Recently, while researching the topic of security breaches at corporates, I came across this interesting nugget from the Wall Street Journal: Kellogg’s, the storied American cookie- and cereal-bar maker, is so obsessed with cyber spies ferreting away its trade secrets that it makes sure they are stored on a computer that is not connected to the internet. “Kellogg's management is especially worried that cyberattackers might try to steal the company's know-how, like the way it puts the ‘Snap, Crackle and Pop’ in Rice Krispies or the curve in Pringles potato chips, according to two people briefed on its computer defences,” wrote the WSJ. “Information on our recipes, including where they are stored, is proprietary,” said Kris Charles, a Kellogg spokeswoman. In a February 2014 securities filing, Kellogg said, “To date, we have not experienced a material breach of cybersecurity.”

Looks like Kellogg’s is very happy with its tactic. But is this approach hackproof? I turned to authors Richard Torrenzano and Mark Davis for insights from their book Digital Assassination. They tell us that cybersecurity experts have a name for the process of sealing off a computer by taking it off the internet — airgapping. It refers to the belief of certain cybersecurity experts that “a computer system that is not connected to any other computer or to the Internet is safe”. But Torrenzano and Davis are not very impressed by airgapping. They say, “If evolution teaches us anything, it is that intelligent systems like to network. Of course no computer is going to extend its own cable and plug itself in. But a computer doesn’t have to network itself, because every computer comes complete with a parasite called a human, a creature with an irrepressible desire to network.”

RISKS OF A MERE NET CONNECTION

So airgapped computers may not be very safe, because they are handled by humans, who have a tendency to network.
But what happens if a computer is plugged into the internet and allowed to run without any human intervention? Torrenzano and Davis tell us that just such an experiment was conducted by a leading IT company. In step 1, “the company’s engineers purchased a garden-variety PC from a chain retailer”. In step 2, “they installed in it the best off-the-shelf antivirus, anti-spyware protection, and firewall software packages available”. In step 3, “they connected this PC to the Internet. They did not use it for anything. They just tracked the flow of code into and out of the machine”. Any guesses on what happened next?

The authors wrote, “Within four hours the engineers detected the first ping by a potential hacker. In two weeks more sophisticated software from a computer in Canada slowly embedded itself in the PC and started running its own software. The Canadian computer soon set up links between the enslaved zombie PC and a computer in Singapore, which used the PC to attack a network in Poland.”

So despite the precautions taken, most computers invite security vulnerabilities merely by being connected to the internet. Imagine, then, the risks involved in the careless approach to security of most users. Airgapping may have its benefits in certain circumstances, but here too a lot depends on the discipline of the human handlers. No wonder many hackers stay invested in social engineering. For most ordinary people, however, nothing much can be accomplished at work or leisure without an internet connection, especially these days when cloud computing is all the rage.

e.o.m.
Recently Nicole Perlroth, who covers cybersecurity and privacy for the New York Times, sat down to be interviewed by one of her own colleagues. The interview covered some ground on how readers can protect their own data. Let me list her main recommendations. Wherever possible, I will provide my reasoning on why she may have recommended a particular step.

DOs AND DON’Ts ON PERSONAL DATA PROTECTION

Do not hand over email IDs or birthdates to retailers.

My take: This may sound a bit harsh. Sometimes retailers may wish to forward a copy of the purchase receipt to your email ID. At other times, they may want to start your rewards programme account. There is no denying the convenience. But the worry is: can retailers keep your ID safe? Very often, an account or card verification process starts with you being asked to verify your email ID. If someone has harvested your email ID from a retailer, you are providing an easy first step for the criminal. A workaround would be to start a separate email ID just to service retailers, which you won’t link to anything else.

Stricter standards should apply to providing birthdates.

My take: Sometimes a retailer may ask for your birthday to offer special discounts. The intention may be harmless. But if the retailer doesn’t keep your data safe, you will be unnecessarily exposing yourself to cyber criminals. There’s no workaround here. Simply avoid providing your birthday details to a retailer.

Don't use debit cards unless you are at a bank. Use your credit card when you can, instead of your debit card.

My take: This appears to be another harsh prescription. But she may have recommended this because there’s more protection against credit card misuse from the card issuer. With a debit card, you withdraw money directly from your bank account, so the risk is more yours than the card issuer’s, and the protection offered may also be less.

Do not use self-checkout systems at merchants, because those are often the first place hackers will scan.

My take: The self-checkout system seems to be more of a feature in the West than in India. At self-checkouts, staff supervision is less, and this may have drawn the attention of criminals to such checkout lines. This year’s breach at retailer Home Depot in the US, involving the theft of personal data of 56 million customers, began with criminals infecting the company’s cash registers with malware. So checkout lines are very vulnerable to attacks by criminals.

Use long, complex passwords. Do not use the same password across multiple accounts.

My take: Too many studies have come out about the unfortunate popularity of useless passwords. Time spent creating strong passwords will save you a ton of trouble. In her book Online Reputation Management for Dummies, Lori Randall Stradtman has given a simple way to create strong and safe passwords. I recommend it. Here are the steps given by Lori:

<< 1.) Brainstorm for a minute on a sentence or phrase that has some special meaning to you. (However, try not to choose one that’s really popular right now.) For example:
• A favorite song lyric
• A line of poetry
• A movie quote (my favorite).
Let’s use ‘All we are is dust in the wind’ as an example.
2.) Convert your phrase into an acronym. We’re using ‘All we are is dust in the wind,’ so the acronym is ‘awaidinw.’ It’s just the first letter of each word.
3.) Substitute at least one letter with a number. With ‘awaidinw,’ it may look like this:
• awa1d1nw (the letter i is replaced with the number 1)
4.) Substitute at least one letter with an upper-case letter. Our password in progress could look like this:
• awa1d1nW (the last letter, w, gets capitalized)
5.) Substitute at least one letter with a symbol. Our password in progress could look like this:
• @wa1d1nW (the first letter, a, is replaced with @)
Congratulations! You’ve just created a password that’s 1.34 tresvigintillion times, or 1.34 trillion trillion trillion trillion trillion trillion times, stronger than your chance of winning the lottery. Please don’t use this particular one! Now that I’ve described, created, and published this password, it is no longer a strong choice. Come up with your own! >>

Got it? Now go ahead and create your own passwords using this method, but make sure you do not use the same password for many accounts.

Use two different web browsers — one for email and bank account, the other for eCommerce and general web browsing.

My take: No comments.

Switch on two-factor authentication wherever you can.

My take: This is as simple as using a debit card and its PIN for an ATM transaction. The right debit card is the first step, and the right PIN is the second step. Many email service providers now allow two-step or two-factor authentication. Make use of it to keep your account secure. For instance, to set this up for your Gmail account, simply sign in and go to your Accounts section by clicking on the link under the icon at the top right. Once there, click on Security and then click Enable next to 2-Step Verification. Enter your mobile number and request the 6-digit verification code from Google to your mobile phone. Once you have entered the code, your computer is verified for that particular Google Account. Only when you log in from another unverified computer will you be asked again to authenticate using the code sent to your mobile phone. You can also add other computers to the safe list. Please add this additional layer of safety to your email accounts as insurance.

Put masking tape over the webcam on your computer.

My take: You may be surprised to hear this recommendation from the cybersecurity expert at The New York Times, but I am voting for it. There have been too many instances of criminals hacking into webcams and leaving people in grief. Laptop manufacturers sneaked in this ‘innovation’ without taking buyers into confidence. It pays to be careful. Cover the webcam with masking tape whenever you are not using it.

Someone can use stolen data for identity theft and tank your credit score.

My take: Credit scores are very important for individuals in developed countries. In India too, credit-rating agencies now play an important role in assessing the loan-worthiness of individuals. Keep your credit cards and online identities safe. Let no one misuse them and cause harm to your reputation as a trusted borrower.

Hackers are actively selling medical records on the black market. Someone may steal your medical identity and pollute your lifetime medical records.

My take: This advice is more relevant to consumers in developed markets where medical records have been extensively digitized.

Recommended tools by Nicole Perlroth:
Wickr, a mobile app that encrypts and self-destructs messages.
Silent Circle, software which allows encrypted phone calls.

My take: These tools could be more relevant to developed markets.

e.o.m.
December 2014
Author: I'm Georgy S. Thomas, the chief SEO architect of SEOsamraat. The Searchable site will track interesting developments in the world of Search Engine Optimization, both in India as well as abroad.