We all have habits when it comes to accessing and sharing our data. And some of these habits have scary consequences…which is especially poignant as we wait for little creatures to come asking to get treats or tricks at our door this Halloween night.
We’ve all done it. You fill out an online form and share information – or place an order and hit send. And then you realize the information you shared was probably too intimate or detailed to be sent unencrypted over public wifi or to that certain retailer.
With some luck, nothing bad happened when you did that, but it served to reinforce bad behavior that will at some point bite you in the butt. Ultimately, until we all embrace more secure behaviors, nobody and no data is really going to be safe.
It was just this topic – in a related realm – that three of us debated this week on the #ITKESecurity Chat. We were talking about passwords and the common man (or woman). To that end, we pretty much agreed that we are not going to be able to change human nature and no matter how powerful or innovative an IT department is, they won’t be able to affect employees’ methods regarding passwords.
With an ultimate goal of keeping machines, facilities and data secure, IT has a whopper of a job to do. They need to provision users, allow data to flow freely to workstations and devices inside and outside an organization’s walls, and then promise the folks at the C-level that everything is compliant, safe and efficient. It’s a lose-lose proposition.
It can be over in an instant. Like the moment Mary in Accounting leaves a password on a sticky note under her keyboard; or when Jack in Sales uses speakerphone at the airport to help his admin log into his desk computer; or as Pat in Marketing logs into company files over the open Wifi in a hotel lobby.
What’s a smart IT department and progressive company to do? I don’t have all the answers, but the one I always give is to use common sense and think like a criminal. It’s not that devious and it will keep you on your toes…really.
In the same way you might evaluate your home or car if you’re trying to avoid thieves (walk around the house and look for ladders, open windows, basement door access and easy entry), use the same process with your office assets. See if you can log in to other accounts using simple passwords. See if people are actually writing passwords down and leaving them on LCD monitors or in unlocked drawers of their desks. And see how deep you can get into proprietary materials via the company’s public-facing Websites.
All this will help you tighten down access at your firm. In fact, once you do a little audit exercise like this, it will probably help you secure your personal info too. You might eve start using longer, character-variable passwords and setting up two-step authentication for your various online accounts.
The world isn’t such a bad place, there are just a few bad people out there. So, with Halloween at our doorstep, keep the evil at bay and make your data a little more secure. Let’s chat next week!
Luckily we still have power as I write today’s column. The winds have been gusting to about 55MPH and the rain is lashing the windows of my office. In some ways, it’s akin to being at sea without the added fear that we might capsize. Regardless, the power and Internet are still up and I’m typing as fast as I can because I need to share my thoughts on storm damage as it relates to data.
Not specifically what happens to data in a physical, rain, wind and destruction event. But what happens when your data is constantly at risk and possibly under attack from all the evil elements. I want to talk about keeping your data secure and I’m using weather as an analogy.
Therefore, what’s the first thing you do in a storm?
On a ship, you batten down the hatches. In an IT and data environment you either silo, sandbox or lock off your data from prying sources. To do this, you need to be adept at provisioning and recognizing possible threats. It’s easy to see the radar for rain, it takes a bit more perspective to identify hackers and other dangers. So, always keep your data hatches battened down and you won’t have to worry as much.
At home, you have extra supplies to ensure you can survive in a storm. In your office, you should have backups, protocols and other similar ‘supplies’ that will help you survive and relaunch in case of a data breach or other event. Having those resources in place NOW will make it much easier if (or when) your organization is targeted.
Finally, have an escape plan and a ‘go’ bag. Like all well-trained spies or any family that lives in the path of frequent bad weather, everyone should have a duffel bag packed with essentials and a plan for evacuating the home. Businesses don’t need to evacuate, but they do need a plan for any disaster…especially those that involve IP and customer data. First step is to establish a hierarchy for emergencies, then protocols, then a schedule where you practice these things.
Ultimately, data protection is a constant battle. We’re all under siege and have to have the right plan in place to protect us from the next storm. Even if that storm is a bunch of hackers or even a piece of software that crashes our systems.
Do you have your data protected? How?
The history of the password takes a few paths…none of which really makes sense if you’re focused on usability. But let’s jump in…
Once upon a time it was enough to be able to remember your first pet’s name and use that as your password for everything. Who would be able to crack the cryptic protection of the word ‘spot’ or the even longer and more secure ‘mittens’? Your online banking, MySpace account and Yahoo Fantasy Football team was perfectly safe. Then it fell apart.
Hackers breached a few online sites, blogs suddenly required more characters and variations to sign on, and email servers went over the top asking you to use special symbols, numbers and capitalization to make your password safe. As security increased, difficulty and barriers to use appeared. No longer was it enough to remember a keyword, people had to start writing stuff down.
That was the turning point. While IT folks and security pros realized the need for stronger encryption and data protection, users were the ones actually using their workstations. In the quest for continued productivity, passwords were a speed-bump so people started to ignore them. This made IT wring their collective hands and implement password requirements.
Not quite the immovable object and unstoppable force, users and tech support were at odds. As a side note, I think this is what has caused employees to perpetually treat IT folks with disdain. If tech support didn’t have all the power, users might act with more acceptance to their suggestions. But onward…
Passwords had to be long and complicated. Users needed fast access to their stuff to do their job. Passwords were then written down on sticky notes or computers were left on and users stayed logged in. Not a great way to keep stuff safe.
While it’s a running joke that the best way to crack a password at any large company is to flip over the keyboard and read the sticky note, it’s based in reality. And it’s not going to change until education and/or process goes through a wholesale change.
Maybe I wrote this today as a wake-up call. Maybe I wrote this to remind myself to choose better passwords for my stuff. And maybe I penned this column to let you know the discussion surrounding passwords isn’t going to end soon. In fact, Oct. 22 on Twitter, a few of us are participating in an online discussion about the power and/or futility of today’s password process.
Join me online to support, dispute or solve any of the password thoughts I’ve shared above. Maybe you can help make all of us more secure. I hope so.
See you next week! Watch this blog for details on the upcoming Twitter chat!
A news story just came across my desk touting the benefits of photos that expire. Just like a Mission Impossible assignment, the data shared expires after a short period of time. This reinforces peace of mind, keeps information and images safe from public consumption, and is probably where we’re headed in the next year or so.
This new app, from Microsoft of all places, is called Xim and can be used on Android, iOS and of course Windows phones. It let’s you share photos with folks who don’t have the app and it allows you to make photos vanish after a set period of time. While we can already do this with Snapchat and other ‘secure’ info sharing apps and sites, this is a little departure for the types of stuff MSFT brings to market.
Who still has that fabulous and functional piece of hardware, the Zune? See what I mean. Though Microsoft hasn’t always been short-sighted in functionality. Take their first mail systems that allowed for read receipt, recalling unread emails and more. Those functions are still only available on other platforms with third-party solutions.
The discussion today is whether we really need another app to protect us from ourselves. Isn’t there some point at which we’re going to let adults be adults and deal with the mistakes they make online? As I said in a piece about a month ago about the naked celebrity photos – this isn’t an issue of porn or exploitation, it’s an issue of common sense and prudent use of online access and tools.
What’s your take on all the apps that are coming out that let you effectively erase your mistakes? Do we need a Papermate pen for the Internet?
A new credit card came in the mail today. An actual card. Not an offer, not a temporary or fake card, but an actual, ready-to-activate credit card from a major financial institution.
What am I supposed to do with it? It feels great to be wanted, but I thought the days of banks sending out pre-approved cards was over. Didn’t we just have a little problem with a bunch of banks going under because of mortgage issues?
While I’m a bit befuddled, I guess the larger question I’m posing is what are the security ramifications of credit cards being sent out without anyone requesting them? And should I, as a consumer, start thinking like a tinfoil-hat person and wonder if a card was ordered for me by some thief and they didn’t have the chance to intercept it before I got it?
Turns out, JP Morgan Chase replaced existing cards with new ones as a result of a data breach they discovered. But how long have they known and why didn’t they also email and/or alert their customers?
Has this happened to you? With so many data breaches at banks and stores, is sending out a new card going to be the SOP? Is it something we should be concerned about?
After a little research, I figured out this was actually Chase being proactive and vigilant about security. They discovered a large security breach and revealed their findings this week – see the story in the NY Times.
So, what do you think now? Did you have a JP Morgan Chase account…do you still have one? How would you have responded to the news that your customers data had possibly been accessed?
In my eyes, they’ve done the right thing but there’s more to be done. Let’s work toward not letting breaches occur in the first place, shall we?
Talk to you next week!
On top of that, Home Depot hired a person who had been fired from another company for sabotaging their network. According to this article on ars technica,
Home Depot hired Ricky Joe Mitchell as its senior IT security architect. Mitchell got the job after being fired from EnerVest Operating in Charleston, West Virginia—and he sabotaged that company’s network in an act of revenge, taking the company offline for 30 days. Mitchell retained his position at Home Depot even after his indictment a year later and remained in charge of Home Depot’s security until he pled guilty to federal charges in January of 2014.
Well, duh! Is it any wonder that Home Depot suffered a bigger breach than Target? Target’s was bad at 40 million credit cards stolen; Home Depot’s was worse at an estimated 56 million. The malware in both cases was the same, “BlackPOS” (a.k.a. “Kaptoxa”), a malware strain designed to siphon data from cards when they are swiped at infected point-of-sale systems running Microsoft Windows,” says Brian Krebs.
From the ars technica piece: “…former employees contend that the company relied on out of date antivirus software—a version of Symantec’s antivirus purchased in 2007. And the company didn’t perform network behavior monitoring, so they would not have detected unusual network traffic coming from point-of-sale systems.”
Hate to say it, but they were hoisted by their own petard.
For the first time in a very long time, I’m not writing about a Windows vulnerability. Though Windows is infamous for its insecurity, there are other operating systems that also have have security holes, Unix, Linux and MacOS (based on Unix) being the top three. iMacs and MacBooks aside, most of the internet runs on routers and other devices that have embedded Linux/Unix operating systems at their core.
For those of you familiar with Linux/Unix, you know what Bash is. For those of you who are diehard Windows people, Bash is the Unix command shell that allows you to manipulate the operating system using text commands, similar to what you can do with the Windows command prompt (although Bash is more powerful).
Bash has a Remote Code Execution (RCE) bug and here’s what’s up with it:
“Everything from Unix, Linux and Apple systems, to servers, routers and network-attached storage devices are potentially at risk,” according to Alan Woodward (interviewed by Mathew J. Schwartz in Bank Info Security). If your company uses any of the previous platforms, you may be at risk. Those who use Windows systems are not affected.
Get more info about the exact details of the vulnerability here.
Again, if you’re running Windows systems, these are not affected. However, you should do the following on any other devices:
- Patch the Bash flaw by upgrading all Linux/Unix-related software;
- Disable remote log-in on all Mac OS X systems, until Apple patches the vulnerability;
- Check every device that runs or relies on an embedded version of Unix or Linux, to see if they’re susceptible to the vulnerability, and patch their software or firmware accordingly.
If you’re a profit-motivated cybercriminal willing to invest a couple of hundred bucks on some technology, you can easily steal anyone’s PIN at most retail card terminals.
“What?” You say. “That’s not news!” Well, it is when the cyber-criminals are your own government agencies. I’m just going to block quote this from Bruce Schneier’s latest Crypto-gram newsletter:
There’s a new story on the C’t Magazin website about a 5-Eyes program to infect computers around the world for use as launching pads for attacks. These are not target computers; these are innocent third parties.
The article actually talks about several government programs. HACIENDA is a GCHQ program to port-scan entire countries, looking for vulnerable computers to attack. According to the GCHQ slide from 2009, they’ve completed port scans of 27 different countries and are prepared to do more.
The point of this is to create ORBs, or Operational Relay Boxes. Basically, these are computers that sit between the attacker and the target, and are designed to obscure the true origins of an attack. Slides from the Canadian CSEC talk about how this process is being automated: “2-3 times/year, 1 day focused effort to acquire as many new ORBs as possible in as many non 5-Eyes countries as possible.” They’ve automated this process into something codenamed LANDMARK, and together with a knowledge engine codenamed OLYMPIA, 24 people were able to identify “a list of 3000+ potential ORBs” in 5-8 hours. The presentation does not go on to say whether all of those computers were actually infected.
Slides from the UK’s GCHQ also talk about ORB detection, as part of a program called MUGSHOT. It, too, is happy with the automatic process: “Initial ten fold increase in Orb identification rate over manual process.” There are also NSA slides that talk about the hacking process, but there’s not much new in them.
The slides never say how many of the “potential ORBs” CSEC discovers or the computers that register positive in GCHQ’s “Orb identification” are actually infected, but they’re all stored in a database for future use. The Canadian slides talk about how some of that information was shared with the NSA.
Increasingly, innocent computers and networks are becoming collateral damage, as countries use the Internet to conduct espionage and attacks against each other. This is an example of that. Not only do these intelligence services want an insecure Internet so they can attack each other, they want an insecure Internet so they can use innocent third parties to help facilitate their attacks.
The story contains formerly TOP SECRET documents from the US, UK, and Canada. Note that Snowden is not mentioned at all in this story. Usually, if the documents the story is based on come from Snowden, the reporters say that. In this case, the reporters have said nothing about where the documents come from. I don’t know if this is an omission — these documents sure look like the sorts of things that come from the Snowden archive — or if there is yet another leaker.
No government agent or agency should be permitted to consider themselves above the law. What they are doing, you and I would be arrested and imprisoned for. I think it’s time we called these criminals to account for their crimes. Snowden did his part; it’s time for us to live up to our responsibilities as citizens and give these crooks the business.
The so-called “warrant canary” was first issued in Apple’s debut transparency report. Apple and other companies are not allowed to disclose whether or not they have received a Section 215 order under the Patriot Act, because the orders are classified.
Apple, however, preemptively asserted [it] “never received an order under Section 215 of the USA Patriot Act,” in November 2013.
That text has now been removed from its latest report, suggesting Apple has in fact received such an order.
BoingBoing reports this:
The premise of a warrant canary is that Section 215 of the Patriot Act can compel companies not to tell anyone about being served with a warrant, but that the law can’t compel a company to lie and say that it hasn’t received a warrant. This has not been tested in court yet.
It seems likely, based on the latest report, that Apple has now received at least one of the secret surveillance requests.