The Huawei telecom ban makes no sense

Color me confused about our 5G technology policy. Today I see this statement: “I want 5G, and even 6G, technology in the United States as soon as possible. It is far more powerful, faster, and smarter than the current standard. American companies must step up their efforts, or get left behind. I want the United States to win through competition, not by blocking out currently more advanced technologies.” That is from a recent set of tweets from our president. He is expected to sign an executive order banning Huawei equipment from domestic cellular carriers before next week. Not to be outdone, Congress is considering HR 4747 that would prevent government agencies from doing business with them.

Huawei seems to be the latest tech company to be targeted for bad behavior, and it has made a lot of enemies. Last week our Secretary of State met with several European leaders, telling them not to purchase any equipment from Huawei when building out their 5G cellular networks. He told them that this gear would make it more difficult for American equipment to operate there.

The fear is that the Chinese will embed spying devices in their gear, interfering with communications. Chinese hacking attempts have risen dramatically over the past year, according to this new report from CrowdStrike. While the report didn’t identify Huawei as the source, it did find several hacking attempts aimed specifically at telecom vendors and their government customers.

The US isn’t alone in its fear of Huawei spying. Poland, Italy and Germany are all considering banning its gear from their newer cell networks. Last year, both South Korea and Australia enacted such a ban, and the UK began removing the equipment too. Huawei supplies 4G equipment in Australia and the UK, and BT said last month that it will begin removing that gear. A recent news story in The Register stated that Huawei won’t be used to run any new British government networks, even though it will continue to be used in British landline infrastructure.

But is the Chinese government really using Huawei equipment to spy on us? Jason Perlow writes in ZDNet that the chances are low, mainly because, first, there is no concrete proof and, second, it wouldn’t be in their best economic interests. Also, given that you can find Chinese semiconductors in just about everything these days, it would be nearly impossible to effectively ban them.

But there is another confounding reason that no one has mentioned, and it has to do with the law called CALEA. It spells out requirements for telecom suppliers and how they must provide access from their gear for government wiretaps and other law enforcement activities. So technically, not only is Huawei doing this, but all the other telecom vendors have to do so too. If you are with me so far, you see that Huawei is obligated to have this “backdoor” if it wants to do business in the USA, yet we are criticizing them for having this very same backdoor! How this will play out in these bans is hard to predict.

A Huawei ban makes no sense. But it won’t stop government agencies from piling on at this stage.

FIR B2B episode #115: Social Media Adoption Over the Years – the Latest from the Annual UMass Survey

Today Paul Gillin and I talk to Nora Ganim Barnes, Chancellor Professor of Marketing and Director of the Center for Marketing Research at the University of Massachusetts Dartmouth, about her latest survey of corporate social media usage. Barnes has been surveying two distinct populations for the past 12 years – the INC 500 and the Fortune 500 – to ascertain what social media platforms they use, how they use them and how they measure results. Her students visit the websites of all 1,000 companies measured and augment the research with telephone interviews.

For the first time in nine years, more F500 are using blogs than the INC 500, and the increase has been substantial in just the past three years (see chart below), jumping from 21% in 2015 to 53% in the most recent survey. Clearly, the largest companies have reclaimed blogging and are using their blogs to tell stories and better craft their marketing messages.

Barnes found that Twitter occupies an odd place in the social media pantheon: it is well used (with 369 out of 500 companies running active accounts), but not considered very effective. Still, companies don’t abandon Twitter, perhaps out of fear of missing out or the possibility that they might need it at some point.

What has also changed is that 56% of INC 500 execs are now doing a better job of listening on social media, tracking online conversations about their brands and products with various monitoring tools. That is a big increase from last year, when it was about half that number.

This year Barnes’ research found a big concern about privacy, which is probably not surprising given the numerous breaches and missteps by Facebook and others in this area. Privacy was executives’ second biggest concern behind social ROI.

Finally, her survey saw double the number of firms who have formulated a social media plan compared with last year. Although the overall percentage is still less than a quarter of the total, that’s progress.

You can download the UMass surveys at the link above, both the current ones and those from years past. They are a rich resource that all corporate marketing departments should carefully examine.

You can listen to our 21 min. podcast here:

CSOonline: How online polls are hacked and what you should do about it

The news in January about Michael Cohen’s indictments covers some interesting ground for IT managers and gives security teams something else to worry about: he allegedly paid a big data firm, Redfinch Solutions, to rig two online polls in then-candidate Donald Trump’s favor. To those of us who have worked with online polls and surveys, this comes as no surprise.

Researchers at RiskIQ found another survey-based scam that involves a complex series of steps using cloned YouTube identities to eventually get marks to take surveys to redeem their “free” iPhones. Instead, the respondents get malware installed on their computers or phones. Security managers need to up their game and understand both the financial and reputational risks of rigged polls and the exploits that are delivered through them. Then they can improve their protective tools to keep hackers away from their networks and users. In this story for CSOonline, I talk about some of these issues and explain why businesses should use online polls and how to keep their networks safe from rigged ones.

Privacy, transparency, and increasing digital trust

“There is a crisis of trust in American democracy.” So begins a new report from the Knight Commission on Trust, Media and Democracy organized by the Aspen Institute. It lays blame on our political discourse, racial tensions, and technology that gives us all more access to more commentary and news. “In 2018, unwelcome facts are labeled as fake.”

Part of the problem with trust has to do with the ease with which cyber-criminals ply their trade. Once relegated to a dark corner of the Internet, many criminals now operate in public view, selling various pieces of technology such as ready-made phishing kits to seed infections, carders to collect credit card numbers, botnets and web stressers to deliver DDoS attacks, and other malware construction kits that require little to no technical expertise beyond clicking a few buttons on a web form. A new report from Check Point shows that anyone who is willing to pay can easily obtain all of these tools. We truly have witnessed the growth of the “Malware-as-a-service” industry.

This week I was in London participating in a forum for the Euro press put on by RSA. I got a chance to interview numerous experts who have spent their careers examining cybercrime and understanding how to combat fraud. It was a somewhat sobering picture, to be sure. At the forum, RSA’s president Rohit Ghai spoke about how the largest facet of risk today is digital risk, and how businesses need to better integrate risk management and cyber security methods. “This is a team sport, and security, IT, operations and risk groups all need to work together,” he said. “Our goal is not just about protecting apps or data, but about protecting our trust assets. We trust strangers to share our homes and cars because tech brings us together and drives the sharing economy.” We need to replace this trust system in the B2B world as Airbnb and Lyft have done for consumer-based businesses.

Ghai agrees with the conclusions of the Knight report that trust is at an all-time low. We have gotten so distrustful of our digital lives that we now have a new acronym, LDL, for let’s discuss live. But we can’t turn back the clock to the analog era: we need trust to fuel our future economic growth. He mentioned that to be trustworthy, “an ethical company should be doing the right thing, even if no one is looking at them at the time.” I liked that idea: too often we hear about corporations that are polluting our environment, denying any responsibility or, worse, covering up the details when they get caught.

Part of the challenge is that cybersecurity is really a business problem, not a failure of technology. This is because “breaches and intrusions will occur,” says Ghai. “We have to move beyond the shame of admitting a data intrusion, and understanding its business impact. Our goal should be maintaining cyber wellness, not trying to totally eradicate threats.” Taking better care of customers’ privacy is also good for business, as numerous reports (such as this one from RSA) have concluded recently. Almost half of the consumers surveyed believe there are ethical ways companies can use their data.

Another issue is that what we say and what we actually do about maintaining our digital privacy are often at odds with each other. In a 2017 MIT privacy experiment, researchers found that student participants would quite readily give up personal data for very small incentives, such as a free pizza. This dichotomy is even seen among IT security pros. A recent survey by Yubico found that more than half of the IT managers who have been phished have still not changed their password behavior. If they don’t change to improve their own security, who will?

The same dichotomy can be said about transparency: sadly, there are few companies who are actually as transparent as they claim, either through willfully misleading the public (Facebook is tops in this regard) or by just doing a poor job of keeping their IT assets under appropriate controls (the City of Atlanta or Equifax are two prime case studies here).

Where do we go from here? Security expert Bruce Schneier says that trust is fragile, and transparency is essential to trust. The Knight report carries a series of recommendations for journalists, technology vendor managers, and ordinary citizens, and I hope we can implement many or all of them to make for a better mutual and trusted future. They include being better at practicing radical transparency, for journalists to disclose information sources as a rule, and making social networks step up and take responsibility for protecting their users. All of us need to work together if we want to turn this around and increase trust.

FIR B2B Podcast #114: Does moral marketing mean wading into politics?

Writing on Brandwatch, CMO Will McInnes says there are three gaps CMOs need to bridge: metrics, moral marketing, and innovation gaps. Understanding each one is essential to being a better marketer. We examine the second one more closely, where the author cites an Edelman study that found that two-thirds of consumers will choose, switch, avoid or boycott a brand based upon its stand on societal issues. Given the amount of polarization in American society right now, marketers should think twice about wading into political debates.

Another survey, by the Annenberg PR Center at USC, found that 44% of CEOs said their most important communication goal for 2019 is to sell their products and services, while 39% say their primary goal is to differentiate their company’s brand from the competition. Paul and I disagree on whether this is a positive trend or not; CEOs have the power to significantly influence public opinion, but is it fair to their shareholders to exercise that power?

Finally, we look at a joint study by researchers at Boston University and the University of Georgia that found that only one in ten people can distinguish sponsored content from editorial content. People who mistook the advertisements for legitimate news articles were generally older, less educated and more likely to consume news media for entertainment purposes. We agree that any short-term boost a brand might get by deceiving an audience is negated by the reputation damage of being outed for that deed. However, Paul points out that one factor in the confusion is that branded content is getting better, and marketers should take credit for that fact.

You can listen to our 14 min. podcast episode here:

Dealing with CEO Phishing Fraud

When we get emails from our CEO or other corporate officers, many of us don’t closely scrutinize their contents. Phishers count on this for their exploits. The messages often arrive around quitting time, which adds a sense of urgency so that we act before thinking through the consequences.

Here is an example of a series of emails between “the boss” (in reality, the phisher) and his subordinate that happened in November 2017. You can see the growing sense of urgency to make a funds transfer happen, which is the phisher’s stock in trade. According to FBI statistics, this type of fraud is now a $12 billion scam. And yes, the money was actually sent to this attacker.

KnowBe4, which sells phishing training services, categorizes the scam into two separate actions:

  1. First is the phishing attempt itself. It is usually called spear phishing, meaning that the attacker has studied the corporate organization chart and targeted specific individuals. The attacker has also examined who has fiduciary responsibility to perform the actual funds transfer, because at the heart of this scam it is all about the money that they can steal from your business.
  2. Next is all about social engineering. The attacker has to appear convincing and act like the boss. Often, the targeted employee is tricked into divulging confidential information, such as bank accounts or passwords. Many times they use social media sources to amplify their message and make it seem more legit.

The blog post mentions several different situations that are common with this type of fraud:

  1. Business working with a foreign supplier.
  2. Business receiving or initiating a wire transfer request.
  3. Business contacts receiving fraudulent correspondence.
  4. Executive and attorney impersonations.
  5. Confidential data theft.

A new blog post by Richard DeVere here provides some good suggestions on how to be more vigilant and skeptical with these emails.

  • Examine the tone and phrasing of the email. One time a very brusque CEO — who was known for this style — supposedly sent a very polite email. The recipient flagged it as a potential phish because of this difference.
  • Have shared authority on money transfers. Two heads are better than one.
  • As Reagan has said, trust but verify. Ask your boss (perhaps by calling directly) if this email really originated from him or her before acting on it. Phone calls and texts can be spoofed from your boss’ number. As the illustration above shows, this is quite common. Take a moment to process what is being asked of you.
  • Report the scammer to the right authorities inside and outside your company.

The bottom line: be wary and take a breath when you get one of these emails.
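The signals the post lists (an executive’s name on an outside mailbox, a Reply-To that points somewhere else, urgency, a money request, end-of-day timing) can be turned into a simple triage score for inbound mail. This is an added example, not code from the post or from KnowBe4; the corporate domain, the executive names and both sample messages are constructed.

```python
"""Heuristic BEC screen for inbound mail (added illustration, not from the article)."""
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Hypothetical directory: the corporate mail domain and the display names of
# executives whose identity a BEC attacker would most likely borrow.
CORP_DOMAIN = "example.com"
EXECUTIVES = {"pat morgan", "chris lee"}

URGENCY = re.compile(r"\b(urgent|asap|immediately|right away|before (?:you|i) leave|today)\b", re.I)
MONEY = re.compile(r"\b(wire|transfer|payment|invoice|bank account|routing number)\b", re.I)

# Constructed sample messages: one in the style of the exchange the post describes, one benign.
SAMPLE_BEC = """From: Pat Morgan <pat.morgan@example-mail.net>
Reply-To: Pat Morgan <ceo.pm.private@webmail.invalid>
To: accounts@example.com
Date: Thu, 16 Nov 2017 16:52:00 -0500
Subject: Urgent wire before you leave

Need a wire transfer of $48,500 to a new supplier today. I'm in meetings, just get it done.
"""
SAMPLE_OK = """From: Pat Morgan <pat.morgan@example.com>
To: accounts@example.com
Date: Thu, 16 Nov 2017 09:15:00 -0500
Subject: Q4 planning deck

Attached are the slides for Monday. Thanks.
"""

def _domain(addr):
    """Mail domain of an address, lower-cased; empty string if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def _body_text(msg):
    """Plain-text body of a parsed message (text/plain parts only)."""
    if msg.is_multipart():
        return "\n".join(p.get_payload() for p in msg.walk()
                         if p.get_content_type() == "text/plain")
    return msg.get_payload()

def score_message(raw):
    """Score a raw RFC 822 message; returns (score, list of reasons)."""
    msg = message_from_string(raw)
    score, reasons = 0, []
    name, addr = parseaddr(msg.get("From", ""))
    if name.strip().lower() in EXECUTIVES and _domain(addr) != CORP_DOMAIN:
        score += 3
        reasons.append("executive display name on an external sender domain")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) != _domain(addr):
        score += 2
        reasons.append("Reply-To domain differs from From")
    text = msg.get("Subject", "") + "\n" + _body_text(msg)
    if URGENCY.search(text):
        score += 1
        reasons.append("urgency language")
    if MONEY.search(text):
        score += 2
        reasons.append("funds-transfer request")
    try:
        # Hour in the sender's own timezone, exactly as written in the Date header.
        if parsedate_to_datetime(msg["Date"]).hour >= 16:
            score += 1
            reasons.append("sent near the end of the working day")
    except (TypeError, ValueError):
        pass  # missing or malformed Date header: no timing signal
    return score, reasons

def is_suspicious(raw, threshold=4):
    """True when the combined score is high enough to warrant a phone call to the boss."""
    return score_message(raw)[0] >= threshold

if __name__ == "__main__":
    for label, raw in (("BEC", SAMPLE_BEC), ("benign", SAMPLE_OK)):
        total, why = score_message(raw)
        print(f"{label}: score={total} suspicious={is_suspicious(raw)} {why}")
```

The threshold is deliberately low: the point is to hold the message for an out-of-band check, not to block mail automatically.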

FIR B2B podcast #113: How One Former Journalist Crossed the Chasm to Content Marketing

Denise Dubie was a technology journalist for more than a decade before switching to corporate content marketing, and her reportorial instincts have served her well. Denise, who recently took a new job as Director of Content at PureB2B in the Boston area, was previously senior principal of content strategy at CA Technologies and before that a senior editor at Network World. It’s rare to find someone who has had such deep experience on both sides of the business.

We discuss how she made the transition from tech journalism to marketing and the value of her journalism background in her new corporate role. Denise comments on how her work style changed between the two types of jobs and where the greatest adjustments were necessary. We also talk about success metrics she used at CA and the surprisingly little value she found for social media as a promotional channel. 

Denise also provides some practical tips on what listeners can do to improve their content marketing programs. It starts with having a thorough understanding of customers, a topic we harp on frequently in this podcast. 

CSOonline: Building your forensic analysis toolset

A solid toolset is at the core of any successful digital forensics program, as I wrote in an earlier article for CSOonline. Although every toolset is different depending on an organization’s needs, some categories should be in all forensics toolkits. In this roundup for CSOonline, I describe some of the more popular tools, many of which are free to download. I have partitioned them into five categories: overall analysis suites (such as the SANS workstation shown here), disk imagers, live CDs, network analysis tools, e-discovery and specialized tools for email and mobile analysis.

The dangers of DreamHost and Go Daddy hosting

If you host your website on GoDaddy, DreamHost, Bluehost, HostGator, OVH or iPage, this blog post is for you. Chances are your site could be vulnerable to a potential bug or has been purposely infected with something that you probably didn’t know about. Given that millions of websites are involved, this is a moderately big deal.

It used to be that finding a hosting provider was a matter of price and reliability. Now you have to check to see if the vendor actually knows what they are doing. In the past couple of days, I have seen stories such as this one about GoDaddy’s web hosting:

And then there is this post, which talks about the other hosting vendors:

Let’s take them one at a time. The GoDaddy issue has to do with their Real User Metrics module. This is used to track traffic to your site. In theory it is a good idea: who doesn’t like more metrics? However, the researcher Igor Kromin, who wrote the post, found the JavaScript module that is used by GoDaddy is so poorly written that it slowed down his site’s performance measurably. Before he published his findings, all GoDaddy hosting customers had these metrics enabled by default. Now they have turned it off by default and are looking at future improvements. Score one for progress.

Why is this a big deal? Supply-chain attacks happen all the time by inserting small snippets of JavaScript code on your pages. It is hard enough to find their origins as it is, without having your hosting provider add any additional burdens as part of their services. I wrote about this issue here.

If you use GoDaddy hosting, you should go to your cPanel hosting portal, click on the small three dots at the top of the page (as shown above), click “help us” and ensure you have opted out.
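Opting out is one thing; knowing what scripts your pages actually serve is another. The following is an added example, not code from the post, from GoDaddy or from the researchers it cites: it inventories every script on a page and flags any external host that is not on your own allowlist, which is how an injected metrics or tracking snippet shows up. The sample page, the metrics host and the allowlist are all constructed.

```python
"""Audit the <script> tags on a page against a first-party allowlist (added illustration)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed page: the site's own code plus a third-party metrics script of the kind a
# hosting provider might inject. The host name is a placeholder, not a real vendor domain.
SAMPLE_HTML = """<!doctype html>
<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.example.com/lib/vendor.js"></script>
<script src="//metrics.hosting-provider.invalid/rum.min.js" async></script>
<script>window._rum = window._rum || []; _rum.push(["init", "site-1234"]);</script>
</head><body><p>Hello</p></body></html>
"""
# Assumed allowlist: the only external host the site owner knowingly loads scripts from.
ALLOWED_HOSTS = {"cdn.example.com"}

class ScriptCollector(HTMLParser):
    """Collects external script sources and inline script bodies from a page."""
    def __init__(self):
        super().__init__()
        self.external = []       # values of <script src="...">
        self.inline = []         # bodies of <script> ... </script>
        self._in_inline = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self.inline.append("")

    def handle_data(self, data):
        if self._in_inline:
            self.inline[-1] += data   # a script body may arrive in several chunks

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_inline = False

def audit_scripts(html, allowed_hosts):
    """Return the script hosts not on the allowlist and every inline script body.
    Relative and root-relative srcs have no host and are treated as first-party."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    unexpected = []
    for src in parser.external:
        host = (urlparse(src.strip()).hostname or "").lower()
        if host and host not in allowed_hosts and host not in unexpected:
            unexpected.append(host)
    return {"unexpected_hosts": unexpected,
            "inline_scripts": [body.strip() for body in parser.inline]}

if __name__ == "__main__":
    report = audit_scripts(SAMPLE_HTML, ALLOWED_HOSTS)
    for host in report["unexpected_hosts"]:
        print("script from unexpected host:", host)
    for body in report["inline_scripts"]:
        print("inline script:", body[:60])
```

Run it against your own page source periodically; inline bodies are worth a look too, since a loader stub is often the only visible trace of an injected script.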

Okay, moving on to the second article, about other hosting provider scripting vulnerabilities. Paulos Yibelo looked at several providers and found multiple issues that differed among them. The issues involved cross-site scripting, cross-site request forgery, man-in-the-middle problems, potential account takeovers and bypass attack vulnerabilities. The list is depressingly long, and Yibelo’s descriptions show each provider’s problems. “All of them are easily hacked,” he wrote. But what was more instructive was the responses he got from each hosting vendor. He also mentions that Bluehost terminated his account, presumably because they saw he was up to no good. “Good job, but a little too late,” he wrote.

Most of the providers were very responsive when reporters contacted them and said these issues have now been fixed. OVH hasn’t yet responded.

So the moral of the story? Don’t assume your provider knows everything, or even anything, about hosting your site, and be on the lookout for similar research. Find a smaller provider that can give you better customer service (I have been using EMWD.com for years and can’t recommend them enough). If you don’t know what some of these scripting attacks are or how they work, go on over to OWASP.org and educate yourself about their basics.

Social media and charitable giving: my own philosophy

It seems as if my email and social media feeds have been filled with fundraising requests ever since Thanksgiving. As these requests pile up, I have been thinking about my own charitable giving policies and how they have evolved over the years.

The spread of social media has provided a ready-made pathway for asking our “friends” for money — and for them to return the favor. Back in the day when MySpace was the main social network, fundraising was conducted by individual emails or even letters in the mail. Now, thanks to Facebook (and other sites such as Causes and GoFundMe) it is very easy to set up your own personal campaign, and you too can be asking your friends for money. In one way, that is progress: we should encourage more philanthropy and provide help to others when we can.

But the proliferation of sites has raised problems for us all: To which cause do we contribute? How can we be sure that a personal appeal in a GoFundMe campaign is legitimate? What do we really know about the causes we are being asked to support?

I confess that this tsunami of appeals causes me internal conflict. I want to be a good person, but my resources of money and time to sort out many requests are both limited.

I asked two of my friends how they sort out these person-to-person (p2p) requests they receive:

  • Sarah, a non-profit CEO, told me “If the request doesn’t really speak to me, or I feel like it isn’t really an urgent need, I pass it over. If I see it as making a difference, I usually try to support it in some way. I typically make my decisions based on how well I know the person, or the specific need for the campaign. If it directly helps someone who has experienced a crisis or has a critical need, I am more inclined to give and at a more significant level.”
  • Kitty, a development director, contributed to her high school friend’s medical bills as he was dying of cancer. “I did this so his wife, whom I’ve never met, wouldn’t be burdened with these bills after he was gone.” She told me that she was generous with her donation because of the personal connection, even though the connection was established long ago.

For myself, I draw on my upbringing. When I was a teen, I learned about the Talmudic sage Maimonides and his concept about having eight different levels of charity. The highest levels have to do with what I will call double-blind giving: you don’t know the beneficiary, and they don’t know you are the specific donor. The modern style of p2p giving would be very far down Maimonides’ list.

For many years, my own charitable giving has tried to adhere to the Maimonides model. Almost 20 years ago, I decided to get involved in raising funds for curing various diseases: Juvenile Diabetes, AIDS, cancer, and Multiple Sclerosis. I knew friends and family members who suffered from them and that connection caused me to want to help. I ended up doing an annual bike or walkathon and using my contacts – namely those of you who are reading these missives – to raise money. And thanks to you, for many years I have often been very successful in providing meaningful support for these causes.

Then in 2002, I broke my shoulder training for a ride a month before an event. When I called the organizers, they told me to come to Death Valley (where the event was taking place) anyway: they wanted me to participate, even though I wasn’t going to be able to ride. I was glad I did, because my now wife Shirley (shown here at the JDRF finish line) was also a volunteer for the event, and that is where we met.

I was deeply moved that when I told the people who had made pledges to support the ride that I was not able to participate, virtually everyone said that their support was for the cause, not my individual participation, and they wanted to make the contribution in spite of my injury. That is truly the spirit of philanthropy that inspires me and that inspires you as well.

I asked several of my readers for their reactions to an early draft of this column. “An explanation of why and what you are riding helps me in my decision to give you funds,” said one. “I grew up in a time when asking for a donation was an in-person activity,” said another. “Nowadays, we have no sense of community. Instead, these p2p donations have become nothing more than feel-good tax deduction trading.” Another supporter said she gives to my causes because I am doing something (the ride or the walk) in addition to “the ask.” And one reader said he is suffering from “donation fatigue,” even though he tries to give up to 10% of his income every month to various causes. Another wonders when this public begging became so acceptable; she thinks we are taking a step backwards.

So, with that background, I will continue asking from time to time where I believe in the cause. I will happily consider requests where a broad-based benefit is the object of the giving. Together, each of us choosing our own causes, we can make a real difference.

You are welcome to share your own charitable giving philosophies with me or my readers.