My Website is down. I mean crushed and down. Nothing shows up except for a few Greek characters and there’s no way I can recover it. I know because I’ve tried, my hosting service has tried, and I’m not as technically adept as I’d like to be.
Instead of wallowing in my despair – as I did enough of that earlier on the weekend – let’s look at a few takeaways from this experience and maybe learn something. If nothing else, it will be cathartic for me and help me let go as I create a whole new site.
1 – Contrary to what everyone warns you about, the stuff you put online is not ‘forever’. If it were, my site would still be up.
4 – Anything can be hacked. My passwords were superlong hashes of random characters. The hackers got in because on my site I also had a few old – I mean OLDE – WordPress installs that I wasn’t using any longer. The hackers accessed those blogs and then found a way to get into my current site as a whole.
5 – Coffee, Jolt soda, other stimulants will not help you think through the problem clearly. Only when I started to accept that my site was borked did I have an epiphany. I have the files backed up to before the hack. I have some time to work on this. I might as well use this as a learning experience.
4 – All your tech friends and colleagues like to seem really busy. I’ve put out a number of calls to WordPress experts who might help get my stuff back functioning. Nobody is available. It’s not as if I ever did anything to wrong them, but it seems that nobody wants a boring challenge. It will be a challenge to go through and clean my code up. It will be boring because there’s a LOT of crap on my blog.
5 – You’re only as good as your most recent article. As nobody can read my posts or updates or recounts from my latest adventures, the only thing people can see about me now is on my Twitter page, my YouTube videos and here on the Security Corner. Until I get something back up – yes, the databases were safe – on my site, I’ll just go back to being some writer who sometimes cries about security issues.
Since I have a newfound appreciation for the troubles people can get into, I welcome your sob stories and hopefully your stories of successfully putting your sites and life back together. Ping me on Twitter or leave a comment on this blog if you have ideas on how to resurrect my stuff.
Thanks for reading! This is not an early April Fool’s joke.
It occurred to me at a conference in Louisville that security isn’t an issue specific to businesses. In fact, most businesses are less secure than large conferences because of one simple reason – the staff at conferences are trained to examine the credentials of every person at their event.
Let’s compare and contrast the conference check-in table and room-proctor structure to the doors at your everyday business.
The conference check-in desk requires a name and often an ID for you to pick up your badge. In most cases the staff at the check-in desk knows many attendees personally. In both cases, this keeps interlopers from attending an event without paying.
Employees at your basic company hold the door for anyone dressed in business apparel who is heading into the facility. IDs are seldom checked and folks usually are more than willing to just point to the department or person mentioned by the burglar.
Try and get into a session at most technology conferences and there is a person at the door scanning bar codes. It’s akin to most events at the South by Southwest Festival in Austin, TX. If you don’t have a badge with a valid barcode, you can’t even get into a building to use the restrooms.
Stroll into any lobby at any organization – even the State House in many states – and ask to use the restroom. Usually it’s behind the security desk or out of sight of security personnel. If a tech columnist like me knows this, you realize that the best thieves and data criminals know how to get past the first line of defense at the front desk.
What are we to learn about this? First, it’s a good thing that there are usually multiple lines of defense within large data-dependent organizations. Second, you best prepare a really good fake ID and cover story if you want to attend AdobeMAX, SXSW, CES or other large conference. What’s your take?
Hillary Clinton puzzles me. She seems really smart – in the same way her husband/president was smart. But maybe she’s missing that gene that gives some smart people common sense. It’s a theory that the more books you read – and the more degrees you have – the less common sense you have.
So should anyone who is a Masters candidate or above be limited in their security clearance? Perhaps Hillary should go through a remedial “how to keep the United States’ information safe” course. After all, so many companies, both large and small, have actually figured out how to adopt a BYOD policy and keep their information safe.
It goes beyond the hardship of carrying an extra phone – see the Jon Stewart piece from earlier this month. It actually cuts to the core of whether the information you’re sharing is supposed to be vetted via existing security systems or if you want to skirt those systems.
Like me, I’m sure you have at least two email addresses. I actually have seven or so, but that’s because Google refuses to use its power for good and can’t find a way to consolidate accounts. With these multiple email addresses, you probably have a way to keep your notes sorted and safe. It seems that Hillary went a few steps beyond this and actually had a server – a physical server!! – placed in her house to house her private email conversations.
But these conversations weren’t actually private because they concerned public business and the United States. So what are we to do? What are we to think? How should anyone respond to this? It goes beyond politics and right into security. Here’s my take…
1 – If you have the resources to put the hardware necessary to run your own email in your home, you have the resources to ensure the data and discussions shared on that network/server are secure. If you’re working for the government and the info you’re sharing is government related, you should also be prepared to share that data with the public.
2 – If you understand the machinations of email servers, technology and classified communications, you should also not play dumb when asked about how many devices you carry, how many devices you can carry, and if it’s a hardship to send email from your government issued phone/device.
3 – There is no way, if the emails and communications that took place on the BYOD phone and the private server were related to running the government, that Hillary should be allowed to decide what info is destroyed and what info is kept.
Think about this as if it were Wal-Mart or Ford doing these things. The public outcry would be large and loud. And the request for better security for public (or shareholder) communications would also be deafening.
What’s your thought on what Hillary allegedly did with her technology? How would you fix it from a security standpoint? How would you fix it from a political standpoint?
Finally, do you think political officers should have different security rules than executives at large public organizations? Aren’t they similar in how they operate and the communities they serve?
Everyone freaks out because their home might not be secure. They have belongings inside that have value to a thief – and of course them. And keeping the actual property locked up and safe is the struggle they face on a regular basis.
It’s similar to what businesses go through every day – though businesses have it worse. The materials inside their walls, servers and offices are so valuable that if lost they would cripple the company. That’s why it’s so important to have a plan and a few things in mind when locking down your facility (or your home).
As we’re going to discuss next week on our Twitter chat, you need the right people in place to keep your organization secure. Provisioning, common sense and education are the three best ways to keep the riff-raff out and your precious materials and data inside.
From top to bottom in your company, let people know what access they have; how they can request increased access to data and facilities; and the procedure to bring on new employees. In fact, if you don’t have a list of security procedures in place, that’s the first place to start.
Next up, set some guidelines for access. This means keeping regular operating hours where any visitors to your facilities outside of those hours raises a red flag. In one instance I was freelancing for a technology firm that required all contractors to be off-site from 5PM to 9AM. It ensured that ‘outsiders’ were only in contact with valuable services and data during business hours. The takeaway here is to supervise all visitors.
Finally, maintain regular security protocols across the enterprise. Keep passwords changing on a regular basis. Update badges semi-annually so photos are current and provisioning is accurate. And provide regular documentation of new security processes to all employees and departments.
The last thing you want to do is leave your door open to thieves.
While it might be a bit easier to implement in your home because you have a much smaller population to educate about locking down your property, it’s similar in scope.
Ultimately, keep an eye on how you keep your stuff safe and you’ll have to spend less time keeping your stuff in view all the time.
What’s the best security tip you can share about keeping data or facilities safe?
According to the WeLiveSecurity blog, Hillary Clinton, who – heaven forbid – is widely believed to be the next Democratic presidential candidate, used a personal email address while working at the State Department:
The New York Times has published claims that Hillary Clinton did not have a government email address throughout her four-year tenure at the US State Department, but instead used a personal email address.
This is crazy. Not only is it extremely dangerous from the standpoint of national security, who’s to say that it wasn’t designed to conceal certain actions she took as our secretary of state? According to the Times, Mrs. Clinton has long been criticized for a lack of transparency and an inclination toward secrecy.
Federal law states that letters and emails written and received by federal officials are considered government records. They are supposed to be retained so that congressional committees, journalists, historians, etc. can find them. Penalties for not complying with these requirements are rare, however.
We don’t know what, if any, encryption or other security measures Mrs. Clinton’s account employed, and it’s not clear why this was allowed to happen. Surely IT security staff at the State Department objected. Any self-respecting IT security professional would insist that an official’s communications related to their job be properly secured.
I’m regularly baffled by the incongruous nature of security in this country. We seemingly don’t have a set of standards – or even common sense – when it comes to locking down our valuable data assets and letting others remain accessible.
The event that brought this fully to mind was when I was watching Ocean’s Eleven for the fortieth time. Specifically when the group of thieves is able to get a cart with a person inside into the main vault at the Bellagio hotel and casino.
Yes, it’s fiction, but the similarities in security emphasis astound me when it comes to day-to-day activity.
Here is a list of scenarios that I’d like you to examine. At the end, I’ll tell you which ones actually occurred because security was so lax.
A Facebook page was created and the ‘person’ on the page was followed by news outlets and other fact-aware businesses.
Thieves posed as real estate agents and were able to have unfettered access to homes in upscale towns near Boston at regular times during the week.
A car thief was able to steal an expensive vehicle just by standing around outside a luxury hotel and pretending to be a valet.
People were able to get medical services just by saying they were someone else at the reception desk at a doctor’s office.
Criminals were able to steal the credit card and ATM card data of dozens of people in a busy city just by putting a skimming device on a bank ATM.
Had enough? All of these – except the medical scenario – actually occurred at one time or another in the past couple of years. In fact, as security becomes more of a focus at the high end, more crimes will happen in situations where technology plays a much smaller role.
Take the valet car attendant, for example. That’s an easy scam. Just get some black sneakers, black jeans and a jacket and you can probably take any car you want from a person pulling up to a hotel.
The Facebook scam has been done hundreds of times and I actually use it as an example in my social media training sessions.
The real estate scam is an oldie but a goodie. Seldom do listing agents require you to show ID when you visit a broker or regular open house. You’re not going to run off with the entire property, so where’s the danger? It lies in figuring out the home security and coming back at a later date to clean out the house.
And skimmers are regularly found on all types of credit card machines all over big cities.
So, what are we to do if we want to remain safe and secure? Pay attention. Don’t allow yourself to get fooled by people, devices or situations. Have your wits about you and maintain good passwords for all your accounts – social and financial.
And most of all be skeptical. Keep your belongings secure, store copies of IDs and credit information in a safe deposit box and in a secure online repository. Then ensure anyone you have as an agent for your stuff (home, car, social account, bank account) treats those things with the same care you would.
It only takes getting burnt once to make you wake up and pay attention. Why not do so before something bad happens?
What do you do to remain safe and secure in your daily life?
As you’ve probably noticed, we’ve been putting on a regular #ITKESecurity Twitter chat about once a month. The goal of the chat is to answer some of the questions you might have regarding security issues.
This week we hosted a discussion based on Disaster Recovery and it went quite well. The questions – five of them – centered on your plans when disaster strikes and how you plan to recover your information and take control of your facilities in the event of an emergency.
It was a valuable talk and if you’d like to see some of the questions and responses, just visit Twitter and search for the #ITKESecurity hashtag. It should bring up the bulk of the tweets from our hour-long event.
Join us next month for another security-focused chat and tweet along with us. Watch this space for an announcement as to date and time.
When you read about someone getting pins in their body, you immediately think about a broken bone and the procedure needed to repair it. In the medical field, we’re now hearing about pins in another way…as a security device.
These pins aren’t the titanium ones that go into ankles and hips, they’re the ones that come with credit cards and are secured by the latest chip-and-PIN technology. But why is this necessary? Has there been an issue around medical record security?
I ask that tongue-in-cheek, knowing full well that Anthem and other medical insurance and service providers are fully under attack. Our data in hospitals is no safer now than it was at Target or Home Depot. And the time has come for us to take note.
Some facilities are doing just that with the aforementioned technology. They’re making it impossible for you to share your data without a membership card that is as secure as any credit card you own. In fact, I was just in a health center for a minor procedure and it amazed me at how seriously the staff is taking this breach and the issue of info-security.
It makes you feel good when the administrative assistant at the reception desk asks you for your date of birth, full name AND photo ID just to let you see the doctor. It’s a bit overkill when they request the same information at other times. For example, to ensure you’re the right person to go through an intrusive and embarrassing procedure like a colonoscopy.
Seriously, who is going to hack a medical record, forge an ID and then sneak into a clinic to get a medical scope jammed up their backside? But I digress. The issue of information safety in the medical realm is one we could learn from.
They’ve responded fast, fully and effectively to lock down our data and keep us safe. Perhaps it’s time the credit card companies, places like eBay and services like Uber get their ducks in a row and protect their staff and customer data.
If they don’t work on this fast and properly, I’d certainly be in favor of sending their executives for a few embarrassing medical procedures just to get their attention.
What’s your take? Should all businesses take the strong tack medical and insurance companies have instituted?
“Citizen Four”, the documentary about Edward Snowden, won an Oscar. Director Laura Poitras, journalist Glenn Greenwald and Edward Snowden himself participated in a chat on Reddit yesterday. One question stood out. This from GCHQ – Graham Cluley’s Security Newsletter:
The NSA whistleblower, who now lives in Moscow, was asked if he would do anything differently in retrospect.
Mr. Snowden, if you had a chance to do things over again, would you do anything differently? If so, what?
Had I come forward a little sooner, these programs would have been a little less entrenched, and those abusing them would have felt a little less familiar with and accustomed to the exercise of those powers. This is something we see in almost every sector of government, not just in the national security space, but it’s very important:
Once you grant the government some new power or authority, it becomes exponentially more difficult to roll it back. Regardless of how little value a program or power has been shown to have (such as the Section 215 dragnet interception of call records in the United States, which the government’s own investigation found never stopped a single imminent terrorist attack despite a decade of operation), once it’s a sunk cost, once dollars and reputations have been invested in it, it’s hard to peel that back.
Don’t let it happen in your country.
You’ve heard it before and you’re going to hear it again from me. When it comes to using the internet, TRUST NO ONE. For anyone who may be receiving this data in some way other than reading it with your own eyes, that mantra is written in red, all caps, bold, italicized and underscored text. If you are connected to the internet, you have to assume that everyone and anyone can see everything and anything originating from your computer or other connected device. We write about security all the time. We promulgate all sorts of techniques and tips about how to be more secure online. Sure, these things may protect you from hackers and common cybercriminals, but they will never protect you from the largest criminal organizations on the planet: NSA, GCHQ and other spy agencies. Your operating system is not secure; your software is not secure; your email is not secure. It’s questionable that any commercial hardware you use is secure.
Read these articles and decide for yourself:
Lenovo slipped “Superfish” malware into laptops: http://money.cnn.com/2015/02/19/technology/security/lenovo-superfish/
Schneier on NSA’s encryption defeating efforts: Trust no one: http://www.pcworld.com/article/2048268/schneier-on-nsas-encryption-defeating-efforts-trust-no-one.html
Revealed: how US and UK spy agencies defeat internet privacy and security: http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security