3 PR disasters caused by innocent mistakes

badhillary31

What the Hillary Clinton email scandal proves is that you don’t even need a proven data leak to brew a public relations storm. The media will punish you nevertheless. It was recently discovered that Hillary Clinton ran a private email server from home for all emails, including work related ones. This makes it easy for eavesdroppers to obtain state secrets. (Which they can do without her knowing) Given that she is Secretary of State and in regular contact with the President, this is bad news for US national security. How bad? The backlash is severe and may affect her chances of securing Presidency at the next election. She is not alone though. History is littered with many examples of how disastrous, even a potential data leak may be.

1. Bank of America

In 2005, the Bank of America lost unencrypted backup tapes containing the banking and credit card details of 1.2 million federal employees (including senators). This was embarrassing. Technology executives were forced to issue public statements about the loss and regulators made fresh inquiries into whether new regulations were needed. 

2. NARA

In 2009, the National Archive and Records Administration lost two unencrypted hard drives. One contained the names and social security numbers of 76 million US military veterans. The other contained the private information and social security numbers of 250000 White House employees (including the daughter of Al Gore). They were thrashed by the media and had to compensate the victims. A $50,000 bounty was also offered for the missing hard drives. Not sure if that offer still stands. 

3. Emory Healthcare

In 2012, Emory healthcare misplaced 10 unencrypted backup discs containing 315,000 patient file records and social security numbers. These were misplaced or stolen after being placed in an unlocked cabinet. They were never found. The CEO of the company had to publicly apologise for the data breach. 

This may seem extreme but this is more commonplace than you would think, even in companies with solid IT Security controls. Voltage security found that 85% employees bypass security controls to get access to more data and 46% companies have breached security controls to avoid the possibility of a sales loss. The worst offenders are senior managers. Stroz Friedberg found that senior executives are the guiltiest culprits when it comes to sending work emails to their personal email and taking intellectual property with them when they leave the job.

To defend against this, classify information, encrypt your data and increase security awareness across all levels. 

3 Questions for Teachers. Are they adequately preparing young minds for the Internet of Things?

teacher_child_computer2

We have become so immersed in Technology that everyone from babies to retirees are online. My mum, who used to struggle with the most basic computer tasks (turning the computer on/off) is now addicted to her mobile and tablet devices. This phenomena will only increase as a plethora of new digital technologies emerge to disrupt traditional streams.

What this means is that Technology skills are no longer just limited to the domain of IT administrators, but in every business and industry. Some countries, like Australia, are already building Technology skills into their primary/ elementary school curriculum. Even from the perspective of a Generation Y-er, this is radical. As technologically savvy as we are, we received our education from the good ol’ textbook and pen. We had a classroom computer in primary school and maybe one shared computer at home, connected to dial-up. Our backs would ache from the heavy textbooks in our backpack.

To prepare the next gen for the digital revolution, our teachers need to set a good role model and embrace technology themselves.

1. Protecting online identities: Do teachers teach or preach?

Preaching is telling someone what to do and teaching is to share an experience. A teacher giving a lecture about online safety is even more powerful if they can back it up with their own experiences of setting up a personal brand online and protecting their own online identities.

2. Are female teachers setting good role models for girls?

I used to think technology was hard. If I told my teen self that I would be working in IT, my teen self would laugh, even though I was quite proficient with computers. When I was a little girl (around 6?), I managed to set the time on an oven, after all the adults had given up. It wasn’t because they were dull or I was bright, I was just more persistent than them.

So what happened?

In primary and secondary school, a lot of technology would fail during key presentations (VCRs, projectors, computers etc.) and if a female teacher was presenting, she would either call “one of the guys” to fix it or be taken over by one. Watching these smart, inspirational teachers get defeated by technology and needing to be rescued may have affected my own confidence in technology. Even if she tried to fix it, one of the boys would inevitably take over. He may fumble a bit but the class will wait for him to figure it out. Some female teachers would even complain that technology is just too difficult to understand. No wonder I felt that Technology was a guys domain!

3. Are teachers positively embracing digital? 

There is nothing more discouraging than to hear someone of authority complain about something being too difficult or hard. Teachers may make comments like “I don’t get coding” or “I can’t keep up with the changes” on the side and not realize how these comments affect the confidence of young minds. On the flip side, imagine how inspirational it may be for young people to hear about how their legal studies teacher created his/her own crowd-funded website and blog that has 1,000 followers!

5 Lessons from the SHA-1 deprecation

When Microsoft announced that they will no longer accept SHA1 certificates from 1 January 2017, and Google said that they will start showing warnings as early as 2015, a cold sweat ran down the backs of IT operators across the world. This was a ticking time bomb, one that would require many wires to be carefully cut before services dropped dead come 2017. For those working in environments which may be infested with hundreds of these SHA1 instances (possibly hidden in legacy servers, clients and applications), this was going to be one messy clean-up exercise.

Even as you are busily working away all your SHA-1 dramas, know that you are not alone! We can get through this together. In fact, the greatest thing is that there are tons of support out there. So let us grab a drink (non-alcoholic if you are on-call) and recap over what we have learnt over the past couple of months.

  1. Cuz Microsoft hurts too…

The fact that the active deprecation of SHA1 is Microsoft led and that even the Certification Authorities were ill-prepared for this change, bought a lot of questions to mind. Was this a joke just to show us how powerful they are? Will Microsoft take it back in time? Unfortunately, this isn’t a joke and Microsoft are deadly serious.

What may have contributed to this is the Flame virus, discovered by Russian antivirus firm Kaspersky in 2012. Attackers performed a hash-collision on a weak md5 certificate to create a fake certificate. In doing so, they were able to impersonate Microsoft and distribute malware through their Update Service. This was used for spying and espionage on infected targeted systems in Iran, Lebanon, Syria, Sudan and the Israeli Occupied Territories for an unknown period (2-5 years potentially). Although this was a rare and highly sophisticated attack requiring massive amounts of computing power and one that is difficult for the standard attacker to replicate, it is fair to say that this is probably something Microsoft doesn’t want a repeat of.

  1. Microsoft and Google ARE almighty.

When Google announced that they were going to begin showing warnings as early as 2015, from the “Secure, but with minor errors” to the flat-out “Insecure” warnings, many of us wanted to boycott Google Chrome and tell our users to use another browser. However, after additional thought (30 seconds), this was replaced by a sigh of resignation. After all, Google Chrome do own a huge slice of the pie when it comes to market share. In Australia, they own the majority of market-share and they ARE trying to do the right thing.

Their view is that, as long as SHA-1 continues to be supported, there will be little work to deprecate SHA1. Even though the CA/Browser Forum’s Baseline Requirements recommended an upgrade to SHA-2 in 2011, CA’s were reluctant to stop issuing SHA-1 certificates due to market pressure. The transition from MD5 to SHA-1 took ages and caused many headaches for Google when they finally removed support for the algorithm. Therefore, the only way to give this the push it requires is for a browser-led initiative.

  1. When it rains, it storms

As if SHA-1 deprecation wasn’t enough for IT operators to deal with, some versions of OpenSSL were bleeding with Heartbleed while POODLE killed SSLv3. Then after some reprieve, FREAK came along to remind us that the rain never really stops. It was like being in the middle of a heart transplant, when fluid starts leaking into the lungs and then the liver fails. I will explore some of these attacks in more detail in my next post.

  1. Migrating to SHA-2 is painful

In complex environments, it may be difficult to discover all the SHA1 certificates out there. Especially if there are certificates issued by multiple External and Internal Certification Authorities. It can also take a long time to identify the support teams and businesses that own the domains. There are some certificate discovery tools that can be purchased from your CA (e.g. Symantec or Digicert both issue them). These scan the network for any SSL certificates (issued by any CA). A good discovery tool should be fast to implement and easy to set-up (they may also be able to detect misconfigured certificates or other vulnerabilities (e.g. BEAST).

While most modern and commonly used clients, devices and servers support SHA-2, there are legacy clients, devices, applications and servers that do not support SHA-2 and may require additional patching before the migration can occur. For example, Windows Server 2003 will require further patching. Windows XP running on anything less that Service Pack 3 will require an upgrade (even though XP should no longer be used). Some applications running on supported systems may not be able to validate SHA2 certificates (e.g. Outlook 2003). The true impact will not be known until you begin testing.

  1. Getting support and prioritization from the business is hard

Let’s be honest here, nobody really cares about the insecurities of SHA-1, not really. Especially since the attacks are still practically infeasible and will take huge amounts of computing power to achieve. The CA browser community didn’t care enough to do anything about it until Microsoft and Google posed their challenge, so why would businesses care? In a large organization, where change is slow and budgets are spliced, coordinating an effort as big as this one, in a short timeline, is suffice to say, difficult. Success will require a coordinated effort by IT Support, customer support, business application owners, managers and security to collaborate effectively. To get all these teams on board and motivated to take action, there needs to be strong buy-in. It is all in or nothing. Therefore, Microsoft setting a review of this, sometime in July this year to “assess” whether to go ahead or not sets us in limbo and makes it hard to gather appropriate prioritization and support. There can be no “yes this may happen but maybe it won’t” scenarios to play out. Teams are busy enough. What helps is to have a clear deadline. What doesn’t help is any ambiguity. Meanwhile, time is ticking…