iBoss blog: Wireless Keyboards are Vulnerable to Sniffing Attacks

One of the most vulnerable places across your enterprise (apart from the inner workings of your users’ brains, that is) can be keyboards. And recently, an innovative keylogger attack has been found by Bastille Networks that intercepts wireless keyboard transmissions. The attack works from up to 250 feet away from the computer and is a new twist on some old exploits. Out of 12 wireless keyboard manufacturers, the researchers found that eight (such as the one from Kensington, above) were susceptible to the attack. You can read more in my post for the iBoss blog here.

EventTracker blog: What is privilege escalation

A common hacking method is to steal information by first gaining lower-level access to your network. Once inside, the hacker will escalate their access rights until they find minimally protected administrative accounts, where the attacker can steal data. This is called privilege escalation, and it happens often.

You can read my post here on the EventTracker blog on what you can do to protect yourself.

WindowsITpro: Choosing among various Slack-like communication tools

We all spend too much time on email, and if your inbox is overflowing with messages from your coworkers, it might be time to investigate another way to communicate. I review for WindowsITpro some of the issues involved in choosing a tool for team communications with intranet-like features, text messaging, workflows and collaboration features. While Slack is a leader in this field, there are lots of other choices (such as Glip, shown below) that could cost less or do more.

FIR B2B podcast #51: The end of Gawker and where CMOs should spend their budgets

This week Paul Gillin and I look at six recent stories and how they affect marketing decisions, including the end of Gawker, how Google is changing its algorithms to penalize pop-up mobile ads, a survey out of the Duke business school about expectations on social media marketing, and why many marketers aren’t doing enough to take advantage of LinkedIn’s deeper engagement features. You can listen to the podcast here:

‘I have nothing to hide’ doesn’t mean you are anonymous

In my post from last week, I addressed some of the concerns in the growing conflict between security and privacy. One of the issues that I didn’t talk about, as several readers reminded me, is the difference between privacy and anonymity. This is often summarized by saying, “I don’t care if someone tracks me, I have nothing to hide.” Well, consider the following scenarios.

Scene 1. You are hiking on a remote trail. As you are enjoying the view, someone is taking pictures with their smartphone and pointing their camera in your direction. So essentially your image is being taken without your consent. At first, you think this is fine: after all, you are anonymous, just some random hiker. But when the photographer posts your image on their social feed, your face is recognized thanks to the site’s software. And now, not only are you identified, but your location is also specified. So you have been tagged without your consent. One way around this is to wear specialized clothing that defeats flash photographs, as shown here.

Scene 2. You maintain a very active Pinterest account and post numerous pictures when you are at various events, or when you travel to distant cities. One consequence of this is that anyone who spent time looking at your account could see where you have been and what you have done.

Scene 3. Beginning in 2007, employees of the UK-based News Corp. regularly hacked into celebrities’ voicemail accounts. They were sued and eventually paid various fines. Things came to a boil in 2011, when others were charged and one staffer was actually jailed. Testimony revealed that thousands of phones were involved and dozens of staffers had access to the collected information.

Scene 4. In the neighborhood where I live in St. Louis, the community monitors nearly 100 cameras that continuously capture video imagery to aid in solving crimes. Several dozen people have been arrested as a result of investigations using these images, which are available to law enforcement personnel. While they don’t have facial recognition software yet, it is only a matter of time. But what if anyone could access the video feeds online and monitor what is going on?

Scene 5. Your online activities are being tracked. One of the stories that I wrote about tracking online fraud recently was how security researchers were able to use machine learning to predict when an endpoint device could be considered compromised. They found a series of common characteristics that were easy to discover, without any sophisticated software. These included freshly made cookies (fraudsters clear their cookies often while regular users almost never do), erased browser histories, 32-bit Windows running on 64-bit CPUs and using few browser plug-ins. While any of these factors taken alone might be from a legit user, combined together they almost always indicated a machine used by an attacker.

Still think you have nothing to hide? Maybe so, but it is a bit creepy to know that your digital footprints are so obvious, and show up in so many places.

Some vendors, such as the makers of the email encryption software Mailpile, have gone to great lengths to document how they address their users’ privacy. Given their market focus, it isn’t surprising. But still, the level of detail in that document is impressive. “People should be able to communicate privately,” as they state in their document. That means no eavesdropping on email content, support for authentic messages, and privacy when it comes to the message metadata and storage too. What I liked about the Mailpile manifesto was their non-goals: “Mailpile is not attempting to enable anonymous communication. Most people consider e-mail from anonymous strangers to be spam, and we have no particular interest in making it easier to send spam.”

So as you can see, there is a difference between being anonymous online and maintaining your privacy. Like anything else, it is a balance and everyone has their own trade-offs as to what is acceptable, what isn’t, and what is just creepy. And expect new technologies to upset this balance and make these choices more difficult in the future.

The best tools to predict and manage cloud computing costs

Cloud pricing can be a frustrating experience. Everything is charged by different metrics. Some of the prices are spelled out, some are hidden behind paywalls or aren’t clear until you get your monthly bill and realize you forgot to turn off an instance that is chewing up your wallet. Some are charged by usage, others by the month.

I look at some of the issues in keeping track of your cloud costs and summarize the numerous services that are currently available. You can read my post on WindowsITpro here.

The debate between privacy and security

It seems as if we are headed for a showdown between privacy and security. I don’t think I have seen a time where there has been more conflict, and more acrimony, than the present day.

Let’s take a look at a few examples.

Earlier this month, the UK’s Telegraph newspaper ran a story that reported the BBC will send out specialized vans to determine if its customers are illegally accessing TV streams without paying a special license to do so. The story was later repudiated by The Register, but not before some sturm und drang across various social media, and the BBC made it clear that it wasn’t scooping up traffic on home WiFi networks. That story reminded me of a Google snafu. Between 2007 and 2010, Google Street View cars tapped into the browsing histories, text messages and personal emails of people on unsecured WiFi networks. Street View cars haven’t gotten much love since then. Earlier this summer, an Oakland man was arrested near Google’s Mountain View HQ. He later admitted to bombing other Street View cars earlier this year. He said he did this because he thought Google was watching him, and “that made him upset.” Street View does capture some wacky stuff, and I will leave it to you to dig that up.

But Google isn’t the only place where you can invade someone’s privacy. Take the site Ready or Not. It was developed by UC Berkeley researchers and has an app that can track your physical movements thanks to your phone’s GPS and social media accounts that have location services enabled. You just type in a Twitter ID and you can bring up a map showing where that person has been lately. This is a lesson to turn off those services if you don’t need them: but the problem is many of our apps do require them, so you are left with annoying messages to turn them back on.

Then there was a mother in Houston, Texas who was horrified to learn hackers had compromised her home’s security camera system and put up a live feed of her two daughters’ bedroom online. It turns out one of her daughters accidentally opened the virtual door to a group of hackers when she decided to play Minecraft on an unprotected server. It was easy enough for the attackers to identify the IP address of the daughter’s iPad. From there, they made their way to the router and the connected home’s security cameras.

Sometimes the tradeoffs between privacy and security can be a benefit for us. Progressive Insurance has sold several billion dollars’ worth of auto insurance over the past several years. Customers agree to place a monitoring device called a Snapshot (pictured) in their cars in exchange for lower premiums. The device beeps when you are speeding or braking hard, and if you are driving after midnight.

How about this scarf that can be used to hide your face and other features when you are out on the town and don’t want some flash-wielding paparazzi taking your picture? Its surface and pattern are specially designed to foil the camera’s exposure sensors.

And then several years ago at the royal wedding of Prince William, British police arrested more than 50 protestors. What made this significant was that many of them were arrested before they actually did any acts of civil disobedience, recalling the pre-crime plot lines of the movie and Phil Dick story “Minority Report.” How did the cops locate these miscreants? Using social media posts, of course.

These are just a few examples of where the security/privacy debate is headed. I don’t have any ready answers for how this is all going to shake out, but it certainly is going to make for additional conflicts as we struggle with finding the right balance.

FIR B2B Podcast: Don’t Confuse Stats with Strategy

This week Paul Gillin and I discuss three B2B marketing-related articles from TechCrunch, some commentary about content marketing and how one firm excels at it, and a piece on Twitter’s waning influence in the WSJ. The context is our regular For Immediate Release podcast, and you can play it below.

iBoss blog: Hacking Your Network Through Smart Light Bulbs

Earlier this year I posted an entry about how the Internet of Things (IoT) can create all sorts of insider threats. Sadly, this is becoming true faster than anyone has thought. Now connected light fixtures can be compromised, perhaps creating a new punchline to that age-old joke: “How many security managers does it take to screw in a lightbulb?” Only, no one is really laughing. Security researchers at Rapid7 have found nine different vulnerabilities in the Sylvania Osram Lightify smart bulbs. I talk about which of these you should be concerned with if you have these lights in your buildings in my latest blog for iBoss.

SecurityIntelligence blog: Tracking Online Fraud: Check Your Mileage Against Endpoint Data

A recent Simility blog post detailed how it is tracking online fraud. With the help of a SaaS-based machine learning tool, the company and its beta customers have seen a 50 to 300 percent reduction in fraudulent online transactions. Last January, they looked at 100 different behaviors across 500,000 endpoints scattered around the world. They found more than 10,000 of those devices were compromised, and then looked for patterns of similar behavior. They found seven commonalities, and some of them are surprising.

You can read my blog post on IBM’s SecurityIntelligence.com here.
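Scene 5 above and this SecurityIntelligence post both make the point that individually innocent endpoint traits (fresh cookies, an erased history, 32-bit Windows on a 64-bit CPU, few plug-ins) only become a fraud signal in combination. The following is an added example, not code from the original posts or from Simility, that encodes those four signals as a simple rule; the field names, the cutoffs, the "three or more signals" threshold and the sample records are all constructed assumptions.

```python
# Added example: combine weak endpoint signals into one fraud verdict.
# Field names, thresholds and sample data are assumptions, not Simility's.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass
class Endpoint:
    device_id: str
    observed_at: datetime      # when the session was seen
    cookie_created: datetime   # creation time of the oldest site cookie
    history_entries: int       # browser history size reported by telemetry
    os_bits: int               # 32 or 64
    cpu_bits: int              # 32 or 64
    plugin_count: int


FRESH_COOKIE_MAX_AGE = timedelta(hours=24)  # assumed cutoff
FEW_PLUGINS_MAX = 1                         # assumed cutoff
MIN_SIGNALS_TO_FLAG = 3                     # assumed: one signal alone is not enough


def signals(ep: Endpoint) -> List[str]:
    """Return the names of the Scene 5 traits this endpoint exhibits."""
    hits = []
    if ep.observed_at - ep.cookie_created <= FRESH_COOKIE_MAX_AGE:
        hits.append("fresh_cookies")        # fraudsters clear cookies often
    if ep.history_entries == 0:
        hits.append("erased_history")
    if ep.os_bits == 32 and ep.cpu_bits == 64:
        hits.append("32bit_os_on_64bit_cpu")
    if ep.plugin_count <= FEW_PLUGINS_MAX:
        hits.append("few_plugins")
    return hits


def is_suspicious(ep: Endpoint) -> bool:
    """Flag only when several traits coincide, as the research describes."""
    return len(signals(ep)) >= MIN_SIGNALS_TO_FLAG


def triage(endpoints: List[Endpoint]) -> Dict[str, List[str]]:
    """Map each flagged device to the signals that triggered the flag."""
    return {ep.device_id: signals(ep) for ep in endpoints if is_suspicious(ep)}


NOW = datetime(2016, 8, 20, 12, 0)   # constructed observation time
SAMPLE = [  # constructed telemetry: a regular user, a fresh install, a likely fraud box
    Endpoint("ep-regular", NOW, NOW - timedelta(days=90), 1200, 64, 64, 6),
    Endpoint("ep-fresh-install", NOW, NOW - timedelta(hours=2), 0, 64, 64, 2),
    Endpoint("ep-fraud", NOW, NOW - timedelta(minutes=30), 0, 32, 64, 0),
]
```

Running `triage(SAMPLE)` flags only `ep-fraud`; the fresh install trips two signals but stays below the threshold, which is the "taken alone might be a legit user" caveat from Scene 5.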