Double, double toil and trouble; fire burn and cauldron bubble . . .
–Macbeth (Act IV, Scene 1)
Those three Shakespearean witches chanted a series of familiar things—eye of newt, toe of frog, wool of bat, tongue of dog—but stirred them into a surprising context: a not-so-appetizing stew. Halloween is all about changing what we know into something it is not, tweaking our expectations with something out of the ordinary. No wonder Halloween is the perfect Internet Era holiday! Halloween is all about secrets, and spiders, and webs—oh my—and collecting goodies (mostly from strangers) with the stated promise to do no harm. Halloween is about benign deception, as is cyber security. Often, however, the benign deception in cyber security starts with the tech expert using familiar words in an unfamiliar context. We revel in our not-so-secret desire to be perceived as wizards any time of year. So let’s look behind the curtain and decrypt some common cyber words (highlighted in bold) into Halloweenish (Halloweenese?).
Challenge/response—“Trick or Treat” is the challenge; dropping candy into an open sack is the expected response under the Halloween protocol (the agreed rules for what comes next). Access control works the same way: the system issues a challenge and grants access only to a correct response. The proof offered may be a single factor (e.g., a password or a badge) or multifactor (e.g., a password plus a badge and/or a thumbprint scan). In the stricter cryptographic sense, a challenge/response exchange uses a fresh, random challenge every time, so that an eavesdropper who captures one response cannot simply replay it later.
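To make the replay point concrete, here is an added example (not code from the original post) of a minimal challenge/response exchange: the server hands out a random one-time nonce, the client answers with an HMAC over that nonce keyed by a shared secret, and the server accepts each nonce only once. The shared secret and the nonce length are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets


class Verifier:
    """Server side: issues one-time challenges and checks the responses.

    The shared secret is assumed to have been enrolled out of band; here it
    is simply passed in (an assumption for the example).
    """

    def __init__(self, shared_secret: bytes):
        self._secret = shared_secret
        self._outstanding = set()  # challenges issued but not yet answered

    def challenge(self) -> bytes:
        """Issue a fresh 16-byte random nonce and remember it."""
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        """Accept a response only if its nonce is outstanding, then retire it.

        Because the nonce is removed on first use, a replayed response fails
        even though it is a correct HMAC of that nonce.
        """
        if nonce not in self._outstanding:
            return False
        self._outstanding.discard(nonce)
        expected = hmac.new(self._secret, nonce, hashlib.sha256).digest()
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(expected, response)


def respond(shared_secret: bytes, nonce: bytes) -> bytes:
    """Client side: prove knowledge of the secret without transmitting it."""
    return hmac.new(shared_secret, nonce, hashlib.sha256).digest()


def demo() -> dict:
    """Run one legitimate exchange, one replay, and one wrong-secret attempt."""
    secret = b"constructed-demo-secret"  # constructed for the example only
    server = Verifier(secret)

    nonce = server.challenge()
    answer = respond(secret, nonce)
    results = {
        "first": server.verify(nonce, answer),   # genuine response
        "replay": server.verify(nonce, answer),  # same bytes again: rejected
    }

    nonce2 = server.challenge()
    results["wrong_secret"] = server.verify(nonce2, respond(b"other", nonce2))
    return results


if __name__ == "__main__":
    print(demo())
```

A static password is the degenerate case of this exchange (the "challenge" is always the same), which is exactly why a captured password works as many times as the attacker likes.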
Ghost—A Halloween staple for last-minute costumers. It’s also a term used for lurkers on social media sites who do not actively participate. Ghost accounts, organizational network access accounts kept “active” even though the named user is no longer active in the organization, are serious security loopholes: they still accept logins, nobody is watching them, and a departed employee or an attacker with an old password can use them unnoticed. One security analyst report found that, on average, 26% of the user accounts maintained by organizations are ghosts: “stale,” with no use for at least three months.
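Finding ghosts is mostly a matter of comparing last-logon timestamps against a cutoff. The following added example (not from the original post) does that over a constructed directory export in CSV form; the column names, the 90-day threshold, and the sample rows are all assumptions for the example, and a real run would feed it an export from the directory service instead.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample export (not real data). One row per account; an empty
# last_logon means the account has never been used.
SAMPLE_EXPORT = """\
user,enabled,last_logon
alice,true,2018-10-20T08:15:00Z
bob,true,2018-06-01T17:42:00Z
carol,false,2018-01-10T09:00:00Z
dave,true,
svc-backup,true,2018-10-25T02:00:00Z
"""

TIMESTAMP_FORMAT = "%Y-%m-%dT%H:%M:%SZ"  # assumed export format


def parse_timestamp(text: str):
    """Parse an ISO-8601 UTC timestamp; an empty field becomes None."""
    text = text.strip()
    if not text:
        return None
    return datetime.strptime(text, TIMESTAMP_FORMAT).replace(tzinfo=timezone.utc)


def parse_export(text: str) -> list:
    """Turn the CSV export into a list of dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "user": row["user"].strip(),
            "enabled": row["enabled"].strip().lower() == "true",
            "last_logon": parse_timestamp(row["last_logon"]),
        })
    return rows


def ghost_accounts(rows: list, now: datetime, max_idle_days: int = 90) -> list:
    """Return enabled accounts that have never logged on or not within the window.

    Disabled accounts are skipped: they are not a login path, so they are
    hygiene issues rather than ghosts.
    """
    cutoff = now - timedelta(days=max_idle_days)
    ghosts = []
    for r in rows:
        if not r["enabled"]:
            continue
        if r["last_logon"] is None or r["last_logon"] < cutoff:
            ghosts.append(r["user"])
    return ghosts


def report(text: str, now_iso: str, max_idle_days: int = 90) -> dict:
    """Summarize ghosts and their share of enabled accounts for an export."""
    rows = parse_export(text)
    now = parse_timestamp(now_iso)
    ghosts = ghost_accounts(rows, now, max_idle_days)
    enabled = sum(1 for r in rows if r["enabled"])
    return {
        "ghosts": ghosts,
        "enabled": enabled,
        "ghost_ratio": (len(ghosts) / enabled) if enabled else 0.0,
    }


if __name__ == "__main__":
    print(report(SAMPLE_EXPORT, "2018-10-31T00:00:00Z"))
```

Two practical caveats: service accounts (like `svc-backup` above) often log on without an interactive session, so the right "last use" field depends on the directory product, and a never-logged-on enabled account is usually the most interesting finding of all.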
Identity spoofing—Pretending to be something I am not. If I disguise myself as a flapper or go-go girl, it’s harmless; not so if I disguise myself as a senior executive and request a wire transfer or every employee’s W-2 form, or if I set up a look-alike “Starbucks” public Wi-Fi hotspot to capture login credentials and other useful traffic. A 2017 identity fraud study reported that $16B was stolen from 15.4M US consumers in 2016.
Masking—Using something to cover the face to hide or make features unrecognizable. Data masking is the process of hiding or de-identifying original data, for example by replacing characters with asterisks, as when your screen shows asterisks rather than the password you just typed into the field. Masking may be used to anonymize confidential information (e.g., employee Social Security numbers or DoD supply chain test results), with the caveat that a partial mask (say, the last four digits left visible) still reveals part of the value. Subnet masking is different: a subnet mask defines where one network segment ends and another begins. Splitting a network into segments makes it possible to limit who can reach what, but the limiting is done by firewall rules and access controls between the segments, not by the mask itself.
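The two senses of “masking” are easy to show side by side. This added example (not from the original post) masks a value outright or all but its tail, redacts Social Security numbers found in free text, and uses a subnet mask only to decide which segment an address belongs to; the SSN pattern and the sample strings are constructed for the example.

```python
import ipaddress
import re

# Constructed pattern for the common NNN-NN-NNNN SSN layout (example only).
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def mask_value(value: str, keep_last: int = 0, mask_char: str = "*") -> str:
    """Replace all but the trailing keep_last characters with mask_char.

    keep_last=0 is a full mask (the password-field case); keep_last=4 is the
    partial mask used on receipts and account screens, which still leaks the
    tail of the value.
    """
    if keep_last <= 0:
        return mask_char * len(value)
    hidden = max(len(value) - keep_last, 0)
    return mask_char * hidden + value[-keep_last:]


def mask_ssns(text: str) -> str:
    """Redact every SSN in free text, keeping only the last four digits."""
    return SSN_RE.sub(lambda m: "***-**-" + m.group(3), text)


def in_segment(ip: str, cidr: str) -> bool:
    """Use a subnet mask (via CIDR notation) to test segment membership.

    This answers 'which segment is this address in?', not 'who may see it';
    visibility between segments is a firewall/ACL decision made elsewhere.
    """
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


if __name__ == "__main__":
    # Constructed sample inputs
    print(mask_value("hunter2"))
    print(mask_value("123456789", keep_last=4))
    print(mask_ssns("Employee record: SSN 123-45-6789, test result PASS"))
    print(in_segment("10.1.2.3", "10.1.0.0/16"), in_segment("10.2.0.1", "10.1.0.0/16"))
```

Masking should happen before the data crosses a trust boundary (on the way into a log, a test dataset, or a screen), because a mask applied after the fact cannot recall copies that already left.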
Phantom—A figment of the imagination, hallucination, or ghost. In cyber terms, Phantom Secure was an international encrypted communication service used by criminals to facilitate murders, money laundering, and drug trafficking; the FBI took down the service in March 2018. Also in cyber terms, Phantom Cyber is a security orchestration, automation, and response platform that automates the handling of potential security incidents (acquired by Splunk in February 2018). Confusing? You betcha. Caveat emptor.
Shadow—A great Halloween costume onesie (not recommended for long, chilly trick-or-treating forays). Shadow IT refers to undocumented, unofficial, or unsanctioned organizational IT resources. Similar to ghost accounts, its components may be virtual machine (VM) instances left running after their project ended, IT projects run outside the IT department, software applications downloaded by end users onto organizational resources, and rogue wireless access points.
Vampire—Something that feeds off the lifeblood of another thing; difficult to locate because it prefers dark spaces. Vampire data includes data you might not even know exists, which is problematic in the case of a data breach or attack because it can create an unidentified liability under privacy laws and regulations. Examples include long-archived backup tapes, email messages downloaded to desktops, and material copied and abandoned to cloud storage.
And now that you’ve mastered some cyber vocabulary, here are a few more tricks and treats.
October is National Cyber Security Awareness Month. Here are just some cyber tricks reported:
- A Government Accountability Office (GAO) report published this month found that the DoD is seriously deficient with respect to securing weapons systems: attack surfaces have grown, while password practices and the encryption of communications between weapon-system components have not kept pace with increasingly software-dependent and interconnected systems.
- Google announced October 8 that it would shut down its Google+ online social network, and also disclosed a flaw in the network’s API that exposed personal information from at least 500,000 user accounts.
- Facebook announced that of the 30 million users affected by its September access-token breach, 14 million had detailed information exposed, including the last 15 people or things they searched for on Facebook and the last 10 physical locations they checked into, as well as gender, religious affiliation, and connection information.
- Cybersecurity agencies in the United States, United Kingdom, Canada, Australia, and New Zealand released a joint report describing five of the most commonly used publicly available hacking tools. The report is intended to help system administrators and network defenders detect and protect against the tools’ use.
And for those who prefer Hollywood-type scares to those in real or virtual worlds, here are some recommended books, movies, and TV shows that incorporate cyber security activities:
- Chatter: Dispatches from the Secret World of Global Eavesdropping by Patrick Radden Keefe (2006). Deeply researched descriptions of how governments collaborate to understand citizen behavior.
- Blackout by Marc Elsberg (2012). Vulnerabilities in supervisory control and data acquisition (SCADA) systems are exploited by hacktivists, leading to cascading failures in critical infrastructures across multiple countries.
- The Stranger by Harlan Coben (2015). Social media trawlers conspire to wreak havoc and demand ransom for personal information held hostage.
- WarGames (1983). Tech-savvy teenager hacks into his school’s system to improve his GPA, then goes looking for online games and inadvertently starts a “Global Thermonuclear War” simulation on a military computer that mistakes it for the real thing.
- Superman III (1983). Trusted insider hacks the bank’s accounting system using the “salami-slicing” approach. Hilarious treatment of post-incident investigations.
- Jurassic Park (1993). In a prescient nod to diversity in cyber security, a young girl hacks into the island’s security system to reactivate controls against “terrible lizards.”
- Sneakers (1992). The black box containing global decryption tools is found, stolen, recovered . . .
- Hackers (1995). Black hat teenagers find romance and access to embedded systems.
- Antitrust (2001). Trusted systems and corporations are not what they seem when personal privacy and intellectual property are violated.
And some TV shows:
- Mr. Robot (2015 through 2019). Peabody Award-winning drama that my Regis University grad students recommend highly. I borrowed the DVD for the first season from the library (but haven’t watched it yet).
- CSI: Cyber (2015 through 2016). FBI agents play central roles here.
Happy Halloween! Be safe out there . . .