When anonymous web data isn’t anymore

One of my favorite NY Times technology stories (other than, ahem, my own articles) is one that ran more than ten years ago. It was about a supposedly anonymous AOL user who was picked from a huge database of search queries by researchers. They were able to correlate her searches and track down Thelma, a 62-year-old widow living in Georgia. The database was originally posted online by AOL as an academic research tool, but after the Times story broke it was removed. The data “underscore how much people unintentionally reveal about themselves when they use search engines,” said the Times story.

In the intervening years since that story, tracking technology has gotten better and Internet privacy has all but disappeared. At the DEFCON trade show a few weeks ago in Vegas, researchers presented a paper on how easy it can be to track down folks based on their digital breadcrumbs. The researchers set up a phony marketing consulting firm and requested anonymous clickstream data to analyze. They were able to tie real users to the data through a series of well-known tricks, described in this report in Naked Security. They found that if they could correlate personal information across ten different domains, they could figure out who was the common user visiting those sites, as shown in this diagram published in the article.

The culprits are browser plug-ins and embedded scripts on web pages, which I have written about before here. “Five percent of the data in the clickstream they purchased was generated by just ten different popular web plugins,” according to the DEFCON researchers.

So is this just some artifact of gung-ho security researchers, or does this have any real-world implications? Sadly, it is very much a reality. Last week Disney was served legal papers about secretly collecting kids’ usage data from its mobile apps. The papers say that the apps (which don’t ask parents’ permission for the kids to use them, which is illegal) can track the kids across multiple games. All in the interest of serving up targeted ads. The full list of 43 apps that have this tracking data can be found here, including the one shown at right.

So what can you do? First, review your plug-ins and delete the ones that you really don’t need. In my article linked above, I try out Privacy Badger and have continued to use it. It can be entertaining or terrifying, depending on your POV. You could regularly delete your cookies and always run private browsing sessions, although you do give up some usability for doing so.

Privacy just isn’t what it used to be. And it is a lot of hard work to become more private these days, for sure.

FIR B2B Podcast #78: TALKING GOOD AND BAD UX WITH DANIELLE COOLEY

Danielle Cooley has spent more than 18 years applying a number of user experience (UX) research and design techniques to a wide variety of applications, including hardware, Windows, web, telephone and mobile. Her work has benefited such organizations as Pfizer, Navy Federal Credit Union, Fidelity Investments, Hyundai, Graco, Enterprise Rent-a-Car and more. She is a frequent conference speaker at professional UX gatherings and holds several technical degrees.

Paul Gillin and I talked to her on our latest podcast about rookie UX mistakes, such as popup come-ons and autoloading videos, the difference between UX and user interfaces, and how marketers should consider the UX maturity model of their organizations when developing their programs.

Danielle also ranted a bit about the “hamburger menu” of three parallel lines that are often shown in many mobile apps (including my latest website redesign, oops!) and how they have become a cover-up for bad navigation. Here’s a presentation on what to do instead.

Danielle and I wrote this article for a UX journal where we use the example of four data breaches (Cici’s Pizza, Home Depot, Wendy’s Restaurants, and Omni Hotels) to see how each firm tried to regain its customers’ trust.

Is iOS more secure than Android?

I was giving a speech last week, talking about mobile device security, and one member of my audience asked me this question. I gave the typical IT answer, “it depends,” and then realized I needed a little bit more of an explanation. Hence this post.

Yes, in general, Android is less secure than All The iThings, but there are circumstances where Apple has its issues too. A recent article in ITworld lays out the specifics. There are six major points to evaluate:

  1. How old is your device’s OS? The problem with both worlds is when their owners stick with older OS versions and don’t upgrade. As vulnerabilities are discovered, Google and Apple come out with updates and patches — the trick is in actually installing them. Let’s look at the behavior of users between the two worlds: The most up-to-date Android version, Nougat, has less than 1% market share. On the other hand, more than 90% of iOS users have moved to iOS v10. Now, maybe in your household or corporation you have different profiles. But as long as you use the most recent OS and keep it updated, right now both are pretty solid.
  2. Who are the hackers targeting for their malware? Security researchers have seen a notable increase in malware targeting all mobile devices lately (see the timeline above), but it seems there are more Android-based exploits. It is hard to really say, because there isn’t any consistent way to count. And a new effort into targeting CEO “whale” phishing attacks or specific companies for infection isn’t really helping: if a criminal is trying to worm their way into your company, all the statistics and trends in the universe don’t really matter. I’ve seen reports of infections that “only” resulted in a few dozen devices being compromised, yet because they were all from one enterprise, the business impact was huge.
  3. Where do the infected apps come from? Historically, Google Play certainly has seen more infected apps than the iTunes Store. Some of these Android apps (such as Judy and FalseGuide) have infected millions of devices. Apple has had its share of troubled apps, but typically they are more quickly discovered and removed from circulation.
  4. Doesn’t Apple do a better job of screening their apps? That used to be the case, but isn’t any longer and the two companies are at parity now. Google has the Protect service that automatically scans your device to detect malware, for example. Still, all it takes is one bad app and your network security is toast.
  5. Who else uses your phone? If you share your phone with your kids and they download their own apps, well, you know where I am going here. The best strategy is not to let your kids download anything to your corporate devices. Or even your personal ones.
  6. What about my MDM, shouldn’t that protect me from malicious apps? Well, having a corporate mobile device management solution is better than not having one. These kinds of tools can implement app whitelisting and segregate work and personal apps and data. But an MDM won’t handle all security issues, such as preventing someone from using your phone to escalate privileges, detecting data exfiltrations and stopping a botnet from running inside your corporate network. Again, a single phished email and your phone can become compromised.

Is Android or iOS inherently more secure? As you can see, it really depends. Yes, you can construct corner cases where one or the other poses more of a threat. Just remember, security is a journey, not a destination.

FIR B2B PODCAST #77: IMAGINING THE FUTURE OF CUSTOMER EXPERIENCE AROUND ‘MICRO MOMENTS’

Paul Gillin and I talk to Dermot O’Connor, who is the VP of product and co-founder of Boxever, a marketing big data automation company. We discuss the changing nature of customer experience (CX) and how the rise of the online world of Google, Amazon and Facebook has changed customer expectations about their interactions with suppliers. Big data is essential to improvement for marketers. We also cover the differences between these two approaches and how difficult it is to incorporate the technology solutions that are required to implement the best CX, and how marketing departments need to get a handle on what data they have about their customers too.

Dermot offers his suggestions for how to create “Micro Moments” along the journey, a concept introduced in this Google blog. That’s about making each touch point with customers a part of crafting the best experience. O’Connor thinks the next phase of CX will center around micro-design and suggests ways in which brands can bring micro moments to life.

You can listen to our 12 min. podcast here:

Do real people want real encryption?

The short answer is a resounding Yes! Let’s discuss this topic which has spanned generations.

The current case in point has to do with terrorists using WhatsApp. For those of you that don’t use it, it is a text messaging app that also enables voice and video conversations. I started using it when I first went to Israel, because my daughter and most of the folks that I met there professionally were using it constantly. It has become a verb, like Uber and Google are for getting a ride and searching for stuff. Everything is encrypted end-to-end.

This is why the bad guys also use it. In a story that my colleague Lisa Vaas posted here in Naked Security, she quotes the UK Home Secretary Amber Rudd about some remarks she recently made. For those of you that aren’t familiar with UK government, this office covers a wide collection of duties, mixing what Americans would find in our Homeland Security and Justice Departments. She said, “Real people often prefer ease of use and a multitude of features to perfect, unbreakable security.” She was trying to make a plea for tech companies to loosen up their encryption, just a little bit mind you, because of the inability for her government to see what the terrorists are doing. “However, there is a problem in terms of the growth of end-to-end encryption” because police and security services aren’t “able to access that information.” Her idea is to serve warrants on the tech companies and get at least metadata about the encrypted conversations.

This sounds familiar: after the Paris Charlie Hebdo attacks two years ago, the last person in her job, David Cameron, issued similar calls to break into encrypted conversations. They went nowhere.

Here is the problem. You can’t have just a little bit of encryption, just like you can’t be a little bit pregnant. Either a message (or an email or whatever) is encrypted, or it isn’t. If you want to selectively break encryption, you can’t guarantee that the bad guys can’t go down this route too. And if vendors have access to passwords (as some have suggested), that is a breach “waiting to happen,” as Vaas says in her post. “Weakening security won’t bring that about, however, and has the potential to make matters worse.”

In Vaas’ post, she mentions security expert Troy Hunt’s tweet (reproduced here) showing links to all the online services that (surprise!) she uses that operate with encryption like Wikipedia, Twitter and her own website. Jonathan Haynes, writing in the Guardian, says “A lot of things may have changed in two years but the government’s understanding of information security does not appear to be one of them.”

It isn’t that normal citizens or real people or whatever you want to call non-terrorists have nothing to hide. They do have their privacy, and if we don’t have encryption, then everything is out in the open for anyone to abuse, lose, or spread around the digital landscape.

Why You Need to Deploy IPv6: It Is All about Performance and Security

You have heard the arguments for using IPv6 for decades, but here is a novel reason: it is all about getting better network performance. A recent study from Cloudflare’s network operations shows that an IPv6 network can operate 25ms to 300ms faster than over an IPv4 network. That isn’t theory: that is what they actually observed. These numbers are corroborated with studies from LinkedIn and Facebook, although Sucuri did a test last year that shows about the same in terms of web surfing.

Part of the debate here has to do with what constitutes performance. As Geoff Huston at the Australian RIPE network coordination center writes, you have to look carefully at what is actually being tested. He mentions two factors: overall network reliability (meaning connection attempts, dropped packets and so forth) and round-trip time over the resulting network paths of the two protocols. Just because you use the same network endpoints for your tests doesn’t mean that your IPv4 packets will travel over the same path as your IPv6 ones.

Huston shows that IPv6 reliability rates have been steadily increasing, especially as native IPv6 implementations have grown, replacing tunneling and other compromises that have had higher failure rates in the past. And round-trip times have been improving, with IPv6 being faster than IPv4 about half of the time.

Cloudflare also observed that some smartphones can save on IPv4/v6 translation times if they can connect over IPv6 directly. Such phones are becoming the norm on T-Mobile and Orange mobile networks, for example. This agrees with Huston’s research: the more native IPv6 implementations on your endpoints and routers you can use, the better your overall performance.

But there is a second reason why you should consider IPv6, and that has to do with security. After all, this is a security-related blog, so let’s talk about this for a moment. In the past, there have been articles such as this one in Security Intelligence that warn, “The thing is, despite IPv6 having been around for almost 20 years now, few security professionals truly understand it.” Other bloggers point out that enabling native IPv6 will make your network less secure, because more embedded devices (like webcams and industrial controls) can become compromised (think Mirai and WannaCry). That post suggests that most network administrators should turn off native IPv6, to reduce the potential attack surface.

I disagree. This is because IPv6 has several key technological innovations over older IPv4: it avoids NAT, has stateless or serverless address autoconfiguration, has a better protocol header to minimize processing time, uses simpler administration of IPsec conversations, is more efficient with QoS implementations, has better multicast and anycast support and uses other more modern technologies. Taken together, the good news is that you could also get some big security improvements, if you deploy IPv6 properly across your enterprise.

Supporting IPv6 isn’t a simple matter of turning on the protocol across your network: you have to migrate segments, servers, routers and endpoints carefully and understand how you can establish a full end-to-end native implementation of the protocol. But if you do it correctly, you could have a better performing and more secure network as a result.

Making tech hiring more inclusive

If you are in tech, you know we as an industry aren’t very inclusive when it comes to the people working at our companies. The problem has gotten worse since I entered the work force back in the days when fire was first invented and the Steves worked out of their fabled garage: fewer women and minorities now work in tech.

In the wake of the formerly celebrated bro-culture bad-boys that have either lost their jobs or have given forced social media apologies, even the general press has picked up on this meme. Witness the program this past weekend on Megyn Kelly’s Sunday Night, where she interviews six Silicon Valley women engineers and startup founders about their harassment by men.

So it is nice to see some good news in this sector, care of a recent post about Atlassian’s practices. They are a software company that has employees in Sydney, San Francisco and other cities around the world and employs 1,700 people. Over the past year, 18% of their tech hires and more than half of their engineers were women, up significantly from earlier years.

Atlassian credits several things for their diversity. First and foremost is dropping the notion that they are a meritocracy, which is a mask that many Silicon Valley firms hide behind and use to block inclusive practices. MIT research shows that managers at these companies perceive themselves as more impartial, and are therefore less self-aware and less likely to root out and bust their biases.

Sure Atlassian has some corporate credos that they post on their website, such as “play as a team” and “Don’t <mess> with the customer,” among others. But they also say that “Continuous improvement is a shared responsibility. Action is an independent one.”

To that effect, the post also mentions that the time to change is now, and the earlier in a company’s founding the better. “Getting a first woman on the team is a lot easier when there’s only three employees and they’re all men, as opposed to when there are 20 that are all men. Invest early. You’ll have to put in less effort over the life of your company when you do,” says Aubrey Blanche, the company’s head of diversity inclusion (shown here).

The post mentions some tactics your firm should take to widen diversity, and includes following some key folks on your social media accounts (here is a handy Twitter list if you want to check some of them out yourself). Another idea: create a culture where feedback about how you’re doing in regard to inclusion is constant, embraced, and rewarded. Use Slack or other IM tools to directly ask your staff for feedback on a regular basis. Until your culture is inclusive and you are listening to your folks, you won’t be. Have meetings that are designed to let introverts excel: send out agendas in advance, ask people to prepare remarks, and engage your remote employees.

There are a lot more tips in this blog post on how to encourage a more diverse workforce. Take some time to read them, and more importantly, act on them.

CSO Online: As malware grows more complex, protection strategies need to evolve

The days of simple anti-malware protection are mostly over. Scanning and screening for malware has become a very complex process, and most traditional anti-malware tools only find a small fraction of potentially harmful infections. This is because malware has become sneakier and more defensive and complex.

In this post for CSO Online sponsored by PC Pitstop, I dive into some of the ways that malware can hide from detection, including polymorphic methods, avoiding dropping files on a target machine, detecting VMs and sandboxes or using various scripting techniques. I also make the case for using application whitelisting (which is where PC Pitstop comes into play), something more prevention vendors are paying more attention to as it gets harder to detect the sneakier types of malware.

CSOonline: Review of Check Point’s SandBlast Mobile — simplifies mobile security

There is a new category of startups — like Lookout Security, NowSecure, and Skycure — who have begun to provide defense in depth for mobiles. Another player in this space is Check Point Software, which has rebranded its Mobile Threat Protection product as SandBlast Mobile. I took a closer look at this product and found that it fits in between mobile device managers and security event log analyzers. It makes it easier to manage the overall security footprint of your entire mobile device fleet. While I had a few issues with its use, overall it is a solid protective product.

You can read my review in CSOonline here.

How Citrix Fuels Red Bull Racing

Few businesses create a completely different product every couple of weeks, not to mention take their product team on the road and set up a completely new IT system on the fly. Yet, this is what the team at Red Bull Racing do each and every day.

A video featuring the racing company’s staff and its ultra-fast pace was featured at the Citrix Synergy conference in Orlando earlier this summer. When I saw it, I wanted to find out more about what happens behind the scenes. Indeed, during the week of Synergy, they were busy at one of the 20 different races they participate in around the world each year. “We design and manufacture all of our cars and go through some 30,000 engineering changes a year,” says Matt Cadieux, CIO of Red Bull Racing. “We create new car parts for every race because all of our cars get torn apart and rebuilt to new specifications that are designed to make the car go faster.”

The typical race week starts out with the team showing up several days ahead of the green flag, ready to unload 40 tons of equipment on the first day. The next day, the communications networks are connected and the cars assembled. “We don’t have time to debug things, we have to be up and running and do that in 20 different places around the world,” he said.

The company is based in the UK, where they have a very space-age data center. And it should! They designed it based on the look and feel of NASA’s mission control room in Houston. “We have one of the largest video walls in Europe,” said Cadieux. The data center houses three Linux clusters, a Windows cluster, and uses IBM Spectrum Storage to manage all their resources.

All that video isn’t just for showing pretty pictures. They have some serious data visualizations, where they are tracking in real time more than 200 different car metrics dealing with its performance. “It is very graphically intensive, and behind the graphics are some pretty large databases too,” Cadieux said.

Getting these graphically-rich screens sent to the racing team at the track requires some serious computing horsepower and a very dependable remote desktop experience, and that is where Citrix comes into play. “If we didn’t have Citrix, there is no way we could manage these apps effectively,” he said. The racing company uses a combination of XenDesktop and XenServer along with NetScaler to provide firewalls and load balancing. As their infrastructure has gotten more complex, they have been able to add functionality from this collection of products easily.

That is one of the reasons why Red Bull Racing has worked with Citrix for many years. “We always had great tech support from them and they always exceed our expectations. We have access to their developers and early code releases. For our use cases, we are always pushing technical boundaries, because we are not afraid to try new things. We give a lot of blunt and honest feedback to their product teams, too.”

As you might imagine, using all these graphical screens places a burden on having the lowest possible network latencies when those bits are shipped all over the planet. “We needed to take some heavyweight apps and use them in remote places, and that means we need some solid networks too.” They make use of AT&T VPN technologies to provide their global connectivity.

For example, when they are in Australia, they can get less than 380 ms round trip latencies back to their data center in the UK. “Sometimes, users can feel that delay, but they still can use our apps. When we are running races in Europe, you almost can’t tell the difference between the remote session and being back inside our data center,” he said.

The support team that they bring to each race used to be bigger, but thanks to XenDesktop they have managed to leave several key team members back in the UK. “We still can have the collaboration between people at the track and at home with XenDesktop. The result is that we can make better and more informed decisions,” he said. There is also a limit on the number of team members that can be present on the track as part of the racing staffing regulations.

Red Bull Racing has been around for more than a decade and, as you might assume, their current technology portfolio is “massively different” when compared to what they used back then. “When we first started, our operations room was the size of a broom closet and our simulations had almost no correlation to what we observed in the real world. Back then it was more of a science project than something that could make appropriate business decisions. Now, our math models are much more complex and we do a better job with visualizing our data. The size of our models and the infrastructure required to run them has also exploded over time.” As he mentions in this Network World article, “It allows us to get a very under-the-covers view of the health of the car, where you can understand forces, or you can see things overheating, or you can see, aerodynamically, what’s happening and whether our predictions in computational fluid dynamics and the wind tunnel are what really happens in the real world.”

Red Bull Racing have also been able to be more responsive; now, they can instrument a problem, track down a solution, and have it ready for race day all in a matter of hours. “We can now react to changes and surprises and deal with them in a more data-driven way,” he said.

Cadieux came from a Detroit-area traditional automaker before he moved across the pond and started supporting race cars. The two businesses have more in common than you might think, because ultimately they are all about making engineering decisions around the cars themselves. “We build our cars for performance, rather than for the mass market, that’s all. The software problems are similar.” Well, maybe he is just being modest.

Does Cadieux have one of the best jobs in IT? Certainly. “It is a very cool job and I am very lucky to have it. We get to solve some very interesting problems and be at the forefront of using tech to improve our business. It is great to work with such a cohesive team and be able to move very quickly, and merge engineering with our business needs.”