July 28, 2012 By Dan Lohrmann
I have some time sensitive information for network and security administrators around the country:
Don’t be lulled to sleep by the lack of network traffic at work from the Olympic Games opening ceremony.
The remarkable opening ceremony for the 2012 Summer Olympics in London was broadcast on NBC last night using the decades-old approach – tape delayed at 7:30 PM on one traditional television channel. There was an NBC blackout of the live opening ceremonies in the USA on both TV and the Internet. (Critics were hitting hard at NBC for their decision to black out live coverage of the opening and closing ceremonies, but let’s move on.)
The 2012 Summer Olympic Games are here, and the five to eight hour time difference between the mainland USA and the UK may be just the right combination (perfect storm) to bust your work network(s). According to numerous sources, NBC will be airing over 3500 hours of live Olympic coverage. There will also be plenty of next-day highlight videos to watch. This means that all those badminton-lovers out there will be able to get their fill of the sport via the Internet.
Seriously, this issue is a real threat to the survival of some company and government networks over the next few weeks. This opportunity comes, at most, every four years. The 12-15 hour time difference between the USA and China makes comparisons to the 2008 Beijing Summer Olympics almost meaningless.
We know from the past that the live streaming of sports can be a network killer. Businesses around the USA discover this fact during March Madness (basketball) games if the local team is playing on a Thursday or Friday afternoon. I have spoken with some companies that even shut down work during such popular sporting events, and others use the opportunity for a team-building event watching the game. However, that “if you can’t beat them join them” strategy won’t work for two weeks of Olympic sports.
For the sports enthusiast, the opportunities to watch Olympic competitions seem almost endless. New issues this time around include the mobile device problem along with company BYOD policies. So even if you filter sports or limit live streaming into company networks, could employees be running up bills on company-owned smartphones or iPads? Computerworld ran a story on this topic entitled: IT’s Olympic Challenge: Live Streaming Employees. Here’s an excerpt:
“Employers say, minimally, they'll be monitoring networks and will be prepared to cut off streaming access if they must. Some IT managers are reminding staff about network corporate policies.
Another problem is the potential for out-of-control mobile costs. Many employers support far more streaming-capable devices today than they did for the 2008 Olympics in Beijing…
Daniel Rudich, the senior vice president in charge of real time expense management at Tangoe, said the Olympics could have a 5% to 10% impact on their overall mobile budgets if users aren't prepared for it….
Brandon Jackson, the CIO of Gaston County, N.C., said the county's current default ‘is to block streaming media sites for most of our 1,200 users.’ However, he said exceptions are made for those workers who have "a documented business case" for accessing streaming media….”
Here are seven questions to ask executives and/or things to keep in mind:
1) What is your policy regarding personal use of computers, sports and filtering? Can you enforce the policy? What controls are in place?
2) Is watching live sports (or other personal entertainment) videos or streaming media allowed? (For companies that say they just trust their employees to get work done, some extra reminders and oversight may be required in the next few weeks.)
3) Can you limit bandwidth for video or live streaming, if necessary? Are the tools in place to adequately monitor network performance? (Again, special attention may be needed right now.)
4) What is the policy for “inappropriate use” of personally-owned devices? Even if the company network may not be impacted, worker productivity can still be a problem.
5) Watch out for Olympic-related malware and spam links. Warn users as necessary. Remember that global or national headlines provide opportunities for the bad guys as well, since users will be intrigued.
6) Turn lemons into lemonade - Take this opportunity to train staff and reinforce policies. When everyone is watching, it is often easier to get their attention in meaningful ways.
7) Beyond the London Olympics, think longer term and develop “what if?” scenarios for a variety of sports and/or other entertainment events. Test your controls.
One final thought. If a “not so stellar” employee suddenly starts coming into work early over the next few weeks to “get caught up,” you may want to check the network traffic – and the Olympic beach volleyball schedule.
July 22, 2012 By Dan Lohrmann
The countdown clock began long ago. We’re now under a week to go until the 2012 Summer Olympic Games begin in the United Kingdom (UK). But sadly for security pros preparing for this massive undertaking, the unflattering headlines pretty much summed up ongoing security problems. Here are a few samples:
Wall Street Journal: An Olympic Security Mess
“Last week, global security contractor G4S, which had contracted to provide 10,400 temporary security staff, announced that it could not meet its target. It now hopes it can provide some 7,000, but remains thousands short of even that.
G4S's failure has forced the British government to call in the Army and police from around the country to make up the difference. It has also led, predictably, to a round of condemnation not only for the private firm responsible, but for private contracting by public bodies.”
CBC News (Canada): Olympics security chief admits firm humiliated Britain
“The chief executive of the G4S security group acknowledged today in London that his company's failure to live up to its Olympic obligations has turned into a country-wide humiliation.
Quizzed by a panel of angry British lawmakers Tuesday over his company's failure to recruit enough people to guard the Games, Nick Buckles gave a grovelling mea culpa.
‘It's a humiliating shambles for the country, isn't it?’ asked Labour lawmaker David Winnick.
‘I cannot disagree with you,’ Buckles said.”
CBS News (US): Olympic security shortfall called “absolute chaos”
“G4S, one of the world's largest private security firms, says it has recruited more than 20,000 staff for the games. But its failure to have them all trained and deployed, two weeks before the July 27-Aug. 12 Olympics begin, has left British officials scrambling to plug the gaps.”
There are very few security bright spots so far. This fiasco is clearly the kind of negative press that security leaders hope to avoid when preparing for major world-wide events. This series of events is also a far cry from the positive Olympic security attention received at the Vancouver Winter Olympic Games in 2010. In general, security pros “win” when they stay out of the news.
British security teams have quickly moved to “Plan B” with local police taking on the duties that their private sector partners could not perform, such as becoming venue guards.
Perhaps even more embarrassing, if that is possible, was the announcement last week that two G4S security guards who were recently hired were arrested on suspicion of being illegal immigrants.
“The men, who are believed to be from Pakistan, had secured jobs with the under-fire firm to work at the City of Coventry stadium, which is due to host 12 matches.
Officers swooped on the venue after their alleged bogus status is said to have been revealed in an accreditation check by G4S, which has been criticised after failing to provide enough staff for the Games.”
As might be expected, British Prime Minister David Cameron vowed to go after G4S for the extra costs to the public.
The Games Must Go On
But despite all this bad news, the excitement is building around the world as we prepare for the Friday, July 27, 2012, opening ceremony and a packed two weeks of sports competition. (Side note: more events than ever will be online. So expect people to be watching events at work and on vacation.)
The Olympic Torch has now reached “sky-Eye” central London, and I suspect that most people are ready for the real (sports) action. It was announced that Bob Costas will pay respects to the victims of the 1972 Munich Massacre during the opening broadcast. And this historic story offers a potential path for redemption for the current security mess, I think.
The real security test comes during the next three weeks. Will any bombs go off? Will all athletes and spectators be safe? Will protests cause major disruptions? Was London, a high-profile target for terrorism, a bad choice for this globally-watched series of sporting events?
If all goes well, without a significant terrorist incident or major security headline during the games, the lasting security damage can still be minimal in my view – when compared to Munich, 1972.
What I mean is that the world is excited about the opening and closing ceremonies, our gymnasts, track and field events, swimming world records, the personal journey for athletes and so much more. If things get back on track this week, all may still be forgiven – with a few inevitable lawsuits. So while gold may be out of reach, the security teams can still go for the silver lining.
Could most of this security trouble have been avoided? No doubt. Do the authorities need to hold G4S accountable? For sure. Will there be “lessons-learned” reports on security for future Olympic cities? Absolutely.
Nevertheless, this chief security officer remains somewhat optimistic. I’m hoping that, as our friends from India are saying: It’s okay London.
July 7, 2012 By Dan Lohrmann
Over the past few weeks, global news outlets have been warning users about Malware Monday and the pending Internet shutdown on July 9, 2012, for computers still infected with the DNSChanger malware. While the issue is certainly real, this blogger believes many headlines were (and still are) too alarmist.
For example, I view much of this material as “Fear, Uncertainty and Doubt” (FUD):
NY Daily News: How to avoid Monday’s Malware Meltdown? (I like the picture of a dark room full of computers with one user PC working.)
ArticleCell.com : Could Your PC be Heading to Malware Armageddon on July 9? (Armageddon, really?)
Even, our own … Government Technology: Are you safe from Internet Doomsday?
I find most of these articles to be somewhat informative, attention-grabbing and overblown in spreading fear. I worry that we are using up our (very few) cybersecurity industry silver bullets on the wrong Internet “crisis.” There are plenty of very, very serious problems online right now, but I would not put Malware Monday at (or near) the top of the list.
One could even make the argument that this malware event is self-imposed, in that the FBI is turning off servers which they could leave running a bit longer to avoid “Monday’s Malware Meltdown.” Note: I’m writing this article on Saturday, July 7, and the courts could still order more time before the FBI turns off the servers.
Indeed, I could argue this "hold off a bit longer" point from either side, and there are polls which ask if the FBI should allow more time. Almost 90% of those taking the survey think it is time for the FBI to pull the workaround plug – and several good articles give reasons why.
All signals point to an event Monday that will impact a few thousand people who haven’t been paying attention but not the majority of us. I will be shocked if any major U.S. companies are paralyzed or out of business on Monday morning because of DNSChanger malware problems.
How Should We Prepare?
I like the tone of National Public Radio (NPR), which led with the headline: Malware Monday Just Another Day on the Internet for Most of Us.
The article begins, “Beware of Malware Monday on the Internet, but don’t be too concerned.”
In Michigan government, we have been working this problem since last year, and we have been coordinating action with the FBI and MS-ISAC – like most state and local governments. We also sent out notices to our customers and agency public information officers (PIOs) about the situation and what to do in the event of a problem on Monday. We believe that we are ready.
What Can We Learn From Malware Monday?
I'm taking a bit of a chance by writing lessons learned about an upcoming event that hasn’t even played out yet, but I believe that I can safely mention some items. I am making a few assumptions about what will likely happen, specifically that some people will lose Internet access, but most people will be fine online.
Nevertheless, here are seven enterprise takeaways from the handling of the overall DNSChanger situation:
1) DON’T be a laggard regarding known Internet fixes - Follow industry guidelines and accepted practices in resolving malware and you won’t have to worry about these fix deadlines. (Most companies resolved this issue many months ago and are not very concerned about this Monday.)
2) Workarounds may still be around (and last) longer than you think. Ask the FBI, who wanted to turn off their “temporary fix” back in March. These types of situations come up fairly often in large enterprises, especially if we are supporting legacy systems and older technology.
3) Beware public decrees of “Internet Doomsdays.” Cut back on internal FUD, where possible. Over time, these global pronouncements sound as if we are crying wolf, if we are not careful. Indeed, many of our customers already believe that we declare a crisis multiple times a year. They are starting to yawn.
4) DON’T – Over-react to headlines and claims. Do your homework. How will this affect your enterprise? Coordinate with all relevant parties to understand roles / responsibilities.
5) DO – use well-researched facts to calmly deliver timely messages to customers when needed. Help them understand the ramifications at both home and work. What can they do to resolve the situation? How can they prepare? What are you doing? What’s next?
6) DO – Communicate in informal and formal ways. Become a trusted partner who can decipher scary headlines for users. Make lemonade out of the lemons. Use the front-page stories to get your key messages out – while everyone is hearing about these topics on the front pages of USA Today and the Washington Post and on TV.
7) DO - Test plans, run exercises, use scenario planning and more to be ready in case the “what if” worst case does happen. Or, are you truly prepared for outages, disasters and more? Talk to your teams about various options and solutions.
In conclusion, I like this quote from Zig Ziglar. “Expect the best. Prepare for the worst. Capitalize on what comes.”
UPDATE: Monday, July 9, 2012 at 7 AM (EST) - So far there have been minimal reported disruptions online related to Malware Monday and DNSChanger. We are still too early for final judgments, but so far so good regarding the Internet's overall functioning. There continue to be scary headlines and articles being displayed this morning from global news organizations and newspapers, such as Malware on Monday Update: Internet Service Providers brace for shutdown calls. Top searches continue to lead to this article from July 6, from the United Kingdom: Could the Internet Really Shut Down?
UPDATE: Monday, July 9, 2012 at 6 PM (EST) - As expected, reports of impacts on the Internet from Malware Monday have been minimal - even a bit less than I anticipated overall. ISPs are playing down any service disruptions that have been experienced by their customers. It is now clear that the doomsday scenarios were hype regarding DNSChanger. Yes, the threats successfully received global press attention, but these widespread headlines may cause future (real) Internet alarms to be ignored. I certainly stand behind the above "lessons learned" - with even more conviction now.
FINAL UPDATE: Tuesday, July 10, 2012 at 6 AM (EST) - Malware Monday officially ended a few hours ago, and the LATimes reported that the DNSChanger Malware may have affected about 47,000 Americans who had difficulty connecting to the Internet. The news surrounding the event was mostly hype, according to many news sources. Time to move on to new topics.
June 30, 2012 By Dan Lohrmann
I was recently on vacation with my family in Ocean City, Maryland. As I powered up my iPad from our fifth floor condo on 136th Street, more than a half dozen wireless networks popped up. I asked myself: Can I use (or trust) any of these? Are they free? Is it worth the risk, if they are?
The names were intriguing to me, ranging from Netgear58-5G to Oceanside136 to OceanNet Public Internet ST to Wireless Beach Access. Some of these networks had locks next to them and others did not. Clicking on a few of the options, I received a splash screen asking for a credit or debit card number. The price for access ranged from $4.99 for one hour to $9.99 for 24 hours to $42.99 for one month (31 days).
Other WiFi networks asked for a password, and I am happy to report that the networks were fairly secure. (My son wanted to start guessing passwords based upon the network names or Ocean City street names or boardwalk trivia, but I persuaded him not to go there.)
In case you’re wondering: no, I did not connect to any of these hotspots, and my wife and I preferred to use our Verizon data plans instead. This meant we had to up the number of minutes on her monthly data account, and that cost us an additional $20. I did use the free McDonalds WiFi, and the free WiFi at another restaurant but passed on the others.
But this situation leads to a series of questions that I’d like to address for travelers, such as: are any of these WiFi networks safe? Plenty has been written about airport Internet access and free WiFi in hotel lobbies, but what about wider issues for families traveling on vacation? Are there tips regarding which networks we can trust? Are there certain traps we should avoid?
First, how safe are free public WiFi networks? Well this video claims that WiFi hacking is the fastest growing consumer crime in America. This ABC News video on WiFi networks is also worth viewing. Here’s another good video on WiFi security from central Indiana. One message that is clear is that hackers are setting up fake hotspots to view your personal data.
If you do connect to free WiFi networks, you need to understand the risks and the lingo. Check out this article, which described the different buzzwords that are important. From sniffing to sidejacking to honeypots, this picture offers a great summary of the relevant terms.
Infographic by Veracode Application Security
Here are some more helpful tips that I found along the way: Five rules for (safely) using public WiFi networks. I’ve abbreviated the list here, but click on the article for more details:
Also, here’s an extended list of tips for using WiFi networks when traveling (the list is from Symantec).
One simple tip is to use a trusted network from the resort or hotel that you’re staying in – if available, such as Disney’s free WiFi. But even if you trust the source, the safety tips are still important to help.
Another good tip is to ensure that your personal firewall is enabled on your PC.
Bottom line, using public WiFi remains a minefield. While avoiding free WiFi is probably not practical for most people, we need to take steps to protect our computers and our families when traveling. Understanding your options is a good first step, but we need to take action on known steps to protect our data on vacation.
Any WiFi tips to share? I’d love to hear about your experiences, so leave a comment.
June 16, 2012 By Dan Lohrmann
What’s appropriate and what’s not regarding the use of social networks? Beyond formal codes of conduct at work, what behaviors and attitudes will likely lead to trouble? What tips can we share from those who have gone before us and learned about the good, the bad and the ugly? What good habits enable a positive experience in the long run? And, what are some examples of social media technology being used in destructive ways that undermine relationships?
These are topics that need more attention, in my opinion.
One aspect of cybersecurity that gets far too little attention online is pragmatic cyber ethics. Most security bloggers (including me) spend beaucoup time elaborating on viruses, malware, hacking, passwords, insider threats, external bad guys, policies, conferences, cloud computing challenges, do’s and don’ts of government technology contracts and more. However, we spend too little time addressing online etiquette issues that are getting people in trouble – even when technology and security are working properly.
Don’t get me wrong. Social media marketing advice abounds – if you are looking for it. A quick Google search will yield almost half a billion page views. One top article offers: 10 Social Media Tips From a Top Media Agency, with advice like “Don’t Be an Island” and “Listen Up.”
But marketing is not what I’m talking about. I’m referring to personal advice that works for the average user – even at home.
I like this About.com article entitled: Top 10 Social Media Do’s and Don’ts, which focuses on finding a job using social media. Also, there is advice on how to act online to, amongst other things, “not get fired.”
Another worthwhile article is a few years old but still very relevant: Social Media Etiquette: 20 Dos and Don’ts to Avoid Looking Like an Ass. Here’s an excerpt:
“… DO think before “speaking.” – Yes, social media involves the ability to publish your thoughts instantly. But just because something pops into your head, it doesn’t mean it should be shared with the world. Think first.
DO personalize messages and introductions. — When you first connect with someone new and they don’t already know you, go ahead and say hello. Let them know how you came across them. It’s a little less creepy and you might just make a great impression.
DO think (and network) outside your circle. — If your social networks only involve people who agree with you, you’re living in a box. It’s silly at best.
DON’T post questionable photos of others without their permission. — Regardless of whether or not you legally need a model release to post a certain photo, don’t post anything questionable or compromising of someone else unless you check with them first. It’s just the right thing to do. And if you don’t, remember this — karma’s a bitch. You have no idea what they have on you.
DON’T send automated messages to new followers. — When someone follows you on Twitter, don’t use automated tools to immediately bombard them with messages (no matter how sweet you think you’re being in your not-so-personal “hello”). Remember, it’s not just you annoying them — others are doing it too….”
But my favorite social media advice, and the blog that got me thinking about this topic again this week, comes from Pastor Kevin DeYoung. I urge you to read his entire post – regardless of your religious beliefs. Here’s an excerpt from: The One Indispensable Rule for Using Social Media:
“…Whether you are a tween, a teen, a pastor, a politician, a grandma, or a grad student, whether you blog, tweet, post, or pin, here is the one indispensable social media rule you must follow if you want to be wise, edifying, and save yourself a lot of anguish:
Assume that everyone, everywhere will read what you write and see what you post.
No matter your settings or how tight your circle is, you ought to figure that anyone in the world could come across your social media. All it takes is a link or a search or a bunch of friends you don’t know gathered around a phone that belongs to someone you do know. Anyone can see everything. Your pastor, your parishioners, your ex-whatever, your boss, your prospective employer, your spouse, your kids, your in-laws, your I don’t know if people forget fans, your constituents, your opponents, your enemies, your parole officer, the girl you like, the dude who freaks you out, the feds, the papers–assume everyone can read your rant and see your pics….”
Now I’m sure that some readers will misinterpret this perspective – especially when endorsed by a chief security officer. No, I am not giving up securing sensitive data via appropriate channels. Yes, I think Facebook, Google and others should offer better privacy setting options.
But social media sites are, by design, very open and shared. Kevin's advice affects how we wisely post material and interact in online conversations. There are real consequences to bad judgments regarding whether content should be posted. One friend said to another friend: “What part of the words ‘social media’ don’t you understand?”
I even left a comment on Kevin’s blog about this rule applying to most email exchanges at work. (I know this goes beyond the social media category.)
Yes, I believe secure email can be private. However, I have seen hundreds of examples of inappropriate use of email by staff to rant about personnel problems, coworkers, their management, a lack of a raise, their spouse or other topics. These emails can be forwarded to others, show up in court proceedings via an e-Discovery (court-order) request, be accessed via the Freedom of Information Act (FOIA) in governments, be sent via “blind cc,” or even be inadvertently read by coworkers on screens.
I’m no longer surprised by stories of the inappropriate uses of social media. Yes, I am an optimist who believes that technology can, and will, do amazing things. But as Thomas Jefferson once advised, “When angry count to ten before you speak. If very angry, count to one hundred.”
I think this quote applies to online social media channels as well. What are your thoughts? Any tips to share?
Building effective virtual government requires new ideas and hard work. Security professionals need to be enablers of innovation. From helpful Internet training to defending cloud computing architectures to securing mobile devices, Dan Lohrmann will cover what's hot and what's not in protecting your corner of cyberspace.