Security insider: Ben Rothke, Nettitude Group

Ben Rothke is a Principal Security Consultant at the Nettitude Group and is a CISSP, CISM and PCI QSA. He has over 15 years of industry experience in information systems security and privacy. He is the author of Computer Security: 20 Things Every Employee Should Know, and authors The Security Meltdown blog for CSOonline.

I first met him in Israel on a tour of infosec companies, and he always has something thoughtful and interesting to say. Given his tenure, it isn’t surprising that the first major security issue he can recall was a misconfigured firewall that was letting a whole lot of Internet traffic in. It took him a few hours to figure out the correct configuration. As he said, “everything old is new again when it comes to information security!”

Since he does a lot of PCI compliance work, his go-to tool is Ground Labs Card Recon tool for cardholder data discovery. He also uses tools from Skyhigh Networks and the native AWS security services as well. “The native AWS controls do go a long way to help configure and debug security configurations of their cloud services.” Another tool that he personally uses is Norton Mobile Security to protect his mobile devices. He also uses LastPass for managing his password collection. “I was concerned when they had their breach about putting all my eggs into one basket, so yes, you have to be prepared for that.”

“Nowadays you pretty much know when someone is trying to social engineer you,” he says. “You can tell when you get an odd Facebook message or some dopey email, such as someone’s wallet has been stolen while on a trip and you haven’t heard from that person in ten years.” But the attackers have the odds in their favor: “All it takes is a couple of folks to click on the bait and they are living the high life.”

Over the last 18 months he has personally seen three different ransomware cases. For two of them, “they had good backups and ignored the ransom demands and were fine,” he said. The clients were able to reimage their machines and went about their business. However, with one client, “they had no leverage and had to pay the $600 ransom and learn from it. But now they have good backups, they took the attack as a wakeup call.” We commiserated on the fact that “you can’t have too many backups. Now that we have the cloud, it is easier, you can have a huge amount of data backed up without any tapes anymore.”

“Sometimes I see clients that have some rivalry between two different IT divisions,” he says. “It is like the competition between the police and fire departments. But they have to work together, and try to avoid finger pointing, and let them work it out and work together and understand each other’s point of view. Some companies are integrated better than others.” He says there isn’t any real magic to this integration. “It is more of a culture issue. If you are part of the same team, and guys are sitting near each other on the same floor, it is easier for one person to hand off to another and interact with them and build mutual trust.”

Part of the challenge is that everyone needs to be operating “from the same playbook, and understand the same collection of systems. After all, they are all supporting the same business goals and understanding the same endgame,” he says. “The challenge is that it takes a good executive at the top, whether that be a CIO, CTO or a CISO, for everyone to work well together and for this harmony to trickle down. Without this leadership, the conflicts trickle down too.”

You can subscribe now to my Inside Security newsletter and get information such as this interview and updated security news delivered regularly to your inbox.

Security Intelligence blog: Understanding the Relationship Between AI and Cybersecurity

The first thing many of us think about when it comes to the future relationship between artificial intelligence (AI) and cybersecurity is Skynet from the “Terminator” movie franchise. But I spoke with Dudu Mimram, the CTO at Telekom Innovation Laboratories, when I was in Israel earlier this month, and he has a somewhat rosier view. He suggested that AI must be understood across a broader landscape, regarding how it will influence cybersecurity and how IT can use AI to plan for future security technology purchases. You can read my blog post in IBM’s Security Intelligence here.

Adrian Lamo, RIP

I first met Adrian Lamo back in 2002. I was teaching a high school networking class and I thought it would be cool to have the kids experience a “real” hacker, since so many of them aspired to learn how to get into the computerized grading system that the school ran. It wasn’t a very exciting teachable moment, as I recall. But Lamo made a big impact on me, as he couch-surfed in my New York suburban apartment.

Sadly, I learned that last week he died at age 37 in Wichita, KS. The cause of death hasn’t yet been determined, and he had been living in the area for the past year, according to reports. Lamo moved around a lot, thanks to a rather interesting personality that could best be described as on the autism spectrum. When I met him, he had the symptoms of obsessive-compulsive disorder and was later diagnosed with Asperger’s. One of his quirks was that it would take him a while to leave my apartment every morning: he had a sequence of steps to follow in a very specific order before he could walk out the door.

Lamo was a study in contradictions: both very bright and very socially awkward, a Sheldon Cooper before his time. He had a high sense of morality. At the time Lamo stayed with me, he had been arrested for breaking into several different computer systems, including the freelancer database of the New York Times. His method was to find an open Web proxy server and use that to gain entry inside a corporate network. (It is still a common entry point method, although many companies have finally figured out how to protect themselves.) He never profited financially from these attacks; instead he would often leave hints on how a company could close these proxies and improve their security. He was sentenced to house arrest for the Times attack.

At the time we met, he was called the “homeless hacker” – not because he was living on the streets, but because he was young and had no fixed address, and would go from couch to couch as the mood took him. I offered him a place to stay and a chance to get to know him better, thinking how cool could that be? Little did I know.

When I told my then-teenage daughter about his impending visit, she was rather incredulous (you have someone wanted by the police staying with us) but ultimately she was won over by his geek cred – she had a problem with her cell phone that she recalls him fixing in a matter of seconds.

Well, Lamo went on to get a degree in journalism, ironically enough. He was very connected to the tech trade press, and Brian Krebs recalls his various interactions with him in this post.

Tributes in the past few days have remembered Lamo for his role in the Wikileaks/Cablegate case of 2010, when he divulged the name of Private Manning to the feds as the leaker. Both then and now, his decision was vilified in the hacking community, with numerous online threats.

I had a chance to speak to Lamo back in 2011 and recorded the interview for ReadWrite, where I was working at the time. It covers a lot of ground:

He has some very wise comments about the importance of government secrecy, and the freedoms that it enables for us all. Lamo saw the Manning case from the other side, as a case that would be eventually remembered supporting our freedoms. It was a real issue for him, because as a hacker he could certainly understand what Manning was trying to do, but as someone who also understood the role of our military he couldn’t in good conscience allow her to leak all that data. When Manning contacted Lamo he had a crisis of conscience and made his decision. He struggled over harming Manning, whom he considered a friend, or harming countless others who would be placed at risk because of Manning’s leaks. He wishes Manning had come to him before making the documents public.

This is certainly an interesting position for a hacker to take. He was vilified in the hacker community because of it, but I think he made the right decision. “Who would have thought that when we first met ten years ago that I would have been involved in the single biggest intelligence leak in history,” he told me. How true.

He continued to work as a security consultant, helping corporations understand better security practices as well as going out on the speaking circuit. Ironically, his preferred method of communications more recently was FedEx! “I’m a little bit of a Luddite these days,” he said.

Lamo left this planet far too soon. He was a very smart guy and had a very solid moral compass, and those two traits guided his actions all his short life. I am sad that he is no longer with us, and hope that his life can be noted and celebrated for his accomplishments, verve and significance.

Security Intelligence blog: An Interview With IBM Master Inventor James Kozloski on His New Security Patent: The Cognitive Honeypot

What does a master IBM inventor who typically models brain activity have to do with enterprise security? If you ask James Kozloski, you won’t get a quick answer, but it will definitely be an interesting one.

Kozloski, who is a manager of computational neuroscience and multiscale brain modeling for IBM Research, is always coming up with new ideas. He was recently part of a team of IBMers that received a security patent for a cognitive honeypot. If you don’t know what that is, check out my story on IBM’s SecurityIntelligence blog for details with this very interesting inventor.

Notable TechWomen, in honor of Ada Lovelace Day

The TechWomen program brings emerging women STEM leaders from around the world to the Bay Area for five weeks of mentoring and career development. Sponsored by the US State Department and run by the Institute of International Education, over the past six years it has brought more than 400 women here.

I spoke to two of the women who are taking part in the program; both are 32 and from different parts of Africa. Martine Mumararungu runs the core traffic engineering for a Rwanda ISP and has a BS in CS. She was one of seven women in her classes. “Most girls in Rwanda think STEM is just for men,” she told me. Luckily, she had an older brother and sister who were interested in science, and that sparked her own interest. She started out in programming, taking classes in C++ and Java, and got more interested in networking technology. She eventually earned her CCNA and CCNP certifications and has found them very much in demand in Rwanda and very valuable for her job at the ISP. She is using the program to learn more about IT security and how she can beef up her ISP’s profile in that area.

Umu Kamara hails from Sierra Leone where she is the assistant IT manager for a private shipping company. She got her BS in Physics and also got several Microsoft certifications. She switched to IT because she was always interested in systems and databases. She started out wanting to become a medical doctor but wasn’t accepted into the program because of low English grades. Now she is glad she didn’t go that route and likes being in IT. Her father (who died when she was four) was a mechanical engineer, and that motivated her to get interested in science at an early age. She is using the program to learn more about cloud technologies and data center security. She may try to switch her EDR products to more cloud-based ones. When I asked her about the relative bandwidth that she has in the States versus at home, she just laughed, agreeing with me that yes, here it is “a bit faster.” She also agreed that the Internet is here to stay no matter where you live, and even if you have just a marketing company you still need an online presence. “You can’t do without it.”

She experienced a data breach at her company; unfortunately, it was just after her boss left town for a seminar so she had to handle the situation. It was caused by an infected cell phone that was connected to the corporate network, and used malware-infused PDF and Word documents. She had to work long days to reinstall her servers and updates. “It was a good experience but I wouldn’t want to do it again.” The company was offline for several days and the revenue impact was huge, since ships couldn’t unload without the appropriate systems operating.

FIR B2B#70 podcast: The peculiar PR paradox of the resurrection of A.I. with Jason Bloomberg

“On the one hand, AI is perhaps the most revolutionary set of innovations since the transistor. But on the other, the bad press surrounding it continues to mount, perhaps even faster than the innovations themselves. And AI promises to change the role technology plays for every industry on this planet.” So writes Jason Bloomberg in a post on LinkedIn Pulse earlier this month. Paul Gillin and I sat down with him in our latest podcast to discuss some of the issues surrounding how to best publicize AI and some lessons that overall PR and marketing folks can learn from the rise and fall and current rise of AI. Bloomberg has been a tech reporter for decades, writing for Forbes and various other B2B tech pubs over the course of his career.

Jason’s post makes four important points about PR and AI:

  • AI vendors jump in with more hype than reality, what he calls AI-washing (after white-washing).
  • AI has been on the verge of being the next big thing for decades now.
  • AI will cost jobs. As if we didn’t have enough threats these days.
  • Skynet. Need we say more?

Listen to our 20 min. podcast here:

FIR B2B podcast #49: Rich Mironov on how product managers need to work together with marketers

Paul Gillin and I this week interview Rich Mironov, who has held marketing and product management positions at many Silicon Valley companies including Tandem (when we called cloud computing “timesharing”), Sybase, Air Magnet and iPass. Rich and I have worked together over the years, and he is a very astute guy who understands how enterprise software is made and marketed.

You don’t want to build something that no one wants and as he says, there are no health benefits from joining a gym. And since most users only use a few functions of every product, it is important to focus on the three or four things that really matter about the product.

Listen to our podcast here:

Lessons Learned From a Master Inventor: An Interview with IBM’s Lisa Seacat DeLuca

Lisa Seacat DeLuca is the most prolific female inventor in IBM’s history. With more than 400 patent filings, she comes up with a new idea almost every week. She’s had numerous jobs within IBM and currently works as an omnichannel strategist for IBM Commerce. She works from her home-based Baltimore lab, which is filled with lots of different gadgets, including a 3-D printer.

I recently interviewed her for a post in IBM’s SecurityIntelligence blog here.

Remembering Ed Iacobucci

Another great tech manager has left our ranks this week, Ed Iacobucci. Ed lost a 16-month battle with pancreatic cancer. I last saw him two years ago when I was transiting Miami, and he was good enough to meet me at the airport on the weekend to brief me on his latest venture in desktop virtualization, Virtual Works. That is the kind of guy he was: coming out to the airport for a quick press meet on the weekend. There aren’t too many folks who would do that, and it shows the mutual respect we had for each other.

Ed was one of the originals in the PC industry. By that I mean that many of his ideas turned into products that we are still using today, or into companies that have gone on to become giants. He worked for many years as part of the IBM PC brain trust, first in their mainframe communications area and later on as one of the leads for the misguided OS/2 operating system. Both were big interests of mine and I followed his career since then.

You have to realize what a study in contrasts working for the PC division of IBM was back in the day. You had all these upstarts (such as Apple, Kaypro, Columbia, Osborne, and the like) that were building clones to run DOS. These companies were for the most part populated by people in their 30s. Not at IBM: you had older folks who had come up the ranks in the mainframe world and who were taking things in a new direction for IBM: using commodity parts that could be assembled quickly for very low cost. Ed was part of that revolutionary guard at IBM. Now IBM doesn’t even make PCs anymore.

You also have to realize what things were like in the early PC days for the trade press too. Aside from the fact that our publications used dead trees instead of electrons, we had tremendous access to these guiding lights of the industry. We could call up anyone and get anything. We would fly somewhere on a moment’s notice to meet someone or attend a briefing to see a new product.

Back in the early PC era, I just loved people like Ed: smart, articulate, open, funny, and did I mention smart? Tech reporters soaked up the information about their products, their worldview, their “vision” (although that term is overused now). We could always count on the likes of Ed to ‘splain somethin’ and give us a pithy quote that actually shed some light on a tricky tech topic. I have forgotten more about operating system design, learned from Ed, than most reporters even know today.

When OS/2 was still a project that combined the best and brightest of IBM and Microsoft, I was writing my first book with Mike Edelhart, who was my mentor and editor at PC Week (now eWeek). The book, like the operating system, went through several revisions as we waited for it to take off and become the corporate standard. Sadly for us (and them), that never happened and the book was never published. Mike and I did have some cool and memorable experiences: holing up at a hotel on Coronado Island to finish the first draft, scheduling a press briefing in Austin where 60 IBM’ers came to brief a few PC Week reporters on the secrets and inner workings of OS/2, and getting to meet the cast of Star Trek: The Next Generation at another press briefing (as one version of OS/2 was called Warp).

Ed left IBM in 1989 to found Citrix, which was a very small company for several years until it became the software behemoth that it is today. That began his next career in virtualization, something that he was still working on at his death.

After Citrix he left the tech field temporarily to found NetJets, a time-sharing company for business aircraft. Just like his other startups, he was way ahead of his time: now there are many jet sharing companies around. I always regret that I didn’t get in touch with him during that era and get a chance to ride on one of his jets (a guy can dream, right?).

In the release announcing his death, he is quoted as saying “Every human being has his own vision of what’s happening in the future. I was lucky in that what I thought would happen did happen. When we know we can do it and the rest of the world doesn’t – that’s when things get interesting.” It sure does. It was an honor to know him.

So long Ed, and thanks for the wonderful memories and terrific times and great products over the years.

Houston, give us a reading on the 1202 program alarm

Like many of you who grew up in the 1960s, I have been spending a lot of time online looking at the various commemorative links to the Apollo 11 moon landing that happened 40 years ago this week. I found it fascinating, not just because the event was such a key moment in my teenaged nerd life, but also because it shows how we managed to triumph with technology that wouldn’t even be found inside your average watch today, let alone a cell phone or computer.

The Apollo spacecraft had three different display units onboard, running two computers: one in the main command module and one in the lunar module. Both weighed 70 pounds, ran at 1 MHz and had about 152 kb of memory.

To get an idea of how primitive the guidance computer was: you didn’t have a typewriter interface or a display screen, but a box with mostly numeric input into which you had to key “nouns” and “verbs”. You can go here and try the simulator.

The first moon landing was beset with problems. Armstrong had 17 seconds of fuel remaining, after having to take manual control of the lunar module and fly past some obstacles. The site was four miles off course because the module wasn’t completely depressurized when it separated from the command module – a small amount of gas pushed it off course. And during the descent, several people (including the New York Times at the time here) documented how many times the guidance computer got overwhelmed with data inputs and had to be rebooted, because Aldrin had not set one of the radar switches properly and it was filling up the computer with too much data. A young engineer, Stephen Bales, made the critical decision to ignore these warnings.

There is a great video segment about it from CBS News.

There are probably hundreds of Web sites with various tributes to the space program, so I will just mention two places that I enjoyed reading. First is a special report compiled by EE Times, which has eyewitness accounts from a few of the engineers who worked at NASA, along with a teardown of the space suits used and other technical info about the program.

The other is a list of numerous technological achievements from the space program that have found their way into our lives. And while Tang isn’t on the list (and it is dubious whether it should be), there are lots of other things showing just how much innovation NASA had to do to put two men on the moon and bring them back home safely.