Archives For hacker

What’s the Likelihood I’ll be Hacked Over the Next 12 Months?

That’s the question every business leader should be asking.

The answer – it’s likely. Over the past week two of my kids have been hit by fraudsters. Neither ended up paying, but both were initially confused. Had it not been for the constant security awareness training that happens in our home, they might have paid the bill.

It could have been malware, but in this case it was a pop-up. “Call Our Support Desk Now! You’ve been infected by malware,” the message read. My 20-year-old son had one on his iPad; my 21-year-old daughter had one on her company laptop. Both came by inadvertently clicking on a pop-up ad. In my daughter’s case, she did call the number to see what was up (her system was completely frozen at this point). The technician on the line wanted to access her system, which is no longer on any Apple support contract. For $250 he promised to set her up on an annual support agreement and remove the malware on her system.

At that point she called me in to talk with him. First I asked him how he knew we had malware on this system. He reported that he had received a message from our system telling him. I probed further to understand what he was planning to do to fix our computer. His explanations were technical but vague. I asked him about malware, bots, and signs of intrusion. He wouldn’t tell me specifically what the problem was. So then I started asking about remediation steps. Was this a scan, a patch, a firmware upgrade? He couldn’t explain. It was clear he didn’t know what he was talking about, but he was adamant that we needed a solution. Finally I asked how I could know he worked for Apple. He explained that his firm, BTS, was contracted by Apple for this type of support. I took down his number, thanked him, and called Apple. He was a fraudster.

In my son’s case, he simply called Apple support directly, ignoring the phone number on the screen. It too was fraudulent. Apple gave us the right tools to scan both systems to clear them of any adware or malware. And, using Apple’s chat software, the entire process was free.

Your Clients Don’t Know Any Better

The problem is, your clients don’t know any better. What are the chances they would call and pay? They’re working hard, trying to get through their day, and suddenly a message pops up and, as with my son’s tablet, the system is locked. Apple walked my son through a hard reset to get back to functionality. How many of your clients would simply call the number and pay the support fee? Sure, if they work in IT, they’re probably savvy enough to do the right thing. But what about the countless office workers, especially those working in small businesses without dedicated IT support people?

Fortunately, in our case it was a simple hard reset. It could have been ransomware, malware installed through a support link, or some destructive virus. The point is, your clients are highly likely to be hit with some sort of fraud scheme, malware, or ransomware in the near future. If all you provide is basic managed services, or possibly firewall support, these attacks will continue, and your client is likely to pay for it. Educating them on this is the first step. But then, every one of your clients really does need someone to monitor, detect, and respond to these types of problems. They will only get worse over time.

© 2015, David Stelzl

IoT – The Internet of Things Changes Security Forever

This week at Gartner, the Internet of Things (IoT) is one of the top 10 things to watch in 2016. Everything is digital – it’s the digital megatrend. Software makes it easy to build things, change things, and connect things. And this, of course, leads to better customer experience, one of the most neglected areas in past business plans, and an important focus for companies who want to grow in the coming year. Connecting things is part of the new customer experience.

Example: When it comes to home security, controlling your HVAC, or even turning on your oven to get the dinner started, you want to do it with your phone. We are coming to expect this…

Things in cars that used to be mechanical, like the gas pedal, are now digital – in many of the cars being built today, the pedal is actually controlling a software switch to tell the engine to speed up. In the hospital, drugs that used to be injected into IV systems are now dispensed with software. It’s all connected. In theory it’s more accurate and easier to update and modify.

The problem is, security in this new world has to change.

You’ve seen the car video – the one where the hacker breaks into a car his friend is driving to demonstrate that, not only can he access the car, he can completely take control of it. This is the case with much of the critical infrastructure around us including dams, sewage systems, elevators, and the future drone mail delivery system Amazon keeps talking about.

As Gartner speaker Christian Byrnes pointed out this week, lives are at risk as we move in this direction. The IoT is going to happen, but how will companies secure it? This is exactly how Target was hacked, through the HVAC system.

Today I will be addressing business leaders in Richmond, Virginia, at a special luncheon held at the Jepson Alumni Center. Thanks to Sklar Technology Partners and their technology sponsors for making this important session available. Small businesses in our country are under attack, and many of them don’t know it. Their technology vendors will encourage them to move to the cloud, connect to their customers, and leverage all kinds of technology (such as IoT) to create a more connected business. All of this will help them grow if they do it right. But without the proper security in place, it may lead to disaster. And as Byrnes pointed out in his session this week, “When people start dying, it can’t be good for business.”

© 2015, David Stelzl

How to Stop CIOs From Sending You Back To IT

And What We Can Learn From Donna Seymour

Are you talking about the most important things in IT when you meet with business owners and CIOs? It’s security – not managed services. Cost savings are great, but security is crucial. In fact, for some, not only do they need more security…they need more education and perhaps a lawyer.

What Happened to Donna Seymour?

Just a few months ago no one knew the name “Donna Seymour”. Today, she’s becoming a household name. Is it her fault that millions of employee records were taken from the OPM? It might be – but who knows. It would be easy to jump on the bandwagon and say she should lose her job. The truth is, any company can be successfully hacked and the CIO can’t stop it. However, there are some things to consider. Due care means taking the steps that should be taken to decrease the risk of an attack. But this is harder than it sounds.

First, how often do politics get in the way of making the right decision? You know, the budget constraints everyone works under. I just got off the phone with a sales rep going through my Vendor to Advisor Mastery Program – he’s facing this issue right now. A very large company in the midst of a merger, not willing to spend any money. How should he respond?

With Donna, what we can say, based on a recent study I wrote about a few days ago, is that these business leaders are not equipped to make a case for better security because they can’t quantify the risk. They don’t know how much risk they really have, so they don’t know how to budget, or how to justify more budget.

As a result, Donna Seymour is not only being pressured to join the Target leadership in resigning, she’s being threatened with lawsuits. She blames it on outdated infrastructure – that’s probably true, but as Eric Ries, author of The Lean Startup, recommends, you need to ask “Why?” five times to get to the root cause, and it’s not outdated infrastructure.

Why did OPM get hacked?

Outdated infrastructure – that’s what they are telling us. But why is the infrastructure outdated? Because Donna didn’t get budget to upgrade it sooner. Why not? And so on. I bet it eventually boils down to not predicting the need. A security expert probably would have predicted it. The average CIO would have delegated that meeting down to someone in IT Security, and that person would have delayed any sort of action due to budget constraints – not wanting to pressure Donna, or being too afraid to ask. That IT person is still unknown and still employed. Donna, on the other hand, may not be for long. Donna should have taken the meeting.

Or, it could be that there just wasn’t a sales person bold enough to ask for the meeting with Donna. Maybe she would have listened, if the sales rep had offered the assessment. Who knows.

Of course they’ve had assessments, but were they the right kind? Did they just choose the low-cost provider and get what they paid for? Or did the provider deliver the right results, but Donna failed to take action? Who knows?

These lawsuits are personal

Donna’s being held personally responsible for the loss of millions of personal employee files. Whatever her organization wasn’t willing to spend, she’ll make up for personally (of course she can’t really do that – millions of people are affected, and a credit score service is not going to protect them on this one).

Are You Talking To The People Who Need To Know?

Are you calling on CIOs that won’t take the meeting? The WSJ reports, “CIOs generally should expect to be sued in increasing numbers over cybersecurity issues…” In my latest book, The House & The Cloud, on page 195, I explain exactly what Donna needed, and what every CIO, CISO, and board member needs to know. So you have a great reason to make the call – but what can you say to get them to listen? Hopefully, by understanding these recent attacks, you can get someone’s attention before it’s too late.

© 2015, David Stelzl

In early January I’ll be kicking off my first security executive briefing, on January 14th – taking a look at the major cybercrime trends, what business leaders should be watching and doing over the next 12 months, and what I believe is the root cause of this kind of failure to protect customer data…

© 2013, David Stelzl

Important Sound Bites (Based on the Mandiant Report)

  • “When they hack into a system, they do have the ability to crush the system…I think they’re there to steal the data.”
  • “If the mission were to change, they [Chinese Hackers] do have all the tools in place to destroy…”
  • “Chinese military unit 61398, believed to be behind the theft of hundreds of terabytes of information from 141 organizations primarily in the United States.” – SC Magazine
  • APT1: “Mandiant named the group APT1 –…it is only one of dozens of advanced persistent threat (APT) groups with China-based operations that the firm tracks.”
  • “Industries targeted by APT1 also “match industries that China has identified as strategic to their growth, including four of the seven strategic emerging industries that China identified in its 12th Five Year Plan.” – Homeland Security Digital Library. Reports show that this has been going on for 12 years, and that 12 major industries are targeted in these attacks.
  • What does APT1 consist of? “The size of APT1’s infrastructure indicates that hundreds, and possibly thousands, of people work for this group, including linguists, open source researchers, malware authors, industry experts who translate task requests from requestors to the operators, and people who then transmit stolen information to the requestors.” – Homeland Security Digital Library

Executive Summary Report – scroll halfway down the linked page to read dozens of findings concerning the involvement of the “2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department (总参三部二局), which is most commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398 (61398部队).”

© 2013, David Stelzl

I recently learned that resellers can access each other’s invoices online if they use a certain time billing system…it’s a security hole in the system that allows this. That means that, if you use this software, your competition can see every invoice you have – at least as of yesterday (this may be fixed by now). I came across this while working with some resellers who have been making inroads into the security space for SMB. After discovering this, they are suddenly aware of just how big security is. It’s one thing to work with clients on security as an abstract concern – you have a virus, or you need encryption. It’s a much bigger thing to realize your own digital assets are suddenly open to the entire world.

Security is real…suddenly the reseller technical people are seeing just how real a security issue can be. Don’t miss this opportunity to understand what the president of a company looks like when he finds out his most important application is open to the world! On the other hand, make sure you apply the patch (as soon as it’s available). If you don’t know what I am talking about you might want to contact me…
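The hole described above – one reseller reading another reseller’s invoices – is a tenant-isolation failure: the application looks a record up by its id and never checks that the caller owns it. The following is an added illustration of that bug class and its fix, written for this page; it is not the code of the billing product the post refers to, and the reseller ids, invoice ids and amounts are constructed sample data. The insecure lookup, the tenant-scoped lookup, and the audit helper that proves the difference are all assumptions of the example.

```python
"""Tenant-scoped record access: a vulnerable lookup beside a hardened one.

Constructed example. The in-memory invoice store, the reseller ids and the
invoice ids below are made up; this is not the billing product the post
refers to, only an illustration of the bug class it describes (one
tenant's records readable by another tenant).
"""
from dataclasses import dataclass
import logging

log = logging.getLogger("billing.audit")


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    reseller_id: str      # the tenant that owns this record
    amount_usd: float


@dataclass(frozen=True)
class Session:
    reseller_id: str      # the tenant the caller authenticated as


# Constructed sample data: two resellers, three invoices.
INVOICES = {
    1001: Invoice(1001, "reseller-a", 4200.00),
    1002: Invoice(1002, "reseller-b", 1750.50),
    1003: Invoice(1003, "reseller-a", 980.00),
}


def get_invoice_insecure(session: Session, invoice_id: int) -> Invoice:
    """Vulnerable: the lookup key is the invoice id alone, so any
    authenticated tenant can read any other tenant's invoice by id."""
    return INVOICES[invoice_id]


def get_invoice(session: Session, invoice_id: int) -> Invoice:
    """Hardened: the record must belong to the calling tenant. A record the
    caller does not own is reported exactly like a non-existent id, so the
    caller learns nothing about other tenants' invoice numbers, and the
    attempt is logged so the platform can detect probing."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.reseller_id != session.reseller_id:
        log.warning("denied invoice %s for tenant %s", invoice_id, session.reseller_id)
        raise KeyError(invoice_id)
    return inv


def cross_tenant_reads(lookup) -> list:
    """Audit helper: request every invoice from every tenant's session and
    return the (tenant, invoice_id) pairs where a tenant received a record
    it does not own. An empty list means the lookup is tenant-scoped."""
    tenants = {inv.reseller_id for inv in INVOICES.values()}
    leaks = []
    for tenant in sorted(tenants):
        for invoice_id, inv in INVOICES.items():
            if inv.reseller_id == tenant:
                continue              # the tenant's own record; not a leak
            try:
                lookup(Session(tenant), invoice_id)
            except KeyError:
                continue              # correctly denied
            leaks.append((tenant, invoice_id))
    return leaks


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print("insecure lookup leaks:", cross_tenant_reads(get_invoice_insecure))
    print("hardened lookup leaks:", cross_tenant_reads(get_invoice))
```

The audit helper is the part worth keeping: a check like this, run against each record type the application exposes, is how a vendor finds a cross-tenant hole before a competitor does. Returning the same error for “not found” and “not yours” is deliberate; a distinct “forbidden” response would confirm which invoice numbers exist in other tenants’ accounts.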

© 2012, David Stelzl

“Sound bites” is the term I use for collecting and memorizing powerful statistics or statements that come from credible sources like The Wall Street Journal. By themselves, they won’t sell a thing – in fact most technology sales people are guilty of overusing them, or using them with the wrong people. They have two purposes:

  1. They build credibility when taken from the right sources
  2. They soften cries from IT that the company has everything they need – “We have it covered”, they claim.

When the buyer hears powerful statements from The Wall Street Journal telling them that Visa, MasterCard, and the Pentagon have experienced major attacks and are unable to defend themselves, it is hard to sit there and claim to be in better shape – especially in the small and mid market companies. In today’s session we explore marketing theory and what it is that actually motivates the buyer to carve out funding for major security projects. We use the sound bites to accomplish their task, but then move on to more advanced marketing strategies (ones that should be taught in school, but just aren’t). Here are some of the sound bites sent to me as part of last night’s homework…I thought everyone might benefit from seeing some of these things. Note: these are in no particular order, and may not even be the most significant…just a sampling. Feel free to add more powerful ones if you like.

1. The people in the IT department pose the biggest risks to data security. They can access nearly anything on the network, usually with no one looking over their shoulders. – WSJ 4/4/12
2. 56% of those surveyed (WSJ) after financial crimes were committed said the most serious crimes involved insiders. – WSJ 4/4/12
3. 53% of respondents indicated IT was involved in serious cyber crimes involving money over the past year. – WSJ 4/4/12
4. Damage is only just now coming to light in the form of millions of false 2011 income tax returns filed in the names of people currently receiving Social Security benefits – reported by the WSJ for Puerto Rico, but not the US – just coming out now! – Cringely Report
5. Out of 47 attempts last year, hackers managed to penetrate NASA’s computer network 13 times. – Ziff Davis, March 2, 2012
6. Global Payments Inc. – shares dropped 9% after disclosing a cyber attack – affected Visa, MasterCard, Amex, and Discover – 10 million card holders affected (all four had stock price drops as a result). – Reuters 3/30/12
7. The Chinese People’s Liberation Army (PLA) runs a very active industrial espionage program because it has the joint mission of ensuring both military and economic security. So when companies from another country attempt to do business with a Chinese company or agency in an important area of technology, the PLA helps give its side an advantage by stealing data from the other side. They use the same targeted cyber-intrusion techniques they use to steal military secrets. They are after the “play books” – the documents that tell what the company is willing to give up and where it will hold the line. That data gives their side an advantage in negotiations. Sometimes, as in the Google case, they just steal the technology they want. – FBI discussion with SANS, March 2012
8. Shawn Henry, who is preparing to leave the FBI after more than two decades with the bureau, said in an interview that the current public and private approach to fending off hackers is “unsustainable.” Computer criminals are simply too talented and defensive measures too weak to stop them. – WSJ 3/28/12
9. James A. Lewis, a senior fellow on cybersecurity at the Center for Strategic and International Studies, said, “I think we’ve lost the opening battle [with hackers].” Mr. Lewis said he didn’t believe there was a single secure, unclassified computer network in the U.S. – WSJ 3/28/12
10. 24 million customers compromised through Sony PlayStation last year, over 100 million on NASDAQ. – WSJ 3/28/12

© 2012, David Stelzl