The Cyber Chronicles | Episode 5 – Cloudy With a Chance of Breach

Navigating ‘the Cloud’

Let’s talk about “the Cloud.” You know the Cloud, right? It’s a place to store your information on a bunch of other people’s computers that you don’t control. Oh, and you also have no control over whether your information is stored on the same hard drive as that of a Russian hacker, or an NSA toolkit, or perhaps just some company’s data, maybe like LinkedIn’s user database, or some other valuable information that makes the server where your data also happens to reside a frequently targeted environment.

AWARE

Let’s talk about how awesome the Cloud is … you don’t have to pay the electricity bill, you don’t have to upgrade the OS, you don’t have to do any administration at all, in fact. You just drag and drop your data and, presto, you’re using the Cloud!

Of course, you also have no way to confirm the OS is properly patched and upgraded, but we can certainly trust all these major corporations to be doing things right. Right? Hello? Ferris? Anyone?

If you’re an observant reader, you might be sensing that I’m suspicious of the Cloud. Well, yes, a little bit, but I’m trying to get you to be suspicious of the Cloud, because right now most of us spray data out into the Internet like I spray my kids with a hose on a 105-degree day – without a second thought! And with data, we don’t know where it’s going, whether it’s private or whether you can effectively get it back. I can delete a file today, but if you copied it yesterday, you still have my data. I bet Jennifer Lawrence wishes she had thought about that pesky reality.

There are so many issues with the Cloud I had a hard time deciding what to talk about. But true to form, I decided to tell you a story. It was a bit difficult to put together the pieces because they go back to 2011 — the Mesozoic era of the Internet. (That works out to 66 million Internet years … I’m not quite clear on the math, but why are you distracting me?)


CARE

So … back in 2012, Dropbox announced they were investigating a strange increase in spam being received by Dropbox users. Dropbox even hired third-party experts to check it out. Reassuringly (at least back when you could trust people on the Internet … wait, you used to trust people on the Internet?), they found no evidence of a security breach.

Dropbox posted the following on its customer forums:

[Image: screenshot of the Dropbox forum post]

Now those would have been reassuring words, except that a year earlier, in June 2011, Dropbox had to admit that it had accidentally pushed code to its live, public site that, for roughly four hours, allowed anyone to sign in to any Dropbox account using any password at all. (I imagine right about now you’re feeling really good about storing your tax returns on Dropbox.)

But let’s return to 2012. Dropbox had an outside party investigating the strange amount of spam, and that outside party concluded: “Move along! Nothing to see here …”

Except that on July 31, 2012, Dropbox sheepishly announced:

“We’ve been working hard to get to the bottom of this …”

And you probably know how this ends. Instead of “no intrusions and no unauthorized activity,” as previously announced, it turns out: “Our investigation found that usernames and passwords recently stolen from other websites [always pass the buck – it can’t be your fault] were used to sign in to a small number of Dropbox accounts” (emphasis and words in [brackets] are mine).

Fast forward to 2016, when it was revealed that the 2012 intrusion had not been “small” at all: a file of 68,680,741 Dropbox user records (email addresses plus hashed passwords), taken during that same incident, surfaced online. (Just to confirm, that’s 68.7 million.) Guess how we found out the real scope? Four years later, someone offered the file for sale online. Oh, minor point: That’s also how Dropbox learned the stolen data was circulating.

PREPARE

So, full confession: I’m a Dropbox customer. It’s just so darned convenient. However, I take several precautions, which I’ll share with you in a moment here. Before we go there, I want to make sure you know I’m not picking on Dropbox (well, maybe a little), because I could have chosen any of several Cloud companies, and they would have looked equally bad. It’s just seeing the details of reality all up close like this that smacks us in the face. We could have focused on Cloud companies’ data utilization policies, their basically non-existent privacy policies or what happens to your data when a fledgling Cloud storage company goes out of business (who wipes those repurposed servers?), but I had to pick something, and this story wasn’t writing itself.

What should you do to keep your data safe in the Cloud?

  1. Never store anything online that you wouldn’t want your next-door neighbor to read.
  2. Always use a lengthy, complex password.
  3. Never use a password that you’ve ever used anywhere else. That is exactly how the Dropbox accounts in the story above were entered: passwords stolen from other websites, replayed against Dropbox. (Read this cautionary tale for a reminder of the “why.”)

Let’s give some specific examples:

  • Don’t back up your Quicken (or any other financial software) data to the Cloud.
  • Don’t put your W2, your tax returns, your budget spreadsheet or any other financial information in the Cloud.
  • Don’t back up an entire old hard drive to the Cloud. Do you really remember everything you had stored on there?
  • Don’t put a list of passwords in the Cloud.
  • Remember when you had to scan in your driver’s license and upload it to someone? Don’t store that in the Cloud.

I think you get the picture. We’re all going to use the Cloud – that’s inevitable, but you’d better be paranoid about what you put up there. Information is a valuable commodity in this digital age, and the Cloud is really just a digital neighborhood with glass walls.

The Cyber Chronicles | Episode 4 – Pete, Tweet & Repeat

Social Media Safety.

Even though all of these articles cover serious topics, we’ve been trying to have a little fun with the process, but today I’m being very serious. The issue we’re going to discuss and the story I’m going to tell you are no joke.

On Monday we discussed the need to change how we think about information, so in a way this article is a continuation of that conversation, but we’re going to focus in on social media as a completely out of control information sieve that threatens our lives in multiple ways.

Let’s begin by admitting that most of us are not really up to speed on social media. We may think we know what our kids are doing, we may be really hip and use Facebook, Instagram and Twitter, but check out the following list of social media apps. How many did you even know existed?

AWARE

[Image: list of social media apps]

CARE

Why should we be concerned about this? Let’s talk about Elizabeth.

So far as I can tell, Elizabeth’s story was first told by the boyfriend of her sister, Amy, in a Reddit thread about a year ago. Elizabeth was 13; her mom was an ER nurse at Grady Health System. They lived outside the Little Five Points neighborhood in Atlanta. Unfortunately, because of the nature of her job, Elizabeth’s mom was often unreachable by phone. One night the oldest sister, Amy, who attended the University of Georgia an hour and a half away in Athens, received a call from a hysterical Elizabeth. Here’s what had happened.

Elizabeth liked using the video sharing app Periscope; in fact, she had built up quite a few followers and typically had 10-20 people watching her at any given time. She would broadcast for two to three hours a day, leaving the camera on to record her normal life: doing her homework or putting on makeup. She would frequently interact with her various followers, and while there are always creeps on Periscope, she could easily block them. One follower was always there but never said anything; this person followed no one else and never broadcast any video of their own. If Elizabeth began broadcasting, however, within a minute this person would join her feed, but never commented and never responded to any of her attempts to draw them out.

One night while broadcasting painting her nails, she was being watched only by the silent user. Once again, she tried to draw them out, sending messages of smiley faces, asking various questions, all to no response. Finally, she went to bed but kept checking Periscope, wondering if anyone else would join her feed. Suddenly, she received a message from the silent watcher:

“Is your mom still at Grady?”

Elizabeth’s Periscope username wasn’t linked to her Facebook or anything else, and location sharing was turned off. How could this person know where her Mom worked, and that she was at work tonight?! Feeling panicked, Elizabeth instantly ended her broadcast.

A few minutes later she received a notification. The silent watcher was broadcasting for the first time ever. Elizabeth clicked to watch and saw a shaky video feed of the outside of her house! With growing horror she saw the camera view shift downward and become not just creepy but indecent.

PREPARE

We’re not ready for the intrusive reality of social media. Few of us carefully monitor the information we unwittingly reveal on social media, let alone know precisely what our kids are doing on their smartphones, tablets or MacBooks. How many of the apps in the list above (and there are many more I could have listed) is your child using? Do you have their username and password for each account? The passcode to their phone or tablet? Do you have an account on every social media platform they use, so you can monitor whether they’re safe?

If not, here’s where to start. Maintain a conversational relationship with your child, use your social media accounts as an example and discuss why you never mention that you’re “heading to McCall,” or that you can’t wait to attend the Owl City concert, etc. Discuss the difference between people we actually know, and people we only know through their online presentation of themselves.

10 Ideas to Help Keep You and Your Loved Ones Safe Online

  1. Stop thinking you have nothing worth a cyber-criminal’s interest.
  2. Stop your bad password habits.
  3. Use multi-factor authentication for all accounts.
  4. Put at least six-digit PINs on smartphones and tablets.
  5. Make sure you as a parent have the codes to your children’s devices and their accounts.
  6. Educate yourself, your parents, and your kids on common scams.
  7. Review every app or platform’s privacy settings, and discuss the danger of connections from third-party apps (see the recent Facebook and Google breaches, both tied to third-party app access).
  8. Conduct intra-family tabletop exercises or “war games,” and attempt to theoretically compromise (by hacking or physical breach) each other on the basis of information revealed in each person’s online presence.
  9. Conduct true-or-false exposés where each member of the family gets to reveal whether a popular meme or “news” story is misleading or reliable.
  10. Limit children’s online “friends” to 200. Research focused particularly on middle school kids indicates that cyber bullying and other negative encounters rise sharply once a child accumulates more than 200 “friends.” Consider limiting your child’s online friends to those they have touched, or would consider touching, on the shoulder; this will likely be fewer than 200 people.

Wrestling with God’s Law as Ceremonial, Civil, & Moral

In light of recent posts that have touched on the overarching structure of Scripture and how the OT and the NT properly interact, I’m curious…how do you all feel about the traditional division of the law (moral, ceremonial, civil), and how would you say it’s proper to determine that something from the OT does *not* carry over?

While there is significant preceding evidence that God entered into covenantal relationship with humans, at Sinai he specifically and exhaustively made clear—in a manner intended to be received by all who heard it, and to endure for all to come—that he intended to relate to mankind in a covenantal manner. He thus promised to be faithful to his chosen (elected) people, and they in turn were expected to obey his law or Torah. The law dictated the lifestyle of the people and reflected how a human was to relate to God, to others, to self and to material things (see McGonigle & Quigley, A History of the Christian Tradition from Its Jewish Origins to the Reformation, pg. 34).

To the degree that these laws directly reflected the nature of God in universal and timeless application these laws have never and will never be annulled. Laws of this nature have sometimes, helpfully, been called the moral law of God. Those laws appear in seemingly random places throughout Scripture and are variously summarized in multiple places and ways, including the 10 Commandments, the 2 Great Commandments, Micah 6:8, and elsewhere.

It is impossible to ignore the observable reality that within the Sinai legislation are laws peculiar to the situation of national Israel within the Land of Promise, ruled by judges and magistrates constrained by the Sinai legislation as their national law, and in the presence of a functioning Tabernacle/Temple system. Christian men have therefore sometimes quickly summarized those laws which endure with universal application as moral, those which apply specifically to the Temple system as ceremonial, and those which specifically direct the nation-state of Israel in the Land and governing themselves as civil. This shorthand description can function as a helpful categorization in aid to the complex process of deriving healthy, biblical application in diverse times and places.

To the degree that so-called ceremonial or civil laws reflect the character of God in a universally applicable manner, these laws remain binding in every age, though they do not, necessarily, direct all men in every place with specificity. So, all men everywhere are required to acknowledge God and no god before Him (Ex. 20:2-3), yet it is also true that all men everywhere are not mandated to redeem their firstborn son for the price of five shekels, to be given to the sons of Aaron (Num. 3:40-51).

There are several Reformation-era statements on these matters that are very helpful, especially when read as summary statements, reflecting extensive underlying exegetical work. Here are two that I especially like:

I. As the ceremonial law was concerned with God, the political was concerned with the neighbor.

II. In those matters on which it is in harmony with the moral law and with ordinary justice, it is binding upon us.

III. In those matters which were peculiar to that law and were prescribed for the promised land or the situation of the Jewish state, it has not more force for us than the laws of foreign commonwealths.

(Johannes Wollebius [1589-1629], Compendium theologiae christianae)

VII. OF THE OLD TESTAMENT

“The Old Testament is not contrary to the New: for both in the Old and New Testament everlasting life is offered to Mankind by Christ, who is the only Mediator between God and Man, being both God and Man. Wherefore they are not to be heard, which feign that the old Fathers did look only for transitory promises. Although the Law given from God by Moses, as touching Ceremonies and Rites, do not bind Christian men, nor the Civil precepts thereof ought of necessity to be received in any commonwealth; yet notwithstanding, no Christian man whatsoever is free from the obedience of the Commandments which are called Moral.”

(39 Articles of Religion, 1562)

I’ve been giving this topic significant thought for several years now. In fact, I think I first mentioned it briefly in public at the 2013 New England Messianic Conference. I’ve been spending a lot of time on the topic recently because I think I’m finally making some progress in articulating something that will make sense to people. For a long time it was something I was intuiting, and I struggled to convey what I meant.

One thing I believe we should acknowledge is that the stereotypical response of pro-Torah people to this topic has not been well thought out, or sensitive to historical context. Among the Reformers and their early descendants (with some exceptions), references to the tripartite division of the Law were not meant as a rationale for escaping the present applicability of God’s law, but as a shorthand reference to the work of figuring out how to apply it. Unfortunately, being not well informed on Reformation-era thought, too many have reacted against one sentence in the 19th chapter of the Westminster Confession (echoed in Chapter 19 of the 1689 London Baptist Confession), without being familiar with the broader context in which those statements were made.

I think we can all agree that figuring out how to apply God’s law to our contemporary situation is rarely easy. Just like “circumcision” had become shorthand for the proselyte conversion process in the 2nd Temple era, the division of the law into ceremonial, civil, and moral categories had become shorthand during the Reformation era and following for referring to the significant wrestling they had done to determine the manner in which God’s law should be applied in their time period.

But we read, “All which ceremonial laws are now abrogated, under the New Testament,” and we freak out, forgetting how precise these folks were in working out these concise statements. See, for example, the two quotes above.

There are at least four items of background we need to be aware of when considering this topic:

  1. For the Reformers, the reference to a tripartite categorization of God’s law was not a way to escape keeping God’s law, but a shorthand reference to textual exegesis focused on the manner in which his law should be kept.
  2. Over time, however, at least in practice if not in theology, this idea became a justification for why, essentially, nothing more than the 10 Commandments applied to contemporary Gentile believers.
  3. Dispensationalists seized on the complexity of the problem and the inevitable resulting inconsistency and said, “See, you can’t do this, it’s a unified whole and you must acknowledge that the entire thing has been done away with.”
  4. In reaction against the Dispensationalist view, which had increasingly influenced the practice, if not the theology, of Reformed people in the pews, pro-Torah folks (ironically) insisted that the Dispensationalists were right: the law could not be categorized into parts but must be accepted as a unified whole. In practice, however, they continued to inconsistently practice only those things which might be described as moral, while ignoring those things which might apply to our congregational life (ceremonial) or political scene (civil).

It is time for us to stop reacting and to continue proactively articulating historically sensitive, theologically mature, biblically defensible, and eminently practical statements of our own. These will correct but not reject the overwhelmingly faithful line of reliable saints who have preceded us.

The Cyber Chronicles | Episode 3 – Nothing is Free

Information in the Digital Age.

I’m sure you’ve heard the truism as often as I:

“Nothing is free…”

I wonder if you’ve heard the follow-up? Nothing is free; you will pay with either time, money or information. Increasingly in our digital age, information is the most valuable one of those commodities.

AWARE

Recall the ubiquitous crime board that appears in every television detective drama. Whether or not actual detectives use these, this idea accurately captures the essence of what hackers are doing in their ongoing attempts to build a robust profile on you or your organization.

[Image: crime board]

Why is information so valuable to a hacker? Because specificity conveys authenticity. Every bit of info increases the hacker’s chance of appearing to be an insider, and thus of securing your confidence.


CARE

We drip information like my daughter’s ’97 Volvo leaks oil. It’s not pretty! (the leaking oil, that is, she’s awesome)


Let me tell you a story that happened last week. Names have been obscured to protect the innocent.

A program manager I work with was giving a training on trauma to some firefighters who were joining remotely over Skype. This was a multi-day class, and the day before everything had gone swimmingly, but today a lone guy in a particular station was having trouble accessing the meeting. Ever the problem-solver, the program manager suggested she email him the PowerPoint, and he could follow along over the phone without video access. I love these “get ‘er done” kind of people!

Everything was hunky-dory till she was informed by Compliance that she had distributed the Protected Health Information (PHI) of more than 700 people. Freaked out by what she had never intended, and extraordinarily confident that there was no PHI in the PowerPoint, the program manager called Compliance to determine what on earth had happened.


As she related the story to me, right in the middle of her asserting that there was no PHI in this PowerPoint, the Compliance employee on the other end of the line directed her to a particular slide and, within three clicks, turned a summary graph containing no individual information into the entire data source from her original spreadsheet. A chart pasted from Excel is not a picture; it is a live chart object that carries its source workbook along with it, and “Edit Data” opens that workbook for anyone holding the file.

PREPARE

So, I’m telling this story at her request, as she wants everyone to know that if you need to put a graph in a PowerPoint or other Microsoft Office document, for Pete’s sake, please take a screenshot!

Whatever you do, don’t copy/paste, insert or embed your Excel chart into that PowerPoint as a chart object. The default paste embeds the whole workbook, every sheet and every row, not just the cells the chart plots. Paste it as a picture, or use a screenshot, so that only the pixels travel and not the rows behind them.
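Here is a way to check a deck before it goes out, as an added example that is not part of the original article or the Compliance team’s tooling: it opens the .pptx as the zip archive it is and reports the parts that can carry data a recipient was never meant to see. The part names and the XML element it looks for are the ones PowerPoint actually writes; the sample decks it builds are constructed in memory for the demonstration.

```python
"""Report the parts of a .pptx that can leak the spreadsheet behind a chart.

Added example, not code from the original article. A .pptx is a zip archive;
PowerPoint stores a pasted or inserted chart as ppt/charts/chartN.xml (with
every plotted value cached inside) and, when the workbook is embedded, the
whole workbook as ppt/embeddings/*.xlsx, referenced from the chart part by a
<c:externalData> element. The sample decks below are constructed in memory.
"""
import io
import re
import zipfile

EMBEDDING_RE = re.compile(r"^ppt/embeddings/[^/]+\.(?:xlsx|xlsm|xls|bin)$", re.I)
CHART_RE = re.compile(r"^ppt/charts/chart\d+\.xml$", re.I)


def scan_pptx(data: bytes) -> dict:
    """Return what a recipient could dig out of the deck.

    embedded:                  embedded workbooks as (part name, bytes); this is
                               the entire spreadsheet, every sheet and row
    charts_with_external_data: chart parts that point at such a workbook
    cached_values:             <c:v> cells cached in chart XML; even with no
                               workbook, every plotted number is readable
    """
    found = {"embedded": [], "charts_with_external_data": [], "cached_values": 0}
    with zipfile.ZipFile(io.BytesIO(data)) as deck:
        for info in deck.infolist():
            name = info.filename
            if EMBEDDING_RE.match(name):
                found["embedded"].append((name, info.file_size))
            elif CHART_RE.match(name):
                xml = deck.read(name).decode("utf-8", "replace")
                if "<c:externalData" in xml:
                    found["charts_with_external_data"].append(name)
                found["cached_values"] += len(re.findall(r"<c:v>", xml))
    return found


def is_safe_to_send(data: bytes) -> bool:
    """True only if the deck carries no chart parts and no embedded workbooks,
    i.e. any graph in it is a picture."""
    found = scan_pptx(data)
    return (not found["embedded"]
            and not found["charts_with_external_data"]
            and found["cached_values"] == 0)


def build_sample_deck(pasted_as_chart: bool) -> bytes:
    """Constructed stand-in for a deck with one graph on one slide: either an
    Excel chart pasted with its workbook, or a screenshot of the same graph.
    Real decks contain many more parts; only the ones the scanner keys on are
    included here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as deck:
        deck.writestr("[Content_Types].xml", "<Types/>")
        deck.writestr("ppt/slides/slide1.xml", "<p:sld/>")
        if pasted_as_chart:
            chart_xml = (
                "<c:chartSpace><c:chart><c:plotArea><c:barChart><c:ser>"
                "<c:val><c:numRef><c:f>Sheet1!$B$2:$B$3</c:f><c:numCache>"
                "<c:pt idx='0'><c:v>712</c:v></c:pt>"
                "<c:pt idx='1'><c:v>38</c:v></c:pt>"
                "</c:numCache></c:numRef></c:val>"
                "</c:ser></c:barChart></c:plotArea></c:chart>"
                "<c:externalData r:id='rId1'/></c:chartSpace>"
            )
            deck.writestr("ppt/charts/chart1.xml", chart_xml)
            deck.writestr("ppt/charts/_rels/chart1.xml.rels", "<Relationships/>")
            # Constructed: the whole source workbook rides along with the chart.
            deck.writestr("ppt/embeddings/Microsoft_Excel_Worksheet.xlsx",
                          b"PK" + b"\0" * 4094)
        else:
            deck.writestr("ppt/media/image1.png", b"\x89PNG" + b"\0" * 60)
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("pasted chart", True), ("screenshot", False)):
        deck = build_sample_deck(flag)
        print(label, scan_pptx(deck), "safe to send:", is_safe_to_send(deck))
```

Run it against a real file with `scan_pptx(open(path, "rb").read())`. An embedded workbook is the whole spreadsheet, not the plotted range; and even a chart with no embedded workbook still caches every plotted number in its XML, which is why only a pasted picture counts as safe here.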

I hope you will start thinking differently about information. It’s a valuable commodity we reveal constantly with precious little thought to how we are endangering ourselves or others.

The Cyber Chronicles | Episode 2 – Credible Credentials

It’s time to confess your cyber sins. It’s OK. I’m a professional.

Have you ever used the same password more than once?

Don’t be ashamed. We’ve all done it. Repeat after me:

“Hello, my name is __________ and I am a password re-user.”

“We love you __________.”

Was it Confucius (or was that Sun Tzu?) who said, “Know thy enemy.”  Corrie Ten Boom was a bit more descriptive, “The first step on the way to victory is to recognize the enemy.”

In the case of passwords, we need to be more specific:

“We have met the enemy and he is us.” – Walt Kelly

Perhaps your employer, like many responsible organizations, has quite a few requirements for the creation and management of passwords — rightfully so! As I’ll describe below, our passwords are remarkably vulnerable, due, of course, to human nature. (We have met the enemy …)

AWARE

An acquaintance of mine was hired to gain access to a major manufacturing company (call it Company B) in a “pen test.” So … he first went out to LinkedIn and gathered the profiles of 100 Company B employees. He then did a bit of research with Professor Google, and discovered Company B’s email domain and username format, along with how to access the company’s email online.

(Try this yourself: Open a new browser window, and search for “marriott email access”; what’s the first result?)

Now Company B had a policy that everyone’s password had to be changed every 90 days, or 4 times per year. This was a responsible company trying to do a good job, so, of course, they also locked people out after five incorrect password guesses. So guess what my friend did?

Knowing human nature, he turned to the first of his LinkedIn-collected employees and via the company’s browser-based access to Outlook he typed in jsmith@companyb.com with a password of “Autumn2018.” No luck. So he proceeded to the next employee and entered jdoe@companyb.com with a password of “Autumn2018.”

(See how that works. You have to change your password four times a year: Winter2018, Summer2018, etc. — easy to remember, 10 characters, a capital letter, a number, etc. “We have met the enemy …”) 

After trying 100 employee emails with the password “Autumn2018,” one guess per account so that nobody tripped the five-strike lockout, he had accessed the email of four Company B employees!

The next step was to begin doing strategic searches through the employees’ email. Before long he found a conversation revealing the existence of a legacy VPN site that didn’t require Multi-factor Authentication. In two shakes of a lamb’s tail he had inside access to Company B’s network. The rest of the story gets worse from there, but we’re focused on passwords here.
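Here is what the defender’s side of that story looks like, as an added example that is not from the original article or the pen tester’s own tooling: a detection that groups sign-in failures by source rather than by account, which is the only view in which a one-guess-per-user spray stands out. The log format, the log lines and the thresholds (a five-guess lockout as in the story; ten distinct users per source within an hour as an assumed alert threshold) are constructed for the demonstration.

```python
"""Detect a low-and-slow password spray in a sign-in log.

Added example, not code from the original article or the pen tester.
The log format, the sample lines and the thresholds are constructed for
the demonstration; adapt the parser to your own OWA or identity-provider
sign-in logs.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

LOCKOUT_THRESHOLD = 5    # Company B locked an account after five bad guesses
MIN_DISTINCT_USERS = 10  # assumed: one source failing against 10+ users is a spray
WINDOW = timedelta(hours=1)


def parse(lines):
    """Turn raw lines into (timestamp, src, user, result) tuples, oldest first."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:  # ignore anything that is not a sign-in record
            continue
        events.append((datetime.strptime(m["ts"], TS_FMT), m["src"], m["user"], m["result"]))
    events.sort()
    return events


def find_sprays(lines):
    """Return {src: {targets, max_failures_per_user, compromised}} for every
    source that spread its failures across many accounts while keeping each
    account under the lockout threshold.

    Per-account monitoring never sees this: each user has a single failure,
    which looks like a typo. Grouping failures by source is what makes the
    pattern visible.
    """
    per_src = defaultdict(list)
    for ev in parse(lines):
        per_src[ev[1]].append(ev)

    alerts = {}
    for src, evs in per_src.items():
        fails = [e for e in evs if e[3] == "FAIL"]
        for i, (t0, _, _, _) in enumerate(fails):
            window = [e for e in fails[i:] if e[0] - t0 <= WINDOW]
            per_user = defaultdict(int)
            for _, _, user, _ in window:
                per_user[user] += 1
            if len(per_user) >= MIN_DISTINCT_USERS and max(per_user.values()) < LOCKOUT_THRESHOLD:
                # any account the same source then signed into is presumed compromised
                hits = sorted({u for t, _, u, r in evs if r == "OK" and t >= t0})
                alerts[src] = {"targets": len(per_user),
                               "max_failures_per_user": max(per_user.values()),
                               "compromised": hits}
                break
    return alerts


def build_sample_log():
    """Constructed sample: 203.0.113.7 tries one guess against twelve accounts,
    two minutes apart (ten fail, two succeed); 198.51.100.9 is an employee who
    mistypes twice and then signs in."""
    base = datetime(2018, 10, 2, 8, 0, 0)
    lines = []
    for i in range(12):
        user = f"user{i:02d}"
        result = "OK" if user in ("user03", "user09") else "FAIL"
        ts = (base + timedelta(minutes=2 * i)).strftime(TS_FMT)
        lines.append(f"{ts} src=203.0.113.7 user={user} result={result}")
    for j, result in enumerate(("FAIL", "FAIL", "OK")):
        ts = (base + timedelta(minutes=j)).strftime(TS_FMT)
        lines.append(f"{ts} src=198.51.100.9 user=alice result={result}")
    return lines


if __name__ == "__main__":
    for src, detail in find_sprays(build_sample_log()).items():
        print(f"spray from {src}: {detail}")
```

Note what the lockout policy buys you here: nothing. Every targeted account stays at one failure, so no lockout fires and no per-user alert fires; only the source-level view catches the spray, and the two accounts that returned OK afterwards are the ones to reset and investigate first.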

PREPARE

What can you do? Fortunately, the skills you develop in responsible password management will serve you just as well at home as they do at work.

Your employer probably requires several factors to be true of a password:

  • Passwords cannot contain more than four consecutive letters of any dictionary word.
  • Passwords must include at least three of the following four character classes: uppercase letters, lowercase letters, digits and special characters.
  • Passwords must be a minimum of eight characters.
  • Passwords cannot be the same as any of the previous 24 passwords used for that account.

Need help creating good, satisfactory passwords? This article by lifehacker is very good. You will note that you basically need a Password Manager. I’m partial to Bitwarden, but there are also many other good ones.

The Cyber Chronicles | Episode 1 – SIM Jacking

The Skeleton Key to Your Life.

Your phone is Grand Central Station for confirming your identity. You can show the DMV your Confirmation of Insurance on the screen of your mobile. You confirm attempted logins to corporate resources via Microsoft or Google Authenticator on your phone. You receive Verification Codes for logins galore … on your phone. Needless to say, if your phone landed in the hands of someone unscrupulous, it could be a disaster.

AWARE

What if your phone was in your hand, but no longer viewed by the rest of the world as being yours? This nightmare is not imaginary. In fact, a Salt Lake City couple told the story of their recent experience to a journalist working for VICE.

According to that reporter, Rachel and Adam Ostlund were minding their own business one evening last September when Rachel received a strange text (see the image below) and suddenly lost all connectivity to the cell network.

[Image: the text message Rachel received]

Puzzled, Rachel logged into her email via computer and noticed that many of her passwords were being changed. Long minutes later, Adam answered his phone only to realize he was talking to one of the hackers behind the hijacking of Rachel’s phone number.

The Ostlunds had fallen victim to an increasingly common scam called SIM Jacking or SIM Swapping. Cell phone providers call it a “port out scam.” Unfortunately, Rachel was the owner of a highly sought after, short and sweet Instagram handle, which hackers can sell for thousands of dollars.

None of the security measures Rachel had taken to secure the several accounts that were compromised made any difference once the hackers seized control of her phone number.

CARE

Your phone has become the skeleton key to your life; the confirmation of your identity for dozens of accounts.

If you forgot the password to your personal email how would Google, Microsoft, or Yahoo contact you? Whether via call, text, or email, it would almost certainly be via your phone. What if you forgot the password to your bank account?

While it is good that an increasing number of organizations are moving to implement multi-factor authentication, the problem with using our phones as the central hub of confirmation is that they are remarkably vulnerable to compromise by external parties.

In June of this year the largest consumer marketing database in the world was exposed online, containing records on 230 million consumers. To put that into perspective, there are 240 million adults in the United States.

While the database did not contain social security or credit card numbers, it did have highly detailed information with entries on more than 400 variables, including address, phone number, religion, smoking status, number, age and sex of children, preference for plus-sized clothing, cat or dog-owner, etc.

If that kind of information is available online, how difficult would it be for someone to impersonate you to a customer service rep over the phone?

The technique behind SIM Jacking is incredibly simple. The scammer calls your carrier’s customer service pretending to be you and asks to move your number to a new SIM card (or to port it out to another carrier). Only a trivial social engineering effort is required to “confirm” their identity as you, and you suddenly lose access to the cell network, and with it to every account that uses your number for verification.

The Mobile providers are aware of this trend, but reluctant to provide statistics on its frequency, though at least one provider has informed its customers of an “industry-wide” threat.

According to the VICE reporter, Rachel and Adam called the police, who seemed puzzled and said there was nothing they could do. The Ostlunds did manage to get Rachel’s number back by calling T-Mobile, and were able to reset and regain control of all her accounts except for Instagram.

PREPARE

Making SIM swapping much harder is relatively simple and absolutely necessary. Call your cell phone provider and set an account PIN or password that must be provided before any changes are made to your account. Then never use that PIN or password anywhere else for anything else. Where a service offers it, also move your most important accounts from text-message codes to an authenticator app, so that a hijacked number no longer unlocks them.

For more information check out the following links:

https://www.digitaltrends.com/mobile/sim-swap-fraud-explained/ [digitaltrends.com] (with instructions for safeguarding yourself)

https://www.wired.com/story/sim-swap-attack-defend-phone/ [wired.com] (another, more recent article on protecting yourself)

Note: The story of Adam and Rachel Ostlund was originally told in an article for VICE and contains NSFW language, used by the hackers.