Sorry – I couldn’t resist. The title of this post makes sense when we examine a recent situation affecting our military. First, I’m a veteran, and I’m proud of our forces and of my past service. Today’s critique is made in the spirit of the necessity for (quick) improvements in the realm of security.
Also, for business and individual readers, please realize that if an occurrence like this can happen in the military, just what might be the vulnerabilities and possibilities within your organizations? At your desktop?
The military serves to protect us and to win wars against aggressors and threats. They secure us. However, a very recent event breached the military’s own security: hence, insecure security. A virus infected the “cockpits” (the ground stations from which operators fly two types of drone, the Predator and the Reaper). This virus, as the military is calling it (I would prefer “malware” in this case), is logging keystrokes.
The virus is stubborn: “We keep wiping it off, and it keeps coming back. We think it’s benign. But we just don’t know.” That is from a source familiar with the infection, as quoted by Wired.com. But how can a keystroke-monitoring “virus” that can’t be “wiped” be “benign”? It can’t.
Further, terms like “wiped” mean nothing to me. If you’re attempting to remove a virus, “remove” is the more precise term, or at least “attempted removal.” I wipe my windshield. I don’t mean to sound too critical; I just want to bring us all to best practices, and those include precise communication, identification, and solutions.
There is another very, very disturbing aspect of this occurrence, and it’s a good lesson for the “local” organization, that is, yours. Officials at the affected base, Creech Air Force Base in Nevada, knew about the infection for weeks but didn’t report it to anyone. Air Force cyber-security specialists therefore knew nothing and could do nothing, and other elements of the military were left at risk.
In 2011, that is beyond unacceptable; it is risk and danger of the highest order. The network specialists who defend the affected Air Force unit learned of the virus from Wired.com’s Danger Room blog, according to Wired.com itself. Rather amazing.
The four-star general who oversees the Air Force’s networks has now been briefed on the infection, thanks to Danger Room’s exposure; the wider understanding of the problem came about only because Air Force personnel stumbled on Danger Room’s report. Can anything be more ridiculous?
The lesson for the local organization? Survey for risk, malware, viruses, breaches, thefts… and report what you find. For managers, directors, CXOs… get proactive monitoring in place, and exercise it. Revisit your Acceptable Use Policy (hopefully you have one) and update it. If you don’t have one, get a documented policy in place that tells folks what they can do with systems, what they cannot do, and what they should watch for. The AUP ties closely to the Security Policy, and both should state clearly where anomalies are to be reported, and when: immediately.
Particularly for orgs with multiple locations, share what you find, and have IT teams pool their collective knowledge. But even in simple, single-location orgs, recognize that formal policies are often lacking.
Get an updated set of policies and practices in place for the rush of challenges to modern security.
NP: Hot Tuna, Final Vinyl, original LP. Found this a few days ago; real nice version of “Hesitation Blues” to open, and I like the entire album.
Back in my misspent youth, us kids used to ride our bikes as fast as we possibly could, trying to leave group members behind. The slowpokes invariably whined… “Hey!”… “Wait up!”… and if we could actually get someone to cry, so much the better! We’d laugh maniacally, looking back over our shoulders at our hapless slower counterparts. Oh, the inhumanity!
My father once saw a group led by me, leaving my little brother behind – and he heard my brother’s protestations. Upon return to home, I was punished – banished to my room for some measure of time – with the stern counsel of my father, “Never leave your brother behind.”
Some folks and organizations are pedaling pretty fast these days, in trying to stay up with, and ahead of, the pack in matters of security: Trying to keep up with best and burgeoning practices, and trying to stay ahead of new threats and potentials of harm. But many surprising entities are at the back, and if they ain’t cryin’ yet, they soon may be.
Consider this: “Cyber-cops” in the U.S. were surprised, caught off-guard, by a case of cyber-espionage thought to be unprecedented in scope and size. It’s been described as a five-year hacking scheme (five years!), mounted by a single “state actor.” The espionage targeted computer systems of the U.S. government, the United Nations, defense firms and private industry. The state actor is thought to be China, but that info hasn’t been officially released.
Hmmm… did some government agency discover the hacking? Perhaps some U.N. security expert? Or surely one of those leading defense or private firms had some proactive, forward-thinking cyber-cop scanning for, and discovering, the breaches (after five years!)? Sorry to report, but it was McAfee. According to Fox News, McAfee’s vice president of threat research, Dmitri Alperovitch, said “Even we were surprised by the enormous diversity of the victim organizations and were taken aback by the audacity of the perpetrators.”
Mr. Alperovitch’s report (McAfee published it as “Operation Shady RAT”) identified 72 victims of the spying, 49 of them American agencies and firms, and massive losses of information over that period; the potential economic damage is huge. We must recognize too that state actors don’t rest: now that this five-year effort has been exposed, they will keep evolving their spying means and mechanisms. A U.S. official has confirmed the espionage and theft and, regarding McAfee’s report, told Fox, “The report is fairly accurate.”
If McAfee’s report is correct, our government didn’t learn of a successful multiyear cyber-spying effort from its own internal cyber-police, but from McAfee. What’s embarrassing, and scary, is that Janet Napolitano, head of the Department of Homeland Security, became aware of the McAfee report, and of the large-scale breach, only on the day the report was released to the press. She further said, “We obviously will evaluate it and look at it and pursue what needs to be pursued.” Obviously. The White House has been briefed, so too has the U.S. Cyber Command at Ft. Meade, MD, and on and on… lotsa people pedaling on this block, you see.
Just not very fast: National Security Agency director General Keith Alexander serves as the head of the Pentagon’s new Cyber Command. He has stated that our military may not have the present capability to safeguard Pentagon networks from cyber-attack. “The Department has a shortfall of cyber force capacity to plan, operate, and defend its networks and ensure freedom of action and maneuver for our nation in cyberspace. Additionally, we are still discussing across the Administration how to best defend against a ‘Cyber 9/11’ that affects our critical infrastructure and beyond.”
Private industry is vulnerable too: Lockheed Martin was the victim of an intrusion earlier this year, and it was not alone.
What does this mean for you? Beyond “state actors” (such as China), and dedicated teams targeting private industry (such as the insiders referenced in yesterday’s article), there are malicious hackers who are simply out for fun. They’re looking for websites and networks to hack just for the opportunity to wreak havoc. All of these levels are pedaling at a fast clip, looking to breach, steal, and harm – and likely… laughing maniacally with each success, at the expense of those at the back of the pack.
How fast are you pedaling?
On this day (Oct. 11th): The Juliana, 1st steam-powered ferryboat, begins operation in 1811.
Today, most organizations continue to think of security as an “us” vs. “them” proposition.
Outside breaching entities try to punch their way in to networks, websites, data stores, etc., and we have firewalls, encryption, evolving practices, and so on, to prevent intrusions and thefts.
This mindset no longer serves, and hasn’t for awhile. Of course, a long-standing “inside” threat has been that of human error, which can lead to breach. But there’s more – oh so much more…
Authorities in New York City have busted what they describe as the largest identity theft ring ever. Members have been charged with stealing the credit card information of thousands of Americans and Europeans over a period of 16 months.
The insider threat here? Many of the card numbers were stolen by employees who had legitimate access to them: people working at stores, restaurants, banks, etc., using skimming devices. Imagine going out to dinner, paying with your card, and finding all manner of unauthorized charges in the ensuing weeks or months… would you have associated those charges, that breach, with a particular dinner out? Not likely.
But further, for any business, whether restaurant, bank, lawn service, anything, recognize that vetting employees for honesty now has another dimension. Not only must you monitor for theft of physical assets or cash on hand, but you must also monitor how employees handle customers’ card data and how they use your electronic systems. Many organizations do this, and have for years. Many, many more do not, particularly in the realm of small-to-medium business (SMB).
This particular ID theft ring also specialized in the creation and use of counterfeit credit cards. The counterfeit cards were dispensed to collusive shoppers, who used the cards to purchase high-value items for resale, sometimes over the ‘net.
Recognize too that the equipment to replicate magnetic stripes, holographic authenticators, and complicated engraving is becoming more basic and affordable, and that is daunting.
To business, and individuals, I again say: View every activity through a security prism. Assess every activity and every plan from a security perspective; run frequent reports and reconcile your accounts very closely.
NP: Cannonball & Coltrane, LP.
Oh oh: it turns out that Facebook has been watching members’ internet use, tracking the websites they visit.
Facebook is up to about 750 million members, rather mind-boggling when you think about it. It certainly represents a wonderful opportunity to connect; to make “friends.” As a slight aside, I put “friends” in quotes because I’ve always maintained a healthy skepticism about friendships and associations that are purely online; however, I also have solid friends and professional colleagues now whom I’ve never had the pleasure of shaking hands with. I know of others who have met online and transitioned to “real-world” friendships. But caution is definitely indicated in both the personal and professional realms.
That said, these 750 million members also represent wide opportunities for Facebook. Therefore, I doubt it was an accident that they were not only monitoring, but continuing to monitor, the sites that members visited even after they’d logged out of Facebook.
This represents a privacy breach. The scope? Well, anything that involves 750 million online users is huge. Breaches, thefts, invasions, etc., involving mere hundreds of thousands of users are considered newsworthy, and large. 750 million? That’s massive. Facebook says it was all a mistake, and that their software “inadvertently” sent user data back to the company. I’m not convinced. Are you?
If we were to speculate on a motivation in the realm of deliberate monitoring by Facebook, it would be the ability to reap billions of dollars revenue by virtue of targeted advertising to users (based on browsing history).
If we are to take Facebook at their word, the problem has been fixed, and they’ve thanked a tech blogger by the name of Nik Cubrilovic for pointing the monitoring out. He was the one who discovered the monitoring “cookies” Facebook set. A cookie doesn’t transmit anything on its own: your browser attaches it to every request it makes to the domain that set it, and that includes the requests triggered when some other site you’re visiting embeds a Facebook button or widget. Those cookies still exist, and your browser still sends them to Facebook, but only while you’re logged in to Facebook (again, taking their word for this). Supposedly nothing that identifies you is sent after you’ve logged out.
The cookies can be manually deleted. However, I don’t presently know if they are installed anew upon next login to Facebook, or if the cookies are only delivered and installed upon initial sign-up to Facebook. I’d be interested in hearing your thoughts, and as to whether anyone knows if a manual delete of cookies will clear the problem of monitoring for subsequent Facebook visits.
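One way to check for yourself what a logout actually leaves behind, as an added example that is not part of the original post and not Facebook’s code: capture the Set-Cookie headers the logout response returns (a browser’s developer tools or an intercepting proxy will show them) and classify each one. A cookie with Max-Age=0 or an Expires date in the past is deleted; one with no expiry lives only until the browser closes; one with a future expiry survives the logout and keeps riding along on every request to that domain. The headers, cookie names and domain below are constructed stand-ins, not captured traffic.

```python
"""Classify the cookies a site leaves in the browser after logout.

Added example, not code from the original post or from Facebook. The
Set-Cookie headers below are constructed stand-ins, not captured traffic;
the cookie names and domain are invented.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed: the Set-Cookie headers a logout response might carry.
LOGOUT_SET_COOKIE = [
    # session token expired into the past -> the browser deletes it
    "sess=; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/; Domain=.example.com; Secure; HttpOnly",
    # account identifier re-issued with a far-future expiry -> survives logout
    "uid_track=u123456; Expires=Sat, 01 Jan 2033 00:00:00 GMT; Path=/; Domain=.example.com; HttpOnly",
    # no Expires or Max-Age at all -> lives until the browser closes
    "locale=en_US; Path=/; Domain=.example.com",
    # Max-Age=0 -> deleted immediately
    "old_flag=1; Max-Age=0; Path=/",
]

# Fixed clock (the post's date) so the classification is reproducible.
NOW = datetime(2011, 10, 7, tzinfo=timezone.utc)


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attr_lowercase: value})."""
    pieces = [p.strip() for p in header.split(";")]
    name, _, value = pieces[0].partition("=")
    attrs = {}
    for piece in pieces[1:]:
        if piece:
            key, _, val = piece.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def classify(header, now=NOW):
    """Return 'deleted', 'session' or 'persistent' for one Set-Cookie header.

    Follows RFC 6265 precedence: Max-Age wins over Expires, and an attribute
    that does not parse is ignored rather than trusted.
    """
    _, _, attrs = parse_set_cookie(header)
    if "max-age" in attrs:
        try:
            return "deleted" if int(attrs["max-age"]) <= 0 else "persistent"
        except ValueError:
            pass
    if "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return "session"
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return "deleted" if expires <= now else "persistent"
    return "session"


def survivors(headers, now=NOW):
    """Cookies the browser will keep sending to the site after this response."""
    kept = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        kind = classify(header, now)
        if kind != "deleted":
            kept.append((name, kind, attrs.get("domain", "")))
    return kept


if __name__ == "__main__":
    for name, kind, domain in survivors(LOGOUT_SET_COOKIE):
        print(f"{name:<10} {kind:<11} still sent to {domain or 'this host'}")
```

Run it and the two survivors are listed. The point of the check is the middle column: a persistent cookie carrying an account identifier is exactly what a logout should have cleared, and the Domain column tells you it is sent to the whole domain, not just the page you were on. A browser-side check via document.cookie would miss cookies marked HttpOnly, which is why the example works from the response headers.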
It’s important to note here, too, that some people don’t mind the monitoring, and want the targeted advertising. However, they should recognize that internet monitoring by outside entities can have downsides… more to follow…
On this day (Oct. 7th): Cornell University opens in Ithaca, NY, in 1868.
As a consultant, I do most of my calls and writing in my home office. But occasionally I like to work outside the home, and usually journey to my local Starbucks.
A few weeks ago I was working there when I received a jolt (not from the coffee). A popup indicated that I had less than 10% (or thereabouts) of power left on the battery of my nice, new, HP laptop.
It suggested that I plug in if I wanted to continue working. Naturally my eyes tracked along my power cord to the wall outlet… yep, still plugged in.
I did what anyone would do – I pulled the plug and reseated it – still no power to the laptop… my systray battery icon did change to “Plugged in – not charging.” Hmmm.
So, I tried the other outlet on the double-plate. Same thing. I moved to another outlet altogether. No luck. I pulled and reseated the cable at the laptop – still no luck. I tried a reboot – I reseated the battery – everything. Ultimately, I wrapped things up, did a graceful shutdown, and went back to my home office, where a curious thing happened.
Upon bootup, my icon indicated that I was now charging! I was greatly relieved, as I had a lot of work for the day. However, I called HP to report the problem. After some measure of troubleshooting, the tech recommended sending the laptop in for warranty service. They’d send me a shipping box, and I’d have the laptop back in about 7 or 8 days from time of shipment.
I didn’t really want to do that: I do have a backup laptop, and a “whole-drive” backup to an outboard drive – but my other laptop is older, slow, and cranky (you know what I mean). Therefore, I resisted sending in the HP, and decided to monitor the situation.
Next visit to Starbucks, guess what? I was plugged in, and at 100% of battery: However, after about 30 minutes of work, I noticed I was at 92% power – wha…? I again had to wrap up earlier than usual, and come home.
Once again, I began charging immediately upon plug in.
Now here’s where it gets really interesting, and it involves a little nightlight: Upon my next visit to Starbucks, I verified that I was 100% charged – but after logging in to the laptop, I held off signing in to Starbucks’ network (for WiFi access). I went and got my coffee and chatted a bit. Upon return to my table, I was still at 100% power, and the systray icon indicated that I was plugged in. I logged into the network – and guess what? I immediately lost power – my battery began to click down, and my adapter lost its warmth – it went cold. My icon no longer indicated that I was plugged in…
I plugged the nightlight into the same outlet – and it lit.
Now, how is it that my laptop could not get power from an active outlet? A couple of possibilities: Is Starbucks employing some measure of intelligent power management, and shutting off power to laptops? This would require something like the following, and I’m doubtful:
1. A laptop that occupies a wall outlet for some specified time is surveyed by Starbucks’ WiFi system: a machine code or other device ID is captured and reported to the intelligent power management system, which then shuts off the outlet. (Subsequent disengagement, and plug-in of a non-monitored device, returns active power to the outlet.)
– Or –
2. There is a characteristic in standard power that must be in place for typical laptop adapters to work. Certain Starbucks locations could filter, alter, or “season” their power with something that creates a confusion, or a protection, in the laptop adapter – and the adapter enters a “protective” mode, and power is not passed to the laptop.
I only know this: I consistently cannot get power for my laptop at my local Starbucks. Each and every time – and it’s only upon access to WiFi. Everywhere else, I have no power problems.
I’d welcome readers’ thoughts on this, and reportage of any similar experiences.
Starbucks – are you listening? I may call Starbucks for comment… but business travelers may want to pack an extra battery… or go to an alternate location like another coffee shop or the public library.
NP: Jimi Hendrix, Axis: Bold As Love, vinyl. Perhaps Hendrix’ most cohesive, best, studio effort.
I saw an interesting report regarding the Idaho National Laboratory. Established in 1949, the Lab’s earlier work included improvements to the means of combat and defense, such as nuclear propulsion for the Navy and better armor for military combat vehicles.
Today, the lab is further involved in areas that will interest many here, and they include the Homeland Security missions of critical infrastructure protection, defense systems and technology.
Infrastructure and technology: The lab has three cyber centers, which are unmarked for security reasons. There, thought leaders, technicians and educators work at the forward edge of security concepts and implementations. Of particular interest to business are their efforts to secure banking and finance; power (the nation’s electrical grid, and any region’s); computer networks; and basic communications systems (computer, phone, media, the emergency broadcast system, etc.), along with all the collateral systems that support and enable them.
Examples of the large-scale risks considered include an attacker’s mass theft of financial information, and thus money, creating chaos in the banking system, and the potential shutdown of power across multiple states.
In one training session, an instructor pointed out that many chemical plants in the U.S. still run control systems installed in the ’60s and ’70s; their present condition makes them extremely vulnerable to attack. The lab helps such entities patch, bolster, and migrate to a better security posture.
In fact, 81 groups from the private sector have asked for the lab’s help in just the past year.
Today, the Department of Homeland Security has what are characterized as “cyber fly teams,” able to respond to major cyber events – similar to other Federal emergency response such as responders who go to flood or tornado ravaged areas to help.
So far this year, these teams have been dispatched to seven cyber events. I recommend that business and IT readers visit the lab’s site regularly. Have a look at the “Critical Infrastructure Protection” area at top right, and glean what you can in affordable ideas for your environment, for leading and beating threats before they manifest.
Again, that’s the Idaho National Laboratory.
Staying ahead of threats and potentials is the name of the game today… in the realm of risk, unmanaged possibilities become probabilities. Therefore, manage your security.
Cyber espionage, the unauthorized surveillance of data or its outright theft, is a problem in virtually every part of the world where computers are used and electronic content is kept.
However, what’s happening in China is quite another thing… and may even point to what’s coming to the U.S. and elsewhere. I hope not.
Security experts warn travelers to China that contents of smartphones can be ripped off in seconds. “I’ve been told that if you use an iPhone or BlackBerry, everything on it — contacts, calendar, e-mails — can be downloaded in a second. All it takes is someone sitting near you on a subway waiting for you to turn it on, and they’ve got it,” said Kenneth Lieberthal, who is a former senior White House official for Asia.
In the matter of laptops, you must realize that the Chinese government controls the country’s networks, making it very easy to monitor and capture everything going in and out of the country. Once you get on a network for e-mail or web browsing, you may as well assume you’ve been compromised. Many travelers to China have resorted to disposable phones and rented laptops, free of any sensitive data. Others keep their data on thumb drives and use it only on stand-alone computers, completely offline.
And yet, China’s embassy spokesman, Wang Baodong, says, “It’s advisable for all international travelers to take due precautions with their computers and cellphones. China is not less insecure than other countries.” I do think he meant to say ‘China is not less secure than other countries’… but the former may indeed be true.
Equal concern for networks and corporate data back home is evidenced by a 2008 incident in which Chinese malware was planted remotely on visitors’ cellphones. The cellphones were then carried home and subsequently infected servers in the U.S. The potential for compromise of all manner of environments is enormous. Amazingly, but perhaps not surprisingly, intrusions have been discovered at the State Department and Defense Department, and those intrusions are alleged to have come from China.
When traveling, consider a rented laptop devoid of sensitive info. Keep any sensitive data on thumb drives and work with it only offline. Consider a rented phone.
If you don’t feel you have particularly sensitive data on your own devices, feel free to take your chances. However, for corporate business travelers, be certain to protect your patents, ideas, and information.
And, it’s not just China that presents risks. For U.S. readers, I would advise that any travel outside the U.S. be done with circumspection.
On this day (Sep. 29th): Scotland Yard is formed in London in 1829.
A colleague recently made a cogent argument for timely – in fact immediate – application of all suggested updates as they pop up on various devices; desktops, laptops, smart phones, etc. He examines it from a security perspective, being that many of these updates address security issues. A week doesn’t go by that I don’t get at least one “recommended update” or another on my laptop from various software providers.
The colleague is not a fan of the “Remind Me Later” option/button. He claims that it’s “the most dangerous button you can push” (hmmm… my vote might go to the “Delete Permanently” option…). He likens “Remind Me Later” to discovering that your home alarm is broken and then posting a reminder to your calendar to look at it later. Another (false) analogy he uses: leaving your car unlocked, and asking someone to remind you later to go back and lock it. More on his analogies in a bit…
However, it’s now well established that hackers and crafters of malware are providing their own “update” notifications: spoofs of legitimate updates that, upon acceptance, install viruses, keystroke loggers, credential harvesters, website trackers, information relays, and other nefarious things you most definitely want no part of. Further, they employ various tricks to “legitimize” the look and feel of their activities, one of which is an actual “Remind Me Later” option, figuring you’ll accept it at some point.
A little examination may be in order before reflexively clicking that “OK,” “Install,” or “Update Now” button. Look the popup over carefully: its aesthetics (does it look typical? if you’re able to remember the last update, that is); the way it’s worded; and further, whether it corresponds to your environment (that is, is it for something you’re actually running?). If you receive an Adobe update, and you don’t have Adobe in your environment, don’t install. And rather than clicking the popup’s own button, go to the vendor’s site or its built-in update mechanism and fetch the update from there: a genuine notice loses nothing by that detour, and a spoofed one is defeated by it.
Another consideration: an update will sometimes create a conflict between the updated application and another one. Known problems and conflicts are documented, and the software publisher, application developer, or plug-in provider will frequently advise forgoing a particular update because a non-conflicting one is due to be released.
A really savvy user will know the vendors’ schedules. Microsoft, for example, ships its regular security updates on the second Tuesday of each month (“Patch Tuesday”), so a Windows “update” notice that arrives on some other day, and from anywhere other than Windows Update itself, deserves a hard look (out-of-band fixes do happen, but Microsoft announces them). Searching for this type of info can help, and there are good message boards that discuss it; subscribing can yield solid info and protection.
But here’s today’s take-away for you: Just because you don’t update an element immediately doesn’t mean you’re completely unprotected (as you would be leaving your car doors unlocked or your home unsecured). Security elements are still in your environment, running and protecting: a good provider will LEAD threats, so you may indeed have a little room for a “Remind Me Later,” particularly if you suspect an update might be a spoof, a threat masquerading as a legit update. That room is measured in hours or days, not weeks: once a vendor publishes a fix, attackers compare the patched and unpatched versions to find the hole it closes, and working exploits follow quickly.
When all is said and done, any specific user, and any specific organization, has to make its own decisions regarding notifications of updates. You’re tasked to know your environment better than anyone.
But keep in mind that “Remind Me Later” can be a legitimate buffer as you research and vet an update notification. It’s not just a procrastination tool.
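The vetting steps above, put into a script, as an added example that is not from the original post or from any vendor: before installing what a notice offers, confirm that the product is actually installed and the offered version is newer, that the download comes from the vendor’s own host over https, and that the downloaded file’s SHA-256 matches the digest the vendor publishes. The inventory, host allowlist, product names, payloads and the notices themselves are constructed stand-ins; in practice the inventory and allowlist come from your own records.

```python
"""Vet an "update available" notice before installing what it offers.

Added example, not code from the original post or from any vendor. The
product names, hosts, payloads and notices are constructed stand-ins; the
inventory and allowlist would come from your own records.
"""
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed inventory: what is actually installed here, and at what version.
INSTALLED = {"acme-reader": "10.1.0", "acme-player": "3.2.8"}

# Constructed allowlist: the hosts each vendor really serves updates from.
VENDOR_UPDATE_HOSTS = {
    "acme-reader": {"updates.acme.example"},
    "acme-player": {"updates.acme.example", "cdn.acme.example"},
}

# Constructed payloads: the genuine update bytes and a tampered copy.
GENUINE_PAYLOAD = b"ACME-READER-10.2.0 installer bytes (constructed)"
TAMPERED_PAYLOAD = GENUINE_PAYLOAD + b"\x90\x90 extra"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Stands in for the digest the vendor publishes on its own site.
VENDOR_PUBLISHED_DIGEST = sha256_hex(GENUINE_PAYLOAD)

GOOD_NOTICE = {
    "product": "acme-reader",
    "version": "10.2.0",
    "url": "https://updates.acme.example/reader/10.2.0/setup.exe",
    "sha256": VENDOR_PUBLISHED_DIGEST,
}

# A spoof: names a product that is not installed, points at a look-alike
# host over plain http, and carries a digest that matches nothing.
SPOOF_NOTICE = {
    "product": "acme-pdf-pro",
    "version": "1.0",
    "url": "http://acme-updates.example.net/setup.exe",
    "sha256": "deadbeef",
}


def version_tuple(text):
    return tuple(int(part) for part in text.split("."))


def vet_update(notice, payload, installed=INSTALLED, vendor_hosts=VENDOR_UPDATE_HOSTS):
    """Return the reasons to refuse this update; an empty list means it passed."""
    problems = []
    product = notice.get("product", "")

    # 1. Is it for something actually running here?
    if product not in installed:
        problems.append(f"{product!r} is not installed here")
    else:
        # 2. Does it offer something newer than what is installed?
        offered = notice.get("version", "0")
        try:
            if version_tuple(offered) <= version_tuple(installed[product]):
                problems.append(
                    f"offered version {offered!r} is not newer than installed {installed[product]!r}"
                )
        except ValueError:
            problems.append("malformed version string")

    # 3. Does the download come from the vendor's own host, over TLS?
    url = urlsplit(notice.get("url", ""))
    if url.scheme != "https":
        problems.append("download is not over https")
    if url.hostname not in vendor_hosts.get(product, set()):
        problems.append(f"host {url.hostname!r} is not a known update host for {product!r}")

    # 4. Does what we downloaded match what the vendor says it published?
    if not hmac.compare_digest(notice.get("sha256", "").lower(), sha256_hex(payload)):
        problems.append("payload SHA-256 does not match the vendor-published digest")
    return problems


if __name__ == "__main__":
    print("genuine:", vet_update(GOOD_NOTICE, GENUINE_PAYLOAD) or "ok")
    print("tampered:", vet_update(GOOD_NOTICE, TAMPERED_PAYLOAD))
    print("spoof:", vet_update(SPOOF_NOTICE, TAMPERED_PAYLOAD))
```

The digest only helps if you took it from the vendor’s site, not from the same popup that offered the download; a spoofer who controls the notice controls both. Where the vendor signs its installers, verifying that signature is the stronger check; a plain digest is used here to keep the example dependency-free.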
NP: Soul Bird, Cal Tjader, jazz24.org
Should we migrate to the Cloud? I hear this question frequently, particularly from small and mid-sized business.
Cloud solutions can provide robust, internet-based IT solutions without heavy capital investment in infrastructure. There is also the ability to scale with business growth and change: new storage capacities and scales of processing, and perhaps a sophistication in the handling of systems and related processes that the organization lacks and the Cloud provider can offer.
Of course, the question must be asked: What of security? Anything in the Cloud is not within the “four walls” of the organization. (An org may, of course, have multiple locations – but here the “four walls” concept is a metaphor, vis-à-vis the fact that data and process are now harbored outside any direct physical location of the organization).
One bellwether worth watching is the banking industry. Banks, like any responsible organization, are constantly on the watch for means of enhanced productivity – and here the Cloud has ready offerings. Whether it’s infrastructure savings, operating expenditures savings, or new cloud-based business models, the goal is to best leverage the mix of private, public, and community-based resources that are in the Cloud.
Of course, banking is wary, because of data’s location, and the potential influence on steady availability, and the necessity for rapid recoveries in case of loss or corruption. Data’s integrity, related issues of confidentiality, and means of authentication are also concerns. Banks, and perhaps you too, are leery of outsourcing customer data to third-party Cloud providers and operators.
If you’re considering any measure of move to the Cloud, take a hard look at the various providers. Assess their history, client base, and financial stability. Examine their functionality and service levels, including their ability to integrate data and process across platforms and across a variety of cloud services. And ask the security questions directly: where your data will physically reside, how it is encrypted in transit and at rest and who holds the keys, what independent audits the provider undergoes, how recovery works after loss or corruption, and how you get your data back out if you leave.
On this day (Sep. 27th): In 1912, one of the first published blues compositions, W.C. Handy’s “Memphis Blues,” goes on sale.
Many small businesses today are enamored of their technology – whether the possibilities engendered by social networking’s contribution to marketing, or smartphones and their ready tether to the ‘net, with the further grant of ready communication to co-workers, customers, business partners, etc.
But particularly in the case of start-ups, I’ve noticed something: Many young entrepreneurs seemingly have no clue about the successful setup and sustenance of a business: determining their market, serving it well, remaining competitive in securing it, and crafting the plans and policies that ensure their fledgling organization’s ongoing health and longevity.
It’s not strictly about automation and the ready availability to the world via the ‘net and allied social networking opportunities. Everyone is on the ‘net, in the Cloud, interconnected… but not everyone is a successful entrepreneur, nor are they mounting successful business.
Recognize the financial planning and forecasting that goes into a successful business of any size. Recognize the necessity for founding documents: A valid business charter; a mission statement. Have valid plans: One-year, five-year, disaster recovery, change management, etc. Have valid policies: Content management; privacy, acceptable use, customer service, billing, returns, etc.
Automation and tools are great: but when all is said and done, your business is about people serving people.
Make sure that the people you work with, who may work for you, and with whom you do business (vendors, solutions partners, etc.) understand that you’re delivering value to other people.
Want a great example? Ever try to access customer service at some companies that only provide online assistance – with no real human interaction? Many companies merely refer you through links of information, based on keywords of your particular problem or question.
Even “Live Chat” isn’t the same as a caring customer support rep on the phone.
Don’t let tools, bells, and whistles blur your focus: Get your small business on a solid footing in terms of fundamentals – then accent your possibles and potentials with the right tools.
NP: Decision, Sonny Rollins, jazz24.org