(This is another special posting by Suzy. I hope you enjoy it.)

One of the “mind candies” I enjoy each year is the Mindset List issued by Ron Nief and Tom McBride from the small liberal arts Beloit College in Wisconsin. Originally established to help their own faculty be aware of out of date references, it has now become a touchstone for many of us. We are a youth oriented society, so it is always good to see what the influences are on the current generation of young people, or what influenced you for which they lack any reference.

The current group of rising freshmen was born when our youngest son was preparing to go to college so I found this year’s list particularly poignant. Some of the items on their lists are a bit jarring while others are just a little evocative of our own benchmarks in life.

This incoming class was in kindergarten for the attack that caused the World Trade Center Towers to fall. They generally binge-watch their TV shows on a device other than a TV. “Press pound” on the phone is now “hashtag.” Celebrity “selfies” are better than autographs. The water cooler is no longer the workplace social center; it’s the place to fill your water bottle. Women have always attended the Virginia Military Institute and the Citadel. Hong Kong has always been part of China. Students have always been able to dance at Baylor University. Bill Gates has always been the richest man in the U.S. If you wish to see this year’s complete list, or those of previous years, go to https://www.beloit.edu/mindset/2018/

As you read through the various lists for different years you can watch our societal norms shift. Electronics, and how we use and depend on them, are ever changing. The bit about binge watching TV was one of those. When we first married we didn’t bother to purchase a TV. Today’s young folks often make the same decision for a very different reason. We just had neither the intent nor the time to watch any shows as we adjusted to our first year of marriage and full time jobs and graduate school all at the same time. Eventually, we got a television. It was color, but used vacuum tubes, not solid-state electronics, to put the picture on a large cathode ray tube. That is the large CRT screen most people sort of remember. Ours was a big nineteen inches diagonally on a rounded-corner, dark taupe colored square. It lasted us well over a dozen years and only needed one repair, because of the helpfulness of our oldest son when he was about four. One afternoon our home phone rang and I turned off the iron and ran upstairs to answer it. We had two phones, one in the kitchen and one in our bedroom, but they were both upstairs and hard-wired into the wall. Our son was watching Sesame Street while I was ironing in the downstairs family room. When I walked back downstairs from the phone call I noticed that the TV was quiet, so I asked him how long the sound had been off. I received one of those vague looks that children are so very good at giving you when they have no intention of answering. I tried another tack: had he turned the volume down? I got a “no.” I then changed channels to see if it was just that one station, but there was no sound anywhere. Becoming somewhat suspicious due to the looks I was getting with no accompanying verbiage from our usually very voluble son, I asked him to recount exactly what had happened just before the sound went out.
Seems he had taken my spray-bottle of water from the ironing board and attempted to “clean the TV” by putting the nozzle of the bottle to the very small hole in the center of the channel-changing knob. The cold water had reached one of the hot vacuum tubes. When Walt got home he turned the set around and saw which tube was out, and drove into town, purchased the correct tube, came back and fixed our set.

Ah, the societal changes in that one paragraph. Yes, we had all of two telephones, which received calls to the house number, and they were owned by AT&T, affectionately known as Ma Bell. It was still a couple of years before that monopoly was broken up and we would be permitted to purchase our own phones. Those old phones were workhorses that rarely if ever wore out. Ours were newer and had push buttons, even if they had no caller ID. Actually the keypad was the only thing they had. Then again, that was all any phone had. Who would do anything except try to talk to someone a distance away with a phone? At one point it was a fad to play a musical riff by tapping the keys, but it paled quickly as a form of amusement. We were still repairing many of the household appliances in our homes, often by ourselves, but sometimes taking them to repairmen. There was some planned obsolescence, mostly in the expected three-year life span of a car. The man who sold Walt the vacuum tube knew what sort of TV we had and that our problem was lack of sound just from which vacuum tube needed to be replaced. Walt built many of our first electronic machines from kits. We became very familiar with the component parts. One evening he made a wrong connection that caused spectacular arcing of electricity in our kitchen. Today’s electronic toys are built with tiny silicon chips that require special labs to manufacture. Most washable clothing still required ironing, especially men’s business shirts, which took a fair amount of time each week. I no longer had to sprinkle everyday shirts with water and allow them to sit before pressing, but deep wrinkles released better with a light misting of water, hence the spray bottle on the ironing board. And we watched the show that was on at the time. Ergo, PBS was showing Sesame Street in the late afternoon, after most children’s naptime, and I could iron the clothes while I supervised what was being watched on TV.
We also had to gather in front of the TV, not play something on an electronic device that we carry with us or have available in the car. Some shows were still an event that we would watch together, or at least discuss near that social center, the water cooler, the next morning. Much of our slang came from tag lines in these shows. Things such as “Where’s the beef?”, which has come and gone from our vernacular. It did have the advantage of suppressing spoiler alerts, as you watched a show only when it was on. We couldn’t time shift it for convenience’s sake.

None of this is a value judgment. It’s just fun to take note of how the times, they are a changing.

The last word:

These mindset changes are important to your company, the government, and even each of us individually. These mindsets will drive the future. There are now more millennials than baby boomers in the US. The millennials are a much more diverse group than the boomers, and a lot more accustomed to a world where everything is changing at an ever faster rate.

The only constant is change.

Comments solicited.

Keep your sense of humor.


A few weeks ago my wife and I went to the Clark Art Institute in Williamstown in the northwest corner of Massachusetts. This is a fabulous, small art gallery with many of the paintings you learned about in your Art Appreciation or Art History course. But from September 6 through November 2 it also has one of the four original copies of the 1215 Magna Carta. For the first time, one of these original copies was in the US – the copy in the National Archive in Washington DC is from 1297.

The document was copied by hand, in very small letters, with a quill pen and dipped ink. The letters have faded and the parchment has discolored, and while my Medieval Latin is rusty enough to limit how much of the script I can comprehend, the document is still readable 799 years later.

In another case of amazing longevity for saved data, a friend of mine was able to get data from computer tapes from the 1960s. The story of finding the tapes, finding a tape drive that would read them, and a company that had the technology and process to make it all work makes that data recovery remarkable. If you have data on floppy disks (remember them?), try to figure out how you would access it.

Is it even possible to save today’s data for 800 years? Maybe, but not easily.

You need four things in order to save data for the long term:

  1. A digital copy of the data.
    For digital data, that is fairly easy; just copy it. For analog data, like vinyl records, magnetic tape, or paper, you need to first get it into a digital electronic form. In the case of the 1215 Magna Carta, the four existing copies are not identical. Since it was copied by hand, sometimes by monks who could not read, there are accidental differences among the copies. The same thing happens with analog data – every time you read it you damage it, and any copy is modified from the original.
  2. Media that will last for the time period you want.
    CDs and DVDs are probably good for up to 20 years. Thumb drives are often assumed to last longer, but flash memory holds each bit as a trapped electrical charge that leaks over time: unpowered retention is specified in years, not decades, and it gets shorter as the cells wear. The wear itself comes from erase / write cycles, not from reading; even an inexpensive thumb drive will support roughly 3,000 to 5,000 of them. The physical connector is another limit: USB connectors are only specified to withstand about 1,500 insert / removal cycles. For an archive that is written once and read rarely, neither wear nor connector life is the problem; charge leakage is, so a thumb drive sitting in a drawer still needs to be reread and rewritten on the same refresh cycle as everything else.
  3. A device to read the media later.
    The latest Macintosh desktop I have has no optical drive. While I could still purchase one, it is likely that ten years from now it will be difficult to find a drive to read CDs or DVDs. At some point, USB ports will also disappear, to be replaced by some newer, better, faster, cheaper connection mechanism. For a while there will be gadgets that will still accept that thumb drive, but quicker than you can imagine it will be very difficult, and expensive, to read a thumb drive.
  4. A program to read the data.
    Perhaps the most significant long-term risk is having some program that can interpret the data on the media. With the 1215 Magna Carta, all I would need is my eyes, a magnifying glass, plus a refresher course in old Latin. Try to find a program that can read a Microsoft Word document created in the early 1980s, or worse a document created by a program published by a company that no longer exists. I lost some drawings I had created in an extinct Macintosh program that does not run on current hardware and operating systems. Fortunately, I didn’t really care, but it was annoying. For long term storage, I suggest not using the native program format (e.g., .docx) but creating PDF files, preferably in the PDF/A archival profile, which requires fonts to be embedded and forbids the encryption, scripting, and external references that make an ordinary PDF depend on its surroundings. I expect that PDF, standard picture formats like .jpg, and iTunes compatible formats for music will still be readable for decades, or at least give you time to convert the file formats. If you do need to keep the native formats, plan on running a test before you completely move to a new version of a program, a new platform (e.g., Macintosh to Windows or vice versa), or a new major operating system release. If it looks like it may be a problem, convert to a newer or different native format before you make the jump. A good rule of thumb is to update the native format files at least every five years anyway.

In general, you should not expect to successfully get data from stored electronic media after ten years, and you should plan to refresh your long-term data storage every five years or so. Each refresh should also verify every file against a checksum recorded when the archive was created, because a copy faithfully reproduces whatever corruption the old media has already suffered. So you could endow an organization to do the refresh and verification every five years and have some expectation that your data would still be accessible in 800 years.
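As an added illustration of that refresh check (my own example, not code from the original post), here is a fixity manifest: a SHA-256 per file recorded when the archive is created, then recomputed on every copy and compared before the old media is discarded. The directory names, file names and contents below are constructed for the demonstration.

```python
"""Fixity manifest for a long-term archive refresh.

Added example, not code from the original post. When the archive is first
written, record a SHA-256 for every file; each time it is copied to fresh
media, recompute the digests on the copy and compare. A bit that flipped on
the old media, or a file that did not make it across, is caught before the
old media is discarded. All paths, file names and contents here are
constructed for the demonstration.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # read 1 MiB at a time so large files need not fit in memory


def sha256_of(path: Path) -> str:
    """SHA-256 hex digest of one file, streamed in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for block in iter(lambda: handle.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (path relative to root, POSIX separators) to its digest."""
    return {
        path.relative_to(root).as_posix(): sha256_of(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def verify_copy(root: Path, manifest: dict) -> dict:
    """Compare a copy of the archive against the manifest taken from the original.

    Returns four lists: "ok", "corrupt" (digest differs), "missing" (in the
    manifest but not on the media) and "unexpected" (on the media but not in
    the manifest). Accept a refresh only when "corrupt" and "missing" are empty.
    """
    current = build_manifest(root)
    report = {"ok": [], "corrupt": [], "missing": [], "unexpected": []}
    for rel_path, expected in manifest.items():
        if rel_path not in current:
            report["missing"].append(rel_path)
        elif current[rel_path] != expected:
            report["corrupt"].append(rel_path)
        else:
            report["ok"].append(rel_path)
    report["unexpected"] = sorted(set(current) - set(manifest))
    return report


def demo() -> dict:
    """Create a small constructed archive, copy it, damage the copy, and verify it."""
    with tempfile.TemporaryDirectory() as tmp:
        original = Path(tmp) / "archive_2014"
        refresh = Path(tmp) / "archive_2019"
        (original / "letters").mkdir(parents=True)
        (original / "photos").mkdir()
        (original / "will.pdf").write_bytes(b"%PDF-1.4 constructed sample\n" * 100)
        (original / "letters" / "1982.txt").write_bytes(b"Dear Walt, ...\n")
        (original / "photos" / "porch.jpg").write_bytes(bytes(range(256)) * 4)

        # The manifest lives beside the archive (and should itself be kept in
        # more than one place); here it is written as JSON.
        manifest_file = Path(tmp) / "archive_2014.manifest.json"
        manifest_file.write_text(json.dumps(build_manifest(original), indent=2))

        # Five years later: copy to new media ...
        shutil.copytree(original, refresh)
        # ... but one bit of will.pdf flipped on the old media before the copy,
        data = bytearray((refresh / "will.pdf").read_bytes())
        data[10] ^= 0x01
        (refresh / "will.pdf").write_bytes(data)
        # ... and one file was lost in the transfer.
        (refresh / "letters" / "1982.txt").unlink()

        manifest = json.loads(manifest_file.read_text())
        return verify_copy(refresh, manifest)


if __name__ == "__main__":
    for status, files in demo().items():
        print(f"{status:10s} {files}")
```

Running the script reports will.pdf as corrupt and letters/1982.txt as missing while photos/porch.jpg verifies; the point is that the flipped bit would have been copied silently onto the new media without the manifest. Keep the manifest file with the archive and in a second location, since a manifest lost with the media is no manifest at all.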

Or you could print a dozen copies on cotton paper and give one to each of a dozen monasteries or cathedrals in England.

The last word:

That monk who copied the Magna Carta would, other than language, be pretty much at home in England for the first 600 years of the document’s existence. After that, with the changes including the indoor plumbing that first appeared in England around 1890 in London, he would be more and more lost. He would however have to find a different line of work, maybe typesetting, after about 225 years.

He, like many of us, would be baffled by a world where almost everything changes every 20 years.

Comments solicited.

Keep your sense of humor.


Protecting Healthcare Data

Last time I wrote about The Need to Protect Healthcare Data, or perhaps more importantly the potential cost of not protecting it. This time I want to talk about how to do that in a non-disruptive way that will probably save your organization money while significantly reducing the chances of a major data breach involving hundreds or thousands of patient records. Of course, the same approach can be used to protect any kind of protected information from exiting en masse in any line of business.

The key is to protect the “crown jewels” – the database that contains the data that must be protected. Normally, these systems are implemented as three-tier environments. To keep the picture and words simple, in this discussion each tier has only one server but in a real implementation each tier is usually composed of multiple servers for redundancy or to provide the necessary performance.

  • The data tier contains the database server, which holds the database and runs the software that manages all access to it: no one can reach the data without eventually going through the database server.
  • The application tier contains the business logic that uses the database. These are the programs that implement information retrieval and update for the medical staff, capture information from medical device controllers, and handle data retrieval for meaningful use and billing.
  • The presentation tier is what interfaces with the user or another application system. It is often implemented as web services so that any device with a web browser can access the same information.

For example, when a doctor needs to see a patient’s chart from her tablet, she can use a browser or a special tablet application to ask for the current chart for “John Smith DOB 04/23/1945.” The tablet browser or application sends that request to the presentation tier, which authenticates the doctor if necessary and then passes the request to the application tier. There a program formats a query against the database and sends it to the data tier. The data tier retrieves the information and sends it back to the application tier, which formats the specific information for the chart and sends that to the presentation tier. The presentation tier then sends it to the tablet browser or application for display to the doctor.

While this may seem like a complicated process, it nicely separates the operation so that, for example, a different kind of user device with completely different display characteristics can be easily added by changing only the presentation tier, and usually just making a single change that will work independent of the specific kind of transaction. Similarly, it allows the application layer to perform additional validation on a specific transaction, such as verifying that the doctor is permitted by HIPAA to see John Smith’s information.

The goal is to limit access to the application and data tiers to only those specific devices that have a valid need to reach them. In particular, only the servers in the application tier should be allowed to access the servers in the data tier, and only the servers in the presentation and data tiers should be allowed to access the servers in the application tier. There are, of course, users called administrators who require direct access to the application and data tier servers. These are the people responsible for the management and operation of the applications and database. In most organizations, there are just a few database administrators and application administrators who must have direct access to those servers.

The solution described here uses the Unisys Stealth Solution. Stealth uses state-of-the-art encryption, but the key principle behind Stealth is that it only allows a device to communicate with another device if they share a Community of Interest, a COI. A COI is nothing more than a group of people and servers. Data can be shared freely within a COI, but must not be shared with any person or server not in the COI. In the usual Stealth installation, a user’s COI or set of COIs is specified in the site’s identity management system, the system used to authenticate a user at sign-on. If some device tries to access a Stealth-protected server or workstation without belonging to the same COI, the Stealth-protected device is completely invisible: it simply will not respond to anything from that device.


The picture represents each tier by a single server and shows one database administrator and one application administrator. As stated before, there are usually several of each. The red lines show the communication paths protected by Stealth. The black line represents clear-text traffic coming from the organization’s internal network or over the Internet. The Internet traffic should already be protected by some form of encryption such as IPsec or TLS (SSL). There are three Communities of Interest (COIs) in the diagram. The green dots represent devices in the DB COI, the blue dots devices in the Application COI, and the yellow dots devices in the DB Administrator COI. Only the database administrator and the application tier server can access the data tier server. Only the data tier server, the application administrator, and the presentation tier server can access the application tier server. Any other device attempting to access the data or application tier servers is completely ignored.

Since an individual administrator’s COI is determined at log-on time, it does not matter which workstation an administrator uses. When an individual signs on with a database administrator’s credentials, that session is given the DB ADMIN COI and can access the data tier server.

One Stealth implementation can protect multiple databases that are in the same network segment, i.e., are visible from each other in the network. Otherwise you can replicate the Stealth implementation as needed.

This solution has no impact on existing applications and is invisible to end-users and even to the database and application administrators. Capital savings come from not requiring as much network infrastructure such as firewalls. Operational savings come from not needing to reconfigure firewalls or other network security devices and applications. If an administrator is added or moves on, simply change your identity management system; Stealth then automatically permits or prevents the individual from accessing the database or application servers. Keep in mind what Stealth decides and what it does not: it decides which devices may talk to each other at all. A presentation-tier server that has itself been compromised still has a permitted path to the application tier, so the authorization checks inside the application layer, such as the HIPAA check described above, remain essential.

If you do not have a tiered implementation, or have collapsed the tiers onto a single server and therefore allow end users to directly access the server containing the database, then this mechanism does not help. Then again, not much would help in that situation. You first need to separate your environment into multiple tiers so that any security solution can control access to the database and application servers.
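To make the tier rule in the preceding paragraphs concrete, here is an added example of my own (not code from the original post and not part of the Unisys Stealth product). It writes the rule as a default-deny allow-list between roles, with administrators resolved by identity rather than by workstation as the post describes, and audits a flow log against it. The log format, addresses, and user names are assumptions constructed for the demonstration.

```python
"""Audit connection logs against the three-tier access rule described above.

Added example, not part of the original post and not the Unisys Stealth
product. It writes the rule as a default-deny allow-list between roles and
walks a flow log looking for connections the rule would not permit. The log
format, addresses, and user names are assumptions constructed for the
demonstration; an enforcement point (Stealth COIs, host firewalls, network
ACLs) would be generated from the same table.
"""
import re

# Servers by address and the tier (COI) each belongs to. Constructed inventory.
SERVER_ROLE = {
    "10.10.1.10": "presentation",
    "10.10.2.10": "application",
    "10.10.3.10": "data",
}

# Administrators who hold an admin COI. In the post this comes from the identity
# management system at log-on; here it is a constructed table, so the rule
# follows the person, not the workstation.
ADMIN_ROLE = {
    "dba_jane": "db_admin",
    "appadmin_raj": "app_admin",
}

# Default deny: a connection is permitted only if (source role, destination role)
# appears here. Everything else that reaches a protected tier is a violation.
ALLOWED = {
    ("presentation", "application"),
    ("application", "data"),
    ("data", "application"),  # the data tier answering the application tier
    ("app_admin", "application"),
    ("db_admin", "data"),
}

PROTECTED = {"application", "data"}  # the tiers the rule governs

# Constructed log line layout: timestamp, source, destination, destination port, user.
FLOW = re.compile(
    r"(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)\s+user=(?P<user>\S+)"
)


def role_of(addr: str, user: str) -> str:
    """Role for one end of a connection: a known server, an admin identity, or untrusted."""
    if addr in SERVER_ROLE:
        return SERVER_ROLE[addr]
    return ADMIN_ROLE.get(user, "untrusted")


def audit(lines):
    """Return (timestamp, source role, destination role, line) for every forbidden flow."""
    violations = []
    for line in lines:
        match = FLOW.match(line.strip())
        if not match:
            continue  # not a flow record; a real tool would count and report these
        src_role = role_of(match["src"], match["user"])
        dst_role = role_of(match["dst"], "-")
        if dst_role not in PROTECTED:
            continue  # the rule only says who may reach the application and data tiers
        if (src_role, dst_role) not in ALLOWED:
            violations.append((match["ts"], src_role, dst_role, line.strip()))
    return violations


# Constructed sample log. Lines 4 to 6 are the ones the audit should report.
SAMPLE_LOG = [
    "2014-09-12T10:15:01Z src=10.10.1.10 dst=10.10.2.10 dport=8443 user=-",  # presentation -> application
    "2014-09-12T10:15:01Z src=10.10.2.10 dst=10.10.3.10 dport=1433 user=-",  # application -> data
    "2014-09-12T10:16:40Z src=10.10.50.21 dst=10.10.3.10 dport=1433 user=dba_jane",  # DBA from her workstation
    "2014-09-12T10:17:03Z src=10.10.50.33 dst=10.10.3.10 dport=1433 user=nurse_pat",  # end user straight to the database
    "2014-09-12T10:18:22Z src=10.10.1.10 dst=10.10.3.10 dport=1433 user=-",  # presentation skipping the application tier
    "2014-09-12T10:19:05Z src=10.10.50.40 dst=10.10.3.10 dport=22 user=appadmin_raj",  # app admin reaching the data tier
    "2014-09-12T10:20:00Z src=10.10.50.33 dst=10.10.1.10 dport=443 user=nurse_pat",  # end user to the presentation tier: fine
]


if __name__ == "__main__":
    for ts, src, dst, line in audit(SAMPLE_LOG):
        print(f"{ts} {src} -> {dst} not permitted: {line}")
```

The three reported lines are exactly the cases the post warns about: an end user reaching the database directly, the presentation tier bypassing the application tier, and an administrator of one tier touching the other. Because the table is default-deny, adding a new device class (a reporting server, say) means adding one explicit pair, and anything you forgot shows up in the audit rather than silently working.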

The last word:

This mechanism does not protect against the accidental or deliberate loss caused by inappropriate actions of individuals who are authorized to access the data. This includes the file clerk who walks away from a logged-on workstation in a semi-public area, or the doctor who foolishly loads a couple of patient files on her son’s laptop at home. There are ways to reduce the chances of these kinds of incidents, and in super-sensitive environments it makes sense to make those investments. But they are very expensive and usually not worth the cost. While these errors are regrettable they rarely lead to fines or the risk of losing accreditation, or the CIO needing to find a new job.

As always, the key is to have a good security policy document and provide annual security training emphasizing to employees and contractors that you are serious about data security.

Comments solicited.

Keep your sense of humor.


Healthcare CIOs have some real problems today. The Affordable Care Act (ACA) is having a big impact on the industry. The rules themselves are changing as the US President makes changes to the law, and depending on the outcome of the November congressional elections in the US we may have a congress that makes additional changes. The behavior of insurance companies is transforming as a result of the ACA, and health care customers, like you and me, are changing the way we access health care as we learn, usually the hard way, what is and is not covered and how much it will cost us. Just adding millions of new customers can have a destabilizing impact to the industry.

On top of that, factor in the government mandated migration from paper records to electronic medical record (EMR) systems. While the end results are probably beneficial, the migration is nothing but pain over many months or years for most organizations.

If that wasn’t enough, a combination of factors, including the ACA, is leading to massive mergers of hospitals and medical practices into larger and larger enterprises. The dozens of hospitals that served my area a decade ago are now just a couple of mega-medical companies. These mergers and acquisitions offer the CIO the choice of reconciling and merging a number of totally different hardware and software medical systems into one, or figuring out how to run a business with multiple billing systems while keeping patient records accurate across multiple EMR systems.

No wonder that most of these CIOs do not have the time to be very interested in data security. There are millions of dollars of government rewards for moving to EMR and enabling Meaningful Use. Meaningful Use has the potential to provide significant benefits in health care and could lead to quicker approval of new uses for existing treatments, along with a significant increase in the potential for the government and insurance companies to misuse data about individuals. There are millions to be saved by quickly moving to a single software environment in these growing amalgamations of separate health care organizations. Besides, what’s the worst that can happen if a few records are stolen? It happens every day with doctors and file clerks accidentally leaving patient records out on an unattended desktop, or similar sloppy behavior at labs, pharmacies and hospitals.

To a large extent, that is a reasonable response. Even the desired end state of completely integrated EMR and billing systems plus a fully functional nationwide Meaningful Use infrastructure will not prevent these kinds of small errors. The loss of one person’s information is not a big problem for the medical institution.

However, the loss of thousands or millions of people’s medical records is a big problem for a medical organization. In my February 2014 posting The Cost of a HIPAA Breach I show that for significant breaches the cost in fines alone can start at $150,000 and easily rise to over a million dollars per incident. This does not include the approximately $200 for each lost record that it costs an organization on average to deal with a data breach.

A major data breach at your hospital or medical practice can cost millions of dollars in fines, plus risks the loss of your organization’s accreditation. It also often causes the CIO, or even the CEO, to seek employment elsewhere. If you think you have never had a breach, it is safer to assume instead that you simply don’t know yet about the breach you have had. Health care data accounted for 43% of major data breaches in 2013, and the Washington Post reported that over 30 million patients have been impacted by health care data breaches. Over 80% of data breaches are discovered by a third party.

For a longer look at these issues, check out Daniel Berger’s June 2014 What Healthcare CEO’s Need to Know about IT Security Risk paper. Mr. Berger is President and CEO of Redspin, Inc. Based in Santa Barbara, California, Redspin has become a leader in healthcare IT security and provides HIPAA security risk analysis and compliance, including meaningful use.

As your organization advertises its new treatment options, new care centers and new growth, a front page article that you have just lost thousands of patients’ data can negatively impact its reputation.

Next time I plan to talk about a way to protect the crown jewels of your IT infrastructure: the databases that contain your critical health care and financial data.

The last word:

In addition to the financial risks, hacking into health care records can kill people. Changing prescriptions, diagnosis, or test results, or modifying instructions to network-connected imaging, drug dispensing, and operating room equipment can kill or seriously harm a patient. Or a thousand patients.

Comments solicited.

Keep your sense of humor.


How Far Do You Go?

(This is another special posting by Suzy. I hope you enjoy it.)

Where did you set the boundaries of your child’s unsupervised play? Recently I’ve read a number of articles in magazines and newspapers purporting to guide parents of school age children about the type of limits they should establish over their children’s autonomous roaming. Many were spurred by the story of a single parent who had instructed her child to play in a nearby city park while she was at work. Childcare was too expensive, leaving her with a poignant dilemma. The reactions of the others triggered a few thoughts. They, the unnamed, invisible arbiters of social mores, castigated her for choosing to work and allowing the child to play in the park rather than making sure the child had someone with him constantly.

How parents arrange childcare evolves over time and geography. I remember reading a book in the early 80s: And Ladies of the Club by Helen Hooven Santmyer. It was a long book chronicling the lives of a couple of ladies living in Ohio from shortly after the Civil War to the years of the Great Depression. The concept that impressed me most from the book was how, with each subsequent decade, the children’s area of freedom to play, and play under their own recognizance, became more and more circumscribed. My own children were in elementary school at the time and I was constantly reassessing how much autonomy we should grant them. Like many parents, I thought back to what limits had been set for me and compared them to what had been set for Walt, factored in contemporary conditions, and hoped we made good decisions.

My limits to roam and what I was permitted to do changed with age and where we were living at the time. The more rural the living area, the greater the geography I was allowed. One of my favorite, and least restrictive, areas was living on Clairemont Mesa in San Diego in the mid 50s. Our neighborhood was still relatively remote from the city proper. We could drive down Clairemont Mesa Blvd. to our west and then down to the city or we could head eastward, over dirt roads between a couple of cattle ranches to Linda Vista. This was in a building boom era where ranch style houses were popping up faster than weeds could grow on freshly broken ground. For most of our time in that house one block of homes stood between us and miles of canyon to the north, and to the northeast was Miramar NAS. Age-wise, I’m on the leading edge of the baby-boomer generation so every house was guaranteed to have children who were potential playmates. During summer months and vacations from school, our mothers, for the most part, fed us breakfast, and told us to be home for lunch. After lunch we were told what time dinner would be and that we should be present. The latter was more than a suggestion and from the time I was eight I had a wrist watch to help me monitor my comings and goings. So off we went. My limit was to stay on the north side of Clairemont Mesa Blvd. We pedaled our bikes on every bit of paved road and into the areas where new homes were being built. When just pedaling was too tame we rode handless. There were few cars to dodge as all our fathers were at work, and since most families still had only one car, our mothers were at home with housework or younger children or both. So how far we swerved across the street as we worked on our balance didn’t matter. If the construction men weren’t on the job, we would clamber over the work site to see how houses were developing. Sometimes we girls would play house in the framework of what would eventually be someone’s real home.
We scrambled up and down the canyon walls. We caught horny toad lizards and snakes. We knew which were poisonous and which we could grab. Parent rules stated that all critters had to be released at sunset. One of our favorite pastimes was to find a pasteboard box, large enough to sit in, take it to the edge of the canyon wall, and slide down. Was it safe? Probably not. Was it fun? You betcha! It was fast and relatively smooth until you bumped over a rock or couldn’t swerve around thick, dry shrub. Did we come out unscathed? Rarely. In the summer we all sported scabs from some minor injury. I also broke a couple of wristwatches a summer, which upset my parents more than the skinned knees. Skinned knees would heal, but watches cost money. We discovered that if we went just a little further we came to a valley that had trees and was green, and sometimes it had a tiny creek. We floated papers or leaves or seedpods. We kicked off our flip-flops, which we called go-aheads, and waded in the water as far as we could go. Our barrier was a chain link fence with a metal sign indicating that the federal government owned all the land on the other side of the fence. This was the far side of the Miramar Naval Air Base. One afternoon three of us stood there and stared at the fence. It really looked interesting on the other side. We didn’t see any people. We’d never seen any people there. The little creek was still trickling further into the valley on the other side of the fence, which did not protrude into the creek. For relatively small kids, it looked as if we could skinny underneath and continue our exploration. Dare we? The other two had civilian parents and felt it was no different than hopping a neighbor’s fence and going across a backyard. With a father in the service, I was familiar with going through guarded gates that required ID.
I consulted my watch and decreed that there was not enough time to go any further than we could see beyond the fence and still get home by my time limit. After some discussion we decided to wander back the way we had come. Even with the freedom granted by our parents, or maybe because of it, we generally made good decisions. At least ones that didn’t present too much danger.

I think that’s the key thing to keep in mind. We need to guide our children, not stifle them. Without practice none of us learns to make responsible decisions. Don’t you prefer to work for the boss who trusts you to do your job well? Without that sense of choice and discovery we tend to become indolent and resentful.

The last word:

I suspect there are bad side effects to reducing the time children have to play, imagine and explore at least apparently unsupervised. When we are overly protective or overly controlling we can negatively impact their futures in unexpected ways, including interpersonal relationships, love of learning, creativity, and even their health.

Comments solicited.

Keep your sense of humor.


This year’s Verizon RISK Team study of cyber crime incidents draws on ten years of breach data, and it is the fifth year I have written about their report (2010, 2011, 2012, and 2013). A set of what they call “eye-candy” begins this year’s report: beautifully simple charts mapping data breaches from 2004 through 2013. If you have any responsibility for securing the data in your company, or have concerns over your own personal information, I encourage you to at least admire pages 7-12.

Some of my key takeaways:

  • Cyber criminals are still looking for financial information with large-scale attacks on payment card systems and point-of-sale devices. 2013 was certainly a year of retailer breaches, and those are continuing into 2014.
  • Internal attacks increased slightly over last year’s report, but the main attack continues to be by external actors who are primarily attacking your servers.
  • While social engineering has increased as a threat action, hacking and malware continue to be the main ways the cybercriminals get into your systems.
  • The report shows a significant increase in web application attacks, which take advantage of weak security and flaws in the programs that sit between the user and the data.
  • Point of Sale (POS) devices continue to be a target, with more sophisticated attacks each year. Whether you have one POS device in your single store or thousands scattered around the country or world, each needs to be protected.

Discovery and mitigation of a breach continues to be a real problem for most companies. Most attacks can compromise your data in a day or less. Most companies take weeks or more to discover the attack. What is far worse is that while companies as a whole are getting better at internal monitoring, the majority of breaches are still discovered by someone else: fraud detection at payment card processing companies, law enforcement, or other third parties. Over the past ten years the cybercriminals have gotten better at getting in and stealing data quickly, while companies have gotten worse at discovery.

The Verizon report contains specific recommendations for each type of attack. It is sad to note that these recommendations change little from year to year. In general, we are losing the war against the cybercriminals, especially as countries are actively using cyber-terrorism to support national issues. As just one example, the FBI is investigating a recent attack against five large US banks that may be instigated by the Russian government in retaliation for the US sanctions against Russia over the Ukraine.

If you are responsible for the security of PCI (Payment Card Industry) or HIPAA (health-care) information then you know you must be compliant. But that means more than just satisfying an internal or external audit. It means really embracing the business need to protect that data. Your company might not be able to survive the financial and reputation penalties of a significant breach, whether caused by an act of war, a criminal gang, or a disgruntled or unthinking employee.

The last word:

I do not often quote President Obama favorably, but his “Don’t Do Stupid Stuff” policy is right on in a number of areas, including data security. The vast majority of data breaches are enabled by someone doing something stupid. Do not let it be your company, or your personal finances.

On the other hand, President Obama’s “We don’t have a strategy [long pause] yet” statement really comes under that “stupid” category. He was referring to ISIS, but when your CEO asks you what your strategy is for data security, I suggest you do not repeat the President’s statement. ISIS formed in 2004, and by February 2014 al-Qaeda cut all ties to ISIS due to its brutality. Certainly by August 2014 the President of the United States ought to have a well-formulated strategy for dealing with them. Verizon has been making their annual data breach summaries freely available for ten years. You do not have any excuse for not having a well-formulated strategy for dealing with cybercriminals and cyber-terrorists.

Comments solicited.

Keep your sense of humor.


The Russians have stolen 1.2 billion Internet passwords! We are all doomed!

Probably not.

You can’t have missed the recent flurry from NBC News, The New York Times, USA Today, and almost every other news media about how a Russian crime ring has stolen 1.2 billion user name / password combinations plus over 500 million email addresses. These credentials were stolen from 420,000 different websites spanning everything from Fortune 500 companies to small companies across almost every line of business and all around the world.

The attack uses an old but still effective mechanism: introduce malware into the company’s network that looks for SQL databases, then use a technique called “SQL Injection” to steal data. SQL Injection takes advantage of bad code in application programs. When you sign into a website and enter your account number to get information such as your personal profile, the website sends the request to an application program which then queries a database. Many of these databases are based on SQL, Structured Query Language, originally developed by IBM over 40 years ago. These databases now run on every kind of computer and are extensively used because of their reliability, scalability and relatively low cost. The application program sends an easy to understand query to the database. For example, it would send something like “give me the account information for account number 123.” The database returns the requested data to the application. If you ask “give me the account information for account number > 1” the database will return the account information for every account. If the programmer was not careful and testing was woefully lacking, an attacker can slip that kind of condition into the query through the input field and fool the database into giving up a lot more information than intended or appropriate.
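To make the flaw concrete, here is an added example (not code from the article, from Hold Security, or from any of the breached sites): it builds a small in-memory SQLite table and shows the “account number > 1” trick succeeding against a query assembled by pasting user input into the SQL text, and failing against a parameterised query. The table, column names and sample accounts are constructed for illustration.

```python
import sqlite3

# Constructed sample data (not from the article): a tiny accounts table.
SAMPLE_ACCOUNTS = [
    (123, "alice", "alice@example.com"),
    (124, "bob", "bob@example.com"),
    (125, "carol", "carol@example.com"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (account_no INTEGER, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ACCOUNTS)
    return conn


def lookup_vulnerable(conn, account_no):
    # The flaw described above: whatever the user typed becomes part of the SQL text,
    # so a value such as "123 OR account_no > 1" rewrites the WHERE clause.
    sql = f"SELECT account_no, name, email FROM accounts WHERE account_no = {account_no}"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, account_no):
    # Parameterised query: the value travels separately from the SQL statement and is
    # only ever compared as data, never parsed as SQL.
    sql = "SELECT account_no, name, email FROM accounts WHERE account_no = ?"
    return conn.execute(sql, (account_no,)).fetchall()


# The "give me account number > 1" condition from the text, smuggled in as input.
INJECTED = "123 OR account_no > 1"

if __name__ == "__main__":
    conn = make_db()
    print(lookup_vulnerable(conn, "123"))     # one row, as intended
    print(lookup_vulnerable(conn, INJECTED))  # every row in the table
    print(lookup_safe(conn, INJECTED))        # no rows: input treated as a literal value
```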

How serious is this particular attack? We don’t really know. The 420,000 hacked companies have not been identified. We don’t know how old the passwords are. Many critical systems require that you change your password periodically, so many of the stolen user name / password combinations may be months or years old. These attacks have apparently been going on for years, so it is not clear that this is really something new.

Surprisingly, and contrary to standard practice, Hold Security, who reported the breach, has not provided the victim companies sufficient information to verify the problem and identify specific individuals impacted. Hold Security has also announced a new service ($10/month) that will monitor your email address if it is one of the stolen emails. However, you must provide Hold Security with your email addresses and account passwords.

What should you do?

  1. Don’t panic.
  2. Monitor your financial activity frequently looking for unusual transactions. Especially look for small, often less than $10, transactions that you do not recognize. Many criminals use one or two small transactions to validate the information they have before they move to bigger transactions, and many are satisfied to pick up a few dollars from thousands of accounts and hopefully stay below the threshold to get government authorities interested in their activities. Some financial organizations, including Chase, actually monitor for these small transactions and will notify you to determine whether they are valid.
  3. Identify your important financial and medical websites. While you probably have dozens of different accounts you access online, most of them would have little impact on you if they were compromised. Note which accounts are linked to a bank account or credit/debit card. For example, if you use Amazon one-click to make purchases, then Amazon is an important account.
  4. Change your passwords frequently on those important web sites. To me, frequently means at least four times a year.
  5. Do not use the same password for more than one account.
  6. Do not use a simple password. Your password should be at least eight characters long, and contain at least one lowercase letter, one uppercase letter, one digit, and, if the site allows, one special character like $ # % !.

The top five passwords actually used in 2013 were 123456, password, 12345678, qwerty, and abc123. For a bad password, I prefer “what,” as in “what is the password.” You should not use anything remotely like these.

If you have trouble remembering dozens of strong passwords and would like some help doing that, check out Sreenivas Angara’s Kickstarter project. He is working on a smart phone and tablet game called Drongzer to teach you how to create and remember strong passwords by using procedural memory instead of declarative memory. Procedural memory guides the processes we perform, like driving a car. We know what to do while driving when we come to an intersection, even if we have never been there before. Procedural memory usually resides below the level of conscious awareness and tends to be automatically retrieved and utilized. Declarative memories must be consciously recalled. We use declarative memory for things like dates (1492, your significant other’s birthday, your address, …). There is no pattern to them; you just have to memorize them.

The last word:

Many if not most of the 420,000 companies are still vulnerable. Is yours? Meet with your IT and security managers and review your current security and audit practices. Most companies concentrate on protecting data coming into their site, looking for malware and denial of service attacks. These are all important. But also look at the data leaving your site; this is where you are really vulnerable to losing protected information. Are you looking for unusual patterns, like outgoing transactions that are thousands or millions of bytes instead of a few hundred, or large data transfers in the middle of the night? Do not forget to include non-electronic loss opportunities like storing unencrypted files on laptops, CDs or thumb drives.
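As an added illustration of the outbound-traffic checks suggested above (not code or data from the article), this script scans a handful of constructed flow-log lines and flags transfers that are far larger than the usual response or that leave the network outside business hours. The log format, the business-hours window and both thresholds are assumptions that a real deployment would tune to its own baseline.

```python
from datetime import datetime
from statistics import median

# Constructed sample log lines, not from the article or any real product.
# Assumed format: "<date> <time> src=<host> dst=<ip> bytes_out=<n>"
SAMPLE_LOG = """\
2014-08-20 09:12:03 src=10.1.2.7 dst=203.0.113.9 bytes_out=640
2014-08-20 10:45:11 src=10.1.2.7 dst=203.0.113.9 bytes_out=880
2014-08-20 14:03:27 src=10.1.2.7 dst=198.51.100.4 bytes_out=512
2014-08-20 15:30:00 src=10.1.2.7 dst=203.0.113.9 bytes_out=3145728
2014-08-21 02:17:45 src=10.1.2.7 dst=198.51.100.77 bytes_out=24576
2014-08-21 09:00:08 src=10.1.2.7 dst=203.0.113.9 bytes_out=700
"""

BUSINESS_HOURS = range(7, 19)   # assumed: 07:00 to 18:59 local time
OFF_HOURS_BYTES = 8 * 1024      # assumed: more than 8 KiB out at night deserves a look
RATIO_OVER_MEDIAN = 100         # assumed: 100x the typical response size is unusual


def parse_line(line):
    """Turn one assumed-format log line into a dict with a parsed timestamp."""
    date, time, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {
        "ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
        "src": kv["src"],
        "dst": kv["dst"],
        "bytes_out": int(kv["bytes_out"]),
    }


def flag_unusual_egress(log_text):
    """Return (line_index, reason) pairs for transfers that stand out by size or hour."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    typical = median(e["bytes_out"] for e in events)   # baseline: the median transfer
    flagged = []
    for i, e in enumerate(events):
        if e["bytes_out"] > typical * RATIO_OVER_MEDIAN:
            flagged.append((i, f"{e['bytes_out']} bytes is over {RATIO_OVER_MEDIAN}x the median of {typical:.0f}"))
        elif e["ts"].hour not in BUSINESS_HOURS and e["bytes_out"] > OFF_HOURS_BYTES:
            flagged.append((i, f"{e['bytes_out']} bytes sent at {e['ts']:%H:%M}, outside business hours"))
    return flagged


if __name__ == "__main__":
    for idx, why in flag_unusual_egress(SAMPLE_LOG):
        print(f"line {idx}: {why}")
```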

Comments solicited.

Keep your sense of humor.


