Those Creepy Advertisements!

You may have heard this already, but this social networking thing is starting to get popular. It’s fundamentally altering the way we conduct our daily lives and that has lots of people coming unhinged. Daily shrieks on my Facebook wall warn of a new plan from the modern day Trilateral Commission (Facebook, Google, and Foursquare) to turn us into strung out, ad-clicking junkies so they can cut off our heads and mount them on pikes. News reporters who wouldn’t know the difference between a browser cookie and an Oreo cookie write terrifying stories about web sites stealing deep, dark, private secrets: like the URL for your Facebook profile that is already indexed by Google.

But I had to write this post after reading the latest prediction of the privacy apocalypse from the Intelligentsia. In a February Wired Magazine article titled “Your Life Torn Open,” Andrew Keen wails that we are being led down a primrose path to Hell with these social networking sites. Fear mongering has a long and glorious history – especially in journalism and politics – because fear is such a powerful emotion. If Gordon Gekko were a journalist instead of a Wall Street banker he would have said, “Fear, for lack of a better word, is good.”

While being concerned about your privacy is very important, articles like Keen’s focus the attention in the wrong place, in my opinion. In an effort to warn people about an impending doom, he’s inadvertently doing more harm than good. His article peddles three untruths that I see commonly thrown around and I will take exception to them now.

#1 – Social Networking is Narcissistic

In my opinion, this is the laziest, most gratuitous slap anyone can take at social networking. Almost invariably, they cite Tweets about what someone had for lunch or wall updates about what their pet did this morning. Since social networking begins with us talking about ourselves, it’s really easy (too easy) to make quips about it being narcissistic. But it’s also demonstrably false.

If social networking were truly narcissistic, then NOBODY WOULD FOLLOW ANYONE BUT THEMSELVES. And that would pretty much defeat the whole purpose of a social network, wouldn’t it? The very fact that someone has Facebook friends or Twitter followers annihilates the argument. I follow other people because I either learn something from time to time, or am entertained by that person, or want to keep my relationship with them warm by seeing what they’re doing. I’m interested.

There are billions of people on this planet who could not possibly care less about what I have to say. From their perspective, I’m obviously self-absorbed for writing about stuff they don’t care about. But I’m not talking to them. I’m talking to the few hundred or thousand who do care. I’m talking to you. Does that make me a narcissist?

Now, I have no doubt there are true narcissists in social networks, but that’s because they are already narcissists and would be whether Facebook existed or not.

#2 – We Aren’t Naturally Social Beings

This line in Keen’s story made me burst out loud with incredulity. This is absolutely, demonstrably false. There have been countless experiments illustrating that many of our irrational behaviors are specifically geared toward social acceptance and group dynamics. Fear of public speaking is an example. We developed a fear of standing out from a crowd as a survival mechanism because there’s safety in numbers. Cognitive researchers have shown that our decision process is highly dependent on and easily swayed by others’ opinions. This helps promote harmony in small groups so that consensus can be reached on important decisions.

Keen opines that “human happiness is really about being left alone.” Really? Do I really even need to make an argument against that? Everybody likes some alone time now and then, obviously. But for my entire adult life I’ve heard about how our social fabric is being torn apart by people moving out of cities and into solitary lives in suburbia.

Now all of a sudden we’re all Greta Garbo? Here’s a free tip if you’re feeling too “social” – shut down your laptop and turn off your phone for a few hours. Problem solved!

#3 – Social Graphs Are Evil

Whereas the first two points I’ve made are demonstrable facts, this one is a little more of an opinion and personal preference. However, I feel like the whole paranoia over privacy settings gets a bit hysterical sometimes. First of all, you’re in complete control over what data you want to share and what data you want to keep private. Yes, reasonable people can argue about whether or not it could be more user friendly but the capability is there.


Second, we’re not talking about sharing social security numbers and credit card details. We’re talking about the brand of car you drive, your favorite songs and television shows, and news articles you’ve read. Lots of people think it’s “creepy” that this information can be used to target advertisements to us when we log into Facebook or visit a newspaper website. I prefer to think of it as spam-blocking. I’m all in favor of giving these websites information that lets them improve the ads I see and offers I receive so that it’s more relevant to me.

Let’s Be Smart

OK, please don’t waste our time by mis-characterizing my point: I am not saying you should make everything public. I am not saying there’s no such thing as identity theft. I am saying that you should be concerned about the important things, like strong passwords and recognizing a phishing attack when you see one. Those are much, much more important than preventing Facebook from telling someone your favorite artist is Justin Bieber.

Well, maybe you do want to keep that one private.

Let me know what you think about privacy and targeted ads. I think there are more dangerous things to worry about but maybe I’m missing something.


High Five for Week Ending 20-Dec

Published on December 20, 2009 in High Five


Weekly High Five lists the most interesting, compelling, and/or useful links of each week.

Welcome to the “Threats and Opportunities” version of the High Five.  This week’s links describe some things to be concerned about in 2010, and some trends to be excited about.  The last link is an absolute must-watch video!

#5: Hackers are defeating tough authentication, Gartner warns

Another day, another scary article about how online identities are being compromised. The takeaway here is to become a more intelligent Internet user and take responsibility for your online accounts (for more information on this subject, see “How to Spot Phishing”).

Link: Computer World

#4: Green light for internet filter plans

From the “Big Brother Is Watching” department, Australia is considering forcing Internet service providers to install web site filtering to remove criminal content. All the same questions apply here. Who decides what’s criminal? How do you implement it? The reality is that this is very easily thwarted, and kids, criminals, and deviants will be able to get around it within hours of the filters being put in place.

Link: ABC News Australia

#3: The 12 Days of Christmas: Website Disaster Style

This is a very creative and effective article that describes some fundamental yet all too common mistakes that are being made with regard to web site design and architecture. It makes them very understandable to the noob (newbie).

Link: SEO.com

#2: What Matters Now

Meaningless coincidence; last week’s #2 position was also a post from Seth Godin. This is a free e-book that is a compilation of observations and advice from scores of the leading thinkers of our digital age.  I don’t even know where to start with this, as there is so much information, advice, and inspiration in this document.  You must check it out.

Link: Squidoo

#1: Forecast for 2010: The Coming Cloud ‘Catastrophe’

This is a really unfortunate title that appears to be a typical “least common denominator” appeal to fear mongering. However, this video and article provide ten predictions for next year that are fascinating and extremely thought provoking. In fact, the cloud catastrophe prediction is just one of ten, and in my opinion the least interesting.  There is one prediction about journalism and the media with which I completely disagree. However, I’ll be authoring a post soon on the trends that are predicted in this story, and many of them can be summarized with this recommendation: “THINK SMALL.”  This is a must-view video!

Link: Business Week

Feel free to provide your thoughts and/or contributions…


This afternoon I presented “Introduction to Cybersecurity” to members of the New England Water Works Association in New Haven, CT.  The presentation focuses on a recurring theme of this blog, no/low cost options for improving security, and in particular on the challenges of securing SCADA (Supervisory Control And Data Acquisition) systems.

During the presentation, I stressed the point that humans are the weakest link.  I wish it had occurred to me to embed the following video of Kevin Mitnick demonstrating social engineering techniques:

Remember, people are the weakest link.


Top 5 No Cost Cyber Security Practices

Is cyber security a technology problem or a people problem?

Cyber security is a complex, highly technical subject that is best left to the nerd in the computer room battling against the pimply-faced hacker sucking down Mountain Dew in his mother’s basement, right?  It’s a cat and mouse game that pits the white hats against the black hats, the antivirus computer scientists against the hackers, right?  It’s certainly not the realm of the average small business owner, right?  Wrong, wrong, and wrong!

What if I told you that human error was more responsible for data breaches in 2008 than hacking?  What if I told you that hacking was third on the Identity Theft Resource Center’s (ITRC) categorized list of data loss methods?  The reality is that cyber security is a people problem first and a technology problem second.

More Awareness, Less Reliance


Most organizations are oblivious to the weakest link in the security chain

I’ve come to a remarkable, if not depressing, realization in my information technology career.  Over the last 20 years of consulting, I’ve visited scores of clients in hundreds of facilities and I can easily count the number of times I was ever given any sort of cyber security orientation – exactly once.  I’ve walked into propped-open back doors of more manufacturing facilities than you can shake a stick at, and more often than not waltzed right up to a machine control panel, hooked up my laptop, and started pounding away at the keyboard while smiling and waving at trusting operators I had never before met in my life.  The realization is this: the vast majority of companies, large and small alike, are completely oblivious to the weakest link in the security chain; people.

The misperception that cyber security is all about technology is a serious mistake that is made by both small and large businesses.  The small businesses often believe that they are not sophisticated enough to employ their own cyber security programs and, therefore, either ignore it altogether or simply outsource it to an IT subcontractor.  The large businesses spend millions of dollars on intrusion prevention systems, biometric security, and other sophisticated technological countermeasures.

Hopefully by now I’ve made the point that cyber security is about much more than firewalls, Trojans, and keyboard loggers.  So without further delay, here is a list of five no-cost practices every organization can implement that will go a long way toward securing their data.

Use Passwords, Use Them Well

OK, show of hands… how many of you are rolling your eyes?  It sounds obvious, but password laziness and ignorance is still the number one vulnerability for computer systems.  I understand how painful it is to maintain all of the user names and passwords in our lives these days.  However, it is the world we live in and we must accept it and follow these bare minimum password practices:

  • No shared passwords:  This is especially common in process automation where there are many users of the same machine.  Everyone must have their own unique user name and password; otherwise a disclosed password cannot be traced to anyone, and cannot be revoked without locking everybody out.
  • Complex passwords:  Use combinations of letters and numbers, preferably not built from a word that is in the dictionary.  Why?  A dictionary attack tries every word in a large word list plus the obvious variations (capitalized, a digit or a year tacked on, “3” for “e”), so a password like “Summer2009” falls in seconds even though it mixes letters and numbers; length does more for you than any single substitution.  Read this article about Dictionary Attacks.
  • Change passwords:  This is probably the most annoying of these three practices, and I confess that it aggravates me to have to do.  However, changing passwords periodically is one of the best ways to prevent misuse of a password that is unknowingly (or even deliberately) disclosed.  One caveat: more recent guidance (NIST SP 800-63B) advises against forcing arbitrary periodic changes, because users respond with predictable increments such as “Summer2009” becoming “Summer2010”, and instead calls for an immediate change whenever there is reason to believe a password was disclosed.
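To make the dictionary-attack point concrete, here is an added example in Python (not code from the original post). It hashes a handful of constructed passwords with unsalted SHA-256, standing in for a leaked credential store, then runs a tiny word list through a few common mangling rules. The five-word list, the four passwords and the rule set are all assumptions made for illustration; real cracking tools such as John the Ripper and hashcat carry millions of words and far larger rule sets, so anything that falls here falls much faster in practice.

```python
import hashlib

# Constructed five-word list standing in for a real cracking dictionary,
# which would hold millions of words and previously leaked passwords.
WORDLIST = ["password", "summer", "welcome", "letmein", "monkey"]


def hash_password(password: str) -> str:
    """Unsalted SHA-256 hex digest: a stand-in for however a leaked
    credential store hashed its passwords. Fast and unsalted, so every
    guess costs one cheap hash and one guess covers every user."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def mangle(word: str):
    """Yield common variations of one dictionary word: case changes,
    digit and year suffixes, and a crude leet substitution. This is a
    small, assumed rule set; real crackers use far larger ones."""
    for base in (word, word.capitalize(), word.upper()):
        yield base
        for n in range(100):             # summer7, Summer42, ...
            yield f"{base}{n}"
        for year in range(1990, 2011):   # Summer2009, PASSWORD1999, ...
            yield f"{base}{year}"
    leet = (word.replace("a", "@").replace("e", "3")
                .replace("o", "0").replace("i", "1"))
    yield leet                           # m0nk3y
    yield leet.capitalize()


def dictionary_attack(target_hashes, wordlist=WORDLIST):
    """Return {hash: plaintext} for every target hash matched by some
    mangled word-list entry. Hashes that survive the whole run were not
    built from a dictionary word plus one of these variations."""
    remaining = set(target_hashes)
    cracked = {}
    for word in wordlist:
        for candidate in mangle(word):
            digest = hash_password(candidate)
            if digest in remaining:
                cracked[digest] = candidate
                remaining.discard(digest)
                if not remaining:
                    return cracked
    return cracked


def demo():
    """Four constructed passwords: three 'letters and numbers' choices
    built on dictionary words, and one random string. Returns
    {password: True if cracked}."""
    chosen = ["Summer2009", "password1", "m0nk3y", "Xq7!tR9#bLw2"]
    targets = {hash_password(p): p for p in chosen}
    cracked = dictionary_attack(targets)
    return {targets[h]: (h in cracked) for h in targets}


if __name__ == "__main__":
    for password, fell in demo().items():
        print(f"{password:14s} {'CRACKED' if fell else 'survived'}")
```

The three word-based passwords fall after fewer than two thousand guesses; the random one survives because no rule produces it. A slow, salted hash such as bcrypt raises the cost of each guess but does not change this outcome, which is why the word list, not the character mix, is what the password has to stay out of.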

Utilize Automatic Updates

Unpatched operating systems and out-of-date virus definitions are like the gimpy prey of a flock; they are the first to be targeted by the hunter.  Many computer viruses and other exploits rely on software vulnerabilities for which a patch has typically been available for days or weeks, sometimes much longer.  However, it is not at all unusual for me to see network servers out of date by more than a year.  Another common problem is for antivirus subscriptions to expire, silently stopping the virus definitions from updating.

Clean House

Every program loaded on a computer is a potential vulnerability.  The fewer of them there are, the better.  A typical Windows PC comes with loads of “crap-ware” installed that can and should be removed using the Add/Remove Programs option in Control Panel.  Additionally, there are Windows Components (e.g. Messenger, Media Player) that should be removed if not used.  Finally, there are usually Windows Services running by default that are not used.  This particular cleanup is generally left to computer professionals, as it is not always obvious which of these is required and disabling the wrong service can lead to “unexpected behavior.”  Whoever does it should record each change so it can be reverted.

Create Policies

There are many reasons for establishing written computer and internet policies for employees.  One, of course, is legal liability for the employer.  The other is (or at least should be) educational.  It’s not enough to write up these policies; they need to be presented and explained in an open environment to ensure that they are understood and appreciated.  These policies go far beyond telling users they can’t surf porn on the company’s computers.  They need to include things like proper care and usage of portable storage devices, remote access procedures and policies, e-mail policies, etc…  You can find a list of templates at the SANS Security Policy Project web site.

Protect Sensitive Information

Insiders and subcontractors are another major vulnerability, and care must be taken to provide them with the information necessary to do their jobs, but no more.  This is especially true of subcontractors, of which I am one, who are frequently given and/or create sensitive documents, diagrams, lists, and other data.  It is important to establish guidelines for its use to ensure that the information is handled with care and returned or disposed of when the job is complete.  As incredible as it sounds, a subcontractor published a complete schematic of Pearl Harbor Naval Base’s power monitoring control system in a white paper available publicly on the Internet (I just checked and the information has apparently been removed).

The Bonus Round

What is the hacker’s #1 tool of the trade?  I’ll give you a hint; it has nothing to do with computers.  It’s called Social Engineering and you can read more about it in my blog, “The Hacker as a Magician.”

Feel free to share your own anecdotes and pearls of wisdom on the subject.  What are some of the head-shaking moments you’ve witnessed?  Are there any “doh!” moments you care to share?


How to Spot Phishing

Published on January 4, 2009 in Best Practices, How To


Phishing is a deceptive tactic, used in e-mail, on bogus web sites, and in other communication media, that convinces people to click on a link which typically takes them to an impostor web site. These attacks are generally attempting to accomplish one or both of the following:

  • Surreptitiously obtain personal account information
  • Plant malware (viruses, worms, and similar programs) on the machine

Phishing is considered to be a “social engineering” attack because it relies on tricking or deceiving humans into doing something they don’t realize they’re doing (see “The Hacker as a Magician“). This contrasts with exploits, which rely on shortcomings or defects in computer firmware or software to accomplish their objectives. The two are often combined: once the victim is on the impostor site, that page may also attempt to exploit the visitor’s browser.

There are two common link manipulation tactics used that are easily recognized if you know what to look for…

Tactic #1: WYSINWYG

“WYSIWYG” is an acronym for What You See Is What You Get and is commonly used to describe software that shows you, while you edit, an accurate picture of what the final rendered content will look like. In this case, I’m coining a new acronym: What You See Is Not What You Get. The first common misdirection tactic used in phishing is to display a legitimate-looking URL (uniform resource locator) that, in fact, points to a completely different address.

In order to understand how this works, here is a very quick and dirty introduction to how links are built in HTML. You’ll notice that there are various links scattered throughout this article that are plain English words that can be clicked.  As an example, the code for creating “Click here to visit my blog” looks something like this:

Click <a href="http://domesticatingit.com">here</a> to visit my blog.

When your browser sees this code, it composes a link to the address pointed to in the “href” attribute (in this case, “http://domesticatingit.com”) but only shows you the word “here”. Phishing attacks frequently rely on displaying a link that appears to be a legitimate address but isn’t. Consider the following screen shot:


Example phishing email

This is an example from Microsoft’s web site of a common technique that phishing attacks use to obtain online banking credentials. The text displayed in the email (#1) shows the legitimate URL for this fictitious bank’s login page. However, hovering over the link in Microsoft Outlook reveals that the actual address (#2) is completely different. There are three observations to make in this example:

  1. The displayed address and the actual address are different. This is a huge red flag and should make you extremely suspicious.
  2. The displayed address is a secure (i.e. “https”) URL, and the actual address is plain “http”. Again, this is a red flag.
  3. The actual address is a bare IP address instead of a domain name. While there are occasionally legitimate reasons for doing this, it is another red flag that makes the link questionable.

The reverse does not hold: a link that passes all three checks can still be a phish, so treat these as reasons to stop, not as a seal of approval.

In most software programs, hovering over a link will display the actual address either in a status bar or as balloon text below the link. Here’s an example from my Gmail account (using Firefox 3) that illustrates how to see where the link in an email is going to take you. The cursor is hovering over the “Review Legal Agreements” text and the status bar in the lower left hand corner displays the “href” attribute of the link.


Example of email link previewing

If for some reason hovering over the link does not reveal the destination address, you can usually right-click on the link and select “Copy Link Address” and then paste into Notepad in order to check it.

Bottom Line: Look before you leap.

Tactic #2: Sneaky URLs

Another tactic employed in phishing attacks is to use URLs that, at first glance, appear to be legitimate because they include the real web site’s name somewhere in the URL. A recent phishing campaign aimed at Twitter users employed this approach to steal logins by using “twitter.access-logins.com” as the host name. Many people are fooled into believing this is legitimate simply because the word “twitter” appears in the address. It is further legitimized by rendering a near-perfect forgery of the real web site:


Twitter Phishing forgery

The reality, however, is that entering your login credentials on this site sends them to the attacker’s database; the compromised accounts are then used to send direct messages to other Twitter users, spreading the same lure further.

This deception works because the address used directs a browser to the “twitter” subdomain of the “access-logins” web site. Without diving into a full-blown tutorial on how host names are constructed, suffice it to say that you need to read host addresses from right to left in order to understand how they are qualified. The right-most portion of the address is “com”. The next portion of the address, “access-logins”, is the actual domain name; everything to the left of it is chosen freely by whoever owns that domain. The WHOIS registrant for this domain turns out to be:

Registrant:
  Organization   : zhang xiaohu
  Name           : zhang xiaohu
  Address        : changningzhonghuainanlu192hao
  City           : changning
  Province/State : Hunan
  Country        : CN
  Postal Code    : 421500

Bottom Line: Parse that address – make sure the two right-most components are correct (e.g. “twitter.com”). One caveat: under country-code suffixes such as “.co.uk” the registered name is the third label from the right (e.g. “example.co.uk”), so count one more component there.
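The two tactics above can both be checked mechanically before anyone clicks. Here is an added example in Python (not code from the original post) that pulls every link out of an HTML message body, then applies the three observations from the bank example (displayed versus actual address, “https” shown but “http” used, bare IP address) and the right-to-left host-name rule from the Twitter example. The message body is constructed for the example: the bank name, the 203.0.113.7 address (from a documentation range) and the wording are made up; “twitter.access-logins.com” is the host the post describes. The registered-domain check uses the post’s two-right-most-labels rule as an assumption, with no public-suffix handling, so a “.co.uk” name would need one more label.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed message body imitating the two tactics above. The bank name,
# the 203.0.113.7 address (a documentation range) and the page text are
# made up for this example.
SAMPLE_EMAIL_HTML = """
<p>Your account will be suspended. Verify it at
<a href="http://203.0.113.7/login">https://www.bank.example/login</a></p>
<p>Or sign in to Twitter:
<a href="http://twitter.access-logins.com/">http://twitter.com/</a></p>
<p>Read the <a href="https://domesticatingit.com/">blog</a> for more tips.</p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for each <a> element: the address the
    browser will follow versus the text the reader actually sees."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:      # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """The two right-most labels, the rule the post gives for reading a
    host name right to left. Assumption: no public-suffix handling, so a
    .co.uk name would need one more label."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_ip_literal(host):
    """True when the host part is a bare IPv4/IPv6 address, not a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_link(href, text):
    """Return the red flags for one link, following the three observations
    from the bank example and the right-to-left rule from the Twitter one."""
    flags = []
    actual = urlparse(href)
    actual_host = actual.hostname or ""
    if is_ip_literal(actual_host):
        flags.append("href host is a bare IP address")
    # Only compare hosts when the visible text itself looks like an address;
    # plain words such as "here" are not a mismatch, just opaque.
    if re.match(r"(https?://|www\.)", text, re.IGNORECASE):
        shown = urlparse(text if "://" in text else "http://" + text)
        shown_host = shown.hostname or ""
        if shown_host and registered_domain(shown_host) != registered_domain(actual_host):
            flags.append(f"displayed {shown_host} but href goes to {actual_host}")
        if shown.scheme == "https" and actual.scheme == "http":
            flags.append("displayed https but href is plain http")
    return flags


def audit_html(html):
    """Return {href: [flags]} for every link in the message that tripped a check."""
    parser = LinkExtractor()
    parser.feed(html)
    report = {}
    for href, text in parser.links:
        flags = check_link(href, text)
        if flags:
            report[href] = flags
    return report


if __name__ == "__main__":
    for href, flags in audit_html(SAMPLE_EMAIL_HTML).items():
        print(href)
        for flag in flags:
            print("   -", flag)
```

Run against the sample, the bank link trips all three checks and the Twitter link trips the host-name check, while the plain “blog” link passes. The same logic is what a mail gateway rule or a browser extension would apply; the hover-and-look advice above is the manual version of `check_link`.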

Feel free to add your hints and suggestions in the comments below.  Also, forward this article to anyone you know who might be vulnerable to these tactics.  You can find more advice on avoiding Phishing scams on Fraud.org.
