
I have awoken to an America that I do not recognize.

The 2016 election shows that what I thought I knew about national politics is wrong and I feel humbled.

Nearly all of the expert analyses of the election turned out flawed including my own amateur efforts.

What is frustrating about the failure of professional and academic analyses of this election is that the methods used to project outcomes are the same methods used to explain the outcomes.

That makes it hard to trust any analysis as to why Trump and the GOP succeeded against expectations; it also makes it hard to trust analyses of what Trump is doing and where our country is going.

A source of error in the projections was that the pollsters and the media did not accurately represent the portion of the electorate who made the difference and that turns out to be half of the voters.

That omission is important to reflect upon because the nearly 60 million people who elected Donald Trump are misread by those of us who were caught unawares on election night.

Trump supporter and PayPal co-founder Peter Thiel provides a clue about that misreading:

“I think one thing that should be distinguished here is that the media always is taking Trump literally. It never takes him seriously, but it always takes him literally. I think a lot of the voters who vote for Trump take Trump seriously, but not literally.” [1]

Thiel’s distinction makes all the difference in how we interpret one another across the political divide.

For instance, I suspect that many on the left suppose that Trump cannot practically deliver on promises that he made in the campaign and conclude that this inconsistency will disillusion his supporters and weaken his base.

That conclusion follows only if Trump supporters interpret his promises literally, and I have come to believe that Trump voters construct his meaning not literally at all, but symbolically.

If there are multiple ways to make alternate meanings out of the same words, we must strive to comprehend all of those meanings together.

Unless the people on the opposite sides of the political divide become visible and clear to one another the prospects for national unity will continue to dim.

In the political struggle that fractures America, most of us are boxing with shadows.

I do have one data point to rely on in my account of this election because in August I attended a Trump rally in Everett, WA.

I wanted to find out personally what attraction this unconventional candidate held for his followers.

I want to tell my progressive colleagues and readers that Trump supporters are not bad people; not deplorable.

I talked with a dozen rally attendees and observed hundreds and for the most part, I liked them as individuals.

The rally was thousands large and had a festive atmosphere with families, kids dancing and no physical violence that I witnessed.

The campaign rhetoric was jarring to my ear and I had difficulty referencing what people told me.

They all said that the economy is failing, the military is in decline, billionaires are incorruptible and that America’s core values have been undermined.

None of it looks that way to me, but I did not argue, I listened and listening may be the most important part of dialog.

In academia and on the left of center we have not been listening to half of the electorate and we paid the price for that insensibility on election night.

Perceiving the need to listen to people whose ideas we reject lights a path to a way forward for those of us who value dialog and the exchange of ideas as a means of growth.

The opportunity is to step up to the challenge of creating conversations between people who are not hearing and seeing one another.

This conversation is possible because we all have so much in common.

This conversation is hard because we generally disbelieve what the other side sees as true.

This conversation is necessary because finding our common ground is the one hope that we have to transcend our growing national chasm of ideologies.

To Trump supporters reading this I want to say that those of us who emphasize justice, equity and individual rights are not bad or deplorable either.

We are operating with caricatures of one another, you and I, and it is to our mutual interest to understand how those false images come about and to what purpose.

You know as well as I that election victories are temporary and the political pendulum will swing back in time, so what matters to the good of our nation is how we manage the change together.

I genuinely want to understand what you think and what you trust and what kind of world you aspire to.

When enough of us recognize the reflections of ourselves in the human beings on the other side, the bridge building will begin.

I pledge to work towards producing opportunities for political reconciliation and human communication across our community.

I hope that you, dear reader, will join that effort in your own way to make America work together again.

 

Sources
[1] Roller, E. Peter Thiel Wants You to Take Trump Seriously, but Not Too Seriously. November 1, 2016.
http://www.nytimes.com/2016/11/01/opinion/campaign-stops/peter-thiel-wants-you-to-take-trump-seriously-but-not-too-seriously.html

Image Acknowledgements

5449002019_c15cd9cc3a_b.jpg
https://c2.staticflickr.com/6/5298/5449002019_c15cd9cc3a_b.jpg

Duck-Rabbit_illusion.jpg
https://upload.wikimedia.org/wikipedia/commons/4/45/Duck-Rabbit_illusion.jpg

candle-335965_960_720.jpg
https://cdn.pixabay.com/photo/2014/05/02/12/41/candle-335965_960_720.jpg

flag-american-heart.jpg
http://www.publicdomainpictures.net/view-image.php?image=85942&picture=flag-american-heart

Your passwords safeguard your identity and your property, but managing multiple secure passwords is challenging, so many people opt for less safe options that put them at greater risk.

You can have both security and practicality if you understand what your password is and how to protect it from the thieves.

Passwords date back to antiquity such as “The Histories” by Polybius (200-118 BC) which describes the use of passwords, also called “watchwords,” by Roman sentries to challenge those who sought passage; i.e. a pass – word. The Romans used sophisticated systems to distribute the passwords among troops while keeping them secret from their enemies. How do you share a secret and keep it secret? In those days it was not smart to forget your password; you did not get a chance to reset it.

In our time you can reset a forgotten password, but you may not be able to recover from a stolen one.  It is not smart to share your passwords with anyone, no matter how much you trust them, because that practice is precisely what thieves who use social engineering rely on. Your loved one will probably not betray you, but if their account is cracked by a hacker and they have your password, then you are both forsaken.  Sharing passwords radically increases your threat exposure.

Robert Siciliano of McAfee, a major computer security company, reports that “74% of Internet users use the same password across multiple websites, so if a hacker gets your password, they now have access to all your accounts.” Reusing passwords is an open gate for your enemies to exploit.

Identity thieves also use hacking tools such as “John the Ripper,” a brute force password cracking tool that generates many thousands of variations of text strings until one of them succeeds in logging into your account. Programmers try to defeat brute force attacks by locking the account after a number of incorrect password attempts. The crackers can bypass that safeguard in some instances, so it is really up to you to create passwords that are improbable to match by brute force.

Most people use passwords that free dictionary attack software can crack in picoseconds.

Choosing easy to remember passwords such as a pet’s name like “princess,” a birth date or a common word is an invitation to disaster. A 2012 study showed that the three most frequently used passwords are “password,” “123456,” and “12345678.” Those favorites were followed in popularity by – and I am not making this up – “abc123,” “qwerty,” “login,” “princess” and “starwars.”

It is enough to make a grown tech support man cry and I pray that informed university members such as yourself do not replicate such patterns.

A way to understand this situation is to test the passwords that you are using now.  Please do not go entering your password into a web form just because it says “test your password.” It might be a trap set by the cracker hackers.

One password testing site, How Secure is my Password, sponsored by Dashlane (which makes password management software), lets you check the strength of your passwords.

According to that testing site, it would take the John the Ripper program about .001 picoseconds to crack the password “princess.”

grumpy cat says "drat. My password was cracked."

“grumpycat” would take 2 minutes.

My email password would take 158 thousand years for John the Ripper to crack. I can live with that.  You can do the same and still remember your passwords even better than before with a few strategic moves.

The primary qualities in strong passwords are length, diversity and uniqueness.

1. Make your passwords 10 characters or more.

2. Use a diversity of character types in making your passwords: a mixture of lower-case letters, upper-case letters, numbers and symbols.

3. Make a unique password for every account.

Here is a schema for implementing these three qualities while crafting passwords that your over-taxed memory can handle with ease.

Start with something that you know well and is not immediately obvious about you.  A favorite movie may be such a choice; let’s go with “Star Wars: Episode III – Revenge of the Sith” (2005) in which Yoda opines: “Not if anything to say about it I have.”

His speech is 30 characters long but you can certainly remember it, if Star Wars is your thing.

Some password systems allow spaces, but we will make Yoda’s wisdom universal by using punctuation: “Not.if.anything.to.say.about.it.I.have.”

Using periods or hyphens or underscores or asterisks I can make a nearly impenetrable, but memorable, passphrase.  Note that it already has two capital letters which are intuitively placed for you, but not for the cracker hacker.

The fact that master Yoda is grammatically challenged works to our advantage.

Mixing numbers into the passphrase makes it stronger still and is required by some systems, so: “Not.if.anything.2.say.about.it.I.have.” This is a very strong passphrase which I’ll bet that you could remember even if you do not care about Star Wars, because you now know the principles by which it was constructed.

What, then about the uniqueness factor? If you have to make a passphrase for every login, how can you remember all of them?

That’s pretty simple because with a super-strong passphrase you can make two ultra-strong moves.

First, consider making unique base passphrases for different types of logins; e.g., one for school, one for finances, one for email, one for social and one for everything else. Your passphrase for each can be aspects of the movie theme, or whatever works for you.

For example, my finances passphrase may be: “M0ney.the.r00t.0f.all.evil.i$.” which is pretty Yoda-like and is super-strong because you can see how it implements all three of the strength qualities.

Second, you can customize the password for each separate login site by adding something from the site.  For example, your Oregon State Credit Union (OSCU) login may be “OSCUM0ney.the.r00t.0f.all.evil.i$.” and your US Bank (USB) login may be “USBM0ney.the.r00t.0f.all.evil.i$.”

All you need to do now is remember the base passphrase and look at the site title for your add-on clue.
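As an added illustration of the three qualities and the passphrase schema above (my own example, not code from the column), the Python below builds a passphrase from a sentence the way the column does, adds the site tag for uniqueness, and estimates the size of the search space an attacker would have to cover. The character-class table, the 50,000-word dictionary size and the function names are assumptions of this example; the strength figures are search-space sizes in bits, not the years reported by the Dashlane site.

```python
import math
import string

# Character classes behind the "diversity" quality. The classification is an
# assumption of this added example, not something the column defines.
CHARACTER_CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def make_passphrase(sentence, separator=".", substitutions=None):
    """Turn a memorable sentence into a passphrase the way the column does:
    replace spaces with a separator (so it works where spaces are rejected),
    swap whole words for look-alike digits (to -> 2), and end with the separator."""
    substitutions = substitutions or {}
    words = [substitutions.get(word, word) for word in sentence.split()]
    return separator.join(words) + separator


def site_password(site_tag, base_passphrase):
    """Uniqueness: prefix the base passphrase with a clue taken from the site
    name, e.g. "OSCU" for a credit union login."""
    return site_tag + base_passphrase


def character_classes(password):
    """Which of the four classes appear in the password."""
    return {name for name, chars in CHARACTER_CLASSES.items()
            if any(c in chars for c in password)}


def brute_force_bits(password):
    """Search space, in bits, for an attacker who knows only the length and
    which character classes are used: length * log2(alphabet size)."""
    alphabet = sum(len(CHARACTER_CLASSES[name]) for name in character_classes(password))
    return len(password) * math.log2(alphabet)


def word_guessing_bits(passphrase, separator=".", dictionary_size=50_000):
    """Search space if the attacker guesses whole words instead of characters.
    dictionary_size is an assumed vocabulary; a passphrase that is a famous
    quotation used verbatim is weaker still, which is why the column varies it."""
    words = [w for w in passphrase.split(separator) if w]
    return len(words) * math.log2(dictionary_size)


if __name__ == "__main__":
    yoda = make_passphrase("Not if anything to say about it I have", substitutions={"to": "2"})
    print(yoda, sorted(character_classes(yoda)))
    finances = site_password("OSCU", "M0ney.the.r00t.0f.all.evil.i$.")
    for pw in ("princess", "grumpycat", yoda, finances):
        print(f"{pw:40} {brute_force_bits(pw):6.1f} bits by character, "
              f"{word_guessing_bits(pw):6.1f} bits by word")
```

Running it prints the Yoda passphrase and the bit estimates for “princess”, “grumpycat”, the Yoda line and the OSCU password. The word-based estimate is the practitioner's caveat: a passphrase made of nine dictionary words is far stronger than “princess” but weaker than its 38-character count suggests, so the substitutions and site tags the column recommends do real work. The site tag is also readable to anyone who sees one of your passwords, which is why the base passphrase itself must never be shared and why the password manager mentioned at the end of the column is the next step.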

Crafting secure passwords is an indicator of practical intelligence.

If you follow these principles consistently, you can make many unique and strong passwords which are always available to your powers of recall.

If the examples given here seem overly complex to you, then go back and break down the steps, which taken individually are quite simple. You can make shorter base passphrases and still get super-strong passwords if you follow the principles outlined here.

According to the Dashlane password strength testing site, “OSCUM0ney.the.r00t.of.all.evil.i$.” would take 20 quindecillion years for a computer brute force attack to guess. That’s a 1 followed by 48 zeros.

1,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000

I think getting somewhere we are.

yoda from star wars

Wisdom is strength.

 

Work out your own system based on these principles and leave yourself some hints that will jog your memory but be obscure to others, such as: “What would Yoda do?”

Whatever you do, please do not leave your passwords in a weak, exposed condition. You have enough stress and do not need the hassle of identity theft and data loss.

When you do create those super-strong passwords, resist the impulse to share them with your friends to show how cool they are.  Bask instead in the glow of secret satisfaction.

The next great move that you can make in identity and data security is to use a password manager, such as Dashlane or LastPass.

That, my dear Padawans, the topic for next week’s column will be.

 

Image Acknowledgements

strong-310874_960_720.png
https://pixabay.com/en/strong-arm-muscle-muscles-310874

Grumpy-Cat.jpg
https://commons.wikimedia.org/wiki/File:Grumpy-Cat.jpg

Yoda_Empire_Strikes_Back.png
https://en.wikipedia.org/wiki/Yoda#/media/File:Yoda_Empire_Strikes_Back.png

Imagine that you are working to meet a midnight paper submission deadline.

Suddenly your computer freezes. Reboots don’t help. The Engineering major down the hall can’t help. Midnight passes while you sit helpless. The next day the repair specialist tells you that a wicked virus trashed your machine and only a total reformatting of the hard drive will save it. It is expensive.

Even worse, all of your data including your paper, drafts, research and earlier works are just plain gone.

This heartbreak is a genuine possibility, but the odds against it can be radically shifted in your favor.

“OSU is subject to 16 million hostile network attacks every day of the year.”

To understand how we may ward ourselves against digital catastrophe at OSU I spoke with Lois Brooks, Vice-Provost of Information Services (IS), and Dave Nevin, Chief Information Security Officer for the Office of Information Security.

Lois Brooks

These guardians of our networked community had two salient calls to action for you: be aware and compute safely.

Dave Nevin

Being aware means paying attention to the daily changes in our network ecosystem in order to take appropriate action.

For example, are you aware that this week OSU Information Services is recommending an Apple computer patch and device update in order to address new security risks to the Apple OS?

If you are not aware of this current threat, then you are not network secure, no matter what operating system you use.

“Criminal hackers seek to access your personal information (e.g. SSN) and sell it to high-end information identity thieves.”

Nevin is blunt about the risks to the inattentive; “OSU is subject to 16 million hostile network attacks every day of the year. The hostile attacks are from criminal organizations seeking personal information and intellectual property. OSU can prevail against this assault only if students, faculty and other members contribute by safeguarding their computers and devices against the hostile hackers.”

I was like: “Did I hear that right? 16 million attacks per day? Why would anyone even do that?”

The answer is that your Social Security number and other personal information are stored digitally at OSU, and criminal hackers who get hold of them can immediately sell them to high-end information identity thieves.

Nevin observes: “It’s tough. We’re out-numbered. The people we’re fighting against to protect that information are smart, and have a lot of resources available to them. But we have smart people too, and we’re working together to do everything we can to prevent that from happening.”

NORSE Attack Map

To see a live display of network attacks around the globe, see the NORSE Hack Attack Map (do check this out because it is amazing!)

Brooks is OSU’s chief information officer and is ultimately responsible for the University’s information technology (IT) policy and budget.

She explained to me in detail the delicate balance between security, safety and privacy at the large scale of the university enterprise.

“All OSU members participate in a social compact with one another to ensure a secure community of trust and shared resources. It requires that every individual take personal responsibility to meet that overall aim.”

Do your part by keeping all of your devices fully patched using current anti-virus and anti-malware available to you for free from Information Services.

Sometimes safety goes beyond network hacks and enters the realm of physical threat.

Brooks and Nevin affirm that OSU cooperates with law enforcement to protect public safety.

OSU recommended software

On occasion this involves accessing information from the accounts of individuals.

Brooks emphasizes how extraordinary such instances are; “Even though we need to be able to respond when there is a problem, we at OSU go out of our way to not look at people’s data unless necessary.”

Ours is a culture of respect and I speak from experience to vouch for the integrity of our university leadership in upholding these values.

For you, dear reader, there follows from this balance of privacy and safety a principle based in the wisdom of discretion.

That is: do not use OSU network resources to post information that potentially puts you and others at risk.

Create your own balance of safety and privacy by keeping your machines fully patched against hacking and by maintaining intellectually responsible content.

This is what it means on Overheard at OSU when someone posts; “Keep it classy Beavers.”

“We at OSU go out of our way to not look at people’s data unless necessary.”

Here are two simple steps that you can take to do your part in upholding safety and respect at OSU.

Be Aware: Build your expertise about OSU’s security ecosystem at “Be Aware!”

is.oregonstate.edu/accounts-support/be-aware

Free Software: Turn your computer and devices into a personal anti-hacking fortress by installing the free and essential software at:

“Anti-virus is a requirement while you are at the university as it is part of the Acceptable Use of University Computing Resources agreement.”

Nevin invites all OSU members to contact him about network security and privacy issues: Dave.Nevin@oregonstate.edu.

Brooks has an open door policy concerning all OSU IT matters: Lois.Brooks@oregonstate.edu.

You can always write to me about anything.
drtech@oregonstate.edu

I promise to make sure that your comments get to the appropriate people and I will write you back.

Have a great start to Spring term, invest some time in your network awareness and safety and keep it classy, Beavers.

Resources

OSU Office of Information Security

OSU Antivirus Software

OSU Campus Civility and Inclusivity Campaign

 

Image Acknowledgements

dangerous-software.jpg
http://is.oregonstate.edu/office-information-security-created

Dave_nevin.jpg
https://www.linkedin.com/in/david-nevin-a9a9b2

lois_brooks.jpg
http://is.oregonstate.edu/adminserv

norse_map.png
http://map.norsecorp.com/#/

osu_recommended_software.png
http://oregonstate.edu/helpdocs/security-and-tuning/computer-viruses/antivirus

antivirus_icon.gif
http://oregonstate.edu/helpdocs/security-and-tuning/computer-viruses/antivirus

This morning my bleary eyes focused on the top email in my inbox with the subject: “Immediate Action: Your Mailbox Size Notification.”

The email was simple and to the point.

“Your email account has used 23.7 GB (95%) of 25 GB.

You will be unable to send and receive messages if you do not reset your account storage space to a higher limit.

Click the link to reset and validate your account.

http://oregonstate.edu/amiladministrator

Sincerely, OSU Mail Desk Administrator”

This is a phishing attack and if I took the bait by clicking on the link, I could compromise my identity, my money and my data.

Phishing is the use of fraudulent messages disguised as coming from legitimate entities to acquire privileged information.

Phishing exploits trust, worry, and desire to trick people into giving up their sensitive credentials such as passwords and credit accounts.

A grim finding from an Intel Security survey shows that 97% of people globally are unable to identify phishing emails. Now that is scary.

The most powerful tool for computer hacking is social engineering, the larger category of human manipulation into which phishing falls, and phishing itself has numerous sub-categories.

Spear Phishing is targeted at specific individuals or groups and may contain familiar graphics and Web addresses to trick you.

Whaling is like spear phishing but aims at very large fish, such as a university president or corporate vice president.

Clone Phishing reuses a legitimate email and modifies it to contain the malicious url.

False Friend is email from someone that you know whose contacts have been hacked or spoofed and used to generate phishy emails.

Tab Nabbing exploits Web browser tabs to open a tab to a fake page.

Evil Twins are bogus wireless networks that mimic public networks in airports, libraries, coffee shops, and hotels in order to harvest credit cards and other personal information.

Phishing and social engineering are confidence games or confidence tricks and can also occur in text messages, phone calls, Web pages, social media posts, Skype calls and snail mail. Confidence games are very old; read the Iliad for some prototypical instances.

Given that phishing is based in deception and some of the fakes are very convincing, how may time-stressed individuals such as yourself protect against the ruses? The solution comes in two parts: know what to look for and alter your online habits accordingly.

In his book The Prince Machiavelli gave advice that rings true when protecting oneself against phishing: be like the fox and the lion, the fox to discover the traps, the lion to frighten the wolves – be both smart and strong.

Here are some clues to watch for in order to detect predatory messages.

Asks for too much: computer system administrators never require your username, password, credit card or social security number. Even if sensitive information is needed online or by voice you are better off taking an alternate path to double-check the source.

Mismatched links: Don’t click on email links, but do examine them by mousing-over and you will see that phishing emails include linked text that is different from the Web address linked to.

You did not ask for it: a warning, threat or offer comes to you without you having initiated the contact – beware.

Threats and promises: fear, greed and pride are the nuts and bolts of confidence games and when you detect those elements in a message your phishy antennae should perk right up.

Poorly constructed: some phishing messages are expert but most are barely literate and would end up in the reject folder at crappypasta.com. You should know enough to reject them as well. This is one reason why advanced literacy is a practical part of your education.

“97% of people globally are unable to identify phishing emails.”

Cultivate smart habits to protect yourself against predatory messages (see my earlier columns for techniques of habit change) including the following practices.

Slow Down: most phishing threats can be disarmed by separating action from feeling. Phishers rely upon the impulsive actions of their victims and so when an email or related message gives you feelings of urgency, take that as a sign that you need to step away from the mouse and give clarity time to emerge.  Much of what feels like an emergency in life – for instance a midterm – is not as big as it seems.

Analyze before evaluating: Judging something as bad, dangerous, desirable or important is an evaluation that will benefit from analysis. Learning to discern the relevant facts of a situation before evaluating those facts is a fundamental critical thinking skill that will save you from confidence games. It is like looking both ways (analysis) before crossing the street (judgment).

Research the claims: What is the message seeking from you? What does it claim to be? What evidence do you have for these claims? A great way to check any message for phishing is to copy the message text and paste it into a Google search. It took me less than ten seconds to do so with the email that I received this morning (see above) and my search returned hundreds of posts identifying the fraud. This method directs analysis to a safe and useful action.

Never link from an email: Once when I was little I put my finger in a stapler just to see what would happen. Once I clicked on a link in an email just to see what would happen. I have not done either of those things ever again.

Never reply with personal information: Todd Davis is CEO of LifeLock, a personal identity protection company. To promote his product Davis gave out his social security number on television and the Web, claiming that LifeLock would prevent identity theft. Within months his identity was compromised 13 times, including fraudulent loans, credit cards and gift basket purchases. Don’t be like Davis: do not give out your social security number, passwords, credit card information or other personal information unless you are very sure about whom you are giving it to.

Be network selective: be very careful about using personal information on public networks such as coffee shops and airports because you may expose it to an evil twin or wifi sniffer.

Do not reply at all to suspects: do not reply to phishing or spam messages because even selecting the unsubscribe link will verify your email address and invite more malicious attacks.

Use your junk mail, spam filters and security programs: get familiar with your self-defense tools and use them effectively. Look into Google Safe Browsing for Chrome and Firefox. The OSU Computer Walk-Up Help Desk in the Valley Library and the OSU Computer Help Desk at 541-737-3474 will help you become an internet ninja.

Report phishing: the OSU Helpdesk has a feedback form by which you may report phishing messages. See jondorbolo.com for resource links. Reporting helps the community address phishing and makes you more aware because you become an active participant.

Stay informed: security specialists like McAfee Labs, Symantec and Norton are reliable sources for phishing threats and defensive strategies. Being aware of the threat environment and current protective measures is a source of personal power. OSU Computer Helpdesk has extensive online resources on Phishing including effective breakdowns of actual examples plus no-cost security software and help in using it.

Don’t be paranoid: be smart and safe but please do not let this information make you more fearful or cynical. With reason, knowledge and habit adjustment you can be cyber-secure. The key to a better life is learning to see a better world.

For more depth on phishing and other malicious hacking phenomena consider two sources which I drew from for this column.

Phishing Dark Waters, Christopher Hadnagy (2015, Wiley).

The Art of Deception, Kevin Mitnick (2007, Wiley).

Please send your experiences with phishing to me at drtech@oregonstate.edu.

Image Acknowledgements

Spear-Phishing.jpeg
https://blog.knowbe4.com/tech-firm-ubiquity-suffers-46m-cyberheist

4894714911_42f0f50f72.jpeg
https://www.flickr.com/photos/35484468@N07/4894714911

c7bc35f579799a5973f2b66937bcd3af.jpeg
http://www.amazon.com/The-Prince-Dover-Thrift-Editions/dp/0486272745

7557181168_91f4af2d99_b.jpeg
https://www.flickr.com/photos/61423903@N06/7557181168