Category Archives: Opinion

Blameshifting is not a good defense strategy

Today, in my newsfeed, two stories about breaches caught my attention.

In this first story, a class-action lawsuit is filed against Waste Management for failing to protect PII in the trash.

In the second story, a South Africa port operator declares force majeure as a result of a security breach, in essence declaring that nothing could have been done to prevent the breach.

In both of these situations, the victim organizations attempt to shift the blame for the failure to protect sensitive information onto others. Those of us in the profession have seen victim companies do this in the past, and it generally does not work out well.

Back to the Waste Management story. Here, I argue that when an organization places something in dumpsters, they should take steps to ensure that no recoverable information is discarded. Unless the business arrangement between companies and Waste Management is more akin to secure document shredding by companies like Shred-It, I assert that the garbage company has no obligation to protect anything of value placed in the trash.

On to the South Africa port operator. Declaring force majeure as a result of a security breach is an interesting tactic. In my opinion (note that I am not a lawyer and have had no formal law education), this strategy will backfire. There are numerous examples of organizations that successfully defend themselves against attacks like this. Granted, these attacks are a global plague, and defense – while challenging – is absolutely possible.

Disruption of branch banking is of their own making

An experience late last week was an epiphany for me.

While managing the financial affairs of a relative, I needed to get a one-page document notarized. I live in a small town, where there are only two or three local bank branches.

One of the branches is K** Bank. On their website, K** Bank makes available the capability of making an appointment at a nearby branch. I filled in the appointment form, including the specific nature of the visit. Another relative who was visiting a few weeks ago got a document notarized there, so I knew that this branch of K** Bank had a notary.

I showed up, was greeted by branch staff, and invited to have a seat while someone came to assist me. Soon, another branch employee came over and said she was ready. I presented my document and my photo ID. The employee asked for my K** Bank account number, and I replied that I was not a customer. She replied that Key Bank only notarizes documents for customers. When I asked whether K** Bank would notarize my one-page document for a fee, the answer was, no, sorry. The branch was not busy: there were six employees in the branch, and I saw one or two customers come and go in the ten minutes that I was there.

I left and drove two blocks to the town’s professional building, where a lawyer, an accountant, a marriage counselor, and a financial advisor have small offices. I poked my head into the CPA’s office and asked, do you know of a notary here in town? The CPA got up, greeted me, and took me across the hall to the financial advisor’s office, where she introduced me to an independent financial advisor. He gladly took a couple of minutes to notarize my document. He refused to accept a fee. Since he was conversational and polite, I asked him about his business, asked for some business cards, and may have some business to refer to him.

Branch banking is going the way of the bookstore. Key Bank had an excellent opportunity to take a few minutes to meet a new potential customer by showing a bit of goodwill. Instead, they turned me away, and frankly, I will probably never set foot in that branch again.

The Breaches Will Continue

As I write this, it’s been one day since news of the latest LinkedIn breach hit the news. To summarize, about 92% of LinkedIn users’ information was leaked via LinkedIn’s API. LinkedIn is officially denying this is a breach but is just a data scrape that violated the API’s terms of use. Interesting twist of terms. This reminds me of a former President who explained, “It depends upon what your definition of IS is.”

During my six years as a strategic cybersecurity consultant, I learned that most organizations do not take cybersecurity seriously. Breaches are things that happen to other companies, those with larger and more valuable troves of data.

Organizations, up to and including boards of directors, are locked in normalcy bias. No breach has occurred (that they are aware of), and therefore no breach will occur in the future. It is normalcy bias that is also responsible for the fact that most citizens fail to prepare for emergencies such as extended power outages, fires, floods, hurricanes, tornadoes, identity theft, serious illness, and so many other calamities. I’d be lying if I said that I’m immune to this: while we’re well prepared for some types of events, our preparedness could be far better in certain areas.

A fellow security leader once told me, “Cybersecurity is not important until it is.” Like in our personal lives, we don’t implement the safeguards until after being bitten. Whether it’s security cameras, better locks, bars on windows, bear spray, or better cyber defenses, it’s our nature to believe we’re not a target and that such safeguards are unnecessary. Until they are.

2021: The Summer of Unions and Reunions

Last summer, I started a new job as Senior Director of Cyber GRC for GCI Communications, an Alaska-based telecommunications company. Being a resident of central Washington State, this was to be a mostly WFH job with occasional (monthly-ish) travel to Anchorage and elsewhere to meet with GCI personnel and others.

image from tcsp360.com

The COVID-19 pandemic lockdown was in full swing when I was hired, and non-essential business travel was prohibited. So our days were consumed with video meetings on Teams and Zoom. I met and managed my team of 13 managers, analysts, and specialists, worked with my director, senior director, and VP peers, and was accustomed to full days of video conversations and a bit of time to do real work. And over the past year, I hired five additional team members (including two managers) via video calls. WFH and remote work were the only way.

This week, I met my security department leadership peers in person for the first time: the director of security architecture and planning, and the senior director of security operations. None of us had met in person before, ever. Later, our CISO joined us (our CISO had not met the secops leader in person either).

We spent two long days understanding each others’ departments better, and we spent a lot of time doing some strategic planning. We had bits of time telling stories, and there was plenty of laughter as well.

Meeting and working face-to-face is definitely better than WFH and Zoom meetings. I always knew it, but after 15 months of hunkering down, finally meeting some of my colleagues face to face was confirmation for me. While the three of us live in three different states, we’ll spend most of our working time on video calls, but occasional in-person work is valuable and strengthens and improves work relationships.

I’m certain that thousands of you are having the same experience – as business travel and office work slowly return, you’re meeting many of your colleagues in person for the first time. Relish it.

Checkbox CPEs

Those of us with security certifications like CISSP, CISA, CISM, and others are acutely aware of the need to get those CPE hours completed each year. Typically, we’re required to accumulate 40 hours per year and to keep accurate records of learning events, along with evidence that we did indeed attend those events.

I was audited once, over a decade ago, and came up a bit short on my evidence. Since then, I’ve been meticulous in my recordkeeping and maintaining proof of attendance. But this piece is not about recordkeeping.

Are you finding your CPE events to check the box? Or are you pursuing new knowledge and skills?

I’ll tell you a secret: the certification organizations don’t know whether you are doing the minimum to check the box or pursuing knowledge with enthusiasm. They don’t ask, and they don’t care.

You should care, however, and the difference will show. If you are just checking the CPE box, you will not be learning much, and you’ll be a weaker contestant in the employment market. By not making a real effort to grow professionally, you’ll slowly fall behind. While you may be able to fake it for a while, your learning negligence will catch up to you, and it will take considerable time and effort to dig yourself out of the hole you slid into. Not only will you have to spend considerable time catching up on security topics, but you’ll also have to undo the habit of doing the minimum to slide by.

Controlling the WFH Genie

As we turn the corner in the COVID-19 pandemic, many companies are beginning to bring their workers back on site. This return to the workplace phenomenon is starting a conversation at the worker level, the company level, and in society as a whole.

Many companies have succeeded with the transition to WFH. It may have been awkward at first, but millions of workers have tasted a better quality of life without a commute, and without many other related costs of money and time. Many workers do not want to give up WFH, now that they’ve seen that they can be effective while working from home.

I’ve been part-time WFH for almost twenty years, but I’ve also had jobs where I was commuting three to four hours each day, so I’m intimately familiar with both ends of the spectrum, as well as the middle. I am working today for an Alaska-based company while living in Washington State, so I’m a living subject in the great WFH experiment. And in the nine months since starting this job, I’ve hired workers on my team who live in Idaho, Texas, Arizona, Washington, and, yes, Alaska.

For workers, WFH represents a savings of hard money in terms of vehicle, mass transit, work wardrobe, and lunches out, offset by the expense of equipping and maintaining a home office. The soft benefits include reclaimed commute time and quality of life; the soft cost is giving up the ability to work in person with colleagues and to develop better relationships than can be built on video calls alone.

One can draw up a long list of WFH pros and cons. For most of 2020, we had no choice. But from now on, better organizations realize that WFH has many benefits:

  • Workers often put in more hours.
  • Organizations’ office space expenses are lower.
  • Employers can draw from a significantly larger labor pool when looking for new employees.
  • Existing staff have the freedom to relocate their families to other communities while keeping their same jobs.

Organizations unwilling to consider WFH workers will have a more difficult time finding qualified workers, as they will be drawing from a far smaller labor pool. Employers will have to pay more for people to work in the office to compensate for their additional time and hard expenses – AND employers will have the added cost of providing workspace for those workers they require to be on-site (and those workers who want to). Many workers will be willing to work for less if they can WFH as it is a fair exchange for a better quality of life.

One thing is for sure: the WFH genie will not be going back into the bottle. Ever.

In terms of cybersecurity and ransomware, most organizations are anti-vaxxers

Prologue: There are many opinions and points of view with regards to the origin and nature of COVID, the response to the pandemic (or plandemic if you prefer) and vaccinations. I’m not here to express any opinion, but will borrow from these events as I briefly use vaccinations as a metaphor. And thanks to my former colleague Jason Popp for coining the phrase that I’m borrowing.

In a comment to a LinkedIn post about ransomware, Jason said, “If ransomware is a pandemic, then most organizations are anti-vaxxers.”

Brilliant.

I’ll state this another way: the tools and techniques for ransomware prevention have been around for decades. Decades. By and large, organizations hit with ransomware are not employing these techniques effectively, if at all. Implicitly, most organizations choose not to employ the safeguards that would prevent most ransomware attacks.

Why? Good question. Perhaps it’s normalcy bias. Or that cybersecurity is too expensive, or inconvenient to users, or that it’s too hard to find good cyber persons. Or, cybersecurity is a distraction from the organization’s mission (and ransomware isn’t?).

Ransomware presents several challenges. First, most companies that pay ransoms still don’t get their data back. And, more recently, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) has cited that paying ransoms to cybercriminals is a violation of OFAC laws.

The solution? Perform or commission a risk assessment. Hire cybersecurity professionals who know how to fix deficiencies and manage effective security governance, operations and response.

Or, just stop using computers.

Where Are You Going?

While hiking in the hills near our mountain cabin one day, I realized that I was looking down at each step. The terrain was uneven, full of brush, rocks, critter holes, and other obstacles. In a moment of realization, I stopped and looked out in front of me. I realized that, for several minutes, I had not been looking at where my walking was taking me.

Our jobs and our careers are like a hike on uneven ground. We make small and large decisions, interact with people, often only in the moment, without pausing to look up to see where these daily activities are taking our careers. When working only in the moment, we are surrendering control of our careers to others and to chance, rather than taking the reins and going where we want.

Like walking or hiking, it’s essential to make good in-the-moment decisions, but we must occasionally stop to see where our steps are taking us, and change direction when needed.

Also, remember to stop and enjoy the view.

FPRM is the new TPRM

The recent Accellion-related breaches (a recent one here) are shining a light not just on third-party risk management (TPRM), but on fourth-party risk management (FPRM).

When we bring on a new service provider, in a healthy TPRM program, we assess the service provider’s security (and maybe privacy) programs to see whether their security posture is something we can live with. I see a new set of questions to be asking our third parties, including:

  • What third-party service providers do your third parties send your data to?
  • What third-party service providers are used to facilitate data transfer and other aspects of your service?

TPRM managers – these recent incidents should be sending us back into our methodologies to ensure we don’t have blind spots.

That is all.

Do Not Use Browsers to Store and Deliver Passwords

Since their inception in the 1990s, web browsers have been packed full of useful features like bookmarks, tabs, granular cookie control, and so much more. It’s no surprise, then, that most browsers now include the ability to store your passwords and to manually or automatically insert them into website login pages. Talk about convenience.

Don’t do it.

The browser makers mean well. However, when a single program accepts untrusted input from the Internet and that same program has access to sensitive login credentials, one can imagine that it would be possible to craft malware that can reach across and pluck out those credentials at will, possibly without the user’s knowledge.

A browser that stores passwords is vulnerable to attack. First, passwords are often stored in plaintext (see this article and also this article, and here is a useful article from the University of Minnesota that instructs users on how to retrieve stored passwords). Malware that has access to your computer’s file system may be designed to look for, and retrieve, these stored passwords.

Also, you should be aware of autofill attacks that trick browsers into pasting sensitive information into hidden fields in otherwise innocent-looking forms. One day, such an attack may be able to trick a browser into auto-filling login credentials into hidden fields without your awareness or consent.

As long as we log in to websites with a username and password, you need to be the air gap between your stored credentials and your browser.
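The hidden-field problem above comes down to one missing check: an autofiller that does not ask whether a field is actually visible to the user will put saved data into anything that carries a matching autocomplete hint. The following is an added example, not code from the original post and not any browser's real implementation; it models a visibility-gated fill policy over a constructed, simplified field descriptor (the `style` object and the visibility rules are assumptions for illustration, and real browsers apply their own, more detailed heuristics). The sample form is constructed: it looks like a plain newsletter signup but carries two invisible inputs that request a saved username and password.

```javascript
// Added example (not from the original post): a visibility-gated autofill policy.
// Field descriptor stands in for a DOM <input>; it is a constructed model, not a DOM API:
// { name, type, autocomplete, style: { display, visibility, opacity, width, height, left, top } }

// Returns true only if the field would be perceptible to the person using the page.
function isUserVisible(field) {
  const s = field.style || {};
  if (field.type === "hidden") return false;                       // <input type="hidden">
  if (s.display === "none") return false;                          // removed from layout
  if (s.visibility === "hidden") return false;                     // laid out but invisible
  if (s.opacity !== undefined && Number(s.opacity) === 0) return false; // fully transparent
  if ((s.width ?? 1) <= 0 || (s.height ?? 1) <= 0) return false;    // zero-size box
  if ((s.left ?? 0) < -1000 || (s.top ?? 0) < -1000) return false;  // parked far off-screen
  return true;
}

// Builds the fill plan: which fields receive saved data and which are refused, with a reason.
// A weak autofiller would skip the isUserVisible() test and fill every matching field.
function planAutofill(profile, fields) {
  const filled = [];
  const refused = [];
  for (const f of fields) {
    const token = f.autocomplete;
    if (!token || !Object.prototype.hasOwnProperty.call(profile, token)) {
      refused.push({ name: f.name, reason: "no matching saved value" });
      continue;
    }
    if (!isUserVisible(f)) {
      refused.push({ name: f.name, reason: "field not visible to user" });
      continue;
    }
    filled.push({ name: f.name, value: profile[token] });
  }
  return { filled, refused };
}

// Constructed sample data: a saved profile (placeholder values) and an innocent-looking signup form
// with two invisible inputs requesting the saved username and password.
const SAMPLE_PROFILE = {
  email: "user@example.com",
  username: "example-user",
  "current-password": "example-password-placeholder",
};
const SAMPLE_FORM = [
  { name: "email", type: "email",    autocomplete: "email",            style: {} },
  { name: "u",     type: "text",     autocomplete: "username",         style: { display: "none" } },
  { name: "p",     type: "password", autocomplete: "current-password", style: { left: -9999, top: 0, width: 1, height: 1 } },
  { name: "zip",   type: "text",     autocomplete: "postal-code",      style: {} },
];

// Runs the policy over the constructed form; only the visible email field should be filled.
function demo() {
  return planAutofill(SAMPLE_PROFILE, SAMPLE_FORM);
}

console.log(JSON.stringify(demo(), null, 2));
```

The refused list is as useful as the filled list: a browser or extension that logs "field not visible to user" refusals gives the user (or a security team reviewing telemetry) a signal that a page tried to harvest saved data out of sight, which is exactly the event the paragraph above warns about.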

What I Was Doing On 9/11/2001

In 2001, I was the security strategist for a national wireless telecommunications company. I usually awoke early to read the news online, and on September 11 I was in my home office shortly after 5:00am Pacific Time. I was perusing corporate e-mail and browsing the news, when I saw a story of a plane crashing into a building in New York.

I had a television in the home office, and I reached over to turn it on. I tuned to CNN and watched as smoke poured from one of the two towers in the background, as two commentators droned on about what this could be about. While watching this I saw the second airliner emerge from the background and crash into the second tower.

Like many, I thought I was watching a video loop of the first crash, but soon realized I was watching live TV.

I e-mailed and IM’d members of our national security team to make them aware of these developments. Before 6am Pacific time, we had our national emergency conference bridge up and running (and it would stay on all day). Very soon we understood the gravity of the situation, and wondered what would happen next. We were a nation under attack and needed to take steps to protect our business. Within minutes we had initiated a nationwide lockdown (I cannot divulge details on what that means), and over the next several hours we took more steps to protect the company.

——–

Since being a teenager I had a particular interest in World War Two. My father was a bombardier instructor, and his business partner and best friend was a highly decorated air ace.

——–

We are under attack and we are at war, I thought to myself early that morning, and while I don’t remember specifics about our national conference bridge, I’m certain that I or someone else on the bridge said as much. Like the sneak attack on Pearl Harbor on December 7, 1941, we all believed that the 9/11 attacks could have been the opening salvos of a much larger plan. Thankfully that was not the case. But in the moment, there was no way to know for sure.

For many days, I and probably a lot of Americans expected more things to happen. The fact that they didn’t was both a surprise and a relief.

Neat Receipts Has Forgotten (or never knew) How to Earn Customer Loyalty

I’ve been a happy user of Neat Receipts for years, having purchased one of their portable scanners. It has worked pretty much trouble-free on PCs and Macs since I purchased it. But that was all about to change.

I upgraded my Mac to El Capitan a couple of months ago, and today needed to scan some diagrams that I’ll be using in an upcoming book. The Neat software did not recognize the scanner, so I went through the usual troubleshooting, including special steps on the Neat website for El Capitan users. Still, no luck.


I went to Neat’s customer support page, and found that their chat function was working (today is Saturday). I discussed the matter with the support rep, who asked me for the model of my scanner (it’s NR-030108). The rep told me that this model was no longer supported and would not work any longer. Oh great. I asked whether there was any kind of a trade-in allowance, and he answered that there was not.

So, Neat has obsoleted my scanner. I can get over it – it’s a part of the regular improvements in information technology. I get that. But Neat is offering nothing in order to keep me as a customer. There is nothing keeping me from considering other good products such as the Fujitsu ScanSnap S1100i, for instance. In fact the Fujitsu is a little less expensive, it works with Mac, does everything I need, and has a slew of good online reviews.

Apparently Neat is going to just let me walk.

Security: Not a Priority for Retail Organizations

Several years ago, VISA announced a “liability shift” wherein merchants would be directly liable for credit card fraud on magstripe card transactions. The deadline for this came and went in October 2015, and many merchants still didn’t have chip reader terminals. But to be fair to retailers, most of the credit/debit cards in my wallet are magstripe only, so it’s not ONLY retailers who are dragging their feet.

My employment and consulting background over the past dozen years revealed plainly to me that retail organizations want to have as little to do with security as possible. Many, in fact, even resist being compliant with required standards like PCI DSS. For any of you who are unfamiliar with security and compliance, in our industry, it is well understood that compliance does not equal security – not even close to it.

I saw an article today, which says it all. A key statement read, “There is a report that over the holidays several retailers disabled the EMV (Chip and Pin) functionality of their card readers. The reason for this? They did not want to deal with the extra time it takes for a transaction. With a standard card swipe (mag-swipe) you are ready to put in your pin and pay in about three seconds. With EMV this is extended to roughly 10 seconds.” Based on my personal and professional experience with several retail organizations, I am not surprised by this. Most retailers just don’t want to have to do security at all. You, shoppers, are the ones who pay the price for it.

IT Lacks Engineering Discipline and Rigor

Every week we read the news about new, spectacular security breaches. This has been going on for years, and sometimes I wonder if there are any organizations left that have not been breached.

Why are breaches occurring at such a clip? Through decades of experience in IT and data security, I believe I have at least a part of the answer. But first, I want to shift our focus to a different discipline, that of civil engineering.

Civil engineers design and build bridges, buildings, tunnels, and dams, as well as many other things. Civil engineers who design these and other structures have college degrees, and they hold a license called a Professional Engineer. In their design work, they carefully examine every component and calculate the forces that will act upon it, and size it accordingly to withstand expected forces, with a generous margin for error, to cover unexpected circumstances. Their designs undergo reviews before their plans can be called complete. Inspectors carefully examine and approve plans, and they examine every phase of site preparation and construction. The finished product is inspected before it may be used. Any defects found along the way, from drawings to final inspection, result in a halt in the project and changes in design or implementation. The result: remarkably reliable and long-lasting structures that, when maintained properly, provide decades of dependable use. This practice has been in use for a century or two and has held up under scrutiny. We rarely hear of failures of bridges, dams, and so on, because the system of qualifying and licensing designers and builders, together with design and construction inspections, works. It’s about quality and reliability, and it shows.

Information technology is not anything like civil engineering. Very few organizations employ formal design with design review, or inspections of components during the development of networks, systems, and applications. The result: systems that lack proper functionality, resilience, and security. I will explore this further.

When organizations embark to implement new IT systems – whether networks, operating systems, database management systems, or applications – they do so with little formality of design, and rarely with any level of design or implementation review. The result is “brittle” IT systems that barely work. In over thirty years of IT, this is the norm that I have observed in over a dozen organizations in several industries, including banking and financial services.

In case you think I’m pontificating from my ivory tower, I’m among the guilty here. Most of my IT career has been in organizations with some ITIL processes like change management, but utterly lacking in the level of engineering rigor seen in civil engineering and other engineering disciplines. Is it any wonder, then, when we hear news of IT project failures and breaches?

Some of you will argue that IT does not require the same level of discipline as civil or aeronautical engineering, mostly because lives are not directly on the line as they are with bridges and airplanes. Fine. But, be prepared to accept losses in productivity due to code defects and unscheduled downtime, and security breaches. If security and reliability are not a part of the design, then the resulting product will be secure and reliable by accident, but not purposely.

So Long, Microsoft, And Thanks For All The Fish

Word Version 1.1a


I have been using Microsoft software since 1985 when I purchased Microsoft Word and Microsoft Multiplan for my new Zenith Z160 “portable” PC. I’ve used Word continuously for thirty years at home, at work, as a university instructor, and as a published author.

I wrote my first three books in FrameMaker, a superior but far more expensive word processor ($500 per user in 1998), as required by my publishers at the time. But by the early 2000s most had moved to Word, since Microsoft had sufficiently closed the feature gap.

I’m coming to realize that this weekend might be the last time I use Microsoft software – at home anyway (I use a PC running Windows 7 and Office for work).


Zenith Z160 portable computer

I ordered a new MacBook Pro yesterday, and it will arrive on Monday. The MBP comes with Apple’s versions of office programs, called Pages, Keynote, and Numbers. Next week I will try them out on my university teaching and on my current writing project. If it goes alright and I figure out all of the subtle differences, I will probably not purchase Office for the new Mac.

Part of this comes down to economics. Office for Mac costs $150 or more, and the same programs from Apple cost $20 apiece (if you don’t have a new Mac that came with them), or free with your Mac since some time in the past year or two.

I’ll post a review of Pages, Keynote, and Numbers in a month or so after I’ve been using them a while.

Still, I can’t help but feel somewhat nostalgic, as I’ve had Word with me nearly all of my adult life. But as the dolphins exclaim in Hitchhiker’s Guide to the Galaxy, “So long, and thanks for all the fish.”

In air travel and data security, there are no guarantees of absolute safety

The recent tragic GermanWings crash has illustrated an important point: even the best designed safety systems can be defeated in scenarios where a trusted individual decides to go rogue.

In the case of the GermanWings crash, the co-pilot was able to lock the pilot out of the cockpit. The cockpit door locking mechanism is designed to enable a trusted individual inside the cockpit to prevent an unwanted person from entering.

Such safeguards exist in security mechanisms in information systems. However, these safeguards only work when those at the controls are competent. If they go rogue, there is little, if anything, that can be done to slow or stop their actions. Any administrator with responsibilities and privileges for maintaining software, operating systems, databases, or networks has near-absolute control over those objects. If they decide to go rogue, at best the security mechanisms will record their malevolent actions, just as the cockpit voice recorder documented the pilot’s attempts to re-enter the cockpit, as well as the co-pilot’s breathing, indicating he was still alive.

Remember that technology – even protective controls – cannot know the intent of the operator. Technology, the amplifier of a person’s will, blindly obeys.

DSL Hell

I am a CenturyLink DSL customer in Seattle, WA. CenturyLink advertises 1 Gig Internet, but in our neighborhood, 10MB is all that is available. Countless inquiries to customer support and tech support have not identified a soul who knows if or when faster DSL is coming to my neighborhood.

Often, the DSL is so bad that simple tasks such as loading web pages time out. Speed tests typically show < 1MB of download speed. Here is a typical test from earlier today.

CenturyLink techs have been out to the house numerous times. I’ve tried several different modems. I’ve bypassed my internal wiring altogether. Nothing they have done has made any difference.

I am a work from home (WFH) security consultant. However, on bad days, WFH is more like “wait from home”. Some days it seems like a miracle if my VPN connection stays up for more than an hour.

Here in Seattle, my only choices are CenturyLink for DSL and Comcast. CenturyLink has had two years to get the DSL service working right. Comcast, you’re next. My neighbors all say their Comcast Internet rocks and is really fast. Let’s hope so.

Don’t let it happen to you

This is a time of year when we reflect on our personal and professional lives, and think about the coming years and what we want to accomplish. I’ve been thinking about this over the past couple of days… yesterday, an important news story about the 2013 Target security breach was published. The article states that Judge Paul A. Magnuson of the Minnesota District Court has ruled that Target was negligent in the massive 2013 holiday shopping season data breach. As such, banks and other financial institutions can pursue compensation via class-action lawsuits. Judge Magnuson said, “Although the third-party hackers’ activities caused harm, Target played a key role in allowing the harm to occur.” I have provided a link to the article at the end of this message.

Clearly, this is really bad news for Target. This legal ruling may have a chilling effect on other merchant and retail organizations.

I don’t want you to experience what Target is going through. I changed jobs at the beginning of 2014 to help as many organizations as possible avoid major breaches that could cause irreparable damage. If you have a security supplier and service provider that is helping you, great. If you fear that your organization may be in the news someday because you know your security is deficient (or you just don’t know), we can help in many ways.

I hope you have a joyous holiday season, and that you start 2015 without living in fear.

http://www.infosecurity-magazine.com/news/target-ruled-negligent-in-holiday/

Padding Your Resume

It’s a popular notion that everyone embellishes their resume to some extent. Yes, there is probably some truth to that statement. Now and then we hear a news story about people “padding their resumes”, and once in a while we hear a story about some industry or civic leader who is compelled to resign their position because they don’t have that diploma they claimed to have on their resume.

Your resume needs to be truthful. In the information security profession, the nature of our responsibility and our codes of ethics require a high standard of professional integrity. More than in many other professions, we should not ever stretch the truth on our resume, or in any other written statements about ourselves. Not even a little bit. Those “little white lies” will haunt us relentlessly, and the cost could be even higher if we are found out.

– first draft excerpt from Getting An Information Security Job For Dummies

iOS Apps That Improve My Professional Life

I rarely write publicly about apps I use on my iPhone and iPad, but there are a few I have been raving about with my colleagues and clients lately.

1. Sleep Cycle

This is a unique alarm clock that tracks my sleep quality. It uses the iPhone’s motion sensors to track whether I’m tossing and turning, or sleeping more soundly. But my favorite feature is the intelligent wake-up alarm that gently wakes me up when my sleep is shallower. How it works: say that I want my alarm to go off at 6:00am; Sleep Cycle will monitor my sleep “depth” for the 20 minutes (configurable) prior to 6am and awaken me when I’m almost awake anyway. The result: since starting to use Sleep Cycle three months ago, I have not been shocked out of a deep sleep by my alarm. Instead, I’m nudged awake and, as the first thing I experience during the day, it makes for a better day.

2. Waze

This is the navigation app that sort of “crowdsources” traffic conditions and hazards. Like Google Maps, it speaks turn-by-turn directions to my destination. But where it’s different: Waze is aware of the speeds of other drivers on my route, and if traffic suddenly slows (on the interstate as well as on city streets and country roads), Waze will navigate me around it.

Another cool feature: if there is a hazard ahead (accident, vehicle in road, vehicle on shoulder, debris), Waze will warn me with remarkable accuracy. How this works: as you are traveling your route, if you see one of these, two or three taps will mark the hazard and warn others behind you. When the hazard is gone, you just tap “not there” and drivers behind you won’t be warned.

Another nice feature for me is that the turn-by-turn directions can be transmitted via Bluetooth to my so-equipped motorcycle helmet, with my iPhone in my jacket pocket. I get turn-by-turn directions in audio only, and I can still find my way to a new client location in nice weather when I’m motorcycling.

3. Uber

Perfect for my business travel. I really don’t need to say any more.

4. Urban Spoon

As a frequent business traveler, I’m often trying new restaurants and looking for something new for internal or client dinners. You can filter by cuisine, distance, rating, cost, or just randomly select someplace nearby if you are feeling adventurous.