Technology, Terrorism and Modern Conflict

Standard

The following was published in today’s Seacoast Sunday.

I attended two meetings this week that highlight the dark side of technology. The first was the monthly FBI InfraGard meeting of the New Hampshire Chapter and the second a technology industry gathering at which Frank Abagnale, of “Catch Me if You Can” fame, delivered the keynote.

The FBI InfraGard is a partnership between the FBI and private industry designed to ensure timely information sharing to help protect the public and critical infrastructure like hospitals, public safety agencies and the electric grid. This month’s meeting was held in conjunction with the Cybersecurity Days program put on by the Manchester Community College.

A detective from the New Hampshire State Police Intelligence Division gave a presentation on digital forensics, the science of collecting digital evidence related to the commission of crimes. These may be financial crimes, crimes against children or others or related to terrorism.

There was also a presentation on electromagnetic pulse. An EMP is a burst of electromagnetic energy that can be focused on a specific target in a narrow or wide field of impact. EMP is often associated as an outcome of a nuclear detonation. Air Force One, as an example, is widely believed to be hardened against the effects of EMP as are many military installations.

We were shown EMP demonstrations to understand how it works and its impact. The impact could wipe out the electric grid in a radius as wide as the Mid-Atlantic, up through New England into southern Canada and the Midwest. One of the experts who presented suggested the real concern with the current situation with North Korea is not so much about it being able to deliver a nuclear weapon via an intercontinental ballistic missile to the continental United States, but the far more probable risk it would be able to put a nuclear weapon onto a low-earth orbit satellite and detonate it over the United States, delivering an EMP that could knock critical infrastructure offline.
Abagnale shares these concerns and others. This is the second time I have heard him speak. The first was approximately 10 years ago. His personal story remains captivating and impressive. If you are not familiar with his story, visit www.abagnale.com and Google his name. I think you’ll be fascinated by his story. Check out the free resources he makes available as well. There are valuable recommendations, checklists and information resources to help you protect your personal identity and credit from fraud.
Abagnale shared his belief that we are in a transitional time. Transitional in that cybercrime is shifting from financial crimes to terrorism and cyber warfare. One reference point for his concern is the data breach that hit the U.S. government’s Office of Personnel Management. Abagnale has worked for the FBI for more than four decades, so his comments have significant credibility and are based on what he is able to speak about. Specifically, he noted the OPM breach was carried out by the Chinese military. It is his belief this was an exercise to test its offensive cyber warfare capabilities and it is now in possession of more than 21 million OPM records and some 10 million fingerprints of federal employees, including members of the military and intelligence services.

He also talked about testing the FBI has completed where it was able to shut down or alter the speed of a pacemaker from a distance of 35 feet. Using similar technology, it also successfully shut down a moving vehicle, deployed its airbags and locked the operator inside the vehicle. This was done at relatively close distance. His concern is that we are a few years away from these same acts being possible from thousands of miles away, thus becoming a terrorist weapon and method of modern warfare.

Technology brought incredible advances for humankind, but not without serious risk. Examples like these and data breaches point to the most pressing need we have as a nation, education. We must find ways to better prepare our younger generations while protecting our older ones. Technology is an amazing tool, but if not used properly, it may expose you to unintended risk.
Eight years ago, I testifies to a sub-committee of the U.S. House of Representatives on a panel discussing information security. I had a tense exchange with a congressman from California about the fact there is no technology that can prevent a human being from making an error that could cause a cyber security event. Let’s just say he did not agree with my position. Eight years later, I heard Abagnale say technology will never be able to defeat social engineering online. He contends, as do I, that only education can defeat social engineering.

Technology users must understand the risks and realize the data they handle, personally or professionally, must be treated with utmost care. You cannot trust every email you receive or every website you visit. You must use robust defenses and more importantly, educate yourself on risks you will be exposed to and understand what you should do to avoid them and how to quickly and thoroughly respond if needed.
I love technology and it’s unfortunate there are forces at work to use it to inflict harm on innocent victims. Sadly, this is true of many advances in human history. My hope is that this will help you avoid falling victim to cyber criminals and understand the new threats we face as a nation. As I often say, stay safe online!

Advice from Frank Abagnale to Protect Yourself Online

Standard

If you don’t know who Frank Abagnale is, go to his website at www.abagnale.com and read his bio.  If you’ve seen the movie Catch Me If You Can, you know who he is.  Leonardo DiCaprio played him in the movie, which was released in 2002.

I had the pleasure of hearing Mr. Abagnale speak for the second time yesterday, at an ASCII Group Success Summit.  I first him speak around 10 years ago at a CompTIA Breakaway event (now CompTIA ChannelCon).  He was as engaging and moving yesterday as he was when I first heard him speak and I would gladly take the opportunity to hear him speak again in the future.

He started his talk yesterday with an overview of his life and his experience that the movie documented.  As I said at the outset, go to his website and read his biography.  If you ever have the opportunity to hear him speak, take it.  You’ll be glad you did.

What was different from the first time I heard him speak was that I got the opportunity to speak with him before he went on stage and grab a quick photo.  What was more importantly different, was what he shared about cyber threats in the present day.

Frank Abagnale

Here are some of the highlights of what he spoke about.

  • There will never be any technology that defeats social engineering.  Only education will defeat social engineering.
    • What this clearly points out is the need to have effective and continual training in every business, that addresses the risks that employees will encounter and how to spot them.  This is not simply one time training, it has to be ongoing and address the current threat landscape.  It’s the only option to have any chance to protect your business against phishing attacks and other means of hacking in to a private network.
    • This also highlights a real deficiency in our educational system.  We don’t prepare our students to properly understand the risks that technology introduces into their lives and society as a whole.  If we want to have any change to combat cyber crime, cyber bullying and more, we have to educate our youth and our older population to the threats.
    • The data that employees have access to is the most important thing they touch.  Do they realize this?
  • The breach that hit the federal Office of Personnel Management (OPM) in 2015 was not the first breach the agency had experienced.  The prior breach was not made public, nor was the fact that after investigating that breach, recommendations to address the agencies ongoing exposure were not acted on, which lead to the 2015 breach.  Worse, that breach exposed over 21 million records of federal employees and of those, 10.6 million fingerprint records were breached.  This data, according to Mr. Abagnale, is in the hands of the Chinese military, as this breach was conducted as an offensive cyber warfare exercise.
  • Cyber fraud has garnered billions of dollars from the federal government.  Consider these examples that were shared:
    • Over $100 billion in fraud was paid out by Medicare and Medicaid.  Most was paid to foreigners leveraging technology.
    • The IRS has paid out billions in losses to fraudulent tax returns and has stated they will continue to do so until new technology is in place in 2020.
    • There have been $7.7 billion in unemployment losses and over $10 billion in welfare fraud.
  • Russian cyber gangs bring in over $20 billion a year.  India, Russia and China are the main sources of the money trail that comes from cyber crime.  Some of this money makes its way back into the US in form of drug trafficking and other crimes.
  • Mr. Abagnale contends that cyber crime is transitioning from crimes of financial opportunity toward black cyber.
    • Black cyber would encompass threats like being able to shut down or alter a persons pacemaker or shut down a moving vehicle while deploying its airbags and locking the occupants inside.
    • The concern about black cyber could also be thought of as cyber terrorism and it’s a clear and present danger to us all.
    • He believes that warfare of the future will be cyber warfare, attacking critical infrastructure, financial networks and more.
  • On the personal front, over 1 billion identities have been stolen worldwide.  In the US, one identity is stolen every second!  Here are some recommendations from Mr. Abagnale for protecting your identity:
    1. Use a shredder and shred anything that has personally identifiable information.  He recommends a secure micro shredder, as opposed to the more common strip or cross-cut shredders.
    2. Use a credit monitoring service.  Be sure the service shows soft hits on your credit score, not just hard hits, like when you apply for a credit card.
    3. Speaking of credit and debit cards, he advises to never use a debit card.  He recommends paying for everything with a credit card and paying it off every month.  It will not only safeguard your money, it will build your credit.  He even contends that it is worth paying the fees to get cash with your credit card as those fees will pale in comparison to the cost of having your accounts breached from a debit card.  He said that the people who have been hurt the most by data breaches are those whose debit cards were involved.
    4. He advises to be very careful about what information you put on social media.  By sharing the location of your birth and your birth date, you are providing 48% of the information needed for identity theft.
    5. He recommends never taking a social media picture of your face straight on.  Always have something else, like another person or a pet in the picture, so facial recognition will not identify you.  I’m not sure about that one.
    6. Go to his website and visit the resources section and read the treasure trove of helpful information he shares.

Most of all, Stay Safe Online!

 

Why a Hybrid Cloud Strategy is Critical

Standard

I thought I would share a real world example of why hybrid Cloud is the right strategy for almost any business.  For years, backup and disaster recovery has been the buzz, but what if something accidental happens, that could knock one of your most important people offline for a day or more?  How would you deal with the interruption?  Would you be OK with one of your company’s key people being idle without warning?  Consider the following, which has happened to me over the last 24 hours.

Hybrid Cloud

Yesterday, Webroot, one of the leading anti-virus/anti-malware software companies inadvertently released an update that caused havoc with some of their customers.  To make a long and complicated story short, the updated flagged legitimate Windows operating system files as malware and quarantined or potentially deleted them.  Needless to say, this caused a lot of disruption for millions of users yesterday.  Webroot identified the issue within 15 minutes and immediately pulled the problem update.  While their response was rapid and appropriate, some users picked up the update, with catastrophic consequences in some instances.

Here is what I experienced yesterday.  I was working along and suddenly, I could no longer open a spreadsheet I was working on.  Within minutes, my PC, a Microsoft SurfaceBook running the latest pre-release Windows 10 update, started to crash.  Every reboot resulted in a blank screen and an eventual “Green Screen of Death” (the latest successor to the infamous “Blue Screen of Death”).  This has been the most reliable PC I have ever owned, so I knew this was not a normal issue.

Enter our hybrid Cloud infrastructure to the rescue.  I was able to jump on an available computer and work in multiple web browser windows like nothing happened.  I was in Outlook Online, part of Office 365.  I was able to open and work with Word files, my Excel spreadsheet and others, all from the browser.  I rely heavily on OneNote to organize my day.  Enter OneNote Online in the browser and was working away with my most updated notes as they sync to OneDrive almost as soon as I have updated whatever notebook I am working in.

Our Line of Business applications, those pieces of software that are specific to the work we do, all run from our data center, which is also geographically redundant and backed up.  In short, with about 8 browser tabs in use at any point in time, I was back to work in no time, while recovering my damaged SurfaceBook without losing any productivity.

I had access to everything I needed, because my entire world, personal and professional, is made up of Cloud hosted applications along with applications hosted in our corporate data centers.  I lost nothing and was easily able to reload the operating system, application software and data while I busily continued on with my day.

One personal hint I will share, is that I maintain a list of all my current software applications and registration information, which makes it easy to reload everything, by stepping through my list.  Amazon Drive is my go-to Cloud storage for my personal data and I use GoodSync to keep it synchronized in real time.  My corporate data is all in my Office 365 email and our corporate databases and file shares.  I lost absolutely nothing, no data, no settings and customizations.  Everything worked exactly as designed.

I hope this little unexpected real-world business continuity exercise will help you understand the value of a hybrid Cloud infrastructure for your personal and corporate applications and data.  It’s always nice to have a well designed strategy.  It’s incredibly rewarding when it works as designed and allows you to deal with an unexpected event that could have had a catastrophic impact.

Amazon Echo’s Red Ring of Shame

Standard

In follow up to my post last week titled Alexa, Should I be Worried about You?, I wanted to share a few updates that may be helpful.

In my house, we’ve had a few more issues of Alexa coming to life when she shouldn’t have.  This has some of my family members very worried that Alexa is listening and recording us when she shouldn’t be.

Amazon is very explicit that the Echo only comes to life and records when you say theAlexa Settings.png word “Alexa” or an alternate “wake word” that you may have set.  When Alexa is wrong, you can easily figure out what happened by using the Alexa app on your smartphone or tablet.  In the app, go to Settings and then General, then History.  Here you will find a list of everything that woke Alexa up.  You can see the words that woke Alexa and when you click on an entry, you can also play back the phrase that woke Alexa up.  From here you can delete the recording of the phrase.  Echo only records what it hears after the wake word.  You also have the option to tell Amazon if Alexa got it right or more importantly, got it wrong.  If Alexa got it wrong, you can send a note to Amazon and even ask to have them contact you to learn more.  Anything you send in will be used to tune Alexa to make the device more accurate and reliable.

I tried this over this past weekend, when Alexa picked up an inaccurate phrase that did not include our wake word, which is Alexa.  Amazon got back to me almost immediately and I had the option to call or chat with the Echo support team, to explain in detail what went wrong, so they could work to improve the overall accuracy.  The reason I had to call or chat is that Amazon does not allow access to anything recorded from your device.  They have to “speak” with you to learn more.  They can digitally review what took place to tune the Echo, but they cannot directly access anything that the Echo has recorded in your home.  I’m impressed with Amazon’s responsiveness and commitment to make Echo better and not intrusive.

All of this said, if you want a fool proof assurance that Alexa is not listening to you when you don’t want her to, simply press the microphone button on the top of your Echo device.  The button will turn red and the ring that glows blue when Alexa is actively listening, also turns red.  I’m calling this the Echo’s Red Ring of Shame.  When you want the Echo to listen, press the button again and the red ring goes away.  I’m betting when I’m not home, the Echo will be dejectedly showing it’s red ring of shame.Small-winking-face

EchoRedRing

Microsoft Authenticator App-The New 2FA Kid on the Block

Standard

In yesterday’s post, I talked about two factor authentication and why it’s important and supported virtually anywhere you logon.  I did not mention Microsoft’s Authenticator app, which is a newer option and one that is gaining momentum and support.

Last night, I came across an article that highlighted some of the new capabilities of the Microsoft Authenticator and this has prompted me to post this update.

The Microsoft Authenticator is quite similar to the Google Authenticator app.  And in true rival fashion, Google and Microsoft continue to one up one another and right now, it appears Microsoft has moved into the lead.

Microsoft AuthenticatorThe latest features available in the Microsoft Authenticator allow you to use your Microsoft Account without having to enter your password and then the Authenticator code that is generated.  Instead, when you enable muti-factor support for your Microsoft account, you have the option to set the default logon action to notify you via the Authenticator app on your smartphone and approve the logon from your smartphone.

Especially if you have multiple Microsoft accounts, this is a huge time saver as well as considerably more secure.  With more people using Office 365 and other Microsoft Cloud services like Azure, this will make navigating the Microsoft Cloud ecosystem considerably more efficient.Authenticator Notification

This type of push notification for logon approval is becoming more common.  Like other authentication apps, you can scan QR codes to enable the Microsoft Authenticator as your 2FA choice on sites like Facebook and yes, Google.

With all these developments in the 2FA space, you can expect to need to use multiple authenticators to secure your accounts.  Myself, I use three.  Four if you consider receiving authentication codes via text message another authentication method, which it is.

My current 2FA apps include AuthAnvil, Google Authenticator, Microsoft Authenticator and text message OTP’s (one time passcodes).  What are you using?

2 Factor Authentication Should No Longer be Optional

Standard

If you want to keep yourself protected from the majority of hacking attempts, you should be using 2 Factor Authentication (2FA).  You may also see this referred to as Multifactor Authentication (MFA) or One Time Passcode (OTP).  For the purpose of this post, I’m going to refer to 2FA.  There are many different ways to implement 2FA and they are not as inconvenient as you may think.

2FAThe fundamental premise behind 2FA is that in addition to your username and password, you have to use a second factor along with your password, to be authenticated and complete your logon.  While in the past, 2FA was mostly confined to large corporate enterprises and the financial industry, this has rapidly changed in recent years and 2FA is available just about everywhere.  If you’re not using it, you’re leaving yourself at risk.

Do you know someone who you have received an email from, alerting you that their email account has been hacked and to ignore unexpected email from them?  How about a friend request on Facebook from someone you are already friends with?  Chances are, you will also see a post from that person letting all of their friends know that their profile has been hacked and not to accept a friend request from them.  Sound familiar?  I’m sure it does.

The fundamental premise behind 2FA is that it comprises “something you know” and “something you have.”  The “something you know” is typically a PIN, like the code you use with your credit/debit card.  The “something you have” is a single use code that is generated by a device or app that you have in your physical presence.  These one time use codes may be alpha numeric or just numeric.  These codes used to be generated by physical tokens that were a fob that most people carried on their keychains.  These days, most are now generated by what is commonly referred to as a “soft token”, which is an app that lives on your smartphone.  When you login to a system that is protected by 2FA, you enter your username and password, and then on either an additional field that asks for your code or a prompt that shows up after you enter your username and password, you enter your PIN (that only you know) and your one time code (that you have).  The combination is authenticated against your 2FA system and you are logged in.

Most web based systems support this type of authentication as well.  Google’s Google Authenticator has become a standard for many.  You just have to enable it and follow the simple directions to set it up.  Another option many web based services offer is a one time code that is sent as a text message or email.  I don’t like receiving these codes via email, as that is too easily open to interception.  A text message is more secure, though with the right tools, to clone a smartphone SIM card, these could be intercepted.  It’s far less likely to be a security concern for most people.

There are differences in 2FA technologies.  The “token” based systems, that require a PIN to be combined with the random code are the most secure.  Again, this is because of the “something you know” and “something you have” combination.  Systems that only require a OTP generated by an authenticator app or from a message you receive are another.  These do not require the “something you know”, meaning a private PIN that only you know.  Instead, they only require the OTP as the second factor.  This is still 2FA and it is still far more secure than not having any 2FA in place.  In corporate networks, you will typically find the combination PIN + code systems.  For public web based systems like email services and social media sites, you will find their implementation of OTP’s.

Regardless of the underlying technology, 2FA helps defeat the most common source of hacking, weak passwords.  Most hacks are accomplished by guessing a users password.  2FA prevents this and provide a level of identity assurance, matching the logon to the actual person.

There are more an more 2FA solutions coming to market and the best also offer something called Single Sign On (SSO).  If you are interested in learning more about 2FA and now to use it in your workplace, check out one or more of the following companies; Duo, AuthAnvil by Kaseya, Okta, RSA.  To learn more about how web based systems make 2FA available, check out these pages to learn how to secure yourself on these systems; Facebook, Google, LinkedIn, Twitter.  I am not endorsing any of these companies, though I will say that I respect each and have worked with them throughout my career.  Any time you have to login to a system, including your bank, search two factor authentication and see what they offer to help you further secure your account beyond your username and password.  The links above are good examples and solutions that will serve you well.

If your company does not presently offer 2FA, expect them to require it in the not too distant future.  It’s becoming a standard and how I have worked for many years now.  For any web based systems that you use, search their help system to see if they support 2FA and if they do, enable it.  Before you know it, you will not even mind the extra step to complete your logon and you will have taken the easiest and most important step that you can to safeguard your accounts and your identity.  As the Nike slogan so aptly states, “Just Do It!”

Alexa, Should I be Worried about You?

Standard

The following was published in today’s Foster’s and Seacoast Online.

Echo“Alexa, what time are the Red Sox playing today?”  Are you hearing things like this around your home?  If you have an Amazon Echo, it’s likely that you are.  Not to be left behind, Google Home is another popular device and it answers to “Hey Google.”

Artificial Intelligence (AI) has hit the mainstream.  Apple started the Google Homeinnovation with Siri, the voice activated digital assistant on the iPhoneMicrosoft didn’t wait too much longer to follow on with Cortana, the digital assistant build in the Windows 10 and available as an app on iOS and Android.  Not to be outdone, Samsung introduced Bixby, which will be featured heavily on the newly introduced Galaxy 8, though there appear to be a few snags with its initial release.

What all these systems have in common, is that these are primarily consumer focused AI technologies that allow you to interact with your device using your voice.  What is unique with Amazon and Google’s systems is that they are entirely voice driven.  Amazon is leading the pack with Alexa, which is also available on other Amazon aware devices like their Fire TV Stick remotes.  They also have the larger family of Alexa enabled devices.

Many homes now have one of more of these devices installed.  Focusing primarily on Amazon and Google, the idea is to have these intelligent voice assistants throughout your home and interconnected with any smart home devices that may be installed in the home.  In addition to asking these devices for todays weather, the latest news, to play your favorite music or to retrieve and inform you about a host of other information, they are also able to control lights, temperature, drapes, locks and more.  New connected technologies are coming to market every day.

This type of AI relies heavily on massive data stores from the Internet to quickly search and present the information that you have asked for.  In my own home, we’ve had a bit of an issue over Alexa’s presence, which is something you may want to consider.

The way these devices work is that their microphones are in a constant passive mode of listening for their “wake” word.  You can customize these words to a certain extent, but for the purpose of example, the devices only actively listen when you say the “wake” word.  For Amazon, the default is to say “Alexa.”  For Google Home, the default is to say “OK Google” or “Hey Google.”  I recently had two instances where my wife was talking on the phone and the Amazon Echo we have, inaccurately heard the wake word “Alexa” when in one case, what was actually said was “forgetting to feed the dogs” and the Echo heard “Alexa forgetting to feed the dogs” so Alexa responded trying to determine what was said.  This raised a valid concern about devices like this listening and saving information that is not intended.

Privacy advocates have raised concerns about these devices, but so far, companies like Amazon and Google, as well as Apple, Microsoft and Samsung, have all stated that they will never use any gathered information for any other purpose than what the user intended.  They have also, so far, successfully pushed back against law enforcement requests for anything a device may have recorded.  As these concerns come to light, you can expect the manufacturers to improve control over what the devices hear and store.

Like all technology, with every new advance also come privacy and other concerns that may not have been fully considered during development and initial release.

While voice activated AI like the ones I have mentioned have been focused on the consumer applications so far, the business applications are there and growing.  Amazon’s Echo lets you place Amazon orders by just telling Alexa what you want to order, in some cases.  Because this carries the obvious risk of someone in your home ordering a few dozen of something you really don’t want, Amazon has built in appropriate controls to prevent unauthorized ordering or to simply disable the ordering function.  This is a smart application of appropriate controls.

Technologies like Siri, Cortana and Bixby, which presently exist primarily on mobile devices, are making inroads to business applications.  Hotels chains are evaluating these technologies as a way to improve the guest experience, allowing you to request more pillows or check out, just by speaking in your hotel room.  Cortana, which is heavily integrated into Microsoft’s Bing search technology, is building out what Microsoft is calling the Cortana Intelligence Suite, as a way to mine the ever growing amount of data that a business collects on its operations to make the nosiness more efficient and competitive.

Voice technology has primarily been limited to dictation solutions in the commercial markets of healthcare and legal.  All of these new technologies promise advances that may one day make us feel like we are on the Starship Enterprise, talking to our homes and workplaces and getting things accomplished with the power of our voice.  This is just another technological evolution that will be interesting to watch and hold a lot of promise to improve our lives and our world.