Word comes that more than 500,000 Macintosh machines are potentially infected with a virus – one that is specifically targeting Macs: It’s called Flashback Trojan. The virus is a variation on one that is normally aimed at PCs – typically powered by a Microsoft (MS) Windows operating system. The PC virus has been re-engineered to slip past typical Mac defenses.
A Finnish-based computer security firm, F-Secure, first spotted and noted the virus, followed quickly with qualification by a Russian anti-virus program vendor, Dr. Web.
“All the stuff the bad guys have learned for doing attacks in the PC world is now starting to transition to the Mac world,” according to McAfee Labs Director of Threat Intelligence Dave Marcus.
Flashback lets hackers steal passwords and financial account numbers. Mac users are tricked into opening this specific vulnerability: The virus’ designers have made its installation look like a routine update to Adobe Flash video viewing software.
Once upon a time, people who labored in the Mac realm had a rather smug view of security: Macs escaped specific targeting, it seems, and nefarious malware creators seemed to concentrate their deeds to the world of the PC. No more. While Mac’s position in the past seemed to be that they weren’t vulnerable to PC malware (true, in a specific sense), they are now vulnerable to Mac malware – as adapted to, and specifically created for, that environment.
Malware developers concentrated on Windows PCs because they dominated the market. This allowed Apple to claim that PCs were more prone to hacking: True, technically, but perhaps not so much due to any particular superiority of security of operating systems; rather, merely the luck of being a smaller target. Now that Macs are increasing in popularity, the Apple operating system is becoming a much more attractive target.
The IT field, like any, is rife with people who talk a good game. Some walk like they talk – some don’t. The average candidate for your IT department will appear conversant in technical matters, they will profess a belief in quality of service principles, and of course they are brought on board with high expectations. We know that many people fall short of these expectations – in all fields and areas of endeavor. But in cases of flat-out bad IT hires, we have an enormous drain on resources. In the IT department, a sub-optimal hire compounds across the organization in a very detrimental way, since IT supports virtually the entire organization and almost every effort within.
We also know how much time and effort it takes to dismiss an employee. Often an employee must be left within a performance arena in order for us to record and document poor performance. For IT, this is a cruel irony and a ticklish game – trying to maintain security and solid support while leaving job duties in the hands of a poor performer. The associated inefficiencies brought about by increased oversight, double-checking, and counseling are their own drain – in addition to the lack of results. There is also the impact to staff morale. For these reasons, you need an IT leadership that can smoke out the true candidates worthy of hire, investment, and promotion.
These things make it imperative for your IT leader to understand something about most areas of IT technical endeavor. This person does not need to have a deep background in all areas or even specific areas. This person just needs to have a solid understanding of the principles that guide areas, and a good familiarity with the higher-level best practices for managing each area. Much of the vetting of personnel falls to the managers just under the top leadership. Therefore, top leadership needs to qualify in making those managers the best possible investment that your organization can make, as those managers groom the rest of the department.
Image credit: digitalart
Gary Chaplin was a top executive at a “headhunting” firm (emphasis on “was”) when he received an e-mail from Manos Katsampoukas. Katsampoukas had e-mailed, rather incredibly, 4,000 people a copy of his curriculum vitae (CV) in seeking a finance or marketing position.
Unfortunately, Mr. Chaplin was less than professional in his response, telling Mr. Katsampoukas to “Please f*** off – you are too stupid to get a job, even in banking.” There were a few other choice words, but you get the idea. That response is enough to get sacked, in my opinion, but the reply went back to all 4,000 people Katsampoukas e-mailed initially. (Source: The Sun, UK). Oops.
Gone is Mr. Chaplin’s job of 5 years for Stark Brooks, which would seem to be a top destination for any recruiter. They handle the needs of the largest firms, such as Heinz, Kellogg’s and Bentley, in recruiting and delivering top executive talent.
And that brings us to some sage advice that’s been profiled here in the past: View every activity through a security prism. Here specifically today, consider carefully what you’re saying in an e-mail, and be sure to read it through the recipient’s eyes before hitting Send. Also, review the recipient list: Are you accidentally invoking Reply All when you really only mean to send as a Reply? Are there folks you’re copying who might be better served with a BCC?
Beware of BCC too: Sometimes people, particularly senior ones, view a BCC as something furtive on the part of the sender. Be certain you’re using discretion for positive communications in service to the betterment of something. Don’t junk up the inboxes of folks with BCCs that are relatively low-level beefs or petty issues. Where possible, wait a day on some e-mails – if it still seems important next-day – send it then.
When in a professional setting, be professional and remain professional. It’s hard some days (I know), but secure your job.
Security includes appropriate communications: In securing your organization’s reputation, in securing your own personal business reputation, and in securing your very job.
View every activity through security’s prism.
NP: I Hear You Knocking, Smiley Lewis, original Imperial 78rpm (on an Esoteric Sound Restoration turntable).
Small-to-Medium Business (SMB) environments, and in many cases large enterprise environments, face a burgeoning challenge. Namely, how to train, monitor, discipline and, in some cases, make allowance regarding employees’ use of non-work applications.
First, the plethora of temptations: Gmail (and other free-mail); Facebook (and other social networking sites); instant chat agents/direct messaging; Dropbox and other fileshares; 3G cards, Flickr, Skype, Youtube, comment areas, unauthorized websites, smartphones, and on and on…
While these and other elements can have some measure of sanction in some organizations, there is also a “Wild West” situation in others, whereby unregulated use leads to unbridled time-wasting, and the opening of avenues of risk.
In fact, some employees labor to skirt all manner of domain policies, inhibit anti-virus/malware controls, and flout Acceptable Use policies where utilized.
As far as avenues of risk and temptation: It’s only going to get worse, with ever-more extraneous endeavors available, and plenty of employees will engage in non-productive, risky activities.
It’s important to set expectations right up front. Policies for security and the acceptable use of systems should be published quarterly, and again upon significant update. All new employees must be apprised of the organization’s position regarding non-work applications and areas.
In many cases, there will be outright bars to use of social networking or random surfing. However, in many cases there will be official work accounts for Facebook, for example. Here, it’s important to state whether there is allowance as well for personal Facebook time. Be aware that employees have been documented as forgetting which social networking account they’re inhabiting, and have made inappropriate communications/postings regarding either work or personal matters to the wrong account.
No matter your organization’s mission, size, or tolerance of various non-work items: State a policy for all areas of concern. Educate employees so they know what they may and may not do. Discipline those who break rules.
Don’t wait for the inadvertent, or even deliberate, exposure of sensitive company assets to the wrong forum. Don’t wait for a debilitating decline in productivity. Make certain that HR and IT address the “do”s and “don’t”s in your regular staff meetings, and that those departments are current and questing in the case of managing non-work apps and enablements. Maintain policies with a forward eye.
JOTD: Two horses and a dog are in a barn. The older horse says to the younger horse, “Hey, tomorrow is my last race, and if I win, my owners are likely to put me to pasture and I’ll enjoy my last days in the sun. However, if I lose, they may be unhappy enough to send me to the glue factory. I think I can best all the other horses with the exception of you. Will you let me win tomorrow? It’s only one race, after all…”.
The younger horse thinks for a moment, and says, “Well, I don’t know. I’ve won all my races thus far, and I have an unblemished record. I don’t want to ruin that – plus, if I lose the race to an older horse like you, I may never recover my reputation. No, I don’t think I can do it.”
Just then the dog, who has been listening in, speaks up and says to the younger horse, “Listen to yourself! Your friend has asked you for one simple favor: To lose to him tomorrow, in order to possibly save his life. You only have to come in second for one race; you can still beat all the other horses. How about it?”
The younger horse turns to the older horse and says, “Hey, look at that… a talking dog!”
We’ve discussed password liabilities before: Consider that many people use the same password (and often User ID) for multiple accounts. This can include online bank credentials, work accounts, social networking sites, other critical sites such as ebay and PayPal…
A breaching entity can hack one account, gain credentials, and then spin them through all other associated user accounts they identify.
Of course, password liabilities also include easy-to-guess passwords, which are subsequently cracked – either by manual human guessing, or by password-breaking software that simply cycles dictionary words and random character combinations through authentication mechanisms. This morning, while having my auto serviced, I tried “password” in trying to gain access to a couple of wireless networks in the vicinity – alas, no luck – but worth a try. Consider: About 5 years ago, Slovak hackers gained access to Slovakia’s National Security Bureau (NBU). The NBU maintains a huge body of classified information, which is supposed to enjoy strong security. However, the hack and breach wasn’t particularly sophisticated: The respective login ID and password were nbu/nbu123.
You might want to put a little thought into your organization’s passwords and their associated strength: Set a minimum number of characters, and consider requiring some number of special characters (!@%, etc.). Also, see the four basic requirements at the bottom of this article for maintaining a solid password security posture.
Here are PC Magazine’s worst passwords of 2011:
Finally, remember to employ four basic, yet critical, practices for maintaining secure passwords:
1) Use unique passwords for each account.
2) Change your passwords on a schedule. How frequently is up to you, but anything from monthly to semi-annually.
3) Don’t share your passwords.
4) Avoid common passwords.
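An added example (not from the original post) that turns the minimum-length, special-character and common-password advice above, plus requirement 1 (unique passwords per account), into a checker an IT department could run over its own password policy. The length threshold of 12, the one-required-special-character rule and the short denylist are assumed values chosen for illustration; the page leaves the numbers to you and only cites “password” and nbu123 as examples.

```python
import re
import hashlib
from collections import defaultdict

# Constructed denylist: the page's own examples ("password", "nbu123") plus a
# few well-known weak choices. A real deployment would use a full breach list.
COMMON_PASSWORDS = {"password", "nbu123", "123456", "qwerty", "letmein"}

MIN_LENGTH = 12      # assumed policy value; the post leaves the number to you
MIN_SPECIAL = 1      # assumed: at least one character from SPECIAL_CHARS
SPECIAL_CHARS = set("!@#$%^&*()-_=+[]{};:,.<>?/")


def check_password(password: str) -> list[str]:
    """Return a list of policy violations; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if sum(c in SPECIAL_CHARS for c in password) < MIN_SPECIAL:
        problems.append(f"fewer than {MIN_SPECIAL} special character(s)")
    # Compare case-insensitively and with any trailing digits stripped, so a
    # cosmetic variant such as "Password1234" is still caught as common.
    base = re.sub(r"\d+$", "", password.lower())
    if password.lower() in COMMON_PASSWORDS or base in COMMON_PASSWORDS:
        problems.append("matches a common password")
    return problems


def find_reuse(accounts: dict[str, str]) -> dict[str, list[str]]:
    """Group accounts that share a password (requirement 1: unique per account).

    Passwords are keyed by SHA-256 digest so the report never carries the
    plaintext; only groups with two or more accounts are returned.
    """
    by_digest = defaultdict(list)
    for account, pw in accounts.items():
        by_digest[hashlib.sha256(pw.encode()).hexdigest()].append(account)
    return {d: sorted(a) for d, a in by_digest.items() if len(a) > 1}


if __name__ == "__main__":
    # Constructed sample inputs, including the NBU credential the post cites.
    for candidate in ["nbu123", "Password1234", "C0rrect-Horse-Battery!"]:
        print(candidate, "->", check_password(candidate) or "OK")
    sample_accounts = {"bank": "S@me-Pass-2011", "work": "S@me-Pass-2011",
                       "ebay": "Other!Pass-42"}
    print("reused across:", list(find_reuse(sample_accounts).values()))
```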
NP: Hi Lili, Hi Lo, Bill Evans, jazz24.org
Well, I guess it already has. But an interesting opinion was rendered recently regarding the United States’ position regarding cyber crime. According to Trend Micro’s global CTO, Raimund Genes, the US’ lax security standards are facilitating cyber crime in the public cloud.
Cloud adoption and loose standards regarding online banking show serious security flaws, according to Genes. In fact, he states, “The US has no sense about data security, and I could be very brutal there.”
This isn’t particularly good news for those individuals and organizations who harbor their content, and even processing, in the cloud, by virtue of various solutions providers. Often, these folks have no idea exactly where their information is – relying on the providers’ discretion and standards… and whether those standards comport with current and best practice can be anyone’s guess.
When security lags in one area, it often creates a lax situation in evolving and debuting areas. For example, a looming vulnerability involves Near Field Communication (NFC) – a brief description about NFC and then an example:
NFC allows simple transactions and data exchanges between wireless devices in close proximity. It will likely support regular use of smartphones for making payments. Already many of the smartphones on the market contain NFC chips; the chips are capable of containing credit card information, and a simple wave of your phone near a retail cash register’s reader, for example, will be a fast and effective way of making payment. No more digging for, and swiping of, a credit card.
However, Genes warns of this arena too: The use of NFC by credit card companies, again in view of lax security standards and measures, is a “security disaster,” in his words.
As individuals and organizations grapple with rapidly changing IT issues, such as cloud computing and storage, and NFC communications, be certain to examine and qualify your providers and procedures. Update security policies, and update your security checks. Remember: You must stay ahead of threats, close vulnerabilities, and thwart crime.
When hiring service providers and solutions partners, be certain they’re on the most responsible security edge possible.
NP: Soul Burnin’, Red Garland, jazz24.org
The Washington Post is reporting that foreign hackers disabled a pump at an Illinois water plant last week, according to the preliminary state report.
If the source of the attack is confirmed as foreign, it will be the first known attack on a critical public (that is, societal) support: That of water, power, communications, and other essentials such as policing.
There have been many hacks and harmful incidents of various scope in years past, of course. However, those were squarely within the realm of information’s availability or integrity: Incidents involving theft of content, destruction/corruption of it, or the interruption of access to it by attacking websites and their availability.
But now, there are entirely new vulnerabilities faced by our government, and subsequently you and your organization. Any org relies on the steady reliability of public infrastructures and enablements – and we’ve discussed those here in the past. But what of more mundane, and perhaps likely, concerns for the average organization?
Threats are becoming more sophisticated, and in many cases eclipsing the status of security in even the most “sophisticated” environments (relatively speaking). What your organization must do is to survey your entire “security bouquet” prior to something that is certain to happen: Hacktivists, and just general miscreants, are going to shop for companies, agencies, and groups that they can “take down.” It will be sport. It will be an attempt to gain mention on the daily news cycle.
Why? Because if people can do it, they generally will.
Begin with a review of your Acceptable Use policy: Make certain people in your organization are not opening security vulnerabilities. They shouldn’t be using work resources to spend time on nefarious sites, nor should they correspond with strangers – new “friends” – outside of any business context – using domain credentials, to include their simple work e-mail address.
They also shouldn’t be posting comments to non-work-related boards or articles with domain credentials – What is being done in the name of your domain? – that could bring the wrong kind of attention to your organization. Further, when they are on legitimate sites, such as professional support forums, they should take care not to run afoul of Terms of Service elements, nor should they be argumentative or abusive: There can be definite risk of recrimination from a forum member who decides to seek retribution by a “take-down” of some element of your domain.
Review all security policies, and establish a monthly or quarterly security refresher training. All actions and activities should be viewed through security’s prism. Make everyone in the organization a security officer.
NP: Purple Passages, Deep Purple.
Today, any organization is dead without its technical supports. Even an attack on content – information, business intelligence, data – can put business at risk.
By “business,” we mean the doing of the doing – your “busy-ness” in furthering and delivering within your mission: Whether you’re a for-profit private-sector endeavor; a non/not-for-profit org; a government agency; or sole-proprietor. You have business that needs to be conducted on a daily, ongoing, basis.
Any business can go out of business if it loses any measure of its technical enablements, and/or corresponding content. Lose it all, and it most definitely will go out of business.
And now comes word of cyber-terror. What the heck does the local organization do about that? Eugene Kaspersky is a Russian math genius who founded an internet security apparatus that has been characterized as having a global reach. He’s a thought leader as regards emerging perils. According to Sky News, Kaspersky believes “…we are close, very close, to cyber terrorism. Perhaps already the criminals have sold their skills to the terrorists – and then… oh, God.”
That doesn’t sound too hopeful. Further, Kaspersky, while attending the London Cyber Conference, told Sky that he believes cyber-terror to be the biggest threat to nations such as China and the U.S.
“There is already cyber espionage, cyber crime, hacktivism (whereby activists attack systems and content for political ends) – soon we will be facing cyber terrorism,” he said.
So – what’s the local organization to do? There is a need to protect yourself. With ever-more power and knowledge being available to individuals and small groups, imagine: Imagine a disgruntled ex-employee wiping out your organization’s assets, for example. But further: Can the average organization make a contribution to the larger, surrounding, public security?
I propose business/tech roundtables in given locales that meet semi-annually, or perhaps quarterly in high-risk areas (Washington, DC, for example). Here, business and technology folks, from all levels of diverse organizations, can brainstorm and share ideas of protection, prevention, and where necessary – recoveries.
It’s going to become a necessity: Already, the Pentagon is on record to state that the U.S. reserves the right to retaliate with military force against any cyber attack. In a 12-page report to Congress, made public, the Pentagon said:
“When warranted, we will respond to hostile attacks in cyberspace as we would to any other threat to our country. We reserve the right to use all necessary means – diplomatic, informational, military and economic – to defend our nation, our allies, our partners and our interests.”
The vulnerability is large, being that the Defense Department alone operates more than 15,000 computer networks, with 7 million computers worldwide.
But, again, what of your locale? What if simple everyday “hacktivists” decided to take down some service providers that were key to you? It would be awfully uncomfortable to live without e-mail, your online presence, and the services of any other providers such as Cloud hosting, processing, storage, and communications.
It’s something worth thinking about… at least start to think about it – and about where your org might make effective, efficient contributions.
NP: Black Sabbath, We Sold Our Soul for Rock ‘n’ Roll, original vinyl LP.
— H.G. Wells
Dear Readers: The Business-Technology Weave blog has 800+ readers at present. I’d like to increase readership and thought I’d ask if you’d be willing to forward BTW’s URL –
- to a few colleagues and friends. They can also simply Google “The Business-Technology Weave.”
As thanks, I’d like to recommend one of the coolest sites I’ve stumbled upon in a long time: FutilityCloset.com. This site is a treasure trove of fun and interesting things. In their own words, “…a collection of entertaining curiosities in history, literature, mathematics, language, art, and philosophy. Each item is self-contained and written as concisely as possible…”. Their database has almost 6,000 items.
Check out the video “Both Sides Now,” (scroll down to it) where a Bach piece is rendered as a Möbius strip. It’s just over 3 minutes – let it get to the 1:45 minute mark – here’s where it gets really interesting.
Have fun! And… if you could blast out a recommendation for The Business-Technology Weave (only to those you’d feel would benefit, of course), I would much appreciate it – how about to 10 of your closest friends and associates?
Tomorrow: Back to business with an article regarding a top security expert’s warning about cyber-terror. To close, here’s a great quote I picked up from FutilityCloset:
“I have never thought much of the courage of a lion tamer. Inside the cage he is at least safe from other men. There is not much harm in a lion. He has no ideals, no religion, no politics, no chivalry, no gentility; in short, no reason for destroying anything that he does not want to eat.”
— George Bernard Shaw
The U.S. Government made 5,950 requests on 11,057 user accounts, according to the most recent report: In comparing to last year’s corresponding report, we can note an increase of 4,600 requests – or, a 29% increase. Users should know that Google complied with 93% of these requests “wholly or partially.”
The government also makes requests to remove content: There were 92 such requests involving 957 items. Google complied with 63% of these requests. For comparison: The Canadian government made 50 requests involving 75 accounts; the Mexican government made 48 requests involving 73 accounts – of course, the populations of these countries, volume of content, and nature of the computing population do not provide for a uniform comparison beyond raw numbers.
Most of the requests involve a desire to take down info that is incorrect – at least in the government’s view – or offensive. Some requests are for personal info that the government would like to use in criminal investigations. As a matter of policy, Google complies with requests that comport with legalities, and its own Terms of Service. You can see the reports here.
Companies should be on the lookout for what individual users are doing with company resources: In some environments, there is a loose mix of “friending” while “businessing.” Users hop between personal accounts (while utilizing company resources of equipment and time) and official business accounts. There have been many instances of people posting negative items to an official company marketing Facebook account, for example, while believing they were still in their personal Facebook account.
Mainly, organizations of all types need to make certain that employees are not engaged in illegal or questionable activities on work time, on work resources. Organizations face their own regulatory burdens and adherence to business ethics, of course, but now here is a door whereby an employee in a conventional, personal, “user” status can bring potential harm to the org.
Update Acceptable Use policies and other relevant policies for the environment we’re in.
NP: Led Zeppelin III, on original first-issue vinyl LP: Thorens TD-125 turntable; Shure v15v xMR cartridge; Carver C-1 pre-amp; B&K ST-202 amp. Peerless speakers.