Archive for the ‘Sabotage’ Category

Air Travel Gets Nastier

Monday, December 28th, 2009
Delta NWA Flight

The attempted Christmas Day bombing on Northwest Airlines Flight 253 from Amsterdam to Detroit was thwarted, but air travelers will continue to be inconvenienced by new rules imposed by the Transportation Security Administration. There does not appear to be a cost-benefit justification for such measures. According to the Bureau of Transportation Statistics, there have been six attempted terrorist attacks on flights into or within the U.S.: four planes that were hijacked on 9/11, the shoe bomber’s attempt to blow up a plane in December 2001 and now this incident. This works out to one terrorist attack for more than 16.5 million airline departures within or to the U.S. TSA’s response was to further inconvenience airline passengers by various means, including requiring passengers to remain seated during the final hour of flight and to forfeit access to their carry-on luggage at that time. I limit my air travel, not because of safety concerns, but because travel has become such an ordeal. If you have not already done so, now is the time to invest in a $99 camera for cheap Internet videoconferencing. Even if your recession budget allows for air travel, the inconvenience endured by Air Canada passengers into the U.S. today suggests that all but the most critical business travel should be re-evaluated.

Securing Our Digital Infrastructure

Tuesday, June 9th, 2009


President Obama’s recent statement on cyber-security highlights threats to our digital infrastructure, which has been increasingly compromised by hackers. The President declared this a national priority to ensure resilience owing to our dependence on safe and secure computer networks. In connection with the President’s statement, the White House released a document titled “Cyberspace Policy Review”, which outlines the issues around our grid utilities, including computing.

Tomorrow, I will be speaking at a web-cast organized and hosted by Symantec, which has long been dealing with stealth security threats. Click here to register for participation. I hope you will join this discussion.

Global Virus Spread

Tuesday, February 17th, 2009
Globally Connected, in the Worst Way

More than one million, and possibly as many as ten million, personal computers have been infected with the Conficker virus. The virus has claimed victims from the German military, computer networks in the British and French Air Forces and teaching hospitals in England. Conficker is particularly virulent because once it spreads it prevents infected computers from being cleaned, while searching nearby servers to break passwords and spread to any shared drives. It also replicates itself, like a DNA strand, onto any hardware device connected to a USB port, such as digital cameras, music players or key drives. When those infected devices are then connected to another computer, they infect that machine and so the virus spreads. This is apparently the means by which the computer networks of the French Navy were infected.

What makes Conficker so devastating is that on a daily basis, each computer infected with Conficker attempts to connect to 250 Internet domains for further instructions on destructive activities to carry out. Each day these 250 domains change, confounding efforts of security experts to shut them down. In effect, Conficker has created a massive botnet that could orchestrate spam attacks or cyber extortion or cyber militia attacks.
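The daily lookup pattern described above is also something a defender can see in DNS resolver logs. The following is an added example, not part of the original post: it flags any machine that queries a large number of distinct domains in one day when most of them fail to resolve. The log format, the threshold of half the post's 250 figure, the 80% failure ratio, and the assumption that most generated domains are unregistered are all assumptions made for illustration; the sample log is constructed.

```python
import hashlib
from collections import defaultdict

DAILY_DOMAINS = 250  # per-day figure given in the post


def parse(line):
    """Parse 'YYYY-MM-DD HH:MM:SS client qname rcode' (constructed log format)."""
    day, _time, client, qname, rcode = line.split()
    return day, client, qname.lower().rstrip("."), rcode


def suspect_hosts(lines, min_distinct=DAILY_DOMAINS // 2, min_fail_ratio=0.8):
    """Return {(day, client): distinct_domain_count} for clients whose lookups
    in one day cover many distinct domains, most of which do not resolve."""
    seen = defaultdict(set)    # (day, client) -> distinct names queried
    failed = defaultdict(set)  # (day, client) -> distinct names answered NXDOMAIN
    for line in lines:
        day, client, qname, rcode = parse(line)
        seen[(day, client)].add(qname)
        if rcode == "NXDOMAIN":
            failed[(day, client)].add(qname)
    hits = {}
    for key, names in seen.items():
        if len(names) >= min_distinct and len(failed[key]) / len(names) >= min_fail_ratio:
            hits[key] = len(names)
    return hits


def constructed_sample():
    """Constructed log: one noisy client and one ordinary client. Names are made up."""
    lines = []
    for i in range(DAILY_DOMAINS):
        label = hashlib.sha256(f"sample-{i}".encode()).hexdigest()[:10]
        rcode = "NOERROR" if i % 50 == 0 else "NXDOMAIN"
        lines.append(f"2009-02-17 09:{i % 60:02d}:00 10.0.0.23 {label}.example {rcode}")
    for i in range(40):
        lines.append(f"2009-02-17 10:{i:02d}:00 10.0.0.7 www.example.com NOERROR")
    return lines


if __name__ == "__main__":
    for (day, client), n in suspect_hosts(constructed_sample()).items():
        print(f"{day} {client}: {n} distinct domains, mostly unresolved")
```

A client that trips this check is a candidate for isolation and cleaning; the thresholds need tuning against normal traffic on the network being monitored.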

Generally, it is a bad idea to use external devices such as key drives for data storage; such devices can be lost or stolen. Now add another reason to the list: they can be used to transmit lethal viruses from one computer to another. Some businesses have their IT staff disable USB ports to prevent employees from using key drives. This may be an idea that small business owners should consider out of an abundance of caution.

Let’s Avoid Complacency with IT Security

Sunday, November 16th, 2008

Under the headline “Angry, Angry IT Guy Goes to Jail”, Silicon Valley blog Valleywag reports that “IT contractor Steven Barnes will serve a year in prison and pay $54,000 in restitution after being convicted of logging into a client’s network and deleting the Exchange database, among other things. Barnes claimed he acted after coworkers from Blue Falcon Networks, now known as Akimbo Systems, came to his home and took away his personal computers by force. Barnes reconfigured Blue Falcon’s server as an open relay for spammers, causing the company to be automatically blacklisted from delivering real mail.” Add this to the recent reminder I had posted of what to do to ensure that your IT systems are secure. Reinstating your e-mail privileges once your company is blacklisted is a major undertaking that you want to avoid at all costs.

Who Can Help?

Monday, October 27th, 2008

I recently had the experience of four fraudulent charges appearing on my credit card. I contacted the online merchants where the sales were made and learned of what appears to be a mill for the fraudulent use of credit cards. One merchant where my card had been improperly used to pay for goods determined that the same buyer with the same shipping address had attempted to put through more than 40 charges in the exact same dollar amount within a ten-minute period online. I also, after properly identifying myself as the holder of the credit card that was used to make the purchases, obtained the address to which the goods were to be shipped.

Getting help in dealing with credit card fraud is difficult because unless the purchases improperly charged to your account exceed $2,000, federal law enforcement generally won’t get involved. And with the sheer volume of card misuse, local officials cannot investigate every claim. So with little risk and some reward, incentives exist for credit card fraud to continue. Moreover, since card holders can obtain some protection from the card-issuing bank, they are not terribly motivated to invest much time in pursuing the matter, leaving the fraudsters to go on to victimize someone else. I recommend a different approach: I obtained the address to which the goods improperly purchased on my credit card were to be shipped from the online vendor. This is the point in the transaction where the user of a stolen credit card has to step out of the shadows; otherwise, if he cannot take possession of the goods he has purchased on someone else’s credit card, it was all for nothing.

The risk for him is that if he has the goods shipped to his real address, that provides a means to identify him as the card thief. But if he has the goods shipped to a phony address, he will likely not receive them. So what is commonly done is that the thief will have the goods shipped to a street that exists, but the numbered address on the street does not. For this to work, he needs an accomplice at the shipping company who covers that route and knows that any goods shipped to 123 Apple Drive, for example, are to be forwarded to him at another address. Apple Drive must exist within the identified city, state and zip code or else the package delivery service’s software will reject the package and return it to the sender. But if “123 Apple Drive” does not exist, there is a means to use that address to re-route purchased goods.

I discovered that the online merchants where my credit card was improperly used were instructed to ship the purchases to a street that exists within the city of Las Vegas at the correct zip code given, but the street number does not exist. I also discovered that in all four cases, the card thief elected the same delivery service. I wrote a letter with the pertinent information and all the relevant documentation I could obtain to the delivery service and requested that they investigate the matter internally. They replied to me that they would do so. I hope that the delivery service attempts to deliver a package to that phony address to track what happens to it. If more people alerted the delivery services in such instances, we could change the risk-reward equation for those who engage in credit card fraud and reduce the incidence of such abuse.

Critical Computer Systems Held Hostage

Thursday, September 11th, 2008

A recent incident that crippled the City of San Francisco teaches a lesson for small businesses

Recently, a network administrator employed by the City of San Francisco locked down the City’s computer network. By keeping a single password secret, Terry Childs (no relation to me!) denied access to IT administrators, thereby crippling important municipal functions, such as the City’s payroll and law enforcement records. After spending several days in jail and meeting in secret with San Francisco Mayor Gavin Newsom, he gave up the password and power has been restored. Subsequent investigation revealed that Mr. Childs was a disgruntled employee with a criminal record; he had been arrested for aggravated robbery 25 years ago in Kansas.

As we had advised in the first edition of our book, “A good network administrator builds his or her reputation on trust that has been earned throughout their careers. But even with the best service administrator in your service, you must still protect against the risk of internal sabotage. These measures are not difficult to implement and should be welcomed by your network administrator as being in the best interest of the organization.” How can your small business avoid San Francisco’s experience of being held hostage by a disgruntled network administrator?

1.    Apply basic auditing methods. There are simple auditing methods that you can apply and review periodically, such as identifying who accessed which files, who generated which external network traffic and who sent a large number of e-mails or attachments to which addressee. You should, of course, inform your staff that activities on the IT network are monitored and the results of these activities are not matched with personal information unless there is a compelling reason to do so. Ask staff to refrain from storing personal information on company computers. These guidelines should be formalized in company policy.

2.    Automate independent backups. It is critical to back up your business data and certainly your network administrator needs to have access to the backups in the event it becomes necessary to retrieve data in the course of ordinary business or emergency. But always have one backup mirrored on a site to which the administrator does not have access. There are tools that can do this automatically at designated times during the day. This mitigates your risk of sabotage. If the City of San Francisco had such a system in place, the Mayor would not have been compelled to visit a saboteur in his jail cell.

3.    Outsource your e-mail service to a third-party provider.
I always advise small businesses to outsource their e-mail service to a third-party provider, as it is generally not cost-effective for them to manage these services in-house. This approach offers an additional benefit: it makes the e-mail system independent of internal systems staff, both reducing their work burdens and the opportunities for internal sabotage.

4.    Do not use any built-in “Administrator” accounts, but instead give two users administrative rights on the system. This way, each week those two people can independently monitor and audit suspicious activities on your network and system administrator tasks can be traced to their user identifications.
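A weekly review along the lines of items 1 and 4 can be scripted. The following is an added example, not taken from the book or the original post: it reads an audit export and reports any use of the built-in Administrator account, administrative changes made by anyone other than the two named administrators, and unusually many e-mails from one user to one addressee. The CSV layout, the user names, the action names and the mail threshold are assumptions; the sample data is constructed.

```python
import csv
import io
from collections import Counter

BUILTIN = {"administrator"}   # built-in account that item 4 says not to use
ADMINS = {"alice", "bob"}     # hypothetical: the two users given admin rights
MAIL_LIMIT = 3                # hypothetical weekly limit per (user, addressee)

# Constructed sample audit export for one week.
SAMPLE = """\
time,user,action,target
2008-09-08T09:02,alice,admin_change,firewall-rules
2008-09-08T11:40,Administrator,admin_change,router-config
2008-09-09T14:15,carol,file_read,payroll.xls
2008-09-09T16:30,dave,admin_change,backup-schedule
2008-09-10T08:05,carol,mail_sent,outside@example.net
2008-09-10T08:06,carol,mail_sent,outside@example.net
2008-09-10T08:07,carol,mail_sent,outside@example.net
2008-09-10T08:09,carol,mail_sent,outside@example.net
2008-09-11T10:00,bob,mail_sent,client@example.com
"""


def review(text, admins=ADMINS, mail_limit=MAIL_LIMIT):
    """Return a list of (finding, user, detail) tuples for the reviewers."""
    findings = []
    mail = Counter()  # (user, addressee) -> messages sent this week
    for row in csv.DictReader(io.StringIO(text)):
        user = row["user"].strip().lower()
        if user in BUILTIN:
            # Actions under a shared built-in account cannot be traced to a person.
            findings.append(("builtin-account", user, row["target"]))
        elif row["action"] == "admin_change" and user not in admins:
            findings.append(("unapproved-admin", user, row["target"]))
        if row["action"] == "mail_sent":
            mail[(user, row["target"])] += 1
    for (user, addressee), count in sorted(mail.items()):
        if count > mail_limit:
            findings.append(("bulk-mail", user, f"{addressee} x{count}"))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(*finding, sep="\t")
```

Each of the two administrators can run the same review independently, so that neither is the only person checking the other's activity.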

One of the key messages of Prepare for the Worst, Plan for the Best: Disaster Preparedness and Recovery for Small Businesses (Wiley, second edition, 2008) is that by preparing for the everyday disaster, you automatically build resilience for the more serious threat. No one wants to think about internal sabotage; it is deeply upsetting to imagine that your trust could be betrayed in such a manner. Thankfully, few of us will have to deal with this possibility. But what if San Francisco’s IT administrator had suffered an accident or a medical emergency (a statistically more likely outcome than the perpetration of sabotage)? The City’s IT systems would still be brought to a standstill, without the solution of a jailhouse visit by the Mayor to retrieve the password. Restricting access to a single individual, no matter how apparently trustworthy, is not a good policy. Let your small business learn from the experience of San Francisco.