We're Giving It All Away

Nice little video from Mandiant on "The anatomy of a cyber attack."

Despite the typical firewalls, antivirus, and intrusion detection system, cyber attacks can and do penetrate your systems.

This happens through social engineering (including phishing attempts), automated spam, and zero-day exploits.

Once inside your network, the cyber attacker takes command and control of your computers, surveys your assets, steals user names and passwords, hijacks programs, and accesses valuable intellectual property. 

Mandiant performs security incident response management (detecting breaches, containing it, and helping recovery efforts), and they are known for their report "APT1" (2013) exposing an alleged significant government-sponsored cyber espionage group that they state "has systematically stolen hundreds of terabytes of data from at least 141 organizations."

Another fascinating report on a similar topic of advanced persistent threats was done by McAfee on Operation Shady Rat (2011) that reveals over 70 organizations (governments, commercial entities, and more) that were targeted over 5 years and had terabytes of information siphoned off. 

The overall risk from cyber espionage is high and the McAfee report states:

- "Every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised (or will be shortly), with the great majority of the victims rarely discovering the intrusion or its impact."

- "What we have witnessed...has been nothing short of a historically unprecedented transfer of [intellectual] wealth - closely guarded national secrets...disappeared in the ever-growing electronic archived of dogged adversaries."

In short we can't keep a secret--we're putting endless gobs and gobs of our information online and are not adequately protecting it in cyberspace, with the result that our adversaries are able to access, exfiltrate, disclose, modify, or destroy it.

In short, we're giving it all away - why? 

We're Giving It All Away

Beware of Botnets

Interesting video demonstration of how botnets work and can literally take over your computer.

In essence, your computer becomes a zombie under the command and control of the botnet sender.

Computers get infected through a trojan or worm, and then the sender has you--they control your computer and information.

Generally, they do this to send spam, steal information, or send out other malware, all under anonymity. 

Once infected, the sender has complete control over your computer and can exfiltrate, delete, or change your data, turn on the keyboard lights, add a tail to your mouse, and even format your hard drive. 

The malware often can even disable your firewall.

The sender can turn on a keylogger and log your keystrokes, and capture your user ids and passwords to banking and financial institutions, and draw out your money. 

The video demos an example of botnets with a variant of the Zeus trojan. 

Worth a watch.

Makes me wonder whether our adversaries are infecting more and more computers, until they have almost everyone--eventually a virtual army.

Then at the time of their choosing, they can conduct one big massive attack, or incremental ones, logging into peoples accounts, stealing their identities and savings, sending out misinformation, destroying data and computers en masse. 

We need to be aware of what's possible, maybe even probable. 

Is your computer infected and you don't even know it yet?

Beware of Botnets

A Different Definition For IV&V

In IT circles, IV&V generally refers to Independent Verification and Validation, but for CIOs another important definition for leading is Independent Views and Voices.

Please read my new article on this: here at Government Technology -- hope you enjoy it.

Andy

(Source Photo: here with attribution to Joi)

A Different Definition For IV&V

Rejuvenate Like A Starfish

Good video on centralization vs. decentralization.

A spider is the model of a centralized organism or organization--cut of the head and the thing is dead. 

But a starfish is the epitome of one that is decentralized--if you cut off one of the arms (it doesn't have a head) of a Blue Linckia starfish, it just grows another one. And if you cut off all five arms, it grows five new starfish. 

So when it comes to organizations, do you want one like a spider, where all power, decision-making, and talent is concentrated at the top, and if you lose your senior executive(s), you've lost the innovation or operational effectiveness of the entire organization (think what happened when Apple lost Steve Jobs as an example)? 

Or do you want to be an organization that is more decentralized (less hierarchical) like the Starfish--where talent is widely dispersed and work is delegated to the many within. Here the organization's very survival is not threatened when something happens at the top or to somebody. 

In most cases, there is no perfect spider or starfish organization, but more of a hybrid model, where some functions (like HR, finance, communications) are centralized and others are decentralized (based on specific business expertise). 

To me the main point here is that an organization is made up of many individuals, and everyone in the organization is valuable; no one person can do everything and we should leverage each person according to their strengths and help them on their weaknesses. This gives each individual and the organization the best chance of rejuvenation and survival. ;-)

Rejuvenate Like A Starfish

Restraint or Recklessness?

Like many of you, as I watch the events unfold with the Russian military invasion of Ukraine, I am amazed at the "restraint" being shown by the West. 

But I can't help asking myself why a military invasion by the Great Bear into a sovereign nation that is leaning toward democracy is being met with restraint.

Sitting in Starbucks, I overheard one young women saying to an older gentlemen that she did not understand the reaction of the President in saying there would be "consequences" and that no one took that seriously as there was no specificity, almost as if their where no real consequences to even threaten Russia with. 

So why all the word-mincing, dancing around the subject, and restraint by the West in light of this very dangerous escalation in eastern Europe:

1) Surprise - Was the West completely taken by surprise by Russia's military intervention? Didn't something similar happen with Georgia in 2008--less than 6 years ago? Did we not foresee the possibility of Russia lashing out against Ukraine to protect its interests when Ukraine turned back toward European integration and away from the embrace of Russia that it had made only weeks earlier? After Pearl Harbor, 9/11, and with all our "Big Data," intelligence, and military planning--how did we miss this (again!)? 

2) Duped - Were we duped by the misinformation from Russia saying that the 150,000 troops they called on a "training exercise" was planned months ago and it just happened to coincide with the toppling of Ukraine's President?  Also, were we fooled when the "mysterious" soldiers showed up without national markings and Russia said they weren't their military--uh, where did they come from--did they float down from the heavens?

3) Apathetic - Are we just apathetic to Ukraine's plight? Are they just a poor country of little strategic value to us? Are we so war weary from Iraq and Afghanistan that we just want to place our heads in the sand like ostriches even when democracy and freedom is threatened in a European nation of some 45 million people?

4) Fear - Are we afraid of the military might of the nuclear-armed Russian Federation? Is America, the European Union, NATO, the United Nations all not willing to stand up and hold Russia accountable even if that means a military confrontation? Not that anyone wants World War III, but if we don't stand up and defend against wanton aggression, how can any country or anyone be safe going forward? 

5) Optionless - Are we just out of options? Russia got the upper hand on this one and they are logistically right there on the border and in the country of Ukraine now and what can we do? Despite the U.S. assertion that it can project military power anywhere around the world and a defense budget bigger than the 10 next largest combined--how can we be out of options? Are we out of options because we tacitly understand that one wrong miscalculation and we could end up with WMD on our homeland doorstep? 

6) Butter Over Guns - Have we retrenched from world affairs, downsized our military, and emphasized domestic issues over international ones? Have we forgotten the risk that comes from a world without a superpower that helps to maintain stability and peace? Are we just under so much financial duress with a growing mountain of national debt, a economic recovery still struggling, and the lowest employment participation in over 30 years that we can't even entertain spending more treasure to fight again? 

7) Leadership - Who is managing the crisis? We've seen our President speak, various other government officials from the U.S. and European Union, the Secretary General of the U.N., the Secretary General of NATO, and more?  Who is in charge--setting the tone--deciding the strategy? Who has point so that we and Russia know who to listen to and what is just background noise? 

What is so scary about this whole thing is how quickly things can escalate and seriously get out of control in this world, and this despite all the alliances, planning, and spending--at the end of the day, it looks like we are floundering and are in chaos, while Russia is advancing on multiples fronts in Ukraine and elsewhere with supporting dangerous regimes in Syria, Iran, North Korea and more. 

Whether we should or shouldn't get involved militarily, what is shocking is: 1) the very notion that there wouldn't be any good military options, and 2) that the consequences are not being spelled out with speed and clarity. 

In the streets, at the cafe, on the television, I am seeing and hearing people in shock at what is happening and what we are and are not doing about it. 

Even if we get Russia to stop advancing (yes, based on what happened with Georgia, I doubt they will actually pull back out), the question is what happens the next time there is a conflict based on how we've managed this one? 

I do want to mention one other thing, which is while I feel empathy for the plight of the Ukrainians seeking their freedom from Russia now, I also must remember the events of Babi Yar where, between 1941-1944, 900,000 Jews were murdered in the Soviet Union by Nazi genocide and Ukrainian collaborators. This is history, but not so long ago. 

All opinions my own. 

(Source Photo: here with attribution to Utenriksdept)

Restraint or Recklessness?

First We Must Live

I liked this advertisement for the movie sequel to the 300 coming out this week. 

Anyway, for this scary-looking dude, "War is in my blood"--that's who he is and these days, it seems like he is not alone in this crazy and violent world. 

Some people are like that...they always like to fight, be oppositional, or just be difficult. 

My belief is more like Ecclesiastes--that there is a time and place for everything..."a time for war and a time for peace."

Around the globe, there seems to be plenty of fighting, slaughter, and tensions going on...from Damascus to Kiev, from Iran to Venezuela, from Sudan to the South China Sea, and more. 

I heard what I thought was a good saying on the Game Of Thrones Season 3 (which by the way is totally excellent), it went like this:

"If we die, we die, but first we will live."

Let's hope and pray for more peaceful, stable, and pleasant times.

There is yet much to live for. ;-)

(Source Photo: Andy Blumenthal)

First We Must Live

Hanging By A Thread

This spool of cable has been hanging from this utility pole for days, maybe weeks. 

I have never quite seen anything like this. 

This huge spool hanging by a thread from this skinny little pole.

Of course, there is one warning cone sitting right underneath the overhead spool. 

Can't you just see that spool crashing down and flattening the cone? [Wonk!]

Then you have some sporadic red warning tape not doing much of nothing.

And cars and people regularly going up and down this street--which you don't really see in this photo.

Maybe the workers just left the spool of cable up there in case they need it again in the future.

Hey, less work lifting it all the way up there again. ;-)

(Source Photo: Andy Blumenthal)

Hanging By A Thread

Newspaper, Identity Thief

So, true story.

I know identify theft is a serious matter, but really...

I'm heading out of the driveway and I see the newpaper delivery guy just pulling up.

He's running a little late, but I figure I can still get the paper in time for morning reading on the Metro. 

I walk over to him and ask if I can get the Journal that he's deliverying to me.

He says, "No, I only deliver the Wall Street Journal and the Post."

I say, "Yeah, the Wall Street Journal, can I get it, since you're running a little late this morning."

He says. "I'm never late!"--actually, he is and sometimes doesn't deliver at all (the other week, I got 3 papers in one day). 

I say, "OK, but I can take it from here."

He says, "No, I only deliver to the door."

I say, "But I'm right here."

He says, "How do I know you are who you say you are?"

I say, "I am, and thank G-d, I really don't need to steal a $2 newspaper from you, Sir."

He says, "Okay, but I'll need to see an id!"

I say, "Are you serious?"

He says, "Yeah," pulling back to safety the pile of newspapers he is holding is his arms. 

Reluctantly, I flip open my wallet and flash my license to him.

Not good enough...he insists I take it out so he can read it. 

I finally got the paper, but we wasted what seemed like 5 minutes between the negotiation and proof of identity exercise. 

Don't get me wrong, I appreciate his diligence, but I think this type of scrutiny over access and identity would be better placed squarely on our cyber assets--somewhere where we really need them! ;-)

(Source Photo: Andy Blumenthal)

Newspaper, Identity Thief

March Of The Dangerous Penguins

This was a funny picture on the streets of Washington D.C.

Someone drew these "armed" and dangerous penguins on the back of a chair. 

The chair is translucent, but with the snow coming down and covering it, you can see this crazy drawing. 

Perhaps this is a message from the local NRA advocating for gun rights, who knows?

Anyway, these penguins are cute little fellows even carrying scoped rifles and staring down the everyday passerbys. ;-)

(Source Photo: Andy Blumenthal)

March Of The Dangerous Penguins

What A Waste Of Coin

Coming to work this week, I saw a penny on the ground...then another...and another.

I saw people passing the money, and instead of picking it up, they kicked in off the curb.

That's even worse than throwing them into the fountain where at least you might get some good luck from it. 

Thus, the state of our minting of coinage--it's essentially worthless.

After getting a pretty basic Venti Java Chip at Starbucks for a whopping $5.45, I quickly calculated, I would need 545 pennies,109 nickles, 54.5 dimes, or 21.8 quarters o pay for this--how ridiculous!  

And uh, how many of these would you need to pay someone one hour at the new proposed minimum wage of $10.10 if you did it in coins?

Otherwise, I could just give them a credit or debit card--yes, sort of a no brainer, right?

Why do we keep making coinage that no one wants or needs in the digital age?

We have direct deposit for payroll, automatic deductions for many expenses, online banking, ecommerce , credit and debit cards, paypal, and even bitcoin...let's just be honest and admit it, traditional money is basically obsolete. 

At Starbucks, I see many people now just use their Smartphone App to pay and get rewards--another advance. 

Someday soon, we will have embedded chips that simply add and deduct payments as we go along and live life--it's really not all that complicated. 

The funny thing also is that it costs more to make many coins then their intrinsic worth--and hence the drive towards making coins with cheaper materials. 

According to Business Insider, in 2012, a penny cost 2.4 cents to make and a nickle 11.2 cents--quite a losing proposition. 

While there truly are some valuable coins out there and I appreciate that there are many coin lovers and collectors--numismatists--perhaps there are alternate hobbies to consider. 

A colleague once told me that "If you watch your pennies, the dollars will follow"--and that may be some good investement advice, but in a 24/7 society and after decades of inflation, there isn't enough time or room to collect all the pennies we would need to make much of a difference. 

ABC News reports that while our northern brother, Canada, got rid of the penny in 2012, we still make something like 5 billion of these useless things a year. 

Full disclosure: my first job in Washington, D.C. was for the U.S. Mint, and while there were good things about it, I could never feel good about the mission--it just had no purpose. ;-)

All Opinions my own.

(Source Photo: here with attribution to Maura Teague)

What A Waste Of Coin

Google Fiber 4 The Nation's Capital

How About Google Fiber for Washington, D.C.? 

- Lead, by example, the rest of the nation forward.

- Speed up the functioning of the government.

- Helpful for Emergency Management

- The Patriotic thing to do! ;-)

All Opinions my own. 

(Source Photo: here with attribution to Cameron Yee, & no idea why it's in Spanish, but I like it!)

Google Fiber 4 The Nation's Capital

Tie Dye Cake

This is a fun cooking experience.

We're making tie dye cake.

It's not yet done--just went into the oven.

Frosting and sprinkles are also on the way. 

In 30 minutes we'll have a very colorful dessert. 

And yum!  ;-)

(Source Photos: Andy Blumenthal)

Tie Dye Cake

Don't Let Debbie Downer Take You Down

Saturday Night Live has a spoof about Negative Nellie's and they call her Debbie Downer. 

We all know people like this who are the Voice of Doom and the Doctor No's.

Whatever the topic is--they've been there, done it, and have seen it fail--"We tried that before," "That's not the way we do things here," "You just don't understand," "It will never work."

They see danger and bad everywhere and in everything, even in the face of positive and promise. 

These are the people who are obstinate, the naysayers, and are against change at all cost--they fear it or just don't want to deal with it. 

BusinessWeek has an interesting perspective on this--how even these people can be employed to have a beneficial impact on projects--by having them tell you everything that can go wrong, so you can take steps to plan and mitigate against these. 

Some people only want to have positive people around them--"yes men," who only tell them how smart and right they are all the time. 

However, the best leaders don't want kiss ups and brown nosers, but rather value"truth tellers," who will provide them solid advice and guidance on issues, tell them when they think something is wrong or risky, and even take an opposing point of view or play devil's advocate.

I remember when I was asked about whether a certain project was going to meet a very near deadline, and I said point blank, "Do you want me just to say yes or do you want me to tell you the truth?"

I got a big smile to that and the appreciation that I was real and truthful and there to make a difference and not just be another lump on the log. 

The point is not to be a Debbie Downer or a brown noser, but to be an Honest Joe or Jane. ;-)

Don't Let Debbie Downer Take You Down

National State Of Cyber Insecurity

This video is a wake up call on the state of our national cyber insecurity. 

It is the opening statement (about 6 minutes) of Chairman Michael McCaul (R-TX) of the Homeland Security Subcommittee of Oversight, Investigations, and Management.

What he describes is quite grave and every American should listen carefully about the state of our cyber insecurity that poses a real and significant threat to our economy and national security.

We are under attack by cyber criminals, terrorists, and hostile nation states. 

Our adversaries seek to and can paralyze our critical infrastructure, steal our intellectual property, conduct espionage, and access our personal and financial information. 

The collapse of our military networks, financial system, energy, transportation, and electricity "is not science fiction."

The cyber attacks are "real, stealth, and persistent, and can devastate our nation." 

It is "not a matter of if, but when a Cyber Pearl Harbor will occur."

And "we have been fortunate that up until this point that cyber attacks on our country have not caused a cataclysmic event."

I read from the Center for Strategic and International Studies (2011) that cybersecurity has taken a back seat after 9/11 to the War on Terror as well as the economic fight after the recession of 2008, with the result that "the United States is unprepared to defend itself."

Chairman McCaul critically states at the end of his opening statement, "Let's do something meaningful [now] because it is not a tolerable situation!"

National State Of Cyber Insecurity

Can You Trust Social Media?

Interesting article in BBC about a project underway to develop a system that will rate information on the Internet as trustworthy or not. 

Considering how quickly we get information from the Net and how easy it is to start crazy rumors, manipulate financial investors, or even cause a near panic, it would be good to know whether the source is legitimate and the information has been validated. 

Are we simply getting someone mouthing off on their opinions or what they think may happen or perhaps they are unknowingly spreading false information (misinformation) or even purposely doing it (disinformation)?

Depending how the Internet is being used--someone may be trying to get the real word out to you (e.g. from dissidents in repressive regimes) or they may be manipulating you (e.g. hackers, criminals, or even terrorists). 

To have a reliable system that tells us if information being promulgated is good or not could add some credibility and security online. 

What if that system though itself is hacked? Then lies can perhaps be "verified" as truth and truth can be discredited as falsehood. 

The Internet is dangerous terrain, and as in the life in general, it is best to take a cautious approach to verify source and message. 

The next cyber or kinetic attack may start not with someone bringing down the Internet, but rather with using it to sow confusion and disarm the masses with chaos. ;-)

(Source Photo: Andy Blumenthal)

Can You Trust Social Media?

Jewish History At A Glance

I really like this poster graphic outlining Jewish history and key figures from Genesis until modern times. 

While there is already a lot of information on here such major events in Jewish history, world events, Jewish historical figures, Jewish literature and Jewish population, I would suggest adding major Jewish contributions to the world from Einstein to Freud, from Columbis to Salk. 

Also, I found that 23% of all Nobel Prizes (or 193 people) between 1901 and 2013 were awarded to people of Jewish descent--and the awards were across the fields of chemistry, economics, literature, peace, physics, and medicine. 

We are not a very large people--just .2%--in terms of population, but we have a very rich history--a mixture of persecution and contribution. 

Thank you Minna Blumenthal for sending me the link to this!

(Source Photo: here with attribution to Odyeda)

Jewish History At A Glance

Alert, Alert, And More Alerts

No this is not an alert, but some strategic thinking about alerts. 

As a kid, we get our first alerts usually from the fire alarm going off in school and practicing the buddy system and safely evacuating. 

As adults, we are used to get so many types of alerts:

- Homeland Security threat alerts
- Breaking news alerts
- Emergency/Disaster alerts
- Severe weather alerts
- Smog alerts
- Transportation delay alerts
- Accident alerts
- Fraud alerts
- Economic and financial alerts
- Amber missing child alerts
- Internet security alerts
- Power loss alerts
- Home or business intruder alerts
- Fire alerts
- Carbon Monoxide alerts
- Medical/health alerts
- Chemical spill alerts
- Product safety or recall alerts
- Unsafe drinking water alerts
- Active shooter alerts
- Work closure alerts
- Parking garage alerts
- Dangerous marine life alerts
- Dangerous current or undertow alerts
- Air raid siren alerts
- Solar eclipse alerts
- Meteorite or falling space debris alerts
- Special sale or promotional event alerts

With the arrival of highly successful, mass social media applications like Twitter, we have alerts aggregated for us and listed chronologically as things are happening real-time. 

The brilliance of the current Twitter-type alerting is that we can sign up to follow whatever alerts we are interested in and then have a streaming feed of them.  

The alerts are short--up to 140 characters--so you can quickly see the essence of what is happening or ignore what is irrelevant to you. 

When more space is needed to explain the details behind an alert, typically a (shortened) URL is included, which if you click on it takes you to a more in depth explanation of the event or item. 

So alerts are a terrific balance between short, attention grabbing headlines and links to more detail, as needed. 

What is also great about the current alerting mechanism is that you can provide concise alert information, including:

- Message source (for ensuring reliability)
- Guidance (for providing immediate instruction on response). 
- Hazard (for specifying the type of incident)
- Location (for identifying geographic or mapping locality)
- Date/time (for implications as to its currency)
- Importance (for determining severity such as catastrophic, critical, etc.)

While we remain ever, hyper-vigilant, we need to be careful not to become anxiety-ridden, or at some point, simply learn to tune it all out, so we can actually live life and get stuff done.

It's good to know what's going on out there, but can too much information ever become a bad thing? ;-)

(Source Photo: Andy Blumenthal)

Alert, Alert, And More Alerts

Some Mighty Big Shoes To Fill

If you're ever feeling like a big shot--remember there are always others out there who are bigger than you. 

_________________________

We walk in the footsteps of the giants who came before us. 

We walk among colleagues who are superior to us.

We walk before future generations who will certainly humble us. 

We walk in the sight of G-d, our creator and master, who bestows all divine benevolence to us. 

_________________

Now those are some mighty big shoes! ;-)

(Source Photo: Andy Blumenthal)

Some Mighty Big Shoes To Fill

How Our Colony On Mars Will Get Built

Absolutely amazing development in robotics...

According to the Wall Street Journal, Harvard University researchers have developed autonomous robots inspired by termites or ants. 

They can build complex structures by working in a group or swarm.

Each robot is independent, yet by being programmed with the target structure, they work harmoniously together to build the structure without further guidance. 

They have sensors along with a set of rules that enable them to interact with each other and the environment to get the job done. 

They can even build stairs to enable themselves to get to higher levels of the structure and add the next set of building bricks. 

The robots are 8" by 4.5" with pinwheel tires for traction and are powered by off-the-shelf motors.

"Each robot 'walks around the structure until it sees something that needs to be done and then does it...they can recognize errors and correct them.'"

Perhaps, the robots can not only learn from the termites, but we can learn from the robots. ;-)

How Our Colony On Mars Will Get Built

Another Day In The Middle East

It can be hard for a regular person to understand the course of events in the Middle East--I certainly don't!

I recognize that I don't know what I don't know, but with all due respect, it would be great if we could all better understand where we are going there. 

- On the 9/11, we were attacked by Al Qaeda hijackers, 15 of 19 of whom were Saudi Arabian, yet after 9/11, we didn't go after Saudi Arabia, but instead overthrew Saddam Hussein in Iraq.

- However, early in the 1980's Iran-Iraq War, we supported Iraq against Iran and permitted the sale of American arms to Hussein. 

- By overthrowing Saddam, in effect we established a Shiite-lead Iraq, right next to a fundamentalist Shiite Iran with a history of conflict with America. 

- In subsequent conflicts, it is not clear whether we are supporting the secularists or the fundamentalists:

a) In Syria, we have been supporting "moderate" Sunni's (although often seen aligned to Al Qaeda) against Bashar al-Assad, and what is considered the "secular Ba'ath party."

b) In Egypt, we withheld military and economic support after the overthrew of the Muslim Brotherhood, whose aims include establishing a state ruled by Sharia law, and an organization that is aligned with Hamas and Hezbollah, both listed as terrorist organizations.

- In Iran, in an attempt to move towards peaceful nuclear disarmament, we are relaxing sanctions on a country that former President George W. Bush, in his State of the Union, declared part of the Axis of Evil (2002), and with an agreement that is viewed as not better than having a 50-50 chance of success. 

If you find this a lot to take in, you are not alone. ;-)

All opinions my own.

(Source Photo: Andy Blumenthal)

Another Day In The Middle East