A few security FAQs

Here are a few FAQs (frequently asked questions) about Internet security.  I should have put this together a long time ago.

Q: I don’t keep national security secrets inside my computer or cell phone. Aren’t all these so-called security products the real scam?

A: You probably don’t have any secrets anyone cares about.  But the game is not to steal your secrets.  The real game is to make you an unwitting drone in a scheme to steal somebody else’s secrets.  You spent money for your computer equipment and you spend money every month for Internet and cell phone service.  If you don’t care about somebody using you for criminal projects, then don’t protect yourself.  You are either part of the solution or part of the problem.

Q: Why don’t all those lonely teenage hackers get a life?  And why are the most powerful companies in the world at the mercy of a few evil computer genius hackers?

A: These are the wrong questions to ask.  The image of a lonely teenage boy in his bedroom stealing national security secrets for fun might play well in Hollywood, but it’s not real. So are the images of an evil computer genius threatening to destroy the world by guessing the secret password and typing a few commands, and the good guy genius who saves the world in the nick of time. Most of the bad activity these days comes from organized criminal organizations or nation-states, not any single individual. Those powerful companies are vulnerable because the people charged with keeping them safe did not do their jobs.

Q: If there are no evil computer genius hackers, then why do we see almost daily reports of cyber breaches?

A: I didn’t say there are no evil geniuses, only that the Hollywood images are wrong. There are plenty of evil geniuses in the world, but they are only a small part of an entire global criminal industry.  Just like legitimate industry, the shadowy Internet criminal industry has venture capitalists, inventors, markets, tech support services, and specialists for every conceivable discipline.

Q: Why are we all such sitting ducks on the Internet and why doesn’t somebody do something about it?

A: Just like humans developed an overwhelming advantage over other animals on our planet by developing language, bad guys currently have an advantage over good guys because bad guys collaborate better than good guys.  Business and government can erase that advantage by bringing security practices out into the open and giving them more than lip service.  We can influence policy by educating ourselves and using our market power to support organizations with good security policies.

Q: Is it true that my Internet connected baby monitor can destroy the Internet?

A: No, not by itself.  But combined with millions of other poorly designed IoT (Internet of Things) products, it can wreak plenty of havoc.  When you buy Internet connected devices, such as baby monitors, DVRs, security cameras, door locks, thermostats, ovens, you name it, make sure they have a mechanism for updates in the field.  Make sure you don’t use factory default passwords and make sure they don’t have default passwords or other back doors permanently baked into the hardware.  And put them all behind a credible firewall.

Q: Speaking of firewalls, since all my stuff is behind a firewall, doesn’t that mean I’m safe?

A: No.  Firewalls are one part of a bigger picture.  They stop unsolicited traffic.  Firewalls are worthless when you invite the traffic in.  That’s why it’s important to be careful about what websites you visit and avoid opening email attachments.  And that’s why you need antivirus software, even if nobody has a perfect antivirus solution.

Q: Today’s high tech is boring and complicated.  Why can’t they just make this stuff simple and usable?

A: They is really us.  Spend more time with security, where technology and psychology meet and the results are fascinating.

Q: Where can I find an entertaining story about how major data breaches play out?

A: One great perk about my own blog: I get to plant great lead-in questions.  Here is a shameless plug for my first book, “Bullseye Breach,” an educational book about data breaches disguised as a thriller novel about how the Russian mob penetrates Minneapolis retailer, Bullseye Stores, and steals 40 million customer credit card numbers.  Here is a six minute video about how that attack unfolds.

And stay in touch for information about book #2 coming soon.  This time, a nation-state really does mount an attack.  And the stakes are much higher than credit card fraud.

(First published on my Infrasupport website, Oct. 25, 2016.  I backdated here to match the original posting.)

Our political leaders set a sorry security example

I am constantly amazed by how much cyber-security effects our 21st century lives every day, and by how clueless our leaders on both sides of the political isle are about all of it.

Let’s start with Hillary and the Democrats.  I’ll dump on Trump and the Republicans in a minute.

First up is Hillary’s email server.  I’ve said over the years that I have no problem with Hillary running her own email server.  And, given what we’ve since learned about US Government security with stories like the OPM breach, I might have run my own email server if I were in her position.  One difference – I know more about running an email server than Hillary.

Whether or not what she did is criminal is still being argued, but we all learned she was, at minimum, wildly careless handling sensitive information.  A United States Secretary of State should know better.  Her reaction?  Double-down on ignorance.  Check out this piece from The Daily Beast here.  Another link to the embedded Youtube video here.  At around the 1:05 mark, the reporter asks Hillary about wiping her email server.  Her reply – “You mean, like with a cloth or something?”  Arrogant, ignorant, and proud of it.  A dangerous combination.  The FBI report came out this summer (2016).  I posted thoughts about FBI Director Comey’s announcement here.

Check out FBI Director Comey’s announcement, where he describes how an army of FBI professionals needed a year to painstakingly comb through that server hard drive to recover thousands of deleted messages.  Why were they deleted?  Only one explanation holds up: Hillary must have ordered her email administrator to uninstall Microsoft Exchange and delete the datastore, but nobody wiped the deallocated space.  A rookie mistake?  Or a bungled coverup?  How much would an enemy of the United States pay for a copy of the discarded hard drive from the Secretary of State’s email server?  So, yeah, wildly reckless is a charitable characterization.

Although there is no evidence Hillary’s email server was ever penetrated, apparently the Russians did penetrate the Democrats’ email server. And now the whole world sees a daily barrage of  embarrassing, private messages, courtesy Wikileaks.  And in the process, we’ve now legitimized Wikileaks, even though its leader is currently holed up in the Ecuadorian Embassy to block extradition for sexual assault.  Full disclosure here – I have personal experience with Wikileaks.  Here are details.

And that leads to Donald Trump, chief Wikileaks legitimizer.  The Donald, maybe our next President, who fires apprentices for making weenie excuses for failure.  So how did Trump Industries handle its data breach last year, when it exposed thousands of its own customers to credit card fraud?

Like virtually every other company these days, we have been alerted to potential suspicious credit card activity and are in the midst of a thorough investigation to determine whether it involves any of our properties,” the statement reads. “We are committed to safeguarding all guests’ personal information and will continue to do so vigilantly.”

I added the italics for emphasis because it was a weenie excuse.  Read the July, 2015 krebsonsecurity.com story here, and the Krebs followup October, 2015 story here.

It gets worse.  Krebs reported a second data breach in April 2016.  Article here.

That’s right.  Anyone who stayed in a Trump hotel through most of 2014, 2015, and early 2016 should consider calling their bank and requesting a new credit card.

And now, the ultimate in irony.  “We’re so obsolete in cyber,” Trump told The New York Times. “We’re the ones that sort of were very much involved with the creation, but we’re so obsolete.”

Donald said that in March, 2016.  Now it’s October, 2016 and we all recently learned how right Donald was.  Although not in the way he intended.

The news broke on Monday, Oct. 17 when security researcher, Kevin Beaumont, did some simple probes of publicly available data and found that the Trump organization uses Windows 2003 with Exchange 2003 as its email server.  Here is a ZDNet article with details.  Here is a Vice News article with more.

IT professionals’ jaws should be dropping right now.  For the uninitiated, as of October, 2016, Windows 2003 really is 13, count ’em, 13 years old.  Which means today’s 7th graders weren’t born yet when Windows 2003 first became available.  Microsoft no longer supports Windows 2003 and no longer issues security updates.  Which means the Trump public facing email server is the Internet equivalent of a large rob me sign taped to the front doors of all Trump properties.  Which may explain why criminals were able to so easily steal thousands of customer credit card numbers from Trump Industries, not once, but twice.

And it gets worse.  Trump’s response is nonsense.

“The Trump Organization deploys best in class firewall and anti-vulnerability technology with constant 24/7 monitoring. Our infrastructure is vast and leverages multiple platforms which are consistently monitored and upgraded using current cyber security best practices.”

Defending the choice to continue operating a hopelessly obsolete email server because it’s behind a firewall is like changing the car oil to compensate for bad tires.  The Trump response demonstrates an amazing lack of basic understanding about what firewalls do – and don’t do.

I wonder if Trump will still be a Wikileaks supporter when his private emails start showing up in newspaper headlines?

And finally, we learn that Republicans and Democrats do share some common ground in this divisive election year.  They’ve both been breached.  The Democrats lost emails and the Republicans lost credit card numbers.  Anyone who purchased anything from the Republicans between March 2016 and the first week of October should contact their bank and ask for a new credit card.  Details here.

If you’re a political candidate or an organization decision maker, listen up.  Based on what I’ve seen, you probably don’t know nearly as much as you think you know about cyber-security.  So accept my shameless book plug and consider buying a copy of “Bullseye Breach,” right here.  You’ll be entertained and you’ll learn how this stuff really works and what you can do to stop it.

I’m also looking for an agent and publishing partner for book #2, where a nation-state really does attack the United States.  More news on that as it gets closer to publication.

(Originally posted on my Infrasupport website, Oct. 20, 2016.  I backdated here to match the original publication date.)