, , ,

Congress votes against Internet customer privacy; nothing changes

It’s official: Internet service providers in the United States can continue to sell information about their customers’ Internet usage to marketers — and to anyone else who wants to use it. In 2016, during the Obama administration, the Federal Communications Commission (FCC) tried to require ISPs to get customer permission before using or sharing information about their web browsing. According to the FCC, the rule change, entitled, “Protecting the Privacy of Customers of Broadband and Other Telecommunications Services,” meant:

The rules implement the privacy requirements of Section 222 of the Communications Act for broadband ISPs, giving broadband customers the tools they need to make informed decisions about how their information is used and shared by their ISPs. To provide consumers more control over the use of their personal information, the rules establish a framework of customer consent required for ISPs to use and share their customers’ personal information that is calibrated to the sensitivity of the information. This approach is consistent with other privacy frameworks, including the Federal Trade Commission’s and the Administration’s Consumer Privacy Bill of Rights.

More specifically, the rules required that customers had to positively agree to have their information used in that fashion. Previously, customers had to opt-out. Again, according to the FCC,

Opt-in: ISPs are required to obtain affirmative “opt-in” consent from consumers to use and share sensitive information. The rules specify categories of information that are considered sensitive, which include precise geo-location, financial information, health information, children’s information, social security numbers, web browsing history, app usage history and the content of communications.

Opt-out: ISPs would be allowed to use and share non-sensitive information unless a customer “opts-out.” All other individually identifiable customer information – for example, email address or service tier information – would be considered non-sensitive and the use and sharing of that information would be subject to opt-out consent, consistent with consumer expectations.

Consumer Privacy Never Happened

That rule change, however, ended up being stuck with legal challenges and never took effect. In March 2017, both chambers of Congress voted to reverse that change. The resolution, passed by both the House and Senate, was simple:

Resolved by the Senate and House of Representatives of the United States of America in Congress assembled, That Congress disapproves the rule submitted by the Federal Communications Commission relating to “Protecting the Privacy of Customers of Broadband and Other Telecommunications Services,” and such rule shall have no force or effect.

What’s the net effect? In some ways, not much, despite all the hyperbole. The rule only applied to broadband providers. It didn’t apply to others who could tell what consumers were doing on the Internet, such as social media (think Facebook) or search engines (think Google) or e-commerce (think Amazon) or streaming media (think Netflix). Those other organizations could use or market their knowledge about consumers, bound only by the terms of their own privacy policy. Similarly, advertising networks and others who tracked browser activity via cookies could also use the information however they wanted.

What’s different about the FCC rule on broadband carriers, however, is that ISPs can see just about everything that a customer does. Every website visited, every DNS address lookup, and every Internet query sent via other applications like email or messaging apps. Even if that traffic is end-to-end encrypted, the broadband carrier knows where the traffic is going or coming from – because, after all, it is delivering the packets. That makes the carriers’ metadata information about customer traffic unique, and invaluable, to marketers, government agencies, and to others who might wish to leverage it.

Customers Can Shield — To Some Extent

Customers can attempt to shield their privacy. For example, many use end-to-end VPN services to route their Internet traffic to a single relay point, and then use that relay to anonymously surf the web. However, a privacy VPN is technically difficult for many consumers to set up. Plus, the service costs money. Also, for true privacy fanatics, that VPN service could also be a source of danger, since it could be compromised by an intelligence agency, or used for a man-in-the-middle attack.

So in the United States, the demise of the FCC ruling is bad news. Customers’ Internet usage data — including websites visited, phrases searched for, products purchased and movies watched — remains available for marketers and others who use to study it and exploit it. However, in reality, such was always the case.

, ,

Three years of the 2013 OWASP Top 10 — and it’s the same vulnerabilities over and over

Can’t we fix injection already? It’s been nearly four years since the most recent iteration of the OWASP Top 10 came out — that’s June 12, 2013. The OWASP Top 10 are the most critical web application security flaws, as determined by a large group of experts. The list doesn’t change much, or change often, because the fundamentals of web application security are consistent.

The 2013 OWASP Top 10 were

  1. Injection
  2. Broken Authentication and Session Management
  3. Cross-Site Scripting (XSS)
  4. Insecure Direct Object References
  5. Security Misconfiguration
  6. Sensitive Data Exposure
  7. Missing Function Level Access Control
  8. Cross-Site Request Forgery (CSRF)
  9. Using Components with Known Vulnerabilities
  10. Unvalidated Redirects and Forwards

The preceding list came out on April 19. 2010:

  1. Injection
  2. Cross-Site Scripting (XSS)
  3. Broken Authentication and Session Management
  4. Insecure Direct Object References
  5. Cross-Site Request Forgery (CSRF)
  6. Security Misconfiguration
  7. Insecure Cryptographic Storage
  8. Failure to Restrict URL Access
  9. Insufficient Transport Layer Protection
  10. Unvalidated Redirects and Forwards

Looks pretty familiar. If you go back further to the inaugural Open Web Application Security Project 2004 and then the 2007 lists, the pattern of flaws stays the same. That’s because programmers, testers, and code-design tools keep making the same mistakes, over and over again.

Take the #1, Injection (often written as SQL Injection, but it’s broader than simply SQL). It’s described as:

Injection flaws occur when an application sends untrusted data to an interpreter. Injection flaws are very prevalent, particularly in legacy code. They are often found in SQL, LDAP, Xpath, or NoSQL queries; OS commands; XML parsers, SMTP Headers, program arguments, etc. Injection flaws are easy to discover when examining code, but frequently hard to discover via testing. Scanners and fuzzers can help attackers find injection flaws.

The technical impact?

Injection can result in data loss or corruption, lack of accountability, or denial of access. Injection can sometimes lead to complete host takeover.

And the business impact?

Consider the business value of the affected data and the platform running the interpreter. All data could be stolen, modified, or deleted. Could your reputation be harmed?

Eliminating the vulnerability to injection attacks is not rocket science. OWASP summaries three approaches:

Preventing injection requires keeping untrusted data separate from commands and queries.

The preferred option is to use a safe API which avoids the use of the interpreter entirely or provides a parameterized interface. Be careful with APIs, such as stored procedures, that are parameterized, but can still introduce injection under the hood.

If a parameterized API is not available, you should carefully escape special characters using the specific escape syntax for that interpreter. OWASP’s ESAPI provides many of these escaping routines.

Positive or “white list” input validation is also recommended, but is not a complete defense as many applications require special characters in their input. If special characters are required, only approaches 1. and 2. above will make their use safe. OWASP’s ESAPI has an extensible library of white list input validation routines.

Not rocket science, not brain surgery — and the same is true of the other vulnerabilities. There’s no excuse for still getting these wrong, folks. Cut down on these top 10, and our web applications will be much safer, and our organizational risk much reduced.

Do you know how often your web developers make the OWASP Top 10 mistakes? The answer should be “never.” They’ve had plenty of time to figure this out.

,

Blue passion vines are ready for butterflies and caterpillars

To our delight this morning, our new Blue Passion vines had their first flowers. Passiflora caerulea is an amazing plant. It grows these colorful and complex flowers, which only last about one day, but there’s a long array of buds in various stages of development, so we’ll have blooms nearly every day for months.

The Gulf Fritillary butterfly common here in Phoenix (Agraulis vanillae) lays its egg on the passion vine. The colorful caterpillars munch on the leaves, and build their chrysalis there, becoming a new butterfly. The lifecycle continues.

We purchased two Blue Passion vines a few years ago. We totally enjoyed their gorgeous flowers, and hundreds of caterpillars and butterflies that created a beautiful ecosystem — every morning we’d go outside and check for new flowers and new caterpillars. Unfortunately both vines died last winter. In early March we purchased three replacements, and the first flowers opened today. The Gulf Fritillary caterpillars (which we nicknamed Fruities) are flitting around it, so I expect we’ll have eggs, and caterpillars, very soon.

Isn’t nature grand?

, ,

Top Do’s and Don’ts for creating friendly calendar invites

“Call with Alan.” That’s what the calendar event says, with a bridge line as the meeting location. That’s it. For the individual who sent me that invitation, that’s a meaningful description, I guess. For me… worthless! This meeting was apparently sent out (and I agreed to attend) at least three weeks ago. I have no recollection about what this meeting is about. Well, it’ll be an adventure! (Also: If I had to cancel or reschedule, I wouldn’t even know who to contact.)

When I send out calendar invites, I try hard to make the event name descriptive to everyone, not just me. Like “ClientCorp and Camden call re keynote topics” or “Suzie Q and Alan Z — XYZ donations.” Something! Give a hint, at least! After all, people who receive invitations can’t edit the names to make them more meaningful.

And then there’s time-zone ambiguity. Some calendar programs (like Google Calendar) do a good job of tracking the event’s time zone, and mapping it to mine. Others, and I’m thinking of Outlook 365, do a terrible job there, and make it difficult to specify the event in a different time zone.

For example, I’m in Phoenix, and often set up calls with clients on the East Coast or in the U.K. As a courtesy, I like to set up meetings using the client’s time zone. Easy when I use Google Calendar to set up the event. Not easy in Outlook 365, which I must use for some projects.

Similarly, some calendar programs do a good job mapping the event to each recipient’s time zone. Others don’t. The standards are crappy, and the implementations of the standards are worse.)

There’s more than the bad time-zone mappings. Each Web-based, mobile, and desktop calendar app, even those that claim to conform to standards, has its own quirks, proprietary features, and incompatibilities. For example, repeating events aren’t handled consistently from calendar program to calendar program. It’s a real mess.

Here are a few simple do’s and don’ts for event creators. Or rather, don’ts and do’s.

  • DON’T just put the name of the person you are meeting with in the event name.
  • DO put your name and organization too, and include your contact information (phone, email, whatever) in the calendar invite itself. Having just a conference bridge or location of the coffee shop won’t do someone any good if they need to reach you before the meeting.
  • DON’T assume that everyone will remember what the meeting is about.
  • DO put the purpose of the meeting into the event title.
  • DON’T think that everyone’s calendar software works like yours or has the same features, vis-à-vis time zones, attachments, comments, and so-on.
  • DO consider putting the meeting time and time zone into the event name. It’s something I don’t do, but I have friends who do, like “ClientCorp and Camden call re keynote topics — 3pm Pacific.” Hmm, maybe I should do that?
  • DON’T expect that if you change the event time on your end, that change will percolate to all recipients. Again, this can be software-specific.
  • DO cancel the event if it’s necessary to reschedule, and set up a new one. Also send an email to all participants explaining what happened. I dislike getting calendar emails saying the meeting date/time has been changed — with no explanation.
  • DON’T assume that people will be able to process your software’s calendar invitations. Different calendar program don’t play well with each other.
  • DO send a separate email with all the details, including the event name, start time, time zone, and list of participants, in addition to the calendar invite. Include the meeting location, or conference-call dial-in codes, in that email.
  • DON’T trust that everyone will use the “accept” button to indicate that they are attending. Most will not.
  • DO follow up with people who don’t “accept” to ask if they are coming.
  • DON’T assume that just because it’s on their calendar, people will remember to show up. I had one guy miss an early-morning call he “accepted” because it was early and he hadn’t checked his calendar yet. D’oh!
  • DO send a meeting confirmation email, one day before, if the event was scheduled more than a week in advance.

Have more do’s and don’ts? Please add them using the comments.

, , ,

What’s the deal with Apple iCloud accounts being hacked?

The word went out Wednesday, March 22, spreading from techie to techie. “Better change your iCloud password, and change it fast.” What’s going on? According to ZDNet, “Hackers are demanding Apple pay a ransom in bitcoin or they’ll blow the lid off millions of iCloud account credentials.”

A hacker group claims to have access to 250 million iCloud and other Apple accounts. They are threatening to reset all the passwords on those accounts – and then remotely wipe those phones using lost-phone capabilities — unless Apple pays up with untraceable bitcoins or Apple gift cards. The ransom is a laughably small $75,000.

What’s Happening at Apple?

According to various sources, at least some of the stolen account credentials appear to be legitimate. Whether that means all 250 million accounts are in peril, of course, is unknowable.

Apple seems to have acknowledged that there is a genuine problem. The company told CNET, “The alleged list of email addresses and passwords appears to have been obtained from previously compromised third-party services.” We obviously don’t know what Apple is going to do, or what Apple can do. It hasn’t put out a general call, at least as of Thursday, for users to change their passwords, which would seem to be prudent. It also hasn’t encouraged users to enable two-factor authentication, which should make it much more difficult for hackers to reset iCloud passwords without physical access to a user’s iPhone, iPad, or Mac.

Unless the hackers alter the demands, Apple has a two-week window to respond. From its end, it could temporarily disable password reset capabilities for iCloud accounts, or at least make the process difficult to automate, access programmatically, or even access more than once from a given IP address. So, it’s not “game over” for iCloud users and iPhone owners by any means.

It could be that the hackers are asking for such a low ransom because they know their attack is unlikely to succeed. They’re possibly hoping that Apple will figure it’s easier to pay a small amount than to take any real action. My guess is they are wrong, and Apple will lock them out before the April 7 deadline.

Where Did This Come From

Too many criminal networks have access to too much data. Where are they getting it? Everywhere. The problem multiplies because people reuse usernames and passwords. For nearly every site nowadays, the username is the email address. That means if you know my email address (and it’s not hard to find), you know my username for Facebook, for iCloud, for Dropbox, for Salesforce.com, for Windows Live, for Yelp. Using the email address for the login is superficially good for consumers: They are unlikely to forget their login.

The bad news is that account access now depends on a single piece of hidden information: the password. And people reuse passwords and choose weak passwords. So if someone steals a database from a major retailer with a million account usernames (which are email addresses) and passwords, many of those will also be Facebook logins. And Twitter. And iCloud.

That’s how hackers can quietly accumulate what they claim are 250 million iCloud passwords. They probably have 250 million email address / password pairs amalgamated from various sources: A million from this retailer, ten million from that social network. It adds up. How many of those will work in iTunes? Unknown. Not 250 million. But maybe 10 million? Or 20 million? Either way, it’s a nightmare for customers and a disaster for Apple, if those accounts are locked, or if phones are bricked.

What’s the Answer?

As long as we use passwords, and users have the ability to reuse passwords, this problem will exist. Hackers are excellent at stealing data. Companies are bad at detecting breaches, and even worse about disclosing them unless legally obligated to do so.

Can Apple present those 250 million accounts from being seized? Probably. Will problems like this happen again and again and again? For sure, until we move away from any possibility of shared credentials. And that’s not happening any time soon.

, ,

New phishing scam referencing a company called FrontStream

We received this realistic-looking email today claiming to be from a payment company called FrontStream. If you click the links, it tries to get you to active an account and provide bank details. However… We never requested an account from this company. Therefore, we label it phishing — and an attempt to defraud.

If you receive a message like this, delete it. Don’t click any of the links, and don’t reply to it either. You’ve been warned.

From: billing [email address at frontstream.com]
Sent: Wed, Mar 22, 2017 10:34 am
Subject: New Account Ready for Activation

Dear [redacted],

Your account is now available at our FrontStream Invoicing Website for you to view your existing outstanding invoices and make payment. You can directly activate your account here:

[link redacted]

Or you can go to the FrontStream Invoicing website [link redacted], select ‘REGISTER’ option and go through the activation process. Below is your detailed account information from our record. They’re required in order to complete your account activation.

Customer Number: [redacted]

Phone Number: [redacted]

Activation Code: [redacted]

Sincerely,

Accounts Receivable

UPDATE MARCH 22

I tweeted about this blog post, and @FrontStream replied:

@zeichick Sorry for the confusion! The email was sent in error from our customer invoicing system. We’ll be following up with more details.

Given that we aren’t a FrontStream customer, this is peculiar. Will update again if there are more details.

UPDATE MARCH 27

Nothing more from FrontStream.

, ,

New ban on flying with a laptop or tablet means the terrorists win

The U.S. and U.K. are banning larger electronic items, like tablets, notebooks and DLSRs, from being carried onboard flights from a small number of countries. If that ban spreads to include more international or even domestic flights, this will result in several nasty consequences:

1. Business travelers may be unable to bring computers on trips at all. Some airlines ban checking luggage with lithium ion batteries into the cargo hold. Nearly all of these devices use LIB. If you can’t carry them onboard, and you can’t check them, they must stay home, or be overnighted to the destination. Shipping those devices may work for some people, but it’s a sucky solution.

2. Even if you can check them, there may be a surge of thefts of these costly electronic goodies from checked baggage. I always carry my expensive pro-grade DSLR and lenses onboard, and never check them. Why? I’m worried about theft and about breakage — that stuff is fragile. If I had to check my camera gear, they’d stay home. Same with my notebook and tablets. There is too much opportunity for stuff to disappear, especially when anyone can easily obtain a universal key for those silly TSA locks. Yes, a family member lost a DSLR from checked luggage.

3. This messes up the plans of airlines who are moving to a BYOD-centric entertainment model. Forget the drop-down TV screens playing one movie. Forget the individual seat-back TV screens offering a choice of movies, TV shows and video games. Airlines are saving money, saving weight, and making customers happy by ditching the electronics and using onboard WiFi to stream entertainment to the passengers’ phone, tablet or laptop. (And they get to charge for air-to-ground WiFi.) According to the Economist, 90% of passengers bring a suitable device. Everyone wins, unless devices are banned. No tablets? No laptops? No onboard entertainment.

The answer to terrorist threats isn’t security theater. Address the risks in an intelligent way, yes. Institute stupid rules that affect all travelers, no. One guy tries to light his shoe on fire, and now you have to take off your shoes to go through airport screening. And now there’s a “threat” and so here’s a new limitation on people making international flights.

That’s how the terrorists win and win and win.

,

Having fun with a vintage HP-28S calculator

Today’s calculation device is this lovely vintage HP-28S “advanced scientific” calculator from the late 1980s.

As a working calculator, it’s not my favorite. HP gets points for creativity, but the clamshell design makes for an awkward user experience. I’m finding it frustrating to use because each line on the display is hard to read, there are too many keys, and the visual cues are subtle. It is also hard to pry the clamshell open.

The keys do have a nice clickiness to them. If you are doing basic math, you can fold the alphanumeric left part of the clamshell behind the right part.

Functionally, the HP-28 series is also innovative, as it’s where HP first exposed RPL to the user. RPL is Reverse Polish Lisp, a next-generation RPN, or Reverse Polish Notation, designed to handle complex algebraic expressions.

Were I doing that sort of equation-solving or scientific work this afternoon, the HP-28S would be ideal. Today’s project, though, is simple arithmetic related to tracking video editing timings. (Last time I did this, I used an HP-32S II, which has a simpler interface and much larger numbers on the one-line display.)

While I don’t use it often, the HP-28S is a prized member of my extensive collection of vintage calculators. My goal is to keep using all the devices (well, at least, the ones that still function) because it’s more fun than simply looking at them.

,

The cybersecurity benefits of artificial intelligence and machine learning

Let’s talk about the practical application of artificial intelligence to cybersecurity. Or rather, let’s read about it. My friend Sean Martin has written a three-part series on the topic for ITSP Magazine, exploring AI, machine learning, and other related topics. I provided review and commentary into the series.

The first part, “It’s a Marketing Mess! Artificial Intelligence vs Machine Learning,” explores probably the biggest challenge about AI: Hyperbole. That, and inconsistency. Every lab, every vendor, every conference, every analyst, defines even the most basic terminology — when they bother to define it at all. Vagueness begets vagueness, and so the terms “artificial intelligence” and “machine learning” are thrown around with wanton abandon. As Sean writes,

The latest marketing discovery of AI as a cybersecurity product term only exacerbates an already complex landscape of jingoisms with like muddled understanding. A raft of these associated terms, such as big data, smart data, heuristics (which can be a branch of AI), behavioral analytics, statistics, data science, machine learning and deep learning. Few experts agree on exactly what those terms mean, so how can consumers of the solutions that sport these fancy features properly understand what those things are?

Machine Learning: The More Intelligent Artificial Intelligence,” the second installment, picks up by digging into pattern recognition. Specifically, the story is about when AI software can discern patterns based on its own examination of raw data. Sean also digs into deep learning:

Deep Learning (also known as deep structured learning, hierarchical learning or deep machine learning) is a branch of machine learning based on a set of algorithms that attempt to model high level abstractions in data by using a deep graph with multiple processing layers, composed of multiple linear and non-linear transformations.

In the conclusion, “The Actual Benefits of Artificial Intelligence and Machine Learning,” Sean brings it home to your business. How you can tell if an AI solution is real? How can you tell what it really does? That means going beyond the marketing material’s attempts to obfuscate:

The bottom line on AI-based technologies in the security world: Whether it’s called machine learning or some flavor of analytics, look beyond the terminology – and the oooh, ahhh hype of artificial intelligence – to see what the technology does. As the saying goes, pay for the steak – not the artificial intelligent marketing sizzle.

It was a pleasure working on this series with Sean, and we hope you enjoy reading it.

, ,

The Russians are hacking! One if by phishing, two if by Twitter

Was the Russian government behind the 2004 theft of data on about 500 million Yahoo subscribers? The U.S. Justice Department thinks so: It accused two Russian intelligence officers of directing the hacking efforts, and also named two hackers as being part of the conspiracy to steal the data.

According to Mary B. McCord, Acting Assistant Attorney General,

The defendants include two officers of the Russian Federal Security Service (FSB), an intelligence and law enforcement agency of the Russian Federation and two criminal hackers with whom they conspired to accomplish these intrusions. Dmitry Dokuchaev and Igor Sushchin, both FSB officers, protected, directed, facilitated and paid criminal hackers to collect information through computer intrusions in the United States and elsewhere.

Ms. McCord added that scheme targeted Yahoo accounts of Russian and U.S. government officials, including security staff, diplomats and military personnel. “They also targeted Russian journalists; numerous employees of other providers whose networks the conspirators sought to exploit; and employees of financial services and other commercial entities,” she said.

From a technological perspective, the hackers first broke into computers of American companies providing email and internet-related services. From there, they harvested information, including information about individual users and the private contents of their accounts. The hackers, explained Ms. McCord, were hired to gather information for the FSB officers — classic espionage. However, they quietly went farther to steal financial information, such as gift card and credit card numbers, from users’ email accounts — and also use millions of stolen Yahoo accounts to set up an email spam scheme.

Was this state-sponsored cybertheft? Probably, but it’s not certain. What we have are serious allegations, but we don’t know if the FSB agents were working on orders from the Kremlin, or if they were running their own operation for their own private benefit. It’s simply too soon to tell.

The Turkish/Dutch Hacking Connection

Similarly, it’s too soon to know who is behind this week’s use of hijacked Twitter accounts to fling some nasty rhetoric against the Netherlands. This comes on the heels of the Dutch government’s efforts to block Turkish government ministers from traveling to the Netherlands to encourage Turkish ex-pats to vote in a Turkish referendum. At the same time, the Netherlands themselves were having an important election, with one of the leading candidates offering an isolationist, anti-Muslim platform. According to Reuters,

A diplomatic spat between Turkey, the Netherlands and Germany spread online on Wednesday when a large number of Twitter accounts were hijacked and replaced with anti-Nazi messages in Turkish.

The attacks, using the hashtags #Nazialmanya (NaziGermany) or #Nazihollanda (NaziHolland), took over accounts of high-profile CEOs, publishers, government agencies, politicians and also some ordinary Twitter users.

The account hijackings took place as the Dutch began voting on Wednesday in a parliamentary election that is seen as a test of anti-establishment and anti-immigrant sentiment.

The hackers did a good job getting access to Twitter accounts. Reuters continued,

The hacked accounts featured tweets with Nazi symbols, a variety of hashtags and the phrase “See you on April 16”, the date of a planned referendum in Turkey on extending Erdogan’s presidential powers.

Among them were the accounts of the European Parliament and the personal profile of French conservative politician Alain Juppe.

They also included the UK Department of Health and BBC North America, along with the profile of Marcelo Claure, the chief executive of U.S. telecoms operator Sprint Corp.

Other accounts included publishing sites for Die Welt, Forbes and Reuters Japan and several non-profit agencies including Amnesty International and UNICEF USA, as well as Duke University in the United States.

How did the hackers get access to Twitter? In part by breaking into a Dutch audience analytics company, which would have had access to some or all of those accounts. As Reuters reported,

At least some of the hijacked tweets appear to have been delivered via Twitter Counter, a Netherlands-based Twitter audience analytics company. Twitter Counter Chief Executive Omer Ginor acknowledged via email that the service had been hacked.

Meanwhile in a separate action, Reuters said,

Last Saturday, denial of service attacks staged by a Turkish hacking group hit the websites of Rotterdam airport and anti-Islam firebrand Geert Wilders, whose Freedom Party is vying to form to form the biggest party in the Dutch parliament.

So – as with the Yahoo hack in 2014 – are these the work of state-sponsored hackers? Or of hackers who believe in a cause, and who are working on their own to support that cause? It’s too soon to tell, and in this case, we may never know; it’s unclear if any organizations as powerful as the U.S. Justice Department and FBI are investigating. What we do know, though, is that nearly everything is vulnerable. A reputable analytics service can be hacked in order to provide a backdoor means to take over Twitter accounts. Internet access companies can be subverted and used for espionage or for staging man-in-the-middle attacks.

How many more of these attacks will be unveiled in the weeks, months and years ahead? One safe prediction: There will be many more attacks — whether state sponsors are behind them or not.

,

Repurposing, solution, robust, best of breed, mission-critical, next-generation, web-enabled, leading, value-added, leverage, seamless…

Let’s take a chainsaw to content-free buzzwords favored by technology marketers and public relations professionals. Or even better, let’s applaud one PR agency’s campaign to do just that. Houston PR, based in the UK, has a fun website called “Buzzsaw” which removes those empty phrases from text, such as press releases. Says the agency:

This free tool automatically hacks PR buzzwords out of press releases to make life more bearable for Britain’s hard-working journalists.

The Buzzsaw can also be used for speeches, strategy documents, advertising copy or any other collections of words that need to be as clear as possible.

You’ll find that toe-curling terms like repurposing, solution, robust, best of breed, mission-critical, next-generation, web-enabled, leading, value-added, leverage, seamless, etc, are struck out by the Buzzsaw.

It also takes a scythe to cutesy Hipster-style words and phrases like “totes amazeballs”, “awesome” and “super excited”.

To compile the Buzzsaw database we asked thousands of journalists to supply examples of the PR terms that irritate them the most.

Here are some of the words and phrases that Buzzsaw looks for. Note that it does tend to be British-centric in terms of spelling.

“win rates”, “business development lifecycle”, “market-leading”, “global provider”, “simple mission”, “optimal opportunities”, “unmatched capabilities”, “big data”, “pace of investment”, “priority needs”, “Blue Sky Thinking”, “Descriptor”, “Packages”, “Manage expectations”, “collegiate approach”, “oxygenate the process”, “low hanging fruit”, “Happy Bunny”, “Robust procedures”, “keep across”, “Stewardship”, “Solutioning”, “net net”, “sub-ideal”, “action that solve”, “expidite the deliverables”, “park this issue”, “suite of offerings”, “sunset”, “horizon scan”, “110%”, “Socialise”, “Humble”, “Special someone”, “Super”, “Shiny”, “Taxing times”, “Do the math”, “Sharing”, “Nailed it”, “Bail in”, “Revert”, “Sense check”, “Snackable content”, “higher order thinking”, “Coopetition”, “Fulfilment issues”, “Cascade”, “Demising”, “Horizon scanning”, “Do-able”, “Yardstick”, “Milestone”, “Landmark achievement”, “Negativity”, “True story”, “So True”, “Next-generation”, “Voice to voice”, “So to speak”, “Step change”, “Edgy”

Check it out — and if you are a tech PR professional or marketeer, maybe try it on your own collateral.

, , ,

Exciting News: BZ Media sells InterDrone to Emerald Expositions

As many of you know, I am co-founder and part owner of BZ Media LLC. Yes, I’m the “Z” of BZ Media. Here is exciting news released today about one of our flagship events, InterDrone.

MELVILLE, N.Y., March 13, 2017 BZ Media LLC announced today that InterDrone™ The International Drone Conference & Exposition has been acquired by Emerald Expositions LLC, the largest producer of trade shows in North America. InterDrone 2016 drew 3,518 attendees from 54 different countries on 6 continents and the event featured 155 exhibitors and sponsors. The 2017 event will be managed and produced by BZ Media on behalf of Emerald.

Emerald Expositions is the largest operator of business-to-business trade shows in the United States, with their oldest trade shows dating back over 110 years. They currently operate more than 50 trade shows, including 31 of the top 250 trade shows in the country as ranked by TSNN, as well as numerous other events. Emerald events connect over 500,000 global attendees and exhibitors and occupy over 6.7 million NSF of exhibition space.

“We are very proud of InterDrone and how it has emerged so quickly to be the industry leading event for commercial UAV applications in North America,” said Ted Bahr, President of BZ Media. “We decided that to take the event to the next level required a company of scale and expertise like Emerald Expositions. We look forward to supporting Emerald through the 2017 and 2018 shows and working together to accelerate the show’s growth under their ownership over the coming years.”

InterDrone was just named to the Trade Show Executive magazine list of fastest growing shows in 2016 and was one of only 14 shows in the country that was named in each of the three categories; fastest growth in exhibit space, growth in number of exhibitors and in attendance. InterDrone was the only drone show named to the list.

InterDrone 2017 will take place September 6–8, 2017, at the Rio Hotel & Casino in Las Vegas, NV, and, in addition to a large exhibition floor, features three subconferences for attendees, making InterDrone the go-to destination for UAV educational content in North America. More than 120 classes, panels and keynotes are presented under Drone TechCon (for drone builders, engineers, OEMs and developers), Drone Enterprise (for enterprise UAV pilots, operators and drone service businesses) and Drone Cinema (for pilots engaged in aerial photography and videography).

“Congratulations to Ted Bahr and his team at BZ Media for successfully identifying this market opportunity and building a strong event that provides a platform for commercial interaction and education to this burgeoning industry”, said David Loechner, President and CEO of Emerald Expositions. “We have seen first-hand the emerging interest in drones in our two professional photography shows, and we are excited at the prospect of leveraging our scale, experience and expertise in trade shows and conferences to deliver even greater benefits to attendees, sponsors, exhibitors at InterDrone and to the entire UAV industry.”

, ,

Look out iOS, Android and IoT, here comes the CIA, says WikiLeaks

To absolutely nobody’s surprise, the U.S. Central Intelligence Agency can spy on mobile phones. That includes Android and iPhone, and also monitor the microphones on smart home devices like televisions.

This week’s disclosure of CIA programs by WikiLeaks has been billed as the largest-ever publication of confidential documents from the American spy agency. The document dump will appear in pieces; the first installment has 8,761 documents and files from the CIA’s Center for Cyber Intelligence, says WikiLeaks.

According to WikiLeaks, the CIA malware and hacking tools are built by EDG (Engineering Development Group), a software development group within the CIA’s Directorate for Digital Innovation. WikiLeaks says the EDG is responsible for the development, testing and operational support of all backdoors, exploits, malicious payloads, trojans, viruses and any other kind of malware used by the CIA.

Smart TV = Spy TV?

Another part of the covert program, code-named “Weeping Angel,” turns smart TVs into secret microphones. After infestation, Weeping Angel places the target TV in a ‘Fake-Off’ mode. The owner falsely believes the TV is off when it is on. In ‘Fake-Off’ mode the TV operates as a bug, recording conversations in the room and sending them over the Internet to a covert CIA server.

The New York Times reports the CIA has refused to explicitly confirm the authenticity of the documents. however, the government strongly implied their authenticity when the agency put out a statement to defend its work and chastise WikiLeaks, saying the disclosures “equip our adversaries with tools and information to do us harm.”

The WikiLeaks data dump talked about efforts to infect and control non-mobile systems. That includes desktops, notebooks and servers running Windows, Linux, Mac OS and Unix. The malware is distributed in many ways, including website viruses, software on CDs or DVDs, and portable USB storage devices.

Going mobile with spyware

What about the iPhone? Again, according to WikiLeaks, the CIA produces malware to infest, control and exfiltrate data from Apple products running iOS, such as iPhones and iPads. Similarly, other programs target Android. Says WikiLeaks, “These techniques permit the CIA to bypass the encryption of WhatsApp, Signal, Telegram, Wiebo, Confide and Cloackman by hacking the smart phones that they run on and collecting audio and message traffic before encryption is applied.”

The tech industry is scrambling to patch the vulnerabilities revealed by the WikiLeaks data dump. For example, Apple said,

Apple is deeply committed to safeguarding our customers’ privacy and security. The technology built into today’s iPhone represents the best data security available to consumers, and we’re constantly working to keep it that way. Our products and software are designed to quickly get security updates into the hands of our customers, with nearly 80 percent of users running the latest version of our operating system. While our initial analysis indicates that many of the issues leaked today were already patched in the latest iOS, we will continue work to rapidly address any identified vulnerabilities. We always urge customers to download the latest iOS to make sure they have the most recent security updates.

Enterprises should expect patches to come from every major hardware or software vendors. IT must be vigilant about making those security updates. In addition, everyone should attempt to identify unpatched devices on the network, and deny those devices access to critical resources until they are properly patched and tested. We don’t want to help mobile devices to become spy devices.

, , ,

Happy encouragement from my smartwatch

“You walked 713 steps today. Good news is the sky’s the limit!”

Thank you, Pebble, for that encouragement yesterday.

The problem with fitness apps in smartwatches is that you have to wear the watch for them to work. When I am at home, I never wear a watch. Since I work from home, that means that I usually don’t have a watch on my wrist. And when I go out, sometimes I wear the Pebble, sometimes something else. For a recent three-day weekend trip away with my wife, for example, I carried the pocket watch she bought me for our 15th anniversary. So, it’s hard for the Pebble app to get an accurate read on my activity.

Yesterday, I only wore this watch for a brief period of time. The day before, not at all. That’s why Pebble thought that 713 steps was a great accomplishment.

(Too bad Pebble is out of business. I like this watch.)

, , ,

What to do about credentials theft – the scourge of cybersecurity

Cybercriminals want your credentials and your employees’ credentials. When those hackers succeed in stealing that information, it can be bad for individuals – and even worse for corporations and other organizations. This is a scourge that’s bad, and it will remain bad.

Credentials come in two types. There are personal credentials, such as the login and password for an email account, bank and retirement accounts, credit-card numbers, airline membership program, online shopping and social media. When hackers manage to obtain those credentials, such as through phishing, they can steal money, order goods and services, and engage in identity theft. This can be extremely costly and inconvenient for victims, but the damage is generally contained to that one unfortunate individual.

Corporate digital credentials, on the other hand, are the keys to an organization’s network. Consider a manager, executive or information-technology worker within a typical medium-size or larger-size business. Somewhere in the organization is a database that describes that employee – and describes which digital assets that employee is authorized to use. If cybercriminals manage to steal the employee’s corporate digital credentials, the criminals can then access those same assets, without setting off any alarm bells. Why? Because they have valid credentials.

What might those assets be? Depending on the employee:

  • It might range from everything to file servers that contain intellectual property, as pricing sheets, product blueprints, or patent applications.
  • It might include email archives that describe business plans. Or accounting servers that contain important financial information that could help competitors or allow for “insider trading.”
  • It might be human resources data that can help the hackers attack other individuals. Or engage in identity theft or even blackmail.

What if the stolen credentials are for individuals in the IT or information security department? The hackers can learn a great deal about the company’s technology infrastructure, perhaps including passwords to make changes to configurations, open up backdoors, or even disable security systems.

Read my whole story about this —including what to do about it — in Telecom Times, “The CyberSecurity Scourge of Credentials Theft.”

, , ,

Apple replaces Videos mobile app with TV — confuses iPad users

Apple isn’t as friendly or as as communicative as one would think. Earlier today, I received a panic call from someone trying to sync videos to her iPad from a Mac – and receiving a message that there was no suitable application on the iPad. Huh? That made no sense. The app for playing locally stored videos on an iPad is called Videos, and it’s a standard, built-in app. What’s the deal?

In short: With the iOS 10.2 operating system update, Apple renamed the Videos app to TV. And it has to be installed from the Apple App Store. It’s a free download, but who knew? Apparently not me. And not a lot of people who queried their favorite search engine with phrases like “ipad videos app missing.”

What’s worse, the change had the potential to delete locally stored video content. One dissatisfied user posted on an Apple discussion forum:

New TV App deleted home videos from iPad

I had a bunch of home videos on my iPad, and when I updated to iOS 10.2, the new TV App replaced videos. On my iPhone 6, this process went fine. I launched TV, and up popped the Library, and within it was a sub-menu for Home Videos. The one and only one I had on my iPhone is still there.

But I had dozens on my iPad and now they are all gone. Not only are they all gone, but there is no sub-menu for Home Videos AT ALL! I can probably replace them by synching to my laptop, but this is a time-consuming pain in the *$$, and why should I have to do this at all?

This change was unveiled in October 2016, with much fanfare, claiming:

Apple today introduced the new TV app, offering a unified experience for discovering and accessing TV shows and movies from multiple apps on Apple TV, iPhone and iPad. The TV app provides one place to access TV shows and movies, as well as a place to discover new content to watch. Apple also introduced a new Siri feature for Apple TV that lets viewers tune in directly to live news and sporting events across their apps. Watching TV shows and movies across Apple devices has never been easier.

The update appeared, for U.S. customers at least, on December 12, 2016. That’s when iOS 10.2 came out. Buh-bye, Videos app!

The change moved a piece of core functionality from iOS itself into an app. The benefits: The new TV app can be updated on its own schedule, not tied to iOS releases, and iOS releases themselves can be smaller. The drawback: Users must manually install the TV app.

Once the TV app is installed, the user can re-sync the videos from a Mac or Windows PC running iTunes. This should restore the missing content, assuming the content is on the desktop/notebook computer. How rude, Apple!

Let me add, snarkily, that the new name is stupid since there’s already a thing from Apple called TV – Apple TV.

,

Snapchat IPO goes big — let’s hope it doesn’t go poof!

What’s the Snapchat appeal? For now, it’s a red-hot initial public offering and the promise of more public offerings to come, after a period of slow tech movement on Wall Street.

The Snapchat social-media service is perplexing to nearly anyone born before 1990, myself included. That didn’t stop its debut on the New York Stock Exchange from ringing everyone’s bell. According to Fox News, Snapchat’s (SNAP) wildly successful trading debut, which bested Facebook’s (FB), Alibaba’s (BABA) and Google’s (GOOGL). At the outset of trading Thursday, the stock jumped more than 40 percent to $24 a share, no thanks to Main Street investors who were largely left out of the action. Snapchat surged 44 percent Thursday, closing at $24.48, which valued the social media company’s market cap around $28.3 billion.

Not bad for a social media service whose appeal is that its messages, photos and videos only stick around for a little while, and then vanish forever. That places Snapchat in stark contract against services like Facebook and Twitter, which saves everything forever (unless the original poster goes back a deletes a specific post).

Snapchat’s hot IPO came on one of the biggest recent days on stock markets, with the FTSE 100 and Dow breaking records. As reported by the Telegraph:

“Animal spirits have taken over,” said Neil Wilson, of ETX Capital, as the FTSE 100 charged to a fresh intraday record high of 7,383.05. It closed at a new peak of 7,382.9, up 119.46 points, or 1.64pc, on the day, while the more domestically-focused FTSE 250 also hit an intraday high of 18,983.01.

and

On Wall Street, the Dow Jones crossed the 21,000 mark for the first time ever, as industrial and banking stocks rallied. Clocking in at 25 trading sessions, the rally from 20,000 to 21,000 is the Dow’s fastest move between thousand-point milestones since 1999.

Which 2017 IPOs will come next?

According to MarketWatch, possible hot IPOs to watch for in 2017 include:

  • Spotify: Spotify raised $1 billion in debt financing in March, according to The Wall Street Journal, with conditions that essentially force it to go public in 2017 or pay greater interest on its debt and increased discounts to its investors.
  • Palantir Technologies Inc.: Palantir sells its software to government agencies, including the Defense Intelligence Agency and other military branches, which could become more relevant under Trump’s administration.
  • Uber: In 2017, the ride-hailing startup is expected to face continuing battles over regulation as it fights with cities over self-driving cars as well as the operation of its driver-based business. Additionally, the company faces lawsuits over whether its drivers are employees or independent contractors, and a widespread ruling that finds the drivers are employees could have major implications for Uber’s business model.
  • Lyft Inc.: In 2016, Lyft was followed by rumors of a possible sale because it had hired investment bank Qatalyst Partners, which helps companies find a buyer. But John Green, Lyft’s co-founder, denied pursuing a sale in October and said the company could go public within a few years.
  • Airbnb Inc.: Like Uber and Lyft, Airbnb is also up against a bevy of regulations. But the company appears to be chipping away at short-term housing regulation city by city, with the most recent example coming in New York City. That will likely continue through 2017, Rao said, at least until the company can develop solid working relationships in major cities.
  • Dropbox Inc.: It feels like the file-storage company has been forever rumored to go public, but 2017 may finally be the year for Dropbox.

It will be a rollercoaster ride this year. Let’s hope the market exuberance doesn’t go the way of Snapchat’s messages: Poof!

, ,

Chicken sandwich at 12 o’clock high!

If Amazon can deliver packages by drone, then fast-food restaurants like Chick-Fil-A can air-lift chicken sandwiches via hot-air balloon. Right? At least, that’s the best explanation for this sighting in my Phoenix neighborhood.

Of course, what I really want is a Dunkin’ Donuts food truck going up my street. Like the old-fashioned ice cream vans. Though drones would be okay too. I’m not picky.