Last time I wrote about the Websense 2015 Threat Report and my key takeaways. One of those takeaways was that cyber attacks are more focused. Attackers are moving from being focused on an industry, like health care, to focusing on a specific company, like Anthem. We are starting to see attacks that are aimed specifically at one organization within a company, targeting the people in that organization who are likely to have access to something the cybercriminals want.

Here is one interesting example from last year involving hacktivists. Hacktivists are cyber-criminals who attack a company not to gain monetary value but to impair the operation of the company. In this case, their targets were the few people in the company that managed the building security and environmental controls. From far away, these hacktivists locked the doors to the main server room and disabled the emergency override controls, then turned off the air conditioning and turned up the heat. The end result was a room full of physically destroyed computers.

How is this kind of specific attack done? Websense describes the seven stages of advanced threats.

  • Stage 1: Recon
    The first step is to identify at least one individual who has access to the information the attackers want. They start by using professional websites (like LinkedIn) to determine who works at the company and who might be in the area in which they are interested. Then, through the use of personal and social media sites, they identify others who might have the information they seek. They are also looking for the kinds of lures that might work with these selected individuals.
  • Stage 2: Lure
    Using the recon information, the cybercriminals create lures that can fool users into clicking on a link. These lures are dangled in emails and social media posts that appear to be from trustworthy sources.
  • Stage 3: Redirect
    When the lure works and the user clicks on the link, they are redirected to sites with malicious content such as exploit kits.
  • Stage 4: Exploit Kit
    An Exploit Kit will scan the user’s workstation looking for vulnerabilities which allow the delivery of malware including key loggers or other tools to enable further infiltration of the network.
  • Stage 5: Dropper File
    Once the Exploit Kit has discovered a path to deliver malware, the cybercriminal delivers a “dropper file.” The dropper file contains software to start finding and extracting data, and often includes additional capabilities to deliver other malware in the future, even after the existing vulnerabilities have been fixed. The dropper file may remain dormant for a period of time to avoid detection.
  • Stage 6: Call Home
    Once the Dropper File has infected the target system, it “calls home” to the hacker’s command-and-control system. The dropper file can now download additional programs and tools, and get instructions. There is now a direct connection between the cybercriminal and the infected system.
  • Stage 7: Data Theft
    At this point, the cybercriminal begins to collect the data. The data could be anything: intellectual property, financial, health or other personally identifiable data, or data that will enable additional attacks.

Not every advanced threat uses all seven stages. These same stages are also used in more general, less focused attacks.

Each of these stages provides a place to stop the attack. A prepared company has a kill chain defense against these advanced attacks that monitors and defends at every stage.

These attacks may be directed at the victim’s personal accounts, accounts with less protection and where the victim tends to be less careful. Also, a victim’s personal computer may be more vulnerable to attack than the IT-controlled office workstation, but that personal computer may be used by the victim for work-related activities and thus may contain information useful for breaking in to the office network.

The last word:

Today, you have the ability to use your smart phone to control your home thermostat and lock or unlock your doors. Just like the hacktivist example above, somewhere there is a group of hackers attacking you and the company that manages the communications with these devices. That company might be your Internet Service Provider (Comcast or Verizon, for example), or your home alarm company. If not already available, it will soon be possible to buy the access codes to a house or company or more likely subscribe to a BIaaS (Break-in as a service). For $1,000 the hackers will turn off the alarm, disable the video cameras, and unlock the back door at 2AM, then relock the doors, enable the video cameras and turn on the alarm at 5AM. They will know that you are away that night because they hacked into your newspaper’s database and noted your stop delivery request on your daily newspaper.

Welcome to our brave new world.

Comments solicited.

Keep your sense of humor.

Walt.

Websense Report

I recently attended a very interesting 2015 Threat Report seminar from Websense titled “8 High-Risk Lessons.” Like many of the webinars and reports I have written about, while Websense has security products they would like you to license, the report provides important analysis of the current state of cyber attacks. I highly recommend that you read this 30-page report.

Websense, Inc., with headquarters in Austin, Texas, is a global leader in protecting organizations from advanced cyber attacks and data theft. Behind those products is the analysis of up to five billion security event inputs every day from around the world. Their analysis expertise interprets those events with respect to the context of the attack activity and their potential impact.

My five key takeaways:

  1. Cybercrime is getting easier.
    Cybercrime is a huge business with huge profits. As I reported earlier, the cybercriminals who engineered the Target attack received around US$53 million of income from that attack. The cybercrime industry provides an efficient marketplace to exchange tools and stolen information, plus get trained on the necessary skills. This is the age of MaaS, Malware as a Service, where a budding cybercriminal can rent an exploit kit from $800-$1,500 a month. In 2014, Websense tracked three times the number of different exploit kits as compared to 2013.
  2. Cybercrime is constantly adapting.
    Today’s cyber criminal is more likely to be attacking a class of users or systems instead of just throwing out a general attack. That may be a line of business, a specific application, an individual company or organization, or even a few employees in one department. If your IT department successfully defeated last year’s attacks, tell them “thanks” and remind them that this year’s attacks may be different. Today’s individual attacks are often very small and harder to detect. All the cyber criminal wants to do initially is gain a foothold, an entry into your systems somewhere. Then they use that foothold to find exactly where in your organization is most vulnerable or most valuable to the attacker. Then they attack that specific server or group of users.
  3. The Internet of Things will make security even more interesting.
    The Internet of Things is an exponentially growing number of gadgets that are getting connected to your home or office network, or to the Internet itself. Do you have a thermostat at home that allows you to monitor or change the temperature in your house from your cell phone? Then so can, potentially, anyone else. As a real example, consider a cyber terrorist who gains access to your office control system. They might lock the doors to your server room and deny access to anyone, then set the thermostat in the server room to 100 degrees. In a few hours you will have a pile of nonfunctioning servers, physically destroyed by someone a few feet or a few thousand miles away. The fear of BYOD (bring your own devices like smart phones or tablets) is justified, but maybe not for the reason you believe. Cyber criminals are not stealing information from the BYOD, but using it to gain access to your internal corporate network.
  4. Don’t try to attack the attacker.
    Some companies try to determine where the attack came from and attack them back. Bad idea. It will take a lot of time to determine the real source of the attack. The “obvious” answers are often false, with the attackers using a series of links before it gets to you. I find the CSI and NCIS type of television shows entertaining, but not very instructive. There is no Nell and Eric who can track a cyber attack back to the originator in 4.5 seconds. Don’t waste your time and possibly attack an innocent party. Let law enforcement handle it, and cooperate with them.
  5. More focused attacks.
    You may see fewer attacks in the future. Websense observed almost four billion security threats in 2014, down about 5% from 2013. Considering the serious breaches that made the news, and the even larger number that did not make the news, the threats are higher than ever. You can bet that you will be attacked. If your IT tells you that your company has never been attacked, be very scared. It more likely means that your IT department is not detecting the attacks.

Security is a distraction. The real task of your IT department is to make data readily available to your employees, your partners and your customers. IT wants to be the land of “yes!” Security tends to make it the land of “No!!” The trick is to set up your infrastructure and IT department to get as close to “yes” as you can while protecting the company’s and your customers’ assets.

As part of your annual internal user training on ethics and security, make sure you include how to detect and avoid phishing attacks and how to use WI-FI safely (and where not to even try). I personally receive 3-5 phishing mails a day from a set of seemingly related places telling me I have a commission payment, or there is a question on an invoice, or a friend has gifted me with a book, program or some other item. Many of them have a “Go ahead and download it here!” link. Make sure your users know to always hover the mouse over the link first. This will display the actual URL. If it is not something the user recognizes, they should not click on it.

The last word:

Looking for a job in IT with a huge need, or do you have a child or grandchild thinking about the IT field? There is currently a worldwide shortage of skilled security practitioners, expected to grow to more than two million by 2017. It takes about eleven years of training and working in the field to become really skilled, but these skills are needed now and companies are hiring now to bring new people into this arena. I don’t see the need diminishing anytime soon.

Comments solicited.

Keep your sense of humor.

Walt.

Target Got Off Easy

Earlier this year I posted about the cyber attack in which Target allowed at least 40 million credit cards to be compromised, and watched as cyber criminals stole the personal information from about 110 million people. This breach occurred during the year’s biggest shopping season between Thanksgiving and Christmas in 2013.

Last month, Target agreed to a settlement: a maximum of $10 million, or $0.25 per compromised credit card. Individual victims may get up to $10,000 in damages.

This settlement requires final federal court approval, but is, in my view, a settlement favorable only to Target.

In order to claim any damages from Target, victims must prove:

  • That unauthorized charges were made to their credit card.
  • That they invested time in addressing the fraudulent charges.
  • That they incurred actual costs from correcting their credit report, paying higher interest or fees because of the impact to their credit rating, paid fees to replace identification cards, or hired identity protection companies or lawyers.
  • That the Target breach was responsible for their loss.

Matthew Esworthy, a litigation partner at Shapiro Sher Guinot and Sandler, said that many victims would have trouble proving that they lost money because of a specific data breach.

A friend had her purse stolen in a museum. She discovered the theft within a couple of minutes of its occurrence. By the time she got to a phone and called her debit card company, the thief had drained over $5,000 from her bank account, and that money was gone. That debit card was just one of the items in her purse. A maximum benefit of $10,000 may not cover an individual’s loss.

One reason that it took so long to get to this ridiculous settlement is that Target argued in court that consumers lacked standing to sue because they could not establish any injury.

If you have a problem, report it as soon as possible at the web site Target sent you.

Fortunately, this is not the only cost to Target. By the end of January, Target estimated that it had already accrued $252 million in expenses related to the breach, including this settlement. That will be partially offset by up to $90 million in insurance payments to Target. Target also faces claims from three of the four major credit card companies, and probably also from the fourth, as those companies try to recoup their losses due to this data breach. In addition, the Federal Trade Commission, the Securities and Exchange Commission, and several state attorneys general are also investigating and may impose fines.

Target was instrumental in this data breach. Target’s computer security systems alerted IT to suspicious activity after cybercriminals had infiltrated its networks, but Target decided to ignore the alert. The settlement also revealed that Target had no written information security program and no chief information security officer.

They also had a 46% drop in year-over-year profits for the quarter when the breach occurred.

Don’t let this happen to your company.

The last word:

How did the cybercriminals do? Pretty well, probably. Krebs on Security estimated that between one and three million credit cards stolen from Target were sold on the black market and successfully used for fraudulent purchases before the credit card companies managed to cancel the rest. That likely generated over $53 million of income to the cyber-criminals. That number is interestingly close to the $55 million that the ousted CEO Gregg Steinhafel will get in executive compensation and severance benefits from Target.

So the cybercriminals, lawyers, and the shamed CEO win. Meanwhile, Target as a company and millions of its customers lose.

Comments solicited.

Keep your sense of humor.

Walt.

Save That Data

A writer friend posted a blog about Ancient Remedies Resurrected. He blogs mostly to help other writers use medicine correctly in their fictional murders. This particular post discusses the surprising success of a medieval recipe in killing specific troubling antibiotic resistant bacteria.

  • Who would suspect that a thousand-year-old Anglo-Saxon recipe to vanquish an infected eyelash follicle could do that?
  • Who even tried the recipe on something different than its original documented purpose?
  • Why was the recipe still around?
  • Who could read it?

The first two questions are relatively easy. Some ancient remedies actually work. They were created over hundreds or even thousands of years of experimentation in the real world. Many experiments failed, with the expected unpleasant results. Some worked and were passed down orally from “doctor” to “doctor,” often from parent to child. Often the “doctor” was closely associated with the local religion. One recipe for curing fever occurring in the brain is on an eighth century BC tablet. The particular poultice is attributed to oral medical lore dating back to around 1860 BC. The tablet itself cites “mythological sages from before the Flood.” It is hard to argue with such authority. Enough of these old recipes work that it is well worth the effort to test them. Government agencies, pharmaceutical companies and universities all spend some effort searching ancient texts and experimenting. Looking at what the recipe does from a scientific viewpoint may point out some other possible uses of the drug.

The last two questions are the really important ones.

The survival of any particular ancient text is more due to luck than good data management. There is so much that can go wrong. The document first of all has to avoid being broken into a thousand pieces, sunk in the middle of the ocean, cleaned and reused, or being damaged by the ravages of nature with floods, fire, mold, or rot. But perhaps the most danger to old documents is man. Opened in the third century BC, the Library of Alexandria was one of the largest and most significant libraries in the world of its time. The library was destroyed, first by Julius Caesar when he conquered Egypt in 30 AD, and finally by Coptic Pope Theophilus in 391. Pope Theophilus was very thorough. Not only did he complete the destruction of the main library, but also a smaller version, the Serapeum, located elsewhere in Alexandria. Perhaps the first recorded case of a backup failure.

Maybe as significant for the preservation of possible ancient medicinal cures was the destruction of all but four of the thousands of Maya codices by Spanish conquistadors and Catholic priests. Why were they destroyed? According to Bishop Diego de Landa in July 1562, because “they contained nothing but … superstition and lies of the devil.”

Unfortunately, this organized destruction of the past continues to this day as the result of conquest and religious fanaticism.

We recently visited one such ancient document, and it was only 800 years old. It was both surprisingly readable and very hard to read, and it was in a language we had some rusty familiarity with. Imagine the difficulty of even deciphering an ancient text and then determining its meaning. We do not have a Rosetta Stone for most ancient languages. I am referring to the multi-language stone found in Egypt during Napoleon’s conquest, not the language instruction company, although the statement applies to both. Often even the structure of the language as well as the meaning of individual characters or symbols had to be coaxed out of many documents by many people over many years. Only after that can other researchers begin to search for specific snippets of interest, like medical recipes.

In trying to recreate the recipe that began this post, researchers had to figure out what the ingredients really were, and hope that modern garlic is similar enough to 1,000 year old garlic to actually work. In most cases an ancient text will not describe exactly how hot or long to cook something, or even how much of each component was to be used.

As I discussed earlier, it is perhaps as difficult to keep data for the long term in today’s electronic age as it was in ancient times.

The last word:

Save the data, especially if you have no idea what value it might have in the future. Pictures, movies, personal history stories whether written or currently only oral could be important. Talk to older relatives and friends and get their stories saved. Do it now while you still can.

If you save oral recordings, go back and make transcripts that can also be saved. A hundred years from now there may be no one who can understand what was said.

If your family knows a language that is little used, work to preserve it so its oral and written legacy can be saved.

Even mundane business records can have historical value in a distant future. Kyle Harper used ancient purchase records to reinterpret the end of Roman slavery by determining what slaves were eating in Rome around 300 AD. This kind of information can help fill in the gaps about a civilization and the well-being of its people, whether wealthy citizens or slaves.

As I have said before, keeping data on paper only is not the best idea.

Comments solicited.

Keep your sense of humor.

Walt.

No matter what you think about Hillary Rodham Clinton’s past accomplishments and future potential, she has provided us an example of bad behavior that can be a learning experience for all of us.

To remove the positive or negative association of Madam Secretary Clinton, I will use “Anne Chamberlain” as the name of a potential employee of your company. Anne held a very high position in your company for many years, with intimate access to your most sensitive proprietary and confidential information including product plans, marketing strategies, competitive analysis, and your internal decision making processes. After she resigned from your company, you find out that the entire time she held this high position she was using her personal email account for most of her business emails, both within your company and with customers, partners, and even competitors. She used her own personal servers under her own physical control to manage and handle that email account. The result is that you have no access to any of those emails she sent or received.

When your CSO (Chief Security Officer) approached Anne, she said it was more convenient for her to use her own smart phone and her own email account. Her final response was “What difference at this point does it make?”

It makes a big difference.

While your company does permit BYOD (Bring Your Own Devices) to be used for both personal and business purposes, you do have strict security and data life cycle management policies. Your Life Cycle Management policy covers the rules about the creation, update, storage and destruction of all corporate records, including emails. These policies protect your company by enabling it to quickly and accurately find information to meet compliance, tax and other governmental requirements, efficiently run your business, manage contractual obligations, and respond to court discovery orders. Since you have no record of Anne’s emails, either sent or received, you will not be able to include them in support of any such activity. Since Anne has refused to allow your IT department access to her personal servers, if a court ever found out that she was storing required documents on those servers relevant to some court or government request, the court could confiscate and search the servers. Since Anne’s servers are probably not following your data life cycle management policies, there are likely emails on that server which should have been deleted that may now be publicly exposed as a result of the court action.

You also have a concern about the security of Anne’s emails. You have seen some reports that surmise that her server was hacked, perhaps by a foreign cybercriminal group, and that some of her emails may have been sold to your competitors. Again because you have no access to her servers, you have no way to determine if they were hacked and what, if any, damage it may have caused. You do know that her servers were not maintained to the same security levels as your own email servers.

Anne has promised to give you all of her business-oriented emails. Since there are thousands of these emails, you are concerned about how long it will take her to complete what is to her a low priority task. Worse, she is deciding what is a business-oriented email. While she may get 95% of it right, she will likely miss some emails that may be critical to your company later. A court may decide that you failed to disclose some emails and your company, not Anne, will face the consequences of that.

What do you do?

You really can’t outlaw personal devices for business use. It won’t happen; your employees and contractors, and probably you too, are really dependent on smart phones and tablets. Providing a corporate device is expensive and, like Anne, most people do not want to carry two devices that perform the same functions. But you can require some fairly simple procedures:

  1. Require all business-related emails to be done on your corporate email account. It is really easy to set up a second email account on a smart phone or tablet. On my iPhone and iPad I have a personal email account, my own company’s account, and separate accounts for each company I am working with at any time.
  2. Require that your company’s email account have your approved email signature block on each outgoing email. Again, it is easy to set up a separate signature for each email account on a device, including logos and the “fine print.” If you have a very complex corporate signature block, your IT department can set up a single image for the majority of the signature area and provide simple instructions for the common smart phone environments. If nothing else, this provides a clear signal to the person writing the email that they have the correct email account.
  3. Require that all outgoing emails on your corporate account are automatically forwarded to the employee’s corporate account. This ensures that you have a copy of all of those sent emails. In general this also makes it easier for the employee; they don’t have some outgoing emails on their tablet, some on their desktop, and some on their smart phone.
  4. Require that all emails be deleted from personal devices after a relatively short period, probably thirty days. They are still available to the employee through your email server, but it is one less place you need to search for necessary documents and it reduces the possible loss if a personal device is lost or stolen.
  5. Update your security and life cycle management policies to include personal devices.
  6. Include a section on the importance of protecting and managing company data and your email policy in your new employee orientation, and as part of your annual training session on security and ethics.
  7. Why did no one notice and report Anne’s behavior? Everybody should be looking for internal emails that come from an employee’s personal account. The easy thing to notice is that the signature block is “Sent from my iPhone” instead of your corporate signature. It is also easy to note that the sending email is from Anne.Chamberlain@me.com.
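Item 7 asks why nobody noticed mail arriving from a personal account. The following is an added example, not code from the original post, of the kind of mailbox audit that would have caught it: it parses raw messages and flags internal mail from consumer mail domains, device default signatures, and corporate-account mail missing the approved signature block. The corporate domain, signature marker and sample messages are constructed for the example.

```python
"""Audit raw email messages for business mail sent from personal accounts
or without the corporate signature block (items 2 and 7 above)."""
from email import message_from_string
from email.utils import getaddresses

CORPORATE_DOMAINS = {"example.com"}                      # assumed company domain
PERSONAL_MAIL_DOMAINS = {"me.com", "icloud.com", "gmail.com", "yahoo.com", "outlook.com"}
DEVICE_SIGNATURES = ("Sent from my iPhone", "Sent from my iPad")
CORPORATE_SIGNATURE = "Example Corp | example.com"       # assumed signature marker

# Constructed sample mailbox: three raw RFC 822 messages.
SAMPLE_MESSAGES = [
    # An executive mailing internal staff from a personal account (item 7).
    """From: Anne Chamberlain <Anne.Chamberlain@me.com>
To: product-team@example.com
Subject: Q3 roadmap
Content-Type: text/plain; charset=utf-8

Please keep the roadmap confidential until the board meets.

Sent from my iPhone
""",
    # A compliant message from the corporate account with the signature block.
    """From: Walt <walt@example.com>
To: product-team@example.com
Subject: Q3 roadmap
Content-Type: text/plain; charset=utf-8

Attached is the approved version.

--
Walt
Example Corp | example.com
""",
    # Corporate account, but the phone's default signature replaced the block (item 2).
    """From: Walt <walt@example.com>
To: Anne.Chamberlain@me.com
Subject: Re: Q3 roadmap
Content-Type: text/plain; charset=utf-8

Looks good.

Sent from my iPad
""",
]


def _domain(address):
    return address.rpartition("@")[2].lower()


def _text_body(msg):
    """Concatenate all text/plain parts, decoded to str."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def audit_message(raw, corporate_domains=CORPORATE_DOMAINS):
    """Return the list of policy findings for one raw message (empty if clean)."""
    msg = message_from_string(raw)
    sender = getaddresses(msg.get_all("From", []))[0][1] if msg.get("From") else ""
    recipients = [addr for _, addr in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    to_corporate = any(_domain(r) in corporate_domains for r in recipients)
    body = _text_body(msg)
    findings = []
    if to_corporate and _domain(sender) in PERSONAL_MAIL_DOMAINS:
        findings.append(f"internal mail from personal account {sender}")
    if any(sig in body for sig in DEVICE_SIGNATURES):
        findings.append("device default signature instead of corporate signature block")
    if _domain(sender) in corporate_domains and CORPORATE_SIGNATURE not in body:
        findings.append("corporate account mail missing corporate signature block")
    return findings


def audit_mailbox(raw_messages):
    """Map message index -> findings, for every message with at least one."""
    results = {}
    for index, raw in enumerate(raw_messages):
        findings = audit_message(raw)
        if findings:
            results[index] = findings
    return results


if __name__ == "__main__":
    for index, findings in audit_mailbox(SAMPLE_MESSAGES).items():
        print(f"message {index}: " + "; ".join(findings))
```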

This stuff is, unfortunately, important. Email is one of the main vectors for cyber attacks. In today’s environment, most corporate communication is done through email. If you lose control of your email traffic you have lost control of your company.

The last word:

The US Federal Records Act at the time Madam Secretary Clinton served as Secretary of State did not categorically prohibit federal government officials from using personal email accounts. The Act applies to all federal agency employees who are not within the White House itself and requires the comprehensive documentation of the conduct of official business by regulating the creation, preservation and disposition of agency records. If an employee used her personal email account, she was required to forward that communication into her agency’s official records system. Secretary Clinton could have done that by having her personal device automatically forward all outgoing emails to her US DOS email account, and having her personal server forward all incoming emails to her US DOS email account. She did neither.

By coincidence, Anne Chamberlain was the name of the wife of Neville Chamberlain, Prime Minister of the United Kingdom from May 1937 to May 1940. Prime Minister Chamberlain’s reputation is largely damaged by negotiating with Adolf Hitler to sign the Munich Agreement, and for failing to prepare his country for war. The Munich Agreement permitted Nazi Germany’s annexation of portions of Czechoslovakia, although, strangely enough, the Czechoslovakia government was not invited to the negotiations. The majority of inhabitants of these areas were German-speakers, so it is clearly logical that Germany should take over their control.

An argument someone else may be using today.

Comments solicited.

Keep your sense of humor.

Walt.

Windows Server 2003 (WS2003) was first released in, surprise, 2003. It replaced Windows Server 2000. Microsoft has released several derivatives including Windows Compute Cluster Server 2003, Windows Storage Server 2003, Windows Small Business Server 2003, Windows Home Server, and Windows Server 2003 for Embedded Systems.

WS2003 mainstream support ended in July 2010. On July 14, 2015, Microsoft will officially end extended support for WS2003. Microsoft will not release any updates, including security updates or patches, after this date. At that point you can pay Microsoft for security fixes for WS2003, but it is very expensive and not delivered promptly. Most antivirus solutions will not be supported on WS2003 after 7/14/2015, meaning that there will be no signature updates for new vulnerabilities. Considering the rate at which new malware opportunities are discovered in all flavors of Windows platforms, any WS2003 systems you have in production will quickly become vulnerable. As one data point, there were 37 critical updates for WS2003 in 2013, 10 years after the product’s release. WS2003 will not pass any further security or compliance audits. Expect stiffer fines and other penalties if you experience a data breach where a WS2003 system is part of the application environment.

This should not be a surprise. Microsoft has published its support policy and product end of life chart on its web site for over ten years. There are a lot of servers still running WS2003 out there. A Microsoft survey in January 2014 showed about 22 million WS2003 systems in use. A large number of those are in small and medium sized businesses. Many of these SMB companies do not have large IT staffs or budget to make any kind of a migration. There are probably at least 10 million WS2003 systems still in use today. Even many Fortune 500 companies are still dependent on WS2003, and most will not have migrated by the deadline, especially as it seems to take about six months to make the migration off WS2003.

Microsoft introduced Windows Server 2008 in 2008 as the successor product to WS2003. However, Windows Server 2008 is not the best destination for your WS2003 systems. Microsoft will end mainstream support for Windows Server 2008 on the same day that it ends all support for Windows Server 2003, July 14, 2015, while extended support ends in January 2020. If you need to move off Windows Server 2003 in any of its flavors, you are better served to jump to Windows Server 2012. Windows Server 2012 became generally available in September 2012, and the R2 release followed in October 2013. Mainstream support for Windows Server 2012 is scheduled to run until January 2018.

Microsoft provides assistance. Perhaps as an indication of their sense of urgency, the first thing you see on that Microsoft page is a count down clock telling you, down to the second, how long you have. Microsoft is, not surprisingly, pushing migration of your WS2003 servers to the cloud powered by Microsoft Azure. In some cases, that may make sense, but only if you want to make a significant change in your operations and procedures. Moving to the Cloud should be a business decision, not a technology decision. Like a lot of things involving cloud computing, the end point is often a better place to be, but getting there under a deadline can be risky. You should at least look at the material Microsoft provides to help in discovering which of your applications and workloads are running on WS2003, assess those applications and workloads by type, importance, and complexity, and choose a migration destination for each. For some of those workloads and applications, moving them to the Cloud may be the easier and less risky solution.

Your IT department probably has some good reasons for not migrating:

  • Your current server hardware may not support Windows Server 2012.
  • Some of your mission-critical applications may not be supported on Windows Server 2012.
  • You do not have sufficient financial or IT resources to make the migration while simultaneously keeping your IT environment running.
  • Unfamiliarity with Windows Server 2012.

The second may be the most serious, and may take the longest to fix. In the worst case, you may need to migrate to a different application.

In the meantime, you may be able to mitigate some of the risk by restricting who can reach your WS2003 servers. Products like the Unisys Stealth Solution may help. It can completely isolate your WS2003 systems from the outside world, allowing communication only from the specific systems and users you permit. Since the protection is based on user identity, not on network location or device identity, an individual's rights change automatically when their role changes. As Unisys says, “You can’t hack what you can’t see.”
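You do not need a product to get a coarser version of that isolation: Windows Server 2003 SP1 and later ship with Windows Firewall, which can scope each open port to a list of source addresses. The script below is an added example, not code from the original post or from Unisys, and it is not the identity-based scheme the paragraph describes; it restricts by source address only. It is meant to be run as an administrator on the WS2003 host itself (the netsh lines are identical from cmd.exe if PowerShell is not installed there). The management addresses, application subnet and port 1433 are placeholders; replace them with the hosts that actually need to reach this server.

```powershell
# Added example (not from the original post): limit inbound access to a
# Windows Server 2003 SP1+ host using the built-in Windows Firewall via netsh.
# Run locally on the WS2003 host as an administrator. The addresses and the
# application port are placeholders for this illustration.
$MgmtHosts  = "10.0.0.10,10.0.0.11"        # jump hosts allowed to administer the box
$AppClients = "10.0.20.0/255.255.255.0"    # subnet allowed to reach the application

# 1. Turn the firewall on for every profile; WS2003 SP1 installs with it off.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL

# 2. Close the broad built-in exceptions that tend to be left open.
netsh firewall set service type=FILEANDPRINT mode=DISABLE profile=ALL
netsh firewall set service type=REMOTEADMIN  mode=DISABLE profile=ALL
netsh firewall set service type=UPNP         mode=DISABLE profile=ALL
netsh firewall set icmpsetting type=ALL mode=DISABLE profile=ALL

# 3. Re-open only what is needed, each scoped to specific sources.
netsh firewall set service type=REMOTEDESKTOP mode=ENABLE scope=CUSTOM addresses=$MgmtHosts profile=ALL
netsh firewall set portopening protocol=TCP port=1433 name=SQLServer mode=ENABLE scope=CUSTOM addresses=$AppClients profile=ALL

# 4. Log dropped packets so clients you forgot about show up before they complain.
netsh firewall set logging filelocation=C:\WINDOWS\pfirewall.log maxfilesize=4096 droppedpackets=ENABLE connections=DISABLE

# 5. Review the result.
netsh firewall show config
```

Two caveats. A domain Group Policy for Windows Firewall overrides these local settings, so check `netsh firewall show config` after the next policy refresh, not just after the script. And a host firewall only narrows who can talk to the server: an attacker who has already compromised one of the permitted management hosts, or who has an exploit for the application port you must leave open, still reaches an operating system that will never be patched again. This buys time for the migration; it is not a substitute for it.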

If you do not have the resources, get help. There are many companies out there with experience in migrating off WS2003. You do not have to go it alone.

The last word:

Windows Server 2003 is potentially as serious a security problem as Windows XP. Hopefully you have long since removed that OS from your entire IT environment, as have all of the business partners with whom you share proprietary, financial, or protected customer data.

If you are running Windows Server 2008, you should start planning to move those servers to Windows Server 2012 as well.

The keys to a successful operating system migration are planning and testing. These exercises can feel like a huge drain on your resources, and each migration can itself cause new problems. But you have to do it; you cannot afford to be vulnerable.

Comments solicited.

Keep your sense of humor.

Walt.

New Shoes

(This is another special posting by Suzy. I hope you enjoy it.)

Today Mother was taking her to get a new pair of shoes. She was a petite, fine-boned girl who looked younger than her seven years. Mother kept her hair in a short bob with deep bangs framing her ocean-blue eyes, which today were sparkling with excitement. A new pair of shoes was a very important event. Her feet were very narrow, so her shoes had to be specially ordered, making them expensive, and her family didn’t have much money. Her father had a job but was often sick, so there were many payless weeks. Today Mother and Lois would take the trolley to 69th Street to get her shoes, then the subway and el to visit with Aunt Louise, so she was wearing her good navy blue dress and a fluffy sweater MomKate had knit. She slipped on the coat her mother had made and put the muff string under her collar. She liked her muff on these very cold days. It looked like a drum made of bunny fur, open on both ends, so that when she put her hands in the muff, the cuffs of her coat sealed the ends from all the cold. She twirled around to show how pretty she looked. Well, except for the very worn shoes, but she would have her new ones soon.

They walked a block down to the Pike, then several blocks to the trolley station. She kept dancing around on the platform, which annoyed Mother, who thought she should stand still, but the cold was coming up through the cement and into her shoes. Her feet were too cold to stand still. When the trolley arrived Mother gave her a little help up to the first step. They moved to the middle of the car. Most of the seats were still empty because this was only the second stop. They chose a bench and sat facing the direction they were going. Mother didn’t like to ride backwards. She got to sit next to the window, where she could brace her feet on a small ledge while watching the houses go by. The closer they got to 69th Street the fuller the car became, until there was only one seat left. Mother made Lois take her hand when they got to the station because there were so many people, some going to other trains or trolleys or out to the shops like they were. They crossed the street and walked halfway up the hill to Mother’s favorite store, Lit Brothers, where they had ordered her shoes. As soon as they got inside, Mother almost dragged Lois through the first floor to the shoe department. Mother was in a hurry so that they could catch the next subway train and have as much time as possible with Aunt Louise. The clerk brought out the box and carefully unwrapped the shoes. Nestled inside the tissue paper was a dark brown pair of maryjanes. Lois hopped up on the chair and the clerk sat on the special stool in front of her. After removing her worn right shoe, he gently slid the new shoe onto her foot and asked how it felt. It was so pretty, with a bit of room for her toes to grow, but the side of the shoe hugged her foot around the arch and heel. He repeated with the left shoe and helped her off the chair to walk a short way to confirm the shoes fit well. Both Mother and the clerk pushed down on the tip of the toe to be sure that there was some grow room.

Lois was all smiles as she looked at her feet in the mirror to see how pretty the new shoes were. Mother pronounced herself satisfied, paid the clerk, and they left. Lois carefully watched where she put her feet. There would be no scuffmarks on these shoes or dark spots from stepping into something on the sidewalk.

They had just made it to the subway and seated themselves when it began to move. They were looking forward to seeing Aunt Louise, who wasn’t really her aunt, but her godmother. Her mother and Aunt Louise had lived on 2 Street and gone to school together. They and their husbands had dated as a foursome before both men had gone to the Great War. When the men came home Aunt Louise had married Uncle Ed and moved northward in the city. Mother, Katherine, had married Ted, and they found a house in a southwestern suburb. The foursome still enjoyed each other’s company and got together whenever they could, which was less often than Mother and Aunt Louise would have liked. Lois always liked to be with Aunt Louise, with her constant smile and jolly laugh. Everything at Aunt Louise’s house seemed to be fun, while her own home was more serious, especially when her father was sick, which he was more and more often. The only problem at Aunt Louise’s house was Jimmy, her son. He was three months older than she was and believed that meant he could decide what they would do when they played together. He was always teasing her about something, often until she wanted to cry. But she would never give him that satisfaction.

The warmth of Aunt Louise’s kitchen was welcoming after the walk from the bus stop in the cold wind. The aroma of the hot lunch Aunt Louise had made drew them in as well. The first thing Lois did was to pirouette before Aunt Louise to show off her new shoes. Aunt Louise liked them a lot, which pleased Lois. As soon as the tea was ready they all sat at the kitchen table. Aunt Louise always made her feel so grown up. Today she had made a cup of half hot tea and half warm milk and sugar. Lois sat up straight and tall the way Mother liked and tried not to make any crumbs. Jimmy seemed to be eating as fast as he could and urged her to hurry. He had made plans to go ice-skating and didn’t want to make his friends wait. Aunt Louise said that Jimmy should take Lois with him, to which he made a face. Lois tried to beg off. After all, she hadn’t brought skates, nor was she dressed for skating. Actually, she didn’t own any skates, and she was dressed for visiting, not playing. Aunt Louise would have none of it. She insisted that Jimmy take her with him and even had a spare pair of clamp-on ice skates Lois could use. It would also give the two mothers a chance to visit without the noise of the children. Aunt Louise found an old pair of Jimmy’s trousers for Lois to slip on under her dress. The mothers made sure that the children were all bundled up and shooed them out the door.

Jimmy took off at a run to get to the corner where he had told the other kids he would meet them. Lois had to run to keep up. It was an uphill walk to the pond. They all put their skates on, and Jimmy took the time to be sure that Lois had hers on properly. The others had skated before and raced all around the edge. Lois gingerly skated in little circles as she learned to balance and turn, speed up and slow down to a stop. Soon she began to feel comfortable and began skating in larger and larger circles. By then the others were just about back to where they had started and began yelling at her. She couldn’t make out what they were saying, but she knew she was getting better and skating more surely. Then she felt as much as heard a cracking sound, and there was nothing under her feet. Everything was dark and murky. The next thing she could see was a hand, then an arm, and Jimmy’s face. He was urging her to grab his hand. The other kids had his feet. All the clothes had trapped enough air that she had a little buoyancy. That would soon disappear as her clothes absorbed the cold water. She stretched as hard as she could and managed to reach Jimmy’s hand.

Soon she was free of the water and on the ground next to the pond. Two sets of hands were removing the ice skates. Then they were pushing her up and telling her to run. She didn’t want to run. All she wanted was to get rid of the wet clothes and get warm. They were all shouting at her, so she began to edge away. Jimmy began pushing her. Turning, she tried to get away from all the shouting and pushing. She couldn’t run fast enough to escape. Jimmy kept pushing. She tripped and fell, so he began to roll her down the hill. The snow stuck to her wet clothes till she began to look like a snowman. When they needed to cross the street, several sets of hands pulled her up and shoved her across. Then they began to chase and shove her again. Jimmy was shouting for Aunt Louise before he even opened the back gate. As they reached the porch, Aunt Louise and Mother appeared at the kitchen door.

They grabbed her. Mother began pulling off her wet clothes while Aunt Louise ran for towels. As the big warm fluffy towels were wrapped around her, she saw her pretty new shoes were now all wet, stained, and wrinkled. All she could do was cry, because she knew they would never be pretty again. Jimmy kept telling her to stop bawling while he stuffed her shoes with newspaper. She seemed to be the only one upset about the once pretty pair of maryjanes. Both mothers were busy praising Jimmy for getting her back so quickly, and it was all his fault. He was the reason they had been ice-skating, that she had fallen through to the cold water that soaked her beautiful new shoes. He was the one who had pushed, shoved, and rolled her all the way back to Aunt Louise’s house. And here she was crying in front of Jimmy. What had begun as a joyfully entertaining day was now in ruins, as were her lovely new shoes.

The last word:

[Photos: Moma 1929, Dad 1930] This story is part of Suzy’s family lore. The girl Lois is Suzy’s mother, and Lois and Jim married in 1942, literally the night before he left to fly off US Navy aircraft carriers in the Pacific Theater. These pictures are from approximately the time of the story.

Comments solicited.

Keep your sense of humor.

Walt.
