SecurityIntelligence.com: The hiring shortage hits the black hats too

An interesting analysis in Digital Shadows recently spoke about the hiring shortage that has befallen the black-hat hacker community. While most enterprise IT managers are frustrated about getting skilled cybersecurity personnel for their own teams, there are some unexpected benefits, too.

I spoke to Ron Gula, the CEO of Tenable Security, who has witnessed this situation first-hand. Even though security budgets are increasing, “money can’t make smart people appear out of nowhere,” he told me. Finding new black-hat talent can be just as frustrating as your next legit IT hire.

You can read my story posted today on SecurityIntelligence.com here.

Quickbase blog: How to make scheduling meetings easier and more productive

One thing that hasn’t changed about today’s office environment is that meetings are still very much in force. Certainly there are ways to make their end product – such as linked spreadsheets (poked fun at by this Xkcd comic) — more productive, such as how Procter & Gamble eliminated 18-24 days of meetings per person per year after implementing QuickBase. This was very effective because many of the meetings consisted of identifying the most current version of a given source within a huge master spreadsheet. What used to take days now takes minutes or hours, since this single, unworkable spreadsheet was divvied up into linked QuickBase files that were more manageable.

But there are other productivity gains to be had with meeting scheduling, meeting tracking, and online calendar technologies. Before you dive into any of these, realize that you will probably need more than one tool to help, depending on your needs.

Most of us arrange meeting times via email, or worse yet, through a series of phone calls. This makes everyone miserable because finding a common free time among your participants can be maddening, what with a series of seemingly never-ending emails or voice messages. There are two online services (SetMeeting.com and Doodle.com) that can do this for free. Both work by having each intended participant set up feasible free times and letting everyone converge quickly on a common slot. Yes, notifications are still sent via email that you have a pending meeting, but there is no back-and-forth negotiation over whether this Tuesday at 10 am is better than next Friday at 11:30. Doodle also has paid plans that start at $39/user/year that add features such as encryption, reports on who is missing from the common agreed time, and more.

Once you actually hold your meeting, you would like to keep track of what your agenda is, and how you intend to follow up. There are many tools that can help here, including Opp.io (free to $29/user/month), Glip.com (free to $10/user/month) and Getflow.com ($19/user/month and up). Each tool offers an online SaaS portal where you can share documents and show tasks and workflow. Prices vary depending on the number of team participants and other usage factors.

But what if you are a consultant or have a retail business and want your customers to book your time electronically, rather than call to schedule an appointment? Then you’ll need another series of digital tools such as Timetrade.com or Calendly.com. Both allow you to set up permissible time periods that you are available, and like the common time schedulers, will send you an initial email notification but otherwise leave the back-and-forth messages out of your inbox. Calendly has a free basic account, with premium accounts at $10/user/month that add custom branding and URL links and reporting options. TimeTrade has various subscription options.

What about if you are traveling and want to broadcast your itinerary? You might want to inform your customers when you are traveling so you can arrange meetings and use your time more effectively. The free service TripIt.com can do this, but you probably want to use the paid version ($50/user/year) to make use of features such as tracking when your favorite airline seat becomes available on your flight and some other features that frequent flyers will appreciate.

While there isn’t a single digital tool that can satisfy everyone’s meeting needs, there are some very attractive ways that you can become just as productive as P&G did without spending a lot of money. And you could always take a few tips from our infographic that we posted a few years ago: suggestions such as staying on topic, arriving a few minutes early and ending on time are always useful too.

See a USB drive, don’t pick it up!

Most of us know by now that if you spot a random USB thumb drive sitting on the ground, you should ignore it, or better yet, put it in the nearest trashcan. This action was an early plot point in the TV series Mr. Robot. I even saw a poster at Check Point’s Tel Aviv headquarters when I visited there in January warning employees to dispose of such drives when found on their campus.

But still, human nature gets the better of us sometimes. A recent academic paper shows just how tempting that drive can be for college students at the Universities of Michigan and Illinois. The study found that out of 300 drives that were sprinkled around the various campuses, at least half were retrieved and inserted into computers. In some cases, the drives were inserted within a few minutes of being left.

These drives contained special code that would “phone home” and alert the researchers that they were found, but they could have contained more dangerous malware, which is the point of this depressing exercise.

What is interesting about the paper was the lengths that the researchers went to in order to understand their targets’ motivations and rationale for picking up the drives in the first place. The students were asked to complete a survey (and paid $10 to complete it; after all, these are college students). Two thirds of them said they took no precautions before connecting the drives to their computers.

They also tested the time of day, location, and branding of the drive itself to see if these factors made them more or less likely to be retrieved. For branding, the researchers attached a “confidential” sticker, a return address label or keys to see if that made a difference. Interestingly, the return address label actually reduced insertion rates. The researchers also monitored Facebook and Reddit to see if any students posted warnings about the proliferation of drives around campus. Despite several postings and the fact that word spread on these networks quickly during the experiment, the drives were still retrieved.

This isn’t the first, and certainly won’t be the last such study. Several years ago, the Department of Homeland Security found that 60% of folks who found drives planted outside government buildings tried them out, and this percentage increased to 90% when the drives had a logo on them indicating some sort of official use. And last fall, a study commissioned by the trade group CompTIA found that 20% of 200 drives that were sprinkled across five cities were retrieved.

Certainly, there are some drives that are truly evil, such as this drive reported by Gizmodo that will literally cook your motherboard. Or the infamous Rubber Ducky drive used by penetration testers.

Bruce Schneier complained about this meme years ago, and wrote in a blog post:

“The problem isn’t that people are idiots, that they should know that a USB stick found on the street is automatically bad and a USB stick given away at a trade show is automatically good. The problem is that it isn’t safe to plug a USB stick into a computer. Quit blaming the victim. They’re just trying to get by.”

Certainly, better and more security education would be a good idea. The college survey found that students perceived the files on the flash drive as being safer because they used .html extensions. Uh, not quite. But there is some hope: a few students were suspicious and actually used a text editor to open these files and connect them to offline computers.

iBoss blog: The IoT Can Be a Potent Insider Threat

Insider threats can come from the most unexpected places. Earlier this year, the hacker Andrew Auernheimer created a script that would scan the Internet to find printers that had port 9100 open. The script then printed out racist documents across the globe.

You can read my post here about the threat of Internet-connected printers.

Dice: Using virtual avatars to create real empathy

We have reached a point where computers are needed to make our medical providers act more human. The idea is to use virtual reality techniques and programs to help train doctors to deal with health emergencies and other clinical care situations. The MPathic-VR system covers a wide range of situations and real-world behaviors that are typical in a clinical situation. You can read my story on Medical Cyberworlds (who developed the system) on Dice today here.

Why Uber might win

Last week I took my first couple of Uber rides when I was in Los Angeles. I had resisted the temptation for some time, for several reasons. First, I wasn’t happy with their corporate culture and saw my one-man boycott as something personally meaningful, if a bit useless. Second, ride hailing is illegal here in St. Louis, where we have a Neanderthal taxi commission that has laid a nice featherbed for its own drivers. Finally, I don’t take all that many taxis for the most part, other than to and from the airport, and again, see point #2.

The Uber trips in LA were very enlightening. Both drivers appeared within minutes of my clicking the request on the Uber mobile app. In one case, I was at LAX airport and got to see how efficient the Uber pickups were: in the short time that I was waiting for my driver, about a dozen millennials had met their drivers and zoomed off. Before they got into their cars, I could tell they were Uber customers. They were staring at their screens, watching their cars approach the airport. LAX, unlike St. Louis’ Lambert airport, allows Uber to pick up passengers in certain spots in between the terminals. There is no need to queue up like at a “normal” cabstand, because you have already been assigned a driver.

This watching your car approach – or indeed, any nearby Uber car available at that moment – is the real genius idea behind the service. Often I have waited for a taxi pickup, not knowing where the cab is. With Uber, this uncertainty is removed. You have a countdown clock that tells you, quite accurately, when your car is to arrive. You see the name of the driver, the license plate, make and model of the car, and you can directly contact the driver to confirm exactly where you will be. On one ride, for some reason the app displayed a nonsense address for my location, but the driver called me and we clarified where I was actually standing.

Most of the cars that morning at LAX were Priuses and both my rides were Priuses, too. (Cnet has a funny story about how people just assume that all Priuses are Ubers here.) One driver explained the economics of operating a fuel-efficient car like the Prius, showing me how much more profitable the hybrid can be. The cars were clean, relatively new models. One had a charging cable for my phone, a nice touch. The rides were about 20% less than what a typical cab fare would be too. On my return to the airport, I was told by the Uber app that, because of congestion at that moment, if I wanted a ride I would have to pay 30% more for it, or I could wait a few minutes for the price to drop. I waited, and was notified by the app when this happened so I could book my ride. That is another nice touch.

A final benefit is that when you get to your destination, you just get out of the car. There is no need to go through the payment process: that is handled automatically by the app. The driver doesn’t carry any cash: my fare is deducted from my credit card and the driver’s fee is added to his or her bank account. You then get an email receipt within seconds.

Both of my drivers shared that they were making decent livings with Uber, more than $50,000 a year and about $30 an hour. This is more than they would make driving a regular yellow cab in LA. One of my drivers was a former cabbie and told me that he never made as much as he does now with Uber. Both drivers also mentioned to me that they can drive when they want to: one gets up early and covers the morning rush, then takes a few hours off and returns for the afternoon and evenings. Many cabbies don’t have that flexibility because they aren’t working for themselves; they have to make the most of their employer’s cabs.

Granted, my data is just incidental. What about overall trends? Fortunately, the New York City taxi commission data is available for anyone to download and Todd Schneider has done just that. His latest post shows that there are more Uber cars in the city, and not surprisingly that yellow cabs are losing market share in terms of the number of daily riders, even though they take more fares per cab.


Schneider also shows that the market for Uber is becoming more competitive, as the number of cars on the road has rapidly increased. (Lyft, Uber’s main competitor, has a smaller market share.) This could be one reason why Uber is dropping its prices in NYC. Schneider estimates that Uber made about $220 million during all of 2015 in NYC. Given their commission rate, that means they have added about a billion dollars to the city’s economy last year.

I know I am late to the ride hailing party, but these services are certainly changing the economics and the process of taking taxis. I think they have a lot of benefits, and I certainly will use them more frequently in the future. I hope they can win their legal battles here in St. Louis and elsewhere around the world.

Quickbase blog: Signs your team is misusing email for collaboration

There are numerous articles on the misuse of email (including this post where we talk about ways to onboard Gen Y workers), but one of the biggest mistakes is when email becomes the general all-purpose tool for all kinds of inappropriate collaboration methods for your team. While email is great for point-to-point communications, it falls down when it comes to sharing and editing spreadsheets and documents, scheduling meetings, and tracking projects — all things that I talk about in my latest post for the Quickbase Fast Track blog here.

iBoss blog: Beware of Malware Stealing Privileged Credentials

When it comes to stealing information, hackers know where to look, and it usually is those users who have the most privilege or greatest access to network and system resources. The typical attack is to somehow locate one of your network’s weakly-protected PCs, create a rogue guest account to gain initial access, and then try to escalate this account to an administrator or someone who has more access rights to do more damage or obtain sensitive information. I talk more about this in a recent blog post for iBoss here.

Veracode blog: Why is SQL injection still around?

While there are many Web hacking exploits, none are as simple or as potentially destructive as SQL injection. This isn’t news: the attack method has been around for more than a decade. Sadly, for something so old it is still one of the most popular ways to penetrate networks and extract data. And it is easy to find and almost as easy to avoid. Why is SQL injection still with us? It all comes down to a lack of understanding about how SQLi vulnerabilities work.

You can read my post in Veracode’s blog here.
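To make concrete what “understanding how SQLi vulnerabilities work” means, here is an added example (my own illustration, not code from the Veracode post): a lookup that splices user input into the query string, next to the parameterized version, both run against an in-memory SQLite table of constructed sample rows. The table, the rows and the input strings are all made up for the demonstration.

```python
"""Added illustration: string-built SQL next to its parameterized fix.

Everything here is constructed for the demo: the schema, the rows and the
input strings. Nothing comes from a real system.
"""
import sqlite3

# Constructed sample data (not real accounts).
SEED_USERS = [
    ("alice", "alice@example.invalid", "user"),
    ("bob", "bob@example.invalid", "admin"),
]


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SEED_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """The bug: the caller's string becomes part of the SQL text itself.

    Anything the user types is parsed by the database as SQL, so a quote
    character in the input changes the structure of the query rather than
    being compared as data.
    """
    sql = "SELECT name, email, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """The fix: bind the value through a placeholder.

    The query text is fixed at development time; the driver hands the value
    to the engine separately, so it can only ever be compared, never parsed.
    """
    sql = "SELECT name, email, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo() -> dict:
    """Run both lookups with an ordinary name and with the textbook
    quote-breaking input, and return the row sets for comparison."""
    conn = make_db()
    normal = "alice"
    # Constructed input: closes the opening quote and appends a tautology.
    hostile = "x' OR '1'='1"
    return {
        "vuln_normal": lookup_vulnerable(conn, normal),
        "vuln_hostile": lookup_vulnerable(conn, hostile),
        "safe_normal": lookup_safe(conn, normal),
        "safe_hostile": lookup_safe(conn, hostile),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {len(rows)} row(s) -> {rows}")
```

The two lookups are identical in intent and differ by a single line, which is why the mistake is so easy to make and so easy to fix: with the vulnerable version the hostile input returns every row in the table (including the admin account), while the parameterized version treats the same string as a literal name that matches nothing. Reviewing code for string concatenation next to an `execute` call is the cheapest check a team can add.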

Lessons Learned From a Master Inventor: An Interview with IBM’s Lisa Seacat DeLuca

Lisa Seacat DeLuca is the most prolific female inventor in IBM’s history. With more than 400 patent filings, she comes up with a new idea almost every week. She’s had numerous jobs within IBM and currently works as an omnichannel strategist for IBM Commerce. She works from her home-based Baltimore lab, which is filled with lots of different gadgets, including a 3-D printer.

I recently interviewed her for a post in IBM’s SecurityIntelligence blog here.