Security Intelligence blog: Is Your Site Protected Against Drupal Security Flaws?

Drupal is a leading open source content management system that powers a significant share of the most popular websites on the internet. If you have not heard about the Drupal security flaws disclosed earlier this year, take a closer look at what happened and start taking precautions to protect your own installations. You can read my post in IBM’s Security Intelligence blog here.

More on password managers

Many of you have written me since getting a similar extortion email over the past few months. The emails all have similar characteristics: they usually mention an older password that you have used on one of your accounts in the subject line, and then suggest that the sender is monitoring your computer with spyware and will send out some compromising information about you if they aren’t paid the ransom.

As I said back in July, these emails shouldn’t be answered, or even opened. The sad fact is that if you are still using this password anywhere, you should take that as motivation to clean up your act and do a better job with your passwords.

I usually tell my correspondents to use this as an opportunity to do two things. First, install a password manager. I use LastPass, but there are plenty of others. These tools make your logins more secure because you can give every site a long, unique password that you could never remember, and, more importantly, you don’t need to remember it either.

The second item is to use an authenticator app on your smartphone. These apps are some of the best protection you can put on your accounts. Google, LastPass, Microsoft, Duo, Authy, and numerous other vendors offer free ones. They generate a one-time code from a secret that you and the website share at enrollment, and the code changes every 30 seconds or so. When you log in to an account with this enabled, you have that long to type the code shown on your phone’s screen into the web form as part of your login. Someone who has only your password can’t see this code and can’t complete the login. The one thing these codes don’t stop is a look-alike phishing page that asks you for the code and relays it to the real site within the same 30 seconds, which is why the hardware keys described below are the stronger choice.
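Here is how the code on your phone and the code the website expects come to agree, as an added example (my illustration, not code from any of the authenticator vendors named above): both sides hold the same secret from enrollment and run the RFC 4226 HOTP function over a counter derived from the clock, which is RFC 6238 TOTP. The secret and timestamps used in the demo are the published RFC test vectors; the server-side check with a drift window and a replay guard is my assumption about how a site should verify a code, not a description of any particular site.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
              | mac[offset + 2] << 8 | mac[offset + 3])
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step).
    This is what the phone computes with `at = time.time()`."""
    return hotp(secret, at // step, digits)


def decode_secret(b32: str) -> bytes:
    """The otpauth:// URI behind the enrollment QR code carries the shared
    secret as unpadded base32; restore the padding before decoding."""
    s = b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def verify_totp(secret: bytes, code: str, at: int, last_counter: int = -1,
                step: int = 30, digits: int = 6, window: int = 1):
    """Server side (assumed policy). Accepts the current step and `window`
    steps either side to absorb clock drift, compares in constant time, and
    refuses any counter at or below the last one accepted so a captured code
    cannot be replayed. Returns the matched counter (persist it as the new
    last_counter for this user) or None."""
    base = at // step
    for counter in range(base - window, base + window + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


if __name__ == "__main__":
    # RFC 6238 test secret (ASCII "12345678901234567890"), base32-encoded
    secret = decode_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print("code right now:", totp(secret, int(time.time())))
```

The replay guard matters more than it looks: with a window of one step either side, a code stays valid for up to 90 seconds, which is exactly the interval a real-time phishing relay exploits, so the server should also rate-limit attempts and never accept a counter twice.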

Even better than an authenticator app is a FIDO hardware key. Both Google and Yubico sell them. They are more secure because the key signs a challenge that is bound to the website’s real address, so a look-alike phishing site gets nothing it can reuse; they are less convenient, because you have to remember to have the key on you when you need to log in.

Certainly, there are other alternatives to authenticator apps and keys. Some of you have enabled a different second factor on your logins, such as receiving these one-time codes by SMS text message. This is much less secure than either the authenticator apps or the hardware keys, because an attacker can talk your carrier into moving your phone number to a SIM they control (a “SIM swap”), after which the codes go to their phone. Sadly, many websites (such as my bank) only support codes sent via SMS.

But here is the issue: apart from having authenticator apps and password managers, some of you are still writing your passwords down somewhere, and this is one of the most insecure things you can do. Even if you keep the piece of paper in a locked safe, it is still less useful and less secure than the combination of password manager plus authenticator app that I described above. That special piece of paper does you no good when you are across town from your office, for example.

There was this recent exchange on Twitter between Capital One and a customer, where the bank’s representative told the customer not to use a password manager. One person commented, “Hey Capital One! 1992 called. You need to hire a more up-to-date Security Officer.” Another recent study found that more than half of those surveyed were either unfamiliar with password managers or didn’t think they needed one.

Some of you have gone to great lengths to store your passwords in your phone’s address book, using a special code that will jog your memory about which password you chose for a particular site. Given how readily the mobile version of Facebook Messenger reads and uploads your contact data, this is also asking for trouble. It really isn’t worth the effort.

One of my readers called me about a month ago in a panic when he got the extortion email message. Once I calmed him down (he was up half the night worrying about it), we came up with a plan along the lines of what I outlined above. I checked back with him recently and he had implemented half of my suggestions. But he argued, “I can repeat my passwords on less sensitive accounts, because I don’t have anything to worry about with those accounts. There is nothing to steal here.” Wrong on these counts:

First, every reused password is another way for a hacker to worm their way into your digital life. Let’s say you purchase something from an online retailer and never return to that site again. Meanwhile, you have forgotten that you saved your credit card on the retailer’s site, and then you have forgotten which retailer it was. When some other site where you used the same password is breached, an attacker can log in to that forgotten retailer account as you, and your saved credit card is now at risk.

Consumers aren’t alone in reusing their passwords. A study for One Identity of 1000 IT professionals shows some poor security practices in place in several countries. They noted that admin passwords are often shared, among other bad practices.

Maybe you have reused a password for something blander, such as the account at your local library that lets you download an ebook or two. Again, that library could be hit by an attacker, and that login could be compromised and tried on other sites. Hackers have automated routines (credential stuffing) that try leaked username/password pairs across hundreds of websites, testing whether you used the same pair elsewhere. While the hacker may not steal anything of actual monetary value, they are stealing and using your identity. So just don’t reuse them, ever. Please.

Second, whatever system you have developed to avoid using a password manager doesn’t scale. The more websites you need logins for, the more likely you are to forget you already used one of your favorite combinations. My password manager has more than 200 logins. Granted, I am an extreme case, but your digital life probably has dozens of logins too.

Third, you could argue that most modern browsers have password-saving features to make it easier to log in to websites, so you don’t need a password manager. Again, this gives you a false sense of security, particularly if your laptop or phone is lost or stolen. On an unlocked device it is child’s play to read the saved password list, and then you are in for a whole lot of hurt. When you install a password manager, turn off the browser’s password-saving feature to avoid conflicts.

All the password managers have automated checks to tell you when you are about to reuse one of your existing passwords. Why would you have duplicates if you are using a password manager? Because you might not have changed all of your old passwords yet, and the manager is on the lookout for one it already knows about and has squirreled away.
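As an added illustration of the kind of check a password manager runs (this is my example, not LastPass’s or any other vendor’s code): hash every stored password, group entries by hash to find reuse, and check each one against a breach corpus the way the Have I Been Pwned range API does, sending only the first five hex characters of the SHA-1 and comparing the remaining 35 locally so the password itself never leaves the machine. The vault rows, the one “breached” password and the range response are all constructed here; constructed_lookup stands in for the HTTPS call.

```python
import hashlib
from collections import defaultdict

# Constructed sample of a password-manager export. The sites, usernames and
# passwords are invented for this example; "hunter2" is deliberately weak
# and deliberately reused on two sites.
SAMPLE_VAULT = [
    {"site": "bank.example", "user": "dave", "password": "T#9vQ2pL!x8mR4wZq"},
    {"site": "library.example", "user": "dave", "password": "hunter2"},
    {"site": "retailer.example", "user": "dave@example.com", "password": "hunter2"},
    {"site": "forum.example", "user": "dave", "password": "c0rrect-h0rse-battery"},
]


def find_reused(vault):
    """Group entries by SHA-256 of the password (so the plaintext never
    becomes a dict key or ends up in a log) and return {hash: [sites]} for
    every password that appears on two or more sites."""
    by_hash = defaultdict(list)
    for entry in vault:
        digest = hashlib.sha256(entry["password"].encode()).hexdigest()
        by_hash[digest].append(entry["site"])
    return {h: sites for h, sites in by_hash.items() if len(sites) > 1}


def hibp_split(password):
    """k-anonymity split used by the Have I Been Pwned range API: only the
    first 5 hex chars of SHA-1(password) are sent; the remaining 35 are
    compared locally against every suffix the server returns."""
    sha1 = hashlib.sha1(password.encode()).hexdigest().upper()
    return sha1[:5], sha1[5:]


def count_in_range(suffix, range_body):
    """Parse a range response ("SUFFIX:COUNT" per line) and return how many
    times our password was seen in breaches, 0 if it is absent."""
    for line in range_body.splitlines():
        seen_suffix, _, count = line.strip().partition(":")
        if seen_suffix == suffix:
            return int(count)
    return 0


def constructed_lookup(prefix):
    """Stand-in for the HTTPS GET of /range/<prefix>, so the example runs
    offline. Pretends the corpus contains only "hunter2"; the other suffix
    line is made-up filler of the right shape."""
    breached_prefix, breached_suffix = hibp_split("hunter2")
    body = "0018A45C4D1DEF81644B54AB7F969B88D65:1\n"
    if prefix == breached_prefix:
        body += f"{breached_suffix}:17700\n"
    return body


def audit(vault, range_lookup=constructed_lookup):
    """Return (site, issue) findings: reuse across sites, and presence in the
    breach corpus. range_lookup(prefix) must return a range response body."""
    findings = []
    for sites in find_reused(vault).values():
        for site in sites:
            findings.append((site, f"password reused on {len(sites)} sites"))
    for entry in vault:
        prefix, suffix = hibp_split(entry["password"])
        hits = count_in_range(suffix, range_lookup(prefix))
        if hits:
            findings.append((entry["site"], f"password seen {hits} times in breaches"))
    return findings


if __name__ == "__main__":
    for site, issue in audit(SAMPLE_VAULT):
        print(f"{site}: {issue}")
```

Against a real range endpoint you would replace constructed_lookup with an HTTPS fetch of the prefix; the point of the split is that the server learns only that one of roughly a million candidate hashes was of interest, never which password.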

Finally, another nice thing about password managers is that you can have your logins available for all your devices, even if you move around from laptop to phone to desktop. It just makes a lot of sense to use them. So take some time, and get on board, and be secure.

So you want to rent a coworking space?

NB: I updated the information for locations in my St. Louis neighborhood in this 9/2021 post for Nicki’s blog here, including current costs and internet speeds.

There are more than 20 different coworking places in the St. Louis metro area where I live. I have been to many of them, even though I have my own dedicated office. Why? Because I want to be a part of the startup community and that is where many of them work. The spaces also are great meeting places.

Coworking spaces are useful for several reasons. When you travel, you have a place to set your laptop down and a nearby bathroom. If you just need a space for a few days or a week, you don’t have to go through the hassle of a monthly office rental. And if you have outgrown your dining room or spare bedroom in your home, and want something other than the local coffee shop, it might be time to investigate the local co-working scene.

There are a wide variety of operators, from the global, multi-city ones such as Spaces, WeWork and Industrious to smaller, one-off locations that are quirky and anything but corporate. Finding the right one can be a chore, but you should take the time to make sure it matches your needs.

Why a chore? When you begin your research, you will find out that it is hard to track down exactly what you will be paying for renting an office. This is a combination of factors: First, occupancy varies widely, and many places charge for different sized offices. Rates can also vary depending on how many people will be housed in any given office, although some places don’t care (within reason). Many of the operators want you to come in person to check things out, so they can give you the hard sell. So my first suggestion is you should make sure you know the costs and contracts up front. Here are some other tips:

  • Understand whom you will be working next to. Are you interested in meeting people like you or unlike you? The choice is up to you. Some have private offices, some have shared private offices, and most have bullpen-style tables where several people work at close quarters. Make sure you understand what your actual space will entail.
  • Check out their vibe and décor. The spots also vary on their vibe, and that will be the hardest thing to pin down if you are looking to plant yourself in one of them. Some are more intimate, which could work or not depending where on the introvert/extrovert scale you are. Lots of them have a Scandinavian design, and some could range to the very artsy funk, which could appeal to some. Some are enormous, such as Chicago’s 1871 that is located on the top floor of the Merchandise Mart. Some are small enough to just house a few people.
  • What are the amenities besides a desk and Wifi? With some places, you pay extra for printers, coffee, a gym membership, using conference rooms, having a live human secretary to answer your phone, having a dedicated postal mailbox and a dedicated office phone number. You may not care or need any of these things. Take the time to figure out what is important to you and what that will do to the ultimate rental price.
  • Where are you going to get lunch? This isn’t so silly a question. Some places are located in suburban office parks and you have to travel some distance to find food. Others are in downtown areas or in walkable neighborhoods.
  • Can you try before you rent? One of the places near me offers a free day pass to check them out. But they also offer the most flexible pricing and usage plans: you can rent an office for a single day or a year, and there are a wide variety of floor plans and even an interesting hybrid shared but private office that has a locked door but can house a dozen people sitting at study carrels. Other places may not be as flexible or offer a complete array of rental terms. Some can be useful just for temporary team conference meetings too.
  • How quiet or noisy are the spaces? In my travels around to these places, many people worked with headphones on to isolate themselves and concentrate. You may want to check this out if the ambient sound level is important to you. Of course, the noise level varies depending on how many people are there on any given day.
  • Do you need 24×7 access to your office? Some of the properties offer this, some don’t, some charge extra if you want to enter after normal work hours. If this is critical, make sure you ask for the details.
  • Are you a party person? Some try to foster more of a sense of community with after-hours events and lectures. Others are strictly utilitarian.
  • Do you really need your own office? Many of us can work with a laptop and a cellphone and not much more. If you need a lot of stuff as part of your job, you need a private office to house it all. Some places have lockers that you can store your stuff in as part of their rental fee.
  • Will you be going to your office more often than not? If you are going to be out and about, or only in town occasionally, then having one of these spaces could be economical.
  • Is parking a hassle? Some places have free parking or include it in their rental fees; at others you are on your own or pay extra.
  • Does the place have arrangements for co-working in other cities? Some of the larger operators, such as WeWork and Spaces, offer complimentary use of other locations in their networks.

FIR B2B Podcast #105: The Upside of Polarization and the Great Podcast Correction

This week Paul Gillin and I delve into details about the power of polarization in our podcast. Brands can certainly benefit, and this article shows exactly how Nike and Dick’s saw an increase in certain metrics after they took a particular political stand. Their experience shows that brands can reap benefits both from the positive and negative sentiment around a particular conversation. We wish more companies would take a stand on things that energize their most passionate advocates.

Next up is our favorite medium: podcasts. This story about how American Airlines turned an internal short podcast into a marketing benefit is worth noting. The podcast covers the behind-the-scenes thinking on airline policies. It was originally meant for employees, but executives decided to post the episodes publicly, saying, “There really is no such thing as internal communications anymore.”

Speaking about podcasts, some media companies have begun to sour on using them. The problem is one of managing expectations, and that quality costs money. The “Serial” podcast, from the team behind This American Life, is a good case in point: it was well done, but expensive.

We close this week’s show by talking about how the inevitable disappointment in voice (aka Alexa-based) marketing has set in, as witnessed by Marketing Week. Yes, the interface isn’t as intuitive as it could be, and certainly nowhere as comprehensive as typing on a keyboard. Plus, we all like to see the stuff we intend to buy, even if it is just a picture online. That reminds us of our favorite “Star Trek” clip of Mr. Scott, trying to use voice commands, only to end up typing on the keyboard.

You can listen to our 16min. podcast here: 

CSOonline: Lessons learned from the Park Jin Hyok indictment

Last month the US DoJ unsealed this indictment of Park Jin Hyok, a North Korean operative they claim was behind the hacks against Sony and the creation and distribution of WannaCry. It is a 170+ page document written by Nathan Shields of the FBI’s LA office, and it lays out the careful sequence of forensic analysis used to figure out how the various attacks were conducted. In this post for CSOonline, I talk about some of the implications for IT managers, based on the extensive details described in the indictment.

A guide to the Central West End St. Louis coworking spaces

We have a new co-working space in St. Louis that brings the total to six choices in my immediate neighborhood of the Central West End to locate your office. These are alternatives to renting your own office, or when your business has grown beyond your dining room and requires something more professional. Or when you need temporary conference space, or want to conduct a training session. They combine flexibility with the gig economy, and provide benefits and camaraderie too. I am a big fan of these places, even though I inhabit my own permanent office.

The new kid in the ‘hood is called Spaces and is part of a network of hundreds of sites located across the country and around the world. I wrote this review for Nicki’s Central West End Guide about them and its competitors. Surprisingly, it was hard to pin down prices on office rental. I also suggest a few things to think about when you are trying to choose your space that can apply no matter where you are located.

Blogger in residence for SaltStack conference

I wrote a series of blog posts at SaltConf18 in September 2018. SaltStack is a devops automation, remote execution and orchestration tool that has a great deal of power and is used in some very large enterprise networks managing hundreds of thousands of servers. I also wrote white papers about their technology and its applications.

Here are links to the various pieces (the actual posts have since been removed from their site):

— I wrote this white paper, which talks about typical use cases of the SaltStack Enterprise product and Salt’s key features.

— Understanding security automation in the context of the stages of grief

— The relationship of the digital and physical worlds has never been closer, a post about Cyndi Tetro’s session.

— Examining how IBM Cloud and Cloudflare use Salt to manage their global networks

FIR B2B #104: Dealing with Disasters, Both Natural and Marketing-Made

This week we discuss a few different items, all revolving around one kind of disaster or another. First, we note the news about the Benioffs buying Time magazine. With a fire-sale price, perhaps they can keep the weekly news magazine afloat and fund journalism that the publishers couldn’t do on their own. But will either of us read it in the future? Doubtful.

Next up, Paul wrote this fascinating article about a Talend GDPR survey. It shows that marketers can avail themselves of numerous after-the-fact opportunities. Who is talking about GDPR since the May deadline? We’ve heard crickets. Clearly, there is still much to be said about compliance, and the punishments ahead, such as the recent breach of British Airways’ customer data. Lawyers are standing by, to be sure.

Given the situation in the Carolinas with Florence, it’s timely to discuss some caveats and suggestions for natural disaster marketing. The thoughts covered in this blog post about how to tread carefully during these times are worth reviewing.

Next, Paul has a beef with a “new” product announcement for a product that was announced on a company blog three weeks ago. This means to us that it wasn’t actually new. If it is in the public, that is the news moment. After all, we can look this stuff up. Don’t pass off your news when it isn’t; you won’t engender any trust.

We also mention this post about how patients are desperate to resemble their doctored selfies, under the headline “Plastic surgeons alarmed by ‘Snapchat dysmorphia.’” While it had its beginnings with Instagram and Facebook, the elective surgery is frightening and depressing. David suggested reading Alicia Eler’s Selfie Generation book. When we asked her about this trend, she said “I see this as part of the same trend of selfie dysmorphia found on Instagram. Snapchat is used most by people under 23, so this is just another facet of the same selfie psychology stuff.”
Listen to our 17 min. podcast here:

SaltStack: Using automation to deal with infosec grief

Like many of you, I read Elisabeth Kübler-Ross’s On Death and Dying in college, about the various stages of grief. I think IT security managers go through similar stages when their networks have been breached by hackers and malware. There is the shock of the breach, then denial that their equipment was at fault, then anger at the hackers for having targeted their company. Eventually, everyone gets down to work trying to fix the problem, and finally accepts that it happened.

We have all seen what happens when IT staffs never make it past the denial stage: their networks remain in ruins for weeks or months. They overspend on consultants, they have to scrap and replace their servers, and they suffer tremendous business losses. Sony Entertainment, the City of Atlanta, Maersk shipping, the list is far too long.

I was thinking about these stages this week at SaltConf18, listening to how users of SaltStack are deploying the tool to make their enterprises more secure. Some users have developed their own home-grown solutions, cobbling together various routines that patch across all of their systems. Others were eagerly learning about SecOps for SaltStack, which was announced this week and will ship next year. When the product was introduced, Mehul Revankar, a senior product manager for SecOps, described how it covers the stages of identification, remediation and creation of actionable content, and how it scales up to protect the largest collections of servers and endpoints.

Just like in coping with the loss of a loved one, we have to figure out how to move through these stages constructively and productively. Getting unstuck is key. When it comes to people, we have psychoanalysis and supportive friends to help us through these dark times. But when it comes to protecting our computing infrastructure, we have to turn to better automation to help us through the response and remediation of our equipment. (Maybe there is a role for therapy, but I’ll put that aside for this blog post.)

Certainly, SecOps isn’t the first security tool to use automation, and it won’t be the last. Many vendors are moving into this territory, frankly because they don’t have a choice. When you have to patch ten thousand Linux or Windows servers because of a vulnerability, you can’t do the job manually. Oftentimes, the window of opportunity for such massive patching is a matter of hours or days before the first exploits start showing up in the wild. By now we all know what happened at Equifax last year when they delayed patching their Apache Struts servers. They were still stuck at the denial stage.

As First Data’s VP Amaya Souarez said in her keynote session at SaltConf18, “You can’t hire yourself out of this problem, we have to automate.”

A recent study of several dozen IT executives supports this need for better security automation. One was quoted in the study saying, “The future of security is [being] as autonomous as possible — where a combination of real-time, intelligent analytics, and integrated automation and remediation cover an ever-increasing part of manual investigative and response runbooks.”

That was the design goal of SecOps for SaltStack. The trick is being able to break down the process, going from recognition to remediation, in such a way that an automated tool can sequentially apply a series of security policies and rules to make the automation work under a wide variety of conditions. To be effective, automation has to deal with circumstances when a rule fails as well as when it succeeds. At this week’s conference, Justin McMillion and David Kleiner of Sunayu showed how they built their automated auditing tool. Their firm does a lot of work for the Department of Defense, helping keep its Linux servers up to date and in compliance with various DoD standards. They created some clever dashboards and routines using SaltCheck to do this, and mentioned during their session that they were envious of what they could have done had SecOps been available.

Saltstack: How IBM and Cloudflare use Salt to manage their global networks

When I look at smaller-sized tech companies, I tend to judge them by the company that they keep. By that I mean who they partner with, who their customers are, and where their products are being used. By any of those metrics, SaltStack is in very good company indeed.

At SaltConf18, we heard from several large customers using Salt to run some very sophisticated and complex networks, such as Cloudflare and IBM Cloud. Both companies run their infrastructure with just a few staffers, which is another testimonial to how powerful Salt can be in its automation and orchestration features.

Tom LeFebvre, a network engineer, was the presenter for Cloudflare. Cloudflare carries about a tenth of total global Internet traffic across its infrastructure, and is used by some of the largest web properties to accelerate the delivery of their content. They manage more than seven thousand servers with Salt, located in more than 150 data centers and running more than 250 Salt Masters.

They are deep users of Salt and are constantly trying to improve their deployment to make it faster and more reliable. When you are connecting servers between China and the US, you have to keep network latency and traffic to a minimum, especially as it has to traverse the Great Firewall of China.

Some of the things they have learned: use packages rather than scripts to update server operating systems, and use highstate calls whenever possible to reduce the load placed on the Minions. They also developed a series of graphical dashboards that keep track of highstate runs, and set up special alerts to help troubleshoot failed states or Minions that were taking too long to complete their tasks. They tied these conditions to notifications sent to the staff via Google Chat messages, which shows how easy it is to extend Salt with other services. They also rewrote some of their Pillars in pure Python, again to improve performance. Finally, they are increasing the number of Masters deployed in each data center to handle their canary deployments, which provide an early warning when something goes wrong with one of their massive system rollouts or upgrades.
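To make the “Pillars in pure Python” point concrete, here is an added example of a pillar written for Salt’s py renderer (my code, not Cloudflare’s or SaltStack’s): Salt imports the file and calls run(), and the dict it returns becomes the minion’s pillar data. The role grain, the package version pins and the five-percent canary cohort chosen by hashing the minion id are all assumptions made for the illustration; the tie-in to the canary rollouts above is mine.

```python
#!py
# The "#!py" shebang tells Salt to hand this file to its Python renderer
# rather than the default Jinja+YAML. Salt imports the module, injects
# __grains__ / __pillar__ / __opts__ / __salt__ into its globals, and calls
# run(); the dict run() returns is the pillar data for the requesting minion.
import hashlib

# Assumed fleet layout for this illustration: package versions to pin per
# role (the version strings are placeholders) and the canary cohort size.
PATCH_TRAINS = {
    "edge": {"openssl": "1.1.1n-0+deb10u3"},
    "dns": {"openssl": "1.1.1n-0+deb10u3", "bind9": "1:9.16.27-1"},
}
CANARY_PERCENT = 5


def canary_bucket(minion_id: str) -> int:
    """Map a minion id to a stable bucket 0..99 by hashing it, so the same
    five percent of hosts are canaries on every run and they are spread
    across datacenters rather than clustered by naming order."""
    return int(hashlib.sha256(minion_id.encode()).hexdigest(), 16) % 100


def build_pillar(grains: dict) -> dict:
    """Pure function over the grains dict so it can be unit-tested outside
    Salt. `id` is Salt's built-in minion-id grain; `role` is assumed to be a
    custom grain set at provisioning time."""
    role = grains.get("role", "edge")
    is_canary = canary_bucket(grains.get("id", "")) < CANARY_PERCENT
    return {
        "patch": {
            "role": role,
            "packages": PATCH_TRAINS.get(role, {}),
            "canary": is_canary,
            # A state file (not shown) can key off this: canaries apply the
            # new pins in their very next highstate; everyone else waits
            # until the canary window has passed without alerts.
            "apply_now": is_canary,
        }
    }


def run():
    # __grains__ only exists when Salt renders the file; the fallback keeps
    # the module importable (and testable) on its own.
    return build_pillar(globals().get("__grains__", {}))
```

Because build_pillar is a plain function of the grains, it can be tested without a Master or Minion, which is the practical reason to prefer Python over a Jinja template once the pillar logic grows beyond simple substitution.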

 

Also presenting at the conference were an unlikely couple: Nathan Newton from IBM Cloud and Mike Wiebe from Cisco. The two have been working with SaltStack to modify its Minions and other code to run on the giant network gear that IBM Cloud uses for its global network. Newton spoke about how he has just 12 team members running that network, and said a large part of that efficiency is due to Salt. IBM Cloud has tens of thousands of Cisco NX-OS and Arista EOS network switches spread across 80 data centers around the world.

Again, what impressed me was how both men were working with SaltStack to extend the original premise of the product into the completely different context of network management, by having the Minions run directly on the Cisco gear. Newton said during one of his presentations, “IBM is good at building data centers, but once they are built the next day we need automation to take care of them.” That’s where they need help. They reached a tipping point last year where they were maintaining 60,000 different devices and “we couldn’t do it manually. We needed to be more proactive and have better automated tools.” That’s where Salt came into play. One of the reasons the duo went with Salt was its event-driven automation: the ability to trigger particular actions, and not just notify the team, when something went wrong.

What impressed me most about both IBM and Cloudflare’s implementations was how willing they were to keep pushing Salt to do more and do it better. Both of them obviously believe in the product to trust it to be such a critical part of their network infrastructure.