My tinnitus story

I have been living with Tinnitus for 20 years, but until recently, I didn’t own it. Before I tell you how this came to be, a little background.

In 1998, I was diagnosed with Meniere’s Disease. I was experiencing intense dizzy spells, and many of you who are readers of this journal have heard or lived through what follows: dietary changes, a series of unsatisfying visits to various MDs, and a great deal of frustration. Back then, it wasn’t easy to do Internet research, but eventually my attacks stopped. What I got out of that experience was a case of Tinnitus.

My situation is a bit unique: I have been deaf in my left ear since birth. My right ear hears just fine – except for this continuous tone that sometimes is louder, sometimes is softer, but is always there. Over the years, I have learned to deal with it, but owning it? Nope. Sometimes I would hold a pity party for myself, sometimes it was more than annoying, especially when I was in crowded noisy rooms or restaurants. I remember one time I was at a professional conference of about 300 people. For dinner, we were seated at a very long table and the noise was literally deafening. I quickly ate my meal and ran back to my room, in pain from the noise. I know it looked odd to my dinner companions.

I have been a member of ATA for most of those decades, and appreciate the amount of knowledge that the association provides its members in trying to understand and cope with this disease. But I didn’t own my Tinnitus. That is, until I went to the Iowa conference this past summer.

The conference is small – less than 100 attendees and that includes many of the speakers over two very full days. The audience is 90% professionals, including nurses, MDs and audiologists, with a few of us patients scattered in and allowed to participate. It was very worthwhile, and I want to describe some of the things that I learned during the event. I was surprised at how much I didn’t know, and it wasn’t just learning medical jargon, but actual, actionable, useful stuff that helped me begin to own my disease.

What does owning mean? It means that you control it, rather than it controlling you. You aren’t defined by your Tinnitus, you aren’t at its mercy, and you manage your own treatment and your own response to the disease. The noise you and I hear may be all in our heads, but we have to use our brains to figure out a way to cope and live our lives. Many of the stories here in this journal have carried this theme, but for some reason I didn’t really understand what they were getting at until I was sitting in the conference, listening to the various presentations. Then it all clicked, so to speak. (Sorry for that pun.)

Here are a few other things that I heard and took away from the event.

While I knew that Tinnitus is different for everyone, I didn’t realize how different it was. Meeting others who have it and hearing their stories was a good way to understand its individuality and the different paths that patients have taken to understand and cope with Tinnitus. When you see the breadth and depth of the research that is going on around the world, you begin to understand this is a huge problem – or many problems – to solve. You can get some of this by attending one of the local ATA support groups, too.

Another thing that I liked about the Iowa conference is that you get to put yourself in your doctor’s shoes and see Tinnitus from his or her perspective. This is helpful in understanding how they will treat you and respond to your needs and concerns. There were several presentations from audiologists, therapists, and other professionals so again you could appreciate their different points of view.

Meeting the ATA staff and board members attending the conference (ATA is one of the sponsors) was also a treat. It helps to put a face with the organization, and also gave me an opportunity to thank them personally for all their hard work in helping us.

The conference is also a good place to get first-hand knowledge about cutting-edge research, particularly by the University of Iowa team that has been involved in Tinnitus work for decades. By the end of the two days, you feel like you know these folks quite well.

At the conference, vendors present their devices and explain how they are used and whom they are intended for. During one of these sessions, I learned that hearing aids are one way to manage Tinnitus, even if you don’t have much in the way of hearing loss. This is because they can be programmed to block out the frequencies that you think you are hearing with your Tinnitus noise(s). Now I know I am a bit of an unusual situation – no hearing in one ear, and the opposite in the other. Not to worry – there are specific kinds of aids for this problem. Years ago I investigated using a BAHA hearing aid, which involves implanting a microphone in the side of your skull (in my case, the left side) and transmitting the sound through your bones to your hearing ear. When I tried on the sample aid back then, I could actually hear stereo and locate the source of a sound coming from behind me – both of these for the first time. I opted not to use the aid then. But the advances in digital signal processing technology are significant, and now there are wireless CROS aids that can work with your cellphone via Bluetooth connections. At the conference, I could talk to audiologists who have installed both BAHA and CROS aids and get their first-hand experience. That kind of insight would be nearly impossible to get as an ordinary patient.

As patients, we tend to interact with the medical/industrial complex at the moment when we have a problem: we break a bone, we want it fixed. We have an infection, we want to get rid of it. But that single-point-of-contact way of dealing with our doctors doesn’t work with a chronic condition such as Tinnitus (or Meniere’s or whatever). That is because research is ongoing: new drugs, new procedures, new devices, and so forth. We aren’t watching the medical literature like our doctors are doing, because we are busy living our lives. And even if we are willing to put the time into doing Internet research, we aren’t going to medical conferences and learning about many of the latest technologies and techniques. Until I attended the Iowa conference, my knowledge of Tinnitus was limited to what I read in this journal. While that is great, it can’t provide me with everything that is going on in the world. The Iowa conference can quickly bring you up to speed in a way that doing your own net-based research or reading a medical journal article, even one intended for patients, can’t easily do.

Now, most medical conferences are way beyond my skills and knowledge (or so I imagine), and probably yours as well. The jargon of just understanding the different parts of the human body alone is daunting enough. The Iowa conference certainly had its moments when I was totally lost. But it had plenty of other moments when I got useful information that was clearly explained and in terms that any layperson could understand.

Next summer, put Iowa City on your calendar and plan on coming to the conference. You will be welcomed, and you might get to understand more about our common affliction. The cost is minimal for the benefits I received.

FIR B2B Podcast #96: Lessons from the demise of Klout

Klout is dead. The news wasn’t a surprise, and the announcement from its current owners at Lithium didn’t leave anyone tearing up. The idea of boiling influence down to a single number always struck us as overly simplistic. And the tools to measure influence are so much more sophisticated now than in Klout’s heyday.

But we should pause and understand why Klout fell into disuse and what marketers can learn about measuring the effectiveness of their social media campaigns. It’s also a good time to look at what other tools are available that are useful, such as LinkedIn Social Selling Index (shown here), which gives your account various scores and then breaks them down into four components that have a little more meaning. You can see how you rank within your industry and within your LinkedIn network. There’s also Twitter Analytics, which tracks changes in your Twitter engagement through five different elements: tweets, tweet impressions, profile visits, mentions, and followers. Again, one number doesn’t really describe the range of influence that a social network provides, and you might want to focus on one or two elements as you measure your own reach.

I reviewed social media marketing tools many years ago and certainly that universe has seen some evolution, but SproutSocial, SimplyMeasured, Looker and Adobe’s Marketing Cloud are all still available and very reasonable measurement tools as you construct your campaigns. And as general purpose business intelligence tools such as Microsoft’s PowerBI and Domo become easier to use, they can be used for this purpose.

We also touch upon another looming deadline this week, with the GDPR regulations coming into full force. My podcasting partner Paul Gillin has written a piece about how executives are turning more positive on its potential and also using the compliance deadline to effect some positive changes in their organizations’ privacy and data protection policies.

You can listen to our latest podcast (15 min.) here.

CSOonline: How Risk-Based Authentication has become an essential security tool (c2018)

It used to be that adaptive authentication (also called risk-based authentication or RBA) forced a trade-off between usability and security, but that is no longer the case. A few years ago, security managers placed security above usability, forcing users to be like Chicago voters: authenticate early and often. Today’s RBA tools can improve overall customer experience and help with compliance regulations, as well as simplify a patchwork of numerous legacy banking technologies.

Based on my experience with some of these products, RBA has matured and become more compelling, particularly when compared to static and more traditional multi-factor authentication (MFA) methods, especially as the typical enterprise attack surface has expanded and evolved. The expansion takes on several different dimensions:

  • Endpoints are getting more diverse. Thanks to more capable mobile devices and more susceptible embedded internet of things (IoT) products, attackers have more leverage and entry points. Botnets of thousands of these devices are quite common, and entire malware campaigns (such as Mirai in 2016) are a major threat vector.
  • More mobiles on enterprise networks means that users are mixing more personal and business activities on their phones and tablets. This erodes the boundaries between these two domains and makes it easier for attackers to leverage entry into the business network.
  • Social networks make it easier for hackers to use social engineering tactics to figure out users’ logins. As a result, authentication challenges are getting more sophisticated, with attackers compromising one-time passwords and weak MFA methods with better tools and the acquired social engineering knowledge.
  • Cloud computing has helped to leverage malware-as-a-service, and a number of malware construction kits and services are available for purchase that don’t require much in the way of skill beyond clicking on a few buttons.
  • Malware is getting more sophisticated at hiding in plain sight, disabling protective methods and establishing itself deep within a typical enterprise network.
  • Attackers are also getting better at conducting blended attacks that can cut across a website, a mobile phone app, voice phone calls, and legacy on-premises applications, making them very hard to track if viewed as separate and independent events.
  • Shadow IT operations continue to proliferate, making it harder for IT to police and protect endpoints. Adding to this difficulty is that the average enterprise network is getting more complex and harder to defend. One study shows that the average bank had 30 domain configuration issues, 42 SSL configuration issues, 87 IP reputation issues, and 81 threat indicators across their digital footprints. That is a lot of different touch points to monitor and maintain.
  • Finally, ransomware is a growth business, with an increasing number of attacks and pinpoint targeting of specific businesses and transactions.

Passwords are no longer secure

As the number of logins and password-protected services increases, it makes passwords more difficult to remember. That encourages more reuse or picking weaker ones that are easier to compromise. Users are experiencing more password fatigue, and they need better tools that can avoid passwords whenever possible without compromising security. All static passwords are now vulnerable, and RBA has become the best mechanism to introduce security and avoid further password reuse and fatigue.

These trends are forcing IT managers to more seriously use RBA methods and move from traditional binary login/logout practices to more nuanced user access. Authentication has to adjust to different circumstances. When a user is doing something particularly risky, such as a funds transfer or adding a new payee to their online banking account, they need more stringent authentication.

An enterprise needs to have more granular authentication tools, not just a simple yes or no process. Security blogger Brian Krebs says in a recent post, “Nobody has any business using these static identifiers for authentication because they are for sale on most Americans quite cheaply in the cybercrime underground. Most U.S. adults have had their static personal details on sale for years now.” RBA is needed to make sure that subtler yes/no decisions can be made for various authentication activities, and to be able to distinguish between the genuine user and a hacker trying to force their way in.

The new generation of RBA solutions

RBA isn’t new. Various authentication vendors have been selling risk-based solutions that scored particular transactions on simple linear scales for years. What is new is a series of innovations that can make RBA more attractive and more secure. Here are a few of the RBA vendors:

The innovations found in these products include the following features, and IT buyers of RBA solutions should carefully examine how each of these is implemented before choosing one that fits their needs:

  • Continuous authentications and account monitoring that provides automated risk profiles and assessments. RBA needs to understand a user’s typical behavior, life and account patterns. For example, some software knows that you always use a particular neighborhood ATM for cash withdrawals, so that when you go visit an ATM across the country, you are presented with authentication challenges or get conditional access until you prove your identity. Unlike the older linear risk scales, these continuous methods are adjusting risk dynamically, and cover a wider collection of circumstances.
  • Real-time analysis. Helping this continuous assessment is being able to do so in near real-time. When someone is trying to use my credit card illegally (which actually happened to me last week), I should receive a notification from my bank within moments of the attempted transaction.
  • Orchestration across various diverse applications and environments. The best orchestration technologies can examine a wide variety of inputs and combine everything together to make a decision about whether a user is acting appropriately or if fraud or account takeover is happening.
  • Ability to work with various self-service portals. This allows users to reset passwords or deal with lost devices without having to call the enterprise help desk for support.
  • Behavioral biometrics. RBA should also keep track of how the user behaves with the authentication application itself, so that a user’s collection of devices becomes part of its sensor network to perform the actual risk assessment. The ways in which we walk, stand, sit, and interact with our applications and devices (choosing menus, typing and touch cadence) turn out to be quite predictable and all can be used as authentication mechanisms.
  • Better integration of MFA methods. MFA is just one piece of the RBA puzzle. While it is an important one, it isn’t the only game in town. RBA tools need to determine when not to use MFA logins as much as when to use them. It used to be that we considered biometric methods as an additional MFA factor, akin to a better one-time password generator. However, biometrics and MFA are just additional inputs to the overall RBA decision process, and both need to be better integrated into an enterprise’s functional processes to handle the newer continuous risk-scoring methods.
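To make the step-up idea from the bullets above concrete (the funds-transfer and new-payee rule, the out-of-pattern ATM visit, the typing-cadence signal), here is a small risk-scoring engine written as an added example for this post; it is not code from the article or from any RBA vendor, and every device name, weight and threshold in it is an assumption.

```python
"""Constructed example of a risk-based authentication (RBA) decision engine.

One authentication event is scored against what continuous monitoring has
learned about the user, the attempted action raises the starting risk, and the
score maps to allow / step-up (MFA challenge) / deny instead of a binary login.
Weights, thresholds and sample values are assumptions for illustration only.
"""
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Base risk of the action itself: a funds transfer or a new payee starts
# much higher than a balance check (assumed weights).
ACTION_BASE_RISK = {
    "login": 10,
    "balance": 5,
    "atm_withdrawal": 20,
    "funds_transfer": 40,
    "add_payee": 45,
}

# Assumed decision bands: below STEP_UP the event passes silently, between
# STEP_UP and DENY the user gets an MFA challenge, at DENY or above it is refused.
STEP_UP_THRESHOLD = 30
DENY_THRESHOLD = 70


@dataclass
class UserProfile:
    """What continuous account monitoring has learned about one user."""
    known_devices: Set[str] = field(default_factory=set)
    usual_countries: Set[str] = field(default_factory=set)
    usual_atm_ids: Set[str] = field(default_factory=set)
    typing_cadence_ms: float = 0.0   # mean inter-key interval from past sessions


@dataclass
class AuthEvent:
    """One request to authenticate or perform a sensitive action."""
    device_id: str
    country: str
    action: str
    atm_id: str = ""
    typing_cadence_ms: float = 0.0   # behavioral biometric sampled this session


def score_event(profile: UserProfile, event: AuthEvent) -> Tuple[int, List[str]]:
    """Return (risk score capped at 100, reasons that contributed to it)."""
    score = ACTION_BASE_RISK.get(event.action, 20)   # unknown action: moderate risk
    reasons: List[str] = []
    if event.device_id not in profile.known_devices:
        score += 30
        reasons.append("unknown device")
    if event.country not in profile.usual_countries:
        score += 25
        reasons.append("unusual country")
    if event.action == "atm_withdrawal" and event.atm_id not in profile.usual_atm_ids:
        score += 20
        reasons.append("ATM outside usual pattern")
    if profile.typing_cadence_ms and event.typing_cadence_ms:
        deviation = abs(event.typing_cadence_ms - profile.typing_cadence_ms) / profile.typing_cadence_ms
        if deviation > 0.5:   # more than 50% off the learned cadence
            score += 25
            reasons.append("typing cadence deviates from profile")
    return min(score, 100), reasons


def decide(score: int) -> str:
    """Map a score to the three-way outcome instead of a plain yes/no."""
    if score >= DENY_THRESHOLD:
        return "deny"
    if score >= STEP_UP_THRESHOLD:
        return "step_up"   # issue an MFA challenge before proceeding
    return "allow"


def evaluate(profile: UserProfile, event: AuthEvent) -> Tuple[str, int, List[str]]:
    score, reasons = score_event(profile, event)
    return decide(score), score, reasons


def learn_from_success(profile: UserProfile, event: AuthEvent) -> None:
    """After a passed step-up challenge, fold the new context into the profile so
    the same device or ATM is not challenged every time (continuous profiling)."""
    profile.known_devices.add(event.device_id)
    profile.usual_countries.add(event.country)
    if event.atm_id:
        profile.usual_atm_ids.add(event.atm_id)


def demo_profile() -> UserProfile:
    """Constructed sample user: two known devices, one country, one home ATM."""
    return UserProfile(
        known_devices={"laptop-1", "card-4421"},
        usual_countries={"US"},
        usual_atm_ids={"atm-stl-1"},
        typing_cadence_ms=150.0,
    )


if __name__ == "__main__":
    profile = demo_profile()
    for ev in (
        AuthEvent("laptop-1", "US", "balance", typing_cadence_ms=150.0),
        AuthEvent("laptop-1", "US", "add_payee"),
        AuthEvent("card-4421", "US", "atm_withdrawal", atm_id="atm-seattle-7"),
        AuthEvent("unknown-phone", "RO", "funds_transfer"),
    ):
        print(ev.action, evaluate(profile, ev))
```

The same ATM withdrawal is challenged once, then allowed after `learn_from_success` folds the new ATM into the profile; a fixed linear scale would challenge it every time.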

Veeam papers on ransomware

I wrote a series of papers for TechTarget, sponsored by Veeam, mainly about ransomware. Here are links to download each paper (reg. req.):

  1. Understanding different types of phishing attacks. As we all know by now, all it takes is just one phishing message to slip by our defenses to ruin our day. Just one click, and an attacker can be inside our network, connecting to that single endpoint and trying to leverage that access to plant additional malware, take control over our critical servers, and find something that can be used to harm our business and steal data and money from our bank accounts. In this paper, I talk about the many different variety of phishing attacks and their increasing sophistication.
  2. How the role of backups has changed in the era of ransomware. (see this pdf) The role of backups has changed in the modern era and this paper describes this evolution. As attackers are getting smarter and more focused, IT managers have to also change with the times. Attackers are getting more adept at penetrating networks, necessitating that backups become more sophisticated and cover a multitude of circumstances, threat models, and conditions. And as we change the way we work, the way we consume data, the way we build our business computing systems and the way they depend on more complex online systems, we need to change the way we make backups too.
  3. Tips on defending your network against ransomware. (See this pdf) Defending your network and preventing your users from getting infected with ransomware means more than just implementing various firewalls and network intrusion systems. It is about creating a culture of being resilient.  It is developing a concerted backup and recovery process that will cover your systems and your data assets, so they will be protected when an attack happens and your business can return to an operational state as quickly and as inexpensively as possible. In this paper, I share some tips for making your systems more resilient.
  4. Fighting ransomware with tape and cloud: a backup field guide. (See this pdf) The old standby of data protection, tape backups, is still alive and well in many IT shops. Ironically, it is making a resurgence because of ransomware and other malware attacks. We don’t know what tomorrow’s threats will look like, and there is a lot of risk to having something online that is connected to a network with these types of threats today. While tape has had a long history as a backup medium, the cloud can complement tape backups too, as I describe in this paper.
  5. Steps to an effective phishing defense program. (See this pdf) When it comes to defending your network, many enterprise IT managers tend to forget that it is the people behind the keyboards that can make or break their security posture, and sometimes the people matter more than the machines. Phishing is happening all the time, to every organization. The trick is understanding this dynamic. I describe four different steps you can take to improve your defenses.
  6. The story of how the city of Atlanta reacted against a ransomware attack at the end of March 2018 is instructive both in terms of what not to do and how expensive such an attack can become. The city actually experienced two separate attacks, one that began March 22 and another on April 5. My paper describes the series of events and how the city got attacked.

CSOonline: Honeypots as deception solutions: What to look for and how to buy

Honeypots are once again in the news. If you stopped by the Watchguard booth at last month’s RSA Conference in San Francisco, chances are good that you connected with one of its Wifi hotspots. Those hotspots were there to log how many people would try to connect to an open network. Watchguard found that the average length of time spent connected was more than enough to compromise the connection. Recently, researcher Doug Rickert has been experimenting with the open source Cowrie SSH honeypot, writing about it on Medium. He found an average of at least 200 daily attempts, a few of them from serious hackers who tried to penetrate his honeypot further.

In this post for CSOonline, I talk about what makes honeypots so compelling as a security solution, what are some things to look for when you are thinking about purchasing a more thorough commercial deception package, different types of honeypots, and a table that links to some of the more popular solutions.

Understanding email encryption

Earlier this week, we had a major storm with the release of a new report about email encryption issues. Called Efail, it starts with this research paper and website. What I want to talk about today is the following:

First, the vulnerabilities described in the Efail documents were well known, with some of them having been around for more than a decade. Basically, if you use HTML email to read your email – which if you are concerned about privacy you shouldn’t be doing in the first place – certain email clients combined with plug-ins for PGP or S/MIME will expose encrypted data to a hacker, if the hacker has access to your email stream.

Second, notice the “if” in the last sentence. That is a very big condition. Sure, hackers could target your network or email flow, but the chances are slim.


Third, the amount of bad reporting was immense, with most reporters missing the fact that there was nothing wrong with the PGP or S/MIME protocols themselves, only poor implementations. (The Efail authors do a solid job of reporting which clients are at issue.) There are numerous encrypted email solutions that aren’t affected by Efail.

Part of my problem with the reporting is the way that Efail was disclosed, with little or no advance notice to security analysts and other affected parties. This didn’t help matters.

One of the more alarmist posts was from the EFF, which weighed in with some very confusing suggestions. That is both unusual (since they are level-headed most of the time on technical issues) and unfortunate (because they are suggesting that folks stop using encryption). That isn’t a good idea, especially if you are one of the few that actually use PGP in your daily life. (Lesley Carhart’s tweet was spot-on.)

There were some standout reports that I will recommend. First, if you are new to email encryption, the best general source that I have found is Andy Yen’s TED talk from several years ago. He explains how encryption works, what to look for and why you need it. Yen happens to work for Protonmail, which is certainly a good starting place to use encryption. The best overall report is from Steve Ragan at CSOonline, who documents the disclosures and what you need to do to update your email clients in this post. Finally, if you are ultra-paranoid, you should turn off HTML rendering in your email client.


Corporate blogging rules of the road (and bonus podcast)

Let’s talk about what makes for a successful corporate blog and how you can assemble one of your own. Blogs are an essential element of any corporate marketing strategy, and should be the linchpin of creating an integrated digital marketing campaign that includes email newsletters, social media posts, and other kinds of content. But if you don’t have a strong blog, you will have a difficult time executing any solid marketing campaign.

I have written about corporate blogging for more than 13 years, including this story that ran in Computerworld, and contributed to dozens of different corporate blogs (in addition to running some websites that could be considered blogs if they were created in the modern era). Jeremiah Owyang once said that you shouldn’t accept blogging advice from people that are not bloggers. Given that he has blogged for as long (if not longer) than I have, he is worth paying attention to. I am writing about this again thanks to being inspired by a recent article about Autodesk and its 200-some corporate blogs.

Autodesk is the company behind AutoCAD and some 170 other products that are based on that industry segment. When you first see how many blogs they have, you think: that can’t possibly be the right strategy for them. But the more you look into what they are doing, the more you understand that this is actually brilliant. These different blogs (some of which you can see in the screen capture here) show something more than just quantity. For example, each Autodesk product and blog has its own dedicated marketing team, so it’s up to each to decide how to structure its operation and tell its own story. So as you are examining what Autodesk is doing, here are a few pointers.

First is understanding the key elements in assembling your team that will staff and run a blog. It is more akin to running a publication (something that I have done numerous times over my career in both print and online), but you may not have editorial and production people in-house. That is why it could make sense to outsource part of these back or front office functions of the blog to operations such as Skyword or Contently. While you pay a premium for these services, they can deliver benefits if you don’t have the time, skills or staff to handle these functions. Another part of successful blogging is creating an editorial calendar and planning what you will cover in the next quarter (or longer if you can), posting regularly and selecting the right topics. This makes it easier to assign posts and organize your campaigns.

Next, you need to understand your audience focus and define what the overall purpose of the blog or blogs will be, as well as adjusting to the appropriate level of knowledge for a particular readership. This is something that you want to do up front, before you start creating any posts.

It is also important to take the long view about your blog or blogs; on the Internet, content is eternal and many corporate marketers often make the mistake of having a blog stand up for just a particular campaign. I often get inquiries from something that I posted ten years ago. Many of the blogs and pubs that I have written for have taken down their content. Newsflash: storage and domain services are cheap these days.

Part of any successful blog is also figuring out what your metrics for success are, and that should involve more than just counting simple page views. While we all watch that particular statistic, it doesn’t tell the entire story, such as how engaged our readers are and how many of them convert to trial product versions or refer others who become customers. Figure out how you can track these things effectively.

Finally, make sure you pay your external writers quickly and without a lot of paperwork, otherwise they will migrate elsewhere. (That is where the outsourced back office providers can help.) I know this sounds somewhat self-serving, but I have seen many fine pubs lose talented writers who get frustrated when payments stretch out for months.

If you haven’t had enough suggestions, or if you want to send these suggestions to someone who is a more auditory learner, you can listen to a 20-minute podcast that Paul Gillin and I put together for our FIR B2B episode this week here.

Keeping your home safe from the Internet of Bad Things

Back before we had nearly universal broadband Internet in our homes, the only electrically powered safety device we had to worry about was the smoke detector, whose batteries we replaced every six months. With the Internet of Things, we now have a lot more capabilities, but a lot more worries.

Some friends of mine have 23 devices connected to their home network: a Nest thermostat, security cameras, Alexa, smart TVs, network printers, gaming systems, smart watches and their computers. I am sure I have forgotten a few others. All of them can be exploited and used for evil purposes. Think of them as a back door to your home that is wide open.

This exploit for smart TVs was a news item last year. It uses a special digital broadcast signal to gain access to your TV’s firmware. I have been trying to update my firmware for weeks with no success, but I guess hackers are more adept. Still, this is a major concern for IoT devices both in the home and in the workplace. Many device makers don’t have any firmware update mechanism, and those that do don’t make it easy or automatic for users to do it. And devices are usually not monitored on corporate endpoint protection tools, which are usually designed for Windows, Mac and Linux machines.

Part of the problem is that the number of IoT devices continues to climb, with estimates in the tens of billions in the coming years. These devices are seemingly everywhere. And they are an attractive target for hackers. Hajime, Mirai, Reaper, Satori and Amnesia are all IoT-based malware that has been seen in the past couple of years. The hackers understand that once you can discover the IP address of a device, you can probably gain entry to it and use it for evil purposes, such as launching attacks on a corporate target or to leverage access to a corporate network to steal information and funds.

So what can you do? One friend of mine is so concerned about his home network that he runs his own firewall and has two different network-attached storage devices that make copies of his data. This enables him to get rid of having any data on his computers and removes all at-risk programs on them to further secure them. That is probably more than most of us want to do, but still it shows the level of effort that you need to keep things safe.

If you aren’t willing to put this much effort into your home network, here are a few easier steps to take. First, make sure you change all of your devices’ default passwords when you first install them – if you can. Some products have a hard-coded password: if security is a concern, toss them now. Second, if you don’t have a firewall/router on your home network (or if you are using the one supplied by your broadband provider), go out and get one. They now cost less than $100 and are worth it if you can take the time to set them up properly to limit access to your networked devices. Next, make sure your Wifi network is locked down appropriately with the latest protocols and a complex enough password. If you have teenagers, set up a guest network that limits their friends’ access.

Granted, this is still a lot more work than most of us have time or the patience for. And many of us still don’t even replace our smoke detector batteries until they start beeping at us. But many of you will hopefully be motivated to take at least some of these steps.

Backing up your social network data

(updated 10/26/18, 7/18/19 and 11/22/22)

Brian Chen’s recent piece about social media privacy in the NY Times inspired me to look more closely at the information that the major social networks have collected on me. Be warned: once you start down this rabbit hole, you can’t unlearn what you find. Chen says it is like opening Pandora’s box. I think it is more like trying to look at yourself from the outside in. There is a lot of practical information and tips here, you might want to file this edition of Web Informant away for future reference when you have the time to absorb all of it.

TL;DR: If you are short on time, F-Secure has this website where you can gather this data from the leading social networks quickly. But you still might want to read about my experiences below.

Why bother? For one thing, the exercise is interesting and will give you insights into how you use social media and whether you should change what and how you post on these networks in the future. It also shows you how advertisers leverage your account – after all, they are the ones paying the bills (to the news of some US Senators). And if you are concerned about your privacy or want to leave one or more of these networks, it is a good idea to understand what they already know about you before you begin a scrub session to limit the social network’s and its connected apps’ access to your personal information. Also, if you are thinking about leaving or migrating to another non-Twitter service, it would be nice to have a record of your contacts before you pull the plug. One other warning: these archives are only available for a limited time period, so be on the lookout for the emails telling you when you can download them; otherwise the links will expire and you will have to issue another request.

None of the networks make obtaining this information simple, and that is probably on purpose. I have provided links to the starting points in the process, but you will first want to log in to each network before navigating to these pages. In all cases, you initiate the request, and it takes hours to days before each network replies with an email that either contains a download link or an attached file with the information.

The results range from scary to annoyingly detailed and almost unreadable. And after you get all this data, there are additional activities that you will probably want to do to either clean up your account or tighten your privacy and security. Hang on, and good luck with your own journey down the road to better social network transparency about your privacy.

Facebook:  https://www.facebook.com/dyi?x=AdkA0Kau6MLj_7I0

Facebook sends you an HTML collection of various items, some useful and some not. You download a ZIP archive. There is a summary of your profile, a collection of your posts to your timeline, a list of all of your friends (including those who have left Facebook) and when you connected with them, and any videos and photos that you have posted. Two items are worth more inspection. The first is a list of advertisers that have your information: I noticed quite a few entries for more than a dozen different state chapters of Americans for Prosperity PACs that are funded by the Koch brothers. The second is a list of your phone’s contacts that it grabbed if you ran its Messenger application, which it justifiably has been getting a lot of heat for doing. Note that this is different from your friend list. Also, when I requested the archive, Facebook temporarily locked my account, which I then had to unlock before the download.

LinkedIn:   https://www.linkedin.com/psettings/member-data

LinkedIn sends you two ZIP collections of CSV files that you can open in separate spreadsheets; they contain different lists. The first set includes connections, contacts, messages that you have exchanged with other LinkedIn members, and profile information, and the second has activity, account history and invites. Most of the files contained just a single line of data, which made looking at all of them tedious. The two collections of files are a bit odd: you should ignore the first one (which you get almost immediately) and wait for the “final” archive, which is more complete and arrives several hours later. Most of this data is rather matter-of-fact. One file contains a summary of your profile that is used for ad targeting, but there is no list of advertisers like with the other networks. Another file contains the IP addresses and dates of your last 50 logins, and another contains the dates and names of people that you have searched for on the network. What bothered me the most about my list of LinkedIn connections was that their number differed by two percent from what is displayed on my LinkedIn home page and in the spreadsheet itself. Why the difference? I have no idea.

Google:  Takeout.google.com

Google operates somewhat differently and more opaquely than the others mentioned here. First, you go to the link above, which is a separate service that will collect your Google archive. The screenshot shows you just some of the dozens of different Google services that you can select to use in the gathering process. In my experiment this process took the longest: more than three days, whereas the others took minutes to several hours. Even before you get your archive, scanning this list and selecting which services you want included in your report is a depressingly lengthy activity. When I finally got my archive, it spanned three ZIP files and more than 17GB in total, which is more than all the others combined.

However, that is just the beginning. When you bring up a web page that shows the various Google services, you have to extract the data for each service individually, and each service uses its own data format that you then need to view in a particular application: for example, your calendar items are in iCal format, your email data is in MBOX format, and others are extracted in JSON format. Analyzing all this information could take a data scientist the better part of a few days, let alone you and me, who don’t have the tools, dedication or time. If you are thinking of de-Googling your life, you will have to do more than just switch to an iPhone and give up Gmail.

But wait, there is more: emails that you delete, or that find their way into your Spam folder, are still part of your archive. In the Googleplex, everything is accounted for. Note that if you have uploaded any music to Google Play Music, this data isn’t part of your archive and you’ll have to download that separately.

Twitter: https://twitter.com/settings/account

Twitter will send you two files. The first is a PDF attachment that contains a list of all the advertisers that have your information, but the advertisers’ names are shown as their Twitter IDs and thus not very meaningful. The second is an HTML collection of all your tweets, which you can bring up in your browser or access in two formats: JSON and CSV exports by month and year. Notice that there is nothing mentioned about downloading all of your Twitter followers: you will have to use a third-party service to do this. One thing I give Twitter props for is that it has a very clear series of settings menus that might be useful to study and change as well, including connected apps and privacy settings. Facebook and LinkedIn are constantly rearranging these menus and changing their structure and importance, which makes them more difficult to find when you are concerned about them. Twitter at least gives you more control over your privacy settings and tries to make it more transparent.

Apple: http://privacy.apple.com/

Apple opened up its privacy portal earlier this summer to a few geographies and then to US and other countries in the fall. It took a day to request my data from 12 different datasets that it maintains, as you can see in the screenshot here. Each database corresponds to a particular app, such as AppleCare requests, iCloud bookmarks, interactions with your AppleID account, and contacts. You get .ZIP files for each one (split into smaller segments, if you request that), and you have to individually download each one. The link to the downloads expires in two weeks, which is a nice touch.

Manipulating these files isn’t easy. Almost every one of these 12 files contains one or more nested .ZIP files, and at times it feels as if you are chasing your data down a hall of mirrors. My total download, when everything was unzipped, was 7GB and covered more than 170 different files. Everything unzips into mostly .CSV files that will require parsing in your favorite spreadsheet. A lot of the information is coded in such a way that it is meaningless without a lot of further study to tie it back to your activities. For example, my Apple ID sign-in file has a list of login dates for different services. Because it comes in as a CSV import, you have to ensure that you format the date fields properly. In other words, getting this data is easy. Getting any actionable or useful information from the trove is not.
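The login-history files are the one part of these archives worth a security review rather than a spreadsheet: LinkedIn’s gives the IP address and date of your last 50 logins, and Apple’s sign-in file gives dates per service. The script below is an added example, not from the article or any vendor; the CSV is constructed, the column names are an assumption (each vendor’s real export uses its own headers), and the mixed date layouts stand in for the formatting problem described above.

```python
"""Summarize a login-history CSV from a social-network data export."""
import csv
import io
from collections import Counter
from datetime import datetime, timezone

# Constructed sample (not a real export). Column names are assumptions;
# adjust them to match the headers in the file you downloaded.
SAMPLE_CSV = """\
Login Date,IP Address,Service
2022-11-20 08:15:02 UTC,203.0.113.7,web
2022-11-20 19:42:11 UTC,203.0.113.7,mobile
11/21/2022 07:03,198.51.100.23,web
2022-11-22T01:10:45Z,192.0.2.99,web
"""

# Exports mix date layouts; try each known layout instead of failing on one row.
DATE_FORMATS = ("%Y-%m-%d %H:%M:%S %Z", "%m/%d/%Y %H:%M", "%Y-%m-%dT%H:%M:%SZ")


def parse_date(text):
    """Parse one exported timestamp into an aware UTC datetime."""
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(text.strip(), fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognized date: {text!r}")


def summarize_logins(csv_text, known_ips):
    """Return (logins per IP, rows from IPs you do not recognize, oldest first)."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    per_ip = Counter(r["IP Address"] for r in rows)
    unknown = [
        (parse_date(r["Login Date"]).isoformat(), r["IP Address"], r["Service"])
        for r in rows
        if r["IP Address"] not in known_ips
    ]
    return per_ip, sorted(unknown)


if __name__ == "__main__":
    # Put your own home/office addresses here; anything else gets listed for review.
    counts, unfamiliar = summarize_logins(SAMPLE_CSV, known_ips={"203.0.113.7"})
    for ip, n in counts.most_common():
        print(f"{ip:16} {n} login(s)")
    for when, ip, service in unfamiliar:
        print(f"REVIEW {when} {ip} ({service})")
```

Unfamiliar addresses are a prompt to change the password and revoke sessions on that network, not proof of compromise, since travel and mobile carriers change your address often.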

One data collection is useful, and that is your contacts, whether they are in iCloud or in your Apple address book. You will get individual vCards for each person, which could be useful in case of a disaster. There is also a list of all the phone calls made on your iPhone (if you have one), and again, parsing that into a spreadsheet will take some effort. That can be found in the “Other data/Apple Features using iCloud/Call history” bucket. Think of this exercise as a treasure hunt. Like some of the other vendors’ data dumps, there is a CSV collection of advertisers, under marketing communications, along with the date and time they were delivered to your endpoint device. There are copies of anything you have purchased at an Apple store, which is also useful, if you can find them buried deep within the Apple Online and Retail Store folder.

Action items

So what should you do? First, delete the Facebook Messenger phone app right away, unless you really can’t live without it. Your contacts are still preserved by Facebook, but at least going forward you won’t have them snooping over your shoulder. You can still send messages in the Web app, which should be sufficient for your communications.

Second, start your pruning sessions. As I hinted in the Twitter entry above, you should examine the privacy-related settings along with the connected apps that you have selected on each of the four networks. The privacy settings are confusing and opaque to begin with, so take some time to study what you have selected. The connected apps are where Facebook got into trouble (see Cambridge Analytica) earlier this month, so make sure you delete the apps that you no longer use. I usually do this annually, since I test a lot of apps and then forget about them, so it is nice to keep their number as small as possible. In my case, I turned off the Facebook platform entirely, so I lost all of these apps. But I figured that was better than their hollow promises and apologies. Your feelings may be similar.

Third, protect your collected data. Don’t leave this data that you get from the social networks on any computer that is either mobile or online (which means just about every computer nowadays). I would recommend copying it to a CD (or in Google’s case, several DVDs) and then deleting it from your hard drive. Call me paranoid, or careful. There is a lot of information that could be used to compromise your identity if this gets into the wrong hands.

Finally, think carefully about what information you give up when you sign up for a new social network. There is no point in leaving Facebook (or anyone else) if you are going to start anew and have the same problems with someone else down the road. In my case, I never gave any network my proper birthday – that seems now like a good move, although probably anyone could figure it out with a few careful searches.

CSOonline: 4 open source red-team ATT&CK-based tools reviewed

In an article that I wrote last week for CSOonline, I described the use of a red team framework from Mitre called ATT&CK. In my post this week, I compare four free open source tools that leverage this framework and how they can be deployed to help expose your network vulnerabilities. The four tools are:

  • Endgame’s Red Team Automation (RTA),
  • Mitre’s own Caldera,
  • Red Canary’s Atomic Red, and
  • Uber’s Metta

Each has its good and bad points. You can read my review here.