Tag: cyber hygiene

Stopping Russian Cyberattacks at Their Source [Published in Dark Reading]


In 2016, Lazarus, a notorious hacking group, aimed to steal a billion dollars through the SWIFT interbank communication system. How did the group do it? Social engineering.

Using an innocuous email purporting to be from a job applicant, the hackers gained entry into Bangladesh’s central bank system almost a year earlier. Once in, they learned how SWIFT (the Society for Worldwide Interbank Financial Telecommunication) worked and began to transfer a billion dollars from the Federal Reserve Bank of New York. The heist was accidentally discovered when a staffer at the bank rebooted a hacked printer, which spit out the New York Fed’s confirmation messages in its queue. This stalled that hack, but not before $81 million was stolen.

Lazarus Group members were from North Korea. Its hackers, given the limited access to computing, aren’t the best. Russia’s are. They have developed some of the most potent malware we have seen yet. And if China were to team up with Russia, and there is evidence it is likely to, then we are in for some increasingly brazen attacks.

For context, every major hack in the past decade has origins in one of these nations. Russian hackers slipped malicious code into SolarWinds’ Orion program and got access to the Pentagon and the Cybersecurity and Infrastructure Security Agency (CISA), the DHS office responsible for protecting federal networks. Most ransomware also has roots in Russia. Estimates are that one in three organizations globally is a victim of these attacks, and they are enormously lucrative for hackers. Last year, the meat packer JBS paid $11 million in ransom; Colonial Pipeline paid $5 million. Some of it was recovered, but all of us paid through increased prices. And almost all of this involved social engineering.

Add to this the hacking prowess of China. Data stolen from sources as varied as the Office of Personnel Management (OPM) and every major retailer can be traced to China. According to reports, sophisticated mining operations there are helping Russians craft highly persuasive social engineering attacks.

Growing Russian Hacker Threat
Once isolated and removed from banking systems such as SWIFT, it’s a question of time until Russia turns more sharply toward hacking. And if the country’s currency implodes further and it no longer cares about the rules-based global economy, there will be no way to hold it to account and disruptions will increase. We will end up paying through ransom payments, supply shortages, and higher prices. We have to stop this at its source by protecting users — all of us — the primary conduit through which malware gets into organizations.

While at long last two major cybersecurity bills mandating ransomware reporting are being considered by Congress, the defense of users is still being ignored. That’s because our cybersecurity defense relies on technology vendors. The tech sector’s motivation is to develop more technology. We today have more proprietary technology, with more licenses being sold, than ever before. Bank of America, which a decade ago was spending $400 million on cybersecurity, is now spending a billion dollars. And after all that, thousands of the bank’s California customers were still hacked last year.

How Do We Prevent Cyberattacks?
We need to change this paradigm. We need to invest in open source tools that are developed through private-public partnerships and make licenses available free of charge for at least the first five years to all organizations. This way, they can be applied widely, openly tested, and their value in organizational security can be ascertained.

The same extends to user training — one of the most widely applied, proactive cybersecurity solutions against spear-phishing. Almost all training today is left to vendors, which offer many fee-based training programs. But how good is any of this? There is little data from cybersecurity firms on their effectiveness. The withholding of data has covered inefficiencies in training, which research studies repeatedly point out, and is extremely dangerous because the training programs give organizations a false sense of readiness.

Audits Are Needed
We need audits of organizational training, conducted by independent groups that aren’t motivated by the possibility of selling something more. CISA could set up such a team in the federal government that demonstrates how this can be accomplished. This can serve as a blueprint for IT managers in organizations, who are naturally risk-averse and less inclined to allow anyone to peer into their performance.

Finally, we need to get our netizens prepared for what’s coming. Like the civil defense drills we performed in the 1970s, we need to have cybersecurity drills that make everyone adept at dealing with social engineering. Everyone should have access to free security training and open source backup and threat-detection tools. Organizations should make multifactor authentication the default on all online services. The same goes for credit and identity protection. All of our credit should be locked by default, and credit monitoring, which is a fee-based service, should be free.

Stopping cyberattacks is no longer an option. It is an existential requirement. We may not be able to put our boots on the ground to fight the Russians, but we must ensure that neither our data nor our money help fund their war efforts.

*A version of this post was published in Dark Reading

Why do we still teach our children ABC? [Published in Medium]

“Why do you teach me ABC?” My precocious preschooler pointed to the virtual QWERTY keyboard on the tablet: “Why not ASD?”

As someone who studies the diffusion of innovations — how people learn and adopt new ideas and techniques — I wondered why indeed?

And not just the ABC sequence. Many preschoolers already know words like Xbox, Yahoo and Zoom better than the xylophone, yacht, and zebra we have them learn by rote. Wouldn’t teaching children the words that hold more meaning to them help keep pace with their experiences?

Of course, the QWERTY sequence is itself a product of modern technology. The layout was engineered by placing commonly typed characters farther apart to reduce the chance of font-keys in early manual typewriters jamming when struck together. Although completely unnecessary on today’s electronic keyboards, it has resisted all attempts over the past 50 years at improving its design. Teaching the sequence would, therefore, also be practical because it is the accepted norm, appearing in every input device from ATMs to airplane flight controllers.

Many people, however, believe that the ABC sequence has remained somewhat fixed, while in actuality it has changed over time. Our 26 alphabets began sometime around the 15th century BCE in the Sinai as 22 characters, evolved with the Greeks into 25, and on through the Romans into Latin and the present set of 26. Z, which used to appear after F in Old Latin, was replaced with G, and transposed to its present placement. Here, too, technology and human development played a role. With migration and the expansion of people’s vocabulary, new inflections in speech arose, necessitating newer alphabets such as W. With the invention of writing tools and printing technologies came cursive scripts, lowercase letters, and the development of standardized font families. Thus, the ABC sequence is nothing more than a norm that people have over time agreed upon — no different from QWERTY.

But there is an even stronger argument for teaching the newer sequence. Keyboards are tools for expression, no different from what pens are to writing or language is to literacy. And the sooner you are proficient with the tools, the better you can get at using them. Just as cultures with written languages, because of their ability to transmit knowledge with far greater accuracy, evolved to overtake cultures with spoken language, being adept at using the tools of expression sooner could lead to a higher quality of knowledge transmission. Thus, adapting to the QWERTY sequence sooner would confer an evolutionary advantage for our children and likely even for all of us.

But that’s not all. Today, computing technology has also altered the way we write. Not only do we not use quills and fountain-pens, we rarely write by hand. And this has happened rather fast, even faster than the centuries it took for the evolution of alphabets and font families. Raised in the 1970s, I was taught to write in cursive, a skill which is seldom taught in US schools anymore. Instead, children in 3rd and 4th grade today “write” on computers where not just the writing style but also the process of writing is different.

Because you can only rewrite a document so many times, writing by hand, even on manual typewriters, required thinking before committing words to paper. Modern computers make writing innumerable drafts possible, which makes thinking as we write, without paying attention to style, spelling, or grammar in the initial drafts, possible. This has led to a change in how we write. As the renowned social psychologist Daryl Bem advocates in his oft-cited guide, “…write the first draft as quickly as possible without agonizing over stylistic niceties.”

Newer word-processing apps have altered this process even further. While the ever-popular Microsoft Word allows for a sequential documentation of thoughts, newer apps like Textilus and Scrivener encourage non-sequential writing, allowing authors to tackle different sections, simultaneously, in draft form. Adding to this are advances in voice-to-text programs and machine-learning tools that can capture spoken words and suggest intelligent responses. Many of these, accessible at literally the flick of a wrist on many smartwatches and phones, have changed not just how we write but also our role as writers.

Finally, our idea of literacy itself is expanding. It’s more than just about knowing how to write; it’s about being able to express information creatively. Children need to not only be adept at computing but also at finding information online, crafting persuasive content, and, while doing all of this, protecting their information trails. This requires two additional skills: digital literacy and cyber hygiene. The former equips them with information assessment skills, so they can find the right information and protect against disinformation. The latter instils digital safety skills, so they can’t be manipulated online and their information isn’t compromised. Both are essential for thriving in the virtual world where most of them spend their waking hours, even more so now since the pandemic.

Children are already familiar with an alphabet soup of online services before they step into a classroom. These skills are, thus, best introduced in their formative learning, not in middle school and college where they are presently taught. This will ensure that the next generation is equipped to transmit information with even greater accuracy and creativity all the sooner — an advantage that will accrue to them and to our society as a whole. The first step towards this involves mastering the QWERTY keyboard.

  • A version of this post appeared here: https://medium.com/@avishy001/why-do-we-still-teach-our-children-abc-7f8cde35ec39