Apple, formerly Apple Computer, is legendary in its secrecy. In the late 20th century, I was working for Tandem Computers down the road from Apple in Cupertino. There were stories of undercover agents roaming the tables of local eateries listening for employees talking about things that were not to be divulged in public then reporting their names back to the mother ship. In 2012, Apple announced plans to built its own off-campus restaurant to prevent anyone but employees from overhearing each other’s conversations.
Fast forward to modern times, and we’re in the always-connected era. Not only are employees probably talking about your latest secret project in public, they probably are working on it. Unless the information I am viewing is publicly available (like an article or conference presentation), I do not use my notebook, tablet, or phone for anything except playing movies and music on airplanes, in a coffee shop, or any other public location. As an information security professional, I know how easy it is for people to see what I am working on, even if they are hundreds of feet away from me.
Some organizations might mandate the use of privacy filters to limit viewing by seat mates, but take a look at your screen from the row behind you or standing in the aisle and be surprised. Most privacy filters only protect you from the side and not from over your shoulder. There are some with reflective surfaces that can help prevent shoulder-surfing but they may also diminish your own view. In fact, you might find out that your employees are removing the filters entirely because they cannot see the screen properly themselves.
If you travel a lot like I do, you have probably overheard a sales rep trying to close a deal on the rental car shuttle bus. More than once I’ve been able to deduce the company and the deal they were working on. “Look, we can underbid XXX, win the deal, then use the cost rider to get our margins back.” Wouldn’t you be surprised and pleased if XXX was your company and you were on your way to the same vendor meeting?
I was at a conference a couple weeks ago and overheard two people at a table behind me talking about their plan to hire college students to ride elevators at another conference and take notes on what was being said if the conversation included certain keywords. Since there is no expectation of privacy in a public place, this is perfectly legal. I guess they could also pay the older students to hang out in the conference hotel’s drinking spots.
Earlier I mentioned that it’s easy for people to see what I am working on, even if they are hundreds of feet away from me. How can this be? Free Wi-Fi. Unless your employees are using a virtual private network (VPN) connection, the information flowing from device to data center is unencrypted. And even if someone is using a VPN, or some versions of SSL, a rogue hotspot can watch everything go by as the “man in the middle” (MiTM).
How does this work? I am sitting in a coffee shop (or burger bar, hotel, airplane, etc.) and I fire up Wi-Fi on my device. I see a hotspot called Stabrucks so I link to it. Re-read the last sentence – carefully. This is a rogue hotspot. When I create my VPN, or use SSL to talk to a server, the computer behind the hotspot creates 2 connections; one between the device and itself, and one between itself and your company’s network. Each thinks it is running securely, but the MiTM can read every piece of information going back and forth.
Bill Stevens, the father of Victoria, a Sandy Hook Elementary school student, asks legislators why the protection that he can give her at home cannot be afforded her in school. Mr. Stevens states that in the event of an intruder, there would be no lockdown at his house, and 911 would only be called after he has secured the situation. This echoes the comments of E. Brian Normandy in an earlier blog post who believes that students should evacuate and scatter so that they don’t become easy targets for a gunman intent on killing as many students as possible.
But back to Mr. Stevens. He comments to the lawmakers that their security is so much better than that of his daughter’s school because they get armed guards while his daughter and her fellow students are left without any protection at all. He further tells them, “…that you will take my ability to protect my Victoria from my cold, dead hands.” In other words, he is of the school of thought that a good guy with a gun is the only way to protect oneself and one’s loved ones from a bad guy with a gun. Here is the video:
Originally called a “Frankenstorm,” Superstorm Sandy has left permanent marks on the Northeastern United States; New Jersey’s Barrier Islands will never be the same.
Millions of businesses and people were left without power immediately following the storm, and more than two weeks later, power is still out to some 50,000 people and hundreds of companies still have not been able to move back into their offices due to mud, mold, and other contamination.
According to Netflix, viewership doubled on the East Coast, with major spikes in cities including New York City, Boston, Philadelphia, Baltimore and Washington, D.C., with an early morning increase in children’s titles being streamed.
And where homes did have power, cellphone service was out for days. Why? Because the carriers had successfully resisted Federal Communications Commission calls to make emergency preparations, leaving Superstorm Sandy survivors to rely on the carriers’ voluntary efforts. And we’ll probably never know why the companies decided not to install backup power, because the FCC has been blocked from asking — even though about a third of people rely on mobile service as their only telephone service.
You see, 5 years ago the FCC, responding to findings that communications companies had supplied too little backup power during and after Hurricane Katrina, moved to adopt rules requiring the companies to have emergency energy sources. In response, the companies sued, claiming that the commission had no authority over them. Hey, life’s tough all over, right?
Which brings up an interesting question; if your organization’s business continuity plan included working remotely, was it successful, or was bogged down by lack of power, lack of cellphone service, or by everyone watching Netflix and other streaming services while schools and businesses were closed? Are you talking to vendors about shared or dedicated recovery space for the next “big one?” Please let me know in the comments.
Many companies are promoting the use of smart phones as tools to be used when disaster strikes. The idea is that you can store parts of your plan on the phone or use the browser to access your plan in the cloud. You can even access your notification system from your phone and get your people into action while you’re still stuck in traffic.
Unfortunately, I discovered that while my trusted iPhone has powers much greater than its diminutive stature would suggest, it has an Achilles Heel called iTunes. You see, my family was on vacation in the wilderness called Yellowstone National Park this past week. We only had access to cellular when we were at selected tourist areas, and only had access to Wi-Fi in the hotel. The evening that we arrived, my wife’s iPhone 4 showed the screen to the right. Yes, something went seriously wrong and it wanted its mommie. Unfortunately, I was carrying two iPads and two iPhones, but no laptop. When we got to our hotel, I used my iPad to search for solutions and the only answer was that when an iPhone wants to be connected to iTunes, it wants to be connected to iTunes and there is no workaround. I had a USB cable and asked just about everyone I saw in the park if I could use their computer to resurrect my phone, but no one was willing – and I can’t say that I blame them. Would you let a stranger connect their phone to your computer? I used my iPhone to make an appointment at the closest Genius bar which was in Salt Lake City and my wife and I used the handheld ham radios that I had in our suitcase as backups (yes, once a DR planner, always a DR planner).
So four days later, we arrived back in Salt Lake City and headed to the Apple Store where Summer helped me out. Since this was the third time in six months that this iPhone needed to be connected to iTunes before it would work, she suggested that I should have the phone replaced for $149, even though it was only 2 months out of AppleCare. I figured that $149 was a pretty good deal so I did the deed, she swapped out my phone and I was on my way.
But this post is about why your iPhone could make your disaster worse, so let me wrap it by asking you how many times your Motorola, Nokia, Pantech or other basic cellular phone needed to be connected to a computer before you could use it to make phone calls. I thought so. So now I am going to buy a basic cellphone and carry it with me at all times so that if my iPhone pulls this stunt again, at least I’ll have a phone that I can use to make calls – assuming that the cellular infrastructure is available and my battery is charged.
Do you have any horror stories about your phone not being able to work like a phone when you needed it most?
Updated 2012/08/05. Matt says, “I know how it was done now. Confirmed with both the hacker and Apple. It wasn’t password related. They got in via Apple tech support and some clever social engineering that let them bypass security questions.”
The still answer is, “When It’s Online.” I addressed this topic in several previous posts:
and it’s still true. In Matt Honan’s case, his data not only was in the cloud, but also was on multiple systems; a MacBook, an iPad, and an iPhone. And he still lost a year’s worth of photos, emails, documents, and who knows what else. Here is Matt’s story.
A high-tech reporter, Matt had his Apple iCloud account hacked by someone who somehow learned his 7-character alphanumeric password. While Matt didn’t use this password anywhere else, he hadn’t changed it for a very long time—years in fact. Which of course is a security no-no itself.
After logging in to his iCloud account, the hacker reset Matt’s password and tossed the confirmation message into the trash so that he wouldn’t see it. Since Matt’s backup GMail account was his hacked iCloud account, the hacker requested a GMail password reset and took over that account too and deleted it. The next target was Matt’s Twitter account, followed by Gizmodo’s Twitter account which was linked to Matt’s account. And you can imagine the #@%&$ that the hacker posted on both accounts.
The hacker then proceeded to remotely wipe his iPhone, iPad, and MacBook. Even though Matt saw it happening, there was nothing that he could do to stop the process. And since Matt didn’t have any offline backups, his data is gone forever.
Use complex passwords, don’t use the same password more than once, and change your passwords periodically
Use a password manager if you need to and choose an insanely complex password for it. Personally, I like the cross-platform SplashID with a line from a poem or song as the password
If it’s available, use two-factor or two-step authentication on websites, especially for password recovery
If you have linked multiple accounts, unlink them unless there is a very good reason for the linkage
If you have accounts that you no longer use (anyone with a MySpace account, raise your hand), try to delete them. If you cannot delete the account, then remove all possible information and lock down the account as tightly as you can
Once again—backup your data offline. A hard drive that you can stuff in a safe, in a closet, or under your bed is more secure than anything in the cloud
While I covered personal security above, the same information also applies to organizations, except that you’re probably going to use tape, virtual tape, or disk-to-disk archives for offline storage rather than cloning hard drives and putting them under your bed. If you have a web presence, blog, or use social media, go change your passwords now and evaluate how those accounts can be locked down before your reputation is tarnished by getting hacked.
As always, I look forward to your comments and recommendations.
After last week’s shooting at a movie theater in Aurora, Colo., the city of Houston has released a how-to video on surviving a shooter event. The video was created with funds from the Homeland Security Department.
If you are on fire, the keywords are, “Stop, Drop, Roll”
If you are in an earthquake, the keywords are, “Drop, Cover, Hold On!”
The new keywords for an active shooter incident are, “Run, Hide, Fight”
“It may feel like just another day at the office, but occasionally life feels more like an action movie than reality,” says a narrator. The City of Houston’s website recommends:
Run if a safe path is available. Always try and escape or evacuate even if others insist on staying.
Encourage others to leave with you but don’t let the indecision of others slow down your own effort to escape.
Once you are out of the line of fire, try to prevent others from walking into the danger zone and call 9-1-1.
If you can’t get out safely, find a place to hide.
When hiding, turn out lights, remember to lock doors and silence your ringer and vibration mode on your cell phone
As a last resort, working together or alone, act with aggression, use improvised weapons and fight.
So be safe, be prepared, and don’t let the crazies and terrorists win.
This week’s shooting incident at Aurora’s Century 16 theater is almost too much to bear. Experts are saying that 24-year-old James E. Holmes was planning this horror for months, buying weapons, ammunition, and explosives. He even booby-trapped his apartment before leaving for the theater.
The Internet is abuzz with speculation around how Holmes gained access to his weaponry, and what could have been done to detect and prevent him from carrying out his plan. Did anyone notice but ignore the signs that this lone wolf was capable of such bloodletting? What if mail order purchase of ammunition was banned? What if he couldn’t have bought a 100-round magazine for his rifle? It’s pretty obvious that Holmes had been planning his assault for months. Can it be possible that someone noticed something wrong but didn’t speak up? If he could not have gotten his supplies legally would he have found other means, or just given up?
There are dozens of discussions on whether or not citizens licensed by the state of Colorado to legally carry their own weapons would have been able to take out Mr. Holmes early on if the Century 16 theater in Aurora didn’t have a weapons ban in place. From what I have read so far, Holmes was not wearing a bulletproof vest, but just a nylon assault vest. There are cases like the 71-year-old with a concealed weapon permit who stopped a robbery in Florida last week, so it is plausible.
We aways seem to be fighting the last war, as evidenced by having to take off our shoes at the airport after Richard Reid tried to light his up on an airplane. So after the fact, theater chains have implemented rules banning the “wearing of masks or costumes that makes other patrons uncomfortable.” Unfortunately, this rule would not have prevented the Aurora incident since Mr. Holmes wasn’t wearing his gear into the theater. Before entering the theatre with everyone else, he placed his clothes and weapons cache outside of an emergency exit which he propped open so that he could get to it. Perhaps a law that emergency exits need to trigger an alarm would be a better move?
Not to minimize the horror of what happened, but there is no such thing as absolute security. Even if you lock yourself in your house’s safe room and never go out, the food and water supply aren’t 100% free from risk either. So the best that you can do is to be prepared for whatever comes at you, and that was the premise of my series on active shooters. That means gaining appropriate training and being prepared. Not just for an active shooter, but for a hurricane, flood, earthquake, pandemic, and other disasters.
There are plenty of training classes on the web or taught in person by organizations such as the Red Cross. Make a kit, have a plan, and stay informed is their motto. Do you or someone in your family know basic first aid and CPR? If not, then why not? When my mother-in-law collapsed in her chair, I was the only one amongst 9 adults and 8 teens whose training kicked in to tell my wife’s sister call 911 while I got her mother to a safe position on the floor.
As in the previous blogs, unless I quote someone else, these are my opinions and I am not speaking for any organization, including those that I am employed by or a member of.
This blog is all about the mindset and training needed to kill someone who is intent on causing great bodily harm to you, your friends and loved ones, or even your co-workers, before they kill you. This is the mentality of a sheep dog.
Before I go too much further, you need to know that not everyone can or should be a sheepdog. If you do not have the mindset to be a sheepdog, then you can be a sheep and that’s okay. Just don’t be horrified because the sheepdog next to you is carrying a concealed weapon so that he or she is ready when the wolf comes.
Peace officers are sheepdogs. They have made a conscious decision to walk into toxic environments so that others don’t need to. But wolves can be anywhere and you can’t always have a peace officer by your side.
But there are substantially more retired peace officers than there are active peace officers, and if certain training, qualification, and other requirements are met, they are allowed to carry concealed weapons. In fact, I will bet that most of them carry all the time, even when they are in a church or temple.
How many retired peace officers are working at your organization, but cannot carry due to company policy? Is there a specific reason for that policy or is it because a sheep in the executive staff is afraid of guns? These people have the mindset and the training to be sheepdogs and you should offer them every opportunity to protect their coworkers by allowing them to carry while at work.
If you are not a peace officer but think that you are a sheepdog, you need to be trained. Even if you can get a concealed carry permit without extensive training, you shouldn’t actually carry a weapon until you are completely comfortable that you can care for it and use it — and even then, only when absolutely necessary.
There are many facilities that can give you basic training, but before carrying a weapon, I strongly recommend a 20-40 hour tactical class divided between classroom and range time with at least 1000 rounds going downrange. Jackson Arms in the San Francisco bay area, Front Sight in Nevada, and Gunsite Academy in Arizona are just a few of the facilities available to you.
To be a sheepdog, you must be physically and mentally prepared, appropriately trained, and you must always carry your gun with you. I say always, because that one time that you decide to leave your gun locked in the safe is the one time that you are going to need it.
Guns are not for everyone, but if someone wants to be a sheepdog, it’s going to be hard for you to stop them. No matter what the media says, guns are not dangerous when properly handled by a trained individual. Which means that if you are not trained or you don’t have a training class scheduled, you shouldn’t own one.
Since 9/11, more of us have become sheepdogs, which is one reason that air travel has stayed safe. No longer will we sit in our seats like sheep when we see that our fellow passengers could be in danger. And this is a good thing, because the wolves will always be out there.
I want to hear your thoughts so please feel free to share this blog with your friends and send comments to me.
In the first three parts of this series, I talked about how to prevent an active shooter from getting into your building, what to do if one is in your building already, and how to protect teen and pre-teen students. In this penultimate piece, I’m going to discuss a topic that is controversial and has passionate proponents and detractors on both sides of the argument. Again, unless I quote someone else, these are my opinions and I am not speaking for any organization, including those that I am employed by or a member of.
Lt. Col. Dave Grossman retired after many years of service in the US Army, including a stint as a US Army Ranger and a teacher of psychology at West Point. He writes on ways to reduce violence in society and how to deal with the aftermath of violent events such as school shootings. One of is essays is titled, “On Sheep, Wolves and Sheepdogs.”
In it, he says that he was told that, “Most of the people in our society are sheep. They are kind, gentle, productive creatures who can only hurt one another by accident.” That is, even though violence is sensationalized in the media, the chance of an average American being the victim of a violent crime is about 16 in 1000. There also are wolves; those who have a capacity for violence and no empathy for their fellow citizens who prey on sheep; and finally, there are sheepdogs, those citizens who have a capacity for violence but with a deep love for their fellow citizens who can confront the wolf and protect the flock.
In my last blog, I asked, “what if teachers were able to either protect their students, or safely lead them out of the building?” What if teachers, or anyone else with the right mentality were trained to be effective sheepdogs? What if a sheepdog could dispatch the wolf before any sheep were harmed?
As I said, there are people who are passionate on both sides of of this topic, and the topic of this blog is guns. Not only guns, but carrying a concealed handgun. Many people see guns as evil whether they they are being carried by a wolf to victimize someone, or by a sheepdog to defend his or her flock. Dr. Jeff Ferguson helped 50 people escape from a gunman who entered a medical building in an attempt to take hostages. When the dust settled, only the gunman was injured. This is just one example of a sheepdog protecting his flock. Would there have been fewer victims if one or more teachers at Columbine High School were trained sheepdogs equipped with their own guns?
The federal government understands how valuable trained and armed citizens can be. After September 11, the Federal Flight Deck Officer (FFDO) program was established to train eligible flight crew members on the use of firearms, use of force, legal issues, defensive tactics, the psychology of survival and program standard operating procedures. These sheepdogs are authorized to use firearms to defend against an act of criminal violence or air piracy attempting to gain control of an aircraft.
40 states have laws that require the issuance of concealed carry (CCW) permits to any eligible citizen. Eligibility varies, but in my opinion, only people who have the appropriate mindset and training should carry a weapon, both to protect themselves and others—and next time I’ll talk about the mindset and training that a sheepdog should have before they even think about carrying a concealed handgun.
Unless I quote someone else, these are my opinions and I am not speaking for any organization, including those that I am employed by or a member of.
Many active shooter situations seem to happen in schools and the traditional response is a lockdown. Teachers pack their students into classrooms and wait for further instructions from administrators. Some schools are adding lock down drills to their fire, and earthquake training.
But is a lockdown the best way to protect students from an active shooter inside the building? E. Brian Normandy, the Director of Training & Chief Instructor at Jackson Arms Shooting Range & Training Facility near San Francisco, thinks that it is not.
Normandy believes that students should evacuate and scatter so that they don’t become easy targets for a gunman intent on killing as many students as possible and he has trained his teenage children to pick up the closest heavy object, break a window, get the heck out, and deal with the consequences later.
Do you really want kindergarten through 6th graders scattering to the winds to get away from an active shooter? Well, maybe sixth graders. It really depends on how old and how responsible your children are whether or not they should stay put or try to evacuate.
If you have young students, then a lockdown that follows these guidelines might be the best approach, but Lt. Joe Hendry, an administrative lieutenant at Kent State University, has other ideas for you, like not herding all of your students into one corner where they become easy targets, but having them hide in different locations around the room. Others say that large pads with fluorescent markers can be used to make notes to show to emergency reponders outside.
But what if teachers were able to either protect their students, or safely lead them out of the building? What else can higher education and businesses do to protect their employees from an active shooter inside the building? Next time I’ll talk about Lt. Col. Dave Grossman’s take on sheep, sheepdogs, and wolves.