Book review: Good Reception by Antero Garcia

The use of technology in schools is analyzed from the actual front lines of a ninth grade classroom in South Central LA in this new book. The teacher, Antero Garcia, has learned some valuable lessons on his own about how technology can’t fix broken schools and how teachers use new media such as smartphones and tablets as an ancillary activity and not part of mainstream classroom methods. Garcia finds that the transformative moments for his students happened in spite of his pedagogical activities, and that the iPods he supplied as part of the research project described in this book often hindered rather than helped their learning. This book will be interesting to educators and parents who are trying to understand the appropriate role of technology with students and schools.

Read More
Becoming a better master of my email domain

This post adds my own personal experiences to improving the email authentication protocols of my own domain. I wrote about these issues in general for iBoss earlier this year and described the three protocols (SPF, DKIM and DMARC) and how they interact with each other. These protocols have been around for a while, and implementing them isn’t easy and hasn’t been very popular, outside of perhaps Google-administered email domains.

A recent survey from Barracuda shows how the majority of folks haven’t yet set up anything in their environments, as you can see by this graphic below. Another survey from Agari (who sells DMARC managed services, so they have something of a self-interest) says 82 percent of federal government domains lack DMARC protection. To try to fix this, the feds are getting more serious about DMARC, requiring it across all agency networks soon. 

So I wanted to be able to lead by example and actually put these tools in place on my own servers. That was easier said than done.

I first contacted Valimail in August. They have a managed email authentication service and agreed to work with me to get me set up. Valimail knows what they are doing in this space. As an example, a few weeks ago one researcher posted how he could deliberately break some DKIM records if he created some oddball email messages. Turns out Valimail has this covered and posted a counter reply. They claimed that the researcher didn’t really understand how it was used in practice.

And that is the issue: these protocols are very, very hard to implement in practice. Getting my domains setup wasn’t easy: part of that was my fault, and partly because this is a knotty area that has a lot of specific knobs to turn and places where a misplaced comma can wreck your configuration. So I am glad that I had them in my corner.

Let’s talk about what was my fault first. I have two different Internet providers for my domains. First is GoDaddy, which registers my domains. I have always felt it is a good idea to separate my content from my registrar, which is where my second provider, EMWD.com, comes into play. They host my blogs and mailing lists. The problem is that the three email protocols touch on aspects of both what the registrar has to do and what the content hosting provider has to do, and so I found myself going back and forth between the two companies and their various web-based control panels to add DNS entries and make other adjustments as I needed. For your particular circumstances, that may not be necessary. Or it could be more complicated, depending on how many individual domains (and sub-domains) you own and how you have set up your email servers.

When you first sign on with Valimail, they run a report that shows how messed up your email system is. Now right here I want to stop and explain what I mean. Your email system is probably working just fine, and your messages are flowing back and forth without any real issues. Except one: they aren’t using the full power of the various authentication protocols that have been developed over the years. If you don’t care about spam and phishing, then stop right here. But if you do care — and you should — then that means you need to get email authentication done correctly. That is the journey that I have been on since this summer.

OK, back to my story. So I got a report from Valimail that looked like this.  It shows that I made several mistakes in configuring my mail server because it uses a different domain (webinformant.tv) from the domain that I use for sending individual emails (strom.com). Duh! It was embarrassing, after all these years claiming to be this email “expert” (I did write a book on corporate email use once upon a time) and yet I still missed this very obvious mistake. But that is why you hire outside consultants to help you learn about this stuff.

That wasn’t my only problem. Second, I was using WordPress as my blogging software. Now, what does this have to do with email, you might ask? My problem was I didn’t immediately make the connection either. Some of my emails weren’t being authenticated properly, and it was only after further investigation did I realize that the comments that were being collected by my blog were the culprits. WordPress uses email to notify me about these comments. Luckily, there is a plug-in for fixing this that was available. Of course, it still took some effort to get it working properly.

This is why you want someone like Valimail to be working with you, because the chances of making any errors are huge, and your email infrastructure can be a bigger project that you realize, even for a small organization such as my own operation.

I have one other technology piece in my mix. One of the reasons why I chose EMWD is because they offer cheap but really good hosting of Mailman, which is a Unix-era email server that I have been using for more than a decade for my weekly Web Informant newsletters. It isn’t as fancy as Mailchimp or some of the other more modern mailers, but I also am familiar enough with its oddities that I feel comfortable using it. So any DKIM/DMARC/SPF installation also had to make some changes to its parameters too. Luckily, The folks at Valimail knew which ones to tweak.

So it took several months of elapsed time to work with Valimail to get things correctly setup. And that is probably a good thing because uncovering all the various applications that make use of email in oddball ways will take some time, particularly if you are a decent-sized company. Most of the elapsed time for my situation was because I was busy on other matters, and also because it took me several tries to understand the scope of what I had to do. Also, because Valimail’s typical customer is a larger enterprise, they weren’t very familiar with the cPanel interface that EMWD (like a lot of smaller ISPs) employs, or working with WordPress, so they had a learning curve too.

The team that helped me was very patient, which was great because I did need a lot of hand-holding (in the form of JoinMe meetings and screen sharing sessions) to walk me through the various processes. But what this demonstrated to me is how ingrained using email for various tasks can be, even for a company of one employee.

So the moral of the story: even if you know what you doing, this is one area that requires very specialized knowledge. But if you want to make an effort to reduce spam and phishing, you should implement all three of these protocols. And you might end up fixing some other email issues across your enterprise along the way too.

Read More
FIR B2B Podcast: Seth Greene on making effective podcasts

This week my podcasting partner Paul Gillin and I talk to Seth Greene about how to market small (and large) businesses using some time-tested direct response marketing methods that begin with creating podcasts. Seth is the author of Market Domination for Podcasting, as well as several other books. He offers so much great advice in this interview that you’ll want to have your notebook handy. Among his tips and observations about podcasting:

  • Global smartphone proliferation and Apple CarPlay have been big factors in the recent rapid growth of podcasts. It’s time for businesses to take notice.
  • It’s not about big markets – A few hundred regular listeners can give your business a great boost if they’re the right people.
  • Optimal length is 20-30 minutes, which is the length of the average workout or commute.
  • You can do a lot of your own promotion. Use Facebook, LinkedIn, Twitter. Send email to your clients. Ask your guests to promote to their lists.
  • Interview formats work well for a couple of reasons. One is that it’s hard to keep a narrative going all by yourself for a half hour. Another is that guests will often promote to their friends and associates. If you have a co-host, it’s even easier to keep the discussion moving. In Seth’s case, a partnership with TV celebrity Kevin Harrington has been a huge boost to listenership.
  • The biggest mistake B2B marketers make with podcasts is being boring. You’ve got to bring personality to your show.
  • Don’t turn down any opportunity for media promotion of your program. You never know who’s reading/listening.

Greene’s Market Domination firm has been one of the fastest growing direct response marketing firms in the country. He is the only person in history that Dan Kennedy has nominated for marketer of the year three years in a row and he’s been featured on numerous TV shows and quoted frequently in national business magazines.

Check out his SharkPreneur podcast, co-hosted with Shark Tank’s Kevin Harrington, and follow Seth on Twitter.

Read More
Why you should be afraid of phishing attacks

I have known Dave Piscitello for several decades; he and I served together with a collection of some of the original inventors of the Internet and he has worked at ICANN for many years. So it is interesting that he and I are both looking at spam these days with a careful eye.

He recently posted a column saying “It sounds trivial but spam is one of the most important threats to manage these days.” He calls spam the security threat you easily forget, and I would agree with him. Why? Because spam brings all sorts of pain with it, mostly in the form of phishing attacks and other network compromises. Think of it as the gateway drug for criminals to infect your company with malware. A report last December from PhishMe found that 91% of cyberattacks start with a phish. The FBI says these scams have resulted in $5.3 billion in financial losses since October 2013.

We tend to forget about spam these days because Google and Microsoft have done a decent job hiding spam from immediate view of our inboxes. And while that is generally a good thing, all it takes is a single email that you mistakenly click on and you have brought an attack inside your organization. It is easy to see why we make these mistakes: the phishers spend a lot of time trying to fool us, by using the same fonts and page layout designs to mimic the real sites (such as your bank), so that you will login to their page and provide your password to them.

Phishing has gotten more sophisticated, just like other malware attacks. There are now whaling attacks that look like messages coming from the CFO or HR managers, trying to convince you to move money. Or spear phishing where a criminal is targeting someone or some specific corporation to trick the recipient into acting on the message. Attackers try to harvest a user’s credentials and use them for further exploits, attach phony SSL certificates to their domains to make them seem more legitimate, use smishing-based social engineering methods to compromise your cell phone, and create phony domains that are typographically similar to a real business. And there are automated phishing construction kits that can be used by anyone with a minimal knowledge to create a brand new exploit. All of these methods show that phishing is certainly on the rise, and becoming more of an issue for everyone.

Yes, organizations can try to prevent phishing attacks through a series of defenses, including filtering their email, training their users to spot bogus messages, using more updated browsers that have better detection mechanisms and other tools. But these aren’t as effective as they could be if users had more information about each message that they read while they are going through their inboxes.

There is a new product that does exactly that, called Inky Phish Fence. They asked me to evaluate it and write about it. I think it is worth your time. It displays warning messages as you scroll through your emails, as shown here.

There are both free and paid versions of Phish Fence. The free versions work with Outlook.com, Hotmail and Gmail accounts and have add-ins available both from the Google Chrome Store and the Microsoft Appsource Store. These versions require the user to launch the add-in proactively to analyze each message, by clicking on the Inky icon above the active message area. Once they do, Phish Fence instantly analyzes the email and displays the results in a pane within the message. The majority of the analysis happens directly in Outlook or Gmail so Inky’s servers don’t need to see the raw email, which preserves the user’s privacy.

The paid versions analyze every incoming mail automatically via a server process. Inky Phish Fence can be configured to quarantine malicious mail and put warnings directly in the bodies of suspicious mail. This means users don’t have to take any action to get the warnings. In this configuration, Outlook users can get some additional info by using the add-in, but all the essential information is just indicated inline with each email message.

I produced a short video screencast that shows the differences in the two versions and how Phish Fence works. And you can download a white paper that I wrote for Inky about the history and dangers of phishing and where their solution fits in. Check out Phish Fence and see if helps you become more vigilant about your emails.

Read More
Why Your Survey Won’t See the Light of the Media Day

I wrote this piece with Greg Matusky, the head of the Gregory FCA agency.

As a marketer of a security firm, you know that surveys can serve as high-impact marketing tools when shared with clients, used to power top-of-the-funnel lead gen campaigns, punch up sales literature, incorporated into white papers, and create great content for any number of channels.

But when it comes to gaining media attention for your survey, well, that can be a struggle. The media is inundated with corporate-funded surveys and often turn a jaundiced eye to them precisely because of their inbred biases.

Gaining exposure in the media or by having the results “go viral” on social media requires you to create surveys that deliver results that withstand media scrutiny. But these surveys also must meet the definition of what is new, what is newsworthy, and what is interesting to an audience eager to better understand the changing world of cybersecurity. Above all, you need to put away your marketer’s hat and assume a reporter’s perspective in order to create results welcomed, not ignored by the media. Here’s what you need to know.

Man Bites Dog. Findings should be unexpected, counter-intuitive, unusual, or all three.

Having a survey that repeats common wisdom is a sure way for reporters to instantly hit the delete key.

This Barracuda survey found that 74 percent of respondents stated that security concerns restrict their organization’s migration to the public cloud and have prevented widespread cloud adoption. So tell me something new! The results might have been news back in 2000, but not now.  A great survey breaks new ground. It adds to the common knowledge and doesn’t just repeat it. Push your organization to formulate questions that produce the unexpected, counter-intuitive findings that media love.

Bigger is Better!

Sample sizes need to be big enough to impress – and be meaningful. Sample sizes of a few hundred participants, based on some non-random selection, such as people filling out a SurveyMonkey form, isn’t going to cut it. You can’t fool the media. They want statistical validity and the credibility that comes from large sample sizes.

Want a prime example? Consider Kaspersky Lab and B2B International release of a survey that drew on 5,000 companies of all sizes from 30 countries. Now that carries heft, and indeed, the results were cited in several places, including that the average cost of a data breach for enterprise businesses in North America is $1.3M. Another survey from Bitdefender interviewed 1,050 IT professionals in several countries to find out their cloud security purchase decisions. Both of these surveys are keepers.

Compare those surveys to a Beyond Trust study of nearly 500 IT professionals and concluded the “5 Deadly Sins” within organizations that ultimately increase the risks of a data breach. Yes, that will be conclusive – not. You are cherry picking the results here for sure.

But sample size isn’t enough. Take for instance a recent survey conducted by One Identity. It asked 900 IT security professionals for their thoughts. Seems like a promising sample size. But the results talk about inadequate IT processes around user access by disgruntled former employees and other nefarious actors — providing a widespread opportunity to steal usernames and passwords, risking the infiltration of their entire IT network. That brings us to our next point.

Blind them with science!

Make sure you ask the right evidence-based questions. Many surveys focus on “soft” assessments, such as “Do you believe your cybersecurity is better/worse this year when compared to last year?” Can anyone really answer that question with hard facts? Probably not. To win media coverage, show the reporters the evidence behind the questions, or ask for specific information that can be based on more than just a “feeling.” As an example of what not to do: “Most organizations are worried that the technical skills gap will leave them exposed to security vulnerabilities,” which is from a Tripwire survey.

Here is another result from that same Tripwire survey that doesn’t really have any solid data behind it: “Seventy-nine percent believe the need for technical skills among security staff has increased over the past two years.” Where did they get their beliefs from?

And then there is this survey from ABI Research, which finds that 40% of respondents believe that data security is the leading barrier to adopting innovative technologies. Again, how did the participants rank their beliefs and come up with this conclusion? This survey says nothing.

Consider the source of the discontent.

Sometimes having surveys come from surprising places, such as academic researchers, is a sexy way to interest media. Third parties make the findings more newsworthy and citable. Here is a report about the relative security of swiping patterns versus a six-digit PIN code that was done for the US Naval Academy. They surveyed more than a thousand people to find out that “shoulder surfers” (busybodies who look over our shoulders at crowded places) can remember the swipe patterns better than the numeric PINs. It also provides an unexpected result too. Could your organization team with a similarly credible third party to tell its story?

The best surveys use data that isn’t easily available.

Data such as server logs or actual threat data that show particular trends is useful and notable. Many security vendors now report on data from their own networks, using their monitoring tools that track what is actually being observed “out in the wild.” There is no belief system required: This is cold, hard data. The king of these kinds of surveys is the Verizon Data Breach Investigations Report, which has been coming out for the past decade. This report examines the actual attacks and isn’t asking for anyone’s opinion or feelings. It is encyclopedic, comprehensive, thoughtful, and analytical. Because it has been around for so long, the analysts can pull together trends from its historical records. And, at least until Verizon was itself breached, the data came from a solid brand too.

As you can see, there are some surveys that are worthwhile. The best ones take time and cost money to pull off properly. But they are worth it in terms of great media coverage.

Read More
How to protect your emails using Inky Phish Fence

Inky Phish Fence is an anti-phishing platform available for many email systems and can detect and defend against many types of suspicious emails and phishing attacks. It comes as an add-in for Outlook for Exchange/Office 365 accounts. It is also available for G Suite and Gmail as a Chrome extension. Enterprise users would most likely use a purely server-side gateway version where the checks are performed automatically and the warnings get inserted into the actual email. The consumer add-ins are free, the corporate version starts at a few dollars per month per user with quantity discounts available.

I tested the product in November 2017.

 
Read More
SecurityIntelligence blog: The history of ATM-based malware

I haven’t used a bank ATM for years, thanks to the fact that I usually don’t carry cash (and when I need it, my lovely wife normally has some handy). I still remember one time when I was in Canada and stuck my card in one of the cash machines, and was amazed that Canadian money was dispensed. I was amazed at how the machine “knew” what I needed, until I realized that it was only loaded with that currency.

Well, duh. Many of you might not realize that underneath that banking apparatus is a computer with the normal assortment of peripherals and devices that can be found on your desktop. The criminals certainly have figured this out, and have gotten better at targeting ATMs with all sorts of techniques.

Back as recently as three years ago, most ATM attacks were on the physical equipment itself: either by placing skimming devices over the card reading slot to capture your debit card data or by forcing entry into the innards of the ATM and planting special devices inside the box. Those days are just a fond memory now, as the bad guys have gotten better at defeating various security mechanisms.

For many years, almost all of the world’s ATMs ran on Windows XP. Banks have been upgrading, but there are still a lot of XP machines out there and you can bet that the criminals know exactly which ones are where.

But there is a lot happening in new ATM exploits, and my post for IBM’s Security Intelligence blog on the history of ATM malware hacking talks about these developments. In fact, ATM malware is now just as sophisticated and sneaky as the kind that infects your average Windows PC, and ATM malware authors are getting better at emptying their cash drawers. For example, malware authors are using various methods to hide their code, making it harder to find by defensive software tools. Or they are taking a page from the “fileless” malware playbook, whereby the malware uses legit OS code so it looks benign.

There is also a rise in network-based attacks which exploit lax banking networking topologies (segmentation seems to be a new technology for many of them), or rely on insiders that either were willing or had compromised accounts. Some of these network-based attacks are quite clever: a hacker can command a specific ATM unit to reboot and thereby gain control of the machine and have it spit out cash to an accomplice who is waiting at the particular machine.

Sadly, there are no signs of this changing anytime soon and ATM malware has certainly become mainstream.

Read More
Life imitating art

One of my favorite sci-fi books was Card’s Ender’s Game series, which chronicle smart kids who play video games and end up controlling an interstellar war. There is a lot more to the books and well worth your time if you haven’t read any of them, and even the movie was decent. The same basic plot point was part of a movie called The Last Starfighter made many years ago. Now the Pentagon has taken a cue from the idea and is writing its own video game called Operation Overmatch, according to this piece in DEFENSE ONE. The game, which is still in its early development stages, will help train soldiers in warfighting tactics and methods. It includes six types of armored vehicles playable across four different urban levels. When you think about this, it makes a lot of sense, given that many of their recruits are probably FPS fans. The article talks about some of the issues involved in designing a realistic simulation that teaches critical thinking and decision-making skills that could have life and death consequences.

That isn’t the only item in the news this past week that got me thinking about the notion of life imitating art. A group of Brazilian researchers has compiled an open-source blockchain-related database of discretionary expenditures and reimbursement by members of their Parliament. The project is called Serenata de Amor, which means love serenade. Brazil passed a mandatory financial disclosure law just a few years ago in an attempt at making their government more transparent and accountable. Like in the States and elsewhere, public servants have accounts that they can get reimbursed for their business expenses, but sometimes this “slush fund” can be abused. The most infamous case of this happened more than 20 years ago in Sweden when a public official was found to be buying groceries on her government credit card account and was dubbed The Toblerone affair. These Brazilian coders got together to try to stop this abuse.

The disclosures are searchable and the code has been written in English to facilitate international collaboration. Here is a post on Medium that describes the project and how people can contribute.

What does this have to do with life imitating art, you ask? If you have read the book or seen the movie called The Circle, you immediately recognize one of the major plot points about transparency in government. Instead of a blockchain database, people wear body cameras that stream their activities 24×7 and develop their own online audiences that watch their every move. If a Congressperson is continually broadcasting their daily meetings, there are no longer any backroom deals.

Sci-fi is always ahead of reality in some interesting ways. A noted example was the first geosynchronous satellites, which were thought of by Arthur Clarke back in 1945, 20 years before they actually became a reality. But it does seem lately things are getting more interesting.

Read More
Book review: The Selfie Generation

Alicia Eler once worked for me as a reporter, so count me as a big fan of her writing. Her first book, called The Selfie Generation, shows why she is great at defining the cultural phenomenon of the selfie. As someone who has taken thousands of selfies, she is an expert on the genre. Early on in the book she says that anyone can create their own brand just by posting selfies, and the selfie has brought together both the consumer and his or her social identity. The idea is that we can shape our own narratives based on how we want to be seen by others.

Do selfies encourage antisocial behavior? Perhaps, but the best photographers aren’t necessarily social beings. She captures the ethos from selfie photographers she has known around the world, such as @Wrongeye, Mark Tilsen and Desiree Salomone, who asks, “Is it an act of self-compassion to censor your expression in the present in favor of preserving your emotional stability in the future?”

Are teens taking selfies an example of the downfall of society? No, as Eler says, “teens were doing a lot of the same things back then, but without the help of social media to document it all.”

She contrasts selfies with the Facebook Memories feature, which automatically documents your past, whether you want to remember those moments or not. She recommends that Facebook include an option to enable this feature, for those memories that we would rather forget.

Eler says, “Nowadays, to not tell one’s own life story through pictures on social media seems not only old-fashioned, but almost questionable—as if to say ‘yes, I do have something to hide,’ or that one is paranoid about being seen or discoverable online.”

Eler mentions several forms of selfies-as-art. For example, there is the Yolocaust project, to shame those visitors to the various Holocaust memorials around the world who were taking selfies and make them understand the larger context. And the “killfie,” where someone taking a picture either inadvertently or otherwise dies.

This is an important book, and I am glad I had an opportunity to work with her early in her career.

Read More
HPE Enterprise.nxt blog: CEO cybersecurity 101: Improve your executives’ security hygiene

Chances are, your CEO doesn’t have the best data security hygiene. And too often that’s the case among other executives as well. Everyone’s current favorite, Equifax, had execs using poor password choices that failed to follow best security practices, among other bad practices.

Although they may not all make headlines, companies with poor security habits are (unfortunately) plentiful. The 2017 Verizon Data Breach Investigations Report found 81 percent of hacking-related breaches use either stolen or weak passwords. In other words, the breaches resulted from easily compromised identities.

You can read my story on HPE’s blog here about some suggestions on how to improve security posture in the C-suite and bring our execs up to par. They should be leading by example in this area.

Read More
1 2 3 196