A Trillion Dollars and Counting

Hello neighbors. I know I haven’t written since Christmas, but in my defense, well, I don’t actually have any except that I’ve been busy. We spent Christmas with our daughters in Austin, TX, and have had a full calendar since. When we have some nice warm weather in the spring, I hope you can all make it over for cocktails on the back patio and catch up.

What does this have to do with $1,000,000,000,000, or was that just clickbait?

Not clickbait, I assure you. A trillion dollars is how much the Centre for Strategic and International Studies says was lost due to cyber crime, according to this 2020 article in Computer Weekly. Count those zeros.

We all need to take cyber security seriously.

Have you renamed your router’s SSID? Have you changed the default password that came with the router? Have you not only changed the password for WiFi access, but for admin access to the router as well? If you answered, “no” to any of these questions, your network may be ripe for a home security breach.

Why should I care if someone I don’t know uses my home WiFi?

Let me spin a tale.

Let’s suppose you have just purchased a brand-new WiFi router, the awesome Acme2000-LS/4x. It has a powerful signal, easily reaching to the back garden, where you can sit out under the trees and work in the morning as the bird Luftwaffe fills the neighborhood with its lovely song.

You are not a home network newb, so you change the access password to a long and complex code phrase, say, “##burn$-L@n3-i$-th3-be$T##”. You also add a guest account password and disable the account, so you don’t have to worry about granting network access to visitors.

After an evening spent streaming video to your really huge flat-screen, and noting happily that your new router handles the data stream with nary an hourglass pause, you go to bed confident that your home network is secure.

But while you are sleeping soundly, BadAx sneaks around the neighborhood, looking for strong WiFi signals to hijack. BadAx sneaks up your driveway and smiles, noting your SSID is acme2k30322. A quick search on Acme’s website and BadAx has downloaded the user’s guide for your sparkling new router.

Of course, BadAx first tries the default password. Just a few years back nearly 35% of users never changed their default WiFi passwords. These days it’s down to 10%, so BadAx is only slightly disappointed when he doesn’t get immediate access to your network. Only slightly, because, according to the user’s guide, the admin IP address for your router is 192.168.1.1 and the default password is “administrator123.” A few keystrokes later and he’s in.

For BadAx, some nights are better than others.

He removes the access restrictions on the guest account, enables it, and logs in as a guest, roaming through all of your network devices, backup drives, file systems, etc. Before leaving, he reinstates the guest-account restrictions and disables the account. You will never know he was there, and BadAx knows he can get in any time he wants.

And there on your network backup drive is a lovely PDF of last year’s tax return, with birthdays and social security numbers and everything a bad actor needs to know to take over your identity.

We all know how this story ends.

Why are you telling this tale of woe?

Tracy alerted the board about this article in the Peninsula Chronicle. The City of Williamsburg is offering cyber security training to a limited number of residents.

The course is offered by a company called KnowBe4, specializing in security awareness training. Williamsburg employees have been using this training for several years, with the city claiming a significant drop in simulated breaches.

The article makes no mention of any reduction in actual breaches, but I doubt the city’s CIO would make such information public anyway.

Simulated or real, the city believes the training is worthy to be shared.

“KnowBe4’s training has demonstrably reduced the risk of a cybersecurity threat reaching the city organization,” Williamsburg’s Chief Information Officer Mark Barham said in a release. “We want our residents to have the necessary information and awareness to protect their cybersecurity at home in much the same way.”

https://peninsulachronicle.com/2023/02/07/williamsburg-offering-cybersecurity-training-to-residents/

Is the training worthwhile?

I’ve attended a lot of cyber security training courses over the years. A lot. At best they are informative, engaging, accurate, and short. Very few fall into this category. At worst they are full of jargon, or are full of falsehoods, or are dull, or are too long, or are buggy. Sadly, most of the courses I’ve taken have one or more such fatal flaws.

I decided to take the course myself before issuing a recommendation, and was pleasantly surprised to find the training accurate, informative, not completely dull, not overly long-winded, and nearly bug free. While that may sound like damning with faint praise, it actually isn’t. I went through the entire course in about two hours, and not once did I have to get up, stomp around, curse, or lift my fists in rage.

So yes, this training is worthwhile and I recommend it.

Is it comprehensive?

I’m glad you asked. Actually, there is one subject the course does not address: smart homes.

I am not an expert; however, I did attend a lecture a few years back by a W&M professor, whose name I sadly do not recall. He discussed security vulnerabilities of systems such as Nest and the Apple Home app. In a nutshell, the security of your home internet-of-things is only as good as the least secure “smart” item connected to your smart home application.

For example, assume you have a ‘smart’ lightbulb connected to your Home app. You can use the app to turn the light off and on, change its color, or even make it blink. But tell me, how much effort do you think the company making your light bulb put into security?

Right. Probably none.

So someone might be able to hack your light bulb and get access to your Home app.

I won’t write any more about it here because I am completely unqualified. I just wish KnowBe4’s course addressed the issue.

How do I sign up?

You could click this link, although the security training will tell you not to click links in random websites taking you to sites asking for personal information. And this link will redirect you to a form asking for personal information to verify your resident status. What you should do is type the following directly into your browser: williamsburgva.gov/cybersecurity.

You will get a signup form, and after completion the city will send you an email from [email protected] with instructions.

The training is available to a limited number of residents, although I see no information about the exact number. When I checked the link to the signup form this morning it was active, so I’m guessing there are still slots available.

I took the course using my 2017 iPad, and I found the display to be just a bit buggy. I recommend either using a more modern notebook or phone, or perhaps your laptop.

Good luck with the course, and let me know in the comments if you want me to find someone to speak about smart home security.
