“Ransomware! Ransomware! Ransomware!” Those words may lack the timeless resonance of Steve Ballmer’s epic “Developers! Developers! Developers!” scream in 2000, but ransomware was seemingly an obsession at Black Hat USA 2017, happening this week in Las Vegas.

There are good reasons for attendees and vendors to be focused on ransomware. For one thing, ransomware is real. Rates of ransomware attacks have exploded off the charts in 2017, helped in part by the disclosures of top-secret vulnerabilities and hacking tools allegedly stolen from the United States’ three-letter-initial agencies.

For another, the costs of ransomware are significant. Looking only at a few attacks in 2017, including WannaCry, Petya, and NotPetya, corporations have been forced to revise their earnings downward to account for IT downtime and lost productivity. Those include Reckitt, Nuance, and FedEx. Those types of impact grab the attention of every CFO and every CEO.

Another analyst I talked with at Black Hat observed that just about every vendor on the expo floor had managed to incorporate ransomware into its magic show. My quip: “I wouldn’t be surprised to see a company marketing network cables as specially designed to prevent against ransomware.” His quick retort: “The queue would be half a mile long for samples. They’d make a fortune.”

While we seek mezzanine funding for our Ransomware-Proof CAT-6 Cables startup, let’s talk about what organizations can and should do to handle ransomware. It’s not rocket science, and it’s not brain surgery.

  • Train, train, train. End users will slip up, and they will click to open emails they shouldn’t open. They will visit websites they shouldn’t visit. And they will ignore security warnings. That’s true for the lowest-level trainee – and true for the CEO as well. Constant training can reduce the amount of stupidity. It can make a difference. By the way, also test your employees’ preparedness by sending out fake malware, and see who clicks on it.
  • Invest in tools that can detect ransomware and other advanced malware. Users will make mistakes, and we’ve seen that there are some ransomware variants that can spread without user intervention. Endpoint security technology is required, and if possible, such tools should do more than passively warn end users if a problem is detected. There are many types of solutions available; look into them, and make sure there are no coverage gaps.
  • Aggressively patch and update software. Patches existed for months to close the vulnerabilities exploited by the recent flurry of ransomware attacks. It’s understandable that consumers wouldn’t be up to date – but it’s inexcusable for corporations to have either not known about the patches, or to have failed to install them. In other words, these attacks were basically 100% avoidable. Maybe they won’t be in the future if the hackers exploit true zero-days, but you can’t protect your organization with out-of-date operating systems, applications, and security tools.
  • Backup, backup, backup. Use backup technology that moves data securely into the data center or into the cloud, so that ransomware can’t access the backup drive directly. Too many small businesses lost data on laptops, notebooks, and servers because there weren’t backups. We know better than this! By the way, one should assume that malware attacks, even ransomware, can be designed to destroy data and devices. Don’t assume you can write a check and get your data back safely.
  • Stay up to date on threat data. You can’t rely upon the tech media, or vendor blogs, to keep you up to date with everything going on with cybersecurity. There are many threat data feeds, some curated and expensive, some free and lower-quality. You should find a threat data source that seems to fit your requirements and subscribe to it – and act on what you read. If you’re not going to consume the threat data yourself, find someone else to do so. An urgent warning about your database software version won’t do you any good if it’s in your trashcan.

Ransomware! Ransomware! Ransomware! When it comes to ransomware and advanced malware, it’s not a question of if, or even a question of when. Your organization, your servers, your network, your end-users, are under constant attack. It only takes one slip-up to wreak havoc on one endpoint, and potentially on multiple endpoints. Learn from what’s going on at Black Hat – and be ready for the worst.

We saw “Valerian and the City of a Thousand Planets” and thoroughly enjoyed it. It was far better than the professional reviews; yes, the plot was a bit convoluted, and yes, the romance between the major and the sergeant seemed forced and cheesy… but it was good fun. (And the romance was far less cheesy […]

A major global cyberattack could cost US$53 billion of economic losses. That’s on the scale of a catastrophic disaster like 2012’s Hurricane Sandy.

Lloyd’s of London, the famous insurance company, partnered with Cyence, a risk analysis firm specializing in cybersecurity. The result is a fascinating report, “Counting the Cost: Cyber Exposure Decoded.” This partnership makes sense: Lloyd’s must understand the risk before deciding whether to underwrite a venture — and when it comes to cybersecurity, this is an emerging science. Traditional actuarial methods used to calculate the risk of a cargo ship falling prey to pirates, or an office block to a devastating flood, simply don’t apply.

Lloyd’s says that in 2016, cyberattacks cost businesses as much as $450 billion. While insurers can help organizations manage that risk, the risk is increasing. The report points to those risks covering “everything from individual breaches caused by malicious insiders and hackers, to wider losses such as breaches of retail point-of-sale devices, ransomware attacks such as BitLocker, WannaCry and distributed denial-of-service attacks such as Mirai.”

The worry? Despite writing $1.35 billion in cyberinsurance in 2016, “insurers’ understanding of cyber liability and risk aggregation is an evolving process as experience and knowledge of cyber-attacks grows. Insureds’ use of the internet is also changing, causing cyber-risk accumulation to change rapidly over time in a way that other perils do not.”

And that is why the lack of time-tested actuarial tables can cause disaster, says Lloyd’s. “Traditional insurance risk modelling relies on authoritative information sources such as national or industry data, but there are no equivalent sources for cyber-risk and the data for modelling accumulations must be collected at scale from the internet. This makes data collection, and the regular update of it, key components of building a better understanding of the evolving risk.”

Where the Risk Is Growing

The report points to six significant trends that are causing increased risk of an expensive attack – and therefore, increased liability:

  • Volume of contributors: The number of people developing software has grown significantly over the past three decades; each contributor could potentially add vulnerability to the system unintentionally through human error.
  • Volume of software: In addition to the growing number of people amending code, the amount of it in existence is increasing. More code means the potential for more errors and therefore greater vulnerability.
  • Open source software: The open-source movement has led to many innovative initiatives. However, many open-source libraries are uploaded online and while it is often assumed they have been reviewed in terms of their functionality and security, this is not always the case. Any errors in the primary code could then be copied unwittingly into subsequent iterations.
  • Old software: The longer software is out in the market, the more time malicious actors have to find and exploit vulnerabilities. Many individuals and companies run obsolete software that has more secure alternatives.
  • Multi-layered software: New software is typically built on top of prior software code. This makes software testing and correction very difficult and resource intensive.
  • “Generated” software: Code can be produced through automated processes that can be modified for malicious intent.

Based on those points, and other factors, Lloyd’s and Cyence have come up with two primary scenarios that could lead to widespread, and costly, damages. The first: a successful hack of a major cloud service provider, which hosts websites, applications, and data for many companies. The second: a mass vulnerability attack that affects many client systems. One could argue that some of the recent ransomware attacks fit into that scenario.

Huge Liability Costs

The “Counting the Cost” report makes for some depressing reading. Here are three of the key findings, quoted verbatim.

  • The direct economic impacts of cyber events lead to a wide range of potential economic losses. For the cloud service disruption scenario in the report, these losses range from US$4.6 billion for a large event to US$53.1 billion for an extreme event; in the mass software vulnerability scenario, the losses range from US$9.7 billion for a large event to US$28.7 billion for an extreme event.
  • Economic losses could be much lower or higher than the average in the scenarios because of the uncertainty around cyber aggregation. For example, while average losses in the cloud service disruption scenario are US$53 billion for an extreme event, they could be as high as US$121.4 billion or as low as US$15.6 billion, depending on factors such as the different organisations involved and how long the cloud-service disruption lasts for.
  • Cyber-attacks have the potential to trigger billions of dollars of insured losses. For example, in the cloud-services scenario insured losses range from US$620 million for a large loss to US$8.1 billion for an extreme loss. For the mass software vulnerability scenario, the insured losses range from US$762 million (large loss) to US$2.1 billion (extreme loss).

Read the 56-page report to dig deeply into the scenarios, and the damages. You may not sleep well afterwards.

People Queue Magazine has a fascinating new article, “No more queuing at the ladies’ room.” You’ll want to read the whole thing, because it has some fascinating mathematics (this is a scientific article, not a sociological one). Here’s a teaser:

Although it’s a well-documented fact that women have to wait longer at the bathroom stall, so far the mathematical perspective seems to be lacking in literature. This is in spite of the decennia-long existence of the field of queuing theory, which has traditionally been applied most to problems of technology and decent people, rather than to such inescapable habits as the act of excreting.

Nevertheless, mathematics is what you need to analyze queues because of the inherent random nature of queuing phenomena, turning simple lines of people into complex nonlinear systems with numerous parameters, whereby a small deviation can lead to excessive additional waiting. This is as opposed to good old linear systems, which see linear changes of parameters translated in proportional variations at their output.

Nonlinear systems are common in everyday life and nature. A virus for example will result in a pandemic much faster if it is just slightly more infectious. And just a few extra cars make for a traffic jam appearing out of thin air. Similarly, toilet queues, or any queue for that matter, pose nonlinear problems in which the fragile balance between capacity and demand can be disrupted by subtle tweaks.

A first factor explaining why women wait longer is that the net number of toilets for women is smaller than that for men. The toilet sections for men and women are often of equal size, as is the surface dedicated to each of them. What appears to be “fair” at first sight, is quite unreasonable knowing that a toilet cabin inevitably takes up more space than a urinal. Overall, an average toilet area can accommodate 20 to 30% more toilets for men (urinals + cabins) than for women.

The major impact of the number of toilets on the average waiting time can be understood from the Erlang-C queuing model. This model allows one to calculate the average waiting time when the number of available toilets, the average time spent on the toilet and the average arrival intensity are known. Where λ stands for the average arrival intensity expressed in number of arrivals per minute, μ for the inverse of the average time spent on the toilet, and t for the number of toilets, the average waiting time is obtained from the following formulas:

Read the whole article — and there’s no waiting, whether you are male or female.
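The Erlang-C calculation the excerpt refers to, worked through as an added example (not code from the article or from this post), with the excerpt’s λ, μ and t as parameters. The arrival rate, visit duration and toilet counts below are constructed; the 20% and 30% extra fixtures for men come from the excerpt.

```python
import math


def erlang_c_wait_prob(arrival_rate, service_rate, servers):
    """Erlang-C probability that an arrival finds every toilet busy and has to queue.

    arrival_rate: lambda, arrivals per minute
    service_rate: mu, 1 / (average time spent on the toilet), per minute
    servers:      t, number of toilets
    """
    a = arrival_rate / service_rate  # offered load in erlangs
    if servers <= 0 or a >= servers:
        return 1.0  # demand at or above capacity: everybody queues
    # a^t / t! * t / (t - a): weight of the "all toilets busy" states
    busy_term = a ** servers / math.factorial(servers) * servers / (servers - a)
    # sum_{k=0}^{t-1} a^k / k!: weight of the states with at least one free toilet
    free_terms = sum(a ** k / math.factorial(k) for k in range(servers))
    return busy_term / (free_terms + busy_term)


def erlang_c_mean_wait(arrival_rate, service_rate, servers):
    """Mean time spent queuing, in minutes; infinite when the queue is unstable."""
    if arrival_rate >= servers * service_rate:
        return math.inf
    p_wait = erlang_c_wait_prob(arrival_rate, service_rate, servers)
    # Those who wait are served at the combined rate t*mu minus the inflow lambda.
    return p_wait / (servers * service_rate - arrival_rate)


def compare_restrooms(arrival_rate, service_rate, women_toilets, men_extra_fraction):
    """Mean queuing time for a women's restroom with `women_toilets` cabins versus a
    men's restroom of the same floor area that fits `men_extra_fraction` more
    fixtures (urinals + cabins), both fed by the same arrival rate."""
    men_toilets = round(women_toilets * (1 + men_extra_fraction))
    return {
        "women": erlang_c_mean_wait(arrival_rate, service_rate, women_toilets),
        "men": erlang_c_mean_wait(arrival_rate, service_rate, men_toilets),
    }


if __name__ == "__main__":
    # Constructed scenario: 2.2 arrivals per minute during an intermission,
    # 4 minutes per visit (mu = 0.25 per minute), 10 cabins for women.
    for extra in (0.20, 0.30):
        waits = compare_restrooms(2.2, 0.25, 10, extra)
        print(f"men +{extra:.0%}: women wait {waits['women']:.2f} min, "
              f"men wait {waits['men']:.2f} min")
```

With these constructed numbers the women’s toilets run at 88% utilisation and 20% more fixtures cut the mean wait about sevenfold, which is the nonlinearity the excerpt describes.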

Automotive ECU (engine control unit)


In my everyday life, I trust that if I make a panic stop, my car’s antilock brake system will work. The hardware, software, and servos will work together to ensure that my wheels don’t lock up—helping me avoid an accident. If that’s not sufficient, I trust that the impact sensors embedded behind the front bumper will fire the airbag actuators with the correct force to protect me from harm, even though they’ve never been tested. I trust that the bolts holding the seat in its proper place won’t shear. I trust the seat belts will hold me tight, and that cargo in the trunk won’t smash through the rear seats into the passenger cabin.

Engineers working on nearly every automobile sold worldwide ensure that their work practices conform to ISO 26262. That standard describes how to manage the functional safety of the electrical and electronic systems in passenger cars. A significant portion of ISO 26262 involves ensuring that software embedded into cars—whether in the emissions system, the antilock braking systems, the security systems, or the entertainment system—is architected, coded, and tested to be as reliable as possible.

I’ve worked with ISO 26262 and related standards on a variety of automotive software security projects. Don’t worry, we’re not going to get into the hairy bits of those standards because unless you are personally designing embedded real-time software for use in automobile components, they don’t really apply. Also, ISO 26262 is focused on the real-world safety of two-ton machines hurtling at 60-plus miles per hour—that is, things that will kill or hurt people if they don’t work as expected.

Instead, here are five IT systems management ideas that are inspired by ISO 26262. We’ll help you ensure your systems are designed to be Reliable, with a capital R, and Safe, with a capital S.

Read the list, and more, in my article for HP Enterprise Insights, “5 lessons for data center pros, inspired by automotive engineering standards.”

Isn’t this exciting? Here’s an email I received that promises me a significant payout ($620,000) for, well, I’m not really sure what. I’m sure the scam would require paying some up-front fee and/or handing over bank account information. If you receive messages like this, simply delete them.

Subject: Dear Talented,

Dear Talented,

I am Talent Scout For BLUE SKY FILM STUDIO, Present Blue sky Studio a Film Corporation Located in the United State, is Soliciting for the Right to use Your Photo/Face and Personality as One of the Semi -Major Role/ Character in our Upcoming ANIMATED Stereoscope 3D Movie-The Story of Anubis (Anubis 2018) The Movie is Currently Filming (In Production) Please Note That There Will Be No Auditions, Traveling or Any Special / Professional Acting Skills, Since the Production of This Movie Will Be Done with our State of Art Computer -Generating Imagery Equipment. We Are Prepared to Pay the Total Sum of $620,000.00 USD. For More Information/Understanding, Please Write us on the E-Mail Below.

CONTACT EMAIL: [address hidden]

All Reply to: [address hidden]

Note: Only the Response send to this mail will be Given a Prior Consideration.

Talent Scout
Kim Sharma

We added a new friend to our back yard bird list, the Gilded Flicker, a type of woodpecker. We already knew about our Gila Woodpeckers, and also the more common Northern Flicker, but the Gilded Flicker really stood out. See those beautiful yellow/gold feathers? And the little patches of red on the cheeks? Gorgeous.

Here’s the current list of our backyard birds, in alphabetical order by scientific name, as of July 2017. (Cactus Wren wins the contest for best name.) We live in the Moon Valley neighborhood of Phoenix, in the north-central part of the city.

  • Accipiter cooperii – Cooper’s Hawk
  • Agapornis roseicollis – Rosy-Faced / Peach-Faced Lovebirds
  • Archilochus alexandri – Black-Chinned Hummingbird
  • Auriparus flaviceps – Verdin
  • Bubo virginianus – Great Horned Owl
  • Buteo jamaicensis – Red-Tailed Hawk
  • Callipepla gambelii – Gambel’s Quail
  • Calypte anna – Anna’s Hummingbird
  • Calypte costae – Costa’s Hummingbird
  • Campylorhynchus brunneicapillus – Cactus Wren
  • Cardinalis cardinalis – Northern Cardinal
  • Colaptes auratus – Northern Flicker
  • Colaptes chrysoides – Gilded Flicker
  • Columbina inca – Inca Dove
  • Columba livia – Common Pigeon / Rock Dove
  • Geococcyx californianus – Greater Roadrunner
  • Haemorhous mexicanus – House Finch
  • Melanerpes uropygialis – Gila Woodpecker
  • Mimus polyglottos – Northern Mockingbird
  • Passer domesticus – House Sparrow
  • Pipilo aberti – Abert’s Towhee
  • Spinus psaltria – Lesser Goldfinch
  • Spinus tristis – American Goldfinch
  • Sturnus vulgaris – Common Starling
  • Toxostoma curvirostre – Curve-Billed Thrasher
  • Zenaida asiatica – White-Winged Dove
  • Zenaida macroura – Mourning Dove
  • Zonotrichia atricapilla – Gold-Crowned Sparrow
  • Zonotrichia leucophrys – White-Crowned Sparrow

“Thou shalt not refer winkingly to my taking off my robe after worship as disrobing.” A powerful new essay by Pastor Melissa Florer-Bixler, “10 commandments for male clergy,” highlights the challenges that female clergy endure in a patriarchal tradition — and one in which they are still seen as interlopers to church/synagogue power.

In my life and volunteer work, I have the honor to work with many clergy. Many, but not all, are rabbis and cantors who come from the traditions of Reform Judaism. Many of them are women. I also work with female Conservative and Reconstructionist rabbis and cantors, as well as female pastors and ministers. And of course, there are lots of male clergy, from those traditions as well as the male-only Orthodox Jewish and Roman Catholic domains.

Congregations, schools, seminaries, communities, and non-profits enjoy abundant blessings when employing and engaging with female clergy. That doesn’t mean that women clergy are always seen as first-class clergy, and treated with the same respect as their male counterparts.

There are too many assumptions, writes Pastor Florer-Bixler, who ministers at the Raleigh Mennonite Church. Too many jokes. Too many subtle sexist put-downs. I’ve heard those myself. To be honest, there are some jokes and patronizing assumptions that I’ve made myself. While always meant kindly, my own words and attitude contributed to the problem.

In her essay, Pastor Florer-Bixler writes about mansplaining, stereotypes, and the unspoken notion that religious institutions are essentially masculine:

In her recent lecture-essay “Women in Power: From Medusa to Merkel,” Mary Beard describes the pervasiveness of the cultural stereotype that power — from the halls of ancient Greece to the modern parliament — is masculine.

She cites a January 2017 article in The London Times about women front-runners for the positions of bishop of London, commissioner of the Metropolitan Police and chair of the BBC governing board. The headline read: “Women prepare for a power grab in church, police and BBC.”

Beard points out that “probably thousands upon thousands of readers didn’t bat an eyelid” at the suggestion that those seats of power were the property of men — possessions being “grabbed,” that is, taken away, by women.

Straight-forward sexism

Pastor Florer-Bixler writes about sexism, and I cringe at having seen all of these behaviors, and not speaking out.

Drawing attention to pregnancy, making sexualizing comments about “disrobing,” suggesting that a clergywoman should smile more, describing a female pastor’s voice as “shrill” — all expose the discomfort that men feel about women in “their” profession.

Masculine assumptions about gender were evident in the young clergywomen’s proposed commandments:

Thou shalt invite me into budget and financial conversations instead of assuming I won’t be interested.

Thou shalt not ask or expect me to take notes in a meeting, make copies or serve coffee.

Thou shalt not assume, based on my sex, that I’m better at working with children, youth or women than you are.

Thou shalt not call me “Sweetie,” “Kiddo” or “Girl.”

More than just ridiculous humiliations, these stereotypes affect the ministries and careers of women in church leadership. One colleague discovered that a pastor search committee was told that for the salary they were offering, they should expect only women to be willing to serve. The committee was livid — not at the pay gap but at the idea that they would have to consider only women.

We must do better

Pastor Florer-Bixler offers some suggestions for making systemic improvements in how we — male clergy, lay leaders, everyone — work with female clergy. The way forward will unquestionably be slow, but we must do what we can to be part of the solution, and not part of the problem.

Men have all-male theological traditions and ministerial roles to which they can retreat. Not so female pastors.

If a woman stands up to this patriarchal tradition, she faces the accusation of intolerance. Women should not be expected to “get along” with sexist individuals, theologies, practices and institutions as if this were a price to be paid for church unity.

What is the way forward? For one, men must do better. When male pastors co-opt ideas that have come from female colleagues, they must reassign the insights. When they learn of pay gaps, they must address them.

When female clergy are outtalked or overtalked, male pastors must name the imbalance. They must read the sermons, theology and books of women. And decline to purchase books written by men who exclude women from the pulpit.

Women are addressing this as we always have: through constant negotiation between getting the job done and speaking out against what is intolerable. In the meantime, we create spaces where women can begin to speak the truth of our power to one another. For now, this is what we have.

This is what Daffy Duck would describe as “dethpicable.” Absolutely deplorable.

We can now read emails exchanged last year between Don Trump Jr. (the president’s son) and Rob Goldstone, an intermediary with Russia. According to Mr. Trump, who released the emails today, the point of the discussion was the Magnitsky Act, which related to sanctions placed on Russian officials by the U.S. Congress in 2012.

Repealing the act and lifting its sanctions is widely known to be a high priority for the Russian government. The only plausible reason why Russian agents would want to discuss the Magnitsky Act with the Trump campaign, during the election, would be to lobby for repealing the act.

You can read and download the whole email exchange here (released by Mr. Trump). The very earliest messages in the thread had Mr. Goldstone saying, quite explicitly, that the meeting’s purpose was to reveal allegedly incriminating information about Hillary Clinton, for the purpose of helping Donald Trump’s campaign. And, “This is obviously very high level and sensitive information but is part of Russia and its government’s support for Mr. Trump.”

Don Trump Jr. did not push back on or question Mr. Goldstone’s assertion that the Russian government was actively seeking to help his father. In fact, he said, “… if it’s what you say I love it.”

Meanwhile, President Donald Trump continues to insist that any connection between his campaign and the Russian government is “fake news.” Despicable.

General Erich Ludendorff, one of the top German generals during World War I, was a prominent character in the recent “Wonder Woman” movie. In the movie, General Ludendorff was killed by Diana Prince. In reality, the general survived the war, helped Adolf Hitler with his “Beer Hall Putsch,” ran for president of Germany in 1925, fell out of favor, and died in 1937.

I have a “2 degrees of separation” link to the general. My father-in-law, Joe, served in the Royal Navy during World War II. Quoting from Joe’s memoir, he wrote about early 1945:

… I joined a sloop HMS “Alacrity” at Dumbarton, where she was built at Denny’s yard. A Sloop was a small anti-submarine convoy escort vessel. We did our running-in trials in the Scottish Western Isles. At Mull, there were about 6 or 7 ships and we had an intership walking race, 10 miles, from Tobermory to Salen. I came in second, wearing out a pair of boots in the process. We were taken back to Tobermory in the yacht “Philante”, which had once belonged to a German general (von Ludendorff, I think). In the Atlantic we made contact with a U-Boat (U 764) and depth-charged it until it came to the surface. With our guns trained on it, we escorted it up to Loch Eriboll in the North of Scotland.

There’s my two degrees: Alan -> Joe -> Ludendorff’s yacht -> Ludendorff.

About that unterseeboot

According to Wikipedia,

U-764 surrendered on 14 May 1945 at Loch Eriboll, Scotland. She was sunk as a target in position 56°06′N 09°00′W as part of Operation Deadlight on 2 February 1946.

Here’s my father-in-law’s picture of U-764:


MacKenzie Brown has nailed the problem — and has good ideas for the solution. As she points out in her three part blog series, “The Unicorn Extinction” (links in a moment):

  • Overall, [only] 25% of women hold occupations in technology alone.
  • Women’s Society of Cyberjutsu (WSC), a nonprofit for empowering women in cybersecurity, states that females make up 11% of the cybersecurity workforce while (ISC)2, a non-profit specializing in education and certification, reports a whopping estimation of 10%.
  • Lastly, put those current numbers against the 1 million employment opportunities predicted for 2017, with a global demand of up to 6 million by 2019.

While many would decry the systemic sexism and misogyny in cybersecurity, Ms. Brown sees opportunity:

…the cybersecurity industry, a market predicted to have global expenditure exceeding $1 trillion between now and 2021(4), will have plenty of demand for not only information security professionals. How can we proceed to find solutions and a fixed approach towards resolving this gender gap and optimizing this employment fluctuation? Well, we promote unicorn extinction.

The problem of a lack of technically developed and specifically qualified women in Cybersecurity is not unique to this industry alone; however the proliferation of women in tangential roles associated with our industry shows that there is a barrier to entry, whatever that barrier may be. In the next part of this series we will examine the ideas and conclusions of senior leadership and technical women in the industry in order to gain a woman’s point of view.

She continues to write about analyzing the problem from a woman’s point of view:

Innovating solutions to improve this scarcity of female representation, requires breaking “the first rule about Fight Club; don’t talk about Fight Club!” The “Unicorn Law”, this anecdote, survives by the circling routine of the “few women in Cybersecurity” invoking a conversation about the “few women in Cybersecurity” on an informal basis. Yet, driving the topic continuously and identifying the values will ensure more involvement from the entirety of the Cybersecurity community. Most importantly, the executive members of Fortune 500 companies who apply a hiring strategy which includes diversity, can begin to fill those empty chairs with passionate professionals ready to impact the future of cyber.

Within any tale of triumph, obstacles are inevitable. Therefore, a comparative analysis of successful women may be the key to balancing employment supply and demand. I had the pleasure of interviewing a group of women; all successful, eclectic in roles, backgrounds of technical proficiency, and amongst the same wavelength of empowerment. These interviews identified commonalities and distinct perspectives on the current gender gap within the technical community.

What’s the Unicorn thing?

Ms. Brown writes,

During hours of research and writing, I kept coming across a peculiar yet comically exact tokenism deemed, The Unicorn Law. I had heard this in my industry before, attributed to me, “unicorn,” which is described (even in the cybersecurity industry) as: a woman-in-tech, eventually noticed for their rarity and the assemblage toward other females within the industry. In technology and cybersecurity, this is a leading observation many come across based upon the current metrics. When applied to the predicted demand of employment openings for years to come, we can see an enormous opportunity for women.

Where’s the opportunity?

She concludes,

There may be a notable gender gap within cybersecurity, but there also lies great opportunity as well. Organizations can help narrow the gap, but there is also tremendous opportunity in women helping each other as well.

Some things that companies can do to help, include:

  • Providing continuous education, empowering and encouraging women to acquire new skill through additional training and certifications.
  • Using this development training to promote from within.
  • Reaching out to communities to encourage young women from junior to high school levels to consider cyber security as a career.
  • Seek out women candidates for jobs, both independently and utilizing outsourcing recruitment if need be.
  • At events, refusing to field all male panels.
  • And most importantly, encourage the discussion about the benefits of a diverse team.

If you care about the subject of gender opportunity in cybersecurity, I urge you to read these three essays.

The Unicorn Extinction Series: An Introspective Analysis of Women in Cybersecurity, Part 1

The Unicorn Extinction Series: An Introspective Analysis of Women in Cybersecurity, Part 2

The Unicorn Extinction Series: An Introspective Analysis of Women in Cybersecurity, Part 3

Did they tell their customers that data was stolen? No, not right away. When AA — a large automobile club and insurer in the United Kingdom — was hacked in April, the company was completely mum for months, in part because it didn’t believe the stolen data was sensitive. AA’s customers only learned about it when information about the breach was publicly disclosed in late June.

There are no global laws that require companies to disclose information about data thefts to customers. There are similarly no global laws that require companies to disclose defects in their software or hardware products, including those that might introduce security vulnerabilities.

It’s obvious why companies wouldn’t want to disclose problems with their products (such as bugs or vulnerabilities) or with their back-end operations (such as system breaches or data exfiltration). If customers think you’re insecure, they’ll leave. If investors think you’re insecure, they’ll leave. If competitors think you’re insecure, they’ll pounce on it. And if lawyers or regulators think you’re insecure, they might file lawsuits.

No matter how you slice it, disclosures about problems are not good for business. Far better to share information about new products, exciting features, customer wins, market share increases, additional platforms, and pricing promotions.

It’s Not Always Hidden

That’s not to say that all companies hide bad news. Microsoft, for example, is considered very proactive about disclosing flaws in its products and platforms, including those that affect security. In March 2017, Microsoft issued a security bulletin for the Server Message Block (SMB) flaw that WannaCry and Petya would later exploit; the bulletin explained the problem and supplied the necessary patches. Customers who read the bulletin and applied the patches were not exposed to that SMB exploit. The outbreaks in May and June hit the systems that hadn’t been patched.

When you get outside the domain of large software companies, such disclosures are rare. Automobile manufacturers do share information about vehicle defects with regulators, as per national laws, but resist recalls because of the expense and bad publicity. Beyond that, companies share information about problems with products, services, and operations unwillingly – and with delays.

In the AA case, as SC Magazine wrote,

The leaky database was first discovered by the AA on April 22 and fixed by April 25. In the time that it had been exposed, it had reportedly been accessed by several unauthorised parties. An investigation by the AA deemed the leaky data to be not sensitive, meaning that the organisation did not feel it necessary to tell customers.

Yet the exposed data ran to over 13 gigabytes, covering about 100,000 customers. Not sensitive? The stolen information included names, email addresses, IP addresses, and credit card details. That data seems sensitive to me!

Everything Will Change Under GDPR

The European Union’s new General Data Protection Regulation (GDPR) goes into effect in May 2018. For the first time, GDPR will require companies to tell regulators, and in some cases the affected customers, about data breaches in a timely manner. As the U.K. Information Commissioner’s Office explains,

The GDPR will introduce a duty on all organisations to report certain types of data breach to the relevant supervisory authority, and in some cases to the individuals affected.

What is a personal data breach?

A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data.

Example

A hospital could be responsible for a personal data breach if a patient’s health record is inappropriately accessed due to a lack of appropriate internal controls.

When do individuals have to be notified?

Where a breach is likely to result in a high risk to the rights and freedoms of individuals, you must notify those concerned directly.

A ‘high risk’ means the threshold for notifying individuals is higher than for notifying the relevant supervisory authority.

What information must a breach notification contain?

  • The nature of the personal data breach including, where possible:
      • the categories and approximate number of individuals concerned; and
      • the categories and approximate number of personal data records concerned;
  • The name and contact details of the data protection officer (if your organisation has one) or other contact point where more information can be obtained;
  • A description of the likely consequences of the personal data breach; and
  • A description of the measures taken, or proposed to be taken, to deal with the personal data breach and, where appropriate, of the measures taken to mitigate any possible adverse effects.

The ICO adds,

If the breach is sufficiently serious to warrant notification to the public, the organisation responsible must do so without undue delay. Failing to notify a breach when required to do so can result in a significant fine up to 10 million Euros or 2 per cent of your global turnover.

Bottom line: Starting next year, companies that handle E.U. residents’ personal data must do better at disclosing breaches that affect those customers. Let’s hope this practice spreads to more of the world.

This is an amusing spam scam, if only because it’s so poorly written. Mr. Andrew McCabe, the Acting Director of the FBI, is certainly not behind this scam. Also, the FBI doesn’t send emails using Cyber Internet Services Private Ltd. in Pakistan, or refer people to Nigerian banks, or pay people via ATM card.

If you receive messages like this, don’t respond — simply delete them.

From: Andrew McCabe [email address hidden]
Subject: RE: Urgent, Respond
Date: July 8, 2017 at 3:52:34 PM MST
Reply-To: [email address hidden]

Attn: Sir/Madam.

We the Federal Bureau Of Investigation (FBI Honolulu) United States Of America have discovered through our intelligent monitoring network that you have a transaction going on as either inheritance payment,Lottery or contract payment in a tone of Millions of United States Dollars which have been approved but have not been settled. 

This is to officially inform you that we have verified your contract /inheritance file after close monitoring and found out why you have not received your payment,both on your part and on the part of your debtors. 

Secondly, we have been informed that you are still dealing with the non officials in the bank who are attempting to secure the release of your fund to you. We wish to advise you that this is illegal and you should stop further communication with them forthwith because such an illegal act like this can lead to cancellation of your fund. 

we have been having so many complains from people who have been scammed around the world hence, after concluding in a meeting with members of the International Monetary Fund (IMF), we came to a conclusion that every payment will be made through the SKYE BANK OF NIGERIA (SKYEBANK). We also concluded on the use of ELECTRONIC ATM PAYMENT SYSTEM as the only direct means to pay all beneficiaries. 

By this method, your funds will be loaded in TWO BATCHES into an ATM card,and sent to you, from this card you can withdraw a maximum of us$5,000 per day from any ATM machine worldwide, BUT from the financial houses there is no limit. 

So if you would like to receive your funds in this way please send your following information to the paying bank. 

1)Your Full Name:……..
2)Your Complete Address (Physical Address with Zip Code not P.O.BOX) :……
3)Name of City of Residence:………
4)Country:…………
5)Direct Telephone Number:………
6)Mobile Number:………
7)Fax Number:…………
8)Age:……………….
9)Sex:……………….
10)Occupation:………..
11)Working Identity Card/Int’l Passport:…..

Below are the contact details of the PAYING BANK(SKYE BANK OF NIGERIA PLC.) in the Federal Republic Of Nigeria to whom you will send your information for the processing of the ATM card as soon as possible:

Contact the Bank right now with this information below

CONTACT PERSON: Mr.Timothy Oguntayo,
HEAD OF OPERATIONS,ATM CARD PAYMENT SYSTEM
DEBT SETTLEMENT COMMISSION, SKYE BANK OF NIGERIA.
EMAIL: [email address hidden]

The DEBT SETTLEMENT COMMISSION has been mandated to issue out your payment through Skye Bank (Authorized Bank). For your information, you have to stop any further communication with any other person(s) or office(s) who claim that to be established agents using it to defraud innocent people worldwide.This is to avoid any hitches in receiving your payment.

THANKS FOR LISTENING TO OUR ADVISED.

Faithfully Yours,

Andrew G. McCabe
FBI Director
FBI HEADQUARTERS IN WASHINGTON D.C.,
FEDERAL BUREAU OF INVESTIGATION
J. EDGAR HOOVER BUILDING
935 PENNSYLVANIA AVENUE, NW WASHINGTON, D.C. 20535-0001
ANTI-TERRORIST AND MONITORY CRIMES DIVISION
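
As an added example, not from the original post: the heuristic below turns the tells called out above (a Reply-To that doesn’t match the visible sender, an agency claimed in the body that doesn’t match the sending domain, payout via ATM card, a Nigerian bank, and a request for personal and identity details) into a scorer that runs over a raw message. The headers and the abridged body are constructed for this example, since the post does not reproduce the message’s raw headers; the example-*.test domains, the Reply-To address, and the cut-off of three indicators are assumptions.

```python
import email
import email.utils
import re
from email import policy

# Constructed sample headers and an abridged body (not the raw message the
# post received, whose headers it does not reproduce). The free-mail style
# domains and the Reply-To address are assumptions for illustration.
SAMPLE_RAW = """\
From: Andrew McCabe <director.mccabe@example-freemail.test>
Reply-To: fbi.payment.unit@example-webmail.test
Subject: RE: Urgent, Respond
Date: Sat, 08 Jul 2017 15:52:34 -0700

Attn: Sir/Madam.
We the Federal Bureau Of Investigation (FBI Honolulu) have discovered that
you have a transaction going on as either inheritance payment, Lottery or
contract payment which have been approved but have not been settled.
Every payment will be made through the SKYE BANK OF NIGERIA. Your funds will
be loaded in TWO BATCHES into an ATM card and sent to you.
1)Your Full Name: 2)Your Complete Address: 5)Direct Telephone Number:
11)Working Identity Card/Int'l Passport:
"""

# Constructed benign message for contrast.
BENIGN_RAW = """\
From: Pat Lee <pat@example-corp.test>
Subject: Lunch Thursday?
Date: Mon, 10 Jul 2017 09:15:00 -0700

Are you free for lunch on Thursday? Reply when you get a chance.
"""

# Organisations the scam claims to speak for, mapped to the domain genuine
# mail from them would come from. fbi.gov is the only one the post relies on.
CLAIMED_ORGS = {
    "federal bureau of investigation": "fbi.gov",
    "fbi": "fbi.gov",
}

# Advance-fee-fraud tells the post calls out, as case-insensitive patterns
# (the text is lowercased before matching).
INDICATOR_PATTERNS = {
    "payout_by_atm_card": r"\batm card\b",
    "nigerian_bank_payout": r"\bbank of nigeria\b",
    "inheritance_or_lottery": r"\b(inheritance|lottery)\b",
    "asks_for_identity_documents": r"\b(passport|identity card)\b",
    "asks_for_personal_details": r"\b(full name|telephone number|complete address)\b",
    "urgency": r"\burgent\b",
}


def domain_of(header_value):
    """Lowercase domain of the first address in a header, or '' if none."""
    _, address = email.utils.parseaddr(str(header_value or ""))
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def score_message(raw):
    """Parse a raw RFC 822 message and return the fraud indicators it trips."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    subject = str(msg["Subject"] or "").lower()
    from_header = str(msg["From"] or "").lower()
    from_domain = domain_of(msg["From"])
    reply_domain = domain_of(msg["Reply-To"])

    findings = []
    # Replies silently routed to a different mailbox than the visible sender.
    if reply_domain and reply_domain != from_domain:
        findings.append("reply_to_domain_differs_from_from")
    # Claims an organisation, but the sending domain is not that organisation's.
    for org, real_domain in CLAIMED_ORGS.items():
        if org in text or org in from_header:
            if from_domain != real_domain and not from_domain.endswith("." + real_domain):
                findings.append("claims_org_but_sender_not_" + real_domain)
            break
    # Content tells, checked against both subject and body.
    for label, pattern in INDICATOR_PATTERNS.items():
        if re.search(pattern, text) or re.search(pattern, subject):
            findings.append(label)
    return {"from_domain": from_domain, "reply_to_domain": reply_domain,
            "findings": findings, "score": len(findings)}


def is_probable_scam(raw, threshold=3):
    """True when the message trips at least `threshold` indicators (assumed cut-off)."""
    return score_message(raw)["score"] >= threshold


if __name__ == "__main__":
    for name, raw in (("sample scam", SAMPLE_RAW), ("benign", BENIGN_RAW)):
        result = score_message(raw)
        print(name, result["score"], result["findings"])
```

The header checks carry more weight than the keyword list: a Reply-To that points somewhere other than the From address, and a sender domain that doesn’t belong to the agency the body invokes, are structural tells that survive a rewrite of the wording. The keyword patterns are the easy part and should be tuned to the fraud themes you actually see.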

It’s almost painful to see an issue of SD Times without my name printed in the masthead. From Editor-in-Chief to Editorial Director to Founding Editor to… nothing. However, it’s all good!

My company, BZ Media, is selling our flagship print publication, SD Times, to a startup, D2 Emerge LLC. The deal will formally close in a few weeks. If you’ve been following SD Times, you’ll recognize the two principals of the startup, David Lyman and David Rubinstein. (Thus, the “D2” part of the name.)

BZ Media co-founder Ted Bahr and I wish David, and David, and SD Times, and its staff, readers, and advertisers, nothing but success. (I retired from BZ Media mid-2013, becoming a silent partner with no involvement in day-to-day operations.)

D2 Emerge is ready to roll. Here’s what David Rubinstein wrote in the July 2017 issue (download it here):

The Times, it is a-changin’

There’s a saying that goes ‘when one chapter closes, another one begins.’

This issue of SD Times marks the close of the BZ Media chapter of this publication’s history and opens the chapter on D2 Emerge LLC, a new-age publishing and marketing company founded by two long-time members of the SD Times team: the publisher, David Lyman, and the editor-in-chief … me!

We will work hard to maintain the quality of SD Times and build on the solid foundation that has been built over the past 17 years. Wherever we go, we hear from readers who tell us they look forward to each issue, and they say they’re learning about things they didn’t know they needed to know. And we’re proud of that.

The accolades are certainly nice — and always welcome. Yet, there is nothing more important to us than the stories we tell. Whether putting a spotlight on new trends in the industry and analyzing what they mean, profiling the amazing, brilliant people behind the innovation in our industry, or helping software providers tell their unique stories to the industry, our mission is to inform, enlighten and even entertain.

But, as much as things will stay the same, there will be some changes. We will look to introduce you to different voices and perspectives from the industry, inviting subject matter experts to share their knowledge and vision of changes in our industry. The exchange of ideas and free flow of information are the bedrock of our publishing philosophy.

We will somewhat broaden the scope of our coverage to include topics that might once have been thought of as ancillary to software development but are now important areas for you to follow as silos explode and walls come tumbling down in IT shops around the world.

We will work to improve our already excellent digital offerings by bettering the user experience and the way in which we deliver content to you. So, whether you’re reading SD Times on a desktop at work, or on a tablet at a coffee shop, or even on your cellphone at the beach, we want you to have the same wonderful experience.

For our advertisers, we will help guide you toward the best way to reach our readers, whether through white papers, webinars, or strategic ad placement across our platforms. And, we will look to add to an already robust list of services we can provide to help you tailor your messages in a way that best suits our readers.

BZ Media was a traditional publishing company, with a print-first attitude (only because there weren’t any viable digital platforms back in 2000). D2 Emerge offers an opportunity to strike the right balance between a digital-first posture and all that is good about print publishing.

I would be remiss if I didn’t acknowledge BZ Media founders Ted Bahr and Alan Zeichick, who took a cynical, grizzled daily newspaperman and turned him into a cynical, grizzled technology editor. But as I often say, covering this space is never dull. Years ago, I covered sports for a few newspapers, and after a while, I saw that I had basically seen every outcome there was: A walk-off home run, a last-second touchdown, a five-goal hockey game. The only thing that seemed to change were the players. Sure, once in a while a once-in-a-lifetime player comes along, and we all enjoy his feats. But mostly sports do not change.

Technology, on the other hand, changes at breakneck speed. As we worked to acquire SD Times, I had a chance to look back at the first issues we published, and realized just how far we’ve come. Who could have known in 2000, when we were writing about messaging middleware and Enterprise JavaBeans that one day we’d be writing about microservices architectures and augmented reality?

Back then, we covered companies such as Sun Microsystems, Metrowerks, IONA, Rational Software, BEA Systems, Allaire Corp, Bluestone Software and many more that were either acquired or couldn’t keep up with changes in the industry.

The big news at the JavaOne conference in 2000 was extreme clustering of multiple JVMs on a single server, while elsewhere, the creation of an XML Signature specification looked to unify authentication, and Corel Corp. was looking for cash to stay alive after a proposed merger with Borland Corp. (then Inprise) fell apart.

So now, we’re excited to begin the next chapter in the storied (pardon the pun) history of SD Times, and we’re glad you’re coming along with us as OUR story unfolds.

Here are a few excerpts from one of the most important articles on leadership ever published. “Management Time: Who’s Got the Monkey?,” from Harvard Business Review in 1974, applies equally to the business and non-profit worlds.

The premise of the article, by William Oncken Jr. and Donald L. Wass, is that leaders too often take over responsibility for tasks that should be owned by their employees or volunteers. The authors refer to this as “subordinate-imposed time.” This not only harms the organization, but overloads the leaders. The manager’s objective should be to guide, to mentor, to advise, to set objectives, to define success, to help secure resources – but not take on the work!

What’s essential to remember is that the task — the monkey — can only be on one person’s back at a time. Should it be on yours? (Or as I put it when doing management training, should the ball be in your court, or in someone else’s court?)

Excerpt 1: A common scenario

Let us imagine that a manager is walking down the hall and that he notices one of his subordinates, Jones, coming his way. When the two meet, Jones greets the manager with, “Good morning. By the way, we’ve got a problem. You see….” As Jones continues, the manager recognizes in this problem the two characteristics common to all the problems his subordinates gratuitously bring to his attention. Namely, the manager knows (a) enough to get involved, but (b) not enough to make the on-the-spot decision expected of him. Eventually, the manager says, “So glad you brought this up. I’m in a rush right now. Meanwhile, let me think about it, and I’ll let you know.” Then he and Jones part company.

Let us analyze what just happened. Before the two of them met, on whose back was the “monkey”? The subordinate’s. After they parted, on whose back was it? The manager’s. Subordinate-imposed time begins the moment a monkey successfully leaps from the back of a subordinate to the back of his or her superior and does not end until the monkey is returned to its proper owner for care and feeding. In accepting the monkey, the manager has voluntarily assumed a position subordinate to his subordinate. That is, he has allowed Jones to make him her subordinate by doing two things a subordinate is generally expected to do for a boss—the manager has accepted a responsibility from his subordinate, and the manager has promised her a progress report.

The subordinate, to make sure the manager does not miss this point, will later stick her head in the manager’s office and cheerily query, “How’s it coming?” (This is called supervision.)

Excerpt 2: Who owns the initiative?

What we have been driving at in this monkey-on-the-back analogy is that managers can transfer initiative back to their subordinates and keep it there. We have tried to highlight a truism as obvious as it is subtle: namely, before developing initiative in subordinates, the manager must see to it that they have the initiative. Once the manager takes it back, he will no longer have it and he can kiss his discretionary time good-bye. It will all revert to subordinate-imposed time.

It’s not a long article. Read it!

“The wheels on the Prius go flop flop flop….”

Sunday’s travels in our trusty 2005 Toyota Prius were marred only by a flat tire. I wish to share two hard-earned bits of wisdom with other Prius owners, and potentially with owners of other front-wheel drive vehicles.

1. Don’t trust the included tire-changing jack.

The crappy screw jack included with the Prius is useless. Literally. With the car on level ground, and with the parking brake set, the jack quickly tilted — and the car fell off the jack. Yes, the jack was set at the correct lift point. On a second attempt, the car would have fallen again if we hadn’t let it down quickly. In any case, the jack was extremely difficult to turn.

Fortunately, someone gave us a ride to an auto-parts store, where we purchased an inexpensive hydraulic floor jack. That made quick work of the task, and the new jack will live in back of the car from now on. If you have a flimsy screw jack with your car, you may wish to upgrade to something more solid.

2. Don’t put compact spares onto the front.

The flat was the front driver corner. Once the car was jacked up, it only took a few minutes to mount the compact donut spare. However, the car simply wouldn’t drive properly — the vehicle not only pulled to the left, but there were error lights flashing on the screen. Even with the pedal to the metal, the vehicle wouldn’t go over 30 mph, slowing to 15 mph going uphill. Uh oh!

Thinking the problem through, we realized that the donut was throwing off the traction control system (which can’t be switched off with that model year). So we pulled over, swapped the donut to the rear, and put the rear’s full-size wheel/tire on front. (Thank you, hydraulic jack!) The car immediately drove correctly, plenty of pep, no pulling, and no error lights. The lesson: On front-wheel drive cars, always put the donut on the rear, even if that makes the wheel-changing process a bit more complicated.

Note: There is nothing written about optimal placement of the compact spare in the car’s owners manual. So consider yourself advised on both fronts.

The good news is that we made it home just fine. The bad news is the tire has a cracked sidewall. Time to go tire shopping!