Have we become too complacent about cyber-security threats?

The scandal involving the security risk to U.S. State Department e-mails is just the latest in a long list of news items that are bringing the potential dangers of cyber-hacking into focus.

But of course, we’ve seen it before — and it involves far more than just “potential” risk.  From Target, Best Buy and other retailers to Ashley Madison customer profiles, IRS taxpayer information and the U.S. government’s personnel records, the drumbeat of cyber-security threats that’s turned out to be all-too-real is persistent and ongoing.

In the realm of marketing and public relations, recent breaches of PR Newswire and Business Wire data gave hackers access to pre-release earnings and financial reports that have been used to enrich nefarious insider traders around the world to the tune of $100 million or more in ill-gotten gains.

These and other events are occurring so regularly, it seems that people have become numb to them.  Every time one of these news items breaks, instead of sparking outrage, it’s a yawner.

But Jane LeClair, COO of the National Cybersecurity Institute at Excelsior College, is pleading for an organized effort to thwart the continuing efforts — one of which could end up being the dreaded “Cyber Pearl Harbor” that she and other experts have warned us about for years.

“We certainly can’t go on this way — waiting for the next biggest shoe to drop when hundreds of millions — perhaps billions — will be looted from institutions … It’s time we stopped making individual efforts to build cyber defenses and started making a collective effort to defeat … the bad actors that have kept us at their mercy,” LeClair contends.

I think that’s easier said than done.

Just considering what happened with the newswire services is enough to raise a whole bevy of questions:

  • Financial reports awaiting public release were stored on the newswires’ servers … but what precautions were taken to protect the data?
  • How well was the data encrypted?
  • What was the firewall protection? Software protection?
  • What sort of intrusion detection software was installed?
  • Who at the newswire services had access to the data?
  • Were the principles of “least privilege access” utilized?
  • How robust were the password provisions?

In the case of the newswire services, the bottom-line explanation appears to be that human error caused the breaches to happen.  The attackers used social engineering techniques to “bluff” their way into the systems.

Mining innocuous data from social media sites enabled the attackers to leverage their way into the system … and then use brute force software to figure out passwords.

Once armed with the passwords, it was then easy to navigate the servers, investigating e-mails and collecting the relevant data. The resulting insider trading transactions, made before the financial news hit the streets, vacuumed up millions of dollars for the perpetrators.

Now the newswire services are stuck with the unenviable task of attempting to “reverse engineer” what was done — to figure out exactly how the systems were infiltrated, what data was taken, and whether malicious computer code was embedded to facilitate future breaches.

Of course, those actions seem a bit like closing the barn door after the cows have left.

I, for one, don’t have solutions to the hacking problem. We can only have faith in the experts inside and outside the government for determining those answers and acting on them.

But considering what’s transpired in the past few months and years, that isn’t a particularly reassuring thought.

Would anyone else care to weigh in on this topic and on effective approaches to face it head-on?

Criptext: When a recall actually looks pretty good.


I doubt there are many of us in business who have never inadvertently sent an e-mail to the wrong person … or sent a message before it was fully complete … or forgot to include an attachment.

In such cases, it would be so nice to be able to recall the e-mail — just like we used to do in the days of postal mail simply by retrieving the letter from the outgoing mail bin.

Recent news reports reveal that this capability is actually a reality now.

In the fast lane? Criptext principals just completed a successful round of investment funding.

A start-up firm called Criptext has just raised a half-million dollars in private investment funds to help it perfect and expand a product that allows any sent e-mail to be recalled — even if the recipient has already opened and read it.

According to a report from Business Insider, Criptext is currently available as a plugin and a browser extension for the popular Outlook and Gmail email services.  It operates inside of the email, enabling the sender to track when, where and who has opened emails and/or downloaded attachments within them.

In addition, Criptext also enables the sender to recall emails, and even to set a self-destruct timer to automatically recall emails after a specified length of time.

Viewing a screenshot of how Criptext works (in this case with the Gmail service), things look pretty simple (and pretty cool, too):

Criptext activity panel example

I thought it would be only a matter of time before some developer would figure out a way to “unwind” an email communiqué once the “send” button was hit.  And now we have it.

Of course, time will tell whether Criptext can live up to its billing … or if it turns out to be more of a nightmare of glitches than a dream come true.

It would be great to hear from anyone who may have first-hand experience with Criptext — or other similar email functionalities.  Please share your experiences and perspectives pro or con with other readers here.

The Ideal Privacy Policy?

Recently, I came upon a column written by software entrepreneur and business author Cyndie Shaffstall in which she proposes the following policy for any company to adopt that truly cares about its customers’ privacy:

The Ideal Privacy Policy:

1.  We have on file only your first name, last name, and e-mail address.

2.  We ask for nothing else.

3.  We send you only e-mails you request.

4.  We have nothing to share with others – and wouldn’t if they asked.

5.  We won’t change this policy without prior notice – ever. 

Thank you for being our customer, 

~ Your Grateful Vendor 

Cyndie Shaffstall

As Shaffstall herself acknowledges, she’s never actually seen a policy like this.

But if a company actually adopted such a policy, it would certainly make people more comfortable about purchasing its products — particularly things like phones, wearables and other products that capture and process user-specific data as part of their functionality.

Unfortunately, Shaffstall is correct in asserting that few if any companies would actually adopt such a privacy policy.  Because if they did, they’d be voluntarily walking away from so much of what makes the online world such a lucrative business proposition.

But think for a moment:  Wouldn’t it be absolutely wonderful if we didn’t have to consider such privacy policies “too good to be true”?

Do you know any real-live examples of companies whose privacy policies come close to this ideal?  If so, please share them with readers here.

Data breaches: Target is just the tip of the iceberg.

I’m sure we aren’t the only family who’s had to suffer through the aftershocks of Target’s infamous Great Thanksgiving Weekend Data Breach that occurred in late 2013.

According to news reports, as many as 40 million Target credit cards were exposed to fraud by the data breach.  And as it turns out, the initial reports of nefarious doings were just the beginning.

Even after being given a new credit card number, my family has had to endure seemingly endless rounds of “collateral damage” for more than a year since, as Target’s very skittish credit card unit staff members have placed card-holds at the drop of a hat … initiated phone calls to us at all hours of the day … and asked for confirmations (and reconfirmations) of merchandise charges.

Often, these unwelcome communications have occurred on out-of-town trips or whenever someone in the family has attempted to make an innocuous online purchase from a vendor based overseas.

It’s been altogether rather icky — in addition to being a royal pain in the you-know-where.

But our experience has hardly been unique.  Consider these scary figures when it comes to data breaches that are happening with businesses:

  • On average, it takes nearly 100 days to detect a data breach at financial firms. 
  • It takes nearly 200 days to do so at retail establishments.

Those unwelcome stats come to us courtesy of a multi-country survey of ~1,500 IT professionals in the retail and financial sectors.  The study was conducted by the Ponemon Institute on behalf of network security and software firm Arbor Networks.

The next piece of unsettling news is that, even with the long “dwell” times of these data breaches, the IT professionals surveyed aren’t optimistic at all that the situation will improve over the coming year.  (Nearly 60% of those working in the financial sector say they aren’t optimistic, as do a whopping ~70% in retail.)

It’s doubly concerning because companies in these sectors are such obvious targets for hack attacks.  The reason is simple:  The amount and degree of customer data stored by companies in these sectors is highly valuable on the black market — thereby commanding high prices.

It makes it all the more lucrative for unscrupulous people to make relentless attempts to hack into the systems and extract whatever data they can.  IT respondents at ~83% of the financial companies reported that they suffer more than 50 such attacks in a given month, as do respondents at ~44% of the retail firms.

The impact on companies isn’t trivial, either.  Another study released jointly just last week by Ponemon and IBM, based on an evaluation of ~350 companies worldwide, finds that the average data breach costs nearly $160 for each lost or stolen record.  And that’s up over 6% from a year ago.  (The Target breach cost substantially more on a per-record basis, incidentally.  And for healthcare organizations, the average cost is well over $350 per record.)

What can be done to stem the endless flood of data breach attacks?  The respondents to this survey put the most faith in technology that monitors networks and traffic to stop or at least minimize these so-called advanced persistent threats (APTs).  More companies have been implementing formalized incident response procedures, too.

As Dr. Larry Ponemon, chairman of the Ponemon Institute has stated, “The time to detect an advanced threat is far too long; attackers are getting in and staying long enough that the damage caused is often irreparable.”

Clearly, more investment in security tools and operations would be advisable.

Anyone else care to weigh in with opinions?

Going up against Goliath: The latest privacy tussle with Facebook.

Is that Maria Callas? Check with Facebook — they’ll know.

It had to happen eventually:  Facebook’s “faceprints” database activities are now the target of a lawsuit.

The suit, which has been filed in the state of Illinois, alleges that Facebook’s use of its automatic photo-tagging capability to identify people in images is a violation of Illinois’ state law regarding biometric data.

Facebook has been compiling faceprint data since 2010, and while people may choose to opt out of having their images identified in such a way, not surprisingly, that option is buried deep within the Facebook “settings” area where most people won’t notice it.

Moreover, the “default” setting is for Facebook to apply the automatic photo-tagging feature to all users.

Carlo Licata, the lead individual in the class-action complaint filed in Illinois, contends that Facebook’s practices are in direct conflict with the Illinois Biometric Information Privacy Act.  That legislation, enacted in 2008, requires companies to obtain written authorization from persons before collecting any sort of “face geometry” or related biometric data.

The Illinois law goes further by requiring the companies gathering biometric data to notify people about the practice, as well as to publish a schedule for destroying the information.

Here’s how the lawsuit states its contention:

“Facebook doesn’t disclose its wholesale biometrics data collection practices in its privacy policies, nor does it even ask users to acknowledge them.  With millions of users in the dark about the true nature of this technology, Facebook [has] secretly amassed the world’s largest privately held database of consumer biometrics data.”

The response from Facebook has been swift – and predictable.  It contends the lawsuit is without merit.

As much as I’m all for individual privacy, I suspect that Facebook may be correct in this particular case.

Brave New World: Biometrics

For one thing, the Illinois law doesn’t reference social networks at all.  Instead, it focuses on the use of biometrics in business and security screening activities — citing examples like finger-scan technologies.

As Eric Goldman, a professor of law at Santa Clara University notes, the Illinois law is “a niche statute, enacted to solve a particular problem.  Seven years later, it’s being applied to a very different set of circumstances.”

And there’s this, too:  The Illinois law deals with people who don’t know they’re giving data to a company.  In the case of Facebook, it’s commonly understood that user data is submitted with consent.

That may not be a particularly appealing notion … but it’s the price of gaining access to the fabulous networking functionality that Facebook offers its users – all at no expense to them.

And of course, millions of people have made that bargain.

That being said, there’s one nagging doubt that I’m sure more than a few people have about the situation:  The folks at Facebook now aren’t the same people who will be there in the future.  The use of faceprint information collected on people may seem quite benign today, but what about tomorrow?

The fact is, ultimately we don’t have control over what becomes the “tower of power” or who resides there.  And that’s a sobering thought, indeed.

What’s your own perspective?  Please share your thoughts with other readers here.

Is Mobile Fraud Getting Set to Balloon?

Mobile commerce is the latest big development in e-commerce.  So it’s not surprising that nearly all companies engaged in e-commerce expect their mobile sales revenues to grow significantly over the next three to five years.

In fact, a new survey of ~250 such organizations conducted by IT services firm J. Gold Associates, Inc. finds that half of them anticipate their mobile revenue growth to be between 10% and 50% over the next three years.

Another 30% of the companies surveyed expect even bigger growth:  between 50% and 100% over the period.

So … how could there be any sort of negative aspect to this news?

One word:  Fraud.

Fraud in e-commerce is already with us, of course.  For mobile purchases made now, a third of the organizations surveyed by Gold Associates reported that fraud losses account for about 5% of their total mobile-generated revenues.

For an unlucky 15% of respondents, fraud makes up around 10% of their mobile revenues.

And for an even more miserable 15%, the fraud losses are a whopping 25% of their total mobile revenues.

Risk management firm LexisNexis Risk Solutions has also been crunching the numbers on e-commerce fraud.  It’s found that mobile fraud grew at a 70% rate between 2013 and 2014.

That’s a disproportionately high rate, as it turns out, because mobile commerce makes up ~21% of all fraudulent transactions tracked by LexisNexis, even though mobile makes up only ~14% of all e-commerce transactions.

The propensity for fraud to happen in mobile commerce is likely related to the dynamics of mobile communications.  Unlike desktops, laptops and tablets, “throwaway” phone devices are a fact of life, as are the plethora of carriers — some of them distinctly less reputable than others.

Considering the growth trajectory of mobile e-commerce, doubtless there will be efforts to rein in the incidence of fraud – particularly via analyzing the composition and source of cellphone data.

Some of the data attributes that are and will continue to be the subject of real-time scrutiny include the following “red flags”:

  • A phone number assigned to a non-contracted carrier instead of a contracted one means the propensity for fraud is higher.
  • Mobile traffic derived from subprime offers could be a fraud breeding-ground.
  • Multiple cellphones (five or more) associated with the same physical address can be a strong indicator of throwaway phones and fraudulent activity.
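To show how the three red flags above combine in practice, here is an added example (not from the original post or from any vendor named in it) that screens a batch of constructed mobile orders: the field names, weights and review threshold are assumptions; the rules themselves are the ones the post lists.

```python
"""Rule-based screening for the mobile-fraud red flags listed in the post.

Added example, not part of the original post or of any vendor's product.
Field names (carrier_type, traffic_source, address) and the weights are
assumptions chosen for illustration; the three rules are the ones the post lists.
"""
from collections import defaultdict

# Constructed sample orders: one mobile order per record (placeholder phone numbers).
SAMPLE_ORDERS = [
    {"id": "o1", "phone": "555-0101", "carrier_type": "contracted",
     "traffic_source": "organic", "address": "12 Elm St"},
    {"id": "o2", "phone": "555-0102", "carrier_type": "non_contracted",
     "traffic_source": "subprime_offer", "address": "9 Oak Ave"},
    # five distinct phones all tied to the same physical address
    *[{"id": f"o{i}", "phone": f"555-02{i:02d}", "carrier_type": "contracted",
       "traffic_source": "organic", "address": "1 Warehouse Rd"} for i in range(3, 8)],
]

PHONES_PER_ADDRESS_THRESHOLD = 5   # "five or more" in the post
WEIGHTS = {                        # assumed weights; tune against chargeback history
    "non_contracted_carrier": 2,
    "subprime_traffic": 1,
    "many_phones_at_address": 3,
}

def count_phones_per_address(orders):
    """Distinct phone numbers seen per physical address across the whole batch."""
    seen = defaultdict(set)
    for o in orders:
        seen[o["address"]].add(o["phone"])
    return {addr: len(phones) for addr, phones in seen.items()}

def score_orders(orders):
    """Return {order_id: (score, [flags])} for every order in the batch."""
    per_address = count_phones_per_address(orders)
    results = {}
    for o in orders:
        flags = []
        if o["carrier_type"] != "contracted":
            flags.append("non_contracted_carrier")
        if o["traffic_source"] == "subprime_offer":
            flags.append("subprime_traffic")
        if per_address[o["address"]] >= PHONES_PER_ADDRESS_THRESHOLD:
            flags.append("many_phones_at_address")
        results[o["id"]] = (sum(WEIGHTS[f] for f in flags), flags)
    return results

def review_queue(orders, threshold=2):
    """Order ids whose score reaches the manual-review threshold (assumed value)."""
    return sorted(oid for oid, (score, _) in score_orders(orders).items() if score >= threshold)

if __name__ == "__main__":
    for oid, (score, flags) in score_orders(SAMPLE_ORDERS).items():
        print(oid, score, flags)
```

The address rule only fires once the batch is aggregated, which is why the scorer runs over the whole batch rather than one order at a time.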

The question is whether this degree of monitoring will be sufficient to keep the incidence of mobile fraud from “exploding” – to use Gold Associates’ dramatic adjective.

I think the jury’s out on that one … but what do you think?

Security blind spots: It turns out they’re everywhere on the web.

It seems like there’s a story every other day about security breaches affecting e-commerce sites and other websites where consumers congregate.

And now we have quantification of the challenge. Ghostery, a provider of apps that enable consumers to identify and block company tracking on website pages, has examined instances of non-secure digital technologies active on the websites of 50 leading brands in key industry segments like news, financial services, airlines and retail.

More specifically, Ghostery was looking for security “blind spots,” which it defines as non-secure tags that are present without the permission of the host company.

What it found was that 48 of the 50 websites it studied had security blind spots.

And often it’s not just one or two instances on a website. The analysis found that retail web pages host a high concentration of non-secure technologies:  438 of them on the Top Ten retail sites it analyzed (companies like Costco, Kohls, Overstock.com, Target and Walmart).

Financial services sites are also hit hard, with 382 blind spots identified, while airline websites had 223 instances. And they’re often present on the pages described as “secure” on these websites.

Scott Meyer, who is Ghostery’s chief executive officer, had this to say about the situation:

“Companies have very little understanding of what’s happening on their websites. The problem is not with any of the company’s marketing stacks, it’s with their own tech stacks.  What these companies have now is marketing clouds, not websites, and they’ve gotten complicated and hard to manage.”

Scott Meyer, CEO of Ghostery (formerly The Better Advertising Project and Evidon).

There was one leading brand web site that came off looking squeaky clean compared to the others: Amazon.  “Amazon is incredibly sophisticated; others are not,” Meyer noted.

The implications of failing to address these security blind spots could be seriously negative. Bot networks often use non-secure technologies to gain entry to websites.  Google is indexing company websites higher in search engine results based on their security ratings.

It makes it all the more important for companies to audit their websites and set up system alerts to identify the non-secure tags.
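As an added illustration of such an audit (not Ghostery’s tooling or anything from the original post), the following scans a page’s HTML for tags that fetch resources over plain http or from hosts the site owner has not approved; the page, hosts and approved list are constructed placeholders.

```python
"""Audit an HTML page for non-secure or unapproved third-party tags.

Added example, not Ghostery's tooling. Assumes a site served over https whose
approved vendor hosts are known; every other resource-loading tag is reported.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page; the hosts are placeholders, not real vendors.
SAMPLE_PAGE = """
<html><head>
<script src="https://cdn.example-shop.test/app.js"></script>
<script src="http://tracker.adnet.test/pixel.js"></script>
<link rel="stylesheet" href="//fonts.cdn.test/style.css">
</head><body>
<img src="http://cdn.example-shop.test/logo.png">
<iframe src="https://unknown-widget.test/chat"></iframe>
</body></html>
"""
APPROVED_HOSTS = {"cdn.example-shop.test", "fonts.cdn.test"}  # assumed allowlist

# Tag/attribute pairs that make the browser fetch a resource
RESOURCE_ATTRS = {"script": "src", "iframe": "src", "img": "src", "link": "href"}

class TagCollector(HTMLParser):
    """Collects (tag, url) for every resource-loading tag in the document."""
    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attr = RESOURCE_ATTRS.get(tag)
        url = dict(attrs).get(attr) if attr else None
        if url:
            self.resources.append((tag, url))

def audit(html, approved_hosts=APPROVED_HOSTS):
    """Return [(tag, url, issues)] for tags that need review, in document order."""
    parser = TagCollector()
    parser.feed(html)
    findings = []
    for tag, url in parser.resources:
        parsed = urlparse(url)
        issues = []
        if parsed.scheme == "http":           # plain http on an https page: mixed content
            issues.append("non_secure")
        if parsed.hostname and parsed.hostname not in approved_hosts:
            issues.append("unapproved_host")  # tag present without the site's permission
        if issues:
            findings.append((tag, url, issues))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_PAGE):
        print(*finding)
```

Protocol-relative URLs (`//host/...`) inherit the page’s scheme, so they are checked only against the allowlist.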

For the leading brands in particular, they just need to suck it up and do it for the benefit of their millions of customers.