Security Corner


May 11, 2015  11:22 PM

Football Security – Deflategate and its Lessons

Jeff Cutler Jeff Cutler Profile: Jeff Cutler
football, Game, information, Security

A few moments ago the journalists on ESPN announced that Tom Brady – quarterback for the New England Patriots – has been suspended for the first four games of the 2016 NFL season. This is a result of the #Deflategate investigation and the penalties handed out by the league. Added to the penalties were the loss of two draft picks – a first rounder in 2016 and a fourth rounder in 2017. Further, the team has been fined $1Million.

IMG_3583

What’s this mean to anyone dealing with security issues? Actually a lot. In fact, if the NFL had been better at protecting the tools of the game, this situation might not have occurred at all. If the powers that control the game and regulate the pressure of the footballs used in the games was watched closer, one of the icons of the game wouldn’t have even had the chance to cheat to gain an advantage.

But that’s the big issue. In competition – as in business – companies and players are always looking for a competitive advantage. In this case, it seems that Tom Brady was trying to get an advantage by letting a little air out of the footballs that his team was using during the season. What this does – a softer football – is offer the quarterback an easier ball to handle and running backs and receivers a much easier ball to catch and carry.

In fact, it was said on ESPN tonight that a deflated football is almost impossible to lose control of. Which means fumbles are eliminated and any football fan knows how big a factor fumbles and takeaways are in whether a team wins or loses.

So, let’s talk about this as an analogy to business processes. How can we learn from this?

Essentially, we need to have better security at all levels. From front-line security and reception (akin to the ball boys and equipment managers), we need to ensure that only properly provisioned and approved personnel get onsite and have access to company data.

Then our inside staff – IT and technology personnel – should follow up and keep systems and facilities as safe as possible. This is similar to what the referees did when they found underinflated footballs in possession of the New England Patriots.

Ultimately, the stigma that will follow Tom Brady and the New England Patriots may leave an asterisk on all their successes – because nobody can truly know if they were deflating footballs as far back as their first Super Bowl win. And this type of stigma might manifest itself as loss of business when it comes to technology companies.

The lesson to be learned? Don’t be like Tom Brady when you look for a competitive advantage. Cheating is wrong, integrity is right, and we should all focus on security as much as possible. What’s your take?

How are you going to make your company more secure?

If you were in charge of the NFL, how would you punish cheaters and those who didn’t keep the game secure and clean?

April 30, 2015  8:18 PM

NCIS New Orleans – Smuggling Information

Jeff Cutler Jeff Cutler Profile: Jeff Cutler
computer, Data, PC, Security, Thumb drive

In a plot twist worthy of Back to the Future, X-Men and Mission Impossible, a recent NCIS New Orleans show dealt with data encryption and smuggling and kidnapping. That’s not the coolest part. All of it was done using some real terminology and tools – not just movie magic or TV smoke and mirrors.

Screen Shot 2015-04-30 at 4.17.48 PM

Yes, this is the second recent post that’s come from my love for TV mystery or cop shows. Yes, it does tie directly to data and information security. No, I don’t know why TV gets such a bad rap from parents all over the world. But back to data security and encryption.

In the episode they were following a theme that has been brought up before and explained away poorly. They were using images and the data embedded in images to give bad guys a handle on where drugs and other illegal substances would be exchanged. On other shows, it hasn’t quite worked because the way the decryption was shown was clunky. Now it actually makes sense.

But it makes me a little concerned. If the folks on TV can dumb down security challenges like image data encryption to the point that even I can understand it, is it an indicator that data thieves and other technology criminals will be upping their game soon? It’s akin to the media playing up incidents on the news which then results in copycat crimes of the same nature occurring.

Do you think the tech they’re showing us on cable is detailed enough to spur a whole generation of cyber criminals into action? Or should I take my worries elsewhere and just keep writing about how to keep facilities and data safe in the enterprise?


April 30, 2015  8:06 PM

Are You Driving an Easy Target? Car Security.

Jeff Cutler Jeff Cutler Profile: Jeff Cutler
Computers, Data, keys, Security

The television show Sherlock got me thinking about automotive security. While lots of folks are moving to cars with keyless entry and key fobs in their pocket and not in the dash, are thieves finding easier technological ways to boost your car?

Screen Shot 2015-04-30 at 4.03.41 PM

According to an article in BBC News, computers are being used more to steal high-end cars.

I bring up the Sherlock show because on the show – SPOILER ALERT – Sherlock is friends with a former car thief and helps provide him an alibi in a recent episode by stealing about 20 Ferraris and Lamborghinis. The discussion turns to automotive security and it seems that even the most high-tech systems are easy to breach.

The article concurs. Here’s a snippet…

The thieves are able to bypass security using equipment intended only for mechanics, the Society of Motor Manufacturers and Traders (SMMT) said.

Manufacturers are trying to stay ahead of the thieves by updating software.

It has been reported that some London-based owners of Range Rovers have been denied insurance over the issue.

The warnings echoed those made by the US National Insurance Crime Bureau (NICB), which earlier this year said it had seen a “spike” in car thefts involving equipment to spoof keyless entry.

What are drivers to do? Likely just hope their car doesn’t get chosen. Since the early 2000s, keys with chips in them have been used to thwart thieves. But now that actual keys aren’t needed, who knows what’s next on the road to vehicle security?


April 30, 2015  7:11 PM

Five steps to avoid webcam spying

Ken Harthun Ken Harthun Profile: Ken Harthun
Security, spy, Webcams

If you recall, last year, Miss Teen USA, Cassidy Wolf’s, computer was hacked and the hacker then attempted to “sextort” her by threatening to post nude photographs of her on various social media sites. The hacker employed the notorious Blackshades RAT malware on her laptop to do his dirty work. Here’s a clip of her CNN interview:

Most all laptops, tablets, phones and other mobile devices these days have built in cameras. All Apple iMac computers have them.

What can you do to prevent being spied upon? Here’s my short list of five preventive measures.

  1. Cover the camera when you aren’t using it. A sticky note or a piece of masking tape works just fine.
  2. Turn your device off when you aren’t using it. Not only will the camera not work, you’ll save a little on your energy bill.
  3. Close the lid. I keep my MacBook Pro closed when I’m not using it. A hacker will see only black if they have any access to it.
  4. Run good anti-malware software and keep it updated along with all your applications and your firmware as well. Scan for malware regularly.
  5. Don’t use your computer when you’re naked. (I had to through that one in there…lol)


April 28, 2015  7:15 PM

(Warning: NFW or kids) Hilarious Edward Snowden video

Ken Harthun Ken Harthun Profile: Ken Harthun
Edward Snowden, Security, Video

From Last Week Tonight with John Oliver: Government Surveillance (HBO)

You won’t believe what they talk about! Not for work or if any kids are around…


April 28, 2015  7:01 PM

I never thought it would happen to me

Ken Harthun Ken Harthun Profile: Ken Harthun
Cybercrime, cybercriminals, cyberscams, phone call, Security

So, I was working away trying to recover some lost data for one of my students when my cell phone rang. It came up “Unknown” on the caller ID. I normally don’t answer calls I can’t identify, but I was irritated and frustrated and I answered it in hopes I’d have someone to launch a tirade against (I have been on every “Do Not Call” list with every phone number I’ve ever had, but it’s a useless regulation, since no telemarketing firm ever honors it. I usually give them an ear full and threaten all sorts of legal mayhem, but it rarely does any good).

“Hello, this is Ken.”

“Hello, Ken, I am calling about your computer.” (Heavy Indian/Pakistani accent)

“What?” (Pretending not to understand)

“Your computer.”

“What?”

(A bit agitated, now) “We have been receiving many errors from your computer.”

I play along for a second, “Really? What kind of errors?”

“You have many system errors and viruses on your computer.”

“Oh, really? How are you getting these errors?”

“We monitor all computers for errors. We want to help you fix your computer.”

At this point, I lost my desire to play games “Look buddy, I’m a computer security expert and you are full of s… and a con artist.”

Before I even finished the sentence, I began hearing a stream of “F… you, F… you.” I told him if he called again, I would trace it and he hung up with one last expletive from me, this time.

In hindsight, I probably should have played along, let him into one of my spare laptops and recorded the session and his IP address so I could report it properly, but I was just too preoccupied with other matters.

If I get another call like this, I’ll do that. I just didn’t think it would ever happen to me.

 


April 24, 2015  1:19 PM

A Tale of Wallet Security

Jeff Cutler Jeff Cutler Profile: Jeff Cutler
id, Lost, retail, Security

Break out your tissues because you might get a little misty after hearing my tale. I’ll tell it simply and quickly. But you’re sure to take a few things away from reading this post.

First, you’ll believe people are better than you first thought.

Next, you’ll be impressed at how much information one person can dig up on the Internet in the span of five or ten minutes.

Lastly, you’ll be A LOT more careful with your IDs and wallet for fear of losing your entire identity – and $25.

Screen Shot 2015-04-24 at 9.17.34 AM

Here we go…

Thursday, April 23, my wife went shopping at Old Navy in Hingham. I’m assuming it was to buy gifts for me because my birthday was this week and because she usually shops at high-end boutique stores. While she was there, she found a wallet.

Instead of leaving the wallet with the Old Navy personnel, she decided to take responsibility for the wallet and the items inside. The fear – and what would also motivate me – was that if you turn in an item to retail workers you lose control of what happens to the item. Essentially, if you find something you either get to keep it or you shepherd it to its rightful owner. That’s the moral law of the universe…according to me anyhow.

Moving on…she brought the wallet home, did a bit of research to find the address of the owner (simply looking at the license was enough – so no black arts of the Internet yet). Then she took $20 from the wallet (there was only $25 inside) to pay for shipping and insuring the wallet back to its owner. I then arrived home.

Once told what had happened, I took to the ether of the ‘net. In about seven minutes I had found the owner’s husband’s LinkedIN account and sent him a note. I also found the owner’s Facebook account and sent her a message. And for good measure I dug around for a phone number, but these days most people only carry a cell and those are seldom listed in WhitePages.com.

Then I went to bed.

Today, I woke up and looked at my phone. I had a phone call and a message from a number I didn’t recognize. It was the owner calling about the wallet. Now follow this chain of events…

My LinkedIN note got to her husband in CHINA. He and his wife (the wallet owner) have not spoken in a while, maybe years. But the husband is still in touch with their son and therefore told the son about the wallet being found. The son told the mother. The mother called me.

As I type this, I’m sitting in a coffee shop near that Old Navy store waiting for the woman to show up and get her wallet. I put $20 back inside because we didn’t have to ship it. 20 minutes from now I’ll know if this entire exercise has worked and I’ll hopefully see a smiling face on a stranger’s face.

Screen Shot 2015-04-24 at 9.18.10 AM

Satisfied? The world is a scary place, but there are good people in it. What I’d like you to do is imagine if the wallet had fallen into the wrong hands. Imagine if it was your data laying on the sidewalk outside Old Navy. Imagine that your data IS always on a sidewalk somewhere and the world has access to it.

If you’re at least aware of these facts, you’ll likely be much more careful with your data and the data of others. Just a heartwarming tale for you today. Next column will be much more sinister!


April 23, 2015  4:59 PM

The Marathon – Tracking the Runners…and the crowd

Jeff Cutler Jeff Cutler Profile: Jeff Cutler
Data, holiday, police, Security, Video

Each year I write…or I should say I have written…a post about the Boston Marathon. For my entire life I have attended the race and the Red Sox baseball game that takes place the morning of the marathon. But this year was different.

I wasn’t feeling it. Two years after the bombs exploded on Boylston Street, I decided it was time to change up my traditions and not rush into Boston to see some freezing baseball and 15,000+ runners. I decided to spend time watching both events via social media and other channels. And it was great.

Screen Shot 2015-04-23 at 12.57.14 PM

I had friends running this year and for the first time I had my eyes opened to the glory of actually tracking someone virtually as they travel 26.2 miles. I hardly got tired at all.

But this online tracking of runners and the social media updates and posts from Fenway Park and Kenmore Square got me thinking about how well-tracked we all are these days. While security had dozens – if not hundreds – of cameras in place the length of the course, the runners had chips on their bibs or on their shoes, and the populace was monitoring it all via their smartphones via Vine, Meerkat, Periscope and other live-streaming apps.

One of my friends even set up shop in the Breather space on Boylston and did a live stream. His name is Steve Garfield and I can’t remember the service he used, but it was interesting and informative. And it was LIVE as the action happened.

Does it mean we’re being monitored too closely? I’m not sure. But it certainly proves that we as a nation have the capacity to track whatever it is we want to track. In a way that makes me happy.

Screen Shot 2015-04-23 at 12.57.02 PM

I’d like to think my local police can use their high-tech devices to track gunshots via sound (and they can).

I’d like to think my government can actually track heat signatures of people trying to smuggle drugs into this country (and they can).

And I’d like to think more companies can endeavor to keep our data secure with the right methods and strategies (and they can…but when will they).

Technology allows us lots of cool advantages and access to information. Let’s make sure the companies we trust with our data know how to use this technology to keep our stuff out of the hands of the bad guys.

What do you think of the latest tech? How would you like to see tracking, video, surveillance and other technologies used?


March 31, 2015  2:04 PM

Site Hackers – Not a Friendly Bunch, Perhaps

Jeff Cutler Jeff Cutler Profile: Jeff Cutler
Blog, Code, Coding, Data, FILES, Hack, Security

My Website is down. I mean crushed and down. Nothing shows up except for a few Greek characters and there’s no way I can recover it. I know because I’ve tried, my hosting service has tried, and I’m not as technically adept as I’d like to be.

Instead of wallowing in my despair – as I did enough of that earlier on the weekend – let’s look at a few takeaways from this experience and maybe learn something. If nothing else, it will be cathartic for me and help me let go as I create a whole new site.

Screen Shot 2015-04-01 at 10.03.16 AM

1 – Contrary to what everyone warns you about, the stuff you put online is not ‘forever’. If it were, my site would still be up.

2 – Anything can be hacked. My passwords were superlong hashes of random characters. The hackers got in because on my site I also had a few old – I mean OLDE – wordpress installs that I wasn’t using any longer. The hackers accessed those blogs and then found a way to get into my current site as a whole.

3 – Coffee, Jolt soda, other stimulants will not help you think through the problem clearly. Only when I started to accept that my site was borked did I have an ephiphany. I have the files backed up to before the hack. I have some time to work on this. I might as well use this as a learning experience.

4 – All your tech friends and colleagues like to seem really busy. I’ve put out a number of calls to WordPress experts who might help get my stuff back functioning. Nobody is available. It’s not as if I ever did anything to wrong them, but it seems that nobody wants a boring challenge. It will be a challenge to go through and clean my code up. It will be boring because there’s a LOT of crap on my blog.

5 – You’re only as good as your most recent article. As nobody can read my posts or updates or recounts from my latest adventures, the only thing people can see about me now is on my Twitter page, my YouTube videos and here on the Security Corner. Until I get something back up – yes, the databases were safe – on my site, I’ll just go back to being some writer who sometimes cries about security issues.

Since I have a newfound appreciation for the troubles people can get into, I welcome your sob stories and hopefully your stories of successfully putting your sites and life back together. Ping me on Twitter or leave a comment on this blog if you have ideas on how to resurrect my stuff.

Thanks for reading! This is not an early April Fool’s joke.


March 30, 2015  1:51 PM

Easier to Break Into Your Company or a Conference Event?

Jeff Cutler Jeff Cutler Profile: Jeff Cutler
Business, Data, provisioning, Security

It occurred to me at a conference in Louisville that security isn’t an issue specific to businesses. In fact, most businesses are less secure than large conferences because of one simple reason – the staff at conferences are trained to examine the credentials of every person at their event.

_MG_1878

Let’s compare and contrast the conference check-in table and room-proctor structure to the doors at your everyday business.

High-Security
The conference check-in desk requires name and often an id for you to pick up your badge. In most cases the staff at the check-in desk knows many attendees personally. In both cases, this keeps interlopers from attending an event without paying.

Low-Security
Employees at your basic company hold the door for anyone dressed in business apparel who is heading into the facility. IDs are seldom checked and folks usually are more than willing to just point to the department or person mentioned by the burglar.

High-Security
Try and get into a session at most technology conferences and there is a person at the door scanning bar codes. It’s akin to most events at the South by Southwest Festival in Austin, TX. If you don’t have a badge with a valid barcode, you can’t even get into a building to use the restrooms.

_MG_1914

Low-Security
Stroll into any lobby at any organization – even the State House in many states – and ask to use the restroom. Usually it’s behind the security desk or out of sight of security personnel. If a tech columnist like me knows this, you realize that the best thieves and data criminals know how to get past the first line of defense at the front desk.

What are we to learn about this? First, it’s a good thing that there are usually multiple lines of defense within large data-dependent organizations. Second, you best prepare a really good fake ID and cover story if you want to attend AdobeMAX, SXSW, CES or other large conference. What’s your take?


Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: