Who Are the Real Cyber Enemies?

This isn’t going to come as any surprise to any of you reading these messages from me; simply file this little tidbit as ‘par for the course.’

Premera Blue Cross Blue Shield revealed that it was a vector for an attack that exposed health records of some 11 million of its customers.

In a WSJ article a couple of weeks ago, Kaspersky Lab ZAO (the Russian security firm with antivirus of the same name) revealed that organized criminals have stolen millions of dollars from US and Eastern European banks over the last two years.
Some of the most revealing information is that the culprits have been identified as (it appears) Chinese nationals. Certainly this information can be faked, but the important information I want to pass along is the dynamic and rapidly evolving landscape of computer crime.

I’m frequently asked “why should I care about the attack on an insurance company like Premera or Anthem; they don’t really have financial information.”

The reality is, folks, that the people stealing this information have not only taken identity information from these companies, they’ve taken medical records. These can be used for everything from unfair competitive advantage to blackmail of individuals who have sensitive medical information they would rather not have revealed.

What were once attacks on targets of opportunity by ‘script kiddies’ are now attacks by sovereign nations and organized crime on targets of choice.

Certainly this doesn’t come as any surprise to any of you; this information stolen globally affects all of us. But here’s a scary thought for all of us… The attacks we hear about, the viruses and trojans we discover, are the attacks that have FAILED. In fact, the environment is so target rich that the scale is still tipped far in the attackers’ favor.

So as I’ve sent out my first three tips, they all appear VERY basic, but they are the foundation of good information protection practices. My next tip will focus on the use of multi-factor authentication.

http://lrs.ms/EastEuropeHacks

http://lrs.ms/PremeraBCBSHack

http://lrs.ms/InfoSecTip1

http://lrs.ms/InfoSecTip2

http://lrs.ms/InfoSecTip3

Information Security Tip 3 – Do I REALLY want to connect to that public Wifi?

Physical hardware does not need to leave your possession for data to be compromised, particularly when you’re using equipment or network connections in public internet cafes, business centers, airports or hotels. 

It is not uncommon to find spyware on such PCs. Many users may have plugged USB sticks into such computers to aid data transfer, but this is in itself a possible source of infection. 

It may come as a surprise to know that a business center in a hotel can often be less securely managed than a street cybercafé like Starbucks. And when it comes to the wireless internet facilities available in hotels and other public areas, it is easy for anyone to set up a fake WiFi network and encourage people to connect to it to capture sensitive information.

Consider using a VPN; I use a VPN on my mobile devices and laptops whenever and wherever I go. There are several good inexpensive options. I use Private Internet Access.

First of all, make sure your personal firewall is turned on for your PC; both PCs and Macs have them.

If you don’t have a data tethering plan on your mobile device, consider getting one and using it in place of connecting to a public WiFi.

Finally you might simply want to consider only using certain sites when connecting to a public WiFi access point.

http://lrs.ms/DataSecureTravel
http://lrs.ms/SecurePublicWifi
http://lrs.ms/VPNReviews

Information Protection – Tip 2

90% of all passwords are vulnerable.
It takes 5 minutes to go from hackable to uncrackable… (Look I know these sound like the fundamentals but you’d be surprised at what I see people do).
In fact, over a long enough timeline every password’s security drops to zero.
(Thank you passwordday.org for allowing me to shamelessly plagiarize this first paragraph)
Surprisingly you would think those who were brought up in the age of always having a computer nearby, The Millennials, would think this is as old hat as the advice to use condoms or not smoke (both of which many choose to ignore anyway), but the statistics show otherwise. Only 41% of them and their neighbors the Gen X’ers changed their passwords ever or only when prompted.
http://lrs.ms/MillennialPwds
And 55% use the same password for everything.
http://lrs.ms/55PctUseSame
I could write a book on good credential hygiene, but the site for password day 2014 has several excellent suggestions.
http://lrs.ms/PwdDay

Information Protection – Tip 1

Let’s start with the basics… It’s called phishing for a reason…
95 percent of all successful attacks started with an attempt to get you to click on a link you shouldn’t…
http://lrs.ms/atks-hum-err
Seriously people; would you knowingly drive to a questionable part of town… in the middle of the night… with your doors unlocked… your windows rolled down… your wallet, purse or whatever sitting open on the front seat… cash and credit cards out in plain sight and easy reach…
AND THEN give all of your personal information including driver’s license number, social security number, passport and banking information to the first STRANGER you meet?
THAT’S exactly what you’re doing when you venture to those questionable websites (if you really need a lesson on the ones to which I refer dust me privately and I’ll be happy to give you my opinion), or click the link in the email guiding you to a heretofore unknown inheritance from the long-lost relative you didn’t know you had.
Here’s my first tip… DON’T
Patient: “Doctor, Doctor! It hurts when I do this…”
Doctor: “Well, don’t do that!”

Information Protection and Privacy

This past Wednesday was National Data Privacy Day, created by Congress in 2009 to help raise awareness of the need to protect personal information and data.

While it seems laughable that the same government that espouses the need to protect our data is the same body that brings us Edward Snowden-esque allegations of widespread data infiltration of its citizens by same said government; I think there is a point here worth noting…

At the risk of stating the obvious; protecting your information and identity, whether online or otherwise, IS important.

But it is also YOUR data, and therefore YOUR responsibility. Which is good because we are largely on our own. Being on our own is, in a lot of ways, freeing; we aren’t going to delude ourselves that something is happening when it’s not. (What do you mean I’m denied medical coverage?! That’s why I pay for insurance!)

Having spent a considerable amount of time in the EU, one of the things they do is take protection and privacy seriously; the EU’s Data Protection Directive requires substantial disclosure of the use of collected personal information and levies heavy fines on those commercial enterprises that violate the directive.

The U.S. has no commensurate directive or legislation. So it becomes our responsibility to ensure our own protection.

I mentioned around Christmas time that I would be sending out ‘bite sized’ tips on protecting your information. Some of them are so obvious they seem ludicrous to even mention, but having been in my position for as long as I have (and two Masters degrees in information security), I find that 99% of protecting your information is about good personal practices (when was the last time you changed your passwords, and do you use the same or similar passwords for your banking information as you do for Amazon?)

I rest my case.

http://lrs.ms/EUDataProtLaw
http://lrs.ms/EUDataProt
http://lrs.ms/DataPrvWP

 

 

Net Neutrality and Internet Sovereignty a Match Made in Censorship

If you don’t think net neutrality and internet sovereignty are related, you better think again.

The Republicans in Congress are fiercely fighting the request by the Obama administration to classify broadband internet providers as a utility, making them, and the Internet, subject to much stricter regulation.

At the heart of the net neutrality debate is ostensibly whether or not internet should be considered like a utility and therefore subjected to utility provider regulation similar to electric or telephone service.

Meanwhile in China, Internet Czar Lu Wei and President Xi Jinping are arguing the state’s right to manage and govern the information running across its sovereign territory. The Internet, Wei argues, is part of the national infrastructure like roads and power and it is the state’s responsibility to ensure infrastructure stability.

Both prescribe controlling information flow across the internet, albeit each country takes a slightly different approach. While China is more overt in controlling information; by classifying and categorizing information protocols, the proponents against net neutrality arrive at very much the same place.

The tragedy of the Charlie Hebdo shootings simply underscores the stakes involved in the freedom of information debate.

We are quickly facing a world where the information we’ve taken for granted may not be as easily accessible.

http://lrs.ms/ChinaInternet20151
http://lrs.ms/ChinaInternet2015
http://lrs.ms/NetNeutrality2015
http://lrs.ms/NetNeutralityDefined

Are You Really Private?

From the Snowden leaks last year, to all of the ‘cyber breaches’ and loss of personal information from large retailers in the last couple of years; we as a global village are finding out that keeping things to yourself is not as easy as it once was.

All of the social media platforms compound the difficulty of keeping our private information private, and we all struggle with the increasing importance to do so.

In a world where EVERYTHING is ‘out there forever’ as soon as it’s set into the wild, and where almost everything is subject to discovery in our increasingly litigious society; I see an increase in the number of secure messaging apps aiming to help keep conversations private; for example:

Sicher, Silent Circle, CyberDust, Signal, et al. all use end to end encryption and data destruction to provide a means for groups of people to communicate with each other securely and privately.

Even WhatsApp, the popular text messaging replacement application, is starting to use end to end encryption.

But I’ve noticed another trend unique to these secure applications; while they have provided a means of ‘hiding from prying eyes’ they have fostered a new sort of social media platform.

For example one of my favorite new apps is CyberDust (available on iOS, Android, and Windows Phone). CyberDust not only provides secure person to person messaging because everything runs over an encrypted channel, and the messages self destruct after a short period of time AND are NEVER stored on their servers or any endpoint; CyberDust also provides a sort of ‘Twitter-Like’ platform where a person can ‘Blast’ a message to a group of subscribed followers.

I’ve been using CyberDust to sort of ‘Pre-Publish’ posts, as a platform that allows me to get something ‘out-there’ quickly without a lot of editing, and in somewhat longer format than the Twitter limit of 140 characters.

I find this feature incredibly useful, because I can send raw unedited posts to my followers without worrying too much about the editorial content, grammar, and so forth; and since I save my posts to Evernote, I can come back at a more convenient time, clean them up and post them on LinkedIn or my blog (blog.ross-sivertsen.com).

But I’ve noticed as I’ve used CyberDust, something more disturbing occurring; many of the people I follow, some of them professionals, are posting pictures and comments I believe they would think twice about posting if the platform they were using was as open as Facebook, or Twitter.

Let me say before I continue, that I’m neither Pollyanna nor prudish about this subject, and I am in NO WAY making a judgment about anyone I follow; I publish a number of posts that are all raw, unedited, and sometimes incendiary.

What I am saying is; even with a platform that leaves no physical nor virtual evidence of pictures, posts or comments; when we intentionally broadcast a message to a group of people, do we not leave with our audience, followers and listeners a residual impression of who we are; whether or not evidence exists?

This subject goes beyond privacy issues and quickly is an issue of reputation management. The fact of the matter is regardless of whether or not the platform is secure and encrypted, I am sending a post out to the public, i.e. more than one person to whom I have no personal relationship other than they follow me, rather than one or two people with whom I have a relationship and where the conventional social contract of confidentiality is the norm.

I believe in the right to personal expression and exercise said personal expression frequently, I am also acutely aware of the consequences of my actions, and of the things I publish or portray.

My point is that this message becomes a cautionary tale to everyone (most of all myself) that we leave a lasting impression of who we are and what we’re about with the people around us; even if the evidence self destructs after 30 seconds.

“Three people can keep a secret, if two of them are dead.” – Benjamin Franklin