Another week brings yet another cyber security breach. This time the breach relates to the company which encompasses the Currys, PC World, Dixons and Carphone Warehouse brands. 5.9 million payment card records and the personal details of 1.2 million people were involved in the breach, which looks like one of the largest, if not the largest, in the UK to date.
For me this highlights the need for students to be aware that through no fault of their own their data may be leaked online if it has not been already.
In discussing this with students my favourite site continues to be Have I Been Pwned which allows students to enter their email address and see if their details have been involved in one of the many breaches for which the site has data. To date 1 in 3 of the students I have had enter their email have found out they have been part of a breach.
The key messages which I take from this are:
- Use strong passwords: Most sites hash their passwords for security reasons; however, a weak password can easily be resolved from a hash. As such, a strong password is added security should your details, including a hashed password, be involved in a security breach.
- Avoid reusing passwords across key sites: If your password is leaked and resolved from a hash, or even worse the site stores it unencrypted, the first thing a hacker will do is try the same username and password combination on other sites. As such, using the same password across sites represents a risk. Either use a password manager to allow for individual passwords for each site, or make sure critical sites such as banking, your main email account, your Amazon account, etc. have different passwords.
- Review your passwords: Although it is no longer advised that you change your password frequently, it is still advisable to consider how long you have used your passwords for and, especially where passwords have been reused across sites, to change these periodically.
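The point about weak passwords and hashes can be shown in a few lines. The following is an added example, not part of the original post: an audit of constructed accounts whose passwords were stored as unsalted SHA-256, alongside the salted PBKDF2 storage a site should use instead. The account names, passwords, word list and function names are all made up for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data (assumption): a tiny common-password list and three
# made-up accounts. Nothing here comes from a real breach.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "liverpool", "letmein"]
ACCOUNTS = {"alice": "liverpool", "bob": "T7#vq-Lamp-Orbit-92", "carol": "letmein"}
ROUNDS = 200_000  # PBKDF2 work factor used below


def fast_hash(password):
    """Unsalted SHA-256: identical passwords always give identical hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def audit_unsalted(stored, wordlist):
    """Return {user: password} for each stored hash that matches the word list."""
    # One pass over the word list covers every user, because no salt is used.
    lookup = {fast_hash(word): word for word in wordlist}
    return {user: lookup[h] for user, h in stored.items() if h in lookup}


def slow_hash(password, salt):
    """Salted PBKDF2-HMAC-SHA256: a unique salt per user and a cost per guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)


def store(password):
    """Create the (salt, hash) pair a site should keep instead of fast_hash()."""
    salt = os.urandom(16)
    return salt, slow_hash(password, salt)


def verify(password, salt, expected):
    """Constant-time comparison of a login attempt against the stored hash."""
    return hmac.compare_digest(slow_hash(password, salt), expected)


def weak_accounts():
    """Audit the constructed accounts as if their unsalted hashes had leaked."""
    leaked = {user: fast_hash(pw) for user, pw in ACCOUNTS.items()}
    return audit_unsalted(leaked, COMMON_PASSWORDS)


if __name__ == "__main__":
    print("Recovered from unsalted hashes:", weak_accounts())
    salt, digest = store("letmein")
    print("Salted login check:", verify("letmein", salt, digest))
```

A salted, slow hash raises the cost of every guess, but it does not rescue a password that is already on a common-password list, which is why the strong password still matters.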
I am sure it will not be too long before the next breach is reported on the news. As this pattern of an increasing frequency of breaches continues we all need to become more and more aware of the risks and of the precautions we can take.
Image From: https://www.bbc.co.uk/news/business-44465331
The Internet of Things is a big concern and should be one which students are very aware of, as it potentially threatens our privacy and our security.
When discussing the Internet of Things I focus on two issues: the first is that these devices generally have default usernames and passwords which are seldom changed by users, and the second is the difficulty, and also the lack of regularity, in updating the software which runs on such devices.
When discussing passwords I focus on the 2014 reporting of 70,000 webcams across the world which an internet user had gathered on a single site. As these devices all had no default password set, any user could effectively connect to the feed and view whatever the webcam sees, whether this be a car park, a football ground, the inside of a house or the pathway to someone’s front door.
A quick discussion with students as to how they would feel having their movements monitored by persons unknown, and also the risks which such monitoring might expose them to, quickly gets the point across as to the need to change passwords.
To illustrate the need to update operating systems I use the vulnerability which was identified in robotic vacuum cleaners. This allowed hackers to gain access to the video feed from such a vacuum cleaner as well as being able to control the device itself. The vulnerability was in the software which was then patched by the vendor following discovery of the issue.
Students were then asked how they would know if devices they have purchased had an identified vulnerability. Would vendors have a way to contact those that purchased their device? It became clear that generally the answer is no, and therefore the only way to remain secure is in fact to keep updating devices so that they are using the latest and therefore least vulnerable software.
The Internet of Things will continue to grow as more and more devices are connected to our home networks. As the list of devices grows, so does the risk. As the risk grows it will become more and more important that students are aware of the risks and of the basic security measures they can take, such as updating software and changing default passwords.
There have been many high-profile data breaches over the last few years, including the Yahoo breach which hit around 3 billion user accounts and the LinkedIn breach which affected around 160 million user accounts, along with many other small breaches of services across the internet. I have often used the fact that these breaches have occurred as evidence that students need to take care as to the details they share with services and the strength of the passwords they use, as well as the need to ensure they do not share common passwords across different sites.
Around 6 months ago I was introduced to the Have I Been Pwned website and it is now a regular part of my lessons with students in relation to cyber security and digital citizenship. The site contains a huge database of the details which have been leaked as a part of the many publicly reported data breaches. I ask students to volunteer and enter their email addresses into the service to see if their email account has ever been involved in a data breach. This very much gets students engaged as they wait in anticipation to see if they have been involved in a data breach. To date at least 1 in every 3 students who volunteer and enter their email address have been identified as having their account details “pwned”. This to me is worrying, as those concerned are generally unaware, prior to accessing the site, that any of their details may have been leaked and may therefore now be accessible on the net.
I would recommend the use of the site with students, as well as with staff and personally to check how exposed you are to past breaches. Speaking personally, the first time I accessed the site it flagged up the fact my own personal details had been compromised as part of a breach I wasn’t aware of. Having identified this I quickly was able to change my password and take other preventative measures.
In developing a series of sessions on digital literacy I thought a good place to start would be that of basic computer safety, including password management. Ahead of this is an initial discussion with students aimed at identifying the risks and implications of using technology where no consideration has been given to computer safety and security.
The areas which I consider to represent the basic elements of safety are:
- Password and account management
- Risk associated with website access
- Social media dangers
- The danger of the ubiquitous use of email
- Data loss from mobile devices, portable storage or storage failure.
In discussing each I use the CIA acronym as a structure for examining the risks and safety measures. CIA refers to Confidentiality, Integrity and Accessibility. In discussing password management, confidentiality may lead us to consider how we keep usernames and passwords confidential such that our files remain confidential. It may also lead us to discuss accessibility, in that as users we want easy access to our data and therefore shorter, easier to remember usernames and passwords seem preferable, yet this runs contrary to the need for confidentiality. This conflict may lead us to examine how password managers might assist in achieving both confidentiality and accessibility.
The main aim of the first session will be to get students to consider their technological safety in greater detail and depth than they may have done previously. It is also hoped that this first session will allow for in-group discussion and debate, which will set the tone for the discussion and debate which will be needed on some of the more morally or ethically related discussions in later sessions.
You can access the basic PowerPoint (yes, I know, a PowerPoint! Have just used it to create a basic framework only and have no intention of death by PowerPoint) related to session one here.
I would welcome any thoughts or comments.