Blockchain as Defender of the Truth

Scary times with Facebook and Cambridge Analytica in the crosshairs for leveraging “private” information about users.  Other people are freaking out at the amount of data Google has been collecting every time you use an Android phone.  I’m sure Apple is doing the same.

One more negative and then I’ll turn this positive.  Have you seen what AR (Augmented Reality) is doing for our ability to do real-time video editing?  Check out futureoffakenews.com.  This is morphing technology where two things are happening simultaneously.  First, an actor is delivering a speech and his mouth is being superimposed on the mouth of somebody famous.  Second, the actor’s words are being transcoded into the voice and inflection of the famous person.  The complete effect is a little off, but I’m sure the technology will get better every year.  At some point in the not too distant future, we will be able to create fake broadcasts of speeches being delivered in realtime.  One news network will be able to change — in realtime — what their favorite (or least favorite) politician is saying.  What and who do you believe at that point?

Take this down a level to the average citizen.  How do we defend ourselves against:

  • a disgruntled employee creating a fake video of his boss saying something awful,
  • a sexual harassment allegation backed up by fake propositions (or fake consent?),
  • a crooked local sheriff who creates videos of tourists speeding through their town.

One solution might be taking personal control over your already lost privacy.  How about we start encoding all our location data on a blockchain (so it can’t be altered).  If personal location and activity data was captured by each person’s phone and blockchain encoded, then I’d be able to prove I wasn’t at that hotel bar where I supposedly propositioned my female colleague.

How about all surveillance video being blockchain encoded so it can’t be altered?  Build the blockchain algorithms into the ASIC that does the compression.  We need some way to ensure that our digital records are real, and a blockchain might be just the ticket.
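The tamper-evidence idea above, reduced to its core mechanism, as an added example that is not part of the original post: each location record is hashed together with the hash of the record before it, so changing any earlier record breaks every link after it. The sample records, field names and the plain SHA-256 hash chain are assumptions for illustration; a real ledger adds signing and distribution on top of this.

```python
import hashlib
import json

def record_hash(prev_hash: str, record: dict) -> str:
    """Hash of a record bound to the hash of the record before it."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()

def append(chain: list, record: dict) -> dict:
    """Append a record, chaining it to the current tip (or a zero hash)."""
    prev_hash = chain[-1]["hash"] if chain else "0" * 64
    entry = {"record": dict(record), "prev_hash": prev_hash}
    entry["hash"] = record_hash(prev_hash, entry["record"])
    chain.append(entry)
    return entry

def verify(chain: list):
    """Return (ok, index_of_first_bad_entry). Recomputes every link."""
    prev_hash = "0" * 64
    for i, entry in enumerate(chain):
        if entry["prev_hash"] != prev_hash:
            return False, i
        if record_hash(prev_hash, entry["record"]) != entry["hash"]:
            return False, i
        prev_hash = entry["hash"]
    return True, None

# Constructed sample: three location fixes from a phone (not real data).
SAMPLE = [
    {"ts": "2018-03-20T18:05:00Z", "lat": 41.8789, "lon": -87.6359, "src": "gps"},
    {"ts": "2018-03-20T18:35:00Z", "lat": 41.8827, "lon": -87.6233, "src": "gps"},
    {"ts": "2018-03-20T19:10:00Z", "lat": 41.8902, "lon": -87.6210, "src": "wifi"},
]

def build_chain(records=SAMPLE) -> list:
    chain = []
    for r in records:
        append(chain, r)
    return chain

def tamper_demo() -> tuple:
    """Alter one record after the fact; verification must flag that index."""
    chain = build_chain()
    chain[1]["record"]["lat"] = 41.7000   # "move" the second fix after the fact
    return verify(chain)

if __name__ == "__main__":
    print("intact:", verify(build_chain()))   # (True, None)
    print("altered:", tamper_demo())          # (False, 1)
```

A chain held only by its owner can be regenerated wholesale, so the tamper evidence only holds once each tip hash is anchored somewhere the owner cannot rewrite (a public ledger, a timestamping service, or a counterparty).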

The way we defend the truth might be to memorialize the truth in ways that can be verified as genuine.  That means we need to be OK with the truth, the whole truth, and nothing but the truth being discoverable by both our friends and our foes.  How does that sit with you?


Switch to SSL

There are no excuses left.  Every website should be using SSL.  I spent a few hours this weekend and got McVicker Group, McVickerNet, and CodexVT all using an SSL for Free cert.

Not that I do anything super high security on these sites, but it makes me feel better to have an extra layer of identification on my web properties.

Once you have the cert installed, the easiest way to force all your traffic to SSL is by adding the following .htaccess code.

# Enable mod_rewrite for this directory
RewriteEngine On
# Only act on requests that did not arrive over TLS
RewriteCond %{HTTPS} off
# Permanently (301) redirect to the same path on https://
RewriteRule ^(.*)$ https://yourdomain.com/$1 [R=301,L]

Remember to back up your .htaccess file before making changes, and swap out “yourdomain.com” in the last line.

If you are running WordPress, you will probably need to update internal links too.  I used a great plugin, SSL Insecure Content Fixer, and let it fix all content and scripts.

New Verizon Cybercrime Report

Verizon Enterprise does an annual data breach analysis and it is pretty much a gold standard for information and trends in cybercrime.  This year’s report is chock full of easy-to-digest charts and good information.

I recommend everyone who cares about privacy and data security download and read at least the executive summary.

Most interesting statistics to me were:

  • 61% of breaches involved companies with fewer than 1000 employees
  • 81% of hacking breaches involved weak or stolen passwords

Combining those two findings really makes the case that every company should require two-factor authentication.

Mobile Work and InfoSec

Here is a great blog post from Malwarebytes about how mobile workers are challenging from an InfoSec perspective. My clients all want to take advantage of anytime – anywhere computing, but it is difficult to maintain security while providing this type of access.

How to secure your remote workers

At the end of the post, there is a list of 8 important elements for protecting mobile workers. I agree with all of them, #8 being less important if you do a good job with #1-#7.


Never Hurts to Ask

Yesterday I blogged about my concerns with a free Google Apps extension that required the very scary googleapis.com/auth/drive permission. When you give a Google Apps extension this permission, it can read, write, or delete any documents you have access to in Google Drive.

I inquired why the extension needed so much authorization, and the developer replied quickly. He agreed! The permission was only required for a specific feature that didn’t seem super important for the free version.  So he removed the feature and permission requirement. In less than 24 hours!

Three take-aways for me:

  1. Use your brain when giving an app or website permission to access your information in the cloud. Why do they need the authorization they are requesting? This is particularly true when using Facebook or Google+ to login to other sites.
  2. Push back, you never know when you’ll find somebody reasonable on the other end. Or maybe you will learn more about why the authorization is necessary.
  3. Definitely try ProjectSheet Planning from forScale and support reasonable developers who understand cloud security concerns.

Now I’m happy and can whitelist the extension for my company to use.

Salesforce Makes Sense

I’ve been working with Salesforce.com since 2005 and I’ve made a few eyebrow raising comparisons over the years…

Salesforce is like Microsoft Access on the web. It lets IT Admins create applications that scale.

or

Salesforce is the least powerful, most expensive on-demand platform in the world.

Here is the crazy part. I meant it all as a compliment! Salesforce figured out early on that regular business people, not software engineers, are the ones who know their business best.  Giving non-developers the ability to customize or even create applications is worth a lot to a profitable company.  Hence Salesforce costs more in every dimension (per user, per GB, etc.) than other platforms.

Wait, not every dimension. I’m betting that total cost of ownership (TCO) is lower on most Salesforce.com apps. If you’ve got a problem that fits the Salesforce UI paradigm, then it definitely saves money over Amazon or Google App Engine.

The most recent example is Salesforce rolling out Lightning (Aura framework) capabilities with a super secure container configuration called LockerService. This is great news because it prevents less skilled developers from accidentally creating security holes.

So when comparing TCO for on-demand platforms, make sure you are taking into account security, implementation, and support costs. You’ll be surprised how cost effective Access for the Web can be.

Anti-Ransomware Advice

Here is a really good list of steps to help keep you safe from ransomware. The article is long, but stick with it and read all the headings – there are some good ideas you can easily implement. There are also some suggestions that are hard to stomach, but knowledge is power.

The Anti-Ransomware Protection Plan You Need to Follow Today

Personally, I use Time Capsule (network backup solution) for my Mac and it is a bummer to think that ransomware could find this network device and encrypt my backups too. I’ve taken to making a monthly snapshot on a USB drive for worst case recovery.

FDIC disabling removable storage

The US FDIC has recently come under fire for a series of insider data leakages. Getting hacked by your own employees is the elephant in the room for every organization. We harden our organizations from outside attacks, but insiders need efficient access to data in order to do their jobs.

FDIC to Enhance Cyber Security after Insider Attacks

One of the big changes happening at FDIC is disabling removable storage like USB keys and drives. I’ll be curious to see how this works from both an efficiency and effectiveness standpoint.

In most of my dealings (with smaller companies), the thought of clamping down on removable media is impractical.  Anyone who has millennials in their workforce knows that restrictive technology policies are anathema to these energetic workers. Check out this excerpt from Fortune magazine.

The companies that top Great Place to Work’s first-ever ranking of the 100 Best Workplaces for Millennials stand out for their ability to engage this generation, recognize their talents and give them a significant role where they can make a difference. At these companies, pay, profit sharing, and promotion decisions are executed fairly; everyone gets a shot at special recognition; and workers have a say in decisions that affect them. These workplaces exhibit strong, open, two-way communication; a high tolerance for risk-taking; high levels of cooperation and support among employees; and reduced roadblocks to innovation, such as internal politics.

The best solutions I’ve found for insider threats are training and strong corporate culture. Make sure your employees know the policies and that your culture promotes the benefits of protecting all that information they are entrusted to access.  Protecting your organization from insider leaks with technology is super difficult — and it won’t prevent a determined insider from getting data out.

Most Exploited Bugs

A new major study conducted by Hewlett Packard Enterprise has some really good information. Get your copy here:

http://techbeacon.com/resources/2016-cyber-risk-report-hpe-security

My favorite finding from ReversingLabs is that the most exploited bug in 2015 was the same as in 2014 — it was discovered in 2011 and patched in 2012 and again in 2015. CVE-2010-2568 is an old Windows shell bug with .pif files.  Patch this now!

Not sure exactly what it says about ReversingLabs’ clients that they have all this data and yet can’t deploy this patch.


Father of Bitcoin?

Australian Chris Wright has claimed to be Satoshi Nakamoto — the creator of Bitcoin. If true, this puts an end to one of the biggest cyber mysteries of the 21st century.

http://www.economist.com/news/briefings/21698061-craig-steven-wright-claims-be-satoshi-nakamoto-bitcoin

The Bitcoin faithful will spend the next year on conspiracy theories, but I’m guessing the Economist and BBC did their homework before publishing.

If Chris Wright is Satoshi, then I’d love to hear his take on Bitcoin being the payment method of choice for illegal activity like ransomware and money laundering.

UPDATE May 24, 2016: The hoax is on.  Or is it?  Check out how Wright is keeping the story alive.  Lots of room for belief and disbelief.

How Craig Wright Privately ‘Proved’ He Created Bitcoin