Security Intelligence blog: Understanding the Relationship Between AI and Cybersecurity

The first thing many of us think about when it comes to the future relationship between artificial intelligence (AI) and cybersecurity is Skynet from the “Terminator” movie franchise. But I spoke with Dudu Mimram,  the CTO at Telekom Innovation Laboratories when I was in Israel earlier this month, and he has a somewhat rosier view. He suggested that AI must be understood across a broader landscape, regarding how it will influence cybersecurity and how IT can use AI to plan for future security technology purchases.You can read my blog post in IBM’s Security Intelligence here.

StateTech: Best practices for single sign-on technologies for state IT departments

The days when users are required to remember numerous complex passwords may be coming to an end, as single sign-on (SSO) technologies are finally taking hold in state and local agencies. SSO tools provide a number of valuable security benefits. Among them are to better bridge the gap between cloud and on-premises servers, applications and services and they help agencies prevent the proliferation of bad passwords. You can read more details in this first piece for StateTech magazine.

Several factors have brought this about: better technology, a wider selection of identity management tools, lower-cost SSO alternatives and a heightened awareness of massive password breaches. State and local agencies should keep several important factors in mind as they consider SSO solutions, as I wrote about in a second article for StateTech magazine recently.

My most recent comparative review for Network World on SSO tools was done in 2015 and gave Centrify (shown here) and Okta the highest marks.

GregoryFCA blog: Stop sucking your thumb and start getting your people in the media 

Ever wonder why some cyber security firms are constantly in the news? Do they offer a better solution? Know more than their competition? Do the heavy-lifting research that differentiates and substantiates their spokespeople in the minds of the media? Could be.

Or it could be that your spokespeople simply aren’t savvy enough to win media interest. In cyber security, expertise means a lot. But so does the ability to deliver powerful and memorable sound bites on breaking or trending news while empathizing with the interviewer to give the media what it wants (without a sales pitch!).

The process begins with carefully selecting your spokesperson and then educating and grooming them to deliver a message that simultaneously entices coverage while still reflecting favorably on the reputation and expertise of your company.

Start with the audience. Are you shooting for general business media or the technical, vertical media? If you’re looking for coverage in the New York Times or on CNN, then you want a spokesperson who can speak at a 30,000-foot level about how an attack or topic impacts a business, family, or person.

The trades? Well, they want someone who can get into the weeds and explain the precise technical shortcomings or trap doors that a hacker or fraudster is exploiting.

Who in your organization could speak to one or both sides of the coin? Make the call and then train them to understand: 

1. Media coverage is not about sales or lead gen. Rather, it’s about leveraging third-party credibility to establish thought leadership. Great spokespeople know how to quickly size up the direction of an interview and give the reporter new insights or understandings, information they can’t get elsewhere to propel their stories forward and get them filed and into print.

2. Reporters and producers want interviewees who understand the media rules of engagement. A great interview is a bit like jujitsu. A reporter comes at you from a position or angle. You need to be ready to take the barrage or use the momentum to deflect and disarm. It’s a learned skill, and one that will never be mastered without preparation and training.

3. Media interviews don’t waste time, they leverage it. Thought leaders lead by sharing and engaging with a community. There’s no more powerful way to share and engage than in leveraging the reach and credibility of the media. Building a media presence doesn’t take away from a thought leader’s job. Rather it advances it, along with the goals and objectives of their employer.

4. Charisma counts and it can be learned. Not by our spokespeople, you say? They are too nerdy, too techie. Ironically, there’s nothing wrong with getting your tech on if you’re speaking to the right audience and understand some of the rules of engagement espoused here. A 23-year old nerdy ex-hacker often conveys more authenticity than some slick, paid corporate spokesperson. The key is to harness that nerd-dom and put it work educating and engaging with the media in a real and compelling manner.

5. Sound bites matter. It’s not spin. It’s not hyperbole. The media love short, pitchy sound bites that they can use to convey meaning in a few words instead of paragraphs. “It’s ridiculous that 140 million Americans had their data stolen because a single person failed to install a patch.” You get the point. Develop those sound bites for your spokespeople before each interview and you will dramatically increase the impact of your media coverage.

Some people are naturals at speaking to the media. Most aren’t. But it is a skill your spokespeople can learn and practice before they ever talk to a reporter. The PRCoach website has a bunch of clips illustrating common interview mistakes, and has other helpful resources too. And this document lists the mistakes spokespersons make with consumer media, such as not staying on topic or losing control over the interview, or taking too long to make your point and not speaking in sound bites.

Use these five points as the backbone of their training as you shape them into go-to media sources. And maybe you can develop your own version of such security rockstars as Troy Hunt, Tavis Ormandy (who is from Google), Cris Neckar of Divergent Security and Chris Vickery that are often breaking news and being quoted by the security trade press.

Adrian Lamo, RIP

I first met Adrian Lamo back in 2002. I was teaching a high school networking class and I thought it would be cool to have the kids experience a “real” hacker, since so many of them aspired to learn how to get into the computerized grading system that the school ran. It wasn’t a very exciting teachable moment, as I recall. But Lamo made a big impact on me, as he couch-surfed in my New York suburban apartment.

Sadly, I learned that last week he died at age 37 in Wichita, KS. The cause of death hasn’t yet been determined, and he had been living in the area for the past year, according to reports. Lamo moves around alot, thanks to a rather interesting personality that could best be described as on the autism spectrum.  When I met him, he had the symptoms of obsessive-compulsive disorder and was later diagnosed with Aspberger’s. One of his quirks was that it would take him a while to leave my apartment every morning: he had a sequence of steps to follow in a very specific order before he could walk out the door.

Lamo was a study in contradictions: both very bright and very socially awkward, a Sheldon Cooper before his time. He had a high sense of morality. At the time Lamo stayed with me, he had been arrested for breaking into several different computer systems, including that of the freelancer database of the New York Times. His method was to find an open Web proxy server and use that to gain entry inside a corporate network. (It is still a common entry point method, although many companies have finally figured out how to protect themselves.) He never profited financially from these attacks, instead he would often leave hints on how a company could close these proxies and improve their security. He was sentenced to house arrest for the Times attack.

At the time we met, he was called the “homeless hacker” – not because he was living on the streets, but because he was young and had no fixed address, and would go from couch to couch as the mood took him. I offered him a place to stay and a chance to get to know him better, thinking how cool could that be? Little did I know.

When I told my then-teenage daughter about his impending visit, she was rather incredulous (you have someone wanted by the police staying with us) but ultimately she was won over by his geek cred – she had a problem with her cell phone that she recalls him fixing in a matter of seconds.

Well, Lamo went on get a degree in journalism, ironically enough. He was very connected to the tech trade press, and Brian Krebs recalls his various interactions with him in this post.

Lamo is remembered in various tributes in the past few days with his role in the Wikileaks/Cablegate case of 2010, when he divulged the name of Private Manning to the feds as the leaker. Both then and now, his decision was vilified in the hacking community, with numerous online threats.

I had a chance to speak to Lamo back in 2011 and recorded the interview for ReadWrite, where I was working at the time. It covers a lot of ground:

He has some very wise comments about the importance of government secrecy, and the freedoms that it enables for us all. Lamo saw the Manning case from the other side, as a case that would be eventually remembered supporting our freedoms. It was a real issue for him, because as a hacker he could certainly understand what Manning was trying to do, but as someone who also understood the role of our military he couldn’t in good conscience allow her to leak all that data. When Manning contacted Lamo he had a crisis of conscience and made his decision. He struggled over harming Manning, whom he considered a friend, or harming countless others who would be placed at risk because of Manning’s leaks. He wishes Manning had come to him before making the documents public.

This is certainly an interesting position for a hacker to take, to be sure. He was vilified in the hacker community because of it, but I think he made the right decision. “Who would have thought that when we first met ten years ago that I would have been involved in the single biggest intelligence leak in history,” he told me. How true.

He continued to work as a security consultant, helping corporations understand better security practices as well as going out on the speaking circuit. Ironically, his preferred method of communications more recently was FedEx! “I’m a little bit of a Luddite these days,” he said.

Lamo left this planet far too soon. He was a very smart guy and had a very solid moral compass, and those two traits guided his actions all his short life. I am sad that he is no longer with us, and hope that his life can be noted and celebrated for his accomplishments, verve and significance.

FIR B2B podcast #92: TechTarget CMO John Steinert on the science of ‘intent marketing’

John Steinert joined TechTarget as CMO two years ago after a decades-long career in B2B technology at companies that included Pitney Bowes and SAP. So why join a tech publisher? Steinert actually doesn’t see TechTarget as a publisher, and in this recent piece he explained why he was so excited about the opportunity: product, purpose, people and potential. In this interview we discuss the differences between publishing and content marketing, how intent marketing can help provide insights into impending technology purchase decisions and how marketers can make their content more effective and targeted. 

TechTarget’s not-so-secret weapon is its lead generation and tracking mechanisms, which permit the company to see exactly what kinds of content is crucial for their visitors. Steinert describes what data is collected — with visitors’ permissions of course — and how it can be used by their advertisers and sponsors. He also distinguishes between visitors who are just looking to snack on information versus binge consumers, who are likely closer to purchase.

This all makes a difference in what kind of content is created and how keywords are chosen to bring in the right visitors. “You have to have strong SEO, people have to find your stuff and it has to be cross-linked and judged popular and valuable,” he says 

TechTarget’s distinction has always been its portfolio of microsites focused on technologies products or categories — such as But you’d be hard-pressed to find the names of those sites on the company’s home page today. That’s deliberate. Far from being a publisher, TechTarget is today a data company.

Incidentally, both Paul and myself have had a long connection with TechTarget: Paul was the company’s sixth employee and I have been a regular freelancer for numerous websites of theirs.

There is a lot of wisdom in what Steinert says, and he is worth a careful listen to our 25 min. podcast here.

Using your cellphone when overseas (2018 edition)

I just returned from a trip to Israel, and as the old joke goes, my arms are so tired. Actually, my fingers, because I have been spending the better part of two days on the phone with support techs from both AT&T and Apple to try to get my phone back to the state where it works on the AT&T network.

My SOP for travel is to use a foreign SIM card in my phone. This has several benefits. First, you don’t pay roaming charges for local in-country calls, although if you are calling back to the States, you might have to pay international long distance charges, depending on your plan. Second, if people in-country are trying to reach you, they don’t pay for any international calls either, since they are calling a local number. (Some of the networks overseas have the more enlightened method of calling party pays, but we won’t go there for now.) You also don’t use any minutes or data GB on your American cell account, which is nice if those are limited.

For the past several years, I had been using two different travel SIMs. First is one from FreedomPop, which was a very inexpensive card with monthly fees around $15 for a decent plan. I had some billing issues initially but these were resolved. It doesn’t work in Israel, so I ended up buying another SIM at the airport kiosk in Tel Aviv. My last trip in October had some major hiccups with that card, and so I decided to try a new supplier, Call Israel. They offered a plan for $50 that seemed reasonable. AT&T charges $60 a month with lower data usage for Israel. If you go elsewhere the fees could be less.

Call Israel mailed me a SIM a week before my trip, and right away I saw an issue: I was just renting my SIM card. At the end of my trip, I had to mail it back. Strike 1.

But strike 2 was a big one. I made the mistake of taking my Israel SIM out of my phone when I changed planes in Europe on the return trip, and put in my AT&T SIM card. That confused my phone and got me in trouble. When I landed in the States I spent an hour on the phone with a very nice AT&T person who verified that my phone was working properly on their network. Except it wasn’t: I could get voice service, but not broadband data service. Some parameter that the Call Israel SIM had needed was still set and messing up my phone, and there was no way that I could access that information to remove it.

I ended up speaking to Apple next, because I figured out that they could get rid of whatever it was that was blocking my data service. I had to find an older iTunes backup that I had made before I went abroad (lucky I had done so with Time Machine), and then wipe my phone clean and bring that backup to the phone. All told, several hours were wasted. I found out that there is a subtle but important difference in how iTunes and iCloud handle backups. I was fortunate to find a very nice woman from Apple who called me back as we tried various strategies, and eventually we figured out what to do. This took place over the course of a couple of days. Here is the bottom line: your phone has hundreds of parameters that determine whether it will communicate properly. Some of them aren’t accessible to you via the various on-screen controls and are hidden from your use. The only way to change them is to restore from a known working backup.

So if you are planning on being out of the country, think carefully about your options. Consider if you need a foreign SIM for a brief trip. If you can afford service from your American provider, do so. Or if you can find Wifi hotspots, you probably can do 90% of the work on your phone by setting it to airplane mode when you leave town and not turning it on until you return. Under this scenario, you would use Facetime, What’sApp and Skype for voice and texting. Does that additional 10% make the difference? If you have a terrible sense of direction and need Google Maps, for example, you will need that broadband data. Or if you are traveling with other Americans and need to meet up, you might need the cellular voice flexibility.

SIMs come in at least three different sizes, and most suppliers ship them with cardboard adapters so you can fit them in your phone’s compartment. It doesn’t hurt to check this though.

Next, don’t swap SIMs until you reach your destination. If you need to look at buying a local SIM, make sure you understand how you have to bring your phone back to its original state when you come home. Make backups of your phone to your computer, to the cloud, to as many places as possible before you leave town. If you have an iPhone, read this article on how to find the iTunes backups on your system.

Next, when you are looking for a mail-order SIM, make sure you are actually buying it and not just renting it. Check to see that it will work in all the countries on your itinerary. Or wait until you get to your destination, and buy a local SIM from a phone store or airport kiosk.

Finally, examine the calling plan for what it will entail and match it with your expected usage on texting, data, and voice volume. Examine whether your calls back to the States are included in the plan’s minutes or not. If you don’t use a lot of data, you probably can get by with a cheaper voice-only plan and finding WiFi connections.  Happy trails, and hope they don’t turn into travails.

CSO Online: Inside RSA’s state-of-the-art fraud intelligence command center

As cybercriminals get better at compromising financial accounts and stealing funds, vendors are beefing up their defensive tools to prevent fraud and abuse. I had an opportunity while I was in Israel to visit Daniel Cohen (shown here) of RSA’s Anti-Fraud Command Center (AFCC), the nerve center of a division that is devoted to protecting consumers’ financial records and funds. The AFCC is an example of what a state-of-the-art web threat and fraud intelligence operation looks like. Here is my report for CSO Online.

CSO Online: 10 questions to answer before running a capture the flag (CTF) contest

Capture-the-flag (CTF) contests have been around for decades. One of the longest-running and more popular series began at the Vegas DEFCON show in 1996 and attracts thousands of participants. Running your own CTF contest can build security skills and help identify new internal and external talent. In this article for CSO Online, I compare CTFs with cyber ranges such as CyberGym (shown here) so you can learn what types of challenges you need to include for your own contest, how to make the contest run smoothly, and other logistics to consider. An introduction to FIDO

Many years ago, the idea of making a more universal multi-factor authentication (MFA) token seemed like a good idea. Back then, hardware tokens were proliferating, and so were the number of logins for different web-based services. Out of that era, the Fast Identity Online (FIDO) Alliance was created in July 2012 and publicly announced in February 2013 to try to bring some standards to this arena. Since then, the FIDO standards have gone through several revisions and extensions, and more than 100 vendors have joined the non-profit association, including some of the largest names in the identity and authentication business.

While it has taken a while to gain traction, FIDO is now at an inflection point and has reached sufficient maturity that deploying it isn’t a matter of if, but when for most enterprises.

You can read my post on FIDO for today.