Benford’s Law

Have you ever wanted to do a quick sanity check on a long list of numbers? It might be a budget, worldwide sales by country or product, or a marketing forecast. There is a cute little trick that can possibly tell you if the numbers might be manufactured instead of real: Benford’s Law.

Benford’s Law, which is not really a “law of nature” but the result of more than 125 years of observation, states that the first digit of many real-life sets of numerical data is more likely to be a “1” than any other first digit, and the probability gets successively smaller for “2” through “9”. Intuitively, one might expect the probability of the first digit to be evenly spread: about 11% for each possible first digit 1 through 9. Zero doesn’t count as a first digit in this case. The law holds even for a set whose values differ vastly in size, that is, in their number of digits. In fact, the more orders of magnitude covered by the data, the more accurately Benford’s Law seems to apply.

In other words, a list that spans numbers as small as 100,000 and as large as billions is likely to follow the law closely. For example, this chart shows how closely the population of the 237 countries in the world (red bars) matches Benford’s Law (the black dots).

The American astronomer Simon Newcomb published a paper in 1881 based on the fact that in his logarithm tables the earlier pages were much more worn than the other pages, implying that he was looking up numbers starting with 1 and 2 more often than others. If you have no idea what I’m even talking about, check this out. He postulated the formula in Benford’s law for first digits of 1 and 2. In 1938, physicist Frank Benford tested the theory on twenty different sets of numbers and was thus credited with the law. His data sets included the surface areas of 335 rivers, the sizes of 3,259 US populations, 1,800 molecular weights, and 308 numbers contained in an issue of Reader’s Digest.

Benford’s Law is not a law, and will not apply to sets of numbers that are restricted in value, like the phone numbers in Philadelphia (since almost all will start with 2, 4, or 6). A set of numbers that does not match Benford’s Law is not necessarily wrong, but might be worth a second look. If someone is manufacturing numbers, they are unlikely to match Benford’s Law.

Why does this law work? It has to do with the distribution of numbers in a logarithm scale, and explains why the wear on Simon Newcomb’s logarithm tables led to his initial discovery of the relationship.

Some relationships do not obey Benford’s Law, including distributions created from square roots or reciprocals. It does not apply to numbers that are the result of mathematical combinations, like quantity times price, or to sequentially assigned numbers like check numbers.

At various times, evidence based on Benford’s Law has been admitted in criminal cases at US local, state and federal levels. It has been used as evidence of fraud in the 2009 Iranian elections, although experts tend to discount Benford’s Law as an indicator of election fraud.

Mark Nigrini, a well-known South African author of Forensic Analytics, has shown that Benford’s Law could be used in forensic accounting and auditing, which is how this post started.
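As an added example (not code from the original post), here is the first-digit test described above implemented in Python: expected shares come from the formula behind Benford’s Law, P(d) = log10(1 + 1/d), and a data set is summarised by the mean absolute deviation (MAD) of its observed first-digit shares from those expected ones. The 0.015 cut-off used to flag nonconformity follows Nigrini’s first-digit MAD test; the two sample data sets are constructed here to show one set that spans many orders of magnitude and one flat, manufactured-looking set.

```python
import math
from collections import Counter
from decimal import Decimal, InvalidOperation

# Expected share of each leading digit under Benford's Law: P(d) = log10(1 + 1/d)
BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}

# Nigrini's first-digit MAD cut-off: above this the set is "nonconforming".
NONCONFORMITY_MAD = 0.015


def first_digit(value):
    """Leading non-zero digit of a number (int, float or numeric string), or None for 0 / junk."""
    try:
        dec = Decimal(str(value)).copy_abs()
    except InvalidOperation:
        return None
    if not dec.is_finite() or dec.is_zero():
        return None
    # Decimal keeps exact digits, so 0.00456 -> 4 and 2**999 -> its real first digit
    return dec.as_tuple().digits[0]


def first_digit_distribution(values):
    """Observed share of each leading digit 1..9 over the values that have one."""
    counts = Counter(d for d in map(first_digit, values) if d is not None)
    total = sum(counts.values())
    if total == 0:
        raise ValueError("no usable numbers in input")
    return {d: counts[d] / total for d in range(1, 10)}, total


def benford_test(values, threshold=NONCONFORMITY_MAD):
    """Compare a data set's first digits with Benford's Law.

    Returns a dict with the sample size, the observed shares, the MAD against
    the expected shares, and whether the set conforms (MAD <= threshold).
    """
    observed, n = first_digit_distribution(values)
    mad = sum(abs(observed[d] - BENFORD[d]) for d in BENFORD) / len(BENFORD)
    return {"n": n, "observed": observed, "mad": mad, "conforms": mad <= threshold}


if __name__ == "__main__":
    # Constructed inputs: powers of two span hundreds of orders of magnitude and
    # follow Benford closely; a flat 100..999 range gives every digit 1/9 of the time.
    samples = (
        ("powers of two", [2 ** n for n in range(1000)]),
        ("uniform 100..999", range(100, 1000)),
    )
    for label, data in samples:
        result = benford_test(data)
        verdict = "conforms" if result["conforms"] else "does NOT conform"
        print(f"{label}: n={result['n']} MAD={result['mad']:.4f} {verdict}")
        for d in range(1, 10):
            print(f"  {d}: expected {BENFORD[d]:.3f}  observed {result['observed'][d]:.3f}")
```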

The last word:

As I was talking about this post, my wife said that this law should also apply to the number of children in a family. In her genealogical research, it appeared to her that there are a lot of families with just a few children and, especially in the past, families with a large number of children, more than 9. I could not find any overall statistics to support or deny this claim; most government statistics talk about 1, 2, and “3 or more” children. However, I did find one family tree that had the statistics I wanted, covering 344 families with up to 15 children in a family.

Comments solicited.

Keep your sense of humor.


When you travel around in London you encounter three moving icons that help define the city: the Underground, the red double-decker buses, and the black London cabs. You do not want to drive yourself in the city centre for several reasons: there are a lot of cars and little parking, they drive on the other side of the road, and there is a “Congestion Charge” that, for the casual tourist, is up to £14 per day, with a £130 per day fine if you are caught without paying the CC.

Last year I predicted that by 2030, London will be the first large city to completely ban non-autonomous vehicles within the City of London. And by 2040 within the entire metropolis of London. I may have been too conservative.

Marcello Raeli is a young Italian designer who grew up all over the world, moving with his parents every 4-5 years. His father was an architect and a painter, and Marcello yearned and learned to be a designer of things that solve real people’s problems. He also loved Isaac Asimov’s science fiction stories and predictions of the future. He designs shoes, including “running” shoes that can bring the same augmentation that some amputee runners have discovered to a full-limbed runner. He also designs cars, from micro-minis to high performance cars.

One of his latest designs is Auto-Mate, an autonomous time-share vehicle specifically for London. It seats up to four adults in comfort. Taking inspiration from the iconic red buses, red telephone booths, and the London Eye, the giant Ferris wheel by the Thames, the Auto-Mate is a sleek, futuristic-looking vehicle the same size as the existing London cabs. These vehicles provide transportation-as-a-service to anybody at any time of the day or night, and in any weather. The number of cabs on the street can change automatically based on demand. Over a relatively short time, the system will be able to predict need based on day of week, time of day, weather, or special event and have sufficient vehicles available to meet real-time needs.

London cab drivers, usually, are well trained and know their way around. They speak a form of English, sometimes not easily understood by Americans. The Auto-Mate can speak and understand dozens of languages, and keep quiet when that is what you want.

Raeli’s Auto-Mate is just a design today, but at the rate autonomous vehicles are evolving, sometime soon you may see these as you walk by Parliament.

There are, of course, those who want to slow down the adoption of autonomous cars. The NHTSA (National Highway Traffic Safety Administration) is currently planning to issue guidance on deploying autonomous vehicles by July 2016. Issuing actual regulations normally takes about eight years; by providing early guidance, the US government will be able to react more quickly to this rapidly changing technology.

It is very hard to stop new technology. Already, Tesla’s autopilot function will automatically drive your car on a highway, including changing lanes and adjusting speed in response to nearby traffic.

The last word:

In January, General Motors and Lyft announced an alliance to create a network of on-demand autonomous vehicles in the US. Lyft is a ride-sharing service, and this alliance plans to eliminate the driver.

Ford is also allowing some car owners to rent their car to a stranger for short periods of time. For example, 12,000 Londoners offer time slots in their cars to pre-screened renters. The plan is that they can earn enough money to cover their car payments, thus having a vehicle for their own use for free. Car-sharing like this and ride-sharing services like Uber and Lyft are starting a significant change in how we think about cars.

Cars are critical, especially for those of us of a certain age for whom a car represented freedom, a key disconnect from constant supervision by parental units and a means of getting where we wanted to go when we wanted. But, considering the cost of a car and the fact that most cars spend 95% of their time parked and unused, the significance of car ownership will probably decrease.

Maybe not for us over 30, but for the younger generations the car is likely to cease to be a prized possession and become just a means of getting somewhere, and it won’t have to be theirs.

Children born after 2015 will probably need a history lesson before they will understand what is going on in the Taxi TV show.

Comments solicited.

Keep your sense of humor.


MQ-9 Reaper

We are used to the daily reports on the activities of military combat drones, and the accompanying public opinion both pro and con on their use. With the ability to control a drone from a long distance, the loss of a drone does not cause injury or death to the pilot. Since there is no pilot, the drone can be far lighter and have better performance, since it does not have to provide an environment to support the pilot nor worry about subjecting the pilot to G forces beyond what a human can survive. According to Wikipedia, the first armed drone was flown by Iran in the late 1980s in the Iraq-Iran War.

Apparently, Wikipedia forgot about the Gyrodyne QH-50C DASH (Drone Anti-Submarine Helicopter) Drone. The unmanned, remote-controlled helicopter was used by the US Navy on destroyers beginning in 1962 as part of the Navy’s counter to Soviet submarine threats. The drone could carry two Mark 44 homing torpedoes or one Mark 46 torpedo, the current NATO standard torpedo. The program was cancelled in 1969, but they continued to fly from Japanese destroyers until 1977, and as late as 2006 at the White Sands test range to tow targets and calibrate radar systems. During the Vietnam War, a television camera was added so the DASH SNOOPYs (as they were then called) could be used as airborne spotters for naval gunfire.

The DASH Drone had two counter-rotating blades on a single coaxial shaft to cancel torque, so it did not need a tail rotor. Since there was no crew, the drone was viewed as expendable. It used off-the-shelf industrial electronics with no back-ups. About 80% of the failures were the result of a single-point failure in the electronics, only 10% were traced to “pilot” error, and the remaining 10% to engine or other mechanical failures.

It weighed about 1,200 pounds empty, with a max takeoff weight of a little over a ton. It cruised at 58 mph, with a maximum speed of 80 knots (92 mph), and a range of about 80 miles. While it usually operated close to sea level, it had a ceiling of 16,400 ft. In its fully operational mode, it could be flown from a destroyer up to 22 miles without providing any warning to a submarine, until it dropped its torpedo into the water.

By comparison, the MQ-9 Reaper, pictured at the top of this post, has a top speed of 300 mph, a range of over 1,100 miles, and weighs in at 4,900 pounds.

The DASH Drone had two controllers:

  1. A “small” one for takeoffs and landings that was used on the flight deck. (See photo above left.) This is not a handheld control with a joystick, but is attached to the structure on the fantail of a destroyer. The circle in the center is not a screen, but a compass.
  2. The larger controller was housed in the ship’s combat information center (CIC). It would fly the drone to the target location and release weapons using semi-automated controls, directed by the ship’s radar. The CIC had no windows, so the pilot could not actually see the drone or even how high it was. Sometimes this had bad results for the drone. The CIC controller was, not surprisingly, an early 1960s-era computer, probably with tubes. Computers of that era were not known to be overly reliable.

Remote control communications were via multi-channel analog FM, so these communications were strictly “line of sight.” If the shipboard transmitter did not have a clear line to the drone, it could not control it. Darkness and fog did not impact its communication, but the curvature of the earth and its need to operate close to sea level restricted its range.

The manufacturer, Gyrodyne, had created a very small single-seat helicopter for the U.S. Navy in the mid-1950s. This “Rotocycle” won the prize for the most maneuverable helicopter at the 1961 Paris Air Show. Again under contract with the U.S. Navy, Gyrodyne removed the pilot seat and manual controls to create the DASH Drone.

The last word:

If you would like to see one and are in the Philadelphia, PA, area, check out the Delaware Valley Historical Aircraft Association Wings of Freedom Museum near the old Willow Grove Naval Air Station. This museum has a number of interesting military aircraft, including a QH-50C DASH Drone with both controllers. Come check them out, and maybe help them move to a bigger facility that will allow all of their aircraft to be indoors.

Comments solicited.

Keep your sense of humor.


Invading Europe

On 15 January 2014, George Osborne stated at the Open Europe Conference, “Europe accounts for just over 7% of the world’s population, 25% of its economy, and 50% of global social welfare spending.” The Right Honourable George Osborne, MP, is the current Chancellor of the Exchequer in England, the equivalent to the Treasury Secretary in the United States. On the surface, this seems like a typical politician’s claim and subject to doubt. But it is likely true.

According to Eurostat, the 27 nations that make up the European Union account for around 7.2% of the world’s population. If you include European nations that are not part of the EU, then it rises to 10.5%. Also according to Eurostat, the EU nations make up 25.8% of the world GDP (about 30% if you include all European nations). So if Mr. Osborne really meant the EU, he is spot on for the first two claims. The last number is a lot harder to pin down. Mr. Osborne credits German Chancellor Angela Merkel for the claim, but fullfact.org has not yet received an answer from the Chancellor’s office. In 2012 the World Bank published a report that Europe accounted for 58% of the world’s social welfare spending. This number included 36 countries as “European,” which includes the 27 EU members. So maybe the 50% number is reasonable for the EU.

Is it any wonder that the millions fleeing from Syria, Afghanistan, Iraq, Kosovo, Albania, Pakistan, Eritrea, Nigeria, Iran and the Ukraine head to Europe? They are certainly not heading for Africa or Russia, even though Russia has a lot of empty space to house hundreds of thousands of refugees. Just as for many of the people who cross into the US from Mexico and further south, many of these people streaming into Europe are really economic refugees. On average in 2015, each EU country had 260 applicants for each 100,000 in local population, but of course it was not evenly spread among the EU countries. Hungary had 1,799 applicants for each 100,000 in population, while Spain had 32.

Clearly the majority of these immigrants are fleeing terrible conditions where their lives are at great risk. In my view, these people are refugees that the receiving countries have some responsibility to deal with. But in the daily pictures from Europe we see many able-bodied 18-35 year old men and women with no accompanying children. These people have no pride in their own land; they are not willing to stay and fight for their country and their culture. How much investment will they have in their new country?

This war-fed migration pales when compared with the fleeing masses during and after World War II. Some estimates put the European component of fleeing refugees at 60 million, with over a million of them still trying to find a place to settle five years after the conflict ended.

Perhaps the biggest difference between then and now is that this war still goes on. ISIS and other organizations still want to take over the world by any means. This migration provides the perfect opportunity for ISIS to infiltrate hundreds of fighters and organizers into Europe, and no way for the European countries to verify the identity and background of any of these people.

Another important difference between now and just after World War II is the ability of these migrants to communicate. In some cases, and for really good reasons, these migrants are being given smart phones. They are an easy way for the authorities to provide information on where to get help and what options are available, and for the migrants to communicate with family members already in Europe. It also provides a way for the few invaders to communicate among themselves and with any sleeper agents or groups already in place.

The last word:

The US government created the Transportation Security Administration, with an annual budget of more than US$7 billion. The main result of this expense is to inconvenience the more than 800 million passengers in the US each year, adding hours of waiting for every passenger just to get on the plane. Based on the absence of any “we stopped this attack” information from TSA, it seems that actual attacks are stopped by passengers or crew, not TSA. TSA does provide a weekly report that, on average, reads something like: six “artfully concealed prohibited items” found, about a dozen weapons (mostly small pen knives) seized, and about one passenger a day arrested for “suspicious behavior” or fraudulent travel documents. There is no indication that any of these incidents actually posed a threat to passengers. Rather, the long queues at checkpoints create clusters of people that are prime targets for those wishing to do us harm.

Comments solicited.

Keep your sense of humor.


Over half of the emails I get are spam and potentially contain malware. A few CIOs have told me that up to 80% of the email that is sent to their company’s email server is spam. Email is the most popular way for cybercriminals and cyber terrorists to get malware into your company’s IT infrastructure or your own personal computers.

I recently received an email apparently from MetLife Insurance, complete with Snoopy and the same copyright notices and disclaimers that you would expect to see on a legitimate offer from the company. But it was from Romania.

How did I know it was from Romania? The “from” field in the email said “MetLife – Life Insurance”, but when I checked, the actual email address ended in “.ro”, the Internet country code for Romania. Unless you know someone in Romania or do business in Romania, never open an email from there. Romania has many quaint villages and towns, among them Râmnicu Vâlcea. The economy of the 120,000 people who live there is centered around cybercrime, specializing in ecommerce scams (like this MetLife email) or malware attacks on businesses, like yours. The economy is good: lots of expensive BMWs, Audis, and Mercedes, new apartment buildings, gated bungalows, new nightclubs and shopping centers. The US Embassy in Bucharest estimates that Romanian cybercriminals steal US$1 billion from Americans each year.

It is easy to see the actual origin of an email. In most email programs, simply click on the “from” name. Usually to the right of the name will be a triangle symbol. Click on that and you should see something like this, showing the actual email address and giving you options like “Copy Address.” In this case, the email address belongs to linkedin.com so the probability of it being legit is very high. The MetLife email I received ended with “.ro”.

Another automatically suspect country is The Netherlands (.nl). At least 75% of my spam emails come from either .ro or .nl. If you are curious about an Internet country code, just enter it with the leading period in Wikipedia (e.g., “.no”).

One country has legitimately cashed in on its country code. Tuvalu is a Polynesian island nation midway between Hawaii and Australia that gained independence from the United Kingdom in 1978. Its population is less than 11,000. Its Internet country code is .TV. The domain is currently operated by dotTV, a subsidiary of Verisign. The Tuvalu government owns 20% of dotTV. The net result is that every quarter, the Tuvalu government receives US$1 million for use of the .tv domain. Verisign has been marketing the .tv top-level domain name for rich media content.

What does a very small, relatively poor ($3,400 per capita GDP) country do with this predictable income? With its first quarterly payment, it paid the $100,000 it takes to join the United Nations.

But you can receive dangerous emails that look like they are from a friend and actually carry your friend’s email address. If you get an email apparently from a friend that has just a link and something like “check this out”, do not open it. Check first with your friend to verify that he or she really sent it.

If you are tired of receiving dozens of these emails every week, resist the temptation to respond or click on its “unsubscribe” link. If you respond you simply verify that your email address is valid, and the sender will give or sell that information to other cybercriminals. The “unsubscribe” link is likely to also be a malware installer, immediately infecting your computer. The only thing you should do with a suspect email is to delete it.

Be especially wary of business-like emails that come from generic email addresses like aol, Comcast, gmail, Verizon, or yahoo. For Verizon and Comcast, emails from the companies themselves come from Verizon.com and Comcast.com; emails from subscribers come from Verizon.net and Comcast.net.

If you get an unexpected email that seems to be from someone in your company or a partner that is asking for customer or employee personal information, financial information, or any proprietary information, verify who actually sent it. At a minimum, check the email address and make sure it came from a company email address. I recommend that you call or text the person to make sure the request is bona fide. No one will be unhappy that you “bothered” them to make sure you were not about to cause the company a serious and possibly very expensive problem.

The last word:

Remember that the IRS or Social Security will never ask you for any personal information in an email or over the phone. Unless you initiated the call, do not give Social Security numbers, account numbers, or any other personal or financially sensitive information over the phone. Never put them in an email. And never give passwords to anyone over the phone or in an email.

Comments solicited.

Keep your sense of humor.


The US Internal Revenue Service (IRS) is having a bad year. On top of a serious breach in 2015 that affected at least 330,000 and led to a class action lawsuit against the IRS, 2016 may turn out to be an even worse year for the agency. The lawsuit claims that the IRS knew its website was vulnerable to security breaches but did nothing to mitigate the problem. This is important, because the same systems are responsible for at least some of the 2016 breaches.

So far in 2016:

  • In January cybercriminals used malware and 464,000 stolen Social Security Numbers to generate over 100,000 e-file personal identification numbers. These numbers along with your Social Security Number enable a cybercriminal to file a fraudulent tax form and generate a refund.
  • In early February, the IRS could not accept electronically filed (e-file) tax forms for at least one day. The IRS claims this failure was not related to the January attack.
  • In early March, the IRS revealed yet another problem: the system the IRS put in to protect those who were victims of the 2015 hack was itself hacked. What would be funny if this were some movie is that the same IRS online identity verification mechanism that was exploited in 2015 was used to verify the online identity of those who were supposedly protected by the new system. The IRS knew that this verification mechanism was the cause of the 2015 breach, and the pending class action suit alleges that the IRS knew of the problem even earlier. Yet, somehow, the IT security people at the IRS thought it would be a good idea to use it again. As of this writing, the IRS claims that this latest attack has resulted in fewer than 200 fraudulent filings.

If you are a victim of any of these cyber attacks do not expect a lot of help from the IRS. You should receive a letter in the mail indicating that you were potentially a victim. You might first find out when the IRS tells you that you have already filed your return. In any case, expect that it will delay any refund by weeks and will involve several phone calls with the IRS. It may even require that you go to an IRS office and file in person. If a fraudulent refund has already been sent out, the IRS is likely to claim they have already paid you.

The last word:

In fiscal year 2014 the IRS collected $3.1 trillion in revenue and processed 240 million tax returns. You should expect the IRS to be very careful with the information they keep on every taxpaying individual and corporation in the US. You will be very disappointed. The IRS used to take pride in its ability to protect taxpayer information, but that is clearly not even on their priority list. The 2015 hack enabled cybercriminals to steal $50 million of your tax dollars by using identity theft to file for bogus tax refunds. While $50 million is a very small percentage of $3.1 trillion, each fraudulent tax filing has a serious impact on an individual or company. Also, the stolen information can and has been used in other identity theft exploits.

Even if the IRS has not yet told you it has exposed your information, check your free credit reports periodically looking for new accounts or other fraudulent activity. You can check each of the three agencies (Equifax, Experian, and TransUnion) once a year for free. I recommend that you spread them out over the year, checking one every four months.

Comments solicited.

Keep your sense of humor.


If you want the full financial and operational value of Cloud Computing, then you want to use a public cloud. The advantages over private clouds include:

  • Low upfront costs.
  • Clear relationship between cost and benefit with pay-for-use model.
  • Easy to try new projects, easy to make changes.
  • Flexible.
  • A wide choice of Service Level Agreements (SLAs).
  • Easy to provide a world-wide presence.

Of course, there are some public cloud disadvantages, the most critical being security, performance and availability. At this point in time, you can easily meet most performance and availability requirements from a variety of cloud service providers (CSPs); security is more difficult. In a public cloud environment, you do not control physical access, and you have no control over who is sharing common infrastructure including networks, server hardware, and storage systems. But there is a way to secure your data both between your facility and your public cloud CSP and within the CSP’s infrastructure: combine Unisys Stealth with Amazon Web Services (AWS).

The basic principle behind Stealth is to only allow a device to communicate with another device if they share a Community of Interest, a COI. A COI is nothing more than a group of people and servers. Data can be shared freely within a COI, but must not be shared with any person or server not in the COI. In the usual Stealth installation, a user’s COI or set of COIs is specified in the site’s identity management system, the system that is used to authenticate a user when the user signs on.

If you are responsible for protecting your company’s proprietary information or your customers’ private information, or are concerned with compliance, you should at least look at Unisys Stealth. If you are responsible for a government database involving individuals’ information or classified data, you should also be looking at Unisys Stealth.

I have talked about Unisys Stealth before, Amazon Secure Storage Service (Amazon S3), and the combination in “Secure Public Cloud” back in 2013. What has changed are some significant “under the covers” enhancements to Unisys Stealth, the incorporation of Stealth into the AWS Marketplace, and additional operational facilities to enable you to easily extend your datacenter into the AWS cloud to handle expected, or unexpected, sudden increases in resource demand.

The combination protects communication between your AWS virtual servers even within the same physical server, encrypts all communication among the servers in your data center and the servers in the AWS cloud, and controls access based on roles. You control the security access policies that define who and what can communicate, allowing you to isolate applications within your environment for business or compliance reasons.

Stealth subscriptions are sold through the AWS Marketplace; you get one bill from Amazon for everything including Stealth. It is available in every AWS region. Suddenly you can open a presence anywhere quickly and inexpensively, and react to unexpected growth from anywhere.

One of the most important characteristics of Unisys Stealth and AWS is that there is no back door. Unisys, Amazon, and any network component between them do not have your encryption keys. Your government cannot force Unisys or Amazon to provide access to your data; they do not have a way to break in. Even if you are OK with your government gaining access to your information at any time without providing notice to you, you should be very concerned. If your government can get in, then so can any other government, cybercriminal or cyberterrorist by using the same back door for access. Another important benefit of Stealth is that even if a cybercriminal was able to insert malware on one of your servers in the AWS cloud, that server would not be able to transmit anything back to the cybercriminals, because Stealth will prevent your server from communicating with any device that is not part of a community of interest that you have defined.

The last word:

Unisys has been around since 1886, and is one of the few survivors of the initial computer revolution designing and building commercial and government computers since the 1940s, computer systems that continue to perform “bet the business” functions. Support is a key element of that environment, and no matter how big or small your company is, you still get that enterprise level support from Unisys. Sure, Unisys has the on-line self-help site with all of the technical documentation and discussion you might want, but you can always pick up the phone and talk to a real person who is knowledgeable on the product, and is probably located within one or two time zones of you.

Curious? Check it out with a Unisys AWS test drive.

Comments solicited.

Keep your sense of humor.



Ransomware is like the elementary school bully who steals your lunch and won’t give it back until you give him a quarter. Except in this case, it is all or most of the files on your computer’s hard drive, and the cost to restore your data is hundreds of dollars.

The first known ransomware attack was back in 1989. Widespread ransomware attacks started in Russia in 2005. By 2012 the attacks had spread outside of Russia, especially to Europe and North America. They work by either encrypting your files or locking access to your system via a variety of means, from constantly putting pornographic pictures over everything on your screen to running a fake version of Windows that won’t do anything until you pay.

There are ransomware attacks for Windows, Mac OS, iOS, and Android systems.

Payment is almost always through some form of electronic currency like Bitcoin. These virtual monetary systems are anonymous and it is very difficult for authorities to track the destination of the payments. However, some ransom notes have you call a “toll-free” number to get a key to release your files or system, except the phone number is routed through a country with very high long-distance rates, and the operator “needs” to put you on hold for several minutes before giving you the code. You could end up with a several hundred dollar item on your next phone bill.

Sometimes the pop-up on your screen looks like it came from a law enforcement agency like the FBI in the US, Scotland Yard in the UK, or your local police agency. The notification page claims the agency locked your computer because they detected illegal files on your computer: usually porn or terrorism-related material. Once you get over the official looking notification with all the correct logos and badges and can read it calmly, it looks like a scam. Often the wording is awkward, and, really, is the FBI going to ignore your alleged terrorism-related activities if you Bitcoin them a few hundred dollars?

By the end of 2013, security expert Symantec reported 600,000 ransomware attacks a month, and expects these attacks to increase substantially in 2016 across all platforms.

If you get a ransomware notification on your business or personal computer, tablet or smart phone, do not pay the ransom. They may give you the key, or they may not. These are cybercriminals, not necessarily known for their ethics. Once the malware is loaded, they can bully you again as often as they want until you clean it off of your system. Have a five-minute rant, calm down, reload a fresh copy of the OS and then restore your files from your latest backup.

The solution, of course, is not to be attacked by ransomware. While you can never be completely protected, here are four things that you should already be doing.

  1. Practice safe clicking. Always check the link in an email or on a website that you are not positive is friendly. Check out my last post for how to do that. Most ransomware comes in through a standard malware attack.
  2. Keep your software up-to-date. Cybercriminals and cyberterrorists are always looking for new vulnerabilities, and they are very good at it. Once they find one, they pass the information on to other cyber attackers. Fortunately, the good guys are also looking for vulnerabilities and making updates to their software to close vulnerabilities as they find them. But if you do not have the latest software, you still have those vulnerabilities.
  3. Use a good security software package that is more than just anti-virus.
  4. Back up often. No, even more often than that. Periodically, ask yourself when you or your automated backup mechanism made your last backup. Then ask how much grief it would be to redo everything you had done since then. Macintosh Time Machine and Windows 10 File History back up changed files every hour, but only if you have an external hard drive and the option turned on.

In one recent example, Hollywood Presbyterian Medical Center paid cyber-terrorists 40 bitcoins (about $17,000) to get the key to release the hospital’s data. I call this a cyber-terrorist attack because it put every patient in the hospital at risk of death or serious injury when doctors and nurses can no longer access the patients’ records or get access to diagnostic information from monitoring or diagnostic equipment. Hollywood Presbyterian Medical Center is a private hospital in Los Angeles with 434 beds. The hospital CEO, Allen Stefanek, said that paying the terrorists was the “quickest and most efficient way” to regain control of their data systems. The malware attack was first noticed on February 5, and the hospital’s systems were not fully functioning again until 10 days later. Clearly, this hospital IT department was not prepared for any kind of a disaster. I expect they will be attacked again, probably by the same terrorists.

The FBI is investigating, but I would not expect them to catch anybody.

The last word:

Packages like Time Machine and File History are great for automatically backing up in the background while you are working, which in general means you never have more than one hour’s worth of work to recover. They also make recovery easy, and can give you the file as it was yesterday or last week in case you really messed it up and want to throw away your latest changes.

However, they are not very effective in two cases:

  1. If you have a building failure, they are likely to also get destroyed. A building failure is a case where you cannot get back into the building, perhaps because of a fire, earthquake, biological contamination, police or military action, or terrorist act.
  2. Some ransomware not only makes the files on your computer’s hard drive inaccessible, but will also destroy or encrypt the files on any attached hard drives, like your Time Machine or File History drive.

If you are paranoid, like me, you should also have an offsite backup. It is now fairly easy and inexpensive to do this with packages like Microsoft OneDrive, Apple iCloud, Carbonite, and a host of others.
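The question in item 4 above (when was the last backup, and how much work would you redo?) and the two-location advice in this section can be answered by a small script rather than by memory. The following is an added example, not code from the original post or from any backup product: it walks each backup target (an attached drive and an offsite sync folder, both assumed mount points), finds the newest file, and reports whether each target is fresh, stale, or missing entirely, which is exactly what happens when the drive is unplugged or a ransomware infection has rendered it useless. The thresholds, target names and sample timestamps are constructed for illustration.

```python
import os
import time

# Assumed layout: each backup target is a directory, and a backup "run" is the
# newest file found anywhere under it. Names and thresholds are constructed
# for this example, not taken from any particular backup product.
MAX_AGE_HOURS = {
    "local": 1.0,      # hourly local history (Time Machine / File History style)
    "offsite": 24.0,   # daily offsite copy (OneDrive, iCloud, Carbonite, ...)
}


def newest_mtime(root):
    """Walk a backup directory and return the most recent file mtime,
    or None if it holds no files (e.g. the drive is not attached)."""
    newest = None
    if not os.path.isdir(root):
        return None
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            try:
                mtime = os.stat(os.path.join(dirpath, name)).st_mtime
            except OSError:
                continue              # file vanished or unreadable; skip it
            if newest is None or mtime > newest:
                newest = mtime
    return newest


def backup_report(latest_by_target, now=None):
    """latest_by_target maps a target name to its newest-file timestamp (or
    None). Returns {target: (age_hours, status)} with status one of
    "ok", "stale", "missing"."""
    now = time.time() if now is None else now
    report = {}
    for target, limit in MAX_AGE_HOURS.items():
        latest = latest_by_target.get(target)
        if latest is None:
            report[target] = (None, "missing")
            continue
        age = (now - latest) / 3600.0
        report[target] = (round(age, 2), "ok" if age <= limit else "stale")
    return report


def work_at_risk_hours(latest_by_target, now=None):
    """How much work you would redo today: the age of the freshest usable
    backup across all targets, or None if nothing is backed up at all."""
    now = time.time() if now is None else now
    ages = [(now - t) / 3600.0 for t in latest_by_target.values() if t is not None]
    return round(min(ages), 2) if ages else None


if __name__ == "__main__":
    # Assumed mount points; adjust to where your backup drive and offsite
    # sync folder actually live on your machine.
    targets = {"local": "/Volumes/Backup",
               "offsite": os.path.expanduser("~/OneDrive")}
    latest = {name: newest_mtime(path) for name, path in targets.items()}
    for name, (age, status) in backup_report(latest).items():
        age_text = "" if age is None else f"{age} h old"
        print(f"{name:8s} {status:8s} {age_text}")
    print("work at risk:", work_at_risk_hours(latest), "hours")
```

Run it from a daily scheduled task and treat "missing" on the local target as seriously as "stale": an attached drive that suddenly has no readable files is one of the symptoms of the ransomware behaviour described in item 2 of the list above.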

Comments solicited.

Keep your sense of humor.


In my last post I urged you to be careful when you click on a link in an email, in a blog or on a website. If there is anything strange or unusual about the website, blog post, or email, then either simply say “no” and move on, or carefully inspect the link. In case you are not sure of the danger I am worried about, I am repeating part of an earlier post.

I received an email indicating we had added a new payer to our E-Z Financial bank account. (Yep, it had a real bank name you would recognize, but that bank had nothing to do with this so I won’t mention it and use “E-Z Financial” instead.) The payer name was clearly a name we did not recognize, and it requested we click on a link if we had not done this. My wife was suspicious for several reasons, primarily because she didn’t know we had an E-Z Financial bank account.

A quick inspection of the email seemed to say this was a real email from E-Z Financial; the link back started out as http://online.EZFinancial.com, which certainly looks valid. We do not have an account with them. But that was not what triggered my concern, since someone could have opened an E-Z Financial account in my name, probably not to give me money. I went to the bank’s web site and sure enough on their security alert page was an example of this email. What was wrong with the link was a period instead of a forward slash after the EZFinancial.com. The link was actually


Please do not try this link in your browser. I have modified it some, but possibly not enough to make the scam fail.

A URL, the “easy to read” address of a web site or page, can be quite long and complex, but is actually fairly simple to take apart. For example, if you go to Amazon’s web site and click on “Today’s Deals” you end up at


Scan after any leading “http://” to the first forward slash “/”. Then scan back past the previous period and then back to the beginning or next period to get the domain name. In this case the domain name is “amazon.com.” That is the web site. Everything after that first slash just means a particular page perhaps with parameters on the web site (“gp/goldbox” is a particular page on amazon.com, and “ref=cs_top_nav_gb27” is a parameter passed to that page).


On the scam link, the domain name is not “EZFinancial.com” but “is-an-account.com”. The stuff before that is called a subdomain, but is owned by “is-an-account.com,” not “EZFinancial.com.” I tend to be suspicious of strange domain names.
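The “scan to the first slash, then back past the periods” rule above is easy to automate, and doing so makes the subdomain trick obvious. The following is an added example, not code from the original post: it splits a link into host, registrable domain, subdomain and path, and then checks whether the domain is the one the brand in the link text would lead you to expect. The two sample links are constructed from the pieces the post names (the Amazon “Today’s Deals” page and the “online.EZFinancial.com” / “is-an-account.com” scam domain); the “/login” path on the scam link is an assumption. The example goes one step beyond the post’s two-label rule by handling a few country-code suffixes such as “.co.uk”, where the owned domain is the last three labels; that list is deliberately partial.

```python
from urllib.parse import urlsplit

# Constructed sample links built from the pieces the post names. The "/login"
# path on the scam link is an assumption, not the real link.
SAMPLE_LINKS = {
    "deals": "http://www.amazon.com/gp/goldbox/ref=cs_top_nav_gb27",
    "scam": "http://online.EZFinancial.com.is-an-account.com/login",
}

# Suffixes under which the registrable domain is the last *three* labels.
# Deliberately partial; a real tool would consult the Public Suffix List.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au", "co.jp", "co.nz"}


def split_link(link):
    """Break a link into host, registrable domain, subdomain and path,
    following the post's rule: the domain is what sits just before the
    first slash after the scheme, read back to the previous period."""
    if "://" not in link:
        link = "http://" + link              # bare "www.example.com/..." links
    parts = urlsplit(link)
    host = (parts.hostname or "").rstrip(".")   # .hostname is already lower-cased
    labels = host.split(".")
    take = 2
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        take = 3
    domain = ".".join(labels[-take:]) if len(labels) >= take else host
    subdomain = ".".join(labels[:-take]) if len(labels) > take else ""
    return {
        "host": host,
        "domain": domain,          # who actually owns the page
        "subdomain": subdomain,    # anything the owner chose to put in front
        "path": parts.path or "/",
        "query": parts.query,
    }


def check_link(link, expected_domain):
    """Decide whether a link really lands on the site it appears to name.
    expected_domain is the brand's real domain, e.g. "ezfinancial.com"."""
    info = split_link(link)
    expected = expected_domain.lower()
    brand = expected.split(".")[0]
    if info["domain"] == expected:
        info["ok"] = True
        info["reason"] = "domain matches"
    elif brand in info["subdomain"]:
        # The post's exact case: the brand name is only a subdomain of
        # somebody else's domain, so the page belongs to that somebody else.
        info["ok"] = False
        info["reason"] = ("brand name appears only in the subdomain; the page "
                          "is owned by " + info["domain"])
    else:
        info["ok"] = False
        info["reason"] = "domain is " + info["domain"] + ", not " + expected
    return info


if __name__ == "__main__":
    expected = {"deals": "amazon.com", "scam": "EZFinancial.com"}
    for name, link in SAMPLE_LINKS.items():
        result = check_link(link, expected[name])
        verdict = "OK" if result["ok"] else "SUSPICIOUS"
        print(f"{name}: {verdict} ({result['reason']}); path {result['path']}")
```

The same split is what a browser does before it highlights the domain in the address bar, so the output of `split_link` is the thing to compare against what you expected to see when you “copy link location” and paste it somewhere safe to read.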


When you go to a web page, it is a good thing to look up in the URL window at the top of your browser and see where it really is. Some browsers, like Firefox, actually highlight the domain name for you just for this reason. If it isn’t what you think it should be, close the browser window, make sure your virus check software is up to date and do a full scan of your system.

The last word:

Always practice safe clicking.

Pass the word to your children and your employees.

Comments solicited.

Keep your sense of humor.


In addition to being a huge source of interest, amusement, annoying commercials, robo-calls, and anguish to all of us in the US, the 2016 election cycle is likely to drive cybercriminal and hacktivist activity. The Forcepoint 2016 Cybersecurity Predictions Report describes some interesting possibilities.

As an individual, expect to be targeted. By the 2012 election cycle, social media was an important method of getting a candidate’s message out, gauging voter interest, collecting donations, and promoting engagement hopefully leading to a vote. For some candidates, social media is at least as important as the traditional news media. Attackers will use the intense interest in this election cycle to create highly effective email lures and misdirects to push malware to the unsuspecting public.

Some of these attacks will be advanced cyber attacks against specific organizations unrelated to the election, potentially including your company. The cybercriminals will target individuals pursuing election-related information, with the expectation that the cybercriminals can gain access to personal or company information for financial gain or negative business impact unrelated to the election.

The candidates themselves, as well as the news media, will become vulnerable to attacks on their social media sites. These attacks may be by opponents, foreign governments, or hacktivists with a specific political agenda. Expect to see these attacks used to spread inaccurate messages and information. Even if a candidate can quickly correct the information, the false information lives forever and may impact the outcome of an election. In the US political circus, the message is critical.

These attacks on a candidate’s social media could also impact the data the candidate is collecting on probable voters and donations. Corrupting that data could have a huge negative impact on a candidate’s ability to run or fund a campaign.

InfoSec Institute published “Which Top 5 Presidential Candidate is Most Likely to Be Hacked?” back in October, 2015. The only candidate with an “A” rating was Ben Carson (remember him?), largely because he outsources donation and volunteer services and does not have an on-line store; he has a very small attack surface. Hillary Clinton and Donald Trump got a “B,” Bernie Sanders and Jeb Bush got a “C.” Several of these candidates are using unsecured or only partially secured WordPress sites that may leak internal usernames and other information, making them relatively easy targets. While she did get a “B,” Hillary has the largest attack surface based on a quickly built custom application. Her development team’s motto is “ship early and often; done is always better than perfect.” Security may not be high on the team’s priority list, and security testing is likely to be a low priority task.

As the Forcepoint report points out, “Technology decisions made by candidates during their tenure can expose them to data theft attacks (as seen by Clinton’s use of a private email server).” It is also likely true that technology decisions made during a campaign may give a hint as to how that candidate will behave relative to data security when elected. If you see a candidate reacting to incorrect information on their web site or social media, then expect that their concern about data security is very low. Put that on your scorecard as one factor as you decide how you will vote.

It will not be just the candidates’ web sites and social media sites, but also those of the hundreds of issue-related websites that represent PACs and other special interest groups.

The bottom line is that you need to be very careful. Before you click on a link in an email or on a website, carefully look at it. Even if you know the sender of an email, if all it says is something like “check this out” or some other short message, be careful: the email may only appear to be from a friend or co-worker. The safest way is to copy the link (right-click on the link and select “Copy Link Location”) and then paste that into your browser’s URL line and make sure you recognize the web site.

The last word:

If you think it unlikely that a foreign government would attack a candidate, consider the Syrian Electronic Army (SEA), a group of attackers supporting Syrian President Bashar al-Assad. Beginning in 2011, the SEA targeted political opposition groups within Syria, western news organizations (including the BBC, Associated Press, and The Washington Post) and human rights groups. The SEA has managed to send false tweets from Twitter accounts for 60 Minutes, Reuters, Associated Press, ITV News London, and many others. It has defaced the web sites of Forbes, NBC, CBC News, and hundreds of other sites including the National Hockey League.

Of course, the SEA is only one potential government sponsored hacktivist organization, and in my view, not the most dangerous by far. There is a reason why the US and China agreed to a pact to not use cyberattacks to steal company records for financial gain. Of course, China does not admit to ever having done anything like that. A careful reading of the pact indicates that the pact does not bar cyberattacks for other reasons such as political.

Comments solicited.

Keep your sense of humor.