Feeds:
Posts
Comments

Archive for the ‘Cybercrime’ Category

VoteIn addition to being a huge source of interest, amusement, annoying commercials, robo-calls, and anguish to all of us in the US, the 2016 election cycle is likely to drive cybercriminal and hacktivist activity. The Forcepoint 2016 Cybersecurity Predictions Report describes some interesting possibilities.

As an individual, expect to be targeted. By the 2012 election cycle, social media was an important method of getting a candidate’s message out, gauging voter interest, collecting donations, and promoting engagement hopefully leading to a vote. For some candidates, social media is at least as important as the traditional new media. Attackers will use the intense interest in this election cycle to create highly effective email lures and misdirects to push malware to the unsuspecting public.

Some of these attacks will be advanced cyber attacks against specific organizations unrelated to the election, potentially including your company. The cybercriminals will target individuals pursuing election-related information, with the expectation that the cybercriminals can gain access to personal or company information for financial gain or negative business impact unrelated to the election.

The candidates themselves, as well as the news media, will become vulnerable to attacks on their social media sites. These attacks may be by opponents, foreign governments, or hacktivists with a specific political agenda. Expect to see these attacks used to spread inaccurate messages and information. Even if a candidate can quickly correct the information, the false information lives forever and may impact the outcome of an election. In the US political circus, the message is critical.

These attacks on a candidate’s social media could also impact the data the candidate is collecting on probable voters and donations. Corrupting that data could have a huge negative impact on a candidate’s ability to run or fund a campaign.

InfoSec Institute published “Which Top 5 Presidential Candidate is Most Likely to Be Hacked?” back in October, 2015. The only candidate with an “A” rating was Ben Carson (remember him?), largely because he outsources donation and volunteer services and does not have an on-line store; he has a very small attack server. Hillary Clinton and Donald Trump got a “B,” Bernie Sanders and Jeb Bush got a “C.” Several of these candidates are using unsecured or only partially secured WordPress sites that may leak internal usernames and other information, making them relatively easy targets. While she did get a “B,” Hillary has the largest attack surface based on a quickly built custom application. Her development team’s motto is “ship early and often; done is always better than perfect.” Security may not be high on the team’s priority list, and security testing is likely to be a low priority task.

As the Forcepoint report points out, “Technology decisions made by candidates during their tenure can expose them to data theft attacks (as seen by Clinton’s use of a private email server).” It is also likely true that technology decision made during a campaign may give a hint as to how that candidate will behave relative to data security when elected. If you see a candidate reacting to incorrect information on their web site or social media, then expect that their concern about data security is very low. Put that on your scorecard as one factor as you decide how you will vote.

It will not be just the candidates’ web sites and social media sites, but also those of the hundreds of issue-related websites that represent PACs and other special interest groups.

The bottom line is that you need to be very careful. Before you click on a link in an email or on a website, carefully look at it. Even if you know the sender of an email, if all it says is something like “check this out” or some other short message, be careful: the email may only appear to be from a friend or co-worker. The safest way is to copy the link (right-click on the link and select “Copy Link Location”) and then paste that into your browser’s URL line and make sure you recognize the web site.

The last word:

SEAIf you think it unlikely that a foreign government would attack a candidate, consider the Syrian Electronic Army (SEA), a group of attackers supporting Syrian President Bashar al-Assad. Beginning in 2011, the SEA targeted political opposition groups within Syria, western news organizations (including the BBC, Associated Press, and The Washington Post) and human rights groups. The SEA has managed to send false tweets from Twitter accounts for 60 Minutes, Reuters, Associated Press, ITV News London, and many others. It has defaced the web sites of Forbes, NBC, CBC News, and hundreds of other sites including the National Hockey League.

Of course, the SEA is only one potential government sponsored hacktivist organization, and in my view, not the most dangerous by far. There is a reason why the US and China agreed to a pact to not use cyberattacks to steal company records for financial gain. Of course, China does not admit to ever having done anything like that. A careful reading of the pact indicates that the pact does not bar cyberattacks for other reasons such as political.

Comments solicited.

Keep your sense of humor.

Walt.

Read Full Post »

Cash is a pain. If you are a retailer, you have to go to the bank and get change every business day, count the cash drawer at every teller change and at the end of the day, and secure the cash until you get it back to the bank. In the meantime, you have to be concerned about it being stolen, or accepting counterfeit bills. After all, if you accept a counterfeit bill, you have lost that money.

Paper money does need to be laundered: it is filthy. A 2002 report found pathogens on 94% of the dollar bills tested, and paper money can and will transfer disease from a previous handler to you. Paper money can transport a live flu virus for two weeks, and one report found that a majority of US bills are contaminated by cocaine, directly from the coke-covered hands of drug makers and traffickers, and further distributed by the rollers in ATMs. Restaurants should have signs saying “employees must wash hands after handling cash,” and it is a good rule for everyone.

If you are a government, you like cash even less. You have to design money that is hard to counterfeit, securely manufacture it, distribute it to the Federal Reserve banks and branches (in the US), and they have to release them to the commercial banking system. This is all very expensive. Then you have to have a large infrastructure to investigate and prevent counterfeiting; in the US that is the Secret Service. Just the process of deciding how much money to print is an expensive effort. Worse, cash is untraceable. The government does not know how much is really still in circulation, and can only monitor transactions that are done through a commercial bank, and currently the US only monitors transactions of $10,000 or more.

As an aside, the day that President Abraham Lincoln established the Secret Service, July 5, 1865, was the day that he was assassinated. Congress immediately began to think about adding Presidential Protection to the list of Secret Service duties, and after only two more Presidents were assassinated (Garfield in 1881 and McKinley in 1901) Congress did actually add that protection.

Think how much easier it would be to handle sales and income taxes if all transactions went through financial institutions. The taxes could be automatically taken at the time of the transaction. Tax filing would be a breeze; in fact you really would not need to file anything. The government would send you a summary of all of your contributions to its good works. A federal, state or local taxing authority could change tax rates at any time and have them take effect immediately. Tax evasion becomes much more difficult. Countries like Greece and Italy with huge tax evasion problems might consider this approach. Governments will like these improvements in their cash flow.

Sweden is moving quickly to a cash-free future. More than half of the branches of the country’s leading banks no longer accept or dispense cash. Banks are dismantling ATM’s by the hundreds.

While largely a bottom up phenomenon in this very tech-savvy country, the government is not at all trying to stem the trend or even slow it down. Nonetheless, the Riksbank (Sweden’s central bank) predicts that some cash will still be circulating in 20 years. Cash now represents just 2% of Sweden’s economy, compared with almost 8% in the US and 10% in the Euro Zone. The amount of cash in Sweden’s bank vaults dropped from 8.7 billion kronor in 2010 to 3.6 billion kronor in 2014, a decline of over 60%.

KollektomatEven street beggars accept credit cards or SMS donations in Sweden. At a Filadelfia Stockholm church service, worshipers use cellphones to tithe through a Swedish bank app called Swish to a bank account projected on a huge screen, or line up at a Kollektomat card machine in the church. Last year, only 15% of their donations came in cash.

All of this only works with the Cloud, with all of the “works from anywhere at anytime” benefits and potential security issues.

However, there may be some bad side effects to this cashless society.

  • Older adults or others who are not tech savvy may be at a disadvantage, finding it difficult to ride public transportation or even buy newspapers or food.
  • When you can’t see the cash flowing out of your pocket, it is much easier to fall into a debt hole. It is a lot harder, I think, to pull a $100 bill out of your pocket then swipe a little piece of plastic or click a box on your smart phone.
  • Of course, the cybercriminals are paying attention. The number of financial cybercrime cases has more than doubled in the last ten years in Sweden.

But the biggest social change that will accompany the cash-less world will be in the rise of other forms of anonymous and non-traceable tradable items. Bitcoin is one such decentralized virtual currency, and identified as such by the US Treasury Department. Like most currencies, the value of a bitcoin can vary, but its value is not under the control of any government. Unlike regulated transactions, bitcoin transactions are not protected by any laws.

Some of the earliest adopters of bitcoin were criminals who found it a convenient and “safe” online marketplace for contraband. Allegedly ISIS is using bitcoin to help fund its activities.

The next step will be the expansion of “smart contracts.” A smart contract uses software to monitor and manage a contract, replacing third-party humans like lawyers, and allowing two parties that may not trust each other to have a contract that will “pay off” when and if something happens. This could be something as common as the transfer of real property, or criminal acts including cybercriminal activity or even physical acts including murder. Usually based around bitcoin, payment is anonymous and untraceable.

Criminals and law-abiding citizens will find ways to get around what they perceive as an overpowering or overly intrusive government.

The last word:

I wish you all a happy, peaceful and prosperous 2016. Remember that the world is fair; it just does not care about you.

Comments solicited.

Keep your sense of humor.

Walt.

Read Full Post »

I am not a fan of Microsoft, especially in the area of security. As of the end of November, Microsoft had released 112 Security Bulletins in 2015. Yet many of us are absolutely dependent on Microsoft products, including Word, Excel, PowerPoint, Outlook, and SharePoint. Even if you do not run on Windows, you still likely use these Office products. Since 2010, Microsoft Office 365 provides Cloud-based software plus services subscriptions to Office products plus storage space in Microsoft’s OneDrive.

While Microsoft does not provide sales figures for its Cloud business, adoption of Office 365 and SharePoint workloads has been rapid, with over 80 million users, and could be Microsoft’s “fastest growing product in history.”

While many customers do not put highly sensitive data into OneDrive, Office 365 is compliant with the ISO/IEC 27001 security standards, the European Union’s Data Protection Directive, the US Health Insurance Portability and Accountability Act (HIPAA), and the US Federal Information Security Management Act (FISMA). On the other hand, Microsoft has admitted it will hand over OneDrive data stored on European servers to US authorities under the Patriot Act. So anything stored in OneDrive is vulnerable to access by the US government without notice or recourse.

OneDrive is not compliant with PCI (Payment Card Industry) standards, so it is never appropriate to put personal finance information in OneDrive.

Microsoft Office 365 is also priced like the Cloud: pay-for-use. You pay a set amount for each user each month depending on which options you choose. There are benefits to this payment model:

  • The costs are expense, not capital budget items.
  • The cost of the service directly corresponds to the number of users, making clear correlation between benefit and cost.
  • You have the full support of Microsoft behind these products, including those far-too-frequent security bulletins and patches. For Cloud-based applications, these security updates are completely handled by Microsoft in the background requiring no effort by your IT department or users.

The bottom line is that Microsoft Office 365 provides, in my opinion, the best environment for collaborative from-anywhere access to documents, and provides security that is probably better than what most small and mid-sized businesses provide in their own environment. One important issue is the management and control of your Office 365 environment. It is critical for the security of your data to manage your users as their roles change and especially when they leave your company, whether your data is in the Cloud or in your own data center.

A few weeks ago, I wrote about Metalogix ControlPoint, a way to monitor for suspicious behavior in SharePoint. Tomorrow, Metralogix will announce a new version of Essentials for Office 365 to optimize the migration, management, and security of collaborative data in the Cloud and on-premise. This new release of Essentials for Office 365 provides:

  • Comprehensive backup and data protection for Exchange Online, alongside the existing OneDrive and SharePoint functionality which allows IT to quickly create, manage and restore backups of site collections, lists, libraries, content mailboxes, and individual OneDrives to local or cloud storage.
  • Seamless restoration with zero downtime for business continuity.
  • Management of all user attributes including license, permission and content.
  • Flexibility to migrate to multiple Cloud services.
  • Enhanced Diagnostic Manager, including email alerts on Office 365 service status.

The last word:

You may have noticed that this post came out Monday morning instead of the usual Sunday morning. That is because the new version of Metalogix Essesentials for Office 365 will be announced on Tuesday, 8 December 2015, and information on the release was embargoed until 7 December.

Comments solicited.

Keep your sense of humor.

Walt.

Read Full Post »

If your IT security folk tell you they need to strengthen your network perimeter, they are probably right. If they tell you that is all they need to do, they are probably wrong. Far too many companies are being hacked because someone stole valid credentials from an employee or a partner’s employee. As I mentioned earlier, in 2011 Lockheed Martin suffered a serious data breach of confidential defense and proprietary information because Chinese government hackers were able to steal credentials from an employee of a partner’s parent company.

Your own employees and contractors are also a security risk. After all, you have given many of them access to your sensitive information, including information protected by laws and regulations. As you move more to the Cloud and BYOD (bring your own devices), you have wittingly or unwittingly opened your network to devices and locations you cannot monitor nor control. Either by intent (e.g., Edward Snowden) or by accident, these employees or contracts could suddenly expose your information.

You can’t tell whether the credentials are used by the person you gave them to, or are being used by someone who has stolen them. In any case, if they are doing something strange, you better find out about it quickly.

The bottom line: securing content with access controls alone is not sufficient in the current threat environment.

Microsoft SharePoint is a web application platform in the Microsoft Office suite that combines content management, document management, business intelligence, workflow management and an enterprise application store across local, wide-area, and Internet-based networks. SharePoint is used by many mid-sized companies and large departments within larger companies. As of 2013, 80% of Fortune 500 companies use it, and Microsoft was adding 20,000 users every day.

If you use SharePoint either in the Cloud or just within your own datacenter, you should look at Metalogix ControlPoint. Announced on November 2, 2015, ControlPoint 7.0 adds real-time situational awareness into suspicious SharePoint user activity. ControlPoint 7.0 introduces a learning detection engine that analyzes user behavior for suspicious activity, and automatically takes action when it finds suspicious activity patterns.

Consider an employee who works primarily from the office and sometimes from home largely during normal business hours, and who looks at about a dozen sensitive documents on an average day. You might like to know if it appears like that employee is downloading hundreds of documents at 2:30 in the morning from what looks like a Chinese IP address. Actually, any of the attributes of that access are suspicious. This is the kind of activity that ControlPoint 7.0 is looking for.

ControlPoint 7.0 features and benefits:

  • Mitigates the risk of data loss due to unauthorized access to content, whether by an employee, contractor, or through the use of stolen credentials.
  • Provides audit trails of content access.
  • Provides details of content growth and user activity.
  • Provide automation of governance policies.
  • Minimizes security breaches.
  • Meets compliance requirements for access control.
  • Anticipates future IT needs for growth.
  • Eliminates human error with policy driven security across SharePoint farms.

Right out of the box, ControlPoint 7.0 will provide significant security benefits. It will take it probably two or three months to learn the behavior of your users; the sooner you start the lower your risk.

Metalogix is a Washington DC-based software company founded in 2001. Metalogix provides a unified platform to manage the entire lifecycle of SharePoint users and their collaboration content centered around optimization, security and management. In 2013, it acquired Axceler’s SharePoint business including ControlPoint for SharePoint. MetaLogix continues to put significant resources into enhancing and supporting ControlPoint; ControlPoint 7.0 follows the release of 6.0 just seven months earlier.

The last word:

The Cloud has moved on to the hybrid cloud. Get the latest insights on how to use it from top leaders (like me) in the industry.

Comments solicited.

Keep your sense of humor.

Walt.

Read Full Post »

I recently posted a series on driverless vehicles, including long haul trucks, farm vehicles, and taxis. Is anything happening in the field? The short answer is a resounding “yes.”

I mentioned the Freightliner “Inspiration Truck” in my earlier post. Freightliner Trucks is headquartered in South Carolina and is the largest division of Daimler Trucks North America. But they are not alone in developing autonomous long-haul trucks. In Europe, a standard Mercedes-Benz Actos with their intelligent “Highway Pilot” system travelled about nine miles on the Bundesautobahn 8 motorway in southern Germany. Like the Freightliner autonomous truck, there was a human driver behind the wheel, but he did not touch the wheel or other controls.

MB Autonomous TruckAutonomous car development is moving forward at an ever-increasing pace. Right now, there are dozens of companies working hard on achieving a real driverless car. Here is a brief look at current trends at a few of them.

  • Google is probably in the lead, with a goal to not build cars but to provide the software necessary for others to manufacture the production vehicles.
  • QNX is a Canadian software company specializing in on-board systems to provide infotainment, movies, music, and control your car. Probably more than anyone else today, they understand the requirement that the software system cannot crash, because if it does, so does the car.
  • Delphi is known as a one of the world’s largest parts suppliers, which realizes that car components, including smart car control and software solutions, must be cost effective. Delphi is working on ways to reduce the complexity, cost and weight of these systems.
  • Cisco Systems in known for its network products, and is working with Continental Automotive on producing the security software and message routing hardware that are required to deliver connected autonomous car services.
  • Continental Automotive is a large European parts supplier similar to Delphi in the US. It announced in 2013 that automated driving is the core of its long-term business strategy, and is working on connecting cars to provide better real-time traffic and navigation, entertainment features, and hazard warnings.
  • Covisint is a Detroit-based company that is developing a secure communication and collaboration system to enable autonomous cars to communicate with traffic lights, emergency vehicles and other external factors.
  • Codha Wireless designs hardware and software that will allow to vehicles to form ad hoc networks while on the road. Cars and trucks within those networks will be able to share critical information including their speed, direction, whether they are braking or accelerating. The result could be a a larger Cloud-based intelligence that will allow each vehicle to see danger around a corner and what is ahead of that big truck they are following.
  • Autotalks is an Israeli company in the same space as Codha. It has produced the world’s first automotive-grade chipset ready for mass production. This technology analyzes the data transmitted by the on-board systems in nearby vernicles to, initially, warn drivers of any imminent danger and communicate with external transportation infrastructure such as traffic lights. Eventually this becomes part of the roadway control infrastructure.
  • Mobileye is another Israeli company that provides inexpensive monitoring technology that uses a single camera to warn cars of dangers such as pedestrians, leaving your lane, or a forward collision, plus provides intelligent high-beam lights, recognizes traffic signs including speed limits, and adaptive cruise control.
  • Nvidia is a California chip manufacturer that has specialized in game controllers. Their experience in crunching real-time images and spatial data makes their chips ideal in driverless car systems. One of their biggest aims is to make car systems upgradeable.

Most current cars and trucks contain computer systems were designed at least two years before the vehicle goes into production; driverless technology has moved on in that time.   Today, an “upgrade” requires a trip to the dealer. This is unacceptable when a safety upgrade needs to be done “NOW!”

None of these companies actually build cars. Car manufacturers will take all of these technologies working together to get to the goal of safe driverless vehicles. I would bet it will all happen sooner than the experts expect.

The last word:

The future driverless vehicles are dependent on the cloud. As these companies have proven, we either have or are close to the connectivity we need. My biggest concern is security. So far, car control systems are extremely vulnerable to attack, as was recently proven on a Jeep.

I am looking forward to self-driving rental cars: no more getting off a long cramped airplane flight in a strange city trying to figure out how to get to you destination.

With the near-universal adoption of autonomous vehicles, bars will be happy. MADD should be happy and may be able to disband in a few decades.

Comments solicited.

Keep your sense of humor.

Walt.

Read Full Post »

Cybersecurity experts will tell you there are two kinds of organizations: those that have been hit by cybercriminals, and those who do not know they have been hit. This is not a joke. Cyberattacks will continue to grow in volume and sophistication. Anyone or anything that is connected to the Internet is vulnerable. When your customers’ data is compromised, you are responsible. If your physical building is compromised or your IT infrastructure is destroyed, your company may be out of business. No masked man on a white horse nor the Seventh Calvary will come riding over the ridge to save you.

Why can’t the government do something about this? One would expect that the natural reaction of governments to national security, financial and privacy attacks would be to militarize cyberspace and police the Internet with centralized bureaucracies and secret agencies to protect us and themselves.

That won’t work, and we unfortunately have an example of this: the War on Terror. The United States government vowed in 2001 to destroy the responsible terrorist organization, long before it had a clue what the enemy really was. Other powerful nations have joined the fight. Where are we after more than a dozen years? We have proven that the most powerful military force in the world can clear out terrorists from a specific physical area at unreasonable cost in dollars and lives, only to have the terrorists return as soon as the US forces leave. But they cannot stop an attack in Europe, the Middle East, or the US.

The bottom line: governments have demonstrated that they cannot win the War on Terror. They cannot even define “winning.”

If the US, or UN, tried to apply the same logic to the Internet, they would of necessity fail, but as Keren Elazari’s TED talk and Scientific American article demonstrate, just trying could actually make things worse.

One of the problems with the War on Terror is that there is no single entity that controls “the other side.” There is no geographic definition of a “front line.” The terrorist organizations keep morphing, recombining and dividing, with new ones appearing in the news with disturbing frequency.

Wait, that sounds like the Internet. The Internet is not like a public highway, or even international waters or a wilderness area. It is not even a collection of territories that governments could control, or even locate. Most of the physical components of the Internet are owned and operated by hundreds of multinational for-profit companies. The number of components is growing at an incredible rate. Cisco systems forecasts that by 2020 over 50,000,000,000 devices will be connected to the Internet. Every one of those devices is a target, and many of these are part of industry, military, and utility operations. The more devices that are interconnected, the more ways there are to gain access. For example, in 2011 an employee at RSA’s parent company EMC opened an innocuous-looking Excel file in an email. The resulting malware compromised RSA systems, enabling hackers to steal Lockheed Martin’s security tokens, thus giving access to the defense contract’s data including highly sensitive product information. The hackers were part of the Chinese government. RSA has been in the encryption business since 1982, and was acquired by EMC Corporation in 2006. Since 1979, EMC has been a global leader in IT and business transformation. Both of these companies take security very seriously, yet still had a serious breach that impacted one of their customers and sensitive national security data.

Which brings up another reason why governments can’t fix the problem: they are conflicted on whether they should. Organizations like the Department of Homeland security have a real interest in protecting US companies and individuals from cyber attacks. That part of the government recognizes the serious national threat a successful attack against the electric grid or the financial infrastructure could be more disastrous than Pearl Harbor and the 9/11 attacks combined. No one on the attacking side even needs to be in he US.

However, other components of the US government, like the National Security Administration and certain other defense organizations, have a vested interest in using the Internet as a weapon, and invest millions of dollars in finding, managing, and perhaps creating flaws that they could use. Remember Stuxnnet, a deliberate and successful physical attack against Iran’s nuclear weapon program done entirely with malware? That was a government attack, probably with US assistance if not direction. Governments, including the US government, participate in the worldwide hacker market, buying and selling information about security flaws. Edward Snowden believes the NSA spends more money on offensive cyber research than on defensive cyber research.

To further complicate the problem, new vulnerabilities are introduced every day. Intense market pressures push technology companies to produce new products and new features at an increasing rate. As these products become more intertwined and interdependent, the probability of introducing flaws increases. “Time to market” pressures reduce the testing that companies feel they can afford to do. As one company executive told me, “that’s what beta testers are for.”

Cybersecurity is like public health. The Centers for Disease Control and Prevention have a very important role to play, but they cannot stop the spread the disease by themselves.

Who can help? According to Ms. Elazari, hackers can help and have been helping. Back in 1995, Netscape Communications created a bug bounty program. It paid independent researches to report security vulnerabilities. If you are trying to remember why “Netscape” sounds familiar, it was the name of the web browser introduced in 1994 that was giving Microsoft’s Internet Explorer a real run for market share.

Largely spurred by significant leaks like those of Edward Snowden, the technology industry and the hacking community are actively working together. Hundreds of companies now have similar bug bounty programs, and are finding it to be a cost-effective way to reduce security vulnerabilities. In addition, private and public communities of security professionals now share information about malware, threats and vulnerabilities. The goal is to create a distributed immune system for the Internet.

What should you do?

  • Expect things to get worse over the next few years, with more targeted attacks, more breaches, and attacks that do physical damage initiated by other governments or terrorist groups.
  • Demand that companies make the software and hardware products your company depends on more secure. Yes, hardware products, too. There is more processing power in the average new car then in a multi-million dollar computer 20 years ago. As recently demonstrated, most if not all of these systems are vulnerable to cyber attack with the possibility of injury or death to the vehicle occupants and others nearby. I suspect a cyberterrorist attack that took over 100 cars scattered on LA freeways in rush hour would be interesting.
  • Demand that the penalties for failing to report a data breach involving personal or proprietary data are increased substantially, with jail time for executives who fail to consistently use best practices to secure that data.
  • Protect yourself and your company. Wash your hands and get vaccinated. If you don’t take care of yourself, you cannot expect anyone else to be able to help.

The last word:

My wife and I met Jim Murray and his wife on a dance floor in Valparaiso, Chile, in 2008. Since then we have managed to get together on a dance floor somewhere about once a year. Jim Murray writes a blog about the intersection of murder and medicine, which I have referenced before. He has just published Lethal Medicine, a thrilling tale of international intrigue, murder and deceit. The hero, Jon Masters, is a well-established pharmacist in San Antonio with a growing statewide company that provides medicinal injection services for people in their homes as they recover from illness or injury, or are under hospice care. When he discovers that the investigational drug study he is managing is a cleverly disguised scam, he finds himself in trouble with both local and federal authorities. One step ahead of the law, he races to Mexico and China to uncover the international conspiracy that threatens to destroy his business, his reputation, and his life.

Early on, Jim told us a scary story about one rainy night when he worked as the midnight shift pharmacist in a mid-city pharmacy. That story is now a short story “Cuffed” which is available in a collection of short stories Unforeseeable Consequences. The collection includes another story by Jim and a story Jim edited from each of five other authors.

I recommend both books, and they are available in Kindle editions on Amazon at the links with each book title above.

Comments solicited.

Keep your sense of humor.

Walt.

Read Full Post »

We live in a transparent world; it is almost impossible to keep secrets. Last time I wrote about The Half-Life of Secrets, and I defined a secret as something that if revealed to the wrong entity could cause harm. The secret could be in a document, or could have been something you did or did not do. The “entity” could be a specific individual (e.g., spouse), a group of people (e.g., your customers), a competitor, an organization that provides services (e.g., your insurance company or health care provider), or a government organization.

The Cloud is the primary enabler of the severe reduction in the half-life of your company’s secrets. If you put your business process applications in the Cloud, then your employees, contractors, partners and maybe your customers can access the critical data they need to do their job or buy your products or services from anywhere at anytime.

Unfortunately, that same information is potentially available to cyber-criminals.

You can reach potential customers via Facebook, Twitter, LinkedIn, text messages, email, or a dozen other social media mechanisms. You can target a specific customer, a class of customers, or reach out to a tailored set of prospects. It all happens “now!” and at small fraction of the cost of doing it via putting a physical letter in a mailbox.

Years ago I had a secretary. Don’t yell; that is what they were called back then. If I needed to send a letter to a customer, I could dictate it to her (and it was always a “her”). In an hour or so I would have a letter for my review and signature. Frequently, she had made changes to my letter, and almost always these changes made it better. More importantly, the process provided a time cushion for me when I reread the letter. For reasons of cost and time, very few people have that option anymore. We just type the email or text message or tweet and ship it. How many messages have you received that contained inappropriate information (i.e., secrets), an inappropriate tone or went to the wrong people (often the “reply all” mistake)? Every such message, once you throw it out there, can be forwarded to anyone anywhere. With a great marketing message, these forwards provide a positive multiplier effect along with an implied recommendation. If the message exposes a secret, it just magnifies the problem.

Just like Las Vegas, what happens in the Cloud, stays in the Cloud. Forever. But, unlike Las Vegas, it remains vulnerable to attack.

In his 2004 book In the Blink of an Eye Andrew Parker describes how about 543 million years ago, the chemistry of Earth’s shallow oceans and the atmosphere suddenly changed to become more transparent. Parker’s theory is that this increased transparency led to the Cambrian explosion, a relatively short (20-25 million years) evolutionary event that produced major diversification in life including most of today’s major animal phyla. Increased transparency led to eyes to see prey or predator, which led to new means of locomotion to chase or escape, claws, jaws, shells and other defensive and offensive body parts. Those species that did not evolve fast enough went extinct.

In a Scientific American article and TED talk, Daniel Dennett and Deb Roy talk about how companies must adapt to today’s new transparency, or go extinct. By analogy, organizations must adapt their external body parts to not only take advantage of the new transparency (e.g., FaceBook, Twitter, text messages), but also must create defensive capabilities. A successful organization must create information-handling organs of control and self-preservation as integral parts of its public relations, marketing, and legal departments.

These defensive organs cannot behave like they did ten years ago, or maybe the way they still do today. Your company must join the conversation on your distractors’ terms. You have to respond intelligently, honestly, and in a conversational way. You can’t deny, obfuscate, or preach. The whiff of a secret, and the carnivores will swarm until they dig it out, make it up, embellish it, and sell their story, not yours. In particular, you cannot let your legal department delay your response by weeks or months while approving a communication strategy, nor can your marketing or PR department spend days or weeks trying to figure out how to respond. You need to respond today.

Thus a significant part of your defensive evolution must be proactive: you have to do everything you can to prevent secrets from escaping in the first place.

  • Protect your company data not only in the Cloud but also within your own datacenter. Mostly that means keeping careful track of who should be allowed to access specific types of data, updating each person’s access right every time their role changes, and periodically auditing to ensure that the process works as required.
  • Take advantage of any security options that your Cloud Service Provider(s) can offer you. It is far less expensive and usually more effective to rely on them than your own IT department. As part of that, make sure your contract with any CSP includes what they must do to completely remove old archives according to your documentation life-cycle requirements, and audit that process at least annually.
  • Write, update frequently and publish your security policy. This policy should cover everybody with physical access to your datacenter(s), everybody who has electronic access to your data. It must cover your own computer equipment and your employee, contractor and partner equipment including personal devices. Everyone with non-public access to your data should be required to review your security policy, pass a test, and certify that they reviewed it at least annually.
  • Define who is permitted to “be the voice” of your company through any and all mechanisms. These are the people who can participate in external conversations. Ideally, there should be someone reviewing everything that goes out. This doesn’t have to be a long process, just make sure someone else is looking over the “voice’s” shoulder with the authority to say, “Hold on one minute.” You probably already have such a process for discussions with the press.
  • Set guidelines for different types of situations ranging from annoying to disastrous. You will have to define these terms based on your company’s situation, but it might range from an unhappy customer who posted a bad review to a partner leaking that your next major product is facing a significant delay due to a technical glitch. For each type, decide the ideal response time, who has to approve any message, and what documentation should be kept so the event can be reviewed.
  • Often, one situation will change its severity over a short period of time. You will not get it right everytime, so give the “voice” people the authority to raise their hand to get help. When things go wrong, the first response should not be to fire the “voice,” but to get the message back on track and learn from the situation.

Don’t count on the government for help – they are fairly helpless themselves, and react far too slowly. Country laws are also way behind the times, not able to even keep up with phone technologies.   Even further behind is the ability of a government to prosecute anyone, TV shows like CSI: Cyber aside.

Just like during the Cambrian explosion, it is a jungle out there. Make sure your company survives.

The last word:

NextGen Cloud recently named my blog as one of the 50 Top Cloud Computing Bloggers for IT Integrators. My thanks go to NextGen Cloud, and many thanks to all of my followers and readers.

Comments solicited.

Keep your sense of humor.

Walt.

Read Full Post »

A “Half-Life” is the amount of time required for the amount of something to decline to half its initial value. Those of us of a certain age remember that from the discussions of how long the fallout from nuclear explosion would be dangerous, and rest of you get periodic reminders of that from events like Fukushima. When we were in Norway this summer, there were radioactive reindeer; seems they were eating moss still radioactive from clouds that had drifted over from the 1986 Chernobyl accident.

Secrets have half-lives also: how long does it take for half of your secrets to become known to others. Countries have millions of secrets, companies thousands of secrets, and people maybe dozens of secrets. Each secret represents a fact that if revealed to the wrong entity could cause harm. Countries “classify” documents or even individual facts, and establish large organizations and complex processes to protect those secrets. Countries usually also have large organizations whose sole purpose is to steal the secrets of others. Companies have trade secrets, often about exactly how their products or services are created or delivered, but also about their internal financial processes and contracts with partners and customers. People have secrets about things they have done, or didn’t do, that they would rather their spouse, employer, doctor, or tax collector never found out.

Patents are not secrets. Patents are published in the one or more country’s Patent Office and are freely accessible. International law protects, to some extent, the owner of the patent. In order for the patent owner to reap the financial benefits of the patent, the patent must be shared.

Secrets also have time limits. The foreign travel plans of high-ranking government officials are often classified to enhance the safety of the individual but often so as not to reveal where or why the individual is traveling. Consider the case of National Security Advisor Henry Kissinger’s visit to Beijing in 1972. These kinds of secrets are only secrets for a specific period of time, often measured in days or weeks.

But many secrets need to be kept secret for years or decades. One such trade secret is the formula for Lena Blackburne’s Rubbing Mud that is used to fix the feel of baseballs for major league play. That formula, and the location of the mud hole, has remained a secret for over 75 years.

The half-life of secrets used to be measured in decades. A person could designate that their boxes of papers would not be opened until their death or longer. That worked for Mark Twain and his autobiography, which was not published until 100 years after his death. That did not work for Harper Lee. She kept her first novel locked up saying she did not want it published. Go Set a Watchman was published this year while she is still alive.

With todays cybercriminals, including government and organization sponsored cyberterrorism, the half-live for secrets on computer networks is measured in months.

Almost always, secrets must be shared. Lena Blackburne is not the only person making that NBA Rubbing Mud, especially since he died in 1968. Every trade secret is shared with those in the company that need to know the secret in order to actually build the product. The trick to keeping a secret is to minimize those who know the secret and pay attention to each of those people.

One of the biggest dangers to a secret is sharing-creep, the phenomenon that occurs when you add just one more person to the “need to know” list, or someone who knows tells someone else. At the highest levels of government classified documents, security agencies try to keep track of every individual who has the right to know the secret and the places where the secret is stored at all times. This is why, for example, that one of the Department of Homeland Security’s jobs is to know where every computer system containing government classified information is physically located, determine what secrets are on the system, and check that the system is protected by appropriate physical and network security mechanisms, and that everybody who has access to that system is also cleared for the information on the system. Companies with critical trade secrets have similar processes. One of the key activities for a government or commercial organization after an identified data breach is to determine exactly what information was compromised.

A related issue for secret loss is the velocity of the loss. In 1750, a secret could not move more than about 20 miles in a day – the speed a man or a horse could walk. If you discovered that a secret was stolen, you could often literally run down the culprit in a day or two, and severely limit the damage. With the Internet and the Cloud, it takes your secret less than a second to get anywhere in the world, and to dozens or millions of individuals. A single misdirected email or text message, or a singe disgruntled employee or contractor (e.g., Edward Snowden) or employee or contractor not following your security policy (e.g., Hillary Clinton) can put a significant number of secrets at great risk.

Figure out what your company’s critical secrets are, and pay attention to whom those secrets have been shared. Remember that any meeting, whether in a conference room or virtual, that has a smart phone or tablet present is a potential leak. You cannot tell what is being recorded and what will be done with the recording.

The same is true in your personal life. Any stupid thing you do can be on YouTube in seconds, and the more stupid the more likely. Of course, the same is true if you do something great, like the passengers who subdued the Islamist terrorist on the train in Belgium. Video of the attack was on YouTube before it appeared on breaking news announcements.

The last word:

The biggest example of sharing-creep is your Social Security Number. Originally implemented in 1935 as part of the New Deal, it was solely used to track individual’s accounts with the Social Security Program. In the original law it was illegal to use the SSN for any other purpose. In the late 1970’s, Virginia was using your SSN as your Driver’s License number, and that use was struck down as illegal in Federal Court.

In addition, the IRS was prevented from sharing information with other agencies. Decades ago I worked with someone whose father was a Bookie (i.e., worked in the numbers game for organized crime). He always indicated on his Federal Income Tax form that his occupation was Bookie, and reported every cent he illegally earned. He did not want to get in trouble with the IRS over his taxes, and knew that the IRS could not pass that information on to law enforcement at any level.

But now, thousands of individuals have access to your SSN; it is your key identifier for almost all financial relationships, and, thanks to Obama Care, all health care related activities. The United States uses the Social Security Number as the identification number for every member of the Armed Forces. All of this information is stored on the Internet, which varying degrees of vulnerability

Comments solicited.

Keep your sense of humor.

Walt.

Read Full Post »

TV shows like CSI: Cyber and others talk about the Dark or Deep Web. What is it?

They are actually two related but different things.

The Deep Web, aka Deep Net, Invisible Net or Hidden Web, is that part of the Internet that is not indexed by standard search engines. When you do a Google or Yahoo search, for example, you will never see anything located in the Deep Web.

The Deep Web is several orders of magnitude larger than the searchable part of the World Wide Web. We only skim the surface of total available content. This surface metaphor is why it is called the Deep Web. What is in the Deep Web?

  • Websites that are not registered with any search engine. This could be deliberate as a company is building their first web site. They want to be able to view it and make sure it is working as desired, but do not want just anyone to stumble across it. It could also be an accident: the web builder forgot to register it with search engines.
  • Dynamic content or pages returned in response to a query or accessed only through a form. Some process creates dynamic content web pages at the time the page is displayed in the browser, usually based on information provided in a user request or information stored about the user. One example that you often see is the current view of your shopping cart for an online purchase.
  • Unlinked content, pages that are not linked to from any searchable page. Search engine web crawlers usually cannot find those pages.
  • Scripted content, pages that are accessible only through links produced by JavaScript and similar mechanisms.
  • Pages that contain encoded data or special file formats that are not recognized by search engines.
  • Web archives.
  • Private web sites that require registration and login.

The Deep Web itself is not evil but a natural result of the development of the Internet. A significant number of web sites deliberately have content in the Deep Web to control access to sensitive or proprietary information, or as part of their ability to provide custom information tailored to specific visitors. In general, you cannot tell if you viewing something from the Deep Web.

The Dark Web is part of the Deep Net that exists on what are called darknets. A darknet overlays the public Internet and requires specific software, configurations or authorization. Dark Web sites often use non-standard communication protocols and ports.

Protocols are the rules that allow two or more network devices to communicate. There are dozens of network protocols, several you have used. TCP (Transmission Control Protocol) is the basic communications protocol used to support Internet communication. Other protocols often run over TCP, like IP (Internet Protocol), FTP (File Transfer Protocol) or HTTP (Hypertext Transfer Protocol). A port is the logical construct of one end of a communication. The first 1,024 port numbers (0 through 1,023) are defined. For example, port 80 is used for the HTTP protocol used for the World Wide Web. There are over 65,000 possible port numbers. Most firewalls block unknown ports unless individually overridden.

Primarily for security reasons, Darknets were originally implemented in the 1970s to be isolated from the ARPANET, which was the origin of the Internet. By 2002, the Dark Web was used for multiple and often illegal purposes:

  • Protect information from targeted and mass surveillance.
  • Protect dissidents from political reprisal.
  • Support whistleblowing and news leaks.
  • Support computer crime.
  • Provide a market for restricted or illegal items.
  • Support file sharing, often in violation of copyright laws.

You will probably never see anything from the Dark Web. Because of the special programs required to access it, it is very difficult to get to the Dark Web without meaning to.

The last word:

The Deep Web is a normal part of the World Wide Web. You are often accessing information from the Deep Web without even knowing it.

You should, however, be concerned about the Dark Web. You, your employees or your children cannot accidentally access the Dark Web. It requires specialized software, not just your favorite browser. That software is, however, available on the searchable web and often free.

For your business, the best defense is a strong network defense strategy and policy. You should limit the protocols and ports available in your internal network to only those necessary for to run your business, and audit those defenses at least once a quarter. Your security policy should require any BYOD (Bring-your-own-device) must also be similarly protected, and prohibit any employee from accessing the Dark Web from any device that is also used for company business.

As for your children, as with many subjects the best defense is conversation. Make sure that they understand the danger of the Dark Net. It is not a safe place to play.

Comments solicited.

Keep your sense of humor.

Walt.

Read Full Post »

While the US government has never been very good at protecting our personal information against cyber attacks, the Obama Administration has set records for incompetence in the area of data security. The current score: F.

Here are just some of the breaches that have occurred under the current administration. I am sure I have missed some.

  • Individual rogue employees and contractors, including Edward Snowden, have made public information on more than 2.4 million government personnel available to the media.
  • Tricare, the US military health program, had 4.9 million records stolen from unencrypted backup tapes (Sept. 2011).
  • Stratfor, a global intelligence firm serving the US Government, had 860,000 records stolen by the hacktivist group AntiSec (Oct. 2011).
  • The US Navy Criminal Investigative Service had a breach involving 220,000 military personnel from the database that managers transfers of service members for all branches of the US military (June 2012).
  • The National Oceanic and Atmospheric Administration (NOAA) had a data breach in 2013 that they have not investigated because the data was stolen through a contractor’s personal computer. As of a July 2014 report, NOAA does not know what data was stolen and whether it involves any personal information.
  • The Department of Energy had 104,000 records from their Employee Data Repository database (July 2013).
  • USIS, a company that conducts background checks for the Department of Homeland Security, reported a cyber-attack that impacted 25,000 people (Aug 2014).
  • The U.S. Postal Service had a breach involving the loss of names, Social Security numbers, and addresses that impacted more than 800,000 personnel (Nov. 2014).
  • The State Department has shut down its unclassified email system (Mar. 2015) because of a cyber-attack linked to a breach at the White House (Oct. 2014). This on top of the illegal actions of Hilary Clinton and her staff while she was Secretary of State and after she resigned.
  • The Internal Revenue Service had a data breach that involved the detailed tax-return information on 104,000 taxpayers (May 2015).
  • The Office of Personnel Management, which keeps track of every US government employee and contractors, has had two breaches since July 2014 involving at least 21.5 million individuals. Also potentially impacted are job applicants for federal jobs. Because this database was used for background checks for individuals, spouses and co-habitants, immediate family, close contacts and references could also be impacted. If you may be impacted by this OPM data breach, there is more information here.

Many of these attacks appear to be “practice” attacks. Cybercriminals started by seeing what they could attack and what data they could access. It was only after their success at that stage did they advance to turning a profit from these activities. It did not take them very long to go from “well, that worked” to full-scale general attacks and, more recently, to more focused attacks.

But the larger concern is that stealing the data may not be the real objective. The access to our government’s sensitive data that our enemies have demonstrated with these attacks also gives our attackers the ability to change or remove the data. Image the impact of an attacker deleting around 100 million individual and company records from the IRS databases. Such an attack would be quickly identified, but the fix would not be quick. Even worse would be the impact of making random changes to the data, for example changing filing dates or the amount of tax paid. Those changes would be exceedingly difficult to identify and correct. Image the damage such unauthorized changes could make to FBI, Department of Defense, or other security-dependent databases.

These attacks are not isolated and unusual events. Many of them appear to be organized attacks by other governments, especially China. As such they are acts of war. Our current administration has demonstrated a complete lack of concern and ignorance of the implications of these attacks. President Obama consistently appoints people to high positions who are either totally ignorant of data security or do not care about the welfare of the citizens of the United States, or both. OPM was not monitoring the security of their networks and data and were not encrypting data as required by federal regulations. These people, like Katherine Archuleta, the formal director of the Office of Personnel Management, should not be allowed to simply resign and seek another government job. They should be immediately fired and lose all government pensions, medical coverage, termination bonuses or any other government benefit. In some cases, and Ms. Archuleta is one such case, these so-called leaders should be tried for violating federal data security laws and fined or jailed as specified by those laws if convicted. It is past time for Congress to act to make the punishment fit the crimes these “leaders” commit.

The last word:

What do you do if you believe your personal data has been stolen or, worse modified? You are pretty much on your own. Unlike companies, government organizations do not have to provide any support or even notify you that your data has been compromised. OPM has stated they have notified impacted individuals, and you can request a suite of services including free credit reports. As always, you should be checking all of your financial accounts frequently, more often than once a month since in some cases you only have 30 days to report a problem. Consider using one of the “identity theft prevention” services. I use LifeLock Ultimate Plus, which monitors financial accounts. I get notification of a financial transaction that meets criterion I specify within 48 hours.

At the first hint of a problem, notify the government organization involved. If you do that online or over the phone, make sure you get a “claim number” so you can prove that you did notify them. If you do not get quick resolution, consult your financial advisor or lawyer and notify your Congressional representatives.

Comments solicited.

Keep your sense of humor.

Walt.

Read Full Post »

« Newer Posts - Older Posts »