Archives For Hacking

TALC100% Signed Up To See If Their Data Is Safe!

Yesterday’s event in Las Vegas was a great success. We had representatives from the local cybercrime enforcement unit of the Las Vegas Police Department, as well as the Fire Department, along with just over 20 business leaders. Delon Lukow, President of ProStar, offered an assessment to each attendee as a thanks for attending. This initial assessment will help business leaders determine whether there are in fact symptoms of data theft, or major holes in their security strategy. Every person there agreed to take this first step.

After the meeting I had the opportunity to meet with Lukow to review the most important elements of small business risk, and which risks small businesses are most likely to face. It is ProStar’s mission to help educate business leaders in this region to take a more proactive stance against cybercrime. My hope is that more SMB-focused technology companies will sponsor these types of events.

© 2015, David Stelzl

Thanks again to our sponsors including Cox Communications and Nuvestack!


Despite Hacks…People Still Don’t Take Action.

Earlier this week, CBS correspondent Candice Leigh Helfand interviewed me for an article,

Despite Hacks: Info Leaks, Americans Still Lax On Digital Security.

In the wake of Target and Snapchat news just a month ago – CBS-DC wanted to know what to expect in the coming year, and where companies need to refocus.

Target Hacked!

The Target case is interesting because it’s not an online hack! Just around the holiday peak shopping season, “Target disclosed that encrypted debit-card PINs, credit and debit card numbers, card expiration dates and other bits of sensitive information were stolen from millions of customers (around 40 million) who shopped at the retailer between Nov. 27 and Dec. 15 of last year.” Wow! How did that happen? They got it all – PINs too – by tampering with credit card swipe machines.

Snapchat Hacked!

The Snapchat hack is another story – only “4.6 million of its users”. But the news here is that it happened right after “security experts warned the company at least twice about a vulnerability in its system.” In an earlier post I mentioned that I’m speaking on these topics in Chicago next week…but I know several of the executives invited responded back (as they always do), “I don’t get involved in that stuff”…that’s exactly the problem.

When business leaders don’t have any involvement – or don’t take the time to understand – you end up with a Snapchat. In fact, just after TJX was hacked, losing around 100 million credit cards, I met with several security teams that had called on TJX companies and gotten the same response. Even worse, one of them had tried to tell TJX that their wireless networks were accessible from outside the building! Did they take action? No.

In the linked news report, Candice writes, “Security experts say it’s the second-largest theft of card accounts in U.S. history, surpassed only by a scam that began in 2005 involving retailer TJX Cos.”  In other words, this is a big one and it will be costly.

The need is there – the problem is getting through to the right people to educate them on that need. The impact vs. likelihood model I present in The House & the Cloud has been the most effective means of doing this.

© 2014, David Stelzl

Irvine CA. Sunrise


Are Your Secrets Still Secret?

“Hackers target startups that secure early-stage funding. Some startups are detecting heightened cyberattacks just after they raise Series A funding,” according to recent reports from the Wall Street Journal.

Business leaders tend to disregard this kind of news because their IT people are telling them, “We’ve got it covered.” This afternoon I will be speaking to a group of CIOs in Irvine, California, hosted by Accuvant and sponsored by McAfee. This is a message every business leader needs to hear – before it’s too late.

The criminals aren’t sitting around worrying about new technologies that thwart their mischievous deeds. They’re researching, testing, and collaborating. The amount of money that goes into R&D on the enemy’s side hasn’t been published the way it often is by security technology companies. For instance, Cisco is proud of the fact that it spends around 300 million on security R&D annually (last I heard). But innovation is happening on both sides, and the attacker is usually ahead (if not always ahead). There is no telling how much effort goes into their side, but based on the attacks we’ve seen, it’s significant, and it should be scary.

A New Target: Start-Up Companies

“In March 2012, when cybersecurity startup Skyhigh Networks received $6.5 million in funding, the company noticed a marked increase in outsiders looking for vulnerabilities in its network.” Nation-state sponsored attacks, as well as competitors, may be the instigators here. Recent patent law changes encourage the theft of intellectual property when it deals with innovation. The person who files first has the advantage in patent rights…that means that as your clients are inventing, others are watching online to see when a development is ready but not yet filed with the patent office. That would be a good time to strike. Notice that the security risks are suddenly higher at this point: the measure of impact goes up, but so does the likelihood of attack (an important model covered in my book, The House & the Cloud). Understanding this is key to building a solid security architecture – it is also critical for the security provider if you want to better understand the sales cycle and how to justify a change in security spending.

Chinese Government – Are They Really Hacking?

There have been numerous reports about Chinese government hacking over the past year. Are they really hacking into US companies? I have not personally experienced this – however, the news is certainly saying, “Yes”.

“The disclosure early this year of a secretive Chinese military unit believed to be behind a series of hacking attacks has failed to halt the cyber intrusions,” according to a Reuters report by Deborah Charles and Paul Eckert. The Wall Street Journal published this earlier in November, pointing to the People’s Liberation Army’s Shanghai-based Unit 61398 as the primary suspect. This sounds pretty specific. What are they after?

According to the above-mentioned article, this effort involves “cyber espionage to steal proprietary economic and trade information” from the US. In other words, they are after US innovation – taking what has taken years to develop, with a plan to produce the same innovations without the cost of R&D. Expect these new products to come on the market for much less, competing with the inventor on price. This is called a copycat product, and it often puts the inventor out of business.

If your clients are still thinking they are safe, have avoided attacks, and have it covered when it comes to keeping their innovation secrets under cover, they’re likely out of touch with the real world. IT has often said, “We have it covered,” only to later find out that hackers have been inside for years. The FBI says it takes 14 months, on average, to realize you’re under attack, but many companies will never figure it out – and soon it will be too late.

© 2013, David Stelzl


U.S. Eyes Pushback On China Hacking

Reads the headline in today’s tech section of the Wall Street Journal. Over the past several months there have been numerous articles published in the Journal – some saying this is real, others denying it…I appreciated one article stating that these attacks are small enough for our government to ignore, so that there is no single incident demanding a response, but big enough to threaten the long-term viability of some of the major companies in the US. In another Journal article I read, “All major US companies have been successfully compromised…” Where is this all headed?

Companies who insist “They’ve got it covered…” are in trouble, in my opinion. No company is really impenetrable. In fact, using a pen-test to show your clients that their data is safe creates a false sense of security. A failure to break in simply shows the limits of the pen-testing team. It certainly doesn’t mean the company is well secured.

In today’s article the Journal reports: “The Obama administration is considering a raft of options to more aggressively confront China over cyberspying,…, a potentially rapid escalation of a conflict the White House has only recently acknowledged.” The key phrase here is “only recently.” Why have government officials denied this for so long? Perhaps for political and economic reasons. The Journal states it like this: “Before now, U.S. government officials and corporate executives had been reluctant to publicly confront China out of fear that stoking tension would harm U.S. national-security or business interests.”

Why are the Chinese on the attack? “China is stealing trade secrets as part of plans to bolster its industry.” It’s simple: the US has a greater capacity for innovation. By invading companies’ intellectual capital, other nations can cut thousands of man-days out of the R&D process. Google, EMC, RSA, the New York Times, the Wall Street Journal, and many other well-known companies, along with many federal organizations including the Pentagon, have reported problems traced back to China in recent years. However, things like “dependency on China to underwrite U.S. debt and to provide a market for U.S. businesses” have allowed these nation-state sponsored attacks to go unchallenged.

Recently our government officials have come out saying, “Cybersecurity threats are the greatest threat to our security—economic security, political security, diplomatic security, military security.” No matter how big your customers are, cybersecurity is something you want to understand and engage them in. We’ll be covering more on this threat in the coming weeks as we approach the May Making Money w/ Security workshop. I’m looking forward to seeing you there.

© 2013, David Stelzl

Yesterday we completed our first day of Making Money w/ Security – an online security sales course I provide through WebEx. As security trends evolve, one area has become particularly interesting to me – that of social media and how it can be used as a vehicle for social engineering. After class one attendee passed on an article from the WSJ, Spam Finds a New Target…here are some important points from the Wall Street Journal’s write-up…

  • Facebook blocks over 200 million malicious actions every day!
  • In August 2011, over 92% of email messages were spam; in November, over 70%. These numbers fluctuate month to month, but they are always high.
  • Twitter and Facebook are the new targets – people are on to the email problems, but social media is wide open as people accept friend requests from unknowns. In fact, in another recent article, WSJ reported on a study showing the number of men who gave out sensitive information, including passwords, to a white hat hacker posing as a 25-year-old woman using social media! Incredible, but believable.

As I speak to executives around the world at Lunch & Learns and other customer-facing events, I am hearing the need to leverage social media as a means of marketing and branding. I agree, this is a tool that can accelerate any company’s business when used correctly. But this also opens the door for users who are completely unaware of the security risks to invite predators to install code on their machines – the same machines that will later access the company’s most sensitive data. If you are not attending Making Money w/ Security this week, stay tuned – we’ll be scheduling more later this year.

© 2012, David Stelzl

Here’s a rare clip from a recent Making Money with Security workshop…don’t forget to check out my upcoming virtual workshop. I only have 16 seats left and there is no travel for this one – perfect for smaller sales organizations.

http://www.stelzl.us/sales_development_MMS1_virtual.asp

© 2010, David Stelzl

In the second half of this interview Nate and Kelly ask the killer question: “What about cloud computing?” Listen in and see what I say about it.