Feb. 26th 2012

10 tips to (try to) stay safe
We think we know it all: Do this, do that, do not send credit card numbers in emails, do not wire money to unknown vendors, have an anti-virus software, etc.

However, these (and other) common sense measures are seriously insufficient in today’s cyber warfare environment. They have, of course, to be followed, but it’s not enough, by far, to keep you safe.

Here are a few practical tips, that you might have already heard, but that you should (must) implement as soon as possible, i.e. do it today!

  1. UPDATE: Have a fully patched operating system and browser. This is not difficult: either go to the Windows Update web site (windowsupdate.microsoft.com) or turn on Automatic Updates, or, on a Mac, choose "Software Update" from the Apple menu in the top-left corner. The same applies to your mobile devices! Update your anti-virus (or turn on its auto-update). Turn on your firewall (get one if you don’t have one). Have an anti-malware/anti-spyware tool (once again, get one if you don’t have one).
  2. SMART: Do NOT surf to suspicious websites (illegal content, suspicious domain names or far-away country, offering free stuff that you would normally expect to pay for, etc.) and do NOT fall for scams! You have NOT won a lottery or game (especially if you did not play), and no dormant account with 22 million$ will ever be transferred to yours.
  3. PASSWORDS: Change ALL your passwords to strong (mix of uppercase, lower case, special characters and digits, no dictionary words, no date-of-birth, etc.) and long (length of 10 characters or more), and treat yourself to a good password vault application to store them: do NOT store them on your desktop or on a piece of paper! The same applies to your banking credentials and your credit card pin-codes! Do NOT share the same password (or pin-code). Do NOT use your credit card’s pin-code as your smart phone’s unlock code!
  4. KIDS: If your home computer is shared with your children, consider storing it in an open place. Make the rules clear: no disclosure of private information, no controversial or offensive postings on Facebook (force your children to be friends with you), no deletion of the browser’s history allowed.
  5. BACKUP: Back up your data on separate physical devices (DVDs, USB hard drive, etc.).
  6. WIFI: Use WPA2/AES encryption with a strong passphrase on your home wifi. Have a good admin password on your router/box.
  7. SAFE: Shut down your computer if you don’t use it (consider shutting down your wifi network too for extended periods of non-use).
  8. LOG: Some online accounts tell you when the last successful login was. Make sure you read and verify it. Check your bank accounts regularly.
  9. PUBLIC: Do NOT access your online banking or other sensitive data when browsing from public places (or use a VPN / Proxy). Also be aware of shoulder surfing…
  10. Stay informed!
Jan. 3rd 2012

Can “stack mashing” lead to successful piggybacking?
If, like me, you get confused by some of the terms reported in the press, then you are in for a shock: do tabnabbing, wabbit, vishing, phlashing, phreaking, bluesnarfing or mockingbird mean anything to you?

The good news is that the cyber defense culture is progressively deciphering these terms and therefore improving the vocabulary at your disposal, even without your knowledge. Nobody would think of cookies as being biscuits, and terms like bugs, worms, honey pots, Easter eggs, link farms, meat puppets, phishing, whaling, sheep dipping, fork bomb are not associated with food either, but you may know them.

Even more interestingly, the association between these words of wisdom can even create brand new words: adware comes from advertising-supported software, bluejacking is the sending of unsolicited messages over Bluetooth, cyberpunk is a portmanteau of cybernetics and punk, and was originally coined by Bruce Bethke as the title of his short story "Cyberpunk," published in 1983 (i.e. in the year 15 B.G.¹…). Not to forget the all-famous malware, the malicious software…

So will Jailbreaking result in the hacktivists going to jail after they are skiptraced? Well the stuxpocalypse may not be so far, at least in our dictionary.

1: Before Google

Dec. 1st 2011

10 reasons why you should get worried about IT security [… or get prepared]
As every year for the last 40 years (since the very first “Creeper” virus in 1971), the evolution of the IT threat is a major concern for us all, mostly because nobody knows for sure what’s going to hit us hard.
  1. Attacks directly targeting NATO, as our involvement in multiple theaters of operation may energize even more black hats, from script kiddie to Nation state…
  2. As social networking becomes increasingly popular, attacks taking advantage of web users’ behavior and weaknesses are likely to overcome the good (bad) old email attachment scare.
  3. Stuxnet was a first, but certainly not a last. It was like flying an F-15 over a WWI battlefield. Suddenly our most protected, air-gapped networks (not only office business) feel at risk from trouble-makers.
  4. Cell phones: our most beloved smart phones, tablets, and even the precious iPhone will be, or already are, victims of their own success. The famous XIXth century prediction, made by a city mayor in the American Midwest when first seeing Graham Bell’s new invention, the telephone: “One day every town in America will have a telephone”, reminds us how risky the business of seeing into the future is. Shall we dare to predict that one day, our coffee machines and apartment thermostats will run their own AVs¹ and IDSs²?
  5. Two words: Advanced Evasion Techniques. Will these flatten our IPSs³ and IDSs²?
  6. Wikileaks (or Facebook or Gmail, etc): They demonstrate that technology isn’t enough to help protect our secrets. The human factor, through company & security policies, education & training, knowledge management, etc. is all important.
  7. Vulnerabilities: They are around but we don’t see them. It’s a bit like the story of the guy that invented a bullet-proof jacket, and, at the same time, the special bullet that could pierce it. We have more and more security, more passwords, updates and downloads, but are we safer?
  8. Security – whatever the cuts…
  9. IE9⁴! Information technology is unique in the way vendors trick you into spending valuable resources in order to change perfectly working products: could you name one thing wrong with IE7⁴?
  10. And now the worst one: the threat nobody expects because it does not exist yet, but somebody is working on it…
We think of computer science as a 3-tier storyboard: First was the hardware time (security: lock the door!), followed by software time (Microsoft, Oracle, etc.) and now the Information time with its need-to-know, need-to-share, one-way diodes, security forests, etc. But, because of the malware, crapware, zombie PCs, etc. our information super-highways are unfortunately very unsafe, and just like the real road, it’s our behavior “at the wheel” that will make the difference.

1: AV: Anti-Virus
2: IDS: Intrusion Detection System
3: IPS: Intrusion Protection System
4: IEX: Internet Explorer version X

About the author

I am a Certified Information Systems Security Professional (CISSP), relocating from France to Victoria, BC, in June 2012. My experience includes work as a cyber defense officer and IT program management for both NATO and the French defense industry.

My new year's resolutions include maintaining this blog, to share stories or simply simple thoughts related to Cyber defense or IT security.

 
