It is time to get more serious about protecting your email

Did you get a strange email last week from someone that you didn’t know, including one of your old passwords in the subject line? I did, and I heard many others were part of this criminal ransomware activity. Clearly, they were sent out with some kind of automated mailing list that made use of a huge list of hacked passwords. (You can check if your email has been leaked on this list.) It really annoyed me, and I got a few calls from friends wanting to know how this criminal got ahold of their passwords. (BTW: you shouldn’t respond to this email, because then you become more of a target.)

But the question that I asked my friends was this: Do you still have logins that make use of that password? You probably do.

Email is inherently insecure. Sorry, it has been that way since its invention, and still is. All of us don’t give its security the attention it needs and deserves. So if you got one of these messages, or if you are worried about your exposure to a future one, I have a few suggestions.

First, you need to read this piece by David Koff on rethinking email and security. It brought to mind the many things that folks today have to do to protect themselves. I would urge you to review it carefully. Medium calculates it will take you 17 minutes, but my guess is that you need to budget more time. There is a lot to unpack in his post, so I won’t repeat it here.

Now Koff suggests a lot of tools that you can use to become more secure. I am going to just give you four of them, listed from most to least important.

  1. Set up a password manager and start protecting your passwords. This is probably the biggest thing that you can do to protect yourself. It will make it easier to use stronger and unique passwords. I use LastPass.com, which is $2 per month. For many of my accounts, I don’t even know my passwords anymore because they are just some combination of random letters and symbols. If you don’t want to pay, there are many others that I reviewed at that link here that are free for personal accounts.
  2. Create disposable email accounts for all your mailing lists. Koff suggests using 33mail.com, but there are many other services including Mailinator.com, temp-mail.org, and throwawaymail.com. They all work similarly. The hard part is unsubscribing from mailing lists with your current address, and adding the new disposable addresses.
  3. Even with a password manager, you need to make use of some additional authentication mechanism for your most sensitive logins. Use this for as many accounts as you can.
  4. Finally, if you are still looking for something to do, at least try encrypted email. Protonmail.com is free for low-end accounts and very easy to use.

There is a lot more you can do to make yourself more secure. Please take the time to do the above, before you get someone else trying to steal your money, your identity, or both.

Cyber Security Threat Actions This Week (podcast)

If your organization is not using the MITRE ATT&CK framework yet, it’s time to start. Katie Nickels from MITRE, Travis Farral from Anomali and I join host David Senf from Cyverity to talk about ATT&CK tactics, techniques and tools. You can listen to this 45-minute podcast here. We discuss what ATT&CK is and isn’t, how it can be used to help defenders learn more about how exploits work and how to become better at protecting their enterprises, what some of the third-party tools that leverage ATT&CK are (such as MITRE’s own Caldera, shown here), and what some of the common scenarios are in which this framework can be used.

I did two stories for CSOonline about ATT&CK earlier this year:


How to market your book in the social media age

(This article originally appeared in the newsletter of the St. Louis Publishers Assn. It is part of a speech that I gave in July 2018 about marketing books by self-publishers.)

The most important phase of writing your book has nothing to do with the actual act of writing. It is in finding the right people who will promote the book to the world and turn potential readers into your buyers.

Back in the old days, before the Internet became popular, book authors hired publicists to promote them, get them booked on talk shows and arrange book tours. Publicists still exist, but there are other paths toward promotion. And what is good is that you can largely do much of this work on your own, if you have some self-promotional skills. The biggest part of that is in understanding how social media influencers work. (Here is a link to start your research.)

These influencers are the people that have the right kinds of followers in their networks. And they can become very powerful allies in your book marketing plan, and the cost to use them is pretty much just your time, and tenacity.

So how do you find these folks? The first thing is looking at your own social media networks, and making a list of the people that would be relevant to the topic of your book. What, you don’t have many friends on your networks? Now is the time to get busy friending people, and seeking out folks that could become pathways to promotion. You don’t need thousands of names, but you do need to approach this task on a regular basis, and friend new people every day. For those of us who are introverts, this can be painful, and can run counter to our instincts to hide behind our computer screens. Try to fight this, and reach out to people across your neighbors, your work colleagues, your church or other social organizations, and so forth.

One thing you don’t want to do is to buy lists of names. While this is certainly possible, you don’t know the quality of the names you are getting, and chances are many of these names aren’t going to be helpful to your book promotion anyway. Save your money.

Next, figure out the keywords that describe your audience, topic, focus, and what they are interested in and why they would buy your book. This means using these keywords to do many Google searches. Many means hundreds. Sometimes, you want to combine two or three keywords to be more effective.

Next, pick your social media network where your audience will hang out. If your book has a visual component, then stick with Pinterest or Instagram. If you have news-related content, Twitter. If it is general interest fiction, Facebook. Business-related topics, LinkedIn. These aren’t hard and fast choices, and feel free to experiment with more than one social network if you have the time. This doesn’t mean you need to craft a separate collection of Tweets, Pinterest Pins, etc. In fact, you can share announcements across multiple social networks. A good tool to do this is Hootsuite (shown here).

While you are doing all of this, you should settle on your book title and domain name for your book’s website. Yes, you need a website. Part of that website should be an email newsletter, where you tell your potential readers what is going on with your book, so they can get involved in its writing and production. You should commit to writing one post every week in the months leading up to your book launch on your website. After all, you are a writer!

Next, start collecting email addresses from your social media connections and use them to populate an email list. There are plenty of low-cost web hosting providers out there, and plenty of choices with email server companies such as MailChimp, ConstantContact, SendGrid, and others. Many of these services have free plans if your list is small, so take advantage of them. You can send out a new email with a copy of each blog post to save time if you wish.

Finally, start thinking about collecting reviewers. There is an entire universe of Amazon influencers, but I won’t get into that here. Look at NetGalley, especially if you want to join the IBPA. This is a website that is used to promote new books to a list of active readers and reviewers. Good luck with your marketing!

FIR B2B PODCAST #100: THE MOST MEMORABLE MOMENTS OF OUR DECADES IN TECH JOURNALISM

This week we take a trip down memory lane to discuss the highlights of our 60-some odd collective years of working as B2B journalists in the technology field. There are some great stories, such as meeting Bill Gates (Paul at a press junket, David at an industry conference) and working with Greg Gianforte, now a member of Congress from Montana after making several fortunes starting technology businesses. Being a tech journalist has its risks: Charles Wang, when he was chairman of Computer Associates, campaigned to get Paul fired from Computerworld, but the two later became friends. David’s parody of Miss Manners got him a cease-and-desist letter from the columnist’s lawyers. We both recall what the introduction of the web did for our industry and our world back in 1994, and how quickly the publishing market changed as a result. David recalls with fondness his interaction with Bob Metcalfe, the inventor of Ethernet and now a professor at UT/Austin.

David remembers writing about a skunk works project from IBM to use spreadsheets as a front-end to their mainframe databases, and noted how the sole programmer behind the project, Oleg Vishnepolsky, later said his career was changed by the articles. Paul recalls the “old IBM,” which once mistakenly put out a press release and then disavowed what it said.

We have lots of other memories, and hope you enjoy this episode.

Watch that keyboard!

We are using our mobile phones for more and more work-related tasks, and the bad guys know this and are getting sneakier about ways to compromise them. One way is a third-party keyboard that captures your keystrokes and sends your login info to a criminal, who then steals your accounts, your money, and your identity.

What are these third-party keyboards? You can get them for nearly everything – sending cute GIFs and emojis, AI-based text predictors, personalized suggestions, drawing and swiping instead of tapping and even to type in a variety of colored fonts. One of the most popular iOS apps from last year was Bitmoji, which allows you to create an avatar and adds an emoji-laden keyboard. Another popular Android app is Swiftkey. These apps have been downloaded by millions of users, and there are probably hundreds more that are available on the Play and iTunes stores.

Here is the thing. In order to install one of these keyboard apps, you have to grant it access to your phone. This seems like common sense, but sadly, this also grants the app access to pretty much everything you type, every piece of data on your phone, and every contact of yours too. Apple calls this full access, and they require these keyboards to ask explicitly for this permission after they are installed and before you use them for the first time. Many of us don’t read the fine print and just click yes and go about our merry way.

On Android phones, the permissions are a bit more granular, as you can see in this screenshot. This is actually just half of the overall permissions that are required.

An analysis of Bitmoji in particular can be found here, and it is illuminating.

Security analysts have known about this problem for quite some time. Back in July 2016, there was an accidental leak of data from millions of users of the ai.type third-party keyboard app. Analyst Lenny Zeltser looked at this leak and examined the privacy disclosures and configurations of several keyboard apps.

So what can you do? First, you probably shouldn’t use these apps, but try telling that to your average millennial or teen. You can try banning the keyboards across your enterprise, which is what this 2015 post from Synopsys recommends. But many enterprises today no longer control what phones their users purchase or how they are configured.

You could try to educate your users and have them pay more attention to what permissions these apps require. We could try to get keyboard app developers to be more forthcoming about their requirements, and have some sort of trust or seal of approval for those that actually play by the rules and aren’t developing malware, which is what Zeltser suggests. But good luck with either strategy.

We could place our trust in Apple and Google to develop more protective mobile OSs. This is somewhat happening: Apple’s iOS will automatically switch back to the regular keyboard when it senses that you are typing in your user name or password or credit card data.

In the end though, users need to understand the implications of their actions, and particularly the security consequences of installing these keyboard replacement apps. The more paranoid and careful ones among you might want to forgo these apps entirely.

Practical ways towards more secure logins

Lately, numerous websites have adopted better security practices, supporting a wider variety of multi-factor authentication, or MFA. I have been trying these out and for the most part they install relatively easily, although your mileage will vary. The idea is that you want something more than your username (often just your email address) and a password. No matter how complex your password, it can be circumvented by a determined hacker. And many of us (you know who you are) don’t use very complex passwords, or reuse them across various sites.

Let’s start first with the MFA tools that I want to use. First up is Google Authenticator. This is a smartphone app that generates a one-time PIN. You get to the dialog box on your website, enter the PIN, and you can complete your login. Google Authenticator is dirt simple to set up: you scan a QR code that is displayed on your screen and it then shows you an entry for your website. The PIN changes every minute, so it is a lot harder to spoof than a code that is sent to your phone via text messaging.

The other tool is the Yubikey, a USB device from Yubico that supports the FIDO standards. There is a small button on the device that you press, and that sends the appropriate code to your website at the appropriate time to complete your login. They are inexpensive and now support a wide variety of website logins. Again, setup is fairly straightforward, and I just leave my key in my desktop’s USB port so I don’t have to worry about losing it.

If you use both methods (and you should, why not), this will prevent someone else from logging in to your account, even if they know your password. Once you have completed a successful login on one device, you aren’t prompted again for the extra security.

Twitter announced this past week that they support the Yubikey, which adds to their existing support of Google Authenticator and other authenticator apps. Here are the instructions for setting it up. The interface for doing this can be found starting with this menu, under the Security heading. It isn’t all that verbose an interface, but you can choose which of the three methods (text, Yubico key, and mobile app) or all of them to use for the additional security.

Next up is my WordPress blog. If you host your blog on WordPress.org, they have long supported various MFA methods, including Google Authenticator, Authy, Duo and others. If you use WordFence Premium, you can also get the MFA protection. Speaking of WordFence, you really should use it (at least the basic version): it will tell you who is trying to break into your blog and last week I got several thousand attempts, which I think was a new record for me.

So I was more motivated to start having better protection for my login there. Since I use the basic WordFence, I looked around and found miniOrange, another plug-in that supports WordPress as well as Magento, Drupal and Joomla CMS. It works with Google Authenticator as well as its own QR code reader and soft token apps. I used the free version, but if you pay extra for a miniOrange account, you can support more than a single user as well as get additional MFA methods, including Yubikey. There are several other MFA plug-ins for WordPress, but I didn’t try them.

While I was doing these installations, my bitcoin wallet app notified me that they were requiring everyone to add MFA to their logins soon, otherwise I wouldn’t be able to transfer any funds in or out of my account. That is a smart decision, especially given the number of recent exploits in this market space. So I got Google Authenticator working on that as well.

Finally, a few weeks ago I was getting all sorts of notifications that someone was trying to login to my Facebook account, so I wanted to add both Google Authenticator and Yubikey to that login. I ran into problems: when I wanted to add the Authenticator app, Facebook turns on “Allow logins without a code for one week.” You can’t then turn this off without disabling the Authenticator app. I am not sure this is a good idea, but when I went back to check on it for this post I couldn’t find the setting. Your dialog box when done will look like this.

As you can see, this is still not completely ready for your mom’s logins. (At least, it isn’t ready unless you want to support her when she has problems.) But you should take the time and add these tools to protect your own logins.

CSOonline: Rethinking the process of doing risk assessments

The world has changed significantly in the past two years, and so have the rules around assessing cyber security risk. A combination of greater digital business penetration, a wider array of risks, and bigger consequences of cyber threats have made the world of risk management both more complex and more important than ever. Sadly, word hasn’t yet gotten out that risk management is an essential part of today’s business operations. According to this PwC study cited by Silicon Republic, 40 percent of Irish companies are failing to do any risk assessments whatsoever.

If you want to get on board, read my article in CSOonline. I interview several people who show how things have changed and how IT can do these kinds of assessments properly.

FIR B2B Podcast #99: Why Was Intel’s CEO Really Fired?

The firing of Intel CEO Brian Krzanich last week over a single sexual harassment claim shocked some people because the scope of the crime seemed out of proportion to the punishment. This article by Agility PR makes the case that one harassment claim can do more damage to your brand than a charge of financial fraud. The Register suggests that the reason for Krzanich’s dismissal goes deeper, and if that’s true, it wouldn’t reflect well on Intel. Companies need to navigate these waters with care, making sure they are prepared for a harassment charge, rather than hoping for the best.

What you ask Google influences the results you get. That’s probably not news, but it has interesting implications when you consider the trust people put in search engines to deliver the truth. Francesca Tripodi surveyed two Republican groups in Virginia — a women’s group and a college group — during their 2017 gubernatorial election. Just varying one word in the search box, such as using “NFL ratings up” vs. “NFL ratings down,” delivered two very different result sets. We discuss what marketers can learn from the exercise and how to craft better keyword collections and hashtags for your future campaigns.

You can listen to our podcast here.

A new way to do big data with entity resolution

I have this hope that most of you reading this post aren’t criminals, or terrorists. So this might be interesting to you, if you want to know how they think and carry out their business. Their number one technique is called channel separation, the ability to use multiple identities to prevent them from being caught.

Let’s say you want to rob a bank, or blow something up. You use one identity to rent the getaway car. Another to open an account at the bank. And other identities to hire your thugs or whatnot. You get the idea. But in the process of creating all these identities, you aren’t that clever: you leave some bread crumbs or clues that connect them together, as is shown in the diagram below.

This is the idea behind a startup that has just come out of stealth called Senzing. It is the brainchild of Jeff Jonas. The market category for these types of tools is called entity resolution. Jonas told me, “Anytime you can catch criminals is kind of fun. Their primary tradecraft holds true for anyone, from bank robbers up to organized crime groups. No one uses the same name, address, phone when they are on a known list.” But they leave traces that can be correlated together.

Jonas started working on this many years ago at IBM. He is trying to disrupt the entity resolution market and eventually spun out Senzing with his tool. The goal is that you have all this data and you want to link it together, eliminate or find duplicates, or near-duplicates. Take our criminal, who is going to rent a truck, buy fuel oil and fertilizer, and so forth. He does so using the sample identities shown at the bottom of the graphic. Senzing’s software can parse all this data and within a matter of a few minutes, figure out who Bob Smith really is. In effect, they merge all the different channels of information into a single, coherent whole, so you can make better decisions.
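To make the “bread crumbs” idea concrete, here is an added example, written for this post and not Senzing’s own algorithm, of the most basic form of entity resolution: normalize the identifiers in each record (phone number, e-mail address, street address), then join records that share any normalized value into one cluster with a union-find structure. The five records are constructed sample data in the spirit of the Bob Smith scenario above; real systems add fuzzy name matching and probabilistic scoring on top of this, but the linking step is the same.

```python
"""Toy entity resolution over multi-channel records.
Added example; records are constructed sample data, not real people."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample input: one person renting a car, opening an account and
# renting a truck under varied names; another buying fuel and fertilizer.
RECORDS = [
    {"id": 1, "source": "car_rental",    "name": "Robert Smith", "phone": "(314) 555-0101",
     "email": "bob.smith@example.com", "address": ""},
    {"id": 2, "source": "bank",          "name": "Bob Smith",    "phone": "",
     "email": "BOB.SMITH@example.com", "address": "12 Elm St, St. Louis MO"},
    {"id": 3, "source": "truck_rental",  "name": "R. Smyth",     "phone": "314-555-0101",
     "email": "", "address": "12 Elm Street, Saint Louis, MO"},
    {"id": 4, "source": "fuel_supplier", "name": "Jane Doe",     "phone": "314-555-0199",
     "email": "jane@example.org", "address": "9 Oak Ave"},
    {"id": 5, "source": "fertilizer",    "name": "J. Doe",       "phone": "3145550199",
     "email": "", "address": ""},
]


def norm_phone(value: str) -> str:
    """Keep digits only and use the last ten (drops country code and formatting)."""
    digits = re.sub(r"\D", "", value)
    return digits[-10:] if len(digits) >= 10 else ""


def norm_email(value: str) -> str:
    return value.strip().lower()


def norm_address(value: str) -> str:
    """Lowercase, strip punctuation, expand a few common abbreviations."""
    text = re.sub(r"[.,]", "", value.lower())
    replacements = {"street": "st", "avenue": "ave", "saint": "st"}
    return " ".join(replacements.get(tok, tok) for tok in text.split())


NORMALIZERS = {"phone": norm_phone, "email": norm_email, "address": norm_address}


class DisjointSet:
    """Union-find with path compression; each record id starts in its own set."""
    def __init__(self) -> None:
        self.parent: Dict[int, int] = {}

    def add(self, x: int) -> None:
        self.parent.setdefault(x, x)

    def find(self, x: int) -> int:
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a: int, b: int) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def shared_keys(records: List[dict]) -> Dict[Tuple[str, str], List[int]]:
    """Map each (field, normalized value) to the record ids carrying it; the
    entries with more than one id are the clues that tie channels together."""
    keyed: Dict[Tuple[str, str], List[int]] = defaultdict(list)
    for rec in records:
        for field, fn in NORMALIZERS.items():
            key = fn(rec.get(field, ""))
            if key:
                keyed[(field, key)].append(rec["id"])
    return {k: ids for k, ids in keyed.items() if len(ids) > 1}


def resolve(records: List[dict]) -> List[List[int]]:
    """Return clusters of record ids that resolve to the same entity."""
    ds = DisjointSet()
    for rec in records:
        ds.add(rec["id"])
    for ids in shared_keys(records).values():
        for other in ids[1:]:
            ds.union(ids[0], other)
    clusters: Dict[int, List[int]] = defaultdict(list)
    for rec in records:
        clusters[ds.find(rec["id"])].append(rec["id"])
    return sorted(sorted(ids) for ids in clusters.values())


if __name__ == "__main__":
    for key, ids in shared_keys(RECORDS).items():
        print(f"clue {key[0]}={key[1]!r} links records {ids}")
    print("resolved entities:", resolve(RECORDS))   # [[1, 2, 3], [4, 5]]
```

Note that records 2 and 3 share no phone or e-mail, only an address written two different ways; the normalization step is what turns “12 Elm St, St. Louis MO” and “12 Elm Street, Saint Louis, MO” into the same key, and that is exactly the kind of sloppy crumb the post describes.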

Entity resolution is big business. There are more than 50 firms that sell some kind of service based on this, but they offer more of a custom consulting tool that requires a great deal of care and feeding and specialized knowledge. Many companies end up with million-dollar engagements by the time they are done. Jonas is trying to change all that and make it much cheaper to do it. You can run his software on any Mac or Windows desktop, rather than have to put a lot of firepower behind the complex models that many of these consulting firms use.

Who could benefit from his product? Lots of companies. For example, a supply chain risk management vendor can use it to scrape data from the web and determine who is making trouble for a global brand. Or environmentalists looking to find frequent corporate polluters. A financial-services firm that is trying to find the relationship between employees and suspected insider threats or fraudulent activities. Or child labor lawyers trying to track down frequent miscreants. You get the idea. You know the data is out there in some form, but it isn’t readily or easily parsed. “We had one firm that was investigating Chinese firms that had poor reputations. They got our software and two days later were getting useful results, and a month later could create some actionable reports.” The ideal client? “Someone who has a firm that may be well respected, but no one actually calls” with an engagement, he told me.

Jonas started developing his tool when he was working at IBM several years ago. I interviewed him for ReadWrite and found him fascinating. An early version of his software played an important role in figuring out that the young card sharks behind the movie 21 were taking advantage of card counting in several Vegas casinos, and was able to match up their winnings all over town and get the team banned. Another example is from Colombian universities, which saved $80M after finding 250,000 fake students being enrolled.

IBM gets a revenue share from Senzing’s sales, which makes sense. The free downloads are limited in terms of how much data you can parse (10,000 records), and they also sell monthly subscriptions that start at up to $500 for the simplest cases. It will be interesting to see how widely his tool will be used: my guess is that there will be lots of interesting stories to come.

Fixing Facebook’s flaws

Facebook has been under fire for the past several months as Zuck does his World Apology Tour, both in DC and in Belgium giving testimony to the EU Parliament. That link takes you to a YouTube video from The Verge which shows him not answering very pointed questions from the body’s members. The EU format was very different from his US Congressional testimony in April: In Europe, the session was just an hour and a half, with much of that time taken up by Members’ speeches. In the States, he was there for a total of ten hours. Business Insider called the EU appearance “a wash out.” That difference between the two geographies was noted by lawmakers quoted in Vox. “We are here in terms of regulation,” said Claude Moraes of the British Labour Party, gesturing upward with one hand, “And the United States is here,” gesturing downward with the other.

Sadly, the social media giant has paid lip service to protecting users’ privacy. There is this story in the NY Times about how it cooperated with the major cellphone vendors to give them access to vast amounts of private user data.

And the company hasn’t done very well at policing its content for terrorist and hate speech. This recent post in the UK’s Independent talks about the effort the company is making to block hate speech in Germany. The reporter takes us inside a 1200-person cubicle farm where analysts try to screen content in real time.

But to get a more complete picture, you should read this report last month from the Counter Extremism Project called Spiders of the Caliphate. It lays out a chilling analysis of how poorly Facebook has done at policing pro-ISIS propaganda. It documents how their supporters operate on that network and even leverage its features. ISIS’ online networks are growing and are used to plan and direct various terror attacks as well as to mobilize foreign supporters to fight in various places around the world. ISIS’ Facebook presence is pervasive and well organized. According to the authors, ISIS “has developed a structured and deliberate strategy of using Facebook to radicalize, recruit, support, and terrorize individuals around the world.” They found from careful path analysis that ISIS’ “Facebook networks are strong, extensive, and growing.”

The authors selected a thousand Facebook accounts that they claim are ISIS supporters, using positive language and geolocation to specific areas, usernames with pro-ISIS meaning, accounts from people that claimed they worked at ISIS or are from place names that are under ISIS control. You would expect many of these accounts to originate from the Middle East, but there also were accounts from Nepal, South Korea and South America too: ISIS has truly gone global. There were even American accounts.

They examined each account’s timeline and pattern of liking and sharing posts and then recorded the number of their friends or followers and other data. They then visualized this data using the open source network path analysis tool Gephi. While I am not an expert here, it seems their methodology is sound.

They found many disturbing things. There were 28 accounts that were used exclusively to post pro-ISIS propaganda, with some posts that have remained online for more than a year and racked up thousands of views. Also, “a group of American ISIS supporters holds weekly meetings on Facebook Live to discuss topics ranging from ISIS ideology to how to avoid detection from the FBI.” ISIS supporters live in more than 80 different countries. Most supporters had publicly visible posts, too.

Facebook’s misleading efforts to counteract terrorism

Facebook says they have worked hard to try to stem this pro-ISIS tide, but the CEP report documents how they have misled the public and been largely ineffective. The report says that Facebook has been unable to do anything “in a manner that is comprehensive, consistent, and transparent.” Rather, it has enabled ISIS supporters to flourish and grow their social networks. Of the 1,000 accounts analyzed, fewer than half had been removed by Facebook by March 2018, and many accounts were reinstated multiple times after removal. “Perhaps most concerning is that Facebook’s suggested friends algorithm reveals how the company’s tools have aided in connecting extremist profiles and help expand ISIS networks.” The report goes further and says that Facebook executives have purposely misled policymakers and the public in terms of their cleansing of their network from pro-ISIS activities.

The post in New Europe was quite disparaging and called Zuck’s non-answers before the EU evasive and a disaster. It mentions his claim that Facebook “can flag 99 percent of the ISIS and al-Qaeda related content that we end up taking down before any person in our community flags that for us.” Clearly, that number (apart from being meaningless) is at odds with the CEP report.

One final personal note about Facebook’s inadequacies. Two months ago, I tried to download information from Facebook and other Internet sites that they have collected about my usage, and documented the experience in my blog here. It wasn’t an easy exercise, but it was sobering to see how many advertisers had my name in their sights, and in their sites as well. None of the Internet properties make this easy for you to do, but the effort is worthwhile and another eye-opener.

The New Europe post says, “It’s not like Facebook doesn’t have the resources to do better. Facebook’s market capitalization is more than the GDP of Belgium. Until Facebook finally tells the truth, it will be difficult for lawmakers and the public to hold it, and other tech companies, accountable for the level of disturbing and harmful content that proliferates online today.” Finally, I speak to this issue of corporate and leadership integrity on Shel Holtz’ For Immediate Release podcast this week. (Skip to 12:15 if you don’t want to listen to the entire hour.)