Cybersecurity Focus: Medical Devices

In the last year we have seen the world ravaged by COVID-19, which has killed well over 2 Million people. Modern medical solutions have been stretched to their breaking point nearly everywhere during the pandemic. Something which has helped those on the medical front lines is technology. Tele-medicine has allowed millions to converse with their doctor via a video call, thus reducing risk for patients as well as health care providers. Digital prescriptions allow the doctor to directly contact a pharmacy so the patient can just walk in or drive up and receive their prescription, once again reducing COVID risk. The new frontier in medicine is technology.

Today I’ll speak to the connected medical world in which we live and the potential risks that you can try to mitigate with planning and vigilance. In many articles I have written I have spoken about the Internet of Things (IoT), which covers all those connected devices in your household. They make life so much simpler and easier, but there are risks, and you can mitigate the risk from your connected household devices. See my article on Home cybersecurity risks here: https://ericcrichardson.com/2021/01/28/home-the-cybersecurity-dangers-within/amp/

Just like home devices, there is a class of connected devices which can help you manage your medical needs; these are called the Internet of Medical Things (IoMT). These range from simpler devices like pedometers (step trackers) and sports bands or watches up to much more complex devices such as fall detection devices. The more complicated devices will generally need FDA approval in the US or approval from similar organizations in other countries, such as Health Canada. The good news is that agencies such as the FDA/Health Canada/Ministry of Health are all evolving and increasing their guidance on cybersecurity, both before a device launches and after it launches.

But there are always things which can be improved. Think about devices you may have in the home that serve medical purposes, which a doctor can read data from and possibly update. Things like implantable heart pacemakers or external insulin pumps come to mind. Some of these devices have Bluetooth connections which communicate with a smartphone and then back to the doctor. Some devices like CPAP machines use 3G technology to wirelessly connect to a mobile phone network to send data; these can also have Bluetooth connections to allow for configuring.

Any time you have a connection you have risk; that is what you need to remember. There have been documented cases of devices being hacked; just do a web search for “Insulin Pump Hack” and you will read about guidance from the US FDA on risks. The risk is not super high but it’s very real. If you have a concern, the best way of course is to stay at home. Why? Bluetooth only has a 30 foot/10 Meter range.

If you are overly concerned and must travel, there are some things you can do. You can purchase “RFID Blocking” clothing to protect any implantable devices. These garments are designed to stop the reading of RFID (Radio-frequency Identification) chips. RFID is a technology for tracking tags, where a tag is a cheap sticker with a special metal on one side forming a small radio transponder. When you check into a hotel, often the keycard you get uses RFID; it is ‘scanned’ at the door. RFID can be scanned at a longer distance depending on how it is configured, so if you have anything with RFID you can block it with these clothes. RFID blocking apparel has a metallic material in it to block radio signals. It also means you will not be able to connect to whatever device you have implanted while you have the garment on, but it’s a tradeoff. You can read tips to consider while traveling as a Cyber Secure Traveler here: https://ericcrichardson.com/2021/01/18/the-cyber-secure-traveler/amp/

I’d recommend taking general IoT safety steps first which should help ensure you are already being safe with your connected devices. With a bit of work and planning you can reduce your risk profile quite a bit.

@ericcrichardson

ericcrichardson@gmail.com

Home: The Cybersecurity Dangers Within

Have you ever watched a horror movie where the hero finds out the bad guy is in the same lonely house? The “threat within” theme is a good one as you cannot be sure you are safe. In the world of cybersecurity, the dangers are all those smart little devices we happily invite into our homes to make our lives easier. If they can be compromised, the bad guys potentially gain access to your network, your devices, and your information. Am I being a bit dramatic? Yes, but not much.

Internet of Things (IoT) devices are all the ‘smart devices’ you have in your house. There are so very many devices with connectivity built into them; here are the common ones you will potentially see:

  • TVs
  • Plugs
  • Lights
  • Appliances
  • Smart Speakers
  • Cameras
  • Kitchen devices
  • Doorbells
  • AC units
  • Thermostats
  • Some stranger ones you might see: Beds, BBQ Grills, Meat Smokers, Lawn sprinklers

If you have an app for a physical device, it is almost certainly some sort of connected device, and therefore it is an IoT device. I have literally been on a business trip thousands of miles away and ‘checked in’ at home by looking at the security camera from 10 time zones away.

The risk from IoT devices is that a device can be compromised; if that happens then the bad guys can view devices on your network. If they can see devices, they can potentially access those devices. That is how they can gain access to your private information. If you can keep the bad guys out, you can increase your security. Layers of protection are great to keep the baddies out. So, fear not, there are many things you can do to really ‘raise the shields’ so to speak. Here are a few things to keep in mind.

Your router is your first layer of defense- Ensure you have a router that is built for security from a very reputable company. Honestly, a web search for “Secure WIFI routers” is a good start to educate yourself.

Patch, Patch, Patch– Ensure your devices, your phones and your computers are up to date with manufacturer updates- Do not forget to update your WIFI Routers as well.

Do not share nice- It is possible to share files on your internal network; just do not do that. Use the old-fashioned “Sneaker net”, that is, just use a USB drive that you copy to from one device and walk to the next.

Caveat Emptor- Buyer Beware applies for sure. Before you purchase any device of any kind you really should do the homework on it. Do the research, read up about the company that makes it, read about previous IoT devices they have made and see if they have been involved in prior issues.

Monitor your network– Try to keep an eye on activity on your router or Wi-Fi units.

Use passwords for each device- Ensure you have a unique password for each device and each service. Never ever use the default password on these devices; that’s the entry for so many bad guys. You can read my article on passwords here: https://ericcrichardson.com/2021/01/14/the-gist-of-passwords/amp/

Case Study: The Target Compromise

In 2015 and 2016 Target Corporation reached settlements of around $50 Million for customers and financial institutions due to an enormous data breach which occurred in 2013. This breach affected 110 million individuals, with the bad guys obtaining names, phone numbers, physical addresses, and E-mails of customers. This caused a massive follow-on wave of identity theft and bad actors impersonating other people for ill-gotten gains. Target later claimed that they suffered a total loss of nearly $300 Million from this breach due to lost business, lawsuits, and compensation they had to pay.

How was so much damage done? In simple terms, the bad guys got in through the air conditioner! Technically it was an attack on the HVAC (Heating Venting and Air Conditioning) Units on the buildings to keep their temperatures comfortable, not an attack avenue you considered, did you?

What makes the internet amazing is how billions of devices are interconnected, what makes the internet extremely dangerous is that billions of devices are interconnected.  It is obvious your phone or computer are connected but there are classes of devices you would never think about.  In this case the big HVAC units which sit on the top of buildings are also commonly connected to the Internet, often via the standard network of the facility where they are.  This is so the devices can communicate diagnostic data with the manufacturer, which makes total cost of ownership far less as you can have a technician looking at data from potentially hundreds of units a day to diagnose what is going on versus sending people out to each location.  Better service which is less expensive. The problem is if it is not set up properly you have vendors with access to your network, that means they need to have a user ID and a password. If they do not secure your network login information, then your network isn’t safe.

In this case an attack focused on the HVAC vendor with what’s known as a Phishing attack, an attack which usually comes disguised as an E-mail to an individual in said company or organization with a link or something to trick that individual into installing bad software (Malware) or into divulging information. In this case they used a “Spear Phishing” attack, where the bad guys send E-mails with links to malware to specific individuals in a company or organization. The bad guys do their homework, and you have to assume they are working very hard to take random success out of the equation and tie it to planning and execution. You can read up on attacks with regards to installing Malware here: https://ericcrichardson.com/2021/01/20/cyber-smart-the-malware-family-and-attacks/amp/

This information was then used to get access to the HVAC Vendor and they found, in their records, the logon information for Target. Two hops later the bad guys got access into the Target network and were able to drop sophisticated software which stole personal data from the registers, which are also connected to the network. For further reading about what you as an individual can do to react to or prevent being victimized, see my article on Data Breaches: https://ericcrichardson.com/2021/01/21/planning-and-defending-against-data-breaches/amp/

Many of the more advanced, and therefore more potentially dangerous, attacks use a combination of attack styles and forms of possible malware. But hackers always want more and more access and more and more data; it’s us vs them.

Cybersecurity Focus: Multi-factor Authentication

I bet most of the people reading this have at some point been asked to associate a mobile or cell phone number with an account, and those of you who have then receive a text with a special Personal Identification Number (PIN) to be entered after you enter your user ID and Password. Well, that is the hands-on part of a relatively new security feature called Multi Factor Authentication (MFA).

MFA is a process and technology which helps you take additional steps to ensure you are in fact you when logging onto a service, app, or website. There are many forms which it comes in, but I’ll speak to the common types you might see.

-What you know: The notion of security for software and devices is based on things a user knows, usually the user ID/Password combination. But of course, these can potentially be stolen, so taking precautions is smart. See my article on Passwords here: https://ericcrichardson.com/2021/01/14/the-gist-of-passwords/amp/

-Who you Are: Security can be enhanced by adding layers to it, you will still need a user ID and Password, but you can add a fingerprint, retina scan, facial recognition etc. Windows/Android/Apple Operating systems all provide for one or multiple additional layers of security in addition to the

-What you Have: Almost everyone who is online has access to a smartphone, so a text can be sent to it with a code to enter on a website or service, adding another layer of protection. Another example of this is the credit card CVV code, that three- or four-digit code printed on your credit card (Trivia check: “CVV” stands for “Card Verification Value”). That code is not part of your credit card number but can be verified by a vendor.

-Where you are: Interestingly, most devices, even computers, can give location data. Phones have GPS receivers built into them, but even a desktop computer can give an estimate of where it is based on the internet service provider used. It is also possible for a transaction to check where someone is before approving it. Now you can use something like a VPN to get around this; in fact, see my article on using a VPN here: https://ericcrichardson.com/2021/01/15/the-ins-and-outs-of-using-a-vpn/amp/

MFA is simply an additional layer of protection for you. My adage is that if it is secure, that means it’s at least a bit painful sometimes and there are extra steps. Some systems such as Google make it a bit easier: you sign onto Google and just look at your phone, and a question will pop up on your screen asking if you want to sign in; just click yes. There is a text message being sent to your phone in the background, but it feels much more seamless. This way you are entering a user ID and a Password, and you are also having to show you have your phone with you. Now your phone can go missing, yes, but that is why you always must have a code to unlock your phone and it needs to auto-lock. Again, security is a bit of a pain, but trust me, it is well worth it.

Social Engineering And How to Stay Safe

Cybersecurity is not all about technology, many times the human factor is the weak link.   Social engineering is all about deception on one level or another.  Interestingly it has quite a bit to do with tactics Spies have used for centuries, somehow gaining trust or at minimum not drawing into question something or someone who then can perform a potentially nefarious act. In many cases the bad guy never uses technology.  

In the physical world, an example is entering a work building from a side door where you scan a cardkey for access, but a bad actor follows someone in. This is called “tailgating”, and so many people don’t even think to check whether the person who is walking in behind them is actually supposed to be there. Basically, the bad actor in this case is trying to look like they belong; they will be dressed like an employee with a backpack and maybe looking distracted by faking being on a phone call as they walk in the door. Now you are in the building and you can steal things or snoop around, maybe take some pictures of strategy printouts on the wall etc.

In Cybersecurity it specifically means to use human skills to somehow manipulate a target individual into allowing the bad guy to do something bad.   When combined with technology we see this rampant, scammers will use pop up advertisements which look like legitimate Windows, Android, or Apple Operating System error messages which state there is some kind of urgent issue with the machine but just call this toll-free number and someone can help. Then you are connected to a scammer who pretends to be from Microsoft or Apple, and they walk you through a process to steal information.   

Another approach is something you have likely experienced, a phone call that somehow states something is wrong and an agent will help you but only for a “limited time only” or something like that to shift you away from thinking about it being fishy.   It is much like a shell game; distraction is the key.

With technology of course you can be attacked via text messages, direct messages on social media, E-mail, or phone calls.  There are many tips out there but some to keep in mind:

  • Caller ID should not be trusted, bad guys can make their phone numbers appear to be anywhere (this is called “spoofing”)
  • Training is huge. If you are in business, ensure your teams are trained in security; if you are an individual, read up on the attacks and be a bit wary
  • “Too good to believe” don’t trust offers of bizarrely discounted software or services where you just need to “install this small app.”
  • Know that tech support is not going to call you out of the blue, if you need tech support verify the number to call for a given company and use that number.
  • If you are the subject of an attempted messaging or E-mail attack, take a moment and really look at the link they are sending you to—In just about all cases it’ll be a website you’ve never heard of.
  • No one should ever ask you for your password.
  • No one should ever ask you to download software onto your machine.
  • In the workplace, be sure people ‘swipe’ their keycards to get access- it is fine to ask someone who is trying to tailgate to swipe in

Many times social engineering is a way to get you to unwittingly install malware on your device; see my article on Malware here: https://ericcrichardson.com/2021/01/20/cyber-smart-the-malware-family-and-attacks/amp/

Technology can be risky yes, but the human factor is so very often the tool of choice these bad actors use when attacking. Social engineering is often considered one of the very highest areas of risk to securing our technology.

Planning for and Defending against Data Breaches

Data breach is a phrase which only recently came into the common lexicon of the world. The more connected the world gets, the more data there is. Your E-mail and your password are of course used to sign into thousands of websites or services. What are also potentially available are your financial records and your health records. Imagine what bad actors can do if they get their hands on that. They could impersonate you, steal your health information, or take money from you.

Bad Actors are always looking for new data.

What are some things you can do to help decrease your chances of a Data Breach? Here is the news you don’t want to hear: in general you are dependent on others to protect your data. The world we live in today is one where you are not in direct day to day control of all of your data. With that said, use reputable banks and hospitals, as financial and health data are the most sensitive data we have. Be aware of how to prevent Malware from impacting you; I wrote about this in my Malware article here: https://ericcrichardson.com/2021/01/20/cyber-smart-the-malware-family-and-attacks/amp/ Something else you could consider is a locking mailbox to prevent bad guys from swiping possibly sensitive mail.

There are, however, some day to day ‘hygiene’ steps you can take to build up better defenses. These are actually the same steps you would take if you were notified of a data breach.

  • Monitor your bank statements, credit card bills, etc. for any ‘strange’ activity.
  • Consider putting “fraud alerts” on your checking/saving account. This will allow your banks to identify any strange patterns of activity and prevent them from occurring. A real world example: your bank statement is stolen and someone uses your debit card a thousand miles from where you live. With that alert the bank will decline the transaction and notify you.
  • Consider ‘locking’ credit bureau queries, this way if a nefarious actor tries to get a credit card or loan in your name, they would be prevented. The credit bureaus are Experian, TransUnion, and Equifax.  Please note that there have been data breaches even from within the credit bureaus.

The big difference between just being cautious and reacting to a breach is this: if you are not already doing these things and you find out you have been impacted by a breach, then you need to do all those things I mentioned above, and amazingly fast. And of course, contact law enforcement if you know you have had your identity stolen due to a data breach. Be safe out there, there are threats about.

Cyber smart- The Malware family and Attacks

Cyber attacks are a truly clear and present danger which we all face. Yesterday I wrote about Malware myths here: https://ericcrichardson.com/2021/01/19/malware-myths/amp/. Today I will spend some time speaking about some of the various types of Malware and Attacks which could impact you. It is quite possible to write books about just about any of these individually. 11 years ago one of the most complex viruses ever created was unleashed. It was likely created by a nation state (likely the US and Israel) to target a specific type of programmable logic controller for centrifuges used in refining nuclear material. It’s a fascinating read; here is a link to an Arstechnica article about it if you wish to read more: https://arstechnica.com/tech-policy/2012/06/confirmed-us-israel-created-stuxnet-lost-control-of-it/ Now, the scope of this article is to educate about the breadth of types of attacks and not to go into great detail.

Bad Actors Have Everyone in Their Sights

Malware

The Malware family are programs written by bad guys (i.e., “hackers” in popular parlance) to attack and gain control of a computer or phone, either to steal data or to negatively impact you. Below are some of the common categories you could potentially experience; all of them can have extremely negative impacts on those affected.

Spyware—This is a type of malicious software which gathers data about the user and sends that information secretly to others for nefarious uses. An example is spyware which gets installed and copies every keystroke you make, including passwords and user IDs on websites. This “key logger” then transmits the logs of all the keystrokes to bad guys, who then try to identify the websites you are using. If they are successful, they can impersonate you. Think about the damage that could happen if someone gets access to your financial or healthcare records!

Ransomware—This has been in the news far too often lately. It is specifically malware which installs on your computer and then secretly encrypts your hard drive so you can’t use it. You then get a message saying you must pay money, or they will erase your hard drive. If you back up your hard drive regularly you can reduce the damage, but the hackers sometimes threaten to dump your data to embarrass you as well. We have seen ransomware used to target companies and, oddly, hospitals, which has impacted patients being admitted and, in some cases, caused direct patient harm. Many high-profile companies have been impacted by Ransomware as well; you can look this up with ease.

Adware- This type of malware, when installed, pushes ads onto your web browser. It is usually bundled with some sort of free download, and it is the mechanism by which they seem to make money on free software. A good rule of thumb: be incredibly careful when downloading free software.

Botnets— These are a type of malware which creates a net of internet connected devices which can be used to steal data or send mass E-mailings. The Stuxnet attack I mentioned above was a type of Botnet.

Dangerous Macros – Macros are effectively ways to automate keystrokes or to do minor automation.  You see Macros often when using Word or Excel, most of the times they are useful.

Attacks

Malware must get on systems to impact them. This section will speak to the methods that the bad guys use to get malware onto our systems.

Phishing- Phishing (pronounced ‘Fishing’) is a type of attack which tries to catch as many people as possible, using a broad lure to convince them to download malware. Very often it’s via a fake E-mail from a trusted institution (like a bank) that wants you to click on a link in the E-mail to do something such as “reset a password”, when in fact the link will start a download of malware. It can be hard to spot, but if you are on your guard you can see, usually by hovering over the link in the E-mail, that the link is not related to the organization you think. You often see this with banks.

Spear Phishing– Spear Phishing is a more refined version of Phishing where an awfully specific organization or individual is targeted. The trick is the same but it’s much more targeted. There is a variant of this called “Whaling”, which is going after someone very important within an organization.

DOS- A Denial of Service attack, or DOS, is an attack on something like a website or E-mail servers to simply overwhelm it thus shutting it down.  This is often done by sending websites far more data than they are expecting or badly formed data to trigger errors on the website’s back end software.  Many times, thousands and thousands of versions of the malware could be distributed via phishing attacks, so you have an attack distributed across the planet potentially. This variant is known as a Distributed Denial of Service attack (or DDOS).  

Website manipulation- Bad actors can also try to manipulate web site programming by doing things like passing commands in when filling out a form. This is known as SQL injection. SQL is Structured Query Language, which is the language database servers use, and in some cases it’s possible to send in a set of database commands or a SQL Query.
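How a form value ends up being treated as part of a SQL query, and the standard fix, shown as an added example that is not from the original article. The customers table, the names in it and both lookup functions are constructed for illustration, using Python's built-in sqlite3 module.

```python
import sqlite3

# Constructed form input: text that closes the quote and adds its own condition.
CRAFTED_INPUT = "nobody' OR '1'='1"


def make_demo_db():
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [
            ("alice", "alice@shop.example"),
            ("bob", "bob@shop.example"),
            ("O'Brien", "obrien@shop.example"),
        ],
    )
    return conn


def lookup_unsafe(conn, name):
    # VULNERABLE: the form value is pasted into the SQL text, so the
    # database cannot tell the programmer's query from the user's data.
    query = "SELECT name, email FROM customers WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, name):
    # FIXED: the query text is constant and the value travels separately
    # as a bound parameter, so it is only ever compared as data.
    query = "SELECT name, email FROM customers WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


def unsafe_breaks_on_apostrophe(conn):
    # Even an honest customer name with an apostrophe breaks the
    # string-built query, a common early sign of this class of bug.
    try:
        lookup_unsafe(conn, "O'Brien")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_demo_db()
    print("unsafe, crafted input:", lookup_unsafe(db, CRAFTED_INPUT))
    print("safe, crafted input:  ", lookup_safe(db, CRAFTED_INPUT))
    print("safe, O'Brien:        ", lookup_safe(db, "O'Brien"))
    print("unsafe fails on O'Brien:", unsafe_breaks_on_apostrophe(db))
```

With the string-built query the crafted value returns every customer row; with the bound parameter it matches nothing, and a legitimate name containing an apostrophe works normally.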

Your best defense- Education!!! Do not click that link, and be wary of anything even remotely out of the norm. Educate yourself on attacks and malware and new forms of attacks. Just like you have to lock your doors and windows at night for your house and your car, you need to be prudent in how you protect your computer, laptop, tablet, and phone.

Malware myths

We know there are bad guys out there who write nefarious programs and attempt to get them on our computers and phones via wide ranging methods.  This bad code is known generally as “Malware”, “mal” literally meaning ‘Evil’ or ‘Bad’ in Latin- and is at the root of words like “Malicious”.  It is indeed just that, evil code.  We know Malware/Viruses equals bad, but there are many myths around them which you should really be aware of. Read on for just a few of the myths which you should keep in mind.

Malware, like taxes, is inevitable.

Only Windows- The most written about computer malware myth is that it is just a Windows problem. The root of that falsehood is that about 65% of all computers run Windows and Microsoft is historically a widely attacked company. The bad guys are smart, and they will go after the largest target, which is Windows. Apple’s MacOS and iOS have been the subject of many attacks over the years, but at about 25% of the computers out there it just does not make the news. As for the rest, it is basically UNIX and Linux, of which there is not just one official version, which both helps and hurts. If you are running a well-supported version such as RedHat Linux, bugs are likely to be addressed fast, but lesser-known versions (aka Kernels) might not ever be patched. So, the lesson is the same here: patch your systems, and use whatever automatic updates are available on all the major operating systems: Windows/ Apple based/ UNIX/LINUX.

It is just a new problem- Another myth about malware is that it is a new thing. Would you believe the first noted virus is 50 years old? The forerunner to today’s Internet was called ARPAnet, which was a way to connect research institutions via a network across mostly North America in the mid 1960’s. In 1971 a programmer named Bob Thomas wrote an innocuous little program that simply displayed “I’m the Creeper, catch me if you can!” on the terminals of users of ARPAnet. While never intended to do any harm, it was annoying, and Thomas was sneaky insofar as he wrote it so that it would make copies of itself to run on different machines. Thus the first virus was specifically a Worm, which is a virus which makes copies on different machines, making it harder and harder to squash. Creeper then gave rise to “Reaper”, which was in a sense the first anti-virus software, as Reaper was started to delete the copies found. Clearly viruses are not a new dance in the tech world. For those who read the Michael Crichton book Westworld (from which the HBO Series and the movie from the 70’s came), it names the bad code acting like a “Disease of machinery”- Michael Crichton was in fact an MD before becoming an author. As a slight side note I re-read “Andromeda Strain” as COVID-19 started to grip the world last year, scary and on point!

My phone is fine- That only computers are at risk is another huge misconception. Phones and tablets are the new target of opportunity. As they are effectively small computers using variations of the operating systems their “large siblings” use, they are at risk of many of the same threats or variants of them. Unlike computers, where Windows is the most used Operating System, in the world of phones Android is the big dog. From many embarrassing issues in the past Microsoft learned how to define world class patching, and both Google and Apple have adopted much of that rigor to keep software updated. Having worked in big tech, I can absolutely say the number of engineers working on current operating systems is huge. Everyone wants to work on the next big thing, but the whole nature of “sustained engineering” is critical. Again, use reputable anti-virus/anti-malware software to protect them. Other devices such as security cameras, baby monitors, doorbells, lights, refrigerators or even beds can be connected to the internet to allow you to get useful information from them. They also become attack surfaces for bad guys. These “Internet of Things” devices (or IoT) are more and more popular.

I am working on a companion article to this one, focusing on a summary of the different types of Malware and attacks to keep in mind as well as a deeper discussion of IoT risk. As a reminder always keep passwords strong – see my post on Passwords here: https://ericcrichardson.com/2021/01/14/the-gist-of-passwords/amp/

The big takeaway here is to not assume too much, plan on everything that touches the internet being attacked and take precautions as you cannot be overly careful.

The Cyber Secure Traveler

Looking forward, we can hope a bit for a world where you are not locked down as much and things get back to normal. The world is struggling with the Coronavirus, we have lost at least 2 Million people due to it, and traveling dramatically increases risk. We will not be traveling for a while, but eventually we will. In 2021 we will see the vaccines start to make a real impact for good. With luck we will see people traveling around again. That means we will all need a refresher on cyber safe traveling. So, with a bit of optimism about the future and trying to imagine a good place, I am going to talk about travel and how everyone is trying to steal your data, infect your devices and be generally bad. OK, so much for optimism. Let’s talk about how to travel smart and things to consider when you do.

It can be a nice distraction to look out the window at the airport, but be sure to follow best practices

By keeping a few things in mind and taking several steps to prevent bad situations from coming up, you can travel quite safely. It takes a bit of planning and some actions beforehand, but a bit of caution and planning goes a long way.

Before you go:

  • Encrypt your laptop and your phone, and ensure they are password protected and auto-lock after a short amount of time of inactivity
  • Get the most recent updates/patches for your system, up to the day you go if you can
  • Set ‘remote wipe’ for your hardware so that if it is lost you can at least wipe it/lock it
  • Back up all your files and leave a backup in a secure location (such as home)
  • Make sure you have an extraordinarily strong password on all your devices   — See my post on Passwords here:  https://ericcrichardson.com/2021/01/14/the-gist-of-passwords/amp/
  • Make sure, you are only taking any technology into a country what is allowed.  As a cybersecurity professional I cannot take certain software into China for example (Travel to China is literally its own article)
  • Make a digital copy of your passport, driver’s license, credit cards, document with contact info, flight information etc. and always keep it on an encrypted USB device on your person- literally keep it on you 24/7 (X-ray machine in the airport as the exception)

While you are traveling:

  • Keep your devices with you at all times. Yes, take your luggage to the bathroom/toilet with you. Yes, it is annoying, but your bags should be within reach every second when traveling.   There are other more general security reasons for this, but I am focusing on cybersecurity here. On the plane, keep your carry-on directly above you and your laptop bag at your feet; once you are in the air you can pull it back towards your seat to help elevate your feet a bit for comfort.
  • Shut off Bluetooth unless you absolutely need it (computers and phones)
  • This one may seem strange, but never ever plug your phone into a public USB charging station.  USB carries both power and data between devices. The data sharing is the risk here: you may be the victim of what is known as “Juice Jacking”, where you plug in for power and a nefarious entity performs data theft or drops a payload with malware in it. A bit more than 70% of the phones connected will be Android and most of the rest will be Apple based, so bad guys will know that and plan accordingly. Bring a battery to charge from.  Of course, if you just use an actual plug in a wall outlet, that will remove the data risk; however, I just use my battery as I can move about the airport or train station all I wish while charging. Investing in a long USB cord is helpful for this, as I usually keep my battery in my laptop bag and push the phone connector out of the headset pass-through to my phone.
  • Lock everything you can in the safe in your hotel room. These are far from the most secure safes you’ll ever find, as management can override them, but they do provide a layer of protection.  Usually, a laptop will fit as well as your other electronics.
  • Try not to rely on free Wi-Fi hot spots; they can be rife with hackers watching.  Using a VPN helps for sure, however. In fact, a rule of thumb is to always use a VPN when traveling. See my post on using a VPN here: https://ericcrichardson.com/2021/01/14/the-gist-of-passwords/amp/

If you want to be super secure, you could get a burner phone, which is a dumb phone pre-purchased for the country you will be traveling to.   Also, you could bring a laptop with a less friendly operating system that is cheap, such as Ubuntu Linux, and just remote back to your main computer. This way, if you lose either the phone or the laptop, your losses and potential data loss will be mitigated.  I will be honest with you: while I used to write and edit books about Linux, I prefer just using Windows; it is just easier.

By being smart and following prudent steps you can prevent possible attacks on your devices while traveling. One could literally write a book on steps to take, but if you take nothing else away from this, be very aware there are bad guys out there trying to attack travelers.

@ericcrichardson

The weekend angle: Is being a Dungeon Master helpful on my resume? The answer may surprise you.

It’s Saturday so my weekend post is going to be off topic but one that many in business, technology, and cybersecurity might be familiar with. 

I am a geek; you may have noticed that. It’s been a life defining descriptor. Most geeky things fascinate me. Sci-Fi- yep, technology- absolutely, Dungeons and Dragons- heck yes! A bit of background for you.

I have been playing D&D since I was in 7th Grade in April 1979, when a friend of mine invited me over to play a new game called Dungeons and Dragons and I loved it.  I hand copied some base rules and started playing with my brothers; we ended up being huge fans and we started to buy the books and create our own content.  You will see in the picture below I have D&D books from 1980 up to now in there.  You will see a computer on the left which is a TI-99/4A computer (it is an original I have had since High School; my brother and I wrote games in BASIC which we saved on cassette tapes then). On the right are original Kenner Star Wars toys: the Millennium Falcon and Boba Fett’s awesome Slave I from 1979 and 1980. I kept them all these years.  I did warn you that I am a geek; it defines me and my family of the last five generations. Five generations of technology (Engineers, Computer Scientists and Cybersecurity Professionals), so I come by it naturally; it is in my blood.

One of my Geek shelves- has four decades of my D&D books which I kept with me my whole life and I’m always adding to it

How on earth can D&D help me get a job that has nothing to do with playing a great game? Let us talk about how under the right circumstance, your passion can help fill out a resume.  As you likely know Dungeons and Dragons is a fantasy tabletop game where players take on the personas of heroes or villains and the Dungeon Master (DM) manages the game.  Often the DM creates the content personally, manages the rules, sets expectations, keeps the game moving along etc.  It is a game of imagination where the DM’s ability to describe what is going on makes the whole process more enjoyable for everyone.

Here are just a few skills describing what a Dungeon Master exhibits which applies to work:

  • Leadership- Leadership is how you identify and nurture talent to blossom, be it in the workplace or the game space.  In D&D you are the referee, the judge, you are leading this happy party. Many DM’s are professionals; yours truly has been DM’ing 40 years but I only have 27 years of professional experience after all.
  • Storytelling– Critical for communicating in every industry you could possibly work in, to articulate a vision of what is possible
  • Planning– Coming up with a plan to move forward and to get the team there is something every manager, program manager, project manager etc. does.
  • Conflict resolution– Anytime you have more than two people working towards a goal, conflict is nearby.  Keeping a team of people at work or a team of adventurers on track is critical.
  • Recruiting- Getting a group of people together to play is 100% reliant on identifying and attracting people to the game table.  Obviously recruiting the right talent and being able to identify potential is the foundation of any organization
  • Run Management- All businesses have a nature of running; ensuring everything which needs to get done is done is a given, but it can be hard to do.  A DM keeps the game going, ensuring pacing is right and that everything which needs to happen does in fact happen.
  • Math Skills- Math shows up everywhere; you cannot run from it so you might as well embrace it. Each player at minimum uses seven dice as their base dice set, ranging from four-sided to twenty-sided. Most players use many more. Rolling dice often helps with quick summations; in fact the dice are jokingly referred to as “Math rocks”.  Work or Gaming, math shows up; at least in gaming you can get some very cool looking dice sets.

Dice- The click clack math rocks you love and hate

How do you work all of this into a resume/CV? Add a section for “Additional experience” and talk to the skills you demonstrate being a DM.  I do not recommend counting it as actual work experience unless you are one of the few paid DM’s – yes that is an option.  Having this listed as additional experience gives you a jumping off point to connect those skills to how you can add value to an organization.

Would I lead with being a DM? Well, if you are talking to Chris Cocks from Wizards of the Coast or anyone from Critical Role yes, but if you are talking to someone in an interview about executing data science and your needs for hydrating a data lake, I would not necessarily lead with “I’ve been a DM for Decades.” but it’s great when establishing some broader traits. So have fun playing a great game and remember there is an opportunity to demonstrate business skills from a pastime, it’s all about how you approach it.

@ericcrichardson