iBoss blog: How Cyber-geddon Could Happen to Financial Networks


An article in the June Economist paints a dark picture of the aftermath of a fictional financial services hack. They start with some history and extrapolate based on current potential compromises to various networks. What is interesting about this piece is how cold and calculating they can be: “Processes designed to make banking safer have created new vulnerabilities: large amounts of money flow through certain key bits of infrastructure.”

What this means for the finserve industry and a more detailed description of their scenario can be found in my blog post for iBoss here.

How to create a great content strategy for your company (podcast)

Does this sound familiar: You don’t have a coherent content marketing program at your company. You have multiple stakeholders and content authors scattered across several divisions, with no single person in charge overall. You don’t have an editorial calendar, or even know what one is. You don’t have any content strategy or an editorial advisory board, or have a clue how to create either of them. You have a corporate blog but haven’t posted anything in weeks, or maybe months. You began a corporate YouTube channel years ago but don’t know who is in charge of posting videos there.

Sadly, most of these aspects are all too often the situation when it comes to how many companies treat their content. I have been in many organizations where content is often a dirty word, and a lack of understanding of how to produce great content is pervasive. It doesn’t have to be that way. This isn’t a hard thing to turn around, and indeed I recently came across a great case study of one company where they did exactly that.

This week, my podcasting partner Paul Gillin and I interviewed Giuseppe Caltabiano for our latest episode, which you can play directly here:

He is the VP of marketing integration of the IT division at Schneider Electric, a company with 180,000 worldwide employees and a producer of data center power conditioning equipment. When he took the job, he was brought in to fix their marketing efforts, and he realized that he had to turn towards managing their content to do so.

His story is an interesting one, because within a year he was able to pull together the things that I mentioned up top: pull together a unified edit calendar (the company had several), set up an editorial advisory board, and assemble a solid team who understood the importance of great content and how to formulate a strategy.

One of the things that Caltabiano did was to focus on their corporate blog and use it as the center of their content strategy. He planned content that would target readers who are at the very early stages of their journey as potential customers. They also supplemented the blog with an internal email newsletter and with paid promotions too.

He uses what is called a “big rock” strategy for his content. This means stories are centered around anchor feature topics that can be repackaged and reused in multiple formats and on multiple platforms. “Content leads to three times as many downloads as traditional marketing campaigns,” he writes.

Another element was the role that pilot projects played in getting executive buy-in to his plans. “If your bosses are pleased with the initial progress, they’ll give you the money so you can” run with your plans. They are now setting up pilots in other places around the world to expand their reach.

“We learned that email newsletters drive more traffic than other owned channels, SlideShare and YouTube are great for B2B content, and that we need weekly governance calls with employees from each country to solve any immediate problems that pop up,” he wrote.

So take a listen to our podcast interview, and see if there are ways that you can reinvigorate your content plan with some of the innovative ideas that Schneider used.

Redmond magazine: Skype for Business, some assembly required

The on-premises and cloud editions of Skype for Business Server and the Cloud PBX are promising and less-expensive alternatives to traditional phone systems, but come in a complex array of options and require integration. The software has gained some promising features along with growing support for third-party software, hardware and services. In my review for Redmond Magazine, I look at what is involved in getting it set up and how it works with a sample video conference phone from Logitech here (shown above).

Security Intelligence blog: The Increasing Dangers of Code Hooking

Security researchers discovered a series of implementations of an old type of exploit known as code hooking. These implementations are increasing and becoming more dangerous. Operating under the name of Captain Hook, these exploits make use of code injection techniques that could cause numerous vulnerabilities and potentially affect thousands of products.

I look at the process of code hooking and its relevance to your enterprise security in my latest post for the IBM blog Security Intelligence here.

iBoss blog: Wireless Keyboards are Vulnerable to Sniffing Attacks

One of the most vulnerable places across your enterprise (apart from the inner workings of your users’ brains, that is) can be keyboards. And recently, an innovative keylogger attack has been found by Bastille Networks that intercepts wireless keyboard transmissions. The attacker can be located up to 250 feet away from the computer, and the attack is a new twist on some old exploits. Out of 12 wireless keyboard manufacturers, the researchers found that eight (such as the one from Kensington, above) were susceptible to the attack. You can read more in my post for the iBoss blog here.

EventTracker blog: What is privilege escalation

A common hacking method is to steal information by first gaining lower-level access to your network. Once inside, the hacker will escalate their access rights until they find minimally protected administrative accounts, where the attacker can steal data. This is called privilege escalation, and it happens often.

You can read my post here on the EventTracker blog on what you can do to protect yourself.

WindowsITpro: Choosing among various Slack-like communication tools

We all spend too much time on email, and if your inbox is overflowing with messages from your coworkers, it might be time to investigate another way to communicate. I review for WindowsITpro some of the issues involved in choosing a tool for team communications with intranet-like features, text messaging, workflows and collaboration features. While Slack is a leader in this field, there are lots of other choices that could cost less or do more.

(Note: this article is outdated and products are no longer available.)

‘I have nothing to hide’ doesn’t mean you are anonymous

In my post from last week, I addressed some of the concerns in the growing conflict between security and privacy. One of the issues that I didn’t talk about, as several readers reminded me, is the difference between privacy and anonymity. This is often summarized by saying, “I don’t care if someone tracks me, I have nothing to hide.” Well, consider the following scenarios.

Scene 1. You are hiking on a remote trail. As you are enjoying the view, someone is taking pictures with their smartphone and pointing their camera in your direction. So essentially your image is being taken without your consent. At first, you think this is fine: after all, you are anonymous, just some random hiker. But when the photographer posts your image on their social feed, your face is recognized thanks to the site’s software. And now, not only are you identified, but your location is also specified. So you have been tagged without your consent. One way around this is to wear specialized clothing that defeats flash photographs, as shown here.

Scene 2. You maintain a very active Pinterest account and post numerous pictures when you are at various events, or when you travel to distant cities. One consequence of this is that anyone who spent time looking at your account could see where you have been and what you have done.

Scene 3. Beginning in 2007, employees of the UK-based News Corp. regularly hack into celebrities’ voicemail accounts. They are sued and eventually pay various fines. Eventually, things come to a boil in 2011 and others are charged, and one staffer is actually jailed. Testimony reveals that thousands of phones were involved and dozens of staffers had access to the collected information.

Scene 4. In the neighborhood where I live in St. Louis, the community monitors nearly 100 cameras that continuously capture video imagery to aid in solving crimes. Several dozen people have been arrested as a result of investigations using these images, which are available to law enforcement personnel. While they don’t have facial recognition software yet, it is only a matter of time. But what if anyone could access the video feeds online and monitor what is going on?

Scene 5. Your online activities are being tracked. One of the stories that I wrote about tracking online fraud recently was how security researchers were able to use machine learning to predict when an endpoint device could be considered compromised. They found a series of common characteristics that were easy to discover, without any sophisticated software. These included freshly made cookies (fraudsters clear their cookies often while regular users almost never do), erased browser histories, 32-bit Windows running on 64-bit CPUs and using few browser plug-ins. While any of these factors taken alone might be from a legit user, combined together they almost always indicated a machine used by an attacker.

Still think you have nothing to hide? Maybe so, but it is a bit creepy to know that your digital footprints are so obvious, and show up in so many places.

Some vendors, such as email encryption software Mailpile, have gone to great lengths to document how they address their users’ privacy. Given their market focus, it isn’t surprising. But still the level of detail in that document is impressive. “People should be able to communicate privately,” as they state in their document. That means no eavesdropping on email content, supporting authentic messages and privacy when it comes to the message metadata and storage too. What I liked about the Mailpile manifesto was their non-goals: “Mailpile is not attempting to enable anonymous communication. Most people consider e-mail from anonymous strangers to be spam, and we have no particular interest in making it easier to send spam.”

So as you can see, there is a difference between being anonymous online and maintaining your privacy. Like anything else, it is a balance and everyone has their own trade-offs as to what is acceptable, what isn’t, and what is just creepy. And expect new technologies to upset this balance and make these choices more difficult in the future.

The best tools to predict and manage cloud computing costs

Cloud pricing can be a frustrating experience. Everything is charged by different metrics. Some of the prices are spelled out, some are hidden behind paywalls or aren’t clear until you get your monthly bill and realize you forgot to turn off an instance that is chewing up your wallet. Some are charged by usage, others by the month.

I look at some of the issues in keeping track of your cloud costs and summarize the numerous services that are currently available. You can read my post on WindowsITpro here.

EventTracker blog: What is privilege escalation and why should I care?

A common hacking method is to steal information by first gaining lower-level access to your network. This can happen in a variety of ways: through a print server, via a phished email, or by taking advantage of a remote control program with poor security. Once inside, the hacker will escalate their access rights until they find minimally protected administrative accounts. That is where the real damage and data theft starts. Given the number of Internet-available servers and reused passwords, this rough outline of attack happens more often than anyone wants to admit, and it can be a very big threat. The good news is that fixing this isn’t very difficult, just requiring diligence and vigilance. It also helps if you have the right protective software, such as what you can purchase from EventTracker, to stop these sorts of “privilege escalation” attacks.

The first thing is to understand how prevalent this really is, and not bury your head in the virtual sandbox. Consider the Black Hat 2015 Hacker Survey Report, which was done on behalf of Thycotic last December. The results showed 20% of those surveyed were able to steal privileged account credentials “all the time”. Wow. And what is worse is that three fourths of those surveyed during the conference saw no recent improvements in the security of privileged accounts. Finally, to be more depressing, only six percent of those surveyed could never find any account information when they penetrated a network.

Granted, the survey is somewhat self-serving, since Thycotic (like EventTracker) sells security tools to track and prevent privilege escalation events.

Next, you should understand how the hackers work and what methods they use to penetrate your network. A great play-by-play article can be found here in Admin magazine. The author shows you how a typical hacker can move through your network, gathering information and trying to open various files and find unprotected accounts. In the sample system used for the article, the author “found a very old kernel, 28 ports open for incoming connections, and 441 packages installed and not updated for a while.” This is certainly very typical.

So what can you do to be more proactive in this arena? First, if you aren’t using one of these tools, start checking them out today. You should certainly have one in your arsenal, and I am not just saying this because I am writing this blog here. They are essential security tools for any enterprise.

Second, clean up your server password portfolio. You want to strengthen privileged accounts and shared administrative access to critical local Windows and Linux servers (Lieberman Software has something called Enterprise Random Password Manager that will do this quite nicely). Any product you use should discover and strengthen all server passwords, then encrypt them and store them in an electronic vault, and change them as often as your password policies dictate. These types of tools will also report on those resources that are still using their default passwords: a definite no-no and one of the easiest ways that a hacker can gain entry to your network.

An alternative, or an addition, to the password cleanup is to use a single sign-on tool that can automate sign-ons and strengthen passwords at the same time. There are more than a dozen different tools for this purpose: I reviewed a bunch of them for Network World about a year ago here.

Next, regularly audit your account and access logs to see if anyone has recently become a privileged user. Many security tools will provide this information: the trick is to use them on a regular basis, not once when you first purchase them. Send yourself a reminder if you need the added incentive.
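As a sketch of the log audit described above, the following added example (not code from this post or from any vendor named in it) scans Linux authentication log text for accounts that recently gained privilege. It assumes ISO 8601 timestamps and shadow-utils style `usermod`/`useradd` messages; the host names, account names, group list and function name are all hypothetical.

```python
import re
from datetime import datetime, timedelta

# Groups treated as privileged; an assumption, adjust to your own hosts.
PRIVILEGED_GROUPS = {"sudo", "wheel", "adm", "root"}

# shadow-utils style messages, as commonly written to auth.log or secure.
GROUP_ADD = re.compile(r"usermod\[\d+\]: add '(?P<user>[^']+)' to group '(?P<group>[^']+)'")
NEW_USER = re.compile(r"useradd\[\d+\]: new user: name=(?P<user>[^,]+), UID=(?P<uid>\d+)")

# Constructed sample log lines (not from a real system).
SAMPLE_LOG = """\
2016-07-01T08:00:11+00:00 web01 sshd[901]: Accepted publickey for deploy from 10.0.0.5 port 50122 ssh2
2016-07-02T02:13:40+00:00 web01 usermod[2211]: add 'deploy' to group 'www-data'
2016-07-09T03:41:07+00:00 web01 usermod[3310]: add 'svc_print' to group 'sudo'
2016-07-09T03:41:07+00:00 web01 usermod[3310]: add 'svc_print' to shadow group 'sudo'
2016-07-10T03:44:52+00:00 db02 useradd[778]: new user: name=support2, UID=0, GID=0, home=/home/support2, shell=/bin/bash
2016-06-01T10:00:00+00:00 db02 usermod[120]: add 'alice' to group 'wheel'
"""

def recent_privilege_grants(log_text, now, days=7):
    """Return (timestamp, host, user, reason) for grants in the last `days`."""
    cutoff = now - timedelta(days=days)
    findings = []
    for line in log_text.splitlines():
        parts = line.split(" ", 2)
        if len(parts) < 3:
            continue  # not a "timestamp host message" line
        try:
            when = datetime.fromisoformat(parts[0])
        except ValueError:
            continue  # skip lines with an unparseable timestamp
        if when < cutoff:
            continue  # older than the audit window
        host, msg = parts[1], parts[2]
        m = GROUP_ADD.search(msg)
        if m and m["group"] in PRIVILEGED_GROUPS:
            findings.append((when, host, m["user"], f"added to {m['group']}"))
        m = NEW_USER.search(msg)
        if m and int(m["uid"]) == 0:
            findings.append((when, host, m["user"], "created with UID 0"))
    return findings

if __name__ == "__main__":
    now = datetime.fromisoformat("2016-07-12T00:00:00+00:00")
    for when, host, user, reason in recent_privilege_grants(SAMPLE_LOG, now):
        print(f"{when.isoformat()} {host}: {user} {reason}")
```

Run on a schedule against the real log, this turns the "send yourself a reminder" step into a report that is empty unless someone's privileges changed inside the audit window.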

Finally, start thinking like a hacker. Become familiar with tools such as Metasploit and BackTrack that can be used to pry your way into a remote network and see any weaknesses. Know thy enemy!