Security Corner

March 17, 2015  5:33 PM

Home and Business Security Similarities

Jeff Cutler Jeff Cutler Profile: Jeff Cutler
Business, Data, home, provisioning, Security

Everyone freaks out because their home might not be secure. They have belongings inside that have value to a thief – and of course them. And keeping the actual property locked up and safe is the struggle they face on a regular basis.

It’s similar to what businesses go through every day – though businesses have it worse. The materials inside their walls, servers and offices are so valuable that if lost they would cripple the company. That’s why it’s so important to have a plan and a few things in mind when locking down your facility (or your home).


As we’re going to discuss next week on our Twitter chat, you need the right people in place to keep your organization secure. Provisioning, common sense and education are the three best ways to keep the riff-raff out and your precious materials and data inside.

From top to bottom in your company, let people know what access they have; how they can request increased access to data and facilities; and the procedure to bring on new employees. In fact, if you don’t have a list of security procedures in place, that’s the first place to start.

Next up, set some guidelines for access. This means keeping regular operating hours where any visitors to your facilities outside of those hours raises a red flag. In one instance I was freelancing for a technology firm that required all contractors to be off-site from 5PM to 9AM. It ensured that ‘outsiders’ were only in contact with valuable services and data during business hours. The takeaway here is to supervise all visitors.

Finally, maintain regular security protocols across the enterprise. Keep passwords changing on a regular basis. Update badges semi-annually so photos are current and provisioning is accurate. And provide regular documentation of new security processes to all employees and departments.

The last thing you want to do is leave your door open to thieves.


While it might be a bit easier to implement in your home because you have a much smaller population to educate about locking down your property, it’s similar in scope.

Ultimately, keep an eye on how you keep your stuff safe and you’ll have to spend less time keeping your stuff in view all the time.

What’s the best security tip you can share about keeping data or facilities safe?

March 4, 2015  7:21 PM

Security faux pas: Hillary Clinton used personal email for government

Ken Harthun Ken Harthun Profile: Ken Harthun
Email, Email archiving, Government IT, regulatory compliance, Security

Crazy Girl Cross Eyed And Pulling Her EarsAccording to the WeLiveSecurity blog, Hillary Clinton, who–heaven forbid–is widely believed to be the next Democratic presidential candidate, used a personal email address while working at the State Department:

The New York Times has published claims that Hillary Clinton did not have a government email address throughout her four-year tenure at the US State Department, but instead used a personal email address.

This is crazy. Not only is it extremely dangerous from the standpoint of national security, who’s to say that it wasn’t designed to conceal certain actions she took as our secretary of state?  According to the Times, Mrs. Clinton has long been criticized for a lack of transparency and an inclination toward secrecy.

Federal law states that letters and emails written and received by federal officials are considered government records. They are supposed to be retained for use by congressional committees, journalists, historians, etc. can find them. Penalties for not complying with these requirements are rare, however.

We don’t know what, if any, encryption or other security measures Mrs. Clinton’s account employed, and it’s not clear why this was allowed to happen. Surely IT security staff at the State Department objected. Any self-respecting IT security professional would insist that an official’s communications related to their job be properly secured.

February 28, 2015  4:13 PM

Security – How Much is Too Much; How Much is Too Little?

Jeff Cutler Jeff Cutler Profile: Jeff Cutler
ATM, Data, Infosec, Security, social media

I’m regularly baffled by the incongruous nature of security in this country. We seemingly don’t have a set of standards – or even common sense – when it comes to locking down our valuable data assets and letting others remain accessible.

The event that brought this fully to mind was when I was watching Ocean’s Eleven for the fortieth time. Specifically when the group of thieves is able to get a cart with a person inside into the main vault at the Bellagio hotel and casino.


Yes, it’s fiction, but the similarities in security emphasis astound me when it comes to day-to-day activity.

Here are a list of scenarios that I’d like you to examine. At the end, I’ll tell you which ones actually occurred because security was so lax.

A Facebook page was created and the ‘person’ on the page was followed by news outlets and other fact-aware businesses.

Screen Shot 2015-02-28 at 11.01.01 AM

Thieves posed as real estate agents and were able to have unfettered access to homes in upscale towns near Boston at regular times during the week.

A car thief was able to steal an expensive vehicle just by standing around outside a luxury hotel and pretending to be a valet.


People were able to get medical services just by saying they were someone else at the reception desk at a doctor’s office.

Criminals were able to steal the credit card and ATM card data of dozens of people in a busy city just by putting a skimming device on a bank ATM.

Had enough? All of these – except the medical scenario actually occurred at one time or another in the past couple years. In fact, as security becomes more of a focus at the high end, more crimes will happen in situations where technology plays a much smaller role.

Take the valet car attendant, for example. That’s an easy scam. Just get some black sneakers, black jeans and a jacket and you can probably take any car you want from a person pulling up to a hotel.

The Facebook scam has been done hundreds of times and I actually use it as an example in my social media training sessions.

The real estate scam is an oldie but a goodie. Seldom to listing agents require you to show ID when you visit a broker or regular open house. You’re not going to run off with the entire property, so where’s the danger? It lies in figuring out the home security and coming back at a later date to clean out the house.

And skimmers are regularly found on all types of credit card machines all over big cities.

So, what are we to do if we want to remain safe and secure? Pay attention. Don’t allow yourself to get fooled by people, devices or situations. Have your wits about you and maintain good passwords for all your accounts – social and financial.


And most of all be skeptical. Keep your belongings secure, store copies of ids and credit information in a safe deposit box and in a secure online repository. Then ensure anyone you have as an agent for your stuff (home, car, social account, bank account) treats those things with the same care you would.

It only takes getting burnt once to make you wake up and pay attention. Why not do so before something bad happens?

What do you do to remain safe and secure in your daily life?

February 28, 2015  3:27 PM

Chatting about Security

Jeff Cutler Jeff Cutler Profile: Jeff Cutler
chat, Data, Disaster Recovery, ITKE, Security, twitter

As you’ve probably noticed, we’ve been putting on a regular #ITKESecurity Twitter chat about once a month. The goal of the chat is to answer some of the questions you might have regarding security issues.

Screen Shot 2015-02-28 at 10.24.21 AM

This week we hosted a discussion based on Disaster Recovery and it went quite well. The questions – five of them – centered on your plans when disaster strikes and how you plan to recover your information and take control of your facilities in the event of an emergency.

It was a valuable talk and if you’d like to see some of the questions and responses, just visit Twitter and search for the #ITKESecurity hashtag. It should bring up the bulk of the tweets from our hour-long event.

Screen Shot 2015-02-28 at 10.24.35 AM

Join us next month for another security-focused chat and tweet along with us. Watch this space for an announcement as to date and time.


February 28, 2015  3:18 PM

Chips, Pins and Intrusive Medical Procedures

Jeff Cutler Jeff Cutler Profile: Jeff Cutler
Access, Data, id, Security

When you read about someone getting pins in their body, you immediately think about a broken bone and the procedure needed to repair it. In the medical field, we’re now hearing about pins in another way…as a security device.


These pins aren’t the titanium ones that go into ankles and hips, they’re they ones that come with credit cards and are secured by the latest chip-and-pin technology. But why is this necessary? Has there been an issue around medical record security?

I ask that tongue-in-cheek, knowing full well that Anthem and other medical insurance and service providers are fully under attack. Our data in hospitals is no safer now than it was at Target or Home Depot. And the time has come for us to take note.


Some facilities are doing just that with the aforementioned technology. They’re making it impossible for you to share your data without a membership card that is as secure as any credit card you own. In fact, I was just in a health center for a minor procedure and it amazed me at how seriously the staff is taking this breach and the issue of info-security.

It makes you feel good when the administrative assistant at the reception desk asks you for your date of birth, full name AND photo id just to let you see the doctor. It’s a bit overkill when they request the same information at other time. For example, to ensure you’re the right person to go through an intrusive and embarrassing procedure like a colonoscopy.


Seriously, who is going to hack a medical record, forge an id and then sneak into a clinic to get a medical scope jammed up their backside. But I digress. The issue of information safety in the medical realm is one we could learn from.

They’ve responded fast, fully and effectively to lock down our data and keep us safe. Perhaps it’s time the credit card companies, places like eBay and services like Uber get their ducks in a row and protect their staff and customer data.


If they don’t work on this fast and properly, I’d certainly be in favor of sending their executives for a few embarrassing medical procedures just to get their attention.

What’s your take? Should all businesses take the strong tact medical and insurance companies have instituted?

February 24, 2015  8:56 PM

Edward Snowden regrets not coming forward sooner

Ken Harthun Ken Harthun Profile: Ken Harthun
Breech of my privacy, Privacy rights, spy, Whistleblower

Source: Graphic Stock“Citizen Four”, the documentary of Edward Snowden, won an Oscar. Director Laura Poitras, journalist Glenn Greenwald and Edward Snowden himself particitpated in a chat on Reddit yesterday. One question stood out. This from GCHQ – Graham Cluley’s Security Newsletter:

The NSA whistleblower, who now lives in Moscow, was asked if he would do anything differently in retrospect.

Mr. Snowden, if you had a chance to do things over again, would you do anything differently? If so, what?

I would have come forward sooner. I talked to Daniel Ellsberg about this at length, who has explained why more eloquently than I can.

Had I come forward a little sooner, these programs would have been a little less entrenched, and those abusing them would have felt a little less familiar with and accustomed to the exercise of those powers. This is something we see in almost every sector of government, not just in the national security space, but it’s very important:

Once you grant the government some new power or authority, it becomes exponentially more difficult to roll it back. Regardless of how little value a program or power has been shown to have (such as the Section 215 dragnet interception of call records in the United States, which the government’s own investigation found never stopped a single imminent terrorist attack despite a decade of operation), once it’s a sunk cost, once dollars and reputations have been invested in it, it’s hard to peel that back.

Don’t let it happen in your country.


February 22, 2015  6:36 PM

On security: Trust no one

Ken Harthun Ken Harthun Profile: Ken Harthun
AES encryption, cybercriminals, lenovo, Security
Leaked information concept

Trust No One

You’ve heard it before and you’re going to hear it again from me. When it comes to using the internet, TRUST NO ONE. For anyone who may be receiving this data in some way other than reading it with your own eyes, that mantra is written in red, all caps, bold, italicized and underscored text. If you are connected to the internet, you have to assume that everyone and anyone can see everything and anything originating from your computer or other connected device. We write about security all the time. We promulgate all sorts of techniques and tips about how to be more secure on line. Sure, these things may protect you from hackers and common cybercriminals, but they will never protect you from the largest criminal organizations on the planet: NSA, GCHQ and other spy agencies. Your operating system is not secure; your software is not secure; your email is not secure. It’s questionable that any commercial hardware you use is secure.

Read these articles and decide for yourself:

Lenovo slipped “Superfish” malware into laptops:

Schneier on NSA’s encryption defeating efforts: Trust no one:

Revealed: how US and UK spy agencies defeat internet privacy and security:

Got it?

February 21, 2015  7:01 PM

Criminal mischief: Sony gave us a rootkit, Lenovo gives us malware

Ken Harthun Ken Harthun Profile: Ken Harthun
Adware, cybercriminals, lenovo, malware, Security
I'm fed up with Adobe!

Really, Lenovo?

It’s a sad state of affairs when companies we trust turn out to be engaged in criminal mischief. In 2005, Sony BMG installed rootkits on the computers of anyone who purchased and played certain music CDs. As a result of that betrayal, I and many others boycotted Sony-produced products. Now, yet another huge  and trusted company, a supplier of quality computer products that many of us have in our organizations, has screwed the pooch. I didn’t join in the fray on Thursday when it was revealed that computer maker Lenovo has been shipping laptops with preinstalled malware that makes you more vulnerable to hackers — all for the sake of serving you advertisements. I like to step back and breathe a little before I react to such news. Well, I’ve breathed a bit since Thursday, looked it over, and have decided that I’m mad as hell. And, as in my personal boycott against all things Sony, I’ll do my damnedest never to buy anything made by Lenovo again.

At the college where I work I have a mobile computer lab comprising 20 Lenovo ThinkPad Edge notebooks. Lenovo says they didn’t install the malware on this model, but can I really trust them? I don’t think so. I’m thankful that when I initially took delivery of these notebooks, I wiped the Microsoft Windows 8 factory image and installed our own Windows 7 image. It contains no factory-installed software. Nevertheless, we won’t be buying any more of these or anything branded Lenovo despite their completely BS we-didn’t-think-we-were-doing-anything-wrong statement:

In our effort to enhance our user experience, we pre-installed a piece of third-party software, Superfish (based in Palo Alto, CA), on some of our consumer notebooks.  The goal was to improve the shopping experience using their visual discovery techniques.

. . .

To be clear: Lenovo never installed this software on any ThinkPad notebooks, nor any desktops, tablets, smartphones or servers; and it is no longer being installed on any Lenovo device.  In addition, we are going to spend the next few weeks digging in on this issue, learning what we can do better.  We will talk with partners, industry experts and our users.  We will get their feedback.  By the end of this month, we will announce a plan to help lead Lenovo and our industry forward with deeper knowledge, more understanding and even greater focus on issues surrounding adware, pre-installs and security.  We are confident in our products, committed to this effort and determined to keep improving the experience for our users around the world.

Be careful to wear high boots and proper protective clothing while you’re “digging in on this issue,” Lenovo, and consider this: Cybercriminals go to jail for doing what you did.

To any other companies looking to “enhance our user experience,” why don’t you just give us bug-free, secure products that do what WE want them to do and stop treating us like lemmings.

February 16, 2015  5:39 PM

Bird Security. Akin to keeping your office safe.

Jeff Cutler Jeff Cutler Profile: Jeff Cutler
Access, Data, Security

Not rubbing it in, but I recently spent a little time where it’s warm. Specifically on the Gulf coast of Florida. That’s not a security topic, but what happened when I was on the island offers a lesson in keeping your eyes open if you want to remain safe.

The town of Sanibel Island, FL is – as the name suggests – an island. They have toll booths that keep track of the people who come over the bridge to vacation or work. And they have staff who are ready to lock down access to the island at a moment’s notice if there’s a crime or similar event in the town. That’s what keeps it pretty safe.


If you plan to rob a bank, steal a bike, take some merchandise, you’d better be prepared to swim your way to your lair. Getting away when the lock down the bridge is akin to be trapped on Alcatraz. But that’s neither here nor there. I wanted to talk to you about nature and how the professional park ranger keeps nature safe.

Seriously. Nature sometimes needs safekeeping from people who want to get too close, feed animals human food, and generally make themselves a nuisance. And on Sanibel Island, FL there is a national park called the JN Ding Darling Wildlife Refuge. AND in that refuge are plenty of examples of nature.

I told you all that back story to share a story and impart a lesson.

Here’s the lesson… If you keep your eyes open, you’re well on your way to keeping your company and facility safe. When your facility is safe, your data is likely safer. Then your entire organization is better off.

Here’s the story… I wanted a photo of an owl. I’ve been chasing owls all over the world (mostly the Northeast and Florida) for about 15 months. I had my chance with the JN Ding Darling Refuge as a backdrop for my photos.

During my mini vacation, I was informed that there was a certain nature trail where an owl liked to hang out.


I promptly made my way to that trail with my camera. Strolling along, I saw a mass of people looking up at an old palm tree that had a few holes in it. In one of those holes was a little screech owl. I waited until the crowd moved along and then steadied my camera to take some photos.

That was fine. I got some good photos, but as all humans are likely to feel…I wanted more. So I moved a bit closer to the owl, remaining on the path, and took some more photos. Then I realized I could get a photo that few other people had by lifting my camera above my head and shooting photos at eye level with the bird.

That’s when it happened. No, I didn’t get pecked or clawed or dive-bombed. I did get a sharp tap on my shoulder from a diminutive park ranger. She came up to me and sternly suggested I not put my camera in the face of the owl.

I looked at her quizzically because I was on the path, the plane where I had my camera held was in line with where I was standing and no closer horizontally to the owl. But from her perspective, the camera was starting to get too close to the bird. She told me so and explained that she was now on the lookout because another visitor had actually tried to put the camera inches away from the owl before he was warned away.

I understood. And it made me aware of how I could use the experience as a lesson. Because the ranger was vigilant and looking out for breaches in the protocol of the park, she was able to keep the animals safe. She was also smart enough to have set a perimeter so she could anticipate issues before they arose.

In my case, I was never going to get right next to the owl. He (or she) was 11-feet off the ground in the tree. I stand about five feet, ten inches tall. The physics don’t work. But when it comes to security and keeping thieves (or breaches) at bay, the approach works fine. Keep danger far enough away and you can ensure complete safety for your facilities and data.

That’s why having systems in place and setting up proven responses is paramount to good security. Think about the owl and photographer next time you’re in a meeting with IT or your CTO. Then come up with ways to keep the bad guys outside your own organization’s perimeter.

You’ll be safer and happier in the long run. Oh, I’m back north now in the cold and the snow. No danger of me bothering that owl anytime soon.

February 15, 2015  6:48 PM

Two good ways to make sure your email isn’t pwned

Ken Harthun Ken Harthun Profile: Ken Harthun
Data breach, Email, Hackers, Security, Security breaches

computer_thiefBreaches, breaches, breaches. It’s all part of the the daily news in IT security. It’s a good idea to keep tabs on your accounts, especially your email, to see if you’re relatively safe. I say “relatively” because no one is really safe on the internet anymore. I use two services: and to periodically check my email accounts. PwndList allows you to set up all of your email addresses and will send you notifications; will notify you about one account but requires you to manually check for others unless you make special arrangments.

PwnedList actively protects you by continually monitoring sites that host stolen credentials and other security data. If your data has been compromised we’ll notify you immediately—but that’s not all. You can check your online accounts and know with virtual certainty whether they’ve been compromised at any time.

Once you set up an account with them, you can add as many email addresses as you want. You will only be notified if any of them show up as being compromised.

[Troy Hunt, a Microsoft Most Valuable Professional] created Have I been pwned? as a free resource for anyone to quickly assess if they may have been put at risk due to an online account of theirs having been compromised or “pwned” in a data breach. I wanted to keep it dead simple to use and entirely free so that it could be of maximum benefit to the community.

To find out if any of your accounts have been pwned, you can visit, enter your email address (you can check as many email addresses as you want) and click the “pwned?” button. You’ll get one of two responses as shown below:


The one above shows you’re OK. No need to fret about it. If you get the one below, you had better take action: change your password immediately.


Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: