E-Mail security breaches: A cautionary tale.

This past week, I heard from a business colleague who heads up a firm that operates in the IT sector. It isn’t a large company, but its business is international in scope and its entire employee workforce would certainly be considered tech-savvy.

Nevertheless, the company suffered a serious security breach affecting its e-mail system … and it took nearly one week of investigation, diagnosis and repair to deal with the fallout. Ultimately, the system was secured with everything restored and running again, but it took much longer than  expected.

What had happened was that an unknown attacker obtained the user ID and password for one of the company’s e-mail accounts, and used those credentials to log on to the mail system as the legitimate user. The attacker then changed the contact name on the account to a fake U.S. telephone number – we’ll call it “+1(4XX) 6XX-9XXX” – and launched a program from his/her/its host computer (hosted by Microsoft and located in in a different country than the affected user) which sent out thousands of e-mails having the subject “Missed call from +1(4XX) 6XX-9XXX” and an attachment that looked like a harmless audio file containing a voicemail message.

This type of phishing attack is well-known, and it would be dangerous to open the attachment (no one at the company attempted to do so). The company’s e-mail server eventually blocked the account because it exceeded the maximum outgoing e-mail limit, but strangely enough the administrator was never notified of this fact. The company only discovered the breach after the user called in to complain about receiving thousands of “failed delivery” messages. It took the better part of a full business day just to piece together what was going on, and why.

The attacker also installed a rule on the compromised account which moved all incoming email to an obscure folder. The rule was cleverly disguised, making it easy to overlook and hence more time-consuming to find and remove.

This friend advised that there are a number of “lessons learned” from his company’s experience, which should be considered for implementation by businesses of all sizes everywhere:

1. Implement security policies requiring strong passwords (big, long, hard-to-guess ones) and frequent password changes (once every 90 days or more frequently). In the case of this particular company, its password strength policy was up to snuff but it wasn’t enforcing rotation. That changed immediately after the breach.

2.  Require multi-factor authentication (MFA). This is where a user doesn’t merely enter a password to log on, but also has to enter a one-time code sent via SMS or a smartphone app. It’s inconvenient, but regrettably it’s the world we live in today. In the case of this particular company, it hadn’t been using MFA. They are now.

3.  Be vigilant in reminding users NEVER to click on links or file attachments embedded in received e-mails unless they absolutely trust the sender. Some larger companies have “drills” which broadcast fake phishing emails to their employees. Those who click are identified and sent to “dum-dum school” for remedial training.

Failing that, companies should adopt policies wherein any employee who receives anything via e-mail that looks like particularly clever or tempting phishing, to notify the company about it immediately for investigation.

4.  Discourage users from logging on to their mail accounts from public locations using unencrypted WiFi. It’s easy to sniff WiFi signals and it’s even easier to read the data in unencrypted signals, which appear as plain text. Typically, if the WiFi connection requires a passphrase to be entered in order to connect, then it’s encrypted WiFi. If not … watch out.

5.  Monitor the e-mail server at least once each day to discover any security breaches or threats, since those servers may not always notify administrators automatically. The sooner a problem is discovered, the quicker and easier it will be to contain and kill it.

6.  Require users to archive messages in their Inbox and Sent Items folders regularly.  The moment an attacker is able to access an account, he/she/it can easily retrieve and quickly download all the messages on the server, and those messages could contain confidential or sensitive data. Therefore, taking this action will move those messages to each user’s device and purge them from the central server.

I’m thankful that my friend was willing to share his experience and suggestions for how to avoid a similar breach happening at my own company. Based on the “lessons learned,” we performed an audit of our own procedures and made several adjustments to our protocols as a result – small changes with potentially large consequences.  I suggest you do the same.

The evolution of e-mail.

It’s all about mobility now.

With the proliferation of mobile screens in both the business and personal environments, it was bound to have an impact on the way that people interact with e-communications.

And now we see the extent.  Recently-released stats from e-mail software and analytics company Litmus in its 2019 State of Email report reveal that ~43% of all e-mails are now being opened on mobile devices.

That compares to ~39% being opened in webmail and just ~18% in desktop applications.

How this is playing out is pretty clear.  People are riffling through e-mails on their mobile devices to determine what to keep and what to delete.  They might come back to the saved e-mails on a different (larger) device, but the first cut is most often via mobile.

This sort of “triage” behavior is happening in the workplace as much as in personal communications.  What it means is that the initial impression an e-mail leaves has to be super-effective like never before. The “from” line and the “subject” line have to work harder than ever to draw the attention of the viewer and avoid a quick consignment to the recycle bin.

Only slightly less important are the first one or two sentences of the e-mail content — particularly for those people who choose to have preview options activated.

It’s putting more emphasis than ever on “mere words” rather than photos, other images or eye-catching design. In an ironic twist, we’ve come full circle and are now back to where it all started with messages hundreds of years ago:  words, words and words.

Another interesting consequence is the second look that some marketers are giving to direct mail, which — although clearly more costly than e-communications – does provide far better way to draw attention of a target audience through design and imagery instead of the quick trip to the trash bin.

The Litmus 2019 State of Email report can be downloaded here.

Ruling the roost: Poultry is poised to become the world’s most consumed protein.

This 2015 projection of protein production published by The Wall Street Journal has been upended by the spread of African swine flu; poultry will overtake pork this year instead.

In the United States it seems hardly news that poultry is the most-consumed protein. In recent years poultry consumption in America has grown while beef consumption has stagnated, weighed down by high prices at the consumer level.

At the same time, the National Pork Board committed an unforced error earlier in this decade when it abandoned its longstanding (and doubtless highly effective) tagline “The Other White Meat” in favor of the mealy-mouthed platitude “Pork: Be inspired” – a slogan that convinces no one of anything.

Persistent reports from the medical community that red meat is less healthy than consuming poultry and fish products haven’t helped, either.

But poultry’s prominence in the American market hasn’t necessarily extended to many parts of the rest of the world. But that’s now changing.

In fact, according to reporting from a recently-concluded International Poultry Council meeting in the Netherlands, poultry is poised to become the most consumed meat protein in 2019.

The precipitating factor is African swine fever, which is now affecting pig herds in 15 countries on three continents. Pork production losses this year are expected to represent ~14% of the world’s pork supply – and that’s just the minimum forecast; the losses could go higher.

Interestingly, African swine fever’s most significant initial outbreaks were in Russia and Eastern Europe, but now East Asia is being affected most significantly. The first cases were found in China beginning in August 2018 but now have spread rapidly throughout the country.  For a country that is responsible for nearly half of the world’s supply of pigs, that’s a very big deal.

The swine fever is spreading to the nearby country of Viet Nam as well – which is the world’s fifth largest producer of pork.

The problem for pig growers is that African swine fever is the quintessential death sentence: The disease has a 100% mortality rate, and no vaccine has been developed to guard against its spread.

According to global food and agriculture financing firm Rabobank, China is expected to experience a ~30% drop in pork supplies this year, which in turn will mean a decline in total world protein supplies. The twin results of these development:  an increase in prices for all proteins … and poultry will overtake pork this year as the world’s most consumed protein.

Until such time when an effective vaccine against African swine fever is developed, we can expect that production of other proteins like poultry, eggs, beef and seafood will rise. So, it seems as though poultry’s presence as the world’s most-consumed protein will likely endure.  Poultry’s position as the protein leader may have stemmed from a different impetus in the United States than in the rest of the world, but everyone has ended up in the same place.

Drivers are more worried about distracted drivers than drunk drivers.

But then again, we’re just as guilty.

A recent survey of ~1,800 adult American drivers conducted by Wakefield Research has found that the top safety concern they have is distracted drivers on the road – a factor cited by ~70% of the respondents.

This far outstrips concerns about people driving under the influence of alcohol or other stimulants – a concern that was cited by just ~45% of the respondents.

But in a classic example of “do as I say, not as I do,” a clear majority of the survey respondents (~58%) reported that they check their own mobile devices when driving.  Perhaps we believe that our own skills are far above those of the average driver …

This squares with the findings another survey conducted recently by analytics firm Zendrive. That research found that 85% of drivers feel that distracted driving is a problem.  Despite those concerns, nearly half of the Zendrive survey respondents (~47%) admit that they themselves use their phones 10% of more of their time while driving.

Phone usage while driving seems pretty high overall, with nearly 6 in 10 reporting that they talk on the phone, half use maps or other navigation tools, and nearly 4 in 10 text while driving. Let’s take these results at face value … but I wonder if the actual behaviors are even more slanted towards mobile phone usage than the stats suggest.

We can at least give credit to the respondents for acknowledging that what they’re doing isn’t particularly kosher, since ~83% of them admitted that they put down their phones when they see law enforcement on the road.

And here’s one other finding that I found particularly interesting: nearly 40% of the survey respondents reported that their own children have asked them to stop using their phone while driving.

Talk about parent-shaming – and the parents admit it!

More findings from the Wakefield research can be viewed here.

Do you find these findings surprising, or about as you expected? Please share your thoughts and observations with other readers here.

Notre-Dame Cathedral, an iconic structure built for the ages, survives.

Before the fire: Notre-Dame Cathedral in Paris.

No matter how busy people may have been in their daily activities this past Monday, it’s likely that many took a few minutes to read or watch – and then talk about — the devastating fire at the Cathedral of Notre-Dame in Paris.

Along with the Arc de Triomphe, Notre-Dame may well be the most iconic structure in the city. Personally, I know many friends and relatives who have made it a point to visit the cathedral during their trips to Paris.  So it isn’t surprising that so many people all over the world would feel the tragedy in a personal way.

One of them is my brother, Nelson Nones, who has had a lifelong interest in Gothic architecture. Because he is someone who studied architecture and who has also visited Notre-Dame, I reached out to him for his assessment of the fire damage and what may be the future of the cathedral.

Here is what Nelson wrote in reply:

Watching the fiery collapse of Notre-Dame Cathedral’s central spire on TV yesterday was a truly sickening sight. As a student of Gothic architecture, and having visited most of France’s noteworthy cathedrals, I have many fond memories of Notre-Dame. 

The best of those memories was a Sunday evening pipe organ recital held more than 30 years ago, in 1988, which drew such a large audience that my three oldest children and I had to sit on the floor. Nowhere in the United States, I thought, would a classical pipe organ performance – free or not – attract such a large crowd. I didn’t expect my kids, then between the ages of 10 and 14, to be very impressed, but all of us were deeply moved. 

Nave and choir of Notre-Dame Cathedral during the fire on April 15, 2019. (Photo: Filippe Wojazer, Associated Press)

It’s way too early to know the full extent of fire damage, but the first pictures of the cathedral’s interior to be published as the fire subsided provide some vital clues. The stone vaults above the choir and crossing seem largely intact. (The circular opening at the apex of the vault at the crossing, still glowing with fire in the photos, is original construction.)  

However, in the nave, the vault webbing spanning the two pairs of diagonal ribs nearest the crossing has completely collapsed, as has the cross rib between those diagonals. Because the cathedral’s central spire appeared to topple toward the nave before it crashed, it seems this section bore the brunt of the impact. 

It doesn’t appear that any other vaulting collapsed in the nave. The condition of the vaults above the transepts isn’t visible from available photographs, nor is the state of the priceless stained glass rose windows in the transepts and nave.  

The latest reports indicate that the great organ, begun in 1733 and rebuilt by Aristide Cavaillé-Coll in 1864-67, remains intact. Both the great organ and its console, replaced in 2012, are situated in the grandstand beneath the West rose window, between the cathedral’s iconic towers. It doesn’t appear that the organ was damaged by falling debris, nor did it sustain significant water damage as firefighters struggled to prevent the fire from spreading upward to the belfries. 

The fire completely consumed the cathedral’s wooden roof and central spire, which was undergoing renovation at the time. Thankfully, from an architectural perspective the most important parts of the structure are built of limestone. Stones can crack from high heat, but only the stone vaults and perhaps the inner facade of the North tower appear to have received direct exposure to the fire. The integrity of the cathedral’s pointed arches, flying buttresses and piers, which are its primary structural components and are all made of stone, would have been imperiled to a far greater degree had the fire broken out at the base of the building and spread upward towards the roof. 

Cross-section of Notre-Dame Cathedral. (Timothy Adekunle, after B. Fletcher, A History of Architecture, New York, 1931)

In the Gothic style, the purpose of those arches, buttresses and piers is to transmit the considerable weight of stone vaulting vertically toward the ground. This technique replaced thick outer walls with glass windows in order to fill interiors with light and allow vaults to rise toward imposing heights. Notre-Dame de Paris, begun in 1160, was one of the Early Gothic cathedrals. Its vault rises up to 108 feet but was surpassed during the High Gothic period (c. 1200-1250) by Chartres (117 feet), Reims (125 feet), Amiens (139 feet) and Beauvais (159 feet). The builders of Beauvais, in fact, aimed so high (and reduced the thickness of the flying buttresses so much) that part of the vault collapsed in 1284, and the nave was never built.  

We’ll soon know whether Notre-Dame’s rose windows and other artifacts survived, or not. Reckoning the extent of structural damage to the cathedral, and the time it will take to rebuild, will take longer. It’s clear, though, that much of the stone vaulting that the bulk of this magnificent structure was built to support survived, averting an even greater catastrophe by catching burning lumber which would otherwise have fallen and ignited the wooden screens, pews and paintings below.

Nelson’s note, acknowledging that this was a terrible event, suggests that the damage to Notre-Dame could have been even worse, and it is gratifying to know that the structure wasn’t a total loss. Many of us will be interested to hear updates in the coming days about the structural integrity of the building, and the plans to rebuild what has been lost.

If you have any particular thoughts on the aftermath of the fire – or just memories to share of when you may have visited Notre-Dame – please share your comments with other readers here.

______________________________________

Update (4/16/19):  Subsequent to reports on the condition of Notre-Dame Cathedral the day after the fire, my brother submitted this second set of comments:

Photos taken and published on Tuesday, April 16th, after I wrote to you, provide further insight into the extent of fire damage at Notre-Dame de Paris.

The first (second still photo at https://nationalpost.com/opinion/john-robson-what-the-notre-dame-coverage-kept-missing) shows the nave, crossing and choir. This photo reveals that the entire vault over the crossing collapsed, including the diagonal ribs. Those ribs were still standing in the photo [pictured above] taken during the fire, as was at least half the vault which no longer remains. A closer inspection of the photo leads me to think that much of the eastern half of the vault webbing over the crossing may have already collapsed when the photo was taken, but it’s hard to tell for sure. In any event, whatever remained standing appears to have collapsed later that night. This is not at all surprising considering that the fire originally started above the crossing.

The newer photo also shows a circular hole in the high vault over the South side of the nave, in the third bay from the crossing, which was also visible in the earlier photo but which I didn’t describe in my earlier comments.  I’m quite sure this damage was also inflicted when the spire collapsed.

The second photo (https://nypost.com/2019/04/16/new-photos-show-heartbreaking-damage-inside-notre-dame-cathedral/) shows the north transept as well as the crossing. It reveals that half of the high vault above the second bay from the crossing collapsed.

I have found only one photo of the south transept taken after the fire but it doesn’t show the high vault. However, from news reports, I don’t think any of the high vaulting over the south transept collapsed.

At first I thought that only about 25% of the high vaulting was gone. A more precise figure would be 32% of the high vaulting. Specifically, the total floor area (not surface area) of the high vaults was about 19,830 square feet of which approximately 6,260 square feet (31.6%) no longer exists, based on the plan shown below. The red areas depict the high vaults which fell.

I should add that none of the lower vaults, flying buttresses, pointed arches or piers appear to have sustained any damage from the fire. Structural inspections are still being carried out on the two western towers.

There’s little doubt that additional sections of the high vault sustained so much exposure to high heat that they are no longer structurally sound. The greatest risk is the collapse of more diagonal and cross ribs, which would take down the stone webbing they support, too. It would not surprise me at all if it’s decided to replace nearly all the high vault when the cathedral is rebuilt, if only to allay future public safety concerns. Such a restoration could remain very true to the original masonry and would hardly be noticeable when completed – far less noticeable, I think, than if only part of the high vault is replaced.

The roof above the high vault, and the attic it encloses, will of course need to be completely rebuilt. Here I think the restorers will design and build a replacement that’s similar in appearance, but structurally very different from the one that burned. For example I should think they would want to use structural steel instead of oak framing, for fireproofing (not to mention the difficulty of finding enough virgin oak trees to duplicate the original timber). The original tile cladding was lead which is quite toxic, so I suspect the new cladding will be made of a completely different material such as copper. These changes won’t really affect the cathedral’s architectural integrity, because the old attic was visited very rarely, and cladding material such as copper eventually weathers to about the same color as lead.

A new central spire will rise above the roof, and here is where I think politics will rear its ugly head. The spire which collapsed wasn’t part of the original cathedral; it was built between 1844-64 to replace the original which was taken down in 1786. A Rolling Stone article published on April 16th (https://www.rollingstone.com/culture/culture-features/notre-dame-cathedral-paris-fire-whats-next-822743/) states, “Any rebuilding should be a reflection not of an old France, or the France that never was — a non-secular, white European France — but a reflection of the France of today, a France that is currently in the making.” It attributes this idea to John Harwood, an architectural historian and associate professor at the University of Toronto, but also quotes Jeffrey Hamburger, an art history professor at Harvard, who dismisses Harwood’s idea as “preposterous.”

My prediction? In the end, the restorers will bow to the secularists when it comes to rebuilding the spire, and put something there as grotesquely ugly (and quintessentially French) as the Centre Pompidou, Louvre Pyramid or Charles de Gaulle Terminal 1. But just like the spire which collapsed on Monday, this decision will be fraught with controversy and will stretch completion of the restoration well beyond the 5 years President Macron promised on April 16th.

_________________________________

Update (4/18/19): Here are additional observations from Nelson based on new developments at the Cathedral:

I found an aerial view of Notre-Dame Cathedral taken by a drone and published on Wednesday, 17th April. The aerial view confirms the red areas shown in the plan [see above]. Specifically, it is now clear that none of the high vaults collapsed in the south transept, or in the choir.

Aerial photo of Notre-Dame Cathedral, April 17, 2019.

It’s also very clear why the grand organ survived. It is located in the grandstand at the far left of the photo (and the plan), between the two towers. The roof above that area did not burn at all. Apparently the fire began spreading upward from the roof on the east side of the north tower, but the Paris fire brigade managed to contain the blaze there with water guns. The fire (and the water poured onto it) never got any closer to the organ.

Using enlargements of this and other published drone photos, I have also concluded that the black areas which I haven’t identified as gaps in the vaulting are charred debris from the wooden roof, which came to rest at the top of the vaults.  

As an interesting sidebar story, I learned this morning that the parish of Saint-Sulpice caught fire also, on 17th March. See the article here: https://www.reuters.com/article/us-france-church/paris-historic-saint-sulpice-church-briefly-catches-fire-nobody-hurt-idUSKCN1QY0P1. As best I can tell, the fire occurred at the entrance to the south transept, and damage was minor. The pipe organ, which (like Notre-Dame) is located in the grandstand at the west end of the nave, was nowhere near the fire.

According to the “Great Book of Wikipedia” (https://en.wikipedia.org/wiki/Church_of_Saint-Sulpice,_Paris#Notable_events), this was an arson attack. RT reported (https://www.rt.com/news/456629-french-catholic-churches-attacks/):

“The fire that hit Saint-Sulpice reportedly started in a pile of clothes left outside the cathedral, before climbing up the door and to the stained glass. The clothes are believed to have been left there by a homeless person. Police said the fire was ‘not accidental,’ but the pastor of Saint-Sulpice argued it was not an anti-religious attack.”

[When I visited Saint-Sulpice in July 2012 during the main Sunday Mass, I saw several “homeless” people hanging around outside the main entrance, begging for money.]

Saint-Sulpice will temporarily serve as the cathedral church for the Diocese of Paris until Notre-Dame is re-opened. Makes sense, because it is the second-largest church in Paris.

 

Delayed interaction with email: It’s a triage thing.

It happens all the time because it’s part of human nature.

In the business world as in any other realm, it can be frustrating when emails that need a reply languish in a state of suspended animation.

And it happens a lot. A workplace study conducted recently by Dr. Bahareh Sarrafzadeh of the Cheriton School of Computer Science at the University of Waterloo in Canada, in concert with several Microsoft co-researchers, has found that putting off responding to incoming emails that need a reply happens in more than a third of the cases.

Titled Characterizing and Predicting Email Deferral Behavior, the research was compiled from interviews with Microsoft employees involved in product development, product management, software development and administrative management.  All participants in the research used the Microsoft Outlook platform on a daily basis.

Dubbing it “email triage,” the study defines the phenomenon as “the process of going through unhandled email and deciding what to do with it.”

Email deferral (as opposed to moving an email message to the trash folder), occurs because “people have insufficient time to take an immediate action, or they need to gather information before they can act on a message,” the study states.

Among the factors typically weighed during triage include these questions that people ask themselves:

  • Do I know the answer?
  • Does it require any task to be done?
  • What is the level of complexity involved?
  • Can I handle it independently?

So, the reasons for putting off a reply are perfectly reasonable ones. The problem comes after the fact, because delaying an immediate reply can sometimes turn into complete inaction.

The reasons for this are understandable as well — even if they are inconsiderate to the person who sent the original e-communique:

  • If other people are copied on the incoming email, the recipient may assume that someone else is handling the issues raised.
  • Emails that contain attachments – particularly larger documents – are often put off for scrutiny at a later time, thereby delaying a response.
  • Emails that don’t specify a deadline for receiving a response can easily get pushed to the bottom of the pile.

Thus, a delayed response often means procrastination — or simply “out of sight/out of mind” forgetfulness as other business tasks intervene.

The published research paper can be viewed in its entirety here.  Bear in mind that the University of Waterloo research studied email triage behaviors in a business- and project-management environment. It’s even more dicey when we think of sales- and marketing-oriented communications.  If more than one-third of business management emails aren’t getting timely attention, we can be pretty certain that the engagement with other e-communications is lower still.

But there’s a cost to all of this delayed action (or inaction).  In the “business of business,” putting off providing a response contributes to a loss of project or organizational momentum. Sometimes all it takes is inaction on the part of one or two pivotal players to make an important project initiative grind to a complete halt.

That doesn’t work well for anyone.

Sitting on my desk now, I have no fewer than five projects that have limped along for the better part of two years, simply because at too many points along the way, email responses that should have taken days (or mere hours) to be received have taken weeks or even months instead.  Recurring queries to see if the projects are still active or relevant are answered in the affirmative … but then the waiting game continues.

What about your experiences? Does email triage hurt your own personal productivity or that of your office?  What have you done to get around the hurdles?

Twitter, in Four Sentences

Terry Teachout

Back in 2015, Wall Street Journal columnist, author and arts critic Terry Teachout had a few choice comments to make about Twitter — then as now one of the more controversial of the social media platforms.

With the passage of time — as well as significant elections, referenda and other socio-political developments intervening — it’s interesting to go back and read Mr. Teachout’s comments again.

From his perspective, in 2015 Teachout had postulated that the essence of Twitter could be boiled down to four statements, as follows:

  • How dare you talk about A, when B is infinitely more important?
  • If I disagree with you, you’re almost certainly arguing in bad faith — and are probably evil as well.
  • You are personally responsible, in toto and in perpetuity, for everything that your friends, colleagues, and/or ancestors have ever said, done, or thought.
  • (Statements #2 and #3 do not apply to me.)

Looking at these statements, it’s pretty remarkable how little has changed.

Or has it? What do you think?

[In an interesting side-development, Terry Teachout’s own Twitter account was hacked in 2018 — several years after he published his statements above.  As he recounts here, trying to get all of that sorted out with the social media platform was it’s own special kind of misery, even if ultimately successful.]