Angry BossIt’s 4:20 p.m. on Friday.  You’re looking forward to meeting your friends soon for happy hour at the local bar.  Your boss is on vacation, and you’re caught up for the week.  All is well.  As you take one last look at your e-mail, you see a message has just arrived from one of your suppliers – marked URGENT.  The supplier is ranting about why you didn’t send payment for last month’s invoice to the right bank account.  They’ve contacted your boss, who they say was irate at being disturbed while in Madrid on vacation, and who told them to contact you personally for immediate resolution.  They helpfully provide the correct bank routing information and demand the payment be made today.  Your authority for wire transfers ($1M) will easily cover the request for $250,000, with change.   The invoice amount sounds about right, you know the supplier, your boss is already upset, it’s Friday, and so you wire the funds.

Of course, you—the reader—already know the ending of this story.  The email was fraudulent, the company is now out a quarter of a million dollars, and you may be out of a job.  Yet this and similar scenarios play out every day, representing a 2,370% increase in the last 18 months in identified exposed losses resulting from business e-mail compromise targeting small, medium, and large businesses. Continue Reading It’s time to annoy your boss

Tom HanksTom Hanks excels at illuminating our nation’s history, from John Adams to Band of Brothers, Saving Private Ryan, Bridge of Spies, Apollo 13, and Charlie Wilson’s War.  Much of the impact springs from Hanks’ reverence for the primary source materials – the underlying records – that ground these compelling stories in the integrity of historical truth.  So it was no surprise last month when the National Archives Foundation honored Hanks with The Records of Achievement Award, an annual tribute to an individual “whose work has cultivated a broader national awareness of the history and identity of the United States through the use of original records.”

Fidelity to the facts, as documented in public records, is neither a quaint notion nor a mere gimmick to sell movie tickets or HBO subscriptions.  The integrity of our public institutions’ recordkeeping is an essential pillar of our democracy.  And it’s in peril. Continue Reading The importance of records in a post-truth America

Am I Drunk signWe’re addicted to information, but we can’t stand to think about it again once we’ve seen it, saved it, hoarded it.  Why?  We collect or create it in the moment, but have no thought or plan for its future.  Even when it was once and briefly useful, neglected information soon becomes the effluvium of our digital landfills.  And, like most landfills, the odor is disagreeable and no one wants to be near it.

Pinterest and the P:\ Drive

There is little doubt that social and cultural factors exacerbate and feed our addiction.  The immediate gratification of social media interactions, and the availability of “productivity” tools and data storage accelerate the accumulation of information.  “People hoard because they believe that an item [information] will be useful or valuable in the future. Or they feel it has sentimental value, is unique and irreplaceable . . . . They may also consider an item [information] a reminder that will jog their memory, thinking that without it they won’t remember an important person or event. Or because they can’t decide where something belongs, it’s better just to keep it.

How to Change

Addiction draws us into information overload, but our aversion to uncertainty keeps us from managing what we save or create.  Part of the challenge is that it’s just too hard to focus on something so big, yet so invisible.  We’ve all read the stats on how much information is created each year, but who understands how much 5 exabytes of information is anyway?   It’s beyond our tactile experience—like knowing how many gallons of water are in the ocean, or stars in the sky.

In thinking about change, Tali Sharot, associate professor of cognitive neuroscience at University College London, proposes, “Messages that tap into basic human desires — such as the need for agency, a craving for hope, a longing to feel part of a group — are more likely to have impact.”

In a previous post I talked about the consequences of allowing our private selves to bleed into our work selves.  The answer comes back to the summary of human desires, “what’s in it for me”?  So, using Dr. Sharot’s examples, I add here to the list of things we can do for ourselves, and ultimately for our organizations: Continue Reading Addiction and aversion … the yin and yang of information

EquifaxThe aftermath of the Equifax breach continues.  First, the Ugly:

Music Major?  Really?

The hoi palloi apparently find it offensive that Equifax’s Chief Security Officer, fired in the breach’s wake, had a music degree. The implication is that someone formally trained long ago in music is clearly incompetent to have a career in IT or Infosec, much less to be a CSO. That must be a surprise to Jennifer Widom (data management researcher, computer science professor, and Dean of Stanford University’s School of Engineering), who somehow, despite her undergraduate music degree, managed to help lay the foundations for active database systems architecture, crucial for such uses as security monitoring.  Or to countless others who came to Infosec after formal education in other disciplines – check out #unqualifiedfortech on Twitter.

Yesterday’s thoughtful Washington Post piece was well-titled: Equifax’s security chief had some big problems. Being a music major wasn’t one of them. And if your ironic sensibility remains unsated, see the 10/20/2016 article Musicians May Be the Key to the Cybersecurity Talent Shortage.

Next, the Bad: Continue Reading Equifax breach – the good, the bad, and the ugly

Worried couple checking credit account onlineThe grousing began within 24 hours of Equifax’s announcement, last Thursday, of its massive data breach that compromised personal data of over 140 million U.S. consumers.  I’m generally unsympathetic about such complaints (“We’re shocked – SHOCKED – that in a breach affecting 140+ million people, we’re having trouble immediately reaching a live person at the phone bank!  And the breach website is not operating smoothly!”). Usually only Louis CK’s masterpiece “Everything’s Amazing – and Nobody’s Happy” can coax me out of my grumpy place.

But as post-announcement events have unfolded, some of the initial criticism appears to have legs: Continue Reading Equifax breach – hot mess, or simply the world we live in?

Dark Territory: The Secret History of Cyber WarIn the early 1990s, NSA Director Mike McConnell created a brand-new position at the National Security Agency: Director of Information Warfare.  McConnell appointed Rich Wilhelm, with whom McConnell had worked closely on U.S. counter-command & -control intelligence operations during the first Iraq war.  After just a few weeks settling into his new job, Wilhelm walked into Director McConnell’s office and said “Mike, we’re kind of f***ed here.”

The problem?  The U.S. could penetrate and disrupt foreign adversaries’ increasingly computerized military, government, and civic infrastructures, and it was already clear that future conflicts would turn upon what would only later be dubbed cyber warfare.  But whatever we could do to our adversaries, they could do to us.  Making matters worse, the U.S. military, civilian governmental agencies, and private businesses were rapidly connecting everything in computer networks, with no meaningful attention paid to network security.  We’d be throwing rocks from the largest glass house on the planet.

In Dark Territory: The Secret History of Cyber War, Pulitzer Prize-winning journalist Fred Kaplan adroitly distills over one hundred key player interviews –  from U.S. cabinet secretaries, generals, admirals, and NSA directors, to analysts, aides, and officers in the trenches – into a riveting narrative that tracks the debut, developments, and dilemmas of cyber warfare.

Kaplan’s book is a cyber roller coaster ride spanning three decades.  Here are some notable highs and lows: Continue Reading The TAO of Cyber Warfare: Dark Territory

Young woman who's forgot her passwordAt last!!!  A good reason not to create dozens of hard-to-remember passwords!  The updated National Institute for Standards and Technology guidance on creating passwords has been out for a while now, but the word has been slow in trickling down to end users.  It’s time to pay attention, because the recommendations represent a huge departure from standard practice.  First, the good news:

The good

NIST is part of the US Department of Commerce and an authoritative standards-making body.  It is the entity that wrote the primer on how to create all those complex and hard-to-remember passwords in the first place. You know, passwords like *Pa$$w)rd3!  NIST now acknowledges through this publication that the old rules affected usability negatively. It also turns out that passwords composed of a few common words strung together are far stronger than upper-lower-numbers-characters passwords, so the old way was less secure than we thought.

It’s big news then that NIST has seen the error of its ways and now recommends creating passwords we can remember.  Even more important, it also now recommends that a password not be changed unless there is an indicator it has been compromised or forgotten by the user.  Of course, being the government, calling a password a password is just too hard.  The term in NIST SP800-63B 2017 is “Memorized Secret Authenticator.”  Whatever you choose to call it, user guidance is simple: Continue Reading dyktthctgohtcp?

Manually digging a holeLate last month in Mirmina v. Genpact, the Honorable Sarah Merriam of the United States District Court for the District of Connecticut properly confirmed that it remains permissible to manually preserve and collect discoverable email.  Her opinion was concise and spot-on, swatting away the plaintiff-movant’s speculative “concern” that defendant must have “withheld communications” that were responsive to the case’s discovery protocols.  Citing Zubulake V, Magistrate Judge Merriam accepted defendant’s detailed affirmation that in-house counsel appropriately coordinated and supervised the manual search for reponsive email by defendant’s ESI custodians, and she therefore denied plaintiff’s motion to compel.

The ediscovery blogosphere lit up once the Mirmina ruling was handed down – see here, here, here, here, here, and on and on.

What’s remarkable about this ruling is that a singularly unremarkable point has somehow become remarkable. Continue Reading Breaking news from Captain Obvious – it’s still OK to manually preserve and collect ESI

White WalkerA swarm of zombies, led by Byte Walkers, surges inexorably onward to penetrate a massive perimeter wall by force and stealth.  Sounds like Game of Thrones, right?  Instead, this is our cyberthreat reality. And in an ironic twist that would make George R. R. Martin blush under his beard, it’s now painfully real for HBO, which recently acknowledged suffering a massive cyber intrusion through which hackers claim to have stolen up to 1.5 terabytes of proprietary data, including Game of Thrones future epsodes.

First Sony, then Netflix, and now HBO – what’s a Westerosi to make of this? Continue Reading Game of Hacks