Home Tech: Some security tips

Yesterday I sat the ISACA Cybersecurity Fundamentals exam as part of my programme of continual professional development.   This got me thinking about what tips we might give our students in making their home technology a little bit safer.     As such I came up with the points below:

  • Passwords: This is an obvious one!   Make sure all devices connecting to your network have appropriate passwords set.    The longer the passwords are the better.    Also avoid using passwords across multiple devices and/or web services.
  • Network Devices: Any accessible devices such as Wi-Fi printers, network web cams, etc. represent a possible intrusion point.    It is therefore very important that you check the default settings for devices, especially in relation to the security settings and also any default access passwords, which you should immediately change.
  • Wi-Fi SSID: Make sure your SSID doesn’t give any info away about your router.   By default the SSIDs are usually something like SKY35735 or DlinkWD501 or similar giving hackers a starting point in that they now know the make and possibly the model of the device they are seeking to compromise.    As such it makes sense to change the default password when initially setting up your router.
  • Router Admin Password: The default admin password and username are often set to simply “admin”.  This means once in, a malicious actor can easily take admin control of the router and leave themselves a permanent back door to your network, resources and data.    Another key tip therefore is to change the admin password or both the username and password.
  • Web Admin: By default web admin is usually enabled, meaning a user can access the administrative interface of the router via Wi-Fi. Disabling this means that to access the admin interface a user would need to be physically connected to your home network or router, thereby reducing the possible access and the associated risk.
  • Wi-Fi Security: Make sure that you have either WPA or preferably WPA2 enabled in your Wi-Fi security settings.   This is all the more important if you have an older router which may still be using WEP or even worse a router where the default is set to Open and therefore no security is applied.

The above are just a couple of tips, of which many more could be added specific to different types of devices, operating systems, manufacturers, etc.    Hopefully the above represents a useful starting point.

 

Progression of classroom tech: Remembering the OHP

When I first trained as a teacher the main teaching aid was either an overhead projector or more commonly a roller blackboard. I remember taking an LCD Panel to a school during school placement visits as a trainee teacher. This device sat on top of an OHP and was connected to a laptop, allowing me to project whatever I had on my laptop screen. The staff loved this new piece of tech as did the students. This device was the precursor to the now common data projector which combines the OHP, and its light source, with the LCD Panel, into a single device.

So why the reminiscing?   A recent article in the TES titled “The pedagogic perfection of the overhead projector – and why interactive whiteboards alone wont ever match it” got me thinking back.

The article highlights the importance of facing a class when interacting with them and how the Interactive Whiteboard isn’t supportive of this. I agree with this point, which is no surprise given my general dislike for the interactive whiteboard as a classroom technology. I have always found the whiteboard as a fixed focal point at the “front” of the class to be limiting. I also find the fact it is stuck in place as a restriction. My preference for some time has been towards mobile devices, such as the iPad, a data projector, a screen sharing setup and a writeable board surface. With this you can accomplish everything you can with an interactive whiteboard and more, at less cost, assuming we are only first looking at issuing a teacher device. It is also a portable solution which can be taken around the class as a tool to work with individual students as well as being taken to the staff room and home to prepare lessons. It’s also a method of recording student progress and building a portfolio through taking photographs... and that’s before we look at its benefit as a productivity tool in helping teachers in managing tasks, calendars, email, etc. Student devices, either BYOD or school issued, add further to this setup and even more so where a 1:1 student:device ratio is achieved.

The author of the article goes on to identify digital ink as the next progression in the technology and I have to agree. With digital ink we have the ability to annotate, draw, sketch, highlight, etc. all with a high degree of accuracy, with students instantly having the resulting resources at their fingertips, with the ability for them to add their own contributions. You may be thinking you can do the same with an IWB but the accuracy with inking is higher, as has been attested by students. Also you retain the ability to face the class as opposed to having your back to them, plus you can take it with you to a student’s desk as opposed to it being bolted to the wall at the front.

In thinking back I can now see the evolution of the central classroom tech during the period I have been teaching.   Chalk boards then OHPs, Whiteboards, LCD Panels, Data Projectors, IWBs, iPads and Digital Inking bring us to where we are now.    Each step has seen improvements, new facilities and developments however often supporting old approaches.   Digital inking seems a lot like the annotations I used to draw on my OHPs during lessons, something also identified by the writer of the TES article.   The question I now wonder is what the next evolution will be?

 

 

image from wiki commons by mailer diablo (Creative Commons BY-SA 3.0)

The internet isn’t working!!

“The internet doesn’t work”

A statement heard in my home the other day as my wife tried to access an app on her mobile phone. I am sure the very same statement may have been uttered in households across the UK and beyond. In itself it seems like a simple enough statement. The issue is that it is a gross oversimplification.

So let’s work through some possible issues. First of all the issue could have been with the specific app which my wife was trying to use. The issue may instead relate to the operating system of the phone, which in this case was Android, or to the physical hardware of the phone. Maybe Wi-Fi was turned off on the phone or it was in aeroplane mode. If the issue isn’t in the software or hardware of the phone it could relate to a weak wireless signal due to interference or just poor reception resulting from distance or from obstructions between the device and the wireless access point or router. The issue may relate to the Wi-Fi password and/or the security settings for the wireless network. This brings us to the wireless access point or router which may represent an issue in terms of its functionality or its configuration. At this point there are already a large number of things which might account for the issue being so vaguely reported, however this is only a small number of the overall possible causes.

Other issues could be an issue in relation to DHCP within the router, assuming we are looking at your average home network. It may be that the router is blocking traffic possibly. Another option is the actual connection between the router and the ISP. This may be incorrectly set up or there could be a physical issue in the line. Maybe I haven’t paid the bill and the ISP has cut my home off. Issues with the Domain Name Server (DNS) are another possible issue as are issues with the actual server with which the app is trying to communicate.

And the above only represents some of the possible causes, with other options and combinations of options being possible, and yet for all the possible causes the issue is simply presented as “the internet doesn’t work”.

Technology has become a necessity rather than a luxury. We need it for banking, accessing council services, accessing government services and communication among many other areas. As such we expect it to work, and that is simple; it either works or it doesn’t. So when it doesn’t we make simple statements, which I believe highlights our generally simplistic understanding of technology, and yet we bring more and more technological devices into our home. Do we truly understand how this tech works? Do we understand the implications of using it? Do we know how to use it in a safe and secure manner?

I would suggest the answer to the above questions is No and yet we worry about the lack of understanding of our students. How can they hope to understand and be safe with technology when we adults, the ones who they are taught by, parented by and their role models, generally don’t? Let’s stop using these concerns for limiting and blocking technology use, and instead let’s explore technology use with our students and children, making mistakes, and learning as we go.

IT Support Issues

At the front line in the classroom the concerns around technology use have focused on issues such as phone addiction, privacy settings, screen time and fake news to name but a few of the issues reported in the press in recent months.     I decided during my presentation at King Edward VI earlier this week to try and get some input on what the concern areas are for those behind the scenes, from the IT support or IT Services leaders of a number of schools.

As such the question I asked was “What is the worst thing that could go wrong?”

During my 2 sessions two very evident themes seemed to come out from the responses I received.

Only one response indicated that IT and Safeguarding was an issue.   I found the fact that only one person gave this response despite a keynote presentation specifically on online safety earlier in the day, to be a surprise.    I have to admit that in creating my presentation on IT support issues I omitted safeguarding however on reflection it should most definitely have been included.   I believe the issue here is that support staff spend most of their time with the systems including software and hardware, plus the users.   As a result, they focus on these areas as areas where things will go wrong.   This is due to these areas coming easily to mind whereas safeguarding doesn’t quite come so easily to mind.

Two responses referred to loss of staff skills and knowledge following staff leaving.   Personally I think this issue could be expected to arise in any domain, aside from education, where there is a technical skill requirement.    Losing staff and their skills, experience, knowledge, etc. is of concern.

A lack of documentation was raised by one person.     I think this relates partially to the above either in terms of a staff member leaving or to a staff member being ill or otherwise absent where their activities have not been documented such that others cannot pick up their tasks.

The first of the two main themes among responses relates to a disaster event such as a fire which impacted on all or key systems, or a technical failure of key systems. These represent quite significant disaster events in that they would most likely impact on a number of school activities including access to files for teaching and learning, lesson registration, finance and payroll and general communications. I believe these responses related to people imagining the perfect storm of a number of minor issues joining to become a major issue or a major event such as a site fire, etc. It is no wonder given the complexity of systems that such an incident with such a wide impact is of concern and commonly was raised by those who provided responses.

The second of the two main themes related to data loss or data breach. This doesn’t surprise me as schools and other UK organisations prepare for the introduction of the General Data Protection Regulations in May of next year. The conference event itself included a session on data retention and destruction including a number of references to GDPR. There has also been a large amount in the press as of late on data breaches, again helping to make such data loss or data breaches take centre stage in the minds of the attendees who responded during my sessions.

I would say the responses received were generally as I expected especially in relation to data. With GDPR being implemented in May and so many data breaches reported in the press it is no surprise that this area is of concern. A widespread disaster is also a predictable concern as it involves considering the worst that could happen and this usually would involve multiple complex issues combining or a disaster event such as a fire. The fact that safeguarding didn’t figure so highly however is a little of a surprise and maybe something we should consider carefully. I suspect this is due to safeguarding not coming easily to mind. As such we must make efforts to bring it to mind more often, to consider it more often as a concern for IT support as much as it is for teachers. How can we make students safe without suffocating them in filters and blocks? How can we support and guide them to make the correct choices? How can we better educate them in relation to the technical issues especially around privacy, safety and security?

Above all staff, both IT Support and also teaching staff, should work in partnership to prepare our students to thrive in this ever technological world.

Kings ICT Conference 2017

On Monday I was involved in the King Edward VI ICT conference where a number of interesting presentations and workshops were put on.   This is the 2nd time I have attended the event, this time being involved in presenting as well as listening.

I found the talks on offer to be both topical and interesting starting off with the keynote on Online Safety, previously known as e-Safety, by Karl Hopwood.    I have now seen Karl present on a number of occasions.   As always his focus on the “how students are using technology” as opposed to the “what” comes through clearly.   It doesn’t matter which app students are using, whether it is Facebook, Twitter, Snapchat, Yellow, etc.   What matters is the purposes and the method of use.    He also explained using personal anecdotes the reasons why students may not raise issues with the adults who may be able to assist them through fear of losing their access to technology and to personal devices.    This represents a key challenge in opening up channels of communication with students such that they both know who they can speak to and also feel comfortable in doing so.

The presentation by Cal Leeming on hacking was a very interesting session in terms of Cal’s frank discussion of the risks associated with hacking plus his view on how students should be supported where they are beginning to experiment and explore technology. I found he made a lot of sense in his comments around making vendors “criminally responsible”. If a vendor is processing another organisation’s data and a breach occurs, and where the owner of the data has carried out all required due diligence, should the vendor not be considered liable? Where a vendor supplies hardware which has poor security capabilities should they not be considered responsible? I think this makes a lot of sense, and it aligns with some of my thoughts as included in previous postings. The new GDPR regulations will help move us in this direction in some respects, however there is further work to do especially in relation to hardware vendors of IoT devices and other home network devices.

On a related topic to Cal, Christopher, the director of IT at Harrow, presented on Data Retention and Records Management. Given the impending introduction of the GDPR rules in May of next year this presentation was very well timed. It was useful to hear the process which Chris and his team went through as they looked to move towards a paperless record system with a clear policy and processes around data retention and destruction. This will be a key area on which I will need to work over the coming months.

Overall the day was a worthwhile event, and it was even sunny for the drive home. I left with plenty of ideas and areas to work on between now and next year’s event. I am sure time will fly, and before I know it I will be preparing to attend next year’s event. I look forward to it.

Big brother?

Big brother is truly watching us.     This week already I have read two articles in relation to devices we are now bringing into our homes to make life easier, however where there are other considerations which may be overlooked.

The first of the two articles related to the Amazon Echo device (Amazon hands over Echo ‘murder’ data, BBC). The Echo is one of a couple of voice activated devices which is designed to make life at home easier. The idea is that you can control home internet enabled devices via voice commands and the Echo. The recent adverts for the Echo include people using voice commands to help locate their mobile phone which has been humorously swallowed by the user’s dog, to turn on the lights at home and to change the volume on music which is being played as just some examples. Google offer a similar device called the Google Home.

The issue here relates to privacy in that these devices are always listening with at least some of the data uploaded to a cloud server somewhere.    The purpose of gathering the data is to help in generating better and more accurate understanding of natural language so that the software within the devices can more accurately respond to human instructions and queries however the issue is not in the intended use, but in other possible uses.

An article on the BBC website refers to a murder case where the accused has consented to allow data gathered from an Echo device to be used in the case. This clearly wasn’t the intended use of the data gathered by Echo. In this case the outcome should hopefully be positive in helping to prove either guilt or innocence but other uses may be less than positive. Would we be happy about the government, spy services, police, etc. spying on us using this data? Would it be acceptable for this data to be used in user or home profiling by marketing companies? Would it be acceptable to use this data in relation to identifying people’s political allegiances in the approach to an election? These are just a couple of possible uses where the ethics are a little questionable. There are likely to be many more possible uses with new uses continuing to emerge with new technologies. Is the benefit of the device comparable to the risk or sacrifice? Also, surely this data constitutes personal data so how is its sharing and processing controlled in relation to Data Protection and the soon to be implemented General Data Protection Regulations (GDPR)? Is the info in relation to this buried in difficult to understand and seldom read terms and conditions statements?

The second article related to the CIA and the recent leak of hacking tools which they had including tools designed to compromise Smart TVs (WikiLeaks says the CIA can use your TV to spy on you, Guardian). Similar to the issue around the Echo, again we have an always listening device, however in this case it is also always watching too, as it searches for gestures as part of its gesture control functionality. Here the benefits are never losing your remote control down the side of the sofa, however the drawbacks seem to include the CIA being able to hack your system and watch what you are doing. This also goes to show that although the purpose for the data was clear an outside actor, in this case the CIA, found a way to gain access and make use of it. If they can do it, and given it is now public knowledge that it is possible, it is highly likely others can or will also achieve this. Again another internet enabled device brought into the home, however again a risk. Is the benefit of the device comparable to the risk or sacrifice?

The world loves its gadgets with people quickly adopting the next thing.    Vendors such as Google, Amazon and Samsung play to this while constantly striving to make their devices as secure and safe for their user base as possible.    The issue is that these vendors also want these devices to be easily installed and configurable by end users with limited IT abilities which limits the security options available.   It also tends to mean that a system of simplistic defaults is used meanwhile we have hackers and government sponsored agencies trying to compromise these devices.

I wonder whether as the Internet of things continues to take off we will see a growth in home infrastructure security devices.   I also wonder whether there is now a greater need to have discussions with students in schools in relation to these issues, including discussing specific incidents like the ones above.    We need the adults of the future to be able to judge and balance benefits against risks, in order to make informed decisions about the increasing number of internet enabled devices making their way into our homes.    We also need them, as they become the government officials of tomorrow, to understand the implications of technology.

 

Online safety and home infrastructure

Technology has become an important part of the life we now lead.    Social media, games consoles, smart phones and voice recognition systems like Amazon’s Echo are now all part of normal life.    This technological change has brought many benefits however there are already some indications of the implications of technology use.

We have already seen discussions about technology addiction. We have also seen discussions around unforeseen implications arising from technology use, such as the impact of parents posting their children’s every move on social media; how do they feel when, as adults, photos of their every childish endeavour and mishap are easily found on Facebook?

Then we have the issue around cyber or online safety.   This is an issue that I find of particular interest.  There has been a particular focus around being careful in relation to passwords in particular, and to the information shared on social media, however this seems to take for granted that the infrastructure we are using our technology to access is secure.

The home will have a Wi-Fi network, connected to which there may be a wireless printer, a laptop, a couple of phones and maybe some other internet connected devices. But have sufficient security precautions been taken?

Maybe the Wi-Fi network was set up straight from the box it was supplied in, with little adjustment of its configuration. As such the default Wi-Fi SSID may give away the make of the router which would help anyone wishing to compromise the network. Has the default admin password for the router been changed and has Wi-Fi access to the administrative interface been disabled? If not then malicious access is all the easier. Has WPS been disabled and have the appropriate security features such as WPA rather than WEP been enabled?

The games console has father’s credit card details entered in it for purchasing and downloading games, however the password is shared with his Gmail account, Facebook account and a couple of other services. As such should any service be compromised then all services are likely to be compromised given the common email address and password used across accounts.

A new wireless printer has been set up, but again has been left configured as it was in the box it arrived in.   As such the admin password is set as the default.    Should someone gain access to the network they can therefore easily use this device to gain a permanent foothold within the network.

The laptop doesn’t have any anti-virus software on it and the Windows firewall is turned off. Also Windows updates haven’t been carried out in over a year, leaving the operating system seriously out of date.
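The checks from this scenario, together with the list in “Home Tech: Some security tips”, can be written down as a small audit over an inventory of the home network. This is an added example, not part of the original post; the inventory field names, the vendor prefixes other than SKY and Dlink, the default-login set and the 30/365-day update thresholds are assumptions, and the sample data is constructed.

```python
import re
from collections import defaultdict
from datetime import date

# Assumed vendor prefixes; SKY and Dlink are the examples given in the post.
DEFAULT_SSID = re.compile(r"^(sky|dlink|netgear|tp-link)[\w-]*\d", re.IGNORECASE)
# Severity per Wi-Fi mode; None means acceptable, unknown modes count as high.
WIFI_RANK = {"open": "high", "wep": "high", "wpa": "medium", "wpa2": None, "wpa3": None}
# Assumed set of factory logins to look for.
DEFAULT_LOGINS = {("admin", "admin"), ("admin", "password"), ("admin", "")}


def audit(network, today):
    """Return (severity, item, message) findings for a home-network inventory."""
    findings = []
    router = network["router"]

    if DEFAULT_SSID.match(router["ssid"]):
        findings.append(("low", "router", f"SSID {router['ssid']!r} reveals the router make"))
    severity = WIFI_RANK.get(router["wifi_security"].lower(), "high")
    if severity:
        findings.append((severity, "router",
                         f"Wi-Fi security is {router['wifi_security']}; use WPA2"))
    if router["wps_enabled"]:
        findings.append(("medium", "router", "WPS is enabled"))
    if router["admin_over_wifi"]:
        findings.append(("medium", "router", "admin interface reachable over Wi-Fi"))

    # Factory admin logins on the router and on every other network device.
    for dev in [router, *network["devices"]]:
        if (dev["admin_user"], dev["admin_password"]) in DEFAULT_LOGINS:
            findings.append(("high", dev["name"], "default admin login still set"))

    # One password shared across services: a breach of one exposes them all.
    by_password = defaultdict(list)
    for acct in network["accounts"]:
        by_password[acct["password"]].append(acct["service"])
    for services in by_password.values():
        if len(services) > 1:
            findings.append(("high", "accounts",
                             "password reused across: " + ", ".join(sorted(services))))

    for host in network["computers"]:
        if not host["antivirus"]:
            findings.append(("medium", host["name"], "no anti-virus installed"))
        if not host["firewall_on"]:
            findings.append(("medium", host["name"], "firewall is turned off"))
        age = (today - host["last_update"]).days
        if age > 30:  # assumed threshold; over a year is rated high
            findings.append(("high" if age > 365 else "medium", host["name"],
                             f"last OS update {age} days ago"))
    return findings


# Constructed inventory mirroring the household described in the post.
AS_UNBOXED = {
    "router": {"name": "router", "ssid": "SKY35735", "wifi_security": "WEP",
               "wps_enabled": True, "admin_over_wifi": True,
               "admin_user": "admin", "admin_password": "admin"},
    "devices": [{"name": "printer", "admin_user": "admin", "admin_password": "admin"}],
    "accounts": [{"service": s, "password": "Summer2016"}
                 for s in ("games console", "Gmail", "Facebook")],
    "computers": [{"name": "laptop", "antivirus": False, "firewall_on": False,
                   "last_update": date(2016, 1, 10)}],
}

if __name__ == "__main__":
    for severity, item, message in audit(AS_UNBOXED, today=date(2017, 3, 10)):
        print(f"[{severity:6}] {item}: {message}")
```

Once each setting is corrected in the inventory (non-default SSID, WPA2, WPS and Wi-Fi admin off, unique passwords, current updates), `audit` returns an empty list.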

The growth of technology in modern life is very much related to its ease of use, however the technology itself is far from simple. Although the default configurations and setups get things going, they are generally not the best solution in terms of safety and security, yet the majority of users have neither the understanding nor the skills necessary to make the required changes. With this in mind I think it is important to not only teach our students about safety in relation to end client devices and apps, but also about the safety aspects of setting up and maintaining your home infrastructure.