreds of thousands of unfilled jobs for effective guardians. Sadly, governments and companies just cannot find enough people to do the cybersecurity work that needs to be done to effectively guard against cybercrime. 
</div><div><br /></div><div>I don't mean that organizations don't have the money to hire people with the necessary cybersecurity skills to be effective guardians. I mean that even when they have the money, i.e. when positions are funded, they just can't find enough qualified applicants to fill those positions. </div><div><br /></div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDwQNWx-agKH9Q8G6-fzW8l1HvcAq-9ldDdLpf8eUVpNgtRp0ijC8emZ26D8tHoyzGtP9BUH6gAU_vBhRrr7w9eYVWvS7fmfPsRMFlvv9KMHo70XH7ebC0Hquy3kVbcOG9wma8BQ/s280/cyber-gap-state.jpg" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" data-original-height="241" data-original-width="280" height="182" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDwQNWx-agKH9Q8G6-fzW8l1HvcAq-9ldDdLpf8eUVpNgtRp0ijC8emZ26D8tHoyzGtP9BUH6gAU_vBhRrr7w9eYVWvS7fmfPsRMFlvv9KMHo70XH7ebC0Hquy3kVbcOG9wma8BQ/w212-h182/cyber-gap-state.jpg" width="212" /></a></div>In America, this shortfall is actually mapped out on the web at <a href="https://www.cyberseek.org/heatmap.html" target="_blank">a site called CyberSeek</a>. That link takes you straight to a map that shows you where the demand is and where the supply is located. Nationally, there are half a million jobs open in cybersecurity, or, to put it another way, one third of the "effective guardian workforce" is missing.</div><div><br /></div><div>This phenomenon is widely referred to as the "cybersecurity skills gap" and it is not a new thing. This gap has been there for years now. I studied the problem in some detail in 2016 and presented a paper on it that year titled: <a href="https://www.virusbulletin.com/virusbulletin/2016/12/vb2016-paper-mind-gap-criminal-hacking-and-global-cybersecurity-skills-shortage-critical-analysis/" target="_blank">Mind this gap: criminal hacking and the global cybersecurity skills shortage, a critical analysis</a>. 
Back then I said this about the cybersecurity skills gap: "It is real, it is large, and it is growing, despite recent efforts to close it."</div><div><p>I said exactly the same thing about a month ago when a reporter was looking for input on the skills gap in 2020 relative to the pandemic. That reporter did not use my input, but here is how it might have appeared in an article: </p><blockquote><p>Cobb started exploring the cybersecurity skills shortage in 2015 after a report from Cisco said the global gap could be as big as one million people. In 2016, drawing on relationships with CompTIA and (ISC)2, he researched the gap for a master’s dissertation and presented a paper titled “Mind This Gap” at that year’s Virus Bulletin Conference. His conclusion: the gap is real and could easily be as big as one million globally.</p></blockquote><blockquote><p>Cobb says skills gap skeptics who claim its size is exaggerated tend either to be people who have skills but can’t find a job, or market-oriented economists who say any claim of a skills gap must carry the qualifier <i>at current pay levels</i>.</p></blockquote><blockquote><p>"I have a lot of sympathy for those who have skills but no job," says Cobb. "In my experience, a lot of this is due to serious shortcomings in hiring processes at many organizations; hiring for cybersecurity roles is a skill in itself, one that many HR departments lack." </p></blockquote><blockquote><p>According to Cobb, reducing bottlenecks in hiring, while ensuring that recruitment efforts are as diverse as possible, would definitely help to reduce the number of unfilled or under-filled cybersecurity positions.</p></blockquote><blockquote><p>As for closing the skills gap by increasing pay levels, Cobb says this is an overly simplistic view of markets. "Paying higher and higher wages until your company has all the security people it needs only works for goods and services sold at “cost plus” prices. 
While some defense contractors may be able to do that, most businesses see increased spending on security as a reduction in profit."</p></blockquote><p>The reporter specifically asked: Do you see the pandemic adding to this shortage? If so, why?</p><blockquote><p>"The pandemic is clearly increasing both the demand for people with cybersecurity skills and the demands put upon those people," says Cobb. "It’s not just the sudden shift to home working, but the rapid rise in levels of cybercrime, and the heightened levels of anxiety and fear that can affect an employee’s judgment."</p></blockquote><blockquote><p>Cobb added: "A lot of cybersecurity teams started out 2020 with a smaller headcount than they needed and open roles that they were struggling to fill, then suddenly they find themselves fighting more battles, on more fronts, than ever before; they’re going to need a lot more people than are available to hire."</p></blockquote><blockquote><p>On a brighter note, Cobb sees the increasing openness to employing remote staff as a positive factor for recruiting cybersecurity talent: "There are people who have great potential to do well in security but for whom a conventional office environment is not a good fit."</p></blockquote><p>Another good question was this: Is the new work-from-home model adding to the problem by creating more work for cybersecurity professionals?</p><blockquote><p>Cobb says that, "Many organizations have made a fast-paced switch from office-based computing, where systems and users can be tightly controlled and closely monitored, to a loose-knit web of connections over public networks via an almost infinite combination of home-based hardware and software. 
In other words, he says, "attack vectors have multiplied, controls have been weakened, users are stressed, and criminals are on a tear."</p></blockquote><blockquote><p>"Organizations are currently faced with multiple factors that magnify the cybersecurity challenge: complexity, rapid change, economic anxiety, personal stress, and increasingly aggressive adversaries operating with apparent impunity."</p></blockquote><blockquote><p>However, bad as the pandemic is, Cobb sees the failure of governments to tackle the root causes of cybercrime as a bigger long-term threat to cybersecurity, one which may make closing the skills gap impossible any time soon.</p></blockquote><p>So, there you have an up-to-date view of the cybersecurity skills gap, served up in article format, without the annoying adverts and pop-up requests to subscribe. But what does this mean for cybersecurity awareness? Here are two things:</p><p></p><ol style="text-align: left;"><li>Any time you find yourself assuming that a connected device or online service is well-protected, remind yourself that the organization behind that device or service is probably struggling to fill positions that involve making that assumption valid. </li><li>If you find cybersecurity interesting, there are plenty of ways you can turn that interest into a well-paid job.</li></ol><p></p><p>I will talk more about point two before the week is out. </p><p>In the meantime: <b>#BeCyberSafe</b></p></div></div><p><b>Note</b>: If you found this article interesting and/or helpful, please consider clicking the button below to <a href="https://buymeacoffee.com/stephencobb" target="_blank">buy me a coffee</a> and fuel more content like this. Thanks!</p><div><div class="separator" style="clear: both; text-align: center;"><a href="https://buymeacoffee.com/stephencobb" style="margin-left: 1em; margin-right: 1em;" target="_blank"><img alt="Button says Buy Me a Coffee, in case you feel like supporting more writing like this." 
border="0" data-original-height="37" data-original-width="170" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtKtep2KiB5toSvIKnfvA-9bynX1QkrtG_R4M8QFpETAA08co8_C7iJuhL15BPr6rTEYrARx22FeIQGnnrGgjVwoa6wHPcYmB3kBZvgNIim9LzhWH0GUAL5pjVgEi_QitCaBCy5w/s16000/bmc-button.png" /></a></div></div>Stephen Cobbhttp://www.blogger.com/profile/04204736531276318817noreply@blogger.com0tag:blogger.com,1999:blog-13370348.post-59276836136589544682020-10-27T21:00:00.279+00:002020-10-28T13:00:55.836+00:00From ransomware to blackmail: cybercrime takes a nasty, evil turn (Cybersecurity Awareness Month, Day 27)<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggH4DIeWQuGUJkljxeceZfdsv1uTPy_RggCc_Hc1pLnZsIJuQVUnZbd5clouUsupH9Dle23UI5eciWki8bHo_uppa1mCk_wUgy3otysTXK13nOXWRWzy9nSONVX4xlqd2BnNnf_A/s917/depravity.jpg" style="margin-left: 1em; margin-right: 1em;"><img alt="Criminal abuse of digital technology hits new depths of depravity with blackmail of psychotherapy patients, headline" border="0" data-original-height="243" data-original-width="917" height="128" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggH4DIeWQuGUJkljxeceZfdsv1uTPy_RggCc_Hc1pLnZsIJuQVUnZbd5clouUsupH9Dle23UI5eciWki8bHo_uppa1mCk_wUgy3otysTXK13nOXWRWzy9nSONVX4xlqd2BnNnf_A/w482-h128/depravity.jpg" width="482" /></a></div><p>We interrupt our regularly scheduled cybersecurity awareness blog post to bring you this deeply disturbing news:</p><p></p><blockquote><b>One or more criminals are trying to blackmail psychotherapy patients after gaining access to their computerized medical records from therapy sessions.</b></blockquote><p></p><p>This is not fake news. This is not an imaginary scenario. This is the state of play in cybercrime today: some truly evil person or persons threatening to leak stolen mental health records onto the Internet unless patients pay up. 
Some of the people whose records have been stolen are underaged.</p><p>I'm so angry about this I don't think I will have much more to say in today's article for Cybersecurity Awareness Month. I was going to publish something to raise awareness of the cybersecurity skills gap but am putting that off until tomorrow. </p><p>Here's what is known publicly so far: this <i>psychotherapy patient blackmail </i>incident is still evolving. An early <a href="https://www.politico.eu/article/cybercriminal-extorts-finnish-therapy-patients-in-shocking-attack-ransomware-blackmail-vastaamo/" target="_blank">report from Politico</a> provides the basic details. There are more details in this <a href="https://www.securitymagazine.com/articles/93756-hackers-are-blackmailing-vastaamo-psychotherapy-patients" target="_blank">Security Magazine article</a>, and <a href="https://www.scmagazine.com/home/security-news/data-breach/finnish-psychotherapy-center-fires-ceo-for-suppressing-breach-details/" target="_blank">SC Magazine is reporting</a> that the CEO of the psychotherapy center that was breached has been fired.</p><h2 style="text-align: left;">Who should we blame? Criminals and governments</h2><p>While firing the CEO of the organization that got breached may well be the right thing to do, the bulk of the blame for this heinous incident lies squarely on the shoulders of the person or persons who perpetrated it, and the government that failed to adequately deter this from happening to its citizens. </p><p>I am not singling out the government of Finland, where this particular incident is centered; every country in which ransomware attackers are operating and thriving has to share this blame. This is a dereliction of a government's duty to protect the people who pay it to protect them. 
</p><p>Just a few days ago I was trying to raise awareness of <a href="https://scobbs.blogspot.com/2020/10/ehr-health-data-security.html" target="_blank">What's different about health data security</a> (Cybersecurity Awareness Month, Day 22). I flagged the very real possibility of suicide triggered by the revelation of medical information, made possible by weaknesses in computer security and human ethics. That was in the context of an incident that occurred 25 years ago. </p><p>The risk of such a tragedy has not gone away. The amount of sensitive medical information stored in bits and bytes today is exponentially greater than it was a quarter of a century ago. I know from personal experience that suicide can occur in the wake of sensitive personal information being revealed. Even the possibility of such revelations can be enough to push someone to the edge.</p><p>Yesterday, I highlighted the question <i><a href="https://scobbs.blogspot.com/2020/10/future-security-awareness.html">what could possibly go wrong</a>?</i> I did so in the context of cybersecurity folks asking that question to help surface potential problems with new technology. Clearly, there are cybercriminals out there who need to think long and hard about what could possibly go wrong when they execute a ransomware attack against a medical facility. </p><p>It is hard to believe that this needs to be spelled out, but I'm going to: if the medical facility refuses to pay your ransomware demand, do not try to blackmail the patients whose records you have illegally accessed. People may die. And if that happens, the level of moral condemnation heaped upon you may well haunt you for the rest of your life. 
</p>Stephen Cobbhttp://www.blogger.com/profile/04204736531276318817noreply@blogger.com0tag:blogger.com,1999:blog-13370348.post-66713215794066559902020-10-26T18:27:00.999+00:002020-10-27T20:43:45.040+00:00Cybersecurity for our hyperconnected future (Cybersecurity Awareness Month, Day 26)<p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFgXpvUqF4KUdAAPUDn7HS-gRj5Cc3wKAzOMjtuHe9KZ4R7p9VNnHnjiv1rWkxA2Ph0juJw5IYiGF72X5U2xtPK2AlIckieJ5y-OT8Jp8diS0iq1KZ7M5XfaUtphtCVlXUC642HA/s1200/BeCyberSmart+%25282%2529.png" style="margin-left: 1em; margin-right: 1em;"><img alt="Graphic for: Do Your Part. #BeCyberSmart’, helping to empower individuals and organizations to own their role in protecting their part of cyberspace" border="0" data-original-height="675" data-original-width="1200" height="334" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFgXpvUqF4KUdAAPUDn7HS-gRj5Cc3wKAzOMjtuHe9KZ4R7p9VNnHnjiv1rWkxA2Ph0juJw5IYiGF72X5U2xtPK2AlIckieJ5y-OT8Jp8diS0iq1KZ7M5XfaUtphtCVlXUC642HA/w592-h334/BeCyberSmart+%25282%2529.png" width="592" /></a></div><p>We are now in the final week of Cybersecurity Awareness Month, 2020. The theme for this week is to look at the future of connected devices, specifically:</p><blockquote><p>"how technological innovations, such as 5G, might impact consumers’ and business’ online experiences (e.g. faster speeds and data transmission, larger attack surface for hackers), as well as how people/infrastructure can adapt to the continuous evolution of the connected devices moving forward."</p></blockquote><p>I am quoting there from the guidelines on the <a href="https://staysafeonline.org/cybersecurity-awareness-month/theme/" target="_blank">National Cybersecurity Alliance website</a>. They go on to say: "No matter what the future holds, however, every user needs to be empowered to do their part." So what does that mean in practice? 
I will try to answer that question this week, beginning with this article, written for day 26 of Cybersecurity Awareness Month.</p><p>But first, we need some context, and if you like to get your context via video, watch this short one from <a href="https://staysafeonline.org/wp-content/uploads/2020/08/Video_-Future-of-IoT-2.mp4" target="_blank">the StaySafeOnline website</a>. It makes the important point that "as technologies evolve, so will the behaviors and tactics of cyber criminals." </p><div class="separator" style="clear: both; text-align: center;"><a href="https://staysafeonline.org/wp-content/uploads/2020/08/Video_-Future-of-IoT-2.mp4" style="margin-left: 1em; margin-right: 1em;" target="_blank"><img alt="Image of temperature control app, making the important point that &quot;as technologies evolve, so will the behaviors and tactics of cyber criminals&quot;" border="0" data-original-height="604" data-original-width="1204" height="256" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjo8nV-vu7BpozYBhLV6DKxogmMLwtgnCMiyR7ufMJdIrKkgPgHfOSo674bxnb2uFZjgtK_n0wcPuNkUtrjfL8aVgwpIuG2UCwDPYOpkKnHrxg7wleosPorU2r4BH_l3Le61Tpleg/w508-h256/tech-evolves.jpg" width="508" /></a></div><p>I captured this image from the video because it suggests a cool way of researching people's attitudes to technology. First, we show our subjects a clip of this, without the text, then we ask what they saw. Most people will probably say something like: it's a person using a smartphone app to adjust the temperature of something, maybe a room somewhere. </p><p>Now we ask our subjects a second question: Assume this is a person changing the temperature of a room somewhere and give me all the reasons you can think of for doing this? 
If none of the answers involve some sort of negative reason—such as "annoying the person in that room" or "proving to the owner of the room that you have taken control of their heating system"—then I suggest that this group of subjects needs more cybersecurity awareness training.</p><p>Why do I say that? Because protecting technology from abuse requires us to think about what could possibly go wrong. In fact, <i>what could possibly go wrong</i> is something of a mantra for people working in cybersecurity. Because if you're not thinking about what could possibly go wrong with any given piece of hardware or software or combinations thereof, you're probably not going to do a good job of preventing it actually going wrong.</p><p>Of course, <i>what could possibly go wrong</i> is used in contexts other than cyber, often with a question mark. You can sometimes find the hashtag #WCPGW trending. I used it when I tweeted my response to this Apple announcement a few months ago: "The digital car key on your compatible iPhone allows you to conveniently and securely lock, unlock, and even start your BMW." I mean WCPGW!</p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMqLPDmYL2OeX9qGxE8Rtj2letJB9PczT4_CV85W5kmn_KCX-Pi7w38ZjqrAlqqgAxaUun9Iwo8aT3s2K8783y6_NgkOwVrRQ3PuX5WXFhSJViQ5Y1dvVPnBDDSDORVD5oQdd0xQ/s1020/40-tech-stack.jpg" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" data-original-height="1020" data-original-width="189" height="868" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMqLPDmYL2OeX9qGxE8Rtj2letJB9PczT4_CV85W5kmn_KCX-Pi7w38ZjqrAlqqgAxaUun9Iwo8aT3s2K8783y6_NgkOwVrRQ3PuX5WXFhSJViQ5Y1dvVPnBDDSDORVD5oQdd0xQ/w160-h868/40-tech-stack.jpg" width="160" /></a></div>That response is not me being some cynical old white dude, even though I might look like one. 
It is me being aware of dozens of examples of new technology being hailed as cool and convenient and safe, only to become yet another contributing factor in the relentless expansion of global cyberbadness (see the list of tech that I have posted on the right, about which I will have more to say later).<p></p><p>Still think it's just me being a cranky curmudgeon? Look at what happens when we Google <i>can thieves steal keyless cars</i>. Right away we see that: </p><blockquote><p>Criminals can easily steal top keyless-car models using cheap equipment that's available online ... The study looked at 237 models of cars that can be started with an electronic rather than mechanical key, and found thieves could unlock 230 of them without much difficulty. (<a href="https://fortune.com/2019/01/28/keyless-car-theft-steal/" target="_blank">Fortune, 28 Jan 2019</a>)</p></blockquote><p>Of course, technophilic tech bros may discount Fortune magazine as just a bunch of cynical old white dudes, but the facts speak for themselves, and so does the app, the one that my local police force uses to let folks know whenever a car is stolen <i>without keys</i>.</p><p>Which brings us back to cybersecurity awareness, which for millions of people now includes their keyless cars. 
If you are one of them, here are the top five security <a href="https://www.locksmiths.co.uk/faq/keyless-car-theft/" target="_blank">tips from a leading UK locksmith</a>: </p><p></p><ol style="text-align: left;"><li>Use a blocking pouch</li><li>Turn off keyless fob's wireless signal</li><li>Use a steering wheel lock or car alarm</li><li>Re-programme your keys</li><li>Park defensively</li></ol><p></p><h2 style="text-align: left;">Jackware: a case study in future threats</h2><p>Bearing all of the above in mind, you can maybe understand why, back in 2016, I tried to raise awareness of a future cyber-threat that I called <i>jackware</i>, a threat that was not "real" at the time, but one which will—I firmly believe—become real under the "right" circumstances. </p><p>Here's how I first <a href="https://scobbs.blogspot.com/2016/05/jackware-coming-soon-to-car-or-truck.html" target="">described jackware on this blog</a>: "Think of jackware as a specialized form of ransomware. With ransomware, the malicious code encrypts your documents and demands a ransom to unlock them. The goal of jackware would be to lock up a car or other piece of equipment until you pay up."</p><p>A formal definition of jackware would be: malicious software that seeks to take control of a device, the primary purpose of which is not data processing or communications, for example: your car. In my original article I said jackware would become particularly dangerous when there are more self-driving cars and vehicle-to-vehicle networks; and I suggested this nightmare scenario: </p><blockquote><p>"You're in a self-driving car. There's a drive-by infection, silent but effective. Suddenly the doors are locked with you inside. You're being driven to a destination not of your choosing. 
A voice comes on the in-car audio and calmly informs you of how much Bitcoin it's going to take to get you out of this mess.</p></blockquote><p>Not long after I wrote that, the possibility of jackware began to generate media attention, in both automotive and IT news outlets. Here are the top 10 articles that address it, only two of which were written by me: </p><p></p><ol style="text-align: left;"><li><a href="https://www.welivesecurity.com/2016/07/20/jackware-connected-cars-meet-ransomware/" target="_blank">Jackware: When connected cars meet ransomware</a></li><li><a href="https://driving.ca/auto-news/news/will-your-autonomous-self-driving-car-kidnap-you" target="_blank">Motor Mouth: Will your self-driving car kidnap you?</a></li><li><a href="https://www.caranddriver.com/news/a15344335/ransomware-the-next-big-automotive-cybersecurity-threat/" target="_blank">Ransomware: The Next Big Automotive Cybersecurity Threat?</a></li><li><a href="https://nationalpost.com/auto-news/news/will-your-autonomous-self-driving-car-kidnap-you" target="_blank">Prepare for the day when a hacker takes over your self-driving car and kidnaps you enroute</a></li><li><a href="https://www.thetruthaboutcars.com/2016/08/safe-cars-hackers/" target="_blank">How Safe Are Cars from Hackers?</a></li><li><a href="https://securitybrief.com.au/story/heard-jackware-when-connected-cars-meet-ransomware" target="_blank">Heard of Jackware? 
When connected cars meet ransomware</a></li><li><a href="https://www.welivesecurity.com/2017/05/09/jackware-hits-the-big-screen-in-fast8-fate-of-the-furious/" target="_blank">Jackware hits the big screen in #Fast8: Fate of the Furious</a></li><li><a href="http://anthillonline.com/evolution-jackware-impact-internet-things-connected-cars/" target="_blank">‘Who the hell hacked my car?’ Is jackware (ransomware for connected cars) inevitable?</a></li><li><a href="https://www.scmagazine.com/home/security-news/cybercrime/ransomware-iot-jackware-the-evolution-of-ransomware-attacks/" target="_blank">Ransomware + IoT = Jackware?: the evolution of ransomware attacks</a></li><li><a href="http://www.itechpost.com/articles/102013/20200220/why-data-security-more-important.htm" target="_blank">Why Data Security is More Important Than Ever</a></li></ol><p></p><p>As of today, the nightmare scenario that I described in 2016 has not played out in real life (assuming you don't count the Fast and Furious movies as real life). But even though the automotive industry is taking cybersecurity a lot more seriously today than it did 10 or even five years ago, nothing I have seen or heard in the last four years leads me to think jackware will never happen. </p><p>To be clear, I have been actively tracking this issue. I attended a 2018 talk by <a href="https://www.scmagazine.com/home/security-news/network-security/black-hat-usa-2018-car-hackers-miller-and-valasek-now-using-their-skills-for-good/" target="_blank">the two guys</a> who infamously hacked a <a href="https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/" target="_blank">Jeep in 2015</a>. 
I discussed the practical aspects of ransomware with several experts under Chatham House rules, including award-winning researchers at UCSD who were already alerting the automotive industry to weaknesses in vehicle computer systems back in 2010 (and have recently been <a href="https://ucsdnews.ucsd.edu/pressrelease/computer-scientists-win-test-of-time-award-for-paper-that-changed-the-auto-industry" target="_blank">recognized for their pioneering work</a>). </p><p>My point is that the technology industry has such a long history of getting security wrong—which was the point of the list shown earlier—that there has to be a presumption of failure, perhaps more kindly described as an eventual inadequacy relative to threats. That is what I was getting at when I gave this quote in Car and Driver: </p><blockquote><p>"The computer systems are designed, features are designed, products are brought to market, and people adopt them. On the other side, hackers speculate, probe, develop a proof of concept, [criminals] attack, and then finally monetize the threat."</p></blockquote><p>When you add to the equation the incredibly low probability of capture and sanction that criminals currently face when monetizing the exploitation of vulnerabilities in technology, and the abject failure of world governments—so far—when it comes to agreeing upon ethical norms in cyberspace, you can see why I am so concerned about the future of cybersecurity.</p><h2>But what can we do about this?</h2><div><div>So here we are, in the final week of Cybersecurity Awareness Month, thinking about how technological innovations might impact consumers’ and businesses’ online experiences, as well as how people and infrastructure "can adapt to the continuous evolution of the connected devices moving forward," while trying to keep in mind that "no matter what the future holds, however, every user needs to be empowered to do their part."</div></div><div><br /></div><div><table cellpadding="0" cellspacing="0" 
class="tr-caption-container" style="float: right;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAoikkZWv_3DEDrrA7KWXVg1_1hmnRykU9BNnxaSG_Rj2UFYCXeHRa5J0EBHyETAZLfrX31ebhDBerbxcAMl9rME7yiOGngkmIVrLK6QwaBH7sAzwcpMzIuipyfpnAKNup5g7jiA/s440/blocking-pouch.jpg" style="clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" data-original-height="440" data-original-width="280" height="296" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAoikkZWv_3DEDrrA7KWXVg1_1hmnRykU9BNnxaSG_Rj2UFYCXeHRa5J0EBHyETAZLfrX31ebhDBerbxcAMl9rME7yiOGngkmIVrLK6QwaBH7sAzwcpMzIuipyfpnAKNup5g7jiA/w189-h296/blocking-pouch.jpg" width="189" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;"><span style="font-size: x-small;">Keyless Fob Pouch<br />6,648 reviews, 4.5 stars</span> <span style="font-size: x-small;"><br />Amazon UK</span></td></tr></tbody></table>We've looked at some technologies—such as keyless cars and self-driving cars—that are advancing and spreading rapidly, while at the same time introducing new security challenges. We've even noted several individually empowering security tips, like keeping your keyless car fob in a blocking pouch. Another tip might be to only buy those cars that have the least hackable features. But somehow I don't see steps like that holding back the rising tide of hackable connected devices on our planet and in our lives. </div><div><br /></div><div>One 2019 report projects that the number of connected IoT devices will be <a href="https://www.prnewswire.com/news-releases/global-iot-market-will-grow-to-24-1-billion-devices-in-2030--generating-1-5-trillion-annual-revenue-301061873.html" target="_blank">24 billion by 2030</a>. 
If you add up both "normal computers" and IoT devices, that number probably passed <a href="https://www.helpnetsecurity.com/2019/05/23/connected-devices-growth/" target="_blank">22 billion total during 2018</a>. That works out to just under three connected devices per woman, child, and man. </div><div><br /></div><div>The UN reckons humans will number 8.5 billion by 2030. That means there could be six connected devices per every one of them by the early thirties (that 2019 report predicts there will be 50 billion such devices by 2030). </div><div><br /></div><div>Now consider the predictions about 5G growth. If those are correct, most of those 50 billion devices will be connecting at very high speeds, from just about everywhere. Stated bluntly, if governments and technology companies don't step up, a decade from now we will have more crime, way faster, in way more places, affecting way more people. </div><div><br /></div><div>So how do we get governments and technology companies to step up? We can start by reaching out to them and letting them know how concerned we are. I will offer some suggestions along those lines before the end of the month. For now I will just note that there are many ways in which technology itself can help with this outreach, for example, by making it very easy to contact <a href="https://democracy.io" target="_blank">representatives in the US</a> and just about any <a href="https://www.writetothem.com/" target="_blank">elected official in the UK</a>.</div><div><br /></div><div>P.S. 
Remember, whenever we vote to elect representatives, we can vote for those most likely to take cybersecurity as seriously as it needs to be taken.</div><p><b>#BeCyberSmart</b></p>Stephen Cobbhttp://www.blogger.com/profile/04204736531276318817noreply@blogger.com0tag:blogger.com,1999:blog-13370348.post-80244275910111047252020-10-25T11:55:00.112+00:002020-10-26T21:28:04.628+00:00Time and awareness and other security musings (Cybersecurity Awareness Month, Day 25)<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHnyMM0s_hYJdyNqVIbPm_eifpMnw5jozXzsukd_ALe94luCMWz2FVl9rcvzilP0QtOv5ULyI75m2JQ79K2jNNeKRF9pHGjplWlD40JsfVQJ1Cud6MqBISHD9M5dCR3AYuKohvWQ/s1200/October+%25282%2529.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="675" data-original-width="1200" height="304" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHnyMM0s_hYJdyNqVIbPm_eifpMnw5jozXzsukd_ALe94luCMWz2FVl9rcvzilP0QtOv5ULyI75m2JQ79K2jNNeKRF9pHGjplWlD40JsfVQJ1Cud6MqBISHD9M5dCR3AYuKohvWQ/w541-h304/October+%25282%2529.png" width="541" /></a></div><p>Because October is the designated month for cybersecurity awareness, and because this year is 2020, that means the 25th day of the month is a Sunday. So today's security awareness blog post will be less like a workday call to action, and more like a meditation on <i>time</i> as it relates to <i>security</i>.</p><p>You see, this is not just any Sunday, it's the one that may seem longer than the others, the one on which, during the wee hours of the morning, the clocks go back one hour, marking the end of Daylight Saving Time in many countries, but not all. Folks in many parts of North America will have to wait another week for their "extra" hour. 
</p><p>For everything you ever wanted to know about Daylight Saving Time, including where and when it happens in every country of the world, <a href="https://www.timeanddate.com/time/dst/2020.html" target="_blank">check out this page</a>. And if you are one of the many people who will be holding international conference calls and Zoom meetings next week, check out this cool page for <a href="https://www.timeanddate.com/worldclock/meeting.html" target="_blank">coordinating the timing of events across time zones</a>. </p><p>But what, you may well ask, have time and timing got to do with cybersecurity? </p><p><b>A LOT! </b></p><p>That would certainly be the answer if you asked my good friend Winn Schwartau "what does time have to do with security?" (and Winn often speaks like <b>THAT</b>.) Indeed, Winn wrote a whole book about this very question; it's called <a href="https://www.amazon.com/Time-Based-Security-Winn-Schwartau/dp/0962870048">Time Based Security</a> (1999). And while you can still buy a copy on Amazon, it is also <a href="https://winnschwartau.com/wp-content/uploads/2019/06/TimeBasedSecurity.pdf" target="_blank">available from Winn as a PDF</a> (a gesture that other noted security "mavens" have made with their earlier works, as you can see from the upper right of the web page you are reading now).</p><p>You can think of time-based security like this: the longer it takes a burglar to break into your house, the greater the chances that:</p><p></p><ul style="text-align: left;"><li>the burglar will give up and move on to another house</li><li>the burglar will be spotted by a neighbor or security camera</li><li>your stuff will not be stolen</li></ul><p></p><div>Time also matters if you hear someone trying to break into your house and call the police. The less time they take to respond, the greater the chances the burglar will be apprehended. 
So, if you substitute network and cybercriminal for burglar and house you can see that Time Based Security makes a lot of sense, even before you dig deeper, which Winn does in the book.</div><div><br /></div><div>The goal is to give cybersecurity professionals: "a process methodology by which a security practitioner can quantifiably test and measure the effectiveness of security in enterprise and inter-enterprise environments." The book also lays out: "a quantifiable framework so that the security professional and management can make informed decisions as to where to smartly invest their security budget dollars."</div><div><br /></div><div>But what if you're not a security professional or IT manager? Why is time an important factor in cybersecurity awareness for the general populace, all of whom are now, in one way or another, interacting with computers? </div><div><br /></div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhlAuTW8FCtvg5D9TIFdwhtPSR06N8-k1x-YgEPUdmfmM_M1tIffWEmEDktMuw_Yxo2IRv1ysm4X0ND70hxSknk7tWZtPWtKbiinCkuoncv7V6DRHakuQV6ambKcA9vC9f90v2XWQ/s567/tv-license-scam1.jpg" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" data-original-height="508" data-original-width="567" height="331" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhlAuTW8FCtvg5D9TIFdwhtPSR06N8-k1x-YgEPUdmfmM_M1tIffWEmEDktMuw_Yxo2IRv1ysm4X0ND70hxSknk7tWZtPWtKbiinCkuoncv7V6DRHakuQV6ambKcA9vC9f90v2XWQ/w369-h331/tv-license-scam1.jpg" width="369" /></a></div>Let me give you an example: when my mum gets an email that she thinks is a scam she forwards it to me. The one shown here is an attempt to scare recipients into clicking on a link to "update their details," in other words gather information, such as account numbers and passwords. 
</div><div><br /></div><div>The fear factor leverages the fact that every household in the UK that watches broadcast television is required to have a TV license (the fees from which fund commercial-free television programs from the BBC). However, my mum immediately spotted the false claim that she missed a payment on her TV license, because she doesn't have to pay! (An exemption based on her age.)</div><div><br /></div><div>When mum sends me something like this, I notify the malware analysts at ESET and they immediately make sure it is blocked by ESET security software. If they have not seen this particular scam email before, they let me know. In the last few years, my mum has supplied ESET with several "first seen" scam messages. Clearly, the speed with which one person—in this case a retired English teacher in her nineties—can identify a cyber threat has the potential to make a difference for millions of other people.</div><h2 style="text-align: left;">Time for some spam</h2><div>Remember, Time Based Security was published in 1999, clearly ahead of its time, but also at a time when I was seriously distracted by spam, unwanted mass emails that were a particularly serious problem in the late nineties because a) they were not illegal at that time, and b) organizations were struggling to prevent spam traffic overwhelming email systems and networks. As part of my research back then I was collecting spam, purposefully receiving any and all email sent to any address at one of the Internet domains that I owned, even if that address did not exist.</div><div><br /></div><div>To make a long story short, when some friends and I founded a company to address the spam problem, I used my analysis of that collection of spam to prove that delaying spam delivery would be very painful for spammers. One of those friends, a person with amazing network skills, devised a way for organizations to slow down incoming spam. 
This led to several patents and the development of a very successful product which was eventually acquired by Symantec, due in part to customer testimonials like this: "Thanks to your product, we were able to reduce the number of email servers from four to one, saving us a ton of money." </div><h2 style="text-align: left;">End times</h2><p>Sadly, I'm running out of blogging time this Sunday, so I need to wrap this up and bring it back around to the beginning (cue theme <a href="https://www.youtube.com/watch?v=Z2TyzFBt0mQ&feature=youtu.be&t=86" target="_blank">song from Bron/Broen</a>, the original TV series The Bridge, about 1 minute and 26 seconds in). </p><p>I won't go all the way back to the beginning of time, or even the beginning of Daylight Saving Time, the topic with which I began. And I won't get into agents of the apocalypse, which really is a topic that I covered in my recent conference talk: <a href="https://youtu.be/4vpK2xsb4-A" target="_blank">How Hackers Save Humanity - a cautionary tale</a>.</p><p>But I do want to go back 15 years to the time when America broke the DST norms, namely 2005. That is the year "George W. Bush Ruined Daylight Saving Time" according to this <a href="https://newrepublic.com/article/79023/roll-back-the-bush-changes-daylight-saving-time" target="_blank">very enjoyable 2010 article</a>. In effect, the president broke the DST norm, putting America out of step with many of the countries with which it does business. </p><p>Apparently, "the rationale for the new daylight savings calendar was that it would reduce energy use by encouraging people to use less electric light," but as the author of the article points out, that was a poorly tested assumption. The result has been the addition of two periods of annoyance and confusion each year, with no serious reduction in energy consumption (numerous serious proposals for which were on the table in 2005, but were rejected by Bush and the Republicans). 
</p><p>As you might know, if you read the article from Day 23, I am a big believer in norms if they are universally agreed and enforced for the common good. For example, it would be great if all humans could embrace a norm like this: "thou shalt not access, use, or abuse someone else's device or data without their permission." </p><p>So how about this: the first president of the United States who negotiates a global commitment to establishing and enforcing that norm gets to decide when DST begins and ends?</p><p><b>#BeCyberSmart</b></p>Stephen Cobbhttp://www.blogger.com/profile/04204736531276318817noreply@blogger.com0tag:blogger.com,1999:blog-13370348.post-64569298420716126402020-10-24T15:00:00.472+00:002020-10-26T21:47:30.840+00:00Cybersecurity resources for your modestly-sized business (Cybersecurity Awareness Month, Day 24)<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzpZh-xviRhmjoh0EphE2kkitUnDvZDB2NJo2-n7o5-Nl6hxyhfedQ6_DONYI-m7vjeQJOJ-lzWX6932RliAGwatEUEv70078ZoDjntjrhTrOEZdlWxl3C3YhhSxv3zfZs108QYw/s1080/SMB-cybersecurity.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="595" data-original-width="1080" height="303" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzpZh-xviRhmjoh0EphE2kkitUnDvZDB2NJo2-n7o5-Nl6hxyhfedQ6_DONYI-m7vjeQJOJ-lzWX6932RliAGwatEUEv70078ZoDjntjrhTrOEZdlWxl3C3YhhSxv3zfZs108QYw/w550-h303/SMB-cybersecurity.jpg" width="550" /></a></div><p>This year, 2020, the 24th day of Cybersecurity Awareness Month is a Saturday. For many smaller businesses, like retailers and restaurateurs, Saturdays can be very busy workdays. For others, like accountants and lawyers, Saturday may be a quiet day, or a day to catch up on things. 
</p><p>In my case, speaking as a one-person business, I'm using today to catch up on the business of posting one cybersecurity article every day of this month (something I pledged to do for reasons that I hope to explain by the end of the month, if I have any words left). </p><p>My strategy today is this: provide helpful cybersecurity advice for smaller firms by drawing on work that's been published before and/or by other people. That way I may still get out of my study in time for the curry that's being delivered for dinner tonight, while providing some genuinely helpful security resources for the smaller business.</p><p>A great place to start if your modestly-sized business wants to learn how to be safer and more secure online is <a href="https://staysafeonline.org/cybersecure-business/" target="_blank">CyberSecure My Business</a>, a national program coordinated and funded through the National Cyber Security Alliance. Another good starting place might be to review the basic steps that I have mapped out below.</p><p>(Note that I am using the term "smaller businesses" because there seems to be no general consensus on what constitutes a small business. I tend to think anywhere from 1 to 100 employees is "small" but you can still meet the US Small Business Administration definition of small business if you have up to 1,500 employees and under $38.5 million in average annual receipts. To my mind that encompasses a lot of companies that I think of as medium in size, hence the widespread use of the more flexible term <i>Small to Medium Business </i>(SMB). 
In the UK, the preferred term is <i>Small to Medium Enterprise </i>and your firm is an SME if it meets two out of three criteria: a turnover of less than £25m, fewer than 250 employees, or gross assets of less than £12.5m.)</p><h2 style="text-align: left;">A cybersecurity roadmap for the smaller business</h2><p>The task of securing your business against cybercriminals can seem daunting, particularly if your business is of modest size, the kind of place that does not have a crack team of cybersecurity experts on staff. But small size and a strained budget do not mean that you should avoid addressing the challenges of cybersecurity and the very real risk to your business that the rising tide of cybercrime presents. Fortunately, the problem becomes more manageable if you break it down into a series of steps. </p><p>The following six-step program or roadmap can get you started. It is helpfully constructed so that the steps are alphabetically named, A through F:</p><p></p><ul><li>Assess your assets, risks, resources</li><li>Build your policy</li><li>Choose your controls</li><li>Deploy the controls</li><li>Educate employees, execs, vendors</li><li>Further assess, audit, test</li></ul><p></p><p>Bear in mind that defending your organization against cybercriminals is not a project, it is a process, one that should be ongoing. Too often we see organizations suffer a data breach these days because the security measures they put in place a few years ago have not been updated, leaving newer aspects of their digital activities undefended. This means it is not a case of doing A through F and you're done. 
You will need to keep going:</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjuWwvDvFG54hH2HjfbTz1eyVAt_bz76DJKBU8QODFL6yIT8Hea3lsJVJVdXzDJFJ53MhnO2-13aNxfWJXnciwrwpyGsRlXlqKbmTxvGzKmGClVbKKNU3muOuQaGwGH0PUP-TpWSA/s956/security-cycle-abcdef.jpg" style="margin-left: 1em; margin-right: 1em;"><img alt="Graphic illustrating that defending your organization against cybercriminals is not a project, it is a process that gets repeated" border="0" data-original-height="226" data-original-width="956" height="113" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjuWwvDvFG54hH2HjfbTz1eyVAt_bz76DJKBU8QODFL6yIT8Hea3lsJVJVdXzDJFJ53MhnO2-13aNxfWJXnciwrwpyGsRlXlqKbmTxvGzKmGClVbKKNU3muOuQaGwGH0PUP-TpWSA/w479-h113/security-cycle-abcdef.jpg" width="479" /></a></div><p><b>A: Assess assets, risks, resources</b></p><p>The first step in this process is to take stock. What kinds of information does your organization handle? How valuable is it? What threats exist? What resources do you have to counter those threats?</p><p><b><i>Catalog assets: digital, physical</i></b></p><p>If you don’t know what you’ve got, you can’t protect it. List out the data that makes your organization tick and the systems that process it. (I assume you already have an inventory system for tracking all company computers, routers, access points, tablets, printers, scanners, computer-controlled machines, IoT devices, etc.)</p><p>Be sure to include the systems receiving data and outputting data as well as those that process and store it. For example, if your company depends on a central database of clients and their orders it is possible to focus on that as your main digital asset, and feel fairly secure because it resides on a well-protected server in a locked room or in a private cloud. 
But connections in and out of that database may come from a wide range of devices that are beyond your physical control (and bear in mind that some of the most valuable data may exist in highlights, summaries, and attachments emailed between executives). You need to catalog those connections.</p><p><b><i>Calculate risk</i></b></p><p>You need to answer this question: What are the main threats to your data and systems? Try stating these in terms of actors, actions, assets, attributes, and motives, where the attribute is the security property of the asset that gets compromised: its confidentiality, integrity, or availability. For example, criminals (actors) might gain remote access (action) to your server (asset) to encrypt the files on it (attribute: availability) to extort money from you in return for the key to unlock those files (motive). </p><p>But don't just think of money-seeking attacks; for example, people who don't like your construction company's use of imported timber (actors) might attack (action) your website (asset) to prevent you taking orders (attribute: availability) to make a point (motive).</p><p>This type of breakdown is used in the annual Verizon Data Breach Investigations Report (DBIR), which provides a solid background to internal discussions about risks because it is based on recent, real world attacks. You can <a href="https://enterprise.verizon.com/en-gb/resources/reports/dbir/" target="_blank">download the 2020 DBIR here</a>. The action categories are: Malware, Hacking, Social engineering, Misuse, Physical, Error, and Environmental. The motives are Financial, Espionage, Activism, and Other. These are handy schemas to use when performing your review of the risks faced by your organization.</p><p><b><i>List resources</i></b></p><p>After cataloging all the digital assets that you need to protect, and reviewing the threats ranged against them, you can feel overwhelmed, so it is time to take heart and list out the resources you have the potential to tap as you swing into action. 
These can range from current employees with cybersecurity skills to consultants recommended by friends, partners, and trusted vendors. You may be able to get help from trade associations, local business groups, even the federal government. </p><p><b>Build your policy</b></p><p>The only sustainable approach to cybersecurity begins with, and depends on, good policy (that is the consensus opinion of information security professionals, myself included). Ideally, policy begins with top-level buy-in and flows naturally from there. Your organization needs a high-level commitment to protecting the privacy and security of all data handled by the organization. For example:</p><blockquote><p style="text-align: left;">We declare that it is the official policy of Acme Enterprises that information, in all its forms, written, spoken, recorded electronically or printed, will be protected from accidental or intentional unauthorized modification, disclosure, or destruction throughout its life cycle. </p></blockquote><p>From this flow policies on specifics. For example:</p><blockquote><p>Customer information access policy: Access to customer information stored on the company network shall be restricted to those employees who need the information to perform their assigned duties.</p></blockquote><p>You implement this policy through controls, which we discuss in a moment. First, I want to stress that for many companies, information security policy is not optional, no matter how small the business. I'm not just talking about legal requirements to have policy, which exist in areas such as health and financial data. </p><p>I'm talking about the need to have such policies in place in order to close deals. These days it is not unusual for a company that you want as a client to want you to have security policies. 
For many years now, some companies have required potential suppliers to comply with requirements like this:</p><blockquote><p>Vendor must have a written policy, approved by its management, that addresses information security, states its management commitment to security, and defines the approach to managing information security.</p></blockquote><p>In other words: you don't get to be one of their approved vendors if you don't have written and defined information security policies. (That is actual language presented as part of contract negotiations between a small software company and a large, well-known retailer.)</p><p><b>Choose the controls to enforce your policies</b></p><p>Information system security professionals use the term "controls" for those mechanisms by which policies are enforced. For example, if policy states that only authorized employees can access certain data, a suitable control might be:</p><p></p><ul style="text-align: left;"><li>Limit access to specific data to specified individuals by requiring employees to identify and authenticate themselves to the system.</li></ul>That's a high level description of the control. You will need to get more specific as you move toward selection of actual controls, for example:<br /><ul style="text-align: left;"><li>Require identification and authentication of all employees via unique credentials (e.g. user name and password).</li><li>Forbid the sharing of user credentials.</li><li>Log all access to data by unique identifier.</li><li>Periodically review logs and investigate anomalies.</li></ul><p></p><p>Spelling out the controls will help you identify any new products you may need, bearing in mind that there may be suitable security features available in products you already use. 
For example, if policy states that sensitive data shall not be emailed outside the organization in clear text, the control to apply, encryption of documents, may be accomplished through the document password protection features in products like Microsoft Office and Adobe Acrobat. (Note: I'm not saying that is strong enough for very sensitive data, but it does make intercepted documents a lot harder to read than ones that are not encrypted. Two things make or break this control: the password must be a strong one, and it must reach the recipient by a different channel than the email carrying the document, otherwise anyone who intercepts the message gets both.)</p><p><b>Deploy and test controls</b></p><p>Putting controls in place is the deployment phase but this also includes part of the next phase, education. For example, when you roll out a control like unique user IDs and passwords you will need to educate users about why this is happening and how it works (in this example, that process should include explaining what constitutes a strong password—<a href="https://scobbs.blogspot.com/2020/10/passwords-and-authentication.html" target="_blank">see Day 19 for tips on that</a>). You will also need to test as you deploy, to make sure that the controls are working.</p><p>A phased approach to roll out often works better because you can identify problems and find solutions while scale is still limited. Rolling out to more experienced users first is a good way to get initial feedback and improve messaging to be used with the wider population (bearing in mind that some things which experienced users already know may nevertheless need to be explained to the general user population).</p><p>When testing a control, you need to make sure that it works technically, but also that it "works" with your work, that is, does not impose too great a burden on employees or processes.</p><p><b>Educate employees, execs, vendors, partners</b></p><p>Security education is too often the neglected step in cybersecurity. 
In my opinion, for your cybersecurity efforts to be as successful as they can be, everyone needs to know and understand:</p><p></p><ul><li>What the organization's cybersecurity policies are.</li><li>How to comply with them through proper use of controls.</li><li>Why compliance is important.</li><li>The consequences of failure to comply.</li></ul><p></p><p>Your goal should be a "security aware workforce" that is self-policing. In other words, employees are empowered to say "No" to practices that are risky and report them to management (even if the persons engaged in unsafe cyber-practices are management).</p><p>In terms of consequences, there is no need to sound overly-draconian but calmly point out that a breach of security could be very bad news for the organization and even threaten its continued operation, including employment.</p><p>Two areas of education you don't want to skimp on are executives (who may feel they are above being educated about security) and partners, vendors, even clients. In fact, any data-sharing relationship should be encompassed in policies, controls, and security awareness education.</p><p><b>Further assess, audit, test…</b></p><p>Step F on the road map is by no means the end of the line, in fact, it is a reminder that this process continues. Once policies and controls are in place and education is under way, it is time to re-assess security, by testing and auditing. You can do some of this in-house but you may also want to engage an outside entity to get an objective perspective on your efforts so far.</p><p>Best practice is to have a plan to assess security on a periodic basis and adjust defenses accordingly. Even when there is no audit scheduled, you will want to stay up-to-date on emerging threats and adjust your controls accordingly. For example, just a few years ago it was unusual to see password-guessing attacks against Remote Desktop Protocol (RDP) on small business servers, but today they are happening a lot. 
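As an added example (not from the original post, and not code from any book or product mentioned here), the short Python script below shows what "log all access by unique identifier" and "periodically review logs and investigate anomalies" from step C look like in practice, applied to the RDP trend just described. It reads a constructed, made-up logon log in an assumed format (timestamp, user, source address, success or failure) and flags two patterns: one user ID succeeding from two different addresses within a short window, which is either credential sharing or a stolen password, and a burst of failed logons from a single address followed by a success, which is the shape of a password-guessing attack that worked. The log format, the thresholds and the time windows are all assumptions; adapt them to whatever your server actually records.

```python
"""Review constructed logon records for shared credentials and brute-force logons.

Assumed log format, one event per line (this is not any real product's format):
    <ISO-8601 timestamp> <user> <source IP> <success|failure>
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log for illustration only: alice's ID is used from two
# networks two minutes apart, and 198.51.100.7 guesses passwords until bob's works.
SAMPLE_LOG = """
2020-10-24T08:58:10 alice 10.0.0.12 success
2020-10-24T09:00:10 alice 203.0.113.9 success
2020-10-24T09:01:00 bob 10.0.0.15 success
2020-10-24T09:02:01 administrator 198.51.100.7 failure
2020-10-24T09:02:03 administrator 198.51.100.7 failure
2020-10-24T09:02:05 admin 198.51.100.7 failure
2020-10-24T09:02:07 administrator 198.51.100.7 failure
2020-10-24T09:02:09 bob 198.51.100.7 failure
2020-10-24T09:02:12 bob 198.51.100.7 success
2020-10-24T17:30:00 bob 10.0.0.15 success
"""


def parse_log(text):
    """Turn the assumed line format into event dicts, sorted oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, src, outcome = line.split()
        events.append({"time": datetime.fromisoformat(ts), "user": user,
                       "src": src, "ok": outcome == "success"})
    events.sort(key=lambda e: e["time"])
    return events


def find_shared_credentials(events, window=timedelta(minutes=10)):
    """Map each user ID that logged in from two or more addresses inside `window`
    to the set of addresses involved. Policy forbids sharing credentials, so
    every hit is either sharing or a password in someone else's hands."""
    recent = defaultdict(deque)  # user -> (time, src) of recent successes
    flagged = {}
    for e in events:
        if not e["ok"]:
            continue
        q = recent[e["user"]]
        while q and e["time"] - q[0][0] > window:   # drop successes outside window
            q.popleft()
        other_sources = {src for _, src in q if src != e["src"]}
        if other_sources:
            flagged.setdefault(e["user"], set()).update(other_sources | {e["src"]})
        q.append((e["time"], e["src"]))
    return flagged


def find_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Return (addresses with >= threshold failures inside `window`,
    list of (src, user, time) successes from such an address afterwards).
    A success after the burst is the case to investigate first."""
    failures = defaultdict(deque)  # src -> times of recent failures
    flagged = set()
    success_after = []
    for e in events:
        if e["ok"]:
            if e["src"] in flagged:
                success_after.append((e["src"], e["user"], e["time"]))
            continue
        q = failures[e["src"]]
        while q and e["time"] - q[0] > window:
            q.popleft()
        q.append(e["time"])
        if len(q) >= threshold:
            flagged.add(e["src"])
    return flagged, success_after


def review(text):
    """Run both checks over a log and return the findings in one dict."""
    events = parse_log(text)
    brute, success_after = find_bruteforce(events)
    return {"shared_credentials": find_shared_credentials(events),
            "bruteforce_sources": brute,
            "success_after_bruteforce": success_after}


if __name__ == "__main__":
    for finding, detail in review(SAMPLE_LOG).items():
        print(f"{finding}: {detail}")
```

On the sample, alice is flagged for two addresses two minutes apart, 198.51.100.7 is flagged after its fifth failure, and bob's success from that address a few seconds later is the one to act on first (reset the password, check what that session did). The same logic runs unchanged over a real export once `parse_log` is adapted to the server's own format; the point is that the "review logs" control only has teeth if someone, or something, actually looks for these shapes on a schedule.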
(See this <a href="https://www.infosecurity-magazine.com/news/pandemic-bruteforce-rdp-attacks/" target="_blank">article to learn what an RDP attack is</a>.) This means you may need to pay more attention to the security of your remotely accessed servers than you have been accustomed to doing. How would you know this is a trend? One way is to subscribe to good security websites, like <a href="https://www.darkreading.com/" target="_blank">Dark Reading</a>, <a href="https://www.infosecurity-magazine.com/" target="_blank">Infosecurity Magazine</a>, <a href="https://grahamcluley.com/">Graham Cluley</a>, <a href="https://krebsonsecurity.com/" target="_blank">Krebs on Security</a>, and <a href="https://www.welivesecurity.com/" target="_blank">We Live Security</a>. </p><p>You should also be alert to changes in your systems and connections to your data. For example, there are security implications whenever you establish new vendor relationships, create new partnerships, and design new digital marketing initiatives. The departure of an employee is another event that requires security attention, making sure that access to data and systems is terminated appropriately.</p><p><b>Cybersecurity checklist</b></p><p>Yes, there is a lot to think about when tackling cybersecurity for your organization. 
Here are some high points you don't want to miss: </p><p></p><ul style="text-align: left;"><li>Do you know what data you are handling?</li><li>Do your employees understand their duty to protect the data?</li><li>Have you given them the tools to work with?</li><li>Can you tie all data access to specific people, times and devices?</li><li>Have you off-loaded security to someone else?</li><ul><li>Managed service provider</li><li>Private cloud provider</li><li>Public cloud provider</li></ul><li>Be sure you understand the contract</li><ul><li>You can’t off-load your liability</li><li>Ask how security is handled, what assurances are given</li></ul></ul><p></p><p><b>Cybersecurity resources and a sweet diagram</b></p><p>If you are still wondering if cybersecurity is a big deal for smaller businesses, or if you are convinced it is, but you need to persuade someone else, try using this diagram that I came up with some years ago while I was working at ESET: </p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZUPWwMR-FEWVLM-6k0BH_y2jTXAzv6OXEhLbtnMyo96Ninhks0ez4xEQFXLuxwJbqt411LPAXmnfwAs0DLe1ieVuyoELVPf4I6pMKmdhisAl-V_R2LB1904QAldpa34T6B86qsw/s862/smb-sweetspot.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="475" data-original-width="862" height="266" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZUPWwMR-FEWVLM-6k0BH_y2jTXAzv6OXEhLbtnMyo96Ninhks0ez4xEQFXLuxwJbqt411LPAXmnfwAs0DLe1ieVuyoELVPf4I6pMKmdhisAl-V_R2LB1904QAldpa34T6B86qsw/w483-h266/smb-sweetspot.jpg" width="483" /></a></div>(This diagram illustrates the "SMB sweet spot" as seen from a cybercriminal perspective. While many smaller firms have lower levels of cybersecurity protection, they may well handle enough money and digital assets to be worth attacking. 
For example, a small construction firm may think of itself as too small to attack because each year it only shows a small profit, yet during the year it may handle large amounts of money from different sources to fund projects.)<p></p><p>For further learning and assistance here are some more resources, some in the form of PDF files:</p><p></p><ul><li><a href="https://transition.fcc.gov/cyber/cyberplanner.pdf" target="_blank">FCC Cyber Security Planning Guide</a> (PDF)</li><li><a href="https://www.sans.org/critical-security-controls" target="_blank">Critical Controls for Effective Cyber Defense from SANS</a></li><li><a href="https://www.cisecurity.org/controls/cis-controls-list/" target="_blank">The website for the CIS 20 Critical Security Controls</a> </li><li><a href="https://www.welivesecurity.com/wp-content/uploads/2013/02/RSA2013-Cobb-ESET-Briefing.pdf" target="_blank">The SMB Cyber Security Survival Guide</a> (slides of road map as a PDF)</li><li><a href="https://www.darkreading.com/" target="_blank">Dark Reading</a> - sign up for email updates</li><li><a href="https://grahamcluley.com/">Graham Cluley</a> - sign up for email updates</li><li><a href="https://krebsonsecurity.com/" target="_blank">Krebs on Security</a> - sign up for email updates</li><li><a href="https://www.welivesecurity.com/" target="_blank">We Live Security</a> - sign up for email updates</li><li><a href="https://www.amazon.com/Creating-Small-Business-Cybersecurity-Program-ebook/dp/B08C2GFFBY" target="_blank">Creating a Small Business Cybersecurity Program</a> (book worth buying, see review below)</li></ul><h2 style="text-align: left;">Creating a Small Business Cybersecurity Program</h2><p>There's a very helpful book that I've been recommending lately called <i>Creating a Small Business Cybersecurity Program</i>. It was published earlier this year, authored by Alan Watkins and edited by Bill Bonney. 
These gentlemen are two security experts that I had the pleasure of working with in San Diego, and this book is a great cybersecurity resource if you are a small organization (say 25 to 500 people). Indeed, any organization looking to take a structured approach to meeting the security and privacy challenges created by the digital information systems—on which business, consumers, and governments now rely—will find this book a solid place from which to start, and from which to build. </p><p>The current trend lines for both cybercrime and technology dependence point sharply upwards. Every entity in every sector—business, non-profit, education, government—needs a cybersecurity program if it hopes to manage and survive the many risks that these trends create. The approach that Alan takes to creating that cybersecurity program is based on his decades of experience in the field. The book is practical, the concepts and strategies are clearly articulated. Alan is thorough without being overwhelming. Based on sound theories developed through decades of work in the field, this book is a generous source of knowledge, advice, ideas, resources, examples, and links to many more.</p><p>In my experience, protecting your digital assets is not about buying the latest and greatest security products. It’s about properly deploying the right products for the cybersecurity program that’s right for your organization. While Alan does point to suitable products, his focus is on making sure you have the right plan, the necessary policies, and the appropriate controls to guide the purchasing decisions you make.</p><p>A long time ago I wrote one of the first books about the security of computers used by small businesses, so I am keenly aware that the task of distilling cybersecurity advice into a readable work of a manageable scale is far from easy—and much harder than it was back then. 
So my hat is off to Alan, and his skillful editor Bill Bonney, for creating a much needed book that was hard to write but easy to use.</p><p>And as someone who has given talks and presentations on cybersecurity to hundreds of small organizations, the question I’ve been asked the most, a question I frankly dread, is: “where do I even start?” Now I have a ready answer: read <i>Creating a Small Business Cybersecurity Program </i>by Alan Watkins.</p><p><b>#BeCyberSmart</b></p><p></p>Stephen Cobbhttp://www.blogger.com/profile/04204736531276318817noreply@blogger.com0tag:blogger.com,1999:blog-13370348.post-75858568236938952522020-10-23T13:00:00.571+00:002020-10-25T15:06:28.084+00:00Facing the challenge of protecting health data from abuse (Cybersecurity Awareness Month, Day 23)<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6Xoxngam56VsXyAr6aCJ3dRD2iPjpAoiu15Vigqu74eV01TRsSMZh88Nbt2om4qinkZ1Lls5D2KF-WZ-S3TLroh81KpiD7HavWV53b4ZyJbCLjiFjG4QP53kyZBGnkwRSDBGcdA/s1200/October.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="675" data-original-width="1200" height="305" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6Xoxngam56VsXyAr6aCJ3dRD2iPjpAoiu15Vigqu74eV01TRsSMZh88Nbt2om4qinkZ1Lls5D2KF-WZ-S3TLroh81KpiD7HavWV53b4ZyJbCLjiFjG4QP53kyZBGnkwRSDBGcdA/w541-h305/October.png" width="541" /></a></div><p>On this, the 23rd day of Cybersecurity Awareness Month, it's time to acknowledge something that is both sad and true: cybersecurity awareness sometimes means accepting that some of the things that we enjoy a lot may not do us a lot of good. It's a bit like pumpkin spice lattes: I really enjoy drinking them, but doing so is not particularly good for me, and the science strongly suggests that drinking a lot of them is bad for me. 
</p><p>Likewise, I really enjoy sharing information about myself, but I need to do so carefully in order to minimize certain risks. For example, I should probably think twice about sharing on social media the fact that I really like using the Acme Patient Portal App for Android; and maybe think three times if I've also been sharing lots of pictures of our new cat Nadia while using her name as my password on that portal, and all my other accounts. </p><p>In <a href="https://scobbs.blogspot.com/2020/10/ehr-health-data-security.html">yesterday's blog post</a> I talked about how serious the threats to health information have become now that so much of it is stored on, processed by, and communicated between, digital devices, things that now range from wearable tracking devices to mainframe computers and huge server farms "in the cloud." </p><p>While most people would argue that this massive digitization of medical data is not wrong in itself, criminologists like myself would argue that abuse of this new reality for selfish ends is inevitable, particularly if the data is not protected at all times by "effective guardians" (a term we <a href="https://scobbs.blogspot.com/2020/10/cyber-situational-crime-prevention.html">talked about on Day 7</a>). </p><p>Unfortunately, the mass digitization of medical data has been occurring at the same time as an explosion in the number of points at which "bad actors" can attack the systems processing the data, the so-called <i>attack vectors </i>that I referred to on Day 9 (<a href="https://scobbs.blogspot.com/2020/10/digital-device-security.html">The Internet of Things to Get Smart About</a>). The rapid adoption of everything from tablets to smartphones to connected watches and health trackers is expanding the <i>attack surface</i>, the amount of digital territory that needs to be monitored and defended. 
</p><p>Some years ago I started diagramming this for folks in healthcare, and while it's not the prettiest picture I've ever drawn, I think this one does convey how complex all of these developments have made the task of maintaining cybersecurity: </p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgtqBKdQ5TCEvgB2L7ZPf3VprX5sa1vhbN2NLkl2r9dBzy4nO0U0DLWzDXj2IWMhBNK7BVAu2G-sEQqZlOT3BwF3JFTqUMr94JoJRGSnc8qC54v1vutCsYOOl58YNjqdDIeSYRYXA/s1503/attack-surface-iot-mHEALTH.pptx.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Diagram of the attack surface for medical data, from smartwatch to clinic" border="0" data-original-height="1012" data-original-width="1503" height="397" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgtqBKdQ5TCEvgB2L7ZPf3VprX5sa1vhbN2NLkl2r9dBzy4nO0U0DLWzDXj2IWMhBNK7BVAu2G-sEQqZlOT3BwF3JFTqUMr94JoJRGSnc8qC54v1vutCsYOOl58YNjqdDIeSYRYXA/w590-h397/attack-surface-iot-mHEALTH.pptx.jpg" width="590" /></a></div><div><br /></div><div>To carry on being a bit technical, I should point out one more thing that makes cybersecurity so difficult in the healthcare sector: the required level of granularity and multiplicity in the sharing and not-sharing of medical data. 
Think of all the entities that might be in the data sharing mix, requiring some of your medical details, sometimes in a hurry, but without exposing all of those details to criminals or the public:</div><div></div><blockquote><div>your doctor; that doctor's colleagues, nurses, and assistants; any specialists you see and staff at the places to which you are referred; your pharmacy; the accounting and administrative departments for all of these; the same again for any insurance companies involved, plus their claims assessors and adjudicators; your employer, who may be paying for all or part of your insurance; and your government, that might be funding, researching, or otherwise tracking some or all of the medical services you need.</div><div></div></blockquote><div>Yet, challenging as cybersecurity is when it comes to healthcare, there are always things you can do to reduce the odds of your medical data being abused. Thanks to the National Cybersecurity Alliance, four of these things have been put into a handy infographic (<a href="https://staysafeonline.org/wp-content/uploads/2020/08/Connected-Healthcare.png" target="_blank">full version downloadable here</a>).</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqXjbd_m1jwo84IyR1oj8T15u3bgsZ3z7xc5Lk_U935qhFgqOW7xotpy8JR81Z3ipdRj6aa4-LD9nFdj7unX_Tz6WGp6umjLdi2_B_nYPhXvRXtGtBOYSKWbgWxambQsUMmahjxQ/s1740/Connected-Healthcare-info.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1740" data-original-width="800" height="1235" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqXjbd_m1jwo84IyR1oj8T15u3bgsZ3z7xc5Lk_U935qhFgqOW7xotpy8JR81Z3ipdRj6aa4-LD9nFdj7unX_Tz6WGp6umjLdi2_B_nYPhXvRXtGtBOYSKWbgWxambQsUMmahjxQ/w567-h1235/Connected-Healthcare-info.jpg" width="567" /></a></div><div><br /></div>You might find this graphic helpful if you are working on 
raising the cybersecurity awareness of others, perhaps in your office, church, social group, or household. Here is a link to a <a href="https://staysafeonline.org/wp-content/uploads/2020/08/Securing_Personal_Health_Data_306922158_720x720_F30.mp4">short video that might also help</a> (I'd say loop it on the monitors in the company cafeteria, but I'm not sure how many people are in company cafeterias these days).<div><br /></div><div>If you are trying to reach management with the urgency of this topic, please urge them to watch this interview with an expert that I respect a lot, Joshua Corman, titled <a href="https://www.healthcareinfosecurity.com/cybersecurity-advice-for-covid-19-era-a-15173" target="_blank">Cybersecurity Advice for the COVID-19 Era</a>. For more on dealing with things at an organizational level in healthcare, see this article: <a href="https://staysafeonline.org/blog/putting-people-at-the-center-three-ways/" target="_blank">Putting People at the Center: Three Ways the Healthcare Industry Can Proactively Prevent Cyberattacks</a>. <div><p><b>#BeCyberSmart</b></p></div></div>Stephen Cobbhttp://www.blogger.com/profile/04204736531276318817noreply@blogger.com0tag:blogger.com,1999:blog-13370348.post-68635216940791612602020-10-22T14:46:00.783+00:002021-01-03T12:19:17.988+00:00What's different about health data security? A lot! 
(Cybersecurity Awareness Month, Day 22)<p> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhix5o0C5oq8Y6zz2Yg2Z8yGc-Zu5OXaccPPCW5AqHU-PGEuSS6tbTAOpX0UbPuw3a2VAJTDlxYFoH_IYqoqTJyYR00zVIAAqVuBznAW1r_CcvgyoF_1-mxLNkqzXGCbD2uGUB7Vw/s1168/cam-banner-medical.png" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" data-original-height="497" data-original-width="1168" height="245" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhix5o0C5oq8Y6zz2Yg2Z8yGc-Zu5OXaccPPCW5AqHU-PGEuSS6tbTAOpX0UbPuw3a2VAJTDlxYFoH_IYqoqTJyYR00zVIAAqVuBznAW1r_CcvgyoF_1-mxLNkqzXGCbD2uGUB7Vw/w578-h245/cam-banner-medical.png" width="578" /></a></p><div>The "official" theme for week three of Cybersecurity Awareness Month, 2020, is <i>Securing Internet-Connected Devices in Healthcare</i>. This is an important topic, but there are many aspects of cybersecurity as it relates to healthcare data and devices that need our awareness.</div><div><br /></div><div>Let's start with this: medical information is fundamentally different from financial information. To understand what I mean, consider the consequences of the following actions as they relate to a person’s medical information:</div><div><ul style="text-align: left;"><li>unauthorized access, change, disclosure, or destruction</li><li>ransoming of access</li><li>denial of access</li></ul></div><div>All of those actions have the potential to create seriously negative impacts on someone's life, including ending it prematurely. Those same actions can definitely cause harm when directed at information that is financial in nature—like credit cards, bank accounts, online purchases—but not like the abuse of medical information. </div><div><br /></div><div>This is not a fresh insight. 
Consider this true story which I cited in my 1995 computer security book:</div><div><div></div></div><blockquote><div><div>When a clerk at University Medical Center, Jacksonville, went into work last Sunday, she took along her 13-year-old daughter, Tammy. Taking advantage of poor computer security, Tammy obtained a two-page report listing former emergency room patients and their phone numbers. She then proceeded to call people on the list and tell them that they had tested HIV positive. Appearing in court this week in handcuffs and leg shackles, Tammy was ordered into state custody. The judge justified harsh measures in this case because Tammy "seemed unconcerned about her arrest or the possible effects of her actions." — Orlando Sentinel, March, 1995</div></div><div></div></blockquote><div>Anyone who remembers the extremely high levels of fear and stigma surrounding HIV back then will know how much damage to individual lives a security and privacy breach like that could cause (there were cases of people taking their own lives upon learning that they had AIDS—although I'm not aware of any suicides resulting from this particular incident).</div><div><br /></div><div>I'm also unaware of the exact nature of the poor security behind that particular security incident—maybe a workstation had a weak password or was left unlocked while unattended—but it was an early warning of things to come at the intersection of health information and technology.</div><div><br /></div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhs-jBiYnNeNUh4-TJKixt9sV2H34DVudLd6CabGR4ckDbsr2meBsMxsgEMzRhBzV6lKsYcIOIIjo02DsIL8lZ8HQNdc8isAlyRW-4_5K0DP4x8n4WyYHqm5k5Ir-W_UK7KQcFwpQ/s1448/tammy-wynette-training.jpg" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img alt="Tabloid headline based on stolen medical data about the singer Tammy Wynette" border="0" data-original-height="997" 
data-original-width="1448" height="283" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhs-jBiYnNeNUh4-TJKixt9sV2H34DVudLd6CabGR4ckDbsr2meBsMxsgEMzRhBzV6lKsYcIOIIjo02DsIL8lZ8HQNdc8isAlyRW-4_5K0DP4x8n4WyYHqm5k5Ir-W_UK7KQcFwpQ/w410-h283/tammy-wynette-training.jpg" width="410" /></a></div>Another warning sign made headlines in 1995: a trashy newspaper paid an employee of UPMC Presbyterian Hospital in Pittsburgh for stolen copies of computerized medical records pertaining to country music legend Tammy Wynette.</div><div><br /></div><div>The singer's alleged condition made for a shocking headline, one for which she claimed damages in a lawsuit against the publisher that cited, among other harms, cancelled bookings. Details of the settlement of that suit were never made public, and sleazy papers like that have slush funds for such contingencies, but I would argue that the case raised the security stakes for medical institutions. You can be sure that the hospital took hits to its reputation at multiple stages, from the day the incident came to light, to the coverage of Wynette's lawsuit, then the criminal investigation, prosecution, and conviction of the hospital employee. 
Along the way it became clear that UPMC Presbyterian’s authentication systems, password hygiene, and security awareness were all woefully inadequate.</div><h2 style="text-align: left;">HIPAA hooray?</h2><div>Bear in mind that both of those cases occurred before America had HIPAA, the one "privacy law" of which just about every American has heard (although most don't know that the "P" in HIPAA doesn't stand for Privacy—see the section headed Health Insurance Portability and Accountability Act in Chapter 4 of <a href="https://scobbs.blogspot.com/2014/05/privacy-for-business-ebook-from-2002.html">my free privacy book</a>, or page 5 of my white paper, <a href="https://www.welivesecurity.com/2016/04/26/data-privacy-data-protection-us-law-legislation-white-paper/" target="_blank">Data privacy and data protection: US law and legislation</a>). </div><div><br /></div><div>In a nutshell, the purpose of HIPAA was to improve employment-based health insurance coverage. However:</div><div></div><blockquote><div>commercial interests—notably insurance companies—claimed that this would be too costly, so provisions to promote the adoption of cost-saving electronic transactions by the healthcare industry were added. Given that such adoption would greatly expand the computerized processing of personal health information, legislators mandated protections for this data in HIPAA.</div><div></div></blockquote><div>Although legislators decreed that there should be rules about the privacy and security of health data in HIPAA, they declined to spell them out in the law that they passed. Indeed, legislators dithered on this for several years after the law was passed. Eventually the task of making and enforcing such rules fell to the Department of Health and Human Services (HHS). </div><div><br /></div><div>The HIPAA Privacy Rule was first proposed in November of 1999, then enacted in December of 2000. 
It was not until April of 2003 that HIPAA covered entities were required to be in compliance with the Privacy Rule. In conjunction with the Privacy Rule there was also a Security Rule. This was first proposed in August of 1998 and was enacted in February of 2003, with compliance mandated by April of 2006. </div><div><br /></div><div>By that time, I had written many thousands of words about HIPAA and delivered dozens of seminars about cybersecurity to healthcare professionals. The image of Tammy Wynette shown above is from a slide deck that I used in those seminars, and in an online privacy training program that I developed. </div><div><br /></div><div>Note that even then, circa 2000, I was saying "this is not new." What is new in the world of health-related information protection today is the threat level, which has never been higher than it is right now. </div><div><br /></div><div>This is because criminals have spent a lot of time over the last 20 years devising different ways to "monetize" the compromising of medical data and systems. 
At the same time more of this data than ever before is being stored electronically, in one or more types of Electronic Health Record (EHR), held and processed in many different places.</div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfMfgiaufZ8OIp_JwlZVP6Oe-q1nufyyQHGramJa4VNesNTD0hi5NmGlFvSM6gyQWi5O33WlDTDXLg7YkAvh1Z7rd691d7Baju0muQtXK47hS1a75bx1GX0LGCC5JsMOzNk469uw/s938/health-records-criminals.jpg" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" data-original-height="938" data-original-width="707" height="564" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfMfgiaufZ8OIp_JwlZVP6Oe-q1nufyyQHGramJa4VNesNTD0hi5NmGlFvSM6gyQWi5O33WlDTDXLg7YkAvh1Z7rd691d7Baju0muQtXK47hS1a75bx1GX0LGCC5JsMOzNk469uw/w425-h564/health-records-criminals.jpg" width="425" /></a></div><br /></div><div>To help raise awareness of this, in 2015 I printed up a bunch of reference cards titled "Electronic Health Records for Criminals" (shown on the right). I started to hand these out to people at healthcare IT events. The size of a postcard, this infographic encapsulates some of the many ways in which the different types of data handled by medical organizations can be abused by criminals. </div><div><br /></div><div>By the time I gave my talk titled "Cybercrime Triage: Managing Health IT Security Risk" at the massive annual conference of the Health Information Management System Society (HIMSS) in 2016, it was standing room only. 
(I'm pretty sure the event was larger than RSA that year—with 40,000 attendees and an exhibit space bigger than 20 football fields).</div><div><br /></div><div><div>I should note that by the beginning of 2016 the federal government had forced hospitals and other medical organizations to pay out tens of millions of dollars to settle HIPAA cases, brought in large part because these entities had failed to get their cybersecurity act together (despite more than a decade of fair warning).</div></div><h2 style="text-align: left;">Trying timing </h2><div>So why, you might ask, was the medical community so slow to get a grip on cybersecurity? In the US, a lot of this can be explained by the government incentivizing, and IT companies enabling, the rapid computerization of health records at scale, without factoring in:</div><div><ul style="text-align: left;"><li>the well-documented tendency of humans to exploit opportunities for crime</li><li>the perennial reluctance of organizations to invest in computer security</li><li>the historic failure of governments to deter cybercrime</li><li>the healthcare sector's historic lack of exposure to, and experience with, IT</li></ul></div><div>On top of all that—or perhaps underlying it if you are a healthcare professional—is a phenomenon that can be summarized in statements like this, which have become part of my cybersecurity awareness talks: </div><div><blockquote>"Doctors and nurses get up and go to work every day to help people. Some criminals get up every day to abuse data, and they don't care how that might hurt people, as long as they can make money doing it."</blockquote><p>That reality can be hard to grasp and we might not want to accept it. But it is our current reality here on Planet Earth. If you are in any doubt, fast forward to September, 2020, which brought this headline: "<b>Woman dies during a ransomware attack on a German hospital</b>." 
</p><p>Apparently, "the hospital couldn’t accept emergency patients because of the attack, and the woman was sent to a health care facility around 20 miles away" (<a href="https://www.theverge.com/2020/9/17/21443851/death-ransomware-attack-hospital-germany-cybersecurity" target="_blank">The Verge</a>). German prosecutors "believe the woman died from delayed treatment after hackers attacked a hospital’s computers" (<a href="https://www.nytimes.com/2020/09/18/world/europe/cyber-attack-germany-ransomeware-death.html?auth=login-google" target="_blank">The New York Times</a>). What makes this troubling incident all the more emblematic of cybercrime is the fact that it took place during a global pandemic, and the hospital was not the intended target but a case of collateral damage. </p></div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6lkeLjrI9DK0XkXcwXB4G9JqCSrz_mtWzq7BMrkiQKaS387mFGW5zEoLJJ3GQTJ-k3e50facdt4yRQ4RGHDMo7nLeFUm6aJNH9c8-g1Gp5rhJrxHMWVTK4681ALWgnZOVLHO_6w/s480/share-with-care.jpg" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img alt="Advice about sharing sensitive information online, from NCSA and StaySafeOnline" border="0" data-original-height="460" data-original-width="480" height="358" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6lkeLjrI9DK0XkXcwXB4G9JqCSrz_mtWzq7BMrkiQKaS387mFGW5zEoLJJ3GQTJ-k3e50facdt4yRQ4RGHDMo7nLeFUm6aJNH9c8-g1Gp5rhJrxHMWVTK4681ALWgnZOVLHO_6w/w373-h358/share-with-care.jpg" width="373" /></a></div>Unfortunately, at this point in time, there is a limit to what you and I can do in terms of immediate action to protect our health data from abuse. 
</div><div><br /></div><div>Of course, we should all be doing all of the things that everyone's been talking about during this Cybersecurity Awareness Month, from locking down our login and limiting access to all of our connected electronic devices, to being careful how and where we reveal sensitive personal information.</div><div><br /></div><div>But in my opinion, the heavy lifting in cybersecurity for healthcare has to be done by governments. Firstly, by taking seriously the need to achieve global consensus that health data is off limits to criminals. Secondly, by funding efforts to enforce that consensus at levels many times greater than the paltry sums that have been allocated so far. </div><div><br /></div><div>Of course, we can all play our part in making these things happen. We can tell our elected representatives that we want these steps to be taken, and that we care deeply about solving this set of problems. And whenever we vote to elect representatives, we can vote for those most likely to take all this as seriously as it needs to be taken.</div><div><br /></div><div><b>Do your part. #BeCyberSmart. 
Vote!</b></div>Stephen Cobbhttp://www.blogger.com/profile/04204736531276318817noreply@blogger.com0tag:blogger.com,1999:blog-13370348.post-84993010808004097782020-10-21T15:30:00.171+00:002020-10-23T20:42:00.171+00:00Authentication Factor 3: Something you are, like your thumbprint (Cybersecurity Awareness Month, Day 21)<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhmI6t6cRYL9egnAAR_mH1xNpxa-Au1CjxBiDsr1Ca-8lu3BKl9MnBcQqeVbR7hIVgAPyeSfmzs-7X3AiOQd9Sfvuso5RZLLy2wOR0NuSVjLM6XsfmWnkMQ8Sy4D3iOiw4jah3WAg/s1600/biometric-def.jpg" style="margin-left: 1em; margin-right: 1em;"><img alt="(image credit: engin akyurt at Unsplash)" border="0" data-original-height="1028" data-original-width="1600" height="350" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhmI6t6cRYL9egnAAR_mH1xNpxa-Au1CjxBiDsr1Ca-8lu3BKl9MnBcQqeVbR7hIVgAPyeSfmzs-7X3AiOQd9Sfvuso5RZLLy2wOR0NuSVjLM6XsfmWnkMQ8Sy4D3iOiw4jah3WAg/w543-h350/biometric-def.jpg" width="543" /></a></div><div><br /></div>To protect your digital devices and private data from unauthorized access and/or abuse, you need to use technology known as authentication. In the context of computing devices and online services, authentication is typically taken to mean "making sure people are who they say they are." <div><br /></div><div>In the preceding articles for Cybersecurity Awareness Month—<a href="https://scobbs.blogspot.com/2020/10/passwords-and-authentication.html">Authentication 1</a> and <a href="https://scobbs.blogspot.com/2020/10/tokens-and-authentication.html">Authentication 2</a>—I explained that there are multiple ways for computing devices and online accounts to authenticate people. 
They can ask you to provide one or more of the following, shown here with their technical category names:<div><ul style="text-align: left;"><li><a href="https://scobbs.blogspot.com/2020/10/passwords-and-authentication.html">Something they know, like a password</a> — <i>knowledge</i></li><li><a href="https://scobbs.blogspot.com/2020/10/tokens-and-authentication.html">Something they possess, like a token</a> — <i>possession</i></li><li>Something they are, like a thumbprint — <i>inherence</i></li></ul><div>Today's article is about the last category of "authentication factors," commonly referred to as biometrics. Broadly defined, biometrics are measurements of human characteristics. However, in the context of computer science and security, a biometric is defined as "a measurable physical characteristic or personal trait used to recognize the identity, or verify the claimed identity, of a person through automated means." </div><div><br /></div><div>That particular definition of a biometric comes from the International Biometric Association, which I quoted in my 1991 book on security. Believe it or not, biometrics were already being used back then, sometimes to control access to computing facilities. Today, they are in much wider use and may even be built into your phone, tablet, or laptop computer. </div><div><br /></div><div><div>Biometrics include your fingerprints, your face, the sound of your voice, the veins in your hands and eyes, and behavioral traits such as your signature, handwriting, and typing rhythm, all of which can be recognized "by automated means." 
For example, I am writing this on a Macbook and to prove that I am the authorized user, Stephen Cobb, I let it scan one of my registered fingertips (there is a special key on the keyboard that is actually a fingerprint reader).</div><div><br /></div><div>We have seen fingerprint readers on smartphones in recent years, but the technology has been available as an added level of security for laptop and desktop computers for many years (for example, integrated into a mouse, or a USB stick). Some laptops now let you use the integrated camera for authentication by means of facial recognition.</div><div><br /></div><div>In general, I am a fan of biometrics as an authentication factor tied to a specific device or account. Unlike tokens that might be stolen or passwords that might be shared, biometric identifiers cannot be transferred either by theft or gift. A properly implemented biometric authentication system offers a fairly positive identification of an individual person. </div><div><br /></div><div>(I am not a fan of broad uses of biometrics, such as facial recognition, in public places, at scale, but I don't have time to get into my thinking on that right now.)</div><div><br /></div><div>Unfortunately, basic biometric access controls, like those on your phone, are not without problems. For example, facial recognition can present practical challenges, some of which the COVID-19 pandemic has revealed. Put on a mask and your device may not recognize you. That means you may need to pull your mask up and down several times a day. </div></div><div><br /></div><div>Another important pandemic precaution, washing your hands, can introduce another wrinkle, pun intended. Do you sometimes find that your phone won't recognize your fingers when you're soaking in the bathtub? It has definitely happened to me. That means you have to enter your passcode, hopefully without the phone joining you in the tub. 
Other scenarios, like wearing gloves and having to bandage fingers, create problems when a device won't unlock without reading your fingerprint. </div><div><br /></div><div>While biometric authentication is likely to evolve quite quickly in response to these issues, any given authentication system based on biometrics needs alternative 'emergency' authentication processes. For example, if we're all going around talking to our phones, why not include voice recognition to make sure we are the rightful owner of the phone? Apple was actually <a href="https://appleinsider.com/articles/18/10/16/siri-could-recognize-users-voice-patterns-for-identification-in-future-iphone-or-ipad" target="_blank">filing patents on this idea</a> a couple of years ago.</div><div><br /></div><div>The bottom line is that using two authentication factors makes it less likely that someone can access your devices or accounts by pretending to be you. Using a biometric as one of those factors may be more appealing to some people than tokens. </div><div><br /></div><div>Let me end with something I wrote 25 years ago: Whatever you use for authentication, it is important to bear in mind that security problems go beyond proper user identification. Authorized users who are corrupt are a prime example. User integrity cannot be programmed or scanned. If authorized people log on and then share their account with others, the best biometrics are defeated. Proper data security, user education, and transaction tracking are equally important.</div></div></div>Stephen Cobbhttp://www.blogger.com/profile/04204736531276318817noreply@blogger.com0