Alexa – can you eavesdrop on us please

After my post last week about the Panorama programme here in the UK, there was a story in the news today about a couple in the US who were surprised by a call from a friend who had been emailed a recording of their conversation. Read all about it here. And no, I couldn’t believe Amazon’s excuse either!

Connected at home – what’s the problem?

You’ve probably heard by now of the Internet of Things (IoT). It’s essentially anything that is connected to the internet that isn’t a “standard” laptop or computer. But how secure is it? And how secure is your car? Just because your key fob is in your house doesn’t mean your car can’t be stolen.

The TV show Panorama here in the UK aired a really interesting episode this week, looking at just these issues. Have a watch here and see what you think.

I think the show does really well at showing how quickly systems can be compromised and what the effects could be. New iPad anyone? The truly horrifying part came with the expose of home CCTV footage available to anyone on the web, particularly baby monitors.

This should be a wake up call to everyone with a home router. Change the password and make it complex, at least 15 characters or more. Do it today.

Presentations – an update

Last week I shared some tips on how to produce good presentations. Earlier this week I found out that at a different conference I’d been voted one of the top speakers at the event. As you can imagine I was very pleased to hear this.

I’m convinced that this was a direct result of all the effort I put in to making sure it wasn’t just another bland PowerPoint. I’d prepared well, taken time to have good graphics, tried to engage the audience and most of all didn’t just stand there and drone on, reading out the slides.

Security is more than just a set of controls. Raising awareness, helping people understand the risks and what they can do to minimise those risks, is a key part of any security professional’s role.

Yes, public speaking takes a lot of hard work, but I’m positive that work is worthwhile. Watch TED talks, read up on what makes them work well and what doesn’t work well, and above all, be prepared. You’ll get a lot out of it too!

Presenting…presentations

A big aspect of information security for me is awareness ie helping spread the word about what Security is and how it affects individuals (after all, this Easy Cyber blog site is all about that). I thought I’d share this story about a presentation I gave last year, and how I did my best to avoid it being dull.

Last year I was fortunate enough to present to a room full of fellow professionals at an event in Europe. I’d known for several months that I’d be doing so, and for me it was a big deal. It was the first time I’d had the opportunity, and there was the potential to be presenting to well over 100 people – but I wouldn’t know the real figure till I got started.

The room I was due to present in…

I was determined that I wasn’t going to blow it.

I’m guessing that most of you have, like me, sat through your fair share of presentations. I’m also guessing that many of those have been dire, where the presenter spent most of the time droning on in a monotone, reading verbatim from every slide, and every slide was covered in dense text with occasional bullet points.

I’m guessing that the number of presentations which has given you a lightbulb moment, an “aha” moment, some kind of inspiration and which have left you feeling energised and enthusiastic is few and far between.

For my talk, I was determined that I wasn’t going to produce a dire presentation, and that I would do my best to be inspirational and have the attendees enthused by my presentation.  I was also aware that the topic – retraining existing staff to work in cyber security – had the potential to be very dull indeed.

I really like TED talks, and I watch or listen to a lot of them, so I thought I’d try to produce my own version.  I therefore did a lot of background reading, with emphasis on how to prepare and deliver TED-worthy presentations (yes, there are a lot of books out there which cover that topic).

I learned that even before starting on my slides, I should work out what messages I wanted to convey, what the key points were. I should work on having a killer opening, one which engaged and intrigued the audience from the outset, one which grabbed their attention.

I also learned that when it comes to slides, words = bad, pictures or images = good. After all, you want people to be focussed on what you’re saying, not on reading what’s on the slide. If you’re reading off the slide, why are you there? The attendees could simply be sent the slide deck and read that for themselves. Slides are an aide memoire, nothing more.

And I learned that your body gives a lot away when you’re talking. Moving around, shuffling from one foot to the next, fidgeting with your hands, jingling keys, says “so” or “um” a lot, all those sort of things detract from the message you’re hoping to convey, and reduce the perception that you’re an expert in the topic.

I practiced what I was going to say – many times. I wrote out my introduction and honed that, many times.  I recorded clips of me presenting so I could see what bad habits I had – and tried not to do them. I ran through the slides over and over, reducing them to no more than 5 or 6 words on each.  All of this helped boost my confidence and reduce my nerves.  Unfortunately for Dee she also had to hear it several times, and her feedback was invaluable.

Did it work?  Yes, I think it did.  Of the 60 or so people who came along, less than half left feedback, but on the whole the presentation was well received. For my first attempt at a big event like that, I was really pleased with the feedback.

Will I take the same approach in future? Absolutely, if time permits.  I think the attendees benefited and I think I benefited from the process.

The days of wordy slides and boring presenters should be at an end.  Make sure you’re not stuck in the past with them.

It’s just a Like…

What harm can it do? You know, seeing your favourite hairdresser or coffee shop on social media, and clicking on the Like button? And what about all those little quizzes and fun games that appear? Like what are your top 5 places to visit, what was your first pet called etc. Not to mention the “your rock star name is…” and you have to give two pieces of information and then share them with your friends. That’s just opened up a treasure trove for the bad guys.

This short video shows what can happen in the time it takes you to order and receive your coffee.

How can you protect yourself from giving away all this information? Just spend a little time going through the security settings on all your social media platforms. If you’re not sure how to do this, use Google to find the answer. Oh, and do this on a regular basis, as the social media firms can and do change your settings from time to time.

How did Cambridge Analytica do what they did?

I wasn’t going to post any more on this topic, but found a really good video on the BBC which explains the psychology behind targeted adverts etc. I thought it might be helpful for you to see how it worked, so check out the video here.

One thing I really like about the video is that it’s very clear: it explains things in simple terms which is, after all, what this site is about.

Let me know what you think of it.

Cambridge Analytica – who knew?

Err, we did!

Regular readers will have seen my post last year which talked about the dangers of over sharing. It described pretty much exactly what’s happened with Cambridge Analytica, on a massive scale.

I’m not going to go into detail on what they did – there’s a lot of news coverage you can check out – but basically an individual’s details and those of their friends were harvested and used for targeted advertising with the aim of swaying voting in the US election in 2016. Other elections may also have been influenced in this way.

This is a great example of why you should regularly check your privacy settings on social media, and be careful what information you decide to share.

Do you have privacy fatigue?

It’s a fact of life these days that we constantly seem to have people giving out dire warnings about being careful what information you share online, who can overhear you giving out your credit card numbers etc. It seems like we’re being warned that there are ears everywhere.

Do you know what? There are.

But these constant messages of your impending doom could also have a negative effect, a sort of “it doesn’t matter what I do, the bad guys will get my data anyway” attitude. This sort of apathy and resignation could be a form of privacy fatigue, and is discussed in this excellent article which my better half kindly shared with me.

It describes how you can tell if you’re suffering from privacy fatigue, and explains what the term means and is based on academic research, which I liked.

There are a couple of points to note about the article though: the sample was quite small – less than 400 people, and the demographic was quite narrow – only people in their 40s and early 50s.

Perhaps the biggest shortcoming in the article as far as I could see was that it didn’t talk about the “so what” aspect of what it had to say (but then it’s in a psychology publication, not a security one so that makes sense). What are the risks of sharing, and why is it important not to become fatigued?

I can still remember the days when mobile phones, smartphones, email, social media and computers didn’t exist. Back then, you wouldn’t dream of standing in the middle of the street and handing out your bank details including statements, or shouting out details of when you were going on holiday. You almost certainly wouldn’t go up to everyone you met and told them where you kept your cheque book and cheque guarantee card (told you I remember a long way back!). Would you have stood on one side of a wall and shouted over it, to whoever might have been listening, who you’re thinking of employing and how much you’re thinking of paying them, or details of a business proposal you’re writing?

I’m guessing that you would agree all of those would be pretty foolish things to do. But effectively, that’s what you’re doing when you drop your guard in respect of privacy.

If you don’t lock down your privacy settings on your social media applications, you’re making every aspect of your life visible to anyone else on the internet.

If you use the same password on multiple websites, you’re making it easier for the bad guys to get access to more of your life.

If you’re talking about confidential things, knowing who else is listening is really important.

Please don’t be complacent. Please be careful. Please don’t get privacy fatigue.

Vehicle Security

You’ve no doubt heard the stories about cars being hacked over WifI or Bluetooth, but today I want to talk about an easier security risk: second-hand, hire and courtesy cars…

I’ve recently had my car in the garage to have it serviced, and I was provided with a reasonably new courtesy car. I had to drive a fair distance so paired my mobile phone over Bluetooth so I could listen to podcasts while driving. As part of the pairing process I was asked if I wanted to replace the existing contact list for the phone in the car, and that set me thinking…

I looked at the sat nav, and guess what? Several pages of addresses were listed, none of which I’d added: these had been created by those who had the car before me.

I looked at the list of connected phones, other than mine, and there were a couple of pages of paired phones, including some which said things like “John Smith’s iPhone”.

I looked at the existing phone contacts listed on the car – none of them were mine.

What does all this mean? It’s all pretty innocent stuff, right? Wrong.

I can now try to match “John Smith” with the addresses listed. I can use the phone contact list to look for people that “John Smith” might know: for example, on social media and sites like LinkedIn. I know what kind of phone he uses, so that tells me more about him too. This is all information I could use to mount a spear phishing attack, if I was so inclined.

Of course, I’m not so inclined: I’d much rather tell you about it so you can protect yourself.

So, what can you do? Simple: if you borrow a car, whether as a hire car, courtesy car, or if you’re selling your car, make sure you delete all your details including addresses and contact information before you hand the car back.

Should we be worried about our MPs security awareness?

Over the weekend a couple of tweets by a UK Member of Parliament (MP) have generated a wave of outrage and comment amongst the security community. Nadine Dorries mentioned that she routinely shares her password with her staff and often has to ask them what it is. (Incidentally, Nadine should make sure all her other accounts don’t use the same password eg her online banking and shopping accounts.) The big question appears to be “is this a big deal”? I think it is, and here’s why.

Earlier this year there was a cyber security attack on MPs by an unknown government – variously reported as Russia or Iran – and a number of MPs fell for phishing attempts. You have to ask now whether it was the MP or a member of their staff: either way it shows that more awareness and better controls are needed.

In the last couple of weeks an MP was accused of viewing pornography on his work PC, a charge which he has denied despite the investigating police officer presenting comments which might indicate it was likely. Nadine Dorries’ comments were (I’m sure) meant to illustrate that just because the MPs credentials had been used to log on to the computer it didn’t necessarily mean that he had accessed the material. And this is the main point, why it’s important for individuals to take ownership of and responsibility for their log on credentials (their user name and password), why they should keep the password secret.

In the staff handbook at Parliament, section 5.8 states clearly that “you must not… share your password”. One of the reasons why we’re advised (told) not to share passwords is to protect us. If any wrongdoing is discovered or suspected using our user name, we are responsible. If someone else has had access to your machine using your details – you are still responsible.

If you have colleagues who you think should have access to your email, give them delegated access, which means they can access it using their own credentials. If they need to access documents etc, put them on a shared network drive where again they use their own credentials. This protects both parties and is more in line with industry best practice.

I’m hoping that the events of the weekend will encourage MPs and their staff to improve their working practice, but I’m not sure it’ll happen because there doesn’t seem to be anyone holding them to account, taking them to task for these flagrant breaches of policy. I’m also hoping that those in charge of systems in Parliament (who I know are very capable and knowledgeable) will get the backing they need to bring working practices more in line with the rest of industry. Finally, I’m also hoping that all passwords will be reset over the next day or two.