Top Secret Tinseltown

So this is a city with a lot of secrets. 


I’m not talking about just the run-of-the-mill, non-disclosure agreement (NDA).


This is Top Secret Tinseltown!


And even the stuff that comes out in the news–whether it’s clandestine transfers of $1.7 billion to the Ayatollahs in Iran or the Uranium One deal with the Russians–shows there are plenty of dirty little games going on.


What was hilarious is when we saw this huge industrial shredding truck in the parking lot:

Paper Shredding * Electronic Destruction * Medical Waste Disposal


And there was a line of cars waiting to get rid of their little secrets.


I kid you not when I say that on a Saturday morning, there were at least 25 cars in line to dispose of their “stuff.”


Now who do you know, in what city, that waits 25 cars deep in line for an industrial shredder on a Saturday morning?


And the cars are pulling up, the trunks are popping open, and boxes and boxes of paper and electronic files are being handed over. 


Gee, I hope the Russians or Chinese aren’t getting into the shredding business…and inside the truck isn’t a large shredder but a bunch of analysts waiting for you to hand it all over. 😉


(Source Photo: Andy Blumenthal) 

In The Know or Dark

So here is one way that some people can (try to) manipulate you–positively or negatively. 


They can help either to keep you “in the know” or “in the dark.”


As we all know by now, information is power!


When you’re in the know–you are a trusted agent and a valuable resource; you have more dots and more connections between the dots to make; you are able to analyze what’s happening and make better decisions going forward; you can lead with knowledge, wisdom, and hopefully understanding. People come to you for advice and guidance, because you are a true asset to the team, your superiors, and the organization.


When you’re in the dark–you are untrusted and unvalued; you may actually be seen as the enemy who needs to be marginalized, put out, or taken out! You are kept out of meetings, uninformed or misinformed, and so you become more and more intellectually worthless. Further, others are implicitly or explicitly told that you are poisonous and not to get caught up in the pending slaughter. A colleague of mine put it this way: “Don’t get between a man and his firing squad.”


So with others, there can be information alliances as well as information warfare. 


To a great extent, you are responsible for keeping yourself in the know. You need to build relationships, bridges, and networks. You need to read, observe, and talk to lots of people. You need time to digest and analyze what you learn.  And you must build your information store so that it is ready and actionable. 


But to another extent, there are others–superiors, competitors, bullies, abusers–who just might seek to keep you in the dark and bring you down. Not everyone is your friend…some may be just the opposite. (Wouldn’t it be nice if we all were just friends!) But casting you as the intellectual ass of the group is a powerful image that, once superimposed, cannot be easily dispelled. There is plenty of groupthink to go around. And taking out a perceived enemy diffuses their power to everyone else. What a lousy coup by some nasty f*ckers!


Why some befriend you and others treat you as a foe–who the heck knows. Perhaps some of it is chemistry; some is tit for tat; some is personal bias and bigotry; and some is just the crapshoot of fate.


In the end, keep doing your part to enhance your value, your friendships, and your integrity. The rest, you have to be vigilant about and realize not everyone wants the lights kept on. 😉


(Source Photo: Andy Blumenthal)

Why Can’t We Keep Our Secrets


Well after the now notorious email scandal and other information security mishaps galore, this advertisement in Washington, DC is really quite the rage. 

“Keeps classified data classified.”


As parents tell their children about keeping private things private:

“If you can’t keep it a secret, then how do you expect the other kids to keep it to themselves?”


There are lots of secrets in DC, but there are also a lot of big mouths, security negligence, and even corruption. 


This gives our adversaries the opportunities they need to get our country’s vital information.


We work too hard to develop the best intellectual property for national security and our economy, as well as the critical policies for advancing human rights and democracy around the world, to let it just be easy fodder for others to help themselves to.


Technology won’t solve the gap in certain big mouths and sloppy Joes around town. 


Only vigilant, smart people can protect the nation’s vital information that is the fuel for our success and survival. 😉


(Source Photo: Andy Blumenthal)

The Federal Island Of Insanity


So a colleague at work was supposed to get something done. 


Well it didn’t happen, and someone else got left holding the bag–not really very fair.  


To make matters worse, the guy, sort of unapologetic and clouded, pops in my door and says to me, “What are we doing here?”


Taken aback and not sure what this guy is talking about, I say “Excuse me?”


He looks up into space for a moment, and turns back toward me and repeats emphatically, “I mean, like what are we e-v-e-n doing here?”


Getting more than a little frustrated at this point, I ask quizzically and with some sarcasm, “You mean on planet Earth?”


Again, turning and looking oddly away and then back my way, he says, “In this building!”


I must’ve been looking at him at this point like, is he on drugs, and I say, “Well, there are important laws that we’re fulfilling here (implicitly referring to FOIA, Records Act, Privacy Act, E.O. 13526, etc.).”


Unbelievably, he continues, now shaking his head, “Well that’s what I mean…why we need that?”


Having too much work to play out whatever this toxic game was any longer, I’m like, “[if you don’t believe in transparency and safeguarding/security of information,] Maybe you should write your Congressman,” [smile!] and with that went back to the million and one serious work things I still had waiting for attention.


In retrospect, I can’t help but think that, incredibly, there are people coming to work here in D.C. who either don’t know why they are there in the first place (but should know!) or don’t believe in the mission or meaning of what they are doing.


In the private sector, I certainly don’t think this conversation would’ve even gone on as long as it did…the consequences there seeming more pronounced, abrupt, and in a definite way connected with reality. 


With more than 16 years into the Federal sector, I still can’t believe a lot of what goes on–both good and hopeful, and bad and more than a little disappointing. 😉


(Source Photo: Danielle Blumenthal)

My Ashley Madison

So Ashley Madison is now a well-known adulterous website, particularly after hackers stole 37 million records on the site participants, and have released that information to the public.


These tens of millions of users seek companionship for loveless or sexless marriages or perhaps are just plain liars and cheaters–who knows? 


But yikes, now everyone knows!


Huffington reports that divorce lawyers are anticipating a deluge of new clients seeking divorces.


And BBC reports that two people have already taken their lives in Canada as a result of the release. 


What is incredible as well are the 15,000 people who used their .gov or .mil accounts presumably to hide their infidelity from their spouses, but now are in potentially huge trouble with their government agencies.


I assume that Ashley Madison prided themselves on their discretion in handling their clients’ accounts, but lo and behold, the discretion is for naught, compliments of some very naughty hackers.


Privacy is becoming a very lonely and meaningless word whether you are faithful or a cheater–it’s all open fodder on the net. 😉


(Source Photo: Andy Blumenthal)

Snapchat, Eat Your Heart Out

As so many of you app users know, Snapchat allows you to send texts, drawings, photos, and videos, but with privacy, knowing they will disappear in a few seconds.



Disappearing messages is certainly not a new idea–in spycraft or for kids. 



Remember the disappearing ink (or maybe you’ve forgotten because it disappeared)?



Well, this is a photo of disappearing-disappearing ink!



Someone apparently stole the disappearing ink right out of the packaging in the store–it has truly disappeared. 😉



(Source Photo: Rebecca Blumenthal)

Keep ‘Em Clean

My friend’s mother used to say to always make sure to wear clean underpants in case you end up at the doctor or in the hospital.

 
I guess that’s some good advice.
 
In that context, I thought this was a funny post on Facebook about how passwords are like underpants:
 
“Change them often, keep them private, and never share them with anyone.”
 
Maybe you could add to this list as follows:
 
– Make them difficult to guess at. 
 
– Don’t use the same one for every occasion.
 
– Never put them out there in a conspicuous way. 
 
– And require that you change them at least every 90 days. 😉
 
(Source Photo: Facebook)

A SCIF Can Be Yours


A SCIF can be yours…if the wallpaper is right.

According to PC Magazine, a SCIF (Sensitive Compartmented Information Facility) is a secure area where classified information can be discussed and handled. A SCIF is built to prevent information from leaking, being intercepted, and being compromised.

Now, your business or home office can have its own SCIF-type protection without the use of more expensive Faraday cage electromagnetic mesh (e.g. chain-link) conductive shielding or Japanese anti-Wi-Fi paint that blocks all frequencies.

BusinessWeek (31 January 2013) reports on a new wallpaper called MetaPaper that blocks Wi-Fi signals and helps “improve data security and network speeds.”
The Wi-Fi shielding wallpaper was developed by the French pulp and paper institute, Centre Technique du Papier (CTP).

MetaPaper is a snowflake pattern wallpaper “printed in conductive metallic ink” that “blocks Wi-Fi signals, while still allowing FM radio and emergency frequencies to pass through.”

Its filtering is 99% effective (which may not be good enough for handling state secrets, but could be terrific for safeguarding most information) and sells for $12 per square meter.

Aside from information security, the additional benefits of MetaPaper are to protect people’s health by attenuating electromagnetic waves that cause genetic damage and cancer, as well as socially to create quiet space, Wi-Fi free zones, such as in hospitals and movie theaters.

Here is a link to a presentation on MetaPaper’s development and benefits. 😉

Understanding Risk Management


Information Security, like all security, needs to be managed on a risk management basis.

This is a fundamental principle that was earlier advocated for the Department of Homeland Security by former Secretary Michael Chertoff.

The basic premise is that we have limited resources to cover ever changing and expanding risks, and that therefore, we must put our security resources to the greatest risks first.

Daniel Ryan and Julie Ryan (1995) came up with a simple formula for determining risks, as follows:

Risk = [(Threats x Vulnerabilities) / Countermeasures] x Impact

Where:

– Threats = those who wish to do you harm.

– Vulnerabilities = inherent weaknesses or design flaws.

– Countermeasures = the things you do to protect against the dangers imposed.

[Together, threats and vulnerabilities, offset by any countermeasures, give the probability or likelihood of a potential (negative) event occurring.]

– Impacts = the damage or potential loss that would be done.

Of course, in a perfect world, we would like to reduce risk to zero and be completely secure, but in the real world, achieving total risk avoidance is cost prohibitive.

For example, with information systems, the only way to hypothetically eliminate all risk is by disconnecting (and turning off) all your computing resources, thereby isolating yourself from any and all threats. But as we know, this is counterproductive, since there is a positive correlation between connectivity and productivity. When connectivity goes down, so does productivity.

Thus, unable to eliminate risk entirely, we are left with managing it, and in particular with critical infrastructure protection (CIP): prioritize the highest security risks, secure those first, and work down the list until the resources available for countermeasures are exhausted.
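The Ryan and Ryan formula and the prioritize-until-the-budget-runs-out rule, carried through in code. This is an added example, not from the post or from Ryan and Ryan; the asset names, the 1-10 scores, the mitigation costs and the budget are constructed sample values.

```python
"""Risk scoring and prioritisation with Risk = ((T x V) / C) x I.

Added example. The assets, their 1-10 scores, mitigation costs and the
budget are constructed sample data, not figures from the post.
"""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    threats: float          # those who wish to do you harm (capability / count)
    vulnerabilities: float  # inherent weaknesses or design flaws
    countermeasures: float  # protections already in place; must be > 0
    impact: float           # damage or potential loss if the event occurs
    mitigation_cost: float  # hypothetical cost of the next countermeasure


def risk(a: Asset) -> float:
    """Apply the formula exactly as quoted; C = 0 would divide by zero."""
    if a.countermeasures <= 0:
        raise ValueError(f"{a.name}: countermeasures must be positive")
    likelihood = (a.threats * a.vulnerabilities) / a.countermeasures
    return likelihood * a.impact


def prioritize(assets, budget: float):
    """Rank assets by risk (highest first) and fund mitigations in that order,
    stopping at the first one the remaining budget cannot cover."""
    ranked = [(a.name, risk(a)) for a in sorted(assets, key=risk, reverse=True)]
    funded, remaining = [], budget
    for a in sorted(assets, key=risk, reverse=True):
        if a.mitigation_cost > remaining:
            break  # resources for countermeasures are exhausted
        funded.append(a.name)
        remaining -= a.mitigation_cost
    return ranked, funded, remaining


SAMPLE = [  # constructed scores on a 1-10 scale, cost in arbitrary units
    Asset("public web server", 8, 6, 4, 7, 30),
    Asset("HR database",       5, 7, 2, 9, 50),
    Asset("print server",      3, 5, 5, 2, 10),
    Asset("VPN gateway",       7, 4, 7, 8, 40),
]

if __name__ == "__main__":
    ranked, funded, left = prioritize(SAMPLE, budget=100)
    for name, score in ranked:
        print(f"{name:18} risk={score:.1f}")
    print("funded:", funded, "budget left:", left)
```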

In a sense, being unable to “get rid of risk” or fully secure ourselves from anything bad happening to us is a philosophically imperfect answer and leaves me feeling unsatisfied–in other words, what good is security if we can’t ever really have it anyway?

I guess the ultimate risk we all face is the risk of our own mortality. In response all we can do is accept our limitations and take action on the rest.

(Source Photo: here with attribution to martinluff)

Leadership Cloud or Flood Coming?


I came across two very interesting and concerning studies on cloud computing–one from last year and the other from last month.

Here is a white paper by London-based Context Information Security (March 2011)

Context rented space from various cloud providers and tested their security.

Overall, it found that the cloud providers failed in 41% of the tests and that tests were prohibited in another 34% of the cases –leaving a pass rate of just 25%!

The major security issue was a failure to securely separate client nodes, resulting in the ability to “view data held on other service users’ disk and to extract data including usernames and passwords, client data, and database contents.”

The study found that “at least some of the unease felt about securing the Cloud is justified.”

Context recommends that clients moving to the cloud should:

1) Encrypt–“Use encryption on hard disks and network traffic between nodes.”

2) Firewall–“All networks that a node has access to…should be treated as hostile and should be protected by host-based firewalls.”

3) Harden–“Default nodes provisioned by the Cloud providers should not be trusted as being secure; clients should security harden these nodes themselves.”

I found another interesting post on “dirty disks” by Context (24 April 2012), which describes another cloud vulnerability: remnant client data is left behind on reused storage, where it becomes vulnerable to others harvesting and exploiting it.
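The defensive counterpart to the “dirty disks” finding is to verify that a volume was actually scrubbed before it is handed to the next tenant. This is an added example, not Context’s code or the post’s; the block size and the two sample images are constructed.

```python
"""Remnant-data check for a storage volume before it is reused.

Added example. BLOCK and the sample images are constructed; a real check
would read the block device instead of an in-memory bytes object.
"""
import string

BLOCK = 512  # constructed block size for the sample image
PRINTABLE = set(string.printable.encode()) - {0x0B, 0x0C}


def longest_printable(chunk: bytes, minimum: int = 6) -> str:
    """Longest run of printable bytes, so an operator can tell whether a
    leftover block looks like text (config, credentials, rows) or noise."""
    best, run = b"", b""
    for b in chunk:
        if b in PRINTABLE:
            run += bytes([b])
        else:
            best, run = max(best, run, key=len), b""
    best = max(best, run, key=len)
    return best.decode() if len(best) >= minimum else ""


def dirty_blocks(image: bytes, block: int = BLOCK):
    """Return (block_index, preview) for every block that is not all zeros.
    A properly scrubbed volume yields an empty list."""
    findings = []
    for off in range(0, len(image), block):
        chunk = image[off:off + block]
        if any(chunk):
            findings.append((off // block, longest_printable(chunk)))
    return findings


def scrub_ok(image: bytes) -> bool:
    """True only when no block carries remnant data from a previous tenant."""
    return not dirty_blocks(image)


# Constructed images: 4 blocks each; block 2 of the dirty one holds leftover text.
LEFTOVER = b"\x00" * 100 + b"db_user=app;db_pass=REDACTED_SAMPLE"
DIRTY_IMAGE = b"\x00" * BLOCK * 2 + LEFTOVER.ljust(BLOCK, b"\x00") + b"\x00" * BLOCK
SCRUBBED_IMAGE = b"\x00" * BLOCK * 4

if __name__ == "__main__":
    for label, img in (("scrubbed", SCRUBBED_IMAGE), ("dirty", DIRTY_IMAGE)):
        print(label, "ok" if scrub_ok(img) else f"REMNANTS {dirty_blocks(img)}")
```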

In response to ongoing fears about the cloud, some are choosing to have separate air-gapped machines, even caged off, at their cloud providers’ facilities in order to physically separate their infrastructure and data–but if this is their way of securing the data, then is this really even cloud, or should we more accurately call it a faux cloud?

While Cloud Computing may hold tremendous cost-saving potential and efficiencies, we need to tread carefully, as the skies are not yet all clear from a security perspective with the cloud.

Clouds can lead the way–like for the Israelites traveling with G-d through the desert for 40 years or they can bring terrible destruction like when it rained for 40 days and nights in the Great Flood in the time of Noah.

The question for us is are we traveling on the cloud computing road to the promised land or is there a great destruction that awaits in a still immature and insecure cloud computing playing field?

(Source Photo: here with attribution to freefotouk)