Catching More Flies With Honey

There’s an old saying that you can catch more flies with honey than with vinegar.

And this is true in cyberspace as well…

Like a honey pot that attracts cyber criminals, organizations are now hiring “ethical hackers” to teach employees a lesson, before the bad guys teach them the hard way.

The Wall Street Journal (27 March 2013) reports that ethical hackers lure employees to click on potentially dangerous email links and websites, get them to provide physical access to data centers and work site computers, or give up passwords or other compromising information through social engineering.

The point of this is not to make people feel stupid when they fall for the hack–although they probably do–but rather to show the dangers out there in cyberspace and to impress on them to be more careful in the future.

One ethical hacker company sends an email with a Turkish Angora cat (code-named Dr. Zaius) promising more feline photos if people just click on the link. After sending this to 2 million unsuspecting recipients, 48% actually fell for the trick and ended up with a stern warning coming up on their screen from the cyber security folks.

Another dupe is to send a faux email, seemingly from the CEO or another colleague so that recipients feel safe, but containing an unsafe web link, and see how many fall for it.

While I think it is good to play devil’s advocate and teach employees by letting them make mistakes in a safe way–I do not think that the people should be named or reported as to who fell for it–it should be a private learning experience, not a shameful one!

The best part of the article was the ending from a cyber security expert at BT Group who said that rather than “waste” money on awareness training, we should be building systems that don’t let users choose weak passwords and don’t care what links they click–they are protected!

I think this is a really interesting notion–not that we can ever assume that any system is ever 100% secure or that situational awareness and being careful should ever be taken for granted, but rather that we need to build a safer cyberspace–where every misstep or mistake doesn’t cost you dearly in terms of compromised systems and privacy. 😉

(Source Photo: Dannielle Blumenthal)

Robots: More Than A Technical Challenge

This is the DARPA Pet-Proto Robot (a predecessor to the Atlas model) showing some pretty cool initial operating capabilities for navigating around obstacles.

– Climbing over a wall
– Straddling a pit
– Going up a staircase
– Walking a plank

These things may seem simple to you and me, but for these robots, we are talking about their autonomously sensing what’s around them, identifying and evaluating alternatives to overcome them, deciding on what to actually do, and then successfully executing on it.

Not bad for a machine (even if we are spoiled by the great science fiction writers and special effects of Hollywood)!

We will be seeing a lot more progress in this area over the next 27 months in response to the DARPA Robotics Challenge (DRC), where robots are being looked to “execute complex tasks” for “humanitarian, disaster relief, and related activities” in potentially “dangerous and degraded, and human-engineered” environments.

I’d say only another 15-20 more years and the robots will be walking among us–but are we prepared for the significant shift about to occur?

Think about it–these robots will be able to do a lot more of the physical work (construction, manufacturing, service, care-taking, even warfighting, and more), and while we will benefit from the help, jobs are going to continue to get a lot tougher to find if you are not in fields such as engineering, science, technology, design, and so on.

This is going to lead to continued, significant social, educational, and economic disruptions.

What is now a robotics challenge to meet certain performance benchmarks may in the future become a human challenge to shift from a human-dominated world to one which is instead shared or commingled with machines.

This means that we need to define the boundaries between man and machine–will we be working and playing side-by-side, how about loving or fighting each other, and is there the possibility that the machine will some day transcend the inventor altogether?

I believe that we need significantly more study and research into how robotics is going to transform the way we live, work, and interact, and how humanity will adapt to and survive this new monumental opportunity, but also looming threat.

What is just an obstacle to overcome in a simulation chamber may one day become an urban battlefield where humans are not necessarily the clear winners.

While I love robotics and where it can take us, this cannot be a field limited to the study of hardware and software alone.

Big Phish, Small Phish

Phishing
Phishing is an attack whereby someone pretends to be a trustworthy entity, but is really trying to get your personal information in order to steal from you or an organization.
Phishing is a type of social engineering where fraudsters try to deceive and spoof their victims by sending email or instant messages (or even by calling) and pretending to be a legitimate private or public sector organization. They then either request personal information, provide links to fake websites, or even create unauthorized pop-ups from legitimate websites to get you to give them your personal data. Additionally, phishing emails can contain attachments that infect recipients’ computers with malware, creating a backdoor to control or compromise a system and its information.

In all of these cases, the intent of phishing is to impersonate others and lure consumers into providing information that can be used to steal identities, money, or information.

The word phishing alludes to the technique of baiting people and, as in real fishing, fooling at least some into biting and getting caught in the trap. In this fraudulent scheme, perpetrators pretend to be legitimate financial institutions, retailers, social media companies, and government agencies in an attempt to get you to divulge private information like date of birth, social security numbers, mother’s maiden names, account numbers, passwords and more.

Once criminals have this valuable information, they can commit identity theft, break into your accounts, and steal money or information. Spear-phishing is a derivative of this scam that is targeted at specific people, and whaling is when the scam is perpetrated on organization executives or other high-profile targets, which can be especially compromising and harmful to them or the organizations they represent.

The first recorded phishing attack was in 1987. Over the years, the prevalence of these attacks has steadily increased. According to the Anti-Phishing Working Group (APWG), there were some 20,000-25,000 unique phishing campaigns every month through the first half of 2011, each targeting potentially millions of users. Additionally, as of March 2011, there were as many as 38,000 phishing sites. The most targeted industry continues to be financial services, with 47% of the attacks.

There are a number of ways to protect yourself against phishing attacks:

  1. Delete email and messages that are unwarranted and ask for personal information
  2. Do not click on links, instead go directly to a website by using a search engine to locate it or copying the link and pasting it into the browser
  3. Configure your browser to block pop-ups
  4. Use anti-virus, firewalls, and anti-spam software
  5. Set up automatic security updates
  6. Input personal information only into secure sites, such as those that begin with “https”
  7. Only open attachments when you are expecting them and recognize where they are coming from
  8. Check financial statements upon receipt for any fraudulent activity
  9. If you are caught in a phishing scheme, notify law enforcement and credit reporting authorities immediately
  10. Always be cautious in giving out personal information

Whether you consider yourself a big fish or a small fish, beware of those trying to catch you up on the Internet–hook, line, and sinker.
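Tips 2 and 6 above (go to the site directly rather than trusting the link, and only enter data on “https” sites) can be checked mechanically before a message ever reaches a person. The script below is an added example, not code from the original post: it parses the HTML body of a message and flags any link whose visible text names one host while the href points somewhere else, whose destination is plain http, or whose host is a bare IP address. The sample message is constructed for the demo.

```python
"""Flag suspicious links in an HTML e-mail body (added example, constructed input)."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress
import re

# Constructed sample: one honest link, one link whose text and target disagree,
# and one plain-http link with generic "click here" text.
SAMPLE_EMAIL = """
<p>Dear customer, please verify your account.</p>
<a href="https://www.example-bank.com/login">https://www.example-bank.com/login</a>
<a href="http://203.0.113.7/login">https://www.example-bank.com/login</a>
<a href="http://promo.example.net/offer">Click here for your reward</a>
"""

# Something that looks like a host name inside the visible link text.
_HOSTLIKE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _normalize_host(host):
    """Compare hosts without a leading 'www.' so 'www.x.com' matches 'x.com'."""
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def audit_links(html_body):
    """Return [(href, [reasons])] for every link with at least one finding."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        reasons = []
        parsed = urlparse(href)
        host = (parsed.hostname or "").lower()
        if parsed.scheme != "https":
            reasons.append("not https")
        if _is_ip(host):
            reasons.append("raw IP address as host")
        m = _HOSTLIKE.search(text)
        if m and _normalize_host(m.group(1)) != _normalize_host(host):
            reasons.append(f"visible text names {m.group(1)} but link goes to {host}")
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in audit_links(SAMPLE_EMAIL):
        print(href, "->", "; ".join(reasons))
```

A mail gateway or a user-side add-on can run this over the HTML part of a message and rewrite or annotate the flagged links; the text/host mismatch check is the one that catches the classic “display a bank URL, link to something else” trick.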

Where The Biggest Nuts Rise To The Top

According to an article in Mental Floss (November/December 2011), engineers at the Advanced Dynamics Laboratory in Australia in 1996 researched how to mitigate The Muesli Effect, which describes the paradox of how, for example, cereal in boxes tends to separate, with the smaller stuff lingering on the bottom and the large chunks rising to the top. This is the opposite of what you’d expect in terms of the larger, heavier pieces falling to the bottom–but they don’t. This is also known as The Brazil Nuts Effect, because the largest nuts (the Brazil nuts) can rise to the top. While in physics this may be good, in leadership it is not.

With leadership, the Muesli Effect can lead to situations where cut-throat, unethical workplace operators push their way to the top on the backs of the masses of hardworking individuals. Unfortunately, these workplace “bullies” may stop at nothing to get ahead, whether it means manipulating the system through nepotism, favoritism, outright discrimination, or political shenanigans. They may lie, steal, kiss up, or kick down, shamelessly disparaging and marginalizing coworkers and staff–solidifying their position and personal gain, which unfortunately comes at the expense of the organization and its true mission.

Some really do deserve their fortune by being smarter, more talented, innovative, or hardworking. In other cases, you have those who take unjustifiably and ridiculously disproportionately at the expense of others (hence the type of movements, such as the 99% or Occupy, currently underway). This corruption of leadership raises the question of whom they have “brown-nosed,” what various schemes (Ponzi or otherwise) they have been running, how many workers they have exploited, suppliers squeezed, partners shafted, and customers and investors they have taken advantage of.

Countless such ingenious leaders (both corporate and individual) rise by being the organization’s “false prophets” and taking advantage of the “little guy”–Enron, WorldCom, HealthSouth, Tyco, MF Global, and Bernie Madoff are just a few examples that come to mind. These and other examples can be found in government, non-profit, and educational institutions as well.

Interestingly, the Muesli Effect occurs when you shake a box vertically. However, if you rock it side-to-side, then you reverse the effect: the larger and heavier pieces of chaff fall to the bottom, letting the precious kernels rise to the top.

This is similar to organizations, where if you focus on working horizontally across your organization and marketplace–on who you serve, your partners, suppliers, investors, and customers in terms of breaking down barriers, building bridges, and solving customer problems–then the real gems of leadership have the opportunity to shine and rise.

In the age of social networking, information sharing, collaboration, and transparency, the reverse Muesli Effect can help organizations succeed. It is time to stop promoting those leaders who build empires by shaking the organization up and down in silos that are self-serving, and instead move to rewarding those that break down stovepipes to solve problems and add real value.

(Source Photo: here)

Be Careful What You Point That At

By now many of you may have pointed your smartphones at a QR (“Quick Response”) code to get more information on products, places, events, and so forth.

A QR code is a barcode that generally contains alphanumeric information and takes you to a website when you read it with your smartphone (i.e. by taking a picture of it with a QR reader app).

QR codes remind me of the barcodes scanned in the store at the checkout line, but QR codes look more like a squared-off Rorschach test compared to the barcodes on items you purchase, which are rectangular straight lines from top to bottom.

By reading the QR code, you don’t have to remember or type any information into your smartphone–you’re just zipped right off to wherever the QR points you (usually after you confirm on the screen that you are okay with going to the URL).

But QR codes, like any information technology, can be used for good or evil. For some reason, though, people seem to have been unsuspecting of these innocuous-looking QR codes.

Kaspersky Lab has issued a warning on QR codes after finding consumers in Russia scammed when they thought they were downloading an Android app and were instead infected with malware that caused their phones to send SMS messages to a premium number that charged for each message sent.

So while QR codes can take a reader to a harmless website for information, like other computer code they can contain instructions that cause you to send email or SMS messages, download applications, etc.

So unless you know what you are reading (i.e. you have a high degree of confidence in whoever placed the advertisement with the QR code), think twice before scanning that barcode, because you may get a surprise package on your smartphone that you weren’t expecting, causing infection of your device, loss of privacy of the information stored on it, or costing you money for things you never wanted or intended to spend on.

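The point that a QR code is just text, and that the text may be an SMS, phone, e-mail or app-store URI rather than a web link, is what a reader app has to act on before it does anything. The following is an added example, not code from the original post or from any QR-reader app: it classifies a decoded QR string by its URI scheme and builds the confirmation text a user should see, so the side effect (send a text message to this number, open this listing) is stated before anything is executed. The payloads and the scheme table are constructed for the demo.

```python
"""Classify decoded QR text and build a confirmation prompt (added example)."""
import re
from urllib.parse import parse_qs, unquote, urlparse

# URI schemes that trigger an action on the phone rather than open a web page
# (constructed table; real readers recognise more).
ACTION_SCHEMES = {
    "sms": "send a text message",
    "smsto": "send a text message",
    "mmsto": "send a multimedia message",
    "tel": "place a phone call",
    "mailto": "send an e-mail",
    "market": "open an app store listing",
    "intent": "launch another app via an Android intent",
}

# A URI scheme is letters/digits/+/-/. followed by a colon (RFC 3986 syntax).
_SCHEME = re.compile(r"^([a-z][a-z0-9+.\-]*):", re.I)

# Constructed sample payloads, as a reader would decode them from the image.
SAMPLE_PAYLOADS = [
    "https://www.example.com/menu",
    "http://promo.example.net/app.apk",
    "SMSTO:8888:WIN",
    "sms:+15550001234?body=subscribe",
    "market://details?id=com.example.app",
    "Table 12, order at the counter",
]


def classify_qr_payload(payload):
    """Return (category, summary) for a decoded QR string.

    category is "web" (https link), "insecure-web" (http link),
    "action" (anything that does more than open a page) or "text".
    """
    text = payload.strip()
    m = _SCHEME.match(text)
    if not m:
        return ("text", "plain text, nothing to open")
    scheme = m.group(1).lower()
    if scheme in ("http", "https"):
        host = urlparse(text).hostname or ""
        category = "web" if scheme == "https" else "insecure-web"
        return (category, f"open web page on {host}")
    if scheme == "market":
        # The app id lives in the query string, e.g. market://details?id=...
        target = parse_qs(urlparse(text).query).get("id", [""])[0]
    else:
        # Everything after the scheme up to the first ':' or '?' is the target
        # (number or address); what follows is the message body or parameters.
        rest = unquote(text[m.end():]).lstrip("/")
        target = re.split(r"[:?]", rest, maxsplit=1)[0]
    description = ACTION_SCHEMES.get(scheme)
    if description is None:
        # Unknown scheme: treat it as an action, the conservative choice.
        description = f"hand off to another app via the {scheme!r} scheme"
    return ("action", f"{description}: {target}")


def confirmation_prompt(payload):
    """Text the reader app should show, and wait on, before following the code."""
    category, summary = classify_qr_payload(payload)
    if category == "text":
        return f"This code contains text: {payload.strip()}"
    if category == "action":
        return f"This code will {summary}. Continue?"
    warning = " (not encrypted)" if category == "insecure-web" else ""
    return f"Open {payload.strip()}{warning}?"


if __name__ == "__main__":
    for p in SAMPLE_PAYLOADS:
        print(classify_qr_payload(p), "|", confirmation_prompt(p))
```

The design choice is that the prompt names the side effect rather than echoing the raw string: “send a text message: 8888” tells the user what the premium-number scam in the Kaspersky report would have done, whereas the raw `SMSTO:8888:WIN` does not.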
Scanning a QR code, while as simple as taking a picture of a sunset, may not have such beautiful consequences.

(Source Photo: here)

What’s Lurking In The Update?

In defense, it is a well-known principle that you determine your critical infrastructure, and then harden those defenses—to protect it.

This is also called risk-based management, because you determine your high-impact assets and the probability that they will be “hit,” and deem those the high-risk ones that need to be most protected.

In buttressing the defenses of our critical infrastructure, we make sure to only let in trusted agents. That’s what firewalls, anti-virus, anti-spyware, and intrusion prevention systems are all about.

In so-called “social engineering” scams, we have become familiar with phony e-mails that contain links to devastating computer viruses. And we are on the lookout for whether these e-mails are coming from trusted agents or people we don’t know and are just trying to scam us.

What happens, though, when, like the Trojan Horse in Greek times, the malware comes in from one of the very trusted agents that you know and rely on, for example from a software vendor sending you updates for your regular operating system or antivirus software?

ComputerWorld, 10 May 2010, reports that a “faulty update, released on April 21, [by McAfee] had corporate IT administrators scrambling when the new signatures [from a faulty antivirus update] quarantined a critical Windows systems file, causing some computers running Windows XP Service Pack 3 to crash and reboot repeatedly.”

While this particular flawed security file wasn’t the result of an action by a cyber-criminal, terrorist or hostile nation state, but rather a “failure of their quality control process,” it raises the question: what if it had been malicious rather than accidental?

The ultimate Trojan Horse for our corporate and personal computer systems is the regular updates we get from vendors to “patch” or upgrade our systems. The doors of our systems are flung open to these updates. And the strategic placement of a virus into these updates, which have free rein over our core systems, could cause unbelievable havoc.

Statistics show that the greatest vulnerability to systems comes from the “insider threat”—a disgruntled employee, a disturbed worker, or perhaps someone unscrupulous who has somehow circumvented or deceived their way past the security clearance process (or not) for employees and contractors and now has access from the inside.

Any well-placed “insider” in any of our major software providers could potentially place that Trojan Horse in the very updates that we embrace to keep our organizations secure.

Amrit Williams, the CTO of BIGFIX Inc. stated with regards to the faulty McAfee update last month, “You’re not talking about some obscure file from a random third party; you’re talking about a critical Windows file. The fact that it wasn’t found is extremely troubling.”

I too find this scenario unnerving and believe that our trusted software vendors must increase their quality assurance and security controls to ensure that we are not laid bare like the ancient city of Troy.

Additionally, we assume that the profit motive of our software vendors themselves will keep them as organizations “honest” and collaborative, but what if the “payoff” from crippling our systems is somehow greater than our annual license fees to them (e.g., terrorism)?

For those familiar with the science fiction television series Battlestar Galactica, what if there is a “Baltar” out there ready and willing to bring down our defenses to some lurking computer virus—whether for some distorted ideological reason, a fanatical drive for revenge, or a belief in some magnanimous payoff?

“Trust but verify” seems the operative principle for us all when it comes to the safety and security of our people, country and way of life—and this applies even to our software vendors who send us the updates we rely on.

Ideally, we need to get to the point where we have the time and resources to test the updates that we get prior to deploying them throughout our organizations.
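What “trust but verify” and testing before deployment look like in practice is a gate with two checks: the downloaded update must match the digest the vendor published for it, and it goes to a small canary group whose health is checked before the rest of the fleet gets it. A reboot loop of the kind the faulty McAfee signatures caused is exactly what the canary step exists to catch. The following is an added example, not code from the original post or from any vendor’s update tooling; the manifest format, the update bytes, the host names and the health results are all constructed, and a real deployment would also verify the manifest’s signature, which is not shown here.

```python
"""Gate a vendor update on integrity and a canary group (added example)."""
import hashlib
import hmac

# Constructed sample: the update as shipped, and a copy altered in transit.
GOOD_UPDATE = b"signature database, build 1234, 4096 rules ..."
TAMPERED_UPDATE = GOOD_UPDATE.replace(b"4096", b"4097")
# Constructed manifest of the kind a vendor publishes alongside the file.
MANIFEST = {"sigdb.dat": hashlib.sha256(GOOD_UPDATE).hexdigest()}
# Constructed fleet of twenty workstations.
FLEET = [f"ws-{n:02d}" for n in range(1, 21)]


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_update(name, data, manifest):
    """True only if the manifest lists this file and its digest matches."""
    expected = manifest.get(name)
    if expected is None:
        return False
    # Constant-time comparison, so digest checks do not leak by timing.
    return hmac.compare_digest(sha256_hex(data), expected)


def plan_rollout(hosts, canary_fraction=0.1, minimum_canaries=2):
    """Split hosts into (canaries, rest), picking canaries deterministically."""
    ordered = sorted(hosts)
    n = max(minimum_canaries, int(len(ordered) * canary_fraction))
    n = min(n, len(ordered))
    return ordered[:n], ordered[n:]


def rollout(name, data, manifest, hosts, install, health_check):
    """Run the gated rollout and return a list of decision records.

    install(host) applies the update; health_check(host) returns True if the
    host is still healthy afterwards (e.g. has not entered a reboot loop).
    """
    log = []
    if not verify_update(name, data, manifest):
        log.append("REJECT: digest mismatch or file not in manifest")
        return log
    canaries, rest = plan_rollout(hosts)
    for host in canaries:
        install(host)
    failed = [h for h in canaries if not health_check(h)]
    log.append(f"canary group {canaries}: {len(failed)} unhealthy")
    if failed:
        log.append(f"HALT: fleet rollout withheld, unhealthy canaries {failed}")
        return log
    for host in rest:
        install(host)
    log.append(f"fleet rollout completed on {len(rest)} hosts")
    return log


if __name__ == "__main__":
    installed = []
    # Constructed health model: the update breaks any odd-numbered host.
    broken = lambda host: int(host.split("-")[1]) % 2 == 1
    print(rollout("sigdb.dat", TAMPERED_UPDATE, MANIFEST, FLEET, installed.append, lambda h: True))
    print(rollout("sigdb.dat", GOOD_UPDATE, MANIFEST, FLEET, installed.append, lambda h: not broken(h)))
    print(rollout("sigdb.dat", GOOD_UPDATE, MANIFEST, FLEET, installed.append, lambda h: True))
```

The digest check covers corruption and substitution between the vendor and you; it says nothing about an insider at the vendor, which is why the canary group is the second gate: an update that quarantines a critical system file fails the health check on two machines instead of the whole organization.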