May 11, 2013 By Dan Lohrmann
According to the wealth of cyberspace knowledge that is defined by Wikipedia, a “hacker” can mean many things:
For most of my career, I’ve thought of hackers as being the bad guys. As a cybersecurity leader, my mission in life was to stop those who try to access a computer system by circumventing its security system.
More recently, I’ve met more and more people who call themselves or friends “hackers” using the second definition. The new term has a much more positive connotation, with hack days, hackfests, hackathons, codefests and related events springing up all over the country where you can meet other hackers. In fact, the term hacker has almost become synonymous with clever, tech-savvy person – which includes a much wider audience.
So which type of “hacker” are you? What type of hacker am I? How did we get to this point?
Remembering How the Road Began
I often think back to how I got into a technology career in the first place. I almost dropped out of my college major in computer science on several occasions. There were the after midnight calls from Indiana back to Maryland while I was in college. I would wake my parents up ranting, “I can’t do this! It’s too hard. I’m going to fail.”
My parents would patiently listen, occasionally asking a few short questions. After an hour or more of unloading complaints that I won’t repeat, we would agree to some simple steps I could take like meeting with my advisor, getting a tutor, or studying with different classmates.
My mom would always end with words of encouragement. “We believe in you. We’re thinking and praying for you.” Those words now mean far more than I understood at the time.
My parents got me through school with both financial help and constant support. They encouraged “excellence, playfulness, cleverness and exploration in performed activities” – in academics, sports and every area of life.
The Journey Continues
As my technology career progressed, there were many joys and tragedies. I married my best friend. Sadly, my father died. We moved to Europe. I changed employers several times. We had four children. We moved back to Michigan.
Through it all, my mother was there. We’ve talked every Sunday night for more than twenty years. She would listen, encourage, challenge, motivate, celebrate and cry with us.
Meanwhile, I unexpectedly inherited another incredible gift – a second mother that I love. My mother-in-law didn’t detract from the relationship with my first mom. On the contrary, she brought a wealth of joy and warmth to our family that words cannot describe. Remembering her kind support, her interest in my job, the articles and books she sends me and her pointed questions on world events, always brings a smile to my face.
My two mothers have been, and continue to be, a positive model for my life. They have shown me what it means to be a parent, even when the kids are grown up. They teach me all about cyber ethics – without even mentioning a computer. They encourage me by asking questions in public on work-related topics, when I am (secretly) sure that they care little about the answer.
Even at work, I still feel their influence. I preach trust, integrity, self-sacrifice, kindness, perseverance and excellence to employees at work. I wonder: Who has demonstrated more of that complete package than my two mothers over the past 80+ years? I am truly blessed to have these women in my life.
Hackers and Mother’s Day
Tomorrow is Mother’s Day. I initially struggled with the idea of bringing cybersecurity and Mother’s Day together. But the more I thought about it, the more it makes sense.
My two favorite “hackers” (who don't even recognize the new meaning) are:
Thanks mom – for teaching me what it means to be a hacker - using the second definition.
May 4, 2013 By Dan Lohrmann
What will actually happen in (or to) cyberspace on May 7, 2013?
That is the question that many are asking as they prepare for a promised attack from the hacktivist groups this coming week. According to an announcement in an April 24 Pastebin threat to US and Israeli Governments, “We gonna launch a big attack against The USA Network and we gonna make some Damages.”
Some sources say that this is a serious threat, and government and banking enterprises need to be prepared. Govinfosecurity.com reported:
“Security experts say that OperationUSA, a coordinated online attack against banking and government websites slated for May 7, is a serious threat. As a result, organizations should be upping their distributed-denial-of-service attack mitigation strategies to guard against the attacks, which are being coordinated by the hacktivist group Anonymous.
Experts advise that call-center staff should be educated about DDoS attacks, in case customers call in about online outages or experience difficulty accessing accounts. And network and security teams should actively monitor Internet traffic on May 7 and take steps to block specific IP addresses.”
A look at the Twitter feed for OpUSA yields some interesting tweets, links to anti-USA videos and more. Here is one of those tweets from Cisco Security @CiscoSecurity: “Stay informed about the planned #OpUSA cyberattacks against government and banking infrastructure http://cs.co/9001Xc4N #security”
Is the OpUSA Threat Overblown?
And yet, Krebs on Security reported that the threat may be “more bark than bite.” Brian
“A confidential alert, produced by DHS on May 1 and obtained by KrebsOnSecurity, predicts that the attacks ‘likely will result in limited disruptions and mostly consist of nuisance-level attacks against publicly accessible webpages and possibly data exploitation. Independent of the success of the attacks, the criminal hackers likely will leverage press coverage and social media to propagate an anti-US message….’
In an interview with Softpedia, representatives of Izz ad-Din al-Qassam said they do indeed plan to lend their firepower to the OpUSA attack campaign.”
A copy of the full DHS alert is available here.
So what is Michigan government doing? While I won’t list every step taken here, I can say that we are hoping for the best, while preparing for potential issues to occur. There are a variety of scenarios, but I believe that governments need to be prepared for Distributed Denial of Service (DDoS) attacks and possibly worse. In my opinion, this is now the new normal in cyber threats, and enterprises must be prepared.
I tend to also agree with DHS and Krebs that this may not be as big an issue on Tuesday as some predict. Nevertheless, we must treat this in the way that police regularly investigate other types of serious security threats.
Another observation is that this may become the “new normal” regarding cyber threats. Government enterprises need to have procedures in place to react to these cyber threats and potential attacks. There are services that can be purchased from your ISP to address DDoS, and there are also other security steps that enterprises can take regarding people, process and technology improvements. Michigan has experienced a DDoS attack before, and we will likely see similar cyber attacks again.
One final thought. The bad guys use these types of announcements to test our cyber defenses. They see what we do to mitigate risks or raise the alert levels on Tuesday. This information could be used in the future for unannounced online attacks.
For that reason, I suggest that cyber teams deploy only the defense tools needed, when they are needed. We need to have adaptive cyber defenses that are appropriate for the specific attack situation. Or more simply, don’t openly “show your hand” to the adversary.
What are you doing to prepare for Tuesday? Do you think these cyber threat announcements are becoming the new normal around the world?
April 27, 2013 By Dan Lohrmann
There has been a lot of discussion over the past week about Twitter and the power of social media following the breach of the Associated Press (AP) Twitter feed last Tuesday.
After the verified AP Twitter feed was hacked, a message was sent out that read, “Breaking: Two explosions in the White House and Barrack Obama is injured.”
Immediately, the stock market dropped dramatically. Stocks recovered after it became clear what happened.
Other Fake Tweets?
In case you’re wondering, no, this is not the first time that fake tweets have caused a public reaction. Twitter accounts have also been hacked from National Public Radio, CBS 60 Minutes and Reuters News.
In addition, Twitter business accounts for Burger King and Jeep were also hacked in the past. In the case of Burger King, the tweets made their site look like McDonalds. In response, McDonalds tweeted back that they had nothing to do with the breach – or tweets about the Whopper sandwich becoming a Big Mac.
Back in 2009, millions of people were duped by fake Twitter accounts with quotes from celebrities. “A phony account under the name of film star Christopher Walken and bearing his picture is still regularly read by more than 90,000 people.” Since that time, Twitter has cracked down on fake accounts and put “verified” accounts in place.
Digging Deeper Into Fake Tweet Consequences
What is now clear is that reading a tweet from a trusted source may never be the same.
The Huffington Post asked: Does Twitter have a credibility problem? “The latest hack was by far the most significant: the single AP tweet stunned investors and effectively wiped out $136.5 billion of the S&P 500 index's value in a matter of minutes.”
Now the SEC and FBI are even probing the fake tweets for securities fraud. Here’s an excerpt from USA Today:
“Stolen log-ons for financial and social media accounts readily flow through underground forums, and over the past week, there has been a big infusion of freshly stolen data. ‘Hackers are compromising our computing devices and then spreading false information that can be damaging to an individual or a company,’ Sherry says.
In the wake of the Boston Marathon bombings and devastating explosion in West, Texas, "phishers" sent out links to disaster videos in millions of e-mail messages. Clicking on one of these links displayed the video — but also infected the computing device.”
Getting Personal: Knowing Who, What, When, Where and How We Communicate
So how can we learn from recent incidents? What are we to do with an incredible tweet with news from a trusted source?
The first step is awareness. Understand our current social media environment. Know that fake tweets (and fake emails or text message scams) abound. There is even a fake Tweet builder website out there. (Be aware that fake Twitter followers are a growing multi-million dollar business.)
The second step is to keep a healthy dose of skepticism on dramatic claims/news. We’ve seen denial of service attacks, intellectual property stolen, bank accounts drained, but now this misinformation campaign. So… double check your sources. When announcements come of bombs going off (or worse), check several reputable sites or feeds to gain additional information.
No doubt, this hesitancy takes away some of the benefits of tweets and fast information. But what is more important, getting the data or information right or getting it fast? Yes, we want both, if possible. Nevertheless, we now realize that mistakes can and will be made – and cause harm.
Third, use stronger authentication systems on your own Twitter or other social media accounts. Add two-factor logon, when it becomes available. This may require a smartphone pin, email or text message to gain access, but can make the process more secure. While two-factor authentication will help, it will not make this problem go away. Therefore, we still need steps 1+2.
In conclusion, the recent false alarms with Twitter should signal the need to take a step back and relook at how much trust we place on various channels and real-time messages. Beyond Twitter, there are false messages on websites, Facebook pages and other social media apps. Who is really sending these messages?
Our new high-tech tools provide easier ways to share data quickly, but quality is always hard. For example, I received tweets about the Boston bombers having foreign ties alongside other tweets that said they were definitely acting alone as Americans. Weeks later, we are still sorting out that intelligence information.
Which raises the question, should we be tweeting about those more complex topics anyway? Are our tools being used with proper online etiquette and effective controls? There were many people who displayed bad taste with Twitter during the Boston bombings.
Bottom line, each of us still needs to decide: Can I trust that tweet?
April 7, 2013 By Dan Lohrmann
Recently, my family was discussing lesser known facts about our first President, George Washington. The intriguing conversation centered on George Washington’s 110 Rules of Civility & Decent Behavior in Company and Conversation.
If you’re not familiar with this important corner of history, here’s a brief excerpt from the introduction to George Washington’s rules, drawn from Foundations Magazine online:
These rules proclaim our respect for others and in turn give us the gift of self-respect and heightened self-esteem.
Richard Brookhiser, in his book on Washington wrote that “all modern manners in the western world were originally aristocratic. Courtesy meant behavior appropriate to a court; chivalry comes from chevalier – a knight. Yet Washington was to dedicate himself to freeing America from a court’s control. Could manners survive the operation? Without realizing it, the Jesuits who wrote them, and the young man who copied them, were outlining and absorbing a system of courtesy appropriate to equals and near-equals. When the company for whom the decent behavior was to be performed expanded to the nation, Washington was ready. Parson Weems got this right, when he wrote that it was ‘no wonder everybody honored him who honored everybody.’”
What can we learn from George Washington’s rules today? That was our family’s discussion around the dinner table. What was the most fun, however, was adapting these rules for Internet use. How can these apply to modern life and social media today? We picked our top ten and attempted to translate (with a few laughs along the way). Here they are:
1. 1st & 65th Rules – “Every action done in company, ought to be with some sign of respect, to those that are present. Speak not injurious words neither in jest nor earnest scoff at none although they give occasion.” (Translation for Internet - Be nice online. Written words and posted pics may never go away in cyberspace.)
2. 2nd & 7th Rules - “When in company, put not your hands to any part of the body, not usually discovered. Put not off your cloths in the presence of others, nor go out your chamber half dressed.” (Translation for Internet – No sexting allowed, or plucking hairs or scratching body parts while on Facetime or Skype.)
3. 5th & 6th Rules – “If you cough, sneeze, sigh, or yawn, do it not loud but privately; and speak not in your yawning, but put your handkerchief or hand before your face and turn aside. Sleep not when others speak, Sit not when others stand. Speak not when you should hold your peace. Walk not on when others stop.” (Translation for Internet – Stop and think before you connect. Or, get an avatar to represent you.)
4. 17th Rule - Be no flatterer, neither play with any that delights not to be play'd withal. (Translation for Internet – Stop sending spam. Be careful when “the deal” online looks too good to be true.)
5. 18th Rule - Read no letters, books, or papers in company but when there is a necessity for the doing of it you must ask leave. Come not near the books or writings of another so as to read them unless desired or give your opinion of them unask'd. Also look not nigh when another is writing a letter. (Translation for Internet – No reading your email or surfing in meetings. Leave the room if you get an emergency call.)
6. 22nd Rule – “Show not yourself glad at the misfortune of another though he were your enemy.” (Translation for Internet – Stop the boasting, mean comments or mean-spirited ranting on Facebook, sports sites or blog posts. Ask: How will the other people feel after the “fun” ends?)
7. 25th Rule - Superfluous complements and all affectation of ceremony are to be avoided, yet where due they are not to be neglected – (Translation for Internet - Don’t forget to post ‘Happy Birthday’ on Facebook for friends. But be careful not to overdo office celebrations. On the contrary, don’t neglect meaningful accomplishments or milestones.)
8. 38th Rule - In visiting the sick, do not presently play the physician if you be not knowing therein. (Translation for Internet – Become a trusted source online. Stop the fraud or misrepresentation. Don’t be something you’re not online or present your resume, expertise or online profile in an exaggerated way. Others will see it and label you as someone without integrity.)
9. 50th & 89th Rules - Be not hasty to believe flying reports to the disparagement of any. Speak not evil of the absent for it is unjust. (Translation for Internet – Stop believing urban legends or spreading false gossip or slander. Go to www.snope.com to check facts or do some real research. Deal with disagreements with the individual(s) who is part of the solutions.)
10. 60th & 71st & 81st Rules - Be not immodest in urging your friends to discover a secret. Gaze not on the marks or blemishes of others and ask not how they came. What you may speak in secret to your friend deliver not before others. Be not curious to know the affairs of others neither approach those that speak in private. (Translation for Internet – Keep personal ‘secrets’ off the social media websites. They will be forwarded to others. Also, hacking into other people’s passwords or social media sites will lead to trouble.)
I could go much further, but in order to abide by Washington’s brevity advice, I think it is best to stop. I urge you to take 15 minutes and read George Washington’s original rules. Better yet, discuss them with family, colleagues and friends. I’d also love to hear your thoughts (in the comments section) for how to apply these words to social media decency today.
I’ll leave you with perhaps my favorite rule from George Washington’s list. Rule 110 says, “Labor to keep alive in your breast that little spark of celestial fire called conscience.” That sums it all up for me.
March 31, 2013 By Dan Lohrmann
The book 1984 was written by George Orwell in the 1940s. Words and concepts such as “Big Brother, doublethink, thoughtcrime, Newspeak and even Orwellian” come from this famous literary work.
More than sixty years later, philosophers still argue about what Orwell would say about the Internet, technology in 2013 or our future, if Orwell were alive today. Students continue to read and learn from Orwell and debate questions about security, privacy and monitoring on the Internet today.
Taking a step back and shifting the focus to tomorrow, what are today’s futurists predicting? And for security, what is coming down the road? I believe that this is more than just a fun daydreaming exercise. Indeed, we can learn some lessons to apply today by thinking more about tomorrow.
The Future According to Kurzweil
Futurist Ray Kurzweil says we’ve only just begun to innovate. He predicts a world with in-body computers to detect and fight disease and a world dominated by artificial intelligence.
After founding several companies, Kurzweil was recently hired as director of engineering for Google, so his ideas are not just far-fetched dreams. Here’s an excerpt from a late-January 2013 interview:
You have said that by the 2030s, people will have blood cell-sized computing devices in their bloodstreams and brains that connect directly to off-site computer data servers. What makes you think that?
We already have computerized devices that are placed inside the body and even connected into the brain, such as neural implants for Parkinson’s disease and cochlear implants for the deaf. These devices can already wirelessly download new software from the cloud. Technology is shrinking at an exponential rate, which I’ve measured at about 100 in 3D volume per decade. At that rate, we will be able to introduce blood cell-sized devices that are robotic and have computers that can communicate wirelessly by the 2030s.
How would such devices be regulated to ensure that outside forces can’t manipulate people’s thoughts and actions through the Internet?
Privacy and security are already very significant issues, considering the personal and intimate things that people do with their computers. This is an issue we will never be able to cross off our “concern list,” but we’re actually not doing that badly. Relatively few people today complain that they have been significantly damaged by privacy and security breaches. ...
Near-term Predictions: AOL’s ‘Digital Prophet’ David Shing
But Google’s engineers aren’t the only ones thinking about the future. AOL has their own futurist - Digital Prophet David Shing. In a recent presentation which focused more on the next decade than twenty or thirty years out, the ‘shock-haired Australian’ described ten predictions.
Here are a few of those:
The Future of Marketing?
And how will this change Internet Marketing over the next few years? I found this post on the future by “Dan (@Tropical MBA)” to be fairly compelling. While this topic of marketing trends may seem irrelevant to security and technology professionals, remember that we need to pay for our Internet content somehow. Business marketing of products is a major driver in technology innovation and service delivery.
This entire article is worth reading, but here are three of his seventeen trends:
The Future of Cybersecurity
So what does all this mean for the future of cybersecurity? A few months back, I articulated my views on what it will mean to be a security leader in 2020 for CSO magazine. One key message is that roles within security will only increase, as we depend more and more on technology moving forward. We are already witnessing the growth in the importance of embedded technology within critical infrastructures.
Another message: Security leaders should strive to be trusted advisors.
One perspective (which I believe is flawed) is that once we “figure out” identity management, current Internet holes and ID theft (possibly with biometrics), we will start to see a dramatic reduction in the role of cybersecurity. I disagree.
The list of future technology trends listed will mean that hacking and computer security concerns will evolve to include social media attention, imposters infiltrating trusted networks, the delivery of university education, devices implanted in the body, cars that drive themselves and much more.
For the foreseeable future, we will have what Kurzweil calls, “Personal and intimate things that people do with their computers.” Thus the need for continued security and privacy protections.
Or as Orwell once wrote, “We sleep safe in our beds because rough men stand ready in the night to visit violence on those who would do us harm.”
Building effective virtual government requires new ideas and hard work. Security professionals need to be enablers of innovation. From helpful Internet training to defending cloud computing architectures to securing mobile devices, Dan Lohrmann will cover what's hot and what's not in protecting your corner of cyberspace.