Prior password hygiene comes home to roost

This week I received a notice from https://haveibeenpwned.com/ suggesting that my user account from last.fm had been compromised. In this case, the breach was fairly significant, according to Have I Been Pwned, indicating that mail addresses, passwords, usernames,  and website activity were among the compromised data.

Image result for password memeWow. Last.fm. I hadn’t even thought of that service in years. A quick check at Wikipedia shows they are still in business, but I had forgotten about last.fm, probably because SomaFM.com and Pandora had garnered my music listening attention.

I looked in my password vault to see what my password was.  I found there was no entry for last.fm. This is especially troubling, since there is a possibility that the password I used for last.fm is used elsewhere (more on that in a minute).  I still have one more password vault to check, but I don’t have physical access to that until tomorrow. Hopefully I’ll find an entry.

In any event, I’ve changed my password at last.fm.  But not knowing what my prior password was is going to gnaw at me for a while.

Occurrences like this are another reason why we should all use unique, hard to guess passwords for each web site.  Then, if any web site is compromised and that compromise reveals your password, then you can be confident that no other web sites are affected.

What I Was Doing On 9/11/2001

In 2001, I was the security strategist for a national wireless telecommunications company. I usually awoke early to read the news online, and on September 11 I was in my home office shortly after 5:00am Pacific Time.  I was perusing corporate e-mail and browsing the news, when I saw a story of a plane crashing into a building in New York.

I had a television in the home office, and I reached over to turn it on. I tuned to CNN and watched as smoke poured from one of the two towers in the background, as two commentators droned on about what this could be about. While watching this I saw the second airliner emerge from the background and crash into the second tower.

Like many, I thought I was watching a video loop of the first crash, but soon realized I was watching live TV.

I e-mailed and IM’d members of our national security team to get them aware of these developments. Before 6am Pacific time, we had our national emergency conference bridge up and running (and it would stay on all day). Very soon we understood the gravity of the situation, and wondered what would happen next.  We were a nation under attack and needed to take steps to protect our business.  Within minutes we had initiated a nationwide lockdown (I cannot divulge details on what that means), and over the next several hours we took more steps to protect the company.

——–

Since being a teen-ager I had a particular interest in World War Two. My father was a bombardier instructor, and his business partner and best friend was a highly decorated air ace.

——–

We are under attack and we are at war, I thought to myself early that morning, and while I don’t remember specifics about our national conference bridge, I’m certain that I or someone else on the bridge said as much.  Like the sneak attack on Pearl Harbor on December 7, 1941, we all believed that the 9/11 attacks could have been the opening salvos of a much larger plan. Thankfully that was not the case. But in the moment, there was no way to know for sure.

For many days, I and probably a lot of Americans expected more things to happen. The fact that they didn’t was both a surprise and a relief.

Leaving the Comfort Zone

travel destinations

Jumping out of one’s comfort zone

Early in my career, I had seemingly regular opportunities to learn new skills and technologies. It was interesting, for sure, and sometimes challenging, but rarely in ways that I would consider the least bit scary or risky.  It was just plain fun.

Several years into my career, I found that my learning curve was steepening. I was apparently seen to have some good skills, and the small company that employed me seemed fit to thrust me into new situations with little supervision. This included teaching computing classes to county commissioners, being responsible for obtaining computers half a world away for international conferences (in the 1980s this was no mean feat), being asked to attend client executive business meetings to explain the software that my company had provided – or explaining yesterday’s outage.

Then came public speaking. My first real speaking gig was in 1988 where a colleague and I were presenting to a large audience. Before PowerPoint, producing slides for a presentation was difficult. You PowerPoint weanies have it way too easy.

That first speaking gig was a disaster. A real train wreck. I was beyond nervous. I’m sure it showed. But at least I knew it was a clear fail. And I was determined to not let that happen again.

As luck would have it, just weeks later a friend of mine mentioned his local Toastmasters club. I had heard of Toastmasters, and feeling the sting of my recent public speaking failure, I jumped at the chance.

The next year at Toastmasters was hard work. I had terrible bad habits and no good ones. My club consisted of really seasoned speakers, including local city officials and business owners. Really senior guys. Safe and friendly. But full of criticism, of the constructive kind.

I was nervous in all of my Toastmaster speeches. I was really terrible but desperately wanted to improve. I had a glimpse of my career’s future where I would be speaking before audiences again, but I was determined to never fail like that again.

A few short years later, I was asked to teach Unix concepts and skills to co-workers in semi formal classroom settings. I prepared and was less nervous. I did okay.

A few years after that, I was invited to speak at a global user conference on the business benefits of some software products. I did this two years in a row, and even recorded promotional testimonial videos for the company. I’m not sure whether they were ever used, though.

A couple of years later, opportunities to speak at conferences began. First it was once a year, then twice a year. These were great learning opportunities. Generally I did well, and slowly accumulated experience and added skills. I felt like I was going places. Not big places, but places nonetheless.

Last year I had the opportunity to keynote a regional security conference. I had the freedom to select my speaking topic, at least. But this was the first time I was formally introduced to a big stage before hundreds. Moreover, this was in my city, where probably half the audience knew me by first name.

No pressure.

Riiiight.

My animation acted up a bit, but I delivered.

FullSizeRender.jpgEight weeks later, I had another keynote opportunity to an even larger audience, around 800. Yes I was nervous. But I delivered fairly well. This was the first time I had “comfort monitors” (the big monitors down in front that I could look at, as opposed to turning around to look at the big screens behind me.

Wait, isn’t this supposed to be about my comfort zone?  Well yes, it has been all along.

Virtually all of my speaking gigs take me out of my comfort zone. Some, a little; others, quite a bit.

Two weeks ago, my boss’s boss called me up and asked if I would be interested in a speaking gig in Ottawa.  I told him, sure, sign me up.

Then we hung up. And I thought about it. And I realized, I don’t even know what I’ll be speaking about, to whom, or in what context. That was okay.

Yes it was okay.  Given the perspective of many years now, I realize that I thrive at the very edge, and often beyond, the boundaries of my comfort zone.

Public speaking is not the only context where I do this. In fact, every day when I’m asked to talk with a client, partner, or colleague, I almost never know what the conversation is going to be about. I might be praised in one conversation, bitched out in another, and asked my opinion in another.

So what am I getting at here?  Please be patient, I’m getting to it. This is not a rehearsed piece, but written stream of consciousness, much like an impromtu talk. Other than mis-spellings in mid-sentence, I’m not editing this.  These are my thoughts. Peter H Gregory unplugged.

For me this has been a great ride, the past few decades. I never know what’s around the corner. And that’s okay.

Those who know me know that I talk in metaphors a lot. Maybe too much. I liken my public speaking to bungee jumping. A few moments of terror, but what a ride. Only in my case, the chances of imminent death are remote. Embarrassment, or humiliation with no way out?  Absolutely. In any of my talks, whether keynote, small session, executive briefing, or a university class, I could blow it at any time and be a bufoon or worse.

It hasn’t happened since that first conference, many many years ago.

And it keeps happening. Today at 3:30pm I found out that I to give an executive briefing to a group of colleagues I’ve never met in person, tomorrow morning. Do I know exactly what I’m going to be talking about?  Somewhat.  Am I nervous?  Yes, somewhat.  Will it be okay?  Probably.

In high tech, if you want to grow, you’ve got to live on the edge of your comfort zone. Or near the edge anyway. Close enough so that you can see over the edge and see what potential failure looks like. Or gaze upward toward the brilliant blue sky and see what potential success looks like.

It’s worth it.

State University Gives Copies of Security Career Books to Students

Earlier this year, Georgia State University asked me to speak at an information session for students in its Masters of Science in Information Systems (MSIS). Students needed to choose their study concentration; my job was to describe the information security profession to them so that they could choose whether to elect the security concentration, or one of two other concentrations. 
The university gave to all of its MSIS students a copy of one of my recent books, Getting an Information Security Job For Dummies. University officials recognized that the book accurately describes the profession, how professionals can learn more about the profession, career choices within the profession, and steps someone can take to get into the profession.

After my talk, university officials informed me that twenty-five students elected to pursue the information security concentration. This was greater than they expected, and they were pleased with the outcome. They expressed their gratitude to me for the time I took to describe the profession to them and answer their questions.

Will 2016 Be The Year Of The Board?

This year has exploded out of the gate, starting on Jan 4 (the first business day of the year) with a flurry of activity. Sure, some of this is just new budget money that is available. However, I’m seeing a lot of organizations in my part of the world (California, Oregon, Washington, Idaho, Montana, Alberta, British Columbia, and Alaska) asking for help on the topic of communicating to executive management and the board of directors.

It’s about time.

Really, though, this makes sense.  Boards of directors aren’t interested in fads in business management. They rely upon their tried-and-true methods of managing businesses through board meetings, audit and risk committees, and meetings with executives. Until recently, board members perceived information security as a tactical matter not requiring their attention. However, with so many organizations suffering from colossal breaches, board members are starting to ask questions, which is a step in the right direction.

Let me say this again. Board members’ asking questions is a big sign of progress. And it doesn’t matter, mostly, what those questions are. It’s a sign they are thinking about information security, perhaps for the first time. And they’re bold enough to ask questions, even if they fear they are asking stupid questions.

The National Association of Corporate Directors (NACD) has an excellent publication on the topic of boards of directors attention on information security, called the Cyber Risk Oversight Handbook. Last I checked, a soft copy is free. Whether you are a board member or an infosec staffer, I highly recommend this for your reading list in early 2016.

Neat Receipts Has Forgotten (or never knew) How to Earn Customer Loyalty

I’ve been a happy user of Neat Receipts for years, having purchased one of their portable scanners. It has worked pretty much  trouble free on PCs and Macs since I purchased it. But that was all about to change.

I upgraded my Mac to El Capitan a couple of months ago, and today needed to scan some diagrams that I’ll be using in an upcoming book. The Neat software did not recognize the scanner, so I went through the usual troubleshooting, including special steps on the Neat website for El Capitan users. Still, no luck.

Neat

I went to Neat’s customer support page, and found that their chat function was working (today is Saturday). I discussed the matter with the support rep, who asked me for the model of my scanner (it’s NR-030108). The rep told me that this model was no longer supported and would not work any longer. Oh great.  I asked whether there was any kind of a trade-in allowance, and he answered that there was not.

So, Neat has obsoleted my scanner.  I can get over it – it’s a part of the regular improvements in information technology. I get that. But, Neat is offering nothing in order to keep me as a customer.  There is nothing keeping me from considering other good products such as Fujitsu ScanSnap S1100i, for instance. In fact the Fujitsu is a little less expensive, it works with Mac, does everything I need, and has a slew of good online reviews.

Apparently Neat is going to just let me walk.

Security: Not a Priority for Retail Organizations

Several years ago, VISA announced a “liability shift” wherein merchants would be directly liable for credit card fraud on magstripe card transactions. The deadline for this came and went in October, 2015, and many merchants still didn’t have chip reader terminals. But to be fair to retailers, most of the credit/debit cards in my wallet are magstripe only, so it’s not ONLY retailers who are dragging their feet.

My employment and consulting background over the past dozen years revealed plainly to me that retail organizations want to have as little to do with security as possible. Many, in fact, even resist being compliant with required standards like PCI DSS. For any of you who are unfamiliar with security and compliance, in our industry, it is well understood that compliance does not equal security – not even close to it.

I saw an article today, which says it all. A key statement read, “There is a report that over the holidays several retailers disabled the EMV (Chip and Pin) functionality of their card readers. The reason for this? They did not want to deal with the extra time it takes for a transaction. With a standard card swipe (mag-swipe) you are ready to put in your pin and pay in about three seconds. With EMV this is extended to roughly 10 seconds.” Based on my personal and professional experience with several retail organizations, I am not surprised by this.  Most retailers just don’t want to have to do security at all. You, shoppers, are the ones who pay the price for it.