Showing posts with label Cyber Security. Show all posts

February 3, 2012

Online Presence, Your Calling Card

In the age when Facebook has surpassed 800 million users, I still often hear people say that they don't like to join social networks or put any information about themselves on the Internet. 

Whether or not their apprehensions about their privacy being compromised are justified, or whether they feel that "it's simply a waste of time" or that they "just don't get it," the impetus for all of us to establish and nurture our online presence is getting more important than ever.

In the competition for the best jobs, schools, even mates, and other opportunities, our online credentials are becoming key.

We've heard previously about employers checking candidates' backgrounds on the Internet and even bypassing candidates or firing employees for their activities online.

Numerous examples of people badmouthing their companies or bosses have been profiled in the media and even some politicians have been forced out of office--remember "Weinergate" not too long ago?

Now, not only can negative activities online get you in trouble, but positive presence and contributions can get you ahead.

The Wall Street Journal (24 January 2012) reports in an article titled No More Resumes, Say Some Firms that companies are not only checking up on people online, but they are actually asking "applicants to send links representing their web presence" in lieu of resumes altogether. 

What are they looking for?

- Twitter Accounts
- Blogs
- Short Videos
- Online Surveys/Challenges


The idea is that you can learn a lot more about someone--how they think and what they are like--from their history online than from a resume snapshot.

Of course, many companies still rely on the resume to screen applicants, but even then LinkedIn with over 135 million members is sometimes the first stop for recruiters looking for applicants.

Is everything you do and say online appropriate or "fair game" for people screening, or is this going over some sacred line that says that we all have professional lives and personal lives and what we do "when we're off the clock" (as long as you're not breaking any laws or doing something unethical) is no one's darn business?

The problem is that when you post something online--publicly--for the world to see, can you really blame someone for looking?  

In the end, we have to be responsible for what we disclose about ourselves and demonstrate prudence, maturity, respect, and diplomacy; perhaps that itself is a valid area for others to take into account when they are making judgments about us.

When it comes to children--parents beware; the Internet has a long memory and Facebook now has a "timeline", so don't assume everyone will be as understanding or forgiving for "letting kids be kids."

One last thought: even if we are responsible online, what happens when others--such as hackers, identity thieves, slanderers, and those with grudges--mess with your online identity? Can you ever really be secure?

Being online is no longer an option, but it is certainly a double-edged sword. 

(Source Photo: here; Image credit to L Hollis Photography)


January 30, 2012

SCADA Beware!




In case you thought hacking of our critical infrastructure and SCADA systems only happens in the movies, like with Bruce Willis in Live Free or Die Hard, watch these unbelievable videos of what Max Corne seemingly does to the energy, maritime infrastructure, and highway transportation systems.


Max apparently is able to turn off (and on) the lights in entire office towers--one and then another, control a drawbridge (up and down)--and has people and cars waiting and backed up, and even changes traffic signals--from speeds of 50 to 5 as well as the message boards to motorists.

While I understand some have questioned the validity of these videos and have called them hoaxes, the point that I come away with is not so much whether this guy is or is not actually hacking into these computer and control systems as much as that the people and organizations with the right skills could do these things.


And rest assured that there are those out there that can perform these hack attacks--reference the Stuxnet worm that attacks Siemens industrial control systems such as those used in the nuclear industry (June 2010).


I also heard a story that I don't know whether it is true or not, about how a cyber expert personally dealt with a very loud and unruly neighbor who was playing Xbox 360 at 3 AM and keeping him awake. So the cyber expert simply hacked into his neighbor's Xbox game over the Internet and set off a program that whenever his neighbor tried to play it, a timer would automatically turn the Xbox back off again (neighbor turns it on again, hack turns it off again....), until at one point, the cyber expert heard the neighbor pick something up (presumably the Xbox) and throw it against the wall. 


In this story, the damage was limited; in other cases, as the Max Corne videos demonstrate (in terms of the realm of the possible), when hackers attack our critical infrastructure and control systems, the results can truly be life threatening, majorly disruptive, and can cause widespread chaos.


Every day, there are digital natives (in terms of their advanced computer skills) that are proving what they can do to bypass our firewalls, antivirus protection, intrusion detection systems, and more.


In the case of the hack attack on the Xbox, that was the end of the problem for the loud-playing neighbor keeping this other guy up at night, but in general, the unbelievable ability of some hackers to break into major systems, manipulate control systems, and disrupt critical infrastructure is certainly no game, no laughing matter, and something that should keep us up at night (Xbox playing or not).


The takeaway is that rather than demonize and discourage those who have the skills to figure this "stuff" out, we should actually encourage them to become the best white hat hackers they can be with it, and then recruit them into "ethical hacking" positions, so that they work for the good guys to defeat those who would do us all harm. 


January 27, 2012

Cyber War - The Art of The Doable

CBS 60 Minutes had a great episode this past June called Cyber War: Sabotaging The System.

The host Steve Kroft lays the groundwork when he describes information or cyber warfare as computers and the Internet being used as weapons and says that "the next big war is less likely to begin with a bang than with a blackout."

This news segment was hosted with amazing folks like Retired Admiral Mike McConnell (former Director of National Intelligence), Special Agent Sean Henry (Assistant Director of the FBI's Cyber Division), Jim Gosler (Founding Director of CIA's Clandestine Information Technology Office), and Jim Lewis (Director, Center for Strategic and International Studies).  

For those who think that cyber war is a virtual fantasy and that we are safe in cyberspace, it's high time that we think again.  

Here are some highlights:

- When Retired Admiral McConnell is asked "Do you believe our adversaries have the capability of bringing down a power grid?"  McConnell responds "I do." And when asked if the U.S. is prepared for such an attack, McConnell responds, "No."

- Jim Gosler describes how microchips made abroad are susceptible to tampering and could "alter the functionality" of let's say a nuclear weapon that needed to go operational, as well as how they "found microelectronics and electronics embedded in applications that shouldn't be there." 

- Special Agent Henry talks about how thieves were able to steal more than $100 million from banks in less than half a year, not by holdups but through hacking.

- Jim Lewis tells of the "electronic Pearl Harbor" that happened to us back in 2007, when terabytes of information were downloaded/stolen from our major government agencies--"so we probably lost the equivalent of a Library of Congress worth of government information" that year and "we don't know who it is" who broke in.  

The point is that our computers and communications and all the critical infrastructure that they support--including our defense, energy, water, transportation, banking, and more are all vulnerable to potentially lengthy disruption.

What seems most difficult for people to grasp is that the bits and bytes of cyberspace are not just ephemeral things, but that they have real impact on our physical universe.

Jim Lewis says that "it doesn't seem to be sinking in. And some of us call it 'the death of a thousand cuts.' Every day a little bit more of our intellectual property, our innovative skills, our military technology is stolen by somebody. And it's like little drops.  Eventually we'll drown. But every day we don't notice."

Our computer systems are vulnerable and they control virtually all facets of our lives, and if the enemy strikes at our cyber heart, it is going to hurt more than most of us realize.

We are taking steps with cyber security, but we need to quickly shift from a reactive stance (watching and warning) to a proactive posture (of prevention and protection) and make cyber warfare a true national priority.

December 9, 2011

Losing The Edge, No More

For years, there has been all sorts of uproar about the U.S. and its citizens and businesses losing their edge.

Critics point out how our educational system (especially through high school) is not keeping up, how we are not attracting and graduating enough folks in science, technology, engineering, and math (STEM), how our inventions are freely copied overseas, and how innovation and entrepreneurship are suffering at home, whether due to challenging economic or social conditions.

Yet, when it comes to losing our edge, nothing is more maddening than when the technological advances we do have are taken from us--this happens in numerous ways, including:

- Cyber Attacks: According to the Pentagon Strategy on Cyberwar as per the Wall Street Journal (15 July 2011) "each year a volume of intellectual property the size of the Library of Congress is stolen from U.S. government and private-sector networks." Cyber espionage has affected a broad range of our prized national assets: from Space Shuttle designs to the Joint U.S. Defense Strategy with South Korea as well as the plans for the F-35 Joint Strike Fighter and more. Moreover and unfortunately, this is only the tip of the iceberg. For example, this past August, McAfee disclosed a cyber spying operation dubbed Operation Shady Rat that infiltrated some 71 government and corporate entities of which 49 were in the U.S. and which included more than a dozen defense firms over five years, compromising a massive amount of information.

- Spies/Insider Threats: Spies and insider threats can turn over state secrets to foreign powers or entities causing a major loss to our competitive advantage. This has happened with convicted spies from Aldrich Ames to FBI agent Robert Hanssen, and more recently to Army Corporal Bradley Manning accused of turning over troves of restricted documents to WikiLeaks. And despite the amazing efforts to catch these subversives, presumably, there are plenty more where they came from.

- Expropriations: We lose our edge to foreign nations and organizations when our high-technology or intellectual assets are used without our consent or otherwise seized and compromised. This can happen from having our copyrights trampled on, our designs simply copied and "knockoffs" produced and peddled, or even when we are in a sense forced to exchange our intellectual property for basic entry into foreign markets. But this also happens more explicitly and violently when our assets are literally taken from us. For example, this happened in April 2001, when Chinese fighter jets intercepted (in international air space) and crashed a U.S. EP-3 reconnaissance plane and didn't return it until July in disassembled pieces. Similarly, the tail of the stealth-modified MH-60 Black Hawk helicopter, with sensitive military technology, used in the raid on Osama bin Laden was recovered and held by Pakistan for weeks before it was returned to the U.S. And we saw this again this week when the Iranians showed off a prized RQ-170 Sentinel stealth drone they have now seized, and whose secrets presumably may end up in Russian, Chinese, or ultimately terrorist hands.

Developing an edge is not something we should take lightly or for granted--it is based on lots of talent, experience, and hard work and we do not have an exclusive hold on any of these.

We must prize our scientific and technological advances and secure these the way a mother protects its young--fiercely and without compromise.

No matter how much or fast we churn out the advances, it will not matter if we do not safeguard our investments from those who would take it right out from under us. We can do this by significantly increasing investment in cyber security, strengthening counterespionage efforts, and not letting any nation or organization take something that doesn't belong to them without consequences--economic or military--that restore our edge and then some.


November 3, 2011

Cloud, Not A Slam Dunk


Interesting article in Nextgov about the deep skepticism of cloud computing by the Corporate IT Pros.

The vast majority of IT practitioners questioned did not "believe so-called infrastructure-as-a-service providers protect e-mail, documents and other business data."

So while many business people think that Cloud Computing is more or less safe, the IT community is not so sure.

Of 1,018 professionals surveyed (of which about 60% were from IT)--only 1/3 of the IT professionals thought the cloud was secure versus 50% of the business compliance supervisors.

Cloud is not a slam dunk and we need to evaluate every implementation very carefully.


October 20, 2011

Be Careful What You Point That At

By now many of you may or may not have pointed your smartphones at a QR ("Quick Response") code to get more information on products, places, events, and so forth.

A QR code is a barcode that generally contains alphanumeric information and takes you to a website when you read the QR code with your smartphone (i.e. by taking a picture of it with a QR reader app).

QR codes remind me of the barcodes in the store at the checkout line, but QR codes look more like a squared-off Rorschach test compared to the barcodes on items you purchase, which are rectangular straight lines from top to bottom.

By reading the QR code, you don't have to remember or type any information into your smartphone--you're just zipped right off to wherever the QR points you (usually after you confirm on the screen that you are okay with going to the URL).

But QR codes, like any information technology, can be used for good or evil -- for some reason though people seem to have been unsuspecting of the sort of innocuous-looking QRs.

Kaspersky Lab has issued a warning on QR codes after finding consumers in Russia scammed when they thought they were downloading an Android app and were instead infected with malware that caused them to send SMS messages to a premium number that charged for each message sent.

So while QR codes can take a reader to a harmless website for information, like other computer code, they can contain instructions that cause you to send email, SMS messages, download applications, etc.

So unless you know what you are QR reading (i.e. you have a high-degree of confidence in whoever placed the advertisement with the QR code)--think twice before scanning that barcode, because you may get a surprise package in your smartphone that you weren't expecting causing infection of your device, loss of privacy to the information stored on it, or costing you money for things you never wanted or intended to spend on.

Scanning a QR code, while as simple as taking a picture of a sunset, may not have as beautiful consequences.
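
One way a reader app could preview what a scanned code will do before acting on it, as an added example that is not from the original post. The function name, warning strings and sample payloads are constructed for illustration, and the short-number check is a heuristic assumption, not a carrier lookup.

```python
import ipaddress
from urllib.parse import urlsplit, unquote


def classify_qr_payload(text):
    """Describe what a reader app would do with a decoded QR string.

    Returns {"action", "target", "warnings"} so the user can confirm first.
    """
    payload = text.strip()
    scheme, sep, rest = payload.partition(":")
    scheme = scheme.lower() if sep else ""
    warnings = []

    def result(action, target):
        return {"action": action, "target": target, "warnings": warnings}

    if scheme in ("sms", "smsto"):
        if scheme == "smsto":                          # SMSTO:number:message
            number, _, body = rest.partition(":")
        else:                                          # sms:number?body=message
            number, _, query = rest.partition("?")
            body = unquote(query.partition("body=")[2])
        if body:
            warnings.append("message text is pre-filled")
        if len(number.lstrip("+")) <= 6:               # heuristic only
            warnings.append("short code: may be a premium-rate number")
        return result("compose_sms", number)

    if scheme in ("http", "https"):
        parts = urlsplit(payload)
        host = parts.hostname or ""
        if scheme == "http":
            warnings.append("not HTTPS")
        if "@" in parts.netloc:
            warnings.append("userinfo in URL can disguise the real host")
        try:
            ipaddress.ip_address(host)
            warnings.append("raw IP address instead of a domain name")
        except ValueError:
            pass
        if any(label.startswith("xn--") for label in host.split(".")):
            warnings.append("punycode (internationalised) host name")
        if parts.path.lower().endswith(".apk"):
            warnings.append("direct Android package download outside an app store")
            return result("download_app", payload)
        return result("open_url", payload)

    simple = {"tel": "dial", "mailto": "compose_email", "matmsg": "compose_email",
              "market": "open_app_store", "wifi": "join_wifi", "geo": "open_map"}
    if scheme in simple:
        return result(simple[scheme], rest)
    return result("show_text", payload)


# Constructed sample payloads (not taken from any real campaign).
SAMPLES = [
    "https://example.org/menu",
    "http://203.0.113.7/app.apk",
    "SMSTO:7781:INSTALL",
    "sms:+15550100?body=hello%20there",
    "Table 12",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", classify_qr_payload(sample))
```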


October 14, 2011

EMP Cybergeddon

Electromagnetic Pulses (EMPs) are the weapons of choice against electronics of all sorts, including cyber.

The Economist (15 October 2011) in an article called Frying Tonight describes how "warfare is changing as weapons that destroy electronics, not people, are deployed on the field of battle."

Here is a brief summary:

During the Cold War, the notion was to explode an atom bomb high in the atmosphere (i.e. a High-Altitude EMP or HEMP) "to burn out an enemy's electrical grid, telephone network, and possibly even the wiring of his motor vehicles."

Today, that principle is being applied in smaller weapons using microwaves--from powerful batteries or reactive chemicals that generate high-energy radio frequencies.

By zapping electronics, EMPs can take down enemy missiles, destroy command, control, and communications capability, and stop in their tracks everything from enemy tanks to planes and speed boats.

EMP weapons are already being deployed:

- Fighter planes are being developed with EMP capabilities using the active electronically scanned array (AESA) as defensive weapons against air-to-air and surface-to-air missiles, while other planes (like the "Growler") are being outfitted with offensive EMP capabilities.

- Ships too are being armed with EMP guns to defend against high-speed boat "swarms" or to defend against pirates.

- Land vehicles will be armed with EMP cannons such as the Radio-Frequency Vehicle Stopper that can stall enemy vehicles' engines or the Active Denial System used as a heat-ray to disperse crowds.

At the same time, defenses against EMPs are being deployed, such as Faraday cages--which are enclosures of conducting material, often in a mesh pattern, that protect electrical equipment from getting fried.

What is important to note though is that EMPs are not just battlefield weapons--they can take out our everyday electrical and cyber systems.

A Congressional Research Service (CRS) Report to Congress (21 July 2008) called High Altitude Electromagnetic Pulse (HEMP) and High Power Microwave (HPM) Devices: Threat Assessments states "Several nations, including sponsors of terrorism, may currently have a capability to use EMP as a weapon for cyber warfare or cyber terrorism to disrupt communications and other parts of the U.S. critical infrastructure."

The EMP Commission reported that EMP "creates the possibility of long-term, catastrophic consequences for national security."

One of the major concerns is the "cascading effects" that a loss of electrical infrastructure would cause in terms of people being unable to obtain basic life necessities, with the result that "many people may ultimately die."

The report finds EMP weapons to be an "attractive asymmetric option" for our adversaries, and that analysts find that "it could possibly take years for the United States to recover fully from the resulting widespread damage."

Therefore, it is critical that we increase our cyber security capabilities not only in terms of fighting conventional malware attacks from within the cyber realm, but we must be thinking in earnest about energy weapons directed at us from without.

We must continue to harden our defenses, invest in new technologies and countermeasures to thwart the enemy, develop punishing offensive capabilities, as well as prepare for the possibility of a strike against our homeland.

Although called "human-safe" (and aside from the traditional weapons of mass destruction), EMPs may be actually one of the most devastating weapons of all to a society dependent on technology.


October 13, 2011

Increase Security On Your Google Account

After reading the article Hacked! in The Atlantic (November 2011), I looked into Google's new security feature called 2-Step Verification (a.k.a. Two Factor Authentication).

This new extra layer of security--adding "something you have" to "something you know"--to your sign in credentials helps to better protect you and your information in Google (i.e. in the Google cloud), including your emails, documents, and applications.

While it is a little extra work to log in to Google--you have to type in a verification code that Google sends or calls to your phone (this is the something you have)--it provides an extra layer of defense against hackers, criminals, and identity thieves.

To protect your Smartphone, Google provides "Application-specific passwords" that you generate from the 2-Step Verification screen and then you enter those into the specific iPhone, Droid, or Blackberry device.

You can sign up for 2-Step Verification from your Google Account Settings page and help protect yourself, your information, and your privacy.

In the future, I hope that Google (and other cloud vendors) will improve on this and use biometrics, to add "something you are," to the authentication process and make this even sleeker and more secure yet.

Stay safe out there! ;-)


September 9, 2011

Visualizing IT Security


I thought this infographic on the "8 Levels of IT Security" was worth sharing.

While I don't see each of these as completely distinct, I believe they are all important aspects of enterprise security, as follows:

1) Risk Management - With limited resources, we've got to identify and manage the high probability, high impact risks first and foremost.

2) Security Policy - The security policy sets forth the guidelines for what IT security is and what is considered acceptable and unacceptable user behavior.

3) Logging, Monitoring, and Reporting - This is the eyes, ears, and mouth of the organization in terms of watching over its security posture.

4) Virtual Perimeter - This provides for the remote authentication of users into the organization's IT domain.

5) Environment and Physical - This addresses the physical protection of IT assets.

6) Platform Security - This provides for the hardening of specific IT systems around aspects of its hardware, software, and connectivity.

7) Information Assurance - This ensures adequate countermeasures are in place to protect the confidentiality, integrity, availability, and privacy of the information.

8) Identification and Access Management - This prevents unauthorized users from getting to information they are not supposed to.

Overall, this IT security infographic is interesting to me, because it's an attempt to capture the various dimensions of the important topic of cyber security in a straightforward, visual presentation.

However, I think an even better presentation of IT security would be using the "defense-in-depth" visualization with concentric circles or something similar showing how IT security products, tools, policies, and procedures are used to secure the enterprise at every level of its vulnerability.

IT security is not just a checklist of do's and don'ts, but rather it is based on a truly well-designed and comprehensive security architecture and its meticulous implementation for protecting our information assets.

Does anyone else have any other really good visualizations on cyber security?


August 20, 2011

Cloud Second, Security First

Leadership is not about moving forward despite any and all costs, but about addressing issues head on.

Cloud computing holds tremendous promise for efficiency and cost-savings at a time when these issues are front and center of a national debate on our deficit of $14 trillion and growing.

Yet some prominent IT leaders have sought to downplay security concerns calling them "amplified...to preserve the status quo." (ComputerWorld, 8 August 2011)

Interestingly, this statement appeared in the press the same week that McAfee reported Operation Shady RAT--"the hacking of more than 70 corporations and government organizations," 49 of which were in the U.S., and included a dozen defense firms. (Washington Post, 2 August 2011)

The cyber spying took place over a period of 5 years and "led to a massive loss of information." (Fox News, 4 August 2011)

Moreover, this cyber security tragedy stands not alone, but atop a long list that recently includes prominent organizations in the IT community, such as Google that last year had its networks broken into and valuable source code stolen, and EMC's RSA division this year that had their SecurID computer tokens compromised.

Perhaps, we should pay greater heed to our leading cyber security expert who just this last March stated: "our adversaries in cyberspace are highly capable. Our defenses--across dot-mil and the defense industrial base (DIB) are not." (NSA Director and head of Cyber Command General Keith Alexander).

We need to press forward with cloud computing, but be ever careful about protecting our critical infrastructure along the way.

One of the great things about our nation is our ability to share viewpoints, discuss and debate them, and use all information to improve decision-making along the way. We should never close our eyes to the threats on the ground.


July 23, 2011

Getting To Swift Cyber Justice


The first Department of Defense Strategy for Operating in Cyberspace is out (July 2011).

Of course, like the plans that came before (e.g. Cyberspace Policy Review), it emphasizes the imperative for cyberspace protection. Some highlights:

  • "DoD is particularly concerned with three areas of potential adversarial activity: theft or exploitation of data; disruption or denial or service of access or service..., and the destructive action--including corruption, manipulation, or direct activity that threatens to destroy or degrade network or connected systems."
  • "Cyber threats to U.S. national security go well beyond military targets and affects all aspects of society. Hackers and foreign governments are increasingly able to launch sophisticated intrusions into the networks and systems that control civilian infrastructure."
  • "Every year, an amount of intellectual property larger than that contained in the Library of Congress is stolen from networks maintained by U.S. businesses, universities, and government departments and agencies."

The strategies for cyberspace protection in the DoD plan include treating cyberspace as an operational domain; innovation; partnership; and so on. But we need to leverage our strengths even more.

As the Wall Street Journal pointed out on 15 July 2011: "The plan as described fails to engage on the hard issues, such as offense and attribution." If we can't even identify who's attacking us, and fight back with precision, then we're flailing.

Some may express the concern that we would have all-out war by attacking those who attack us. However, what is the alternative besides confronting our aggressors?

The concept of operations is straightforward: Any computer device that is used to attack us, would immediately be blocked and countered with equivalent or greater force and taken out of play.

This would mean that we are able to get past cyber-bot armies to the root computers that are initiating and controlling them, and deal with them decisively. This would hold regardless of the source of the attack--individual or nation-state.

The DoD plan acknowledges our own unpreparedness: "Our reliance on cyberspace stands in stark contrast to the inadequacy of our cybersecurity."

As in the Cold War, there must be no doubt with Cyber Warfare (as with nuclear) of our ability to inflict devastating second-strike or preemptive attacks with deadly precision.

Until we have unambiguous hunter-killer capability to identify and locate perpetrators of cyber attacks against us and the ability to impose swift justice, we are at the mercy of our aggressors.

We can only have peace in cyberspace when we have the strength to stand up and defend it.

Now we must move with cyber speed to build this capability and stand ready to execute our defenses.

Admiral Mike Mullen was quoted this week (18 July 2011) in Federal Times as saying: "The single biggest existential threat that's out there is cyber...It's a space that has no boundaries. It has no rules."

We must become even better--much better!


June 19, 2011

Crashing The Internet--Are We Prepared?


Almost week after week, I read and hear about the dangers of cyber attacks and whether "the big one" is coming.

The big one is what some experts have called a pending "digital Pearl Harbor."

Just last week, the Federal Times (13 June 2011) wrote that the "U.S. government computer networks are attacked about 1.8 billion times per month."


The Center for New American Security (CNAS) states that deterring and preventing cyber attacks will require "stronger and more proactive leadership."

Charles Dodd, a cyber security consultant in D.C., warns that "You've bought a stick to a gunfight, and you're arrogant about your capabilities."

So the question is--are we really paying attention to and being realistic about the probability and magnitude of the impact of the cyber threat out there?

Certainly, with so much critical infrastructure--from government, military, and private industry--dependent on the Internet, the effects of a concerted or prolonged cyber attack on our country would be devastating as documented most recently in The Lipman Report (October 2010) on "Threats to the Information Highway: Cyber Warfare, Cyber Terrorism, and Cyber Crime" as follows:

--"There is a great concern regarding the types of destructive attacks that are already occurring, but an even greater concern for the unknown that is yet to happen but is almost certainly even now in development. Cyberspace touches nearly every part of our daily lives."

It is in this regard that I read with serious concern today in ID Magazine (August 2011) that the University of Minnesota has "demonstrated in a simulation how an attack with a large botnet (a network of remotely-controlled PCs) could shut down the Internet."

And it took only 20 minutes to trigger the chain reaction in which "manipulated routers overloaded all other Internet routers worldwide...mak[ing] it impossible for Internet address to be found."
Granted it would take around 250,000 computers to carry out such an attack, but with the billions of people online with computer devices of all sorts...that does not seem like an inordinate amount to press forward with for a coordinated attack.

So the Internet in theory can be crashed!

Just think for a moment about how that would impact you and what you do every day...would anything be the same? Could we even function normally anymore?

As we move more and more of our applications, data, and infrastructure online to the cloud, we need to consider what additional risks this brings to the individual, the organization, and the nation and how we can respond and recover should something happen to the Internet.

In the Federal government there are many agencies, commands, task forces, and groups working to secure the Internet, and at the same time, there are separate efforts to modernize and reform IT and reduce unnecessary expenditures, so what we need to do is better integrate the drive to the cloud with the urgency of securing our data, so that these efforts are strong and unified.
This is one of the things that I was trying to achieve when I created the CIO Support Services Framework in synthesizing the functions of IT Security with the other strategic CIO functions for Enterprise Architecture, IT Investment Management, Project Management, Customer Relationship Management, and Performance Management.

If the Internet can indeed be crashed, we had all better be prepared and make the right IT investment decisions now, so that we won't be sorry later.
(All opinions are my own)

(Source Photo: Heritage and History.com)


January 27, 2011

Safeguard Your Location

Nice presentation by the Army called "Geotags and Location-based Social Networking."

It offers important information on the potential dangers of leaving on Global Positioning System (GPS) services on electronic devices (such as smartphones and cameras) and using location-based social networking services.

- "Geotagging is the process of adding geographical identification to photographs, videos, websites, and SMS messages. It is the equivalent of adding a 10-digit coordinate to everything you post on the Internet."
- "Location-based social networking applications focus on 'checking-in' at various locations to earn points, badges, discounts" and even become mayor for the day.

Exposing your location is not only dangerous if you're in the military and engaged on an operation. But rather, for all of us, broadcasting location and patterns of movement can be detrimental to personal privacy and security.

As the geotagging safety presentation advises, consider when (and when not) to:

  1. Turn off the GPS on devices such as smartphones and cameras.
  2. Keep geocoded photos offline from the Internet (e.g. Flickr, Picasa, etc.)
  3. Avoid use of location-based social networking services (e.g. FourSquare, Facebook Places, Gowalla, SCVNGR, etc.)

Sharing information--including where you are, were and are going--with family, friends, and colleagues can be a healthy and fun interchange; but sharing that information with "the wrong" people can leave you exposed and sorry.

Think twice--think about your privacy and security.


January 22, 2011

When My Friend Got Hacked

True story.

So an old friend of mine had his account hacked on Facebook.

And the hacker is sending chat messages to my friend’s Facebook contacts—like me—pretending to be him—with his picture and name and all his online information.

He says that he is stuck in London, just got mugged—at gunpoint—losing his money and phone and needs my help.

At first, I’m thinking oh crap; my friend is in trouble and needs me. Then, I’m like wait a second, he’s pulling my leg. So I ask “are you joking?”

The hacker—pretending to be my friend—continues how it was such a terrible experience, but thank G-d they are still alive.

I’m on the other end of this chat—and questioning now if this person is really who they say they are—despite the REAL picture and profile.

I ask who are you with?

The hacker replies with the name of my friend’s wife. Her real name!

And the hacker continues with the mugging story and how they are leaving in a few hours for their return flight to the States, but need help.

Ok, I am happy to help my friends, but I want to know this is really my friend. Behind the scenes, I am contacting other mutual friends, family and so on to verify this story and resolve this.

On the chat, I ask—can you tell me something that only the two of us would know?

The hacker starts flipping out and gives me "?!?!?!...."

I repeat my question and ask if the hacker understands.

The hacker responds that they do.

And then ignoring my questioning, proceeds with the storyline asking me to wire money and that it will be okay, because they will need identification to retrieve the wire.

Now I ignore the hacker’s request and go back to my question about who this person on the other end of the chat really is?

No response.

"U there?"

Hacker is offline...for now.



March 6, 2010

Overcoming the Obstacles to Cyber Security

There continues to be a significant shortfall in our cyber security capabilities, and this is something that needs our determined efforts to rectify.

Often I hear a refrain from IT specialists that we can’t wait with security until the end of a project, but rather we need to “bake it into it” from the beginning. And while this is good advice, it is not enough to address the second-class status that we hold for IT security versus other IT disciplines such as applications development or IT infrastructure provision. Cyber Security must be elevated to safeguard our national security interests.

Here are some recent statements from some of our most respected leaders in our defense establishment demonstrating the dire straits of our IT security posture:

- “We’re the most vulnerable, we’re the most connected, we have the most to lose, so if we went to war today in a cyber war, we would lose.” - Retired Vice Admiral Mike Mullen (Federal Computer Week 24 February 2010)

- The United States is "under cyber-attack virtually all the time, every day” - Defense Secretary Robert Gates (CBS, 21 April 2009)

- “The globally-interconnected digital information and communications infrastructure known as “cyberspace” underpins almost every facet of modern society and provides critical support for the U.S. economy, civil infrastructure, public safety, and national security. This technology has transformed the global economy and connected people in ways never imagined. Yet, cybersecurity risks pose some of the most serious economic and national security challenges of the 21st Century.” (White House CyberSpace Policy Review, 2009)

Further, the number of attacks is increasing; for example, SC Magazine 20 November 2009 reported that the number of cyber attacks against the Department of Defense was increasing year-over-year 2009 to 2008 by some 60%!

And the penetration of our critical systems spans our industrial, civilian, and defense establishment and even crosses international boundaries. Most recently reported, these included the following:

- F-35 Joint Strike Fighter $300B program at Lockheed Martin,

- The Space Shuttle designs at NASA

- The joint U.S. South Korean defense strategy

- The Predator feeds from Iraq and Afghanistan and more.

Thankfully, these events have not translated down en masse and with great pain to the individuals in the public domain. However this is a double-edged sword, because on one hand, as citizens we are not yet really “feeling the pain” from these cyber attacks. On the other hand, the issue is not taking center stage to prevent further and future damage.

This past week, I had the honor to hear Mr. James Gossler, a security expert from Sandia National Labs speak about the significant cyber security threats that we face at MeriTalk Innovation Nation 2010 on the Edge Computing panel that I was moderating.

For example, Mr. Gossler spoke about how our adversaries were circumventing our efforts to secure our critical cyber security infrastructure by being adept and agile at:

- Playing strength to weakness

- Developing surprising partners (in crime/terror)

- Changing the rules (“of the game”)

- Attacking against our defenses that are “naïve or challenged”

In short, Mr. Gossler stated that “the current state-of-the-art in information assurance [today] is significantly outmatched” by our adversaries.

And with all the capabilities that we have riding on and depending on the Internet nowadays, from financial services to health and transportation to defense, we do not want to be outgunned by cyber criminals, terrorists, or hostile nation states threatening and acting in ways to send us back to the proverbial “stone-age.”

Unfortunately, as a nation we are not moving quickly enough to address these concerns as retired Navy vice admiral Mike McConnell was quoted in Federal Computer Week: “We’re not going to do what we need to do; we’re going to have a catastrophic event [and] the government’s role is going to change dramatically and then we’re going to go to a new infrastructure.”

Why wait for a cyber Pearl Harbor to act? We stand forewarned by our experts, so let us act now as a nation to defend cyber space as a free and safe domain for us to live and thrive in.

There are a number of critical obstacles that we need to overcome:

1) Culture of CYA—we wait for disaster, because no one wants to come out first—it’s too difficult to justify.

2) Security is seen as an impediment, rather than a facilitator—security is often viewed by some as annoying and expensive with an undefined payback, and that it “gets in our way” of delivering for our customers, rather than as a necessity for our system to work.

3) We’ve become immune from being in a state of perpetual bombardment—similar to after 9-11, we tire as human beings of living in a state of fear and maintaining a constant state of vigilance.

Moreover, to increase our cyber security capabilities, we need to elevate the role of cyber security by increasing our commitment to it, funding for it, staffing of it, training in it, tools to support it, and establishing aggressive, but achievable goals to advance our capabilities and conducting ongoing performance measurement on our initiatives to drive results.



December 19, 2009

How $26 Can Buy You A Billion-Dollar Surveillance System

If $26 software can give our enemies on the ground access to our drone feeds and cyber warfare can inflict indefinite havoc on our critical infrastructure, we need to rethink what technological superiority means and how we keep it.

No defense system is foolproof. That’s why we build redundancy into the system and layer our defenses with “defense in depth,” so that just because the enemy infiltrates one layer, doesn’t mean that our defenses are laid bare.

When in fact, we become aware that our systems have been compromised, it is only responsible for us to re-secure them, bolster them with additional defenses, or take those systems out of commission.

It was shocking to learn this week in multiple reports in the Wall Street Journal that our UAV drones and their surveillance systems that have been so critical in our fight against terror in Iraq and Afghanistan were compromised, and the feeds intercepted by $25.95 software sold over the Internet. These feeds were found on the laptops of the very militants we were fighting against. Reportedly, we knew about this vulnerability ever since the war in Bosnia.

It is incredible to imagine our massive multi-billion dollar defense investments and technological know-how being upended by some commercial-off-the-shelf software bought online for the price of a family dinner at McDonald's. But what makes it even worse is that we knew for nearly two decades that the enemy had compromised our systems, yet we did not fix the problem.

A number of reasons have been circulated about why the necessary encryption was not added to the drones, as follows:

- It would have resulted in an increase in cost to the development and deployment of the systems.

- There would be a detriment to our being able to quickly share surveillance information within the U.S. military and with allies.

- There was immediate battlefield need for the drones because of the immediate concern about roadside bombs and therefore there was apparently no time to address this issue.

Based on the above, one may possibly be able to understand why the Joint Chiefs “largely dismissed” the need to repair the drones’ security flaw. However, it also seems that they were overconfident. For any “Are You Smarter Than A Fifth Grader” contestant can tell you that if the enemy can see and hear what we see and hear, then they can take action to subvert our military and intelligence resources, and the critical element of surprise is gone—the mission is compromised.

Of course as civilians we are not privy to all the information that our leaders have. And one can say that if all you have are compromised drones, then those are what you must use. Nevertheless, officials interviewed by the Journal point to the hubris that influenced the decision in this situation – as the report states:

“The Pentagon assumed that local adversaries [in Iraq and Afghanistan] wouldn’t know how to exploit” the vulnerability. So, the result was that we kept building and deploying the same vulnerable systems, over a long period of time!

This is not the first time that we have both been overconfident in our technological superiority and underestimated competitors and opponents in foreign countries—with disastrous results. There are the human tragedies of Pearl Harbor and 9/11, to name just two. And then there are the economic challenges of global competition, such as in the automobile industry and overseas manufacturing in general.

And if some terrorist cells on the run can so clearly compromise our technical know-how, shouldn’t we be even more concerned about established nations who are well financed and determined to undermine our security? For example, just this week, a group calling itself the “Iranian Cyber Army” hacked and defaced Twitter and we were helpless to prevent it. Also noteworthy is that this same week, it was reported that our defense plans with respect to South Korea, including operational details, were hacked into and stolen by North Korea.

Unfortunately, however, we do not even seem to take threats from other nations as seriously as we should: As the Journal reported, “senior U.S. military officers working for the Joint Chiefs of Staff discussed the danger of Russia and China intercepting and doctoring video from the drone aircraft in 2004, but the Pentagon didn’t begin securing signals until this year.”

I am deeply respectful of our military and the men and women who put their lives on the line for our nation. It is because of that deep respect that I reach out with concern about our overconfidence that we are technologically superior, and about our dismissal and underestimation of the resolve of our enemies.


