I have recently posted about autonomous vehicles replacing the long haul trucker and on the farm. The next place I see autonomous vehicles making a disruptive change will be in big city taxis. In 2014 there were over 51,000 licensed taxi drivers in New York City and just under 14,000 licensed cabs, each driving an average of 180 miles per shift. Over half of these cabs are hybrid vehicles.

The taxi industry is currently under attack by companies like Uber, which provides a trust-based TaaS (Transportation as a Service). If you want a ride in a city where Uber operates, use your Uber app and call for a ride. A nearby Uber driver can drive to your location and take you to your destination. Since the drivers rate the passengers and vice versa, each builds up a trust score, enabling each party to determine if they want to deal with the other before actually agreeing on the ride.

But autonomous vehicles will be a greater disruption to the taxi industry. Let’s fast-forward ten years and see what it will be like to get a cab in New York City.

Using your cab-app, which works almost everywhere in the world, you indicate the number of people, your destination, accessibility requirements, and whether you have a lot of luggage. In most hotels and major transportation hubs like airports, train stations, and bus terminals there will be kiosks that provide the same “call” service. You will get a receipt, printed by the kiosk or an image on your smart phone, that indicates where and when to meet the cab along with the cab number.

Based on what you asked for, you will get an appropriately sized vehicle up to as large as a 24-passenger van, with wheelchair accessibility, baby car seats, and luggage space as requested. Based on the destination, you will likely get an electric vehicle. The “standard” cab will be a small electric car with two seats and a space behind the seats for luggage. Simply scan your receipt at the cab door to unlock the cab.

On my first business trip to Mexico I noted that the taxi drivers in Mexico City were just like those in New York City: they drove crazily and didn’t speak English. Your autonomous cab “driver,” a disembodied voice, will speak and understand over 100 languages. Based on your desires, the driver can provide sightseeing information as it takes you to your destination, music of your choice, news updates, conversation on a topic of your choice, or blissful silence.

The cab system will be integrated into the public transportation system, providing the “last mile” connections to where you live or work. Your cab receipt could include your “ticket” for public transportation, with another cab waiting at the end of the subway or bus ride to take you to your destination.

Since they carry no money, these cabs cannot be robbed, nor can they be hijacked. The cab can only be accessed by someone with a receipt for that particular cab. Because they are linked through the Cloud and using GPS, the cab operating company always knows where all of their cabs are. The company can instantly, and probably automatically, react to changing load demands, putting more cars on the streets or bringing some home. The cabs themselves will automatically come “home” if they need to be recharged. It can go into any neighborhood, providing balanced coverage over the different areas of a city. As a rider, you know the driver is not under the influence of alcohol or drugs, or being distracted by texting or personal issues. One hot summer lunchtime, I took a cab in New York City. Every time the driver saw a pretty lady, he stuck his whole head out the window and said “Hi, beautiful!” There are a lot of pretty ladies in New York City. Somehow he got me safely to my destination.

These autonomous cabs provide an inexpensive, reliable way for people without cars to get to work, school, or health care facilities. I was a little surprised at a Pew Research Center report that smartphone dependency “is up sharply nationwide, particularly among lower-income households and those with fewer years of education.” Especially for those without broadband in their home, the smartphone is their only connection to online resources. Considering the importance of the Internet in finding a job and doing almost anything else today, I would hope that organizations, public and private, who are trying to help the unemployed or underemployed would consider providing a low cost smart phone plan for each client.

Of course it also provides the government the ability to see where you have gone. Our privacy laws need to be updated to account for all of the new and emerging technologies, from E-ZPass to RFID enabled credit cards to automated public transportation.

In this same ten-year timeframe, I also expect to see a sharp decline in car ownership or leasing in major cities. Autonomous cabs make intra-city transportation convenient and flexible, and eliminate the need to find parking spaces. It can take days for the city to clear all the minor streets in a city after a major storm. With significantly fewer personal vehicles in the city, it will be easier for the city to get the streets clear and maintain the roads.

The autonomous cab companies will also offer special weekend or longer rates, and will probably partner with major car rental companies to provide one shop service for everything from pickup for the weekend move to a large drive-yourself vehicle for that two week vacation to the mountains.

By that time, we will have companies providing complete Transportation as a Service (TaaS).

Like everything else in the Cloud, TaaS provides economies of scale for the large providing companies, and less expense for individuals and small companies as the TaaS providers take over every aspect of maintaining vehicles. I also expect many government agencies at all levels will opt-out of the expense of owning their own vehicles.

The last word:

Five years ago you were probably surprised when a prospective employer asked permission to check your credit report as part of the employment process. Companies believed that your credit report might give them a different perspective on the risk of hiring you. This trend is dropping due to the Fair Credit Reporting Act restrictions on what they can actually see in a credit report. For example, a hiring company cannot see your credit score, and they can’t force you to give permission to access it, although there is no way to determine what will happen to your application if you don’t. Ten states have outright bans on, or severe limits on, a prospective employer’s ability to access your credit report.

However, the next time you apply for a job, don’t be surprised if you are asked to provide access to your trust report. Today if you buy or sell things on Amazon, use Uber or any other trust-based Cloud service, you are creating a trust score within that company. Expect that within a few years there will be Trust Reporting companies like the current big-three credit reporting companies (Equifax, Experian, TransUnion). These companies will combine the trust information from all of the organizations you deal with and create your personal Trust Score.

If you think it is tough to get rid of an inaccurate entry in your credit report, imagine the experience of dealing with one in your trust report.

Comments solicited.

Keep your sense of humor.


Last time I wrote about autonomous trucks disrupting the business of long haul trucking. But many of you may not be aware of the similar revolution in large-scale farming: what I call UFVs (unmanned farming vehicles).

We were a little ahead of schedule on a recent Midwest road trip. Since we were near Moline, Illinois, we stopped in at the John Deere Pavilion. John Deere was a blacksmith and general repairman in the village of Grand Detour, Illinois. He also made small hand tools for farmers like pitchforks and shovels. In 1837, John Deere created a self-scouring steel plow. Prior to his plow, a farmer would have to stop his horse every few yards to remove the stuck-on rich Midwestern soil; Deere’s plow eliminated this build up and was a key factor in the migration into the American plains in the nineteenth century. Deere also did business differently: instead of building his products when they were ordered, he built up a stock so his customers could see the plow, and load it up on their wagon and take it back to the farm. For 175 years, John Deere has been making state-of-the-art farm equipment for farms of all sizes and is now the largest agriculture machinery company in the world. You have probably seen a green and yellow tractor busily mowing one of your neighbor’s lawns.

The John Deere Pavilion we visited was for the other end of spectrum: the business or corporate farmer with more than a few hundred and up to more than 2,000 crop acres. As a point of reference, 640 acres is a square mile. For that size enterprise, a single tractor can cost about a quarter of a million dollars, with a combine coming in at over $500,000. But what you get with that today is pretty close to a UFV. With advanced GPS controls, the tractor can navigate the farm pulling cultivators and other equipment, overlapping rows by just six inches without the farmer touching any controls. The equipment will test the soil every few yards so when planting it knows exactly how much of what fertilizer to put down with the seed, significantly reducing the amount of fertilizer needed. This saves money, but more importantly reduces the environmental impact of farming by only using fertilizer where it is needed.

At harvest time, the up to forty-foot wide combine will cut the crop, again overlapping by six inches as it goes back and forth across the field. When one of its hoppers is full, it calls a tractor pulling a large wagon. The tractor runs alongside the combine and the combine unloads the full hopper into the wagon, then the tractor heads back to the storage area. All this while the combine is harvesting, and without the farmers on either vehicle touching anything.

These vehicles do not have the old metal seats of the nineteenth century tractor, or even the relatively comfortable seats of a lawn tractor. These vehicles have an air-conditioned cab, a seat that is as comfortable as any you might have in your office or even your living room, satellite radio, two touch screens to control the major activities and monitor the equipment, and a refrigerator. The equipment is designed to run 24 hours a day, with shifts of farmers on board for eight to twelve hours at a time.

This picture is of a combine with a relatively small header (the cutting and gathering attachment at the front). This one is only 22 feet wide. The orange dome on the top of the cab is the GPS unit. If you look carefully, you will see that the farmer is sitting back in the seat with his arms on the arm rests of the chair; he is doing nothing to control the combine. You might also note that the cab is level even though there is a slight slope on the ground.

Today there must be someone on board, primarily to monitor the equipment status but also for safety reasons like watching for rogue animals. The Pavilion had a prototype of a fully autonomous tractor: no cab, no seat. I expect we will see fully autonomous farm equipment working in the fields in the next couple of years. This equipment will be able to prepare, plant or harvest a large field without someone onboard. Eliminating the farmer on board saves a lot of weight and cost for the cab and environmental, safety, and manual control systems. It would also eliminate the need to have the cab held level for the comfort of the farmer.

Like with the autonomous long haul trucks, there will be an app to allow moving into and out of the barn, or onto a trailer for transport.

At the John Deere Pavilion was a much smaller harvester: a rice harvester, made exclusively in China and only sold in China. I was told that was the only one of its kind that was not in China. It is designed for the smaller rice fields in China. Notice the cab is not nearly as fancy, but the design is based on the needs of the Chinese rice farmer and will enable them to increase their productivity without the hard manual work of rice harvesting.

The last word:

Why does this matter? The United Nations’ Food and Agriculture Organization believes that food production must increase by 60% to feed the expected nine billion humans who will be alive in 2050. With today’s technology, one farmer can accomplish in one day what it took six or more farmers a week to do just twenty years ago. See a six-minute movie on how John Deere uses big data to help farmers improve productivity here.

I think John Deere’s vision is helping. The day before we got to Moline, a farmer came in to pick up two of their big harvesters, and would be back in a week or so to pick up the other four he ordered.

We literally would starve in the US without the improvements companies like John Deere have made since a single horse pulled a single plow blade at about 2 miles per hour.

Comments solicited.

Keep your sense of humor.


Long haul truckers move a lot of America’s goods. You see the eighteen wheelers on the Interstates and you know those guys, and ladies, have been driving hours every day to get their load from point A to point B over distances of up to 3,500 miles. Often, when you are outside of a major metropolitan area on an Interstate, 75% of the traffic is long haul trucks. The U.S. Bureau of Labor Statistics estimates that there are 1.5 million long haul truckers on the road today, expected to go over 1.8 million by 2020. There are about 200,000 job openings nationwide for long haul truckers right now.

Why aren’t unemployed or underemployed folk flocking to these jobs? The median annual wage is almost $38,000, with some long haul truckers making more than $58,000 a year. That’s not bad for a job that does not require even a high school diploma. One hurdle is getting a CDL (commercial driver’s license). It can take eight weeks and $6,000 to earn one. Then the job is not for everyone. Many drive by themselves most of the time, and they often live for weeks at a time in the back of their truck in a space the size of a closet.

But I believe we are coming to the end of the long haul trucker. I predict that in ten years there will be virtually no long haul truckers, except for moving vans. Why? The first place autonomous vehicles will really take off is in long haul trucking.

We are in the very early stages of autonomous vehicles that can safely get themselves to a destination with no human intervention. Remember how long it took before there was reliable air travel. The first scheduled fixed wing air service started in January 1914, flying from St. Petersburg to Tampa, Florida, ten years after the Wright Brothers flight in December, 1903. That might not have been considered reliable transportation by everyone. We are almost to that stage with autonomous vehicles. The first real demonstration of an autonomous vehicle was in the 2005 DARPA Grand Challenge. At this point, four states and two cities allow autonomous vehicles on the highway (Nevada, Florida, California, Michigan, Washington DC, and Coeur d’Alene, Idaho). There are still lots of hurdles to overcome, including cost, liability laws, and public confidence before autonomous cars are common.

The lack of confidence is caused by just thinking about all the things that can go wrong in an urban environment: children playing, pedestrians, bicycles, and manned cars going through red lights, making strange turns, trying to park, or just being distracted. Over a recent six-month period, Google’s self-driving cars have gotten into four accidents in California where there were only 48 autonomous cars. Google claims that the autonomous vehicles were not the cause of any of them. If we ever get to Google’s end point of no drivers in any car at anytime, then in theory there would not be any accidents, and certainly a whole lot less than there are today. Getting there will not be easy.

But back to the long haul trucker. Almost the entire route is on the Interstate. Most of the distractions and dangers are removed by the design of the Interstate itself. No red lights, pedestrians, bicycles, cross traffic, parking, …. The first autonomous vehicle license plate for a self-driving big rig went to a Freightliner “Inspiration Truck” in Nevada. It still requires a driver to handle turns at red lights and parking, so there must be a person in the cab.

But I view that as a short-term situation. I believe that within five years there will be thousands of autonomous big rigs on the Interstates, each pulling up to three trailers, and driving 24 hours a day at 65 to 75 miles per hour depending on the specific stretch of highway. No drivers, no one in the cab, and in fact no cab at all. Local truckers will take the trailers to a special lot near an Interstate on ramp, where an autonomous truck will be assigned to take that trailer to another special lot outside the destination city. There, another local trucker will pick up the trailer and drive the last ten to fifty miles.

In ten years there will only be autonomous long haul trucks on the Interstates. Near major metropolitan areas, those trucks will be shunted to the far left lane, leaving the right lanes for cars to jockey for space and exits without the trucks being in the way. Imagine a line of trucks, each with up to three trailers, zooming along I-80 south of Chicago at 70 mph and about 10 feet apart. When another long-haul truck pulls onto the Interstate, the line of trucks will make space for the new truck.

The benefits to the trucking companies are obvious: no drivers to pay, no down time for the truck due to required rest breaks, and safer highways. The trucks will also be lighter, not having to have a cab with comfortable seats, air conditioning and heating, driver safety engineering and expensive manual controls. It will also be almost impossible to hijack an autonomous long-haul truck.

How do you back it up to pick up trailers, move it into a service bay for maintenance, or move it off the highway in an emergency? There’s an app for that. Someone can walk beside the truck for close-in maneuvering using a tablet. The trick will be making sure it only works when the person is close by and holds the “keys” to the truck.

But not moving vans. They will, I believe, still have actual drivers, if for no reason other than the families like to see a familiar face when the moving van pulls up to their new house.

The last word:

The impact will be on more than the over one million long haul truckers. Major truck stops along the Interstate will see their business change from servicing drivers to the rare servicing of an autonomous truck with a problem. It won’t be selling fuel: the trucks will be filled up before the journey with enough fuel to get to the destination point. You should expect to see many of these truck stops go out of business.

Along with the adult stores that also serve the truckers along the Interstates, like the Lion’s Den chain of 40 shops along the Midwest Interstates, some with gas stations.

Comments solicited.

Keep your sense of humor.


Google has created contact lenses that can monitor your glucose levels for diabetes control. Fitbit and Jawbone’s Up monitor functions like heart rate, calorie intake and sleep patterns. MC10 created BioStamp, a digital tattoo to collect data on body temperature, hydration levels, UV exposure and more. Proteus has developed a pill with sensors that work with a patch on the skin to measure a range of bodily functions. Or it can tell your doctor that you forgot to take your medicine.

All of this data can be uploaded, hopefully only to someplace you trust.

The next obvious step is already in use in Sweden: a chip implanted under your skin to allow you access to your office building, a cup of coffee, or the copier. Wave a hand to get entry, pick up your phone or tablet to unlock it, wave at your bicycle to unlock it, and soon pay for lunch in the cafeteria.

The implant is an RFID chip the size of a grain of rice. The chip has no battery: it is powered by the radio energy transmitted by the reader. All it contains is a unique number. The building’s servers are told which chips are allowed to open each door, make a copy on a particular copier, or what checking account to debit for lunch.

The Swedish biohacking group BioNyfiken manages this particular experiment at the Epicenter building complex in Stockholm. They view this office building as the start of something big. As Hannes Sjoblad, Epicenter’s chief disruption officer and a member of BioNyfiken said, “We want to be able to understand this technology before big corporates and big government come to us and say everyone should get chipped — the tax authority chip, the Google or Facebook chip.”

The Epicenter systems require that the chip be virtually touching the reading device, which sometimes means twisting your wrist to just the correct angle. That is inherent in the implants: they are passive near-field (13.56 MHz NFC) tags that can only be read within a few centimeters. It is the passive UHF tags used in logistics that can be read from up to 12 meters (almost 40 feet). For access control that short range is a feature, not a bug: you want to open only the door you are really going to enter, not one you happen to walk past down the center of the hall. The chips themselves are very inexpensive, currently about US$0.15 each. Expect that price to drop by at least 50% over the next couple of years.

But RFID is the technology that works with E-ZPass, the northeast US gadget that lets you drive under a road sensor at 65 miles per hour to pay road tolls without stopping, or the more complicated transponders used for PrePass to allow trusted truckers to bypass the long lines at weigh stations.

The uses of this kind of technology are as wide as your imagination. I once worked on a school attendance recording and reporting system that had to keep track of students’ attendance down to the tenth of an hour. If each student had an implanted chip, we could have easily captured when he entered and left the room, eliminating a lot of manual and error-prone effort by the teachers or aides. It would also have been difficult for a student to cheat by having someone else attend in his place.

For health care, having an embedded chip would allow any health care provider to immediately access that individual’s health care data even if the patient had no identification and could not respond to questions. This could eliminate the check-in process, whether for a normal office visit or a ride in an ambulance, and help in correct administration of medicine and procedures.

US Passports, along with those of many other countries, now contain a chip that is really a computer with its own storage of biometric and other identification data. A chip-enhanced passport goes by many names, including “biometric passport”, “e-passport” and “digital passport”.

It is reasonable to assume a future where every child is implanted with a chip at birth, and that chip becomes the driver’s license, voter registration, credit card, and health record for the individual until they die.

What do you think of this future? Oh, and by the way that future is probably less than 10 years away.

The last word:

Security is a big issue, especially with simple RFID chips like those used in the Stockholm Epicenter building. Such a chip presents the same fixed number to every reader that asks, with nothing to prove that the number came from the original chip, so it would be trivial to capture the ID number with a reader brushed past your hand on the street. You would never know it happened until the criminal wrote that number onto a duplicate chip and started using it. Suddenly you can be placed at the scene of a crime when you were sleeping miles away, or have your bank account drained. It is possible to have fairly good security, comparable with what biometric passports have, by putting a secret key in the chip and having it answer a fresh challenge from the reader instead of repeating a fixed number. But that comes at a higher price, and can still be compromised.
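The difference between the two designs, as an added example that is not part of the original post: a Python simulation of an access-control server in the Epicenter mold (the server holds the list of which tag may open which door), first facing a tag that only emits a fixed number, then a tag that holds a per-tag secret and MACs a random challenge from the reader. The attacker in both cases is the one described above, who records one exchange and replays it. The tag ID, key, door names and the HMAC-SHA256 construction are assumptions made for the example; real tags use lighter-weight ciphers.

```python
import hashlib
import hmac
import secrets

# Access-control server state, as described in the post: which tag may open
# which door. The tag ID, key and door name are constructed for this example.
AUTHORIZED = {"door-2F-east": {"E004010012345678"}}
TAG_KEYS = {"E004010012345678": bytes.fromhex("00112233445566778899aabbccddeeff")}


class StaticTag:
    """Scheme 1: the implant carries nothing but a fixed serial number."""

    def __init__(self, uid):
        self.uid = uid

    def respond(self, challenge=None):
        return self.uid  # the same answer to every reader, every time


def static_reader(door, tag):
    """Scheme 1 reader: grant if the number the tag emits is on the door's list."""
    return tag.respond() in AUTHORIZED.get(door, set())


class ChallengeResponseTag:
    """Scheme 2: the tag holds a per-tag secret and MACs the reader's nonce."""

    def __init__(self, uid, key):
        self.uid, self.key = uid, key

    def respond(self, challenge):
        return self.uid, hmac.new(self.key, challenge, hashlib.sha256).digest()


def cr_reader(door, tag):
    """Scheme 2 reader: a fresh 16-byte nonce per attempt, verified server-side."""
    challenge = secrets.token_bytes(16)
    uid, mac = tag.respond(challenge)
    key = TAG_KEYS.get(uid)
    if key is None or uid not in AUTHORIZED.get(door, set()):
        return False
    expected = hmac.new(key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(mac, expected)  # constant-time comparison


class SniffAndReplay:
    """The attacker from the post: reads the real tag once (a reader in a
    pocket, brushed past the victim's hand) and later answers any reader
    with exactly what was recorded."""

    def __init__(self, real_tag):
        self.real_tag = real_tag
        self.recorded = None

    def sniff(self, challenge=None):
        self.recorded = self.real_tag.respond(challenge)

    def respond(self, challenge=None):
        return self.recorded  # ignores the new challenge entirely


def demo():
    """Run both schemes against the legitimate tag and against its recording."""
    uid = "E004010012345678"
    real_static = StaticTag(uid)
    clone = SniffAndReplay(real_static)
    clone.sniff()  # one read on the street is enough

    real_cr = ChallengeResponseTag(uid, TAG_KEYS[uid])
    replay = SniffAndReplay(real_cr)
    replay.sniff(secrets.token_bytes(16))  # recorded at some earlier door

    return {
        "static_real_tag": static_reader("door-2F-east", real_static),
        "static_clone": static_reader("door-2F-east", clone),
        "cr_real_tag": cr_reader("door-2F-east", real_cr),
        "cr_replay": cr_reader("door-2F-east", replay),
        "cr_unlisted_door": cr_reader("door-1F-vault", real_cr),
    }


if __name__ == "__main__":
    for name, opened in demo().items():
        print(f"{name:18s} door {'OPENS' if opened else 'stays shut'}")
```

Under the fixed-number scheme the real tag and its recording both open the door; under challenge-response the real tag opens it and the replayed recording does not, because the reader's nonce is different every time. Two caveats a practitioner should keep in mind: the tag still announces its ID in the clear, so it can be tracked even when it cannot be cloned, and challenge-response does nothing against a live relay, where the attacker forwards the reader's challenge to your chip in real time. That relay is why the short read range discussed earlier is a security property and not just an annoyance.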

Speaking of passports, if you have a digital passport make sure you keep it in an RFID shielded sleeve except when actually in use. You are already doing that with any smart credit cards you have, right?

Comments solicited.

Keep your sense of humor.


Last time I wrote about the Websense 2015 Threat Report and my key takeaways. One of those takeaways was that cyber attacks are more focused. Attackers are moving from being focused on an industry, like health care, to focus on a specific company, like Anthem. We are starting to see attacks that are aimed specifically at one organization within a company, targeting the people in that organization who are likely to have access to something the cybercriminals want.

Here is one interesting example from last year involving hacktivists. Hacktivists are cyber-criminals who attack a company not to gain monetary value but to impair the operation of the company. In this case, their targets were the few people in the company that managed the building security and environmental controls. From far away, these hacktivists locked the doors to the main server room and disabled the emergency override controls, then turned off the air conditioning and turned up the heat. The end result was a room full of physically destroyed computers.

How is this kind of specific attack done? Websense describes the seven stages of advanced threats.

  • Stage 1: Recon
    The first step is to identify at least one individual who has access to the information the attackers want. They start with professional websites (like LinkedIn) to determine who works at the company and might be in the area of interest, then use personal and social media sites to find others who might have the information they seek. They are also looking for the kinds of lures that might work with these selected individuals.
  • Stage 2: Lure
    Using the recon information, the cybercriminals create lures that can fool users into clicking on a link. These lures are dangled in emails and social media posts that appear to be from trustworthy sources.
  • Stage 3: Redirect
    When the lure works and the user clicks on the link, they are redirected to sites with malicious content such as exploit kits.
  • Stage 4: Exploit Kit
    An Exploit Kit will scan the user’s workstation looking for vulnerabilities which allow the delivery of malware including key loggers or other tools to enable further infiltration of the network.
  • Stage 5: Dropper File
    Once the Exploit Kit has discovered a path to deliver malware, the cybercriminal delivers a “dropper file.” The dropper file contains software to start finding and extracting data, and often includes additional capabilities to deliver other malware in the future, even after the existing vulnerabilities have been fixed. The dropper file may remain dormant for a period of time to avoid detection.
  • Stage 6: Call Home
    Once the Dropper File has infected the target system, it “calls home” to the hacker’s command-and-control system. Now the dropper file can download additional programs and tools, and get instructions. Now there is a direct connection between the cybercriminal and the infected system.
  • Stage 7: Data Theft
    At this point, the cybercriminal begins to collect the data. The data could be anything: intellectual property, financial, health or other personally identifiable data, or data that will enable additional attacks.

Not every advanced threat uses all seven stages. These same stages are also used in more general, less focused attacks.

Each of these stages is a place to stop the attack. A prepared company maps its monitoring and defenses onto every stage of this kill chain, so an attack that slips past the controls at one stage can still be caught at the next: blocking the redirect, patching what the exploit kit probes for, blocking the executable download, spotting the call home, and watching for the data leaving.
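The defensive side of those stages, as an added example that is not taken from Websense or the original post: a few detection rules in Python run over a constructed web-proxy log for one workstation. It tags the redirect (stage 3), the executable download that the dropper arrives as (stage 5), and the regular call-home beacon (stage 6). The log format, host names, thresholds and the five-minute beacon interval are all assumptions made for the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log for this example (not real traffic). One line per request:
# "<iso-time> <workstation> <destination host> <path> <status> <content-type>"
SAMPLE_LOG = """\
2015-05-04T12:00:00 ws-17 intranet.corp.example /home 200 text/html
2015-05-04T12:03:12 ws-17 intranet.corp.example /timesheet 200 text/html
2015-05-04T12:10:05 ws-17 news.example /story/1234 200 text/html
2015-05-04T12:10:09 ws-17 short.example /r/8f2k 302 text/html
2015-05-04T12:10:10 ws-17 cdn-static.example /land.php 200 text/html
2015-05-04T12:10:14 ws-17 cdn-static.example /update.exe 200 application/x-msdownload
2015-05-04T12:15:00 ws-17 cc.example /api/ping 200 application/json
2015-05-04T12:20:01 ws-17 cc.example /api/ping 200 application/json
2015-05-04T12:24:59 ws-17 cc.example /api/ping 200 application/json
2015-05-04T12:30:02 ws-17 cc.example /api/ping 200 application/json
2015-05-04T12:35:00 ws-17 cc.example /api/ping 200 application/json
2015-05-04T12:39:58 ws-17 cc.example /api/ping 200 application/json
2015-05-04T12:41:30 ws-17 intranet.corp.example /mail 200 text/html
2015-05-04T12:58:00 ws-17 intranet.corp.example /mail 200 text/html
"""

EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-dosexec"}


def parse(log_text):
    """Turn the log into a time-sorted list of event dicts."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, path, status, ctype = line.split()
        events.append({"t": datetime.fromisoformat(ts), "src": src, "dst": dst,
                       "path": path, "status": int(status), "ctype": ctype})
    events.sort(key=lambda e: e["t"])
    return events


def detect_redirects(events, window_s=5):
    """Stage 3: a 3xx answer followed, within window_s seconds, by the same
    workstation fetching from a different domain."""
    findings = []
    for i, e in enumerate(events):
        if not 300 <= e["status"] < 400:
            continue
        for nxt in events[i + 1:]:
            if (nxt["t"] - e["t"]).total_seconds() > window_s:
                break
            if nxt["src"] == e["src"] and nxt["dst"] != e["dst"]:
                findings.append((e["src"], e["dst"], nxt["dst"]))
                break
    return findings


def detect_droppers(events):
    """Stage 5: an executable delivered over HTTP, by content type or file name."""
    return [(e["src"], e["dst"] + e["path"]) for e in events
            if e["ctype"] in EXECUTABLE_TYPES
            or e["path"].lower().endswith((".exe", ".dll", ".scr"))]


def detect_beacons(events, min_count=5, max_jitter=0.1):
    """Stage 6: one workstation hitting one destination at near-constant intervals.
    Keys on timing alone, so it does not need the destination to be on any list."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append(e["t"])
    findings = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_count:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and max(abs(g - mean) for g in gaps) / mean <= max_jitter:
            findings.append((src, dst, round(mean)))
    return findings


def triage(log_text):
    """Run every rule and report hits per kill-chain stage."""
    events = parse(log_text)
    return {"stage3_redirect": detect_redirects(events),
            "stage5_dropper": detect_droppers(events),
            "stage6_call_home": detect_beacons(events)}


if __name__ == "__main__":
    for stage, hits in triage(SAMPLE_LOG).items():
        print(stage, hits or "nothing")
```

The beacon rule is the one worth studying: it looks at timing rather than at where the traffic goes, so it can surface a command-and-control server that no blocklist has seen yet, and the jitter threshold is the knob you tune. Real droppers add random delays and sleep for hours precisely to defeat this, so production tools examine the whole distribution of intervals and byte counts rather than a single spread. The point the rules make together is that each stage leaves a different trace, and a defender who watches only one of them is giving the attacker the rest of the chain for free.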

These attacks may be directed at the victim’s personal accounts, accounts with less protection and where the victim tends to be less careful. Also, a victim’s personal computer may be more vulnerable to attack than the IT-controlled office workstation, but that personal computer may be used by the victim for work-related activities and thus may contain information useful for breaking into the office network.

The last word:

Today, you have the ability to use your smart phone to control your home thermostat and lock or unlock your doors. Just like the hacktivist example above, somewhere there is a group of hackers attacking you and the company that manages the communications with these devices. That company might be your Internet Service Provider (Comcast or Verizon, for example), or your home alarm company. If not already available, it will soon be possible to buy the access codes to a house or company or more likely subscribe to a BIaaS (Break-in as a service). For $1,000 the hackers will turn off the alarm, disable the video cameras, and unlock the back door at 2AM, then relock the doors, enable the video cameras and turn on the alarm at 5AM. They will know that you are away that night because they hacked into your newspaper’s database and noted your stop delivery request on your daily newspaper.

Welcome to our brave new world.

Comments solicited.

Keep your sense of humor.


Websense Report

I recently attended a very interesting 2015 Threat Report seminar from Websense titled “8 High-Risk Lessons.” Like many of the webinars and reports I have written about, while Websense has security products they would like you to license, the report provides important analysis of the current state of cyber attacks. I highly recommend that you read this 30-page report.

Websense, Inc., with headquarters in Austin, Texas, is a global leader in protecting organizations from advanced cyber attacks and data theft. Behind those products is the analysis of up to five billion security event inputs every day from around the world. Their analysis expertise interprets those events with respect to the context of the attack activity and their potential impact.

My five key takeaways:

  1. Cybercrime is getting easier.
    Cybercrime is a huge business with huge profits. As I reported earlier, the cybercriminals who engineered the Target attack received around US$53 million of income from that attack. The cybercrime industry provides an efficient marketplace to exchange tools and stolen information, plus get trained on the necessary skills. This is the age of MaaS, Malware as a Service, where a budding cybercriminal can rent an exploit kit for $800-$1,500 a month. In 2014, Websense tracked three times the number of different exploit kits as compared to 2013.
  2. Cybercrime is constantly adapting.
    Today’s cyber criminal is more likely to be attacking a class of users or systems instead of just throwing out a general attack. That may be a line of business, a specific application, an individual company or organization, or even a few employees in one department. If your IT department successfully defeated last year’s attacks, tell them “thanks” and remind them that this year’s attacks may be different. Many of today’s individual attacks are very small and harder to detect. All the cyber criminal wants to do initially is gain a foothold, an entry into your systems somewhere. Then use that foothold to find exactly where in your organization is most vulnerable or most valuable to the attacker. Then attack that specific server or group of users.
  3. The Internet of Things will make security even more interesting.
    The Internet of Things is an exponentially growing number of gadgets that are getting connected to your home or office network, or to the Internet itself. Do you have a thermostat at home that allows you to monitor or change the temperature in your house from your cell phone? Then so can, potentially, anyone else. As a real example, consider a cyber terrorist who gains access to your office control system. They might lock the doors to your server room and deny access to anyone, then set the thermostat in the server room to 100 degrees. In a few hours you will have a pile of nonfunctioning servers, physically destroyed by someone a few feet or a few thousand miles away. The fear of BYOD (bring your own devices like smart phones or tablets) is justified, but maybe not for the reason you believe. Cyber criminals are not stealing information from the BYOD, but using it to gain access to your internal corporate network.
  4. Don’t try to attack the attacker.
    Some companies try to determine where the attack came from and attack back. Bad idea. It will take a lot of time to determine the real source of the attack. The “obvious” answers are often false, because attackers route through a series of intermediate hosts before reaching you. I find the CSI and NCIS type of television shows entertaining, but not very instructive. There is no Nell and Eric who can track a cyber attack back to the originator in 4.5 seconds. Don’t waste your time, and don’t risk attacking an innocent party whose machine was merely the last hop. Let law enforcement handle it, and cooperate with them.
  5. More focused attacks.
    You may see fewer attacks in the future. Websense observed almost four billion security threats in 2014, down about 5% from 2013. But considering the serious breaches that made the news, and the even larger number that did not, the threat is higher than ever. You can bet that you will be attacked. If your IT department tells you that your company has never been attacked, be very scared. It more likely means that your IT department is not detecting the attacks.

Security is a distraction. The real task of your IT department is to make data readily available to your employees, your partners and your customers. IT wants to be the land of “yes!” Security tends to make it the land of “No!!” The trick is to set up your infrastructure and IT department to get as close to “yes” as you can while protecting the company’s and your customers’ assets.

As part of your annual internal user training on ethics and security, make sure you include how to detect and avoid phishing attacks and how to use Wi-Fi safely (and where not to even try). I personally receive 3-5 phishing mails a day from a set of seemingly related places telling me I have a commission payment, or there is a question on an invoice, or a friend has gifted me with a book, program or some other item. Many of them have a “Go ahead and download it here!” link. Make sure your users know to always hover the mouse over the link first. This will display the actual URL, which is frequently a bare IP address or a domain that merely looks like the one in the link text. If it is not something the user recognizes, they should not click on it.
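The hover check can be automated for a mail gateway or for training material. The script below is an added example, not code from the original post: it parses the HTML body of a message, collects every link, and flags the same things a careful user would notice on hovering, namely a visible URL whose domain differs from the real destination, an https address that actually points at plain http, and a destination that is a bare IP address. The sample message is constructed to resemble the “commission payment” and “invoice” lures described above; the IP address and domains in it are reserved example values, not real phishing infrastructure. The registrable-domain helper is a deliberate simplification (last two labels, no public-suffix list), so treat its verdict as a training aid rather than a production filter.

```python
"""Flag links in an HTML e-mail whose visible text does not match the real
destination, i.e. what a user would see by hovering over the link.
Added example; the sample message below is constructed, not a real phish.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the lures described in the post.
# 198.51.100.0/24 and example.com/.net are reserved documentation ranges.
SAMPLE_EMAIL = """
<p>A commission payment of $1,240.00 is waiting for you.</p>
<p><a href="http://198.51.100.23/pay/confirm.php">Go ahead and download it here!</a></p>
<p>Review your invoice at <a href="http://invoice-portal.example.net/login">https://www.example.com/invoices</a></p>
<p>Questions? Visit <a href="https://www.example.com/help">https://www.example.com/help</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable_domain(host):
    """Crude 'last two labels' heuristic; a real filter would use a public-suffix list."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def is_ip_host(host):
    """True for a dotted-quad IPv4 literal such as 198.51.100.23."""
    parts = host.split(".")
    return len(parts) == 4 and all(p.isdigit() for p in parts)


def check_link(text, href):
    """Return the reasons a link is suspicious; an empty list means it looks consistent."""
    reasons = []
    real = urlparse(href)
    if real.hostname is None:
        return ["unparseable href"]
    if is_ip_host(real.hostname):
        reasons.append("destination is a bare IP address")

    # If the visible text itself looks like a URL or domain, compare where the
    # user *thinks* the link goes with where it really goes.
    shown_scheme = None
    if " " not in text and "." in text:
        shown = urlparse(text if "://" in text else "http://" + text)
        shown_scheme = shown.scheme
        if shown.hostname and registrable_domain(shown.hostname) != registrable_domain(real.hostname):
            reasons.append(f"text shows {shown.hostname} but href goes to {real.hostname}")
    if real.scheme == "http" and shown_scheme == "https":
        reasons.append("https shown but http used")
    return reasons


def scan_email(html):
    """Return [(visible text, href, reasons)] for every link in the HTML body."""
    parser = LinkCollector()
    parser.feed(html)
    return [(text, href, check_link(text, href)) for text, href in parser.links]


if __name__ == "__main__":
    for text, href, reasons in scan_email(SAMPLE_EMAIL):
        print(f"[{'SUSPICIOUS' if reasons else 'ok'}] '{text}' -> {href}")
        for reason in reasons:
            print("    -", reason)
```

Run it as-is to see the first two links flagged and the third pass. Note what the checker cannot do: a link whose text is plain prose (“download it here!”) gives no domain to compare, so only the bare-IP rule fires; a registered look-alike domain such as a single swapped character is caught only if the user-visible text names the genuine domain. That is exactly why the training advice is “if you do not recognize it, do not click,” rather than “the tool will catch it.”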

The last word:

Looking for a job in IT with a huge need, or do you have a child or grandchild thinking about the IT field? There is currently a worldwide shortage of skilled security practitioners, expected to grow to more than two million by 2017. It takes about eleven years of training and working in the field to become really skilled, but these skills are needed now, and companies are hiring now to bring new people into this arena. I don’t see the need diminishing anytime soon.

Comments solicited.

Keep your sense of humor.


Target Got Off Easy

Earlier this year I posted about the cyber attack in which Target allowed at least 40 million credit cards to be compromised, and watched as cyber criminals stole the personal information of about 110 million people. This breach occurred during the year’s biggest shopping season, between Thanksgiving and Christmas in 2013.

Last month, Target agreed to a settlement: a maximum of $10 million, or $0.25 per compromised credit card. Individual victims may get up to $10,000 in damages.

This settlement requires final federal court approval, but is, in my view, a settlement favorable only to Target.

In order to claim any damages from Target, victims must prove:

  • That unauthorized charges were made to their credit card.
  • That they invested time in addressing the fraudulent charges.
  • That they incurred actual costs from correcting their credit report, paying higher interest or fees because of the impact to their credit rating, paid fees to replace identification cards, or hired identity protection companies or lawyers.
  • That the Target breach was responsible for their loss.

Matthew Esworthy, a litigation partner at Shapiro Sher Guinot and Sandler, said that many victims would have trouble proving that they lost money because of a specific data breach.

A friend had her purse stolen in a museum. She discovered the theft within a couple of minutes of its occurrence. By the time she got to a phone and called her debit card company, the thief had drained over $5,000 from her bank account, and that money was gone. That debit card was just one of the items in her purse. A maximum benefit of $10,000 may not cover an individual’s loss.

One reason that it took so long to get to this ridiculous settlement is that Target argued in court that consumers lacked standing to sue because they could not establish any injury.

If you have a problem, report it as soon as possible at the web site Target sent you.

Fortunately, this is not the only cost to Target. By the end of January, Target estimated that it had already accrued $252 million in expenses related to the breach, including this settlement. That will be partially offset by up to $90 million in insurance payments to Target. Target also faces claims from three of the four major credit card companies, and probably also from the fourth, as those companies try to recoup their losses from this data breach. In addition, the Federal Trade Commission, the Securities and Exchange Commission, and several state attorneys general are investigating and may impose fines.

Target bears a large share of the blame for this data breach. Target’s computer security systems alerted IT to suspicious activity after cybercriminals had infiltrated its networks, but Target decided to ignore the alert. The settlement also revealed that Target had no written information security program and no chief information security officer.

They also had a 46% drop in year-over-year profits for the quarter when the breach occurred.

Don’t let this happen to your company.

The last word:

How did the cybercriminals do? Pretty well, probably. Krebs on Security estimated that between one and three million credit cards stolen from Target were sold on the black market and successfully used for fraudulent purchases before the credit card companies managed to cancel the rest. That likely generated over $53 million of income to the cyber-criminals. That number is interestingly close to the $55 million that the ousted CEO Gregg Steinhafel will get in executive compensation and severance benefits from Target.

So the cybercriminals, lawyers, and the shamed CEO win. Meanwhile, Target as a company and millions of its customers lose.

Comments solicited.

Keep your sense of humor.


