The Equifax data breach that was revealed last week has so far been an unmitigated disaster – for the company. While we could spend the entire show talking about the firm’s missteps, we just touch quickly on the lowlights, including poor IT management, the lousy breach notification, a confusing website that was constructed in haste and with overwrought legalese, the lack of quality reporting from the general and security trade press about the incident, and how hard it is to find out whether your own personal information has been compromised. Sadly, this breach will be a case study of what not to do in marketing communications for years to come.

We move on to something that we both have spoken and written about frequently, keyed to a piece that ran this week on Sam Whitmore’s Media Survey (we’d give you a link, but the site is behind a paywall). It’s about David’s attitude toward PR pitches. He and Paul go over some of their preferences on things like the length of pitches, whether to mention competitors, how pitches use metaphors, and the value of third-party endorsements. One thing we agree on: re-pitching – or following up on an earlier pitch – is a good way to put yourself in the doghouse and end up in the deleted email pile.


HPE Enterprise.Nxt: The rise of ransomware

Ransomware is a troubling trend. Novice criminals with little technical savvy and cheap software can generate big payouts and impact enterprise operations. Here’s what you need to know about the changing ransomware landscape. Ransomware happens to be the fifth most common form of malware, and is expected to see a 300 percent increase this year, according to MWR InfoSecurity. 

You can read my analysis here on HPE’s Enterprise.Nxt site. I review some of its history, highlight a few of the recent innovations with ransomware-as-a-service (such as this web dashboard from Satan shown here), and make a few suggestions on how to prevent it from spreading around your company.

Time to really go paperless when it comes to boarding passes

I have been a big fan of paperless airline boarding passes almost since their introduction, and a recent post reminded me of yet another reason: printed passes can become an easy way to compromise your identity. The reason is a combination of low and high technology, all leveraging your smartphone’s camera.

The issue has to do with the way the airlines make it easy to use the printed bar code information to gain access to your flight details. Brian Krebs first wrote about this several years ago, and if you still use printed boarding passes, the first thing you should know is that you shouldn’t post pictures of them on any of your social media outlets. Krebs found more than 90,000 such images when he did a quick search.

So here is what could happen. Criminals look for these photos, and can then use the QR code or the booking reference number to gain access to your flight details. Think about this for a moment. Let’s say you are on vacation, and you post your obligatory “here I am at the airport about to take off for a long trip on the other side of the planet” photo. Now someone comes along and can change your return flight, or use this information to leverage more identity theft, since the booking contains information such as your passport number and birthdate.

And of course, posting flight details is another way that criminals could decide to pay your unoccupied home a visit while you are away too.

Some folks purposely blur out the details about their name, but leave the barcode visible, such as this photo above, where we can find out her full name by scanning the barcode. Oops.
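To see what a scanned barcode actually hands over, here is an added example (not from Krebs’s post or this blog) that decodes the mandatory fields of the IATA bar-coded boarding pass (BCBP) format, the fixed-width text any barcode reader returns from a boarding pass. The sample record is constructed; running your own pass through it shows that your full name and booking reference travel in the barcode even when you blur them in the photo.

```python
"""Added example: decode what a boarding-pass barcode actually contains.

The barcode on a printed (or mobile) pass carries a fixed-width text record in
the IATA bar-coded boarding pass (BCBP) format. This decodes the mandatory
items of a single-leg 'M' record. The sample record below is constructed.
"""
from datetime import date, timedelta

# (item, width) for the first leg's mandatory fields, in the order they appear.
MANDATORY_FIELDS = [
    ("format_code", 1), ("legs", 1), ("passenger_name", 20),
    ("eticket_indicator", 1), ("pnr", 7), ("from_airport", 3),
    ("to_airport", 3), ("carrier", 3), ("flight_number", 5),
    ("julian_date", 3), ("compartment", 1), ("seat", 4),
    ("checkin_sequence", 5), ("passenger_status", 1), ("variable_size_hex", 2),
]
MANDATORY_LENGTH = sum(width for _, width in MANDATORY_FIELDS)  # 60 characters


def decode_bcbp(record: str, year: int) -> dict:
    """Split the fixed-width record into named fields.

    The flight date is stored only as a day-of-year, so the caller supplies the
    year it assumes (normally the current one).
    """
    if not record.startswith("M") or len(record) < MANDATORY_LENGTH:
        raise ValueError("not a BCBP 'M' record")
    fields, pos = {}, 0
    for name, width in MANDATORY_FIELDS:
        fields[name] = record[pos:pos + width].strip()
        pos += width
    day_of_year = int(fields["julian_date"])
    fields["flight_date"] = (date(year, 1, 1) + timedelta(days=day_of_year - 1)).isoformat()
    # Length of the optional block that follows the mandatory items, given in hex.
    fields["variable_field_length"] = int(fields["variable_size_hex"], 16)
    return fields


def identifying_fields(fields: dict) -> dict:
    """The items the post above warns about: they identify the traveler and the booking."""
    return {k: fields[k] for k in ("passenger_name", "pnr", "carrier", "flight_number", "flight_date")}


# Constructed record, built from parts so the field widths are explicit.
SAMPLE_RECORD = (
    "M" + "1"
    + "DOE/JANE MARIE".ljust(20)   # passenger name
    + "E"                          # electronic ticket indicator
    + "Q7X9K2".ljust(7)            # booking reference (PNR)
    + "LAX" + "JFK" + "UA".ljust(3)
    + "0123".ljust(5)              # flight number
    + "250"                        # day of year
    + "Y" + "014C"                 # compartment, seat
    + "0042".ljust(5)              # check-in sequence
    + "1"                          # passenger status
    + "00"                         # no optional data follows
)

if __name__ == "__main__":
    decoded = decode_bcbp(SAMPLE_RECORD, 2017)
    for key, value in identifying_fields(decoded).items():
        print(f"{key:>16}: {value}")
```

The name and PNR fields are plain text at fixed offsets, which is why blurring the printed name while leaving the barcode visible protects nothing.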

This method works for dumpster diving too. How many of us leave our used boarding passes on board the aircraft we are leaving, thinking they are of no further use? I have done that several times. Again, someone could use that information to hijack my account. So avoid leaving your boarding pass in the trash at the airport or tucked into that seat-back pocket in front of you before deplaning. Instead, bring it home and shred it. And don’t take pictures of your boarding pass. Finally, be careful of spreading your “real” birthday around on social media. My “birthday” has been January 1 for several years; my real friends know when it actually is.

So go paperless when you can. And be careful what you post online.

Estonia leads the way in digital innovation

My father’s father emigrated to America from Lithuania about a hundred years ago, and one day I intend to visit the Baltic region and see the land for myself, as my sister and I did earlier this year when we visited my mother’s homeland in northeast Poland. In my mind, the next best thing is to follow the activities of Estonia, a neighboring nation that is doing some interesting things online. (I know, my mind works in strange ways. But bear with me, I needed an intro for this essay.)

One reason why I am interested in Estonia is something that they have had in place for many years called the e-Resident program. Basically, this is an ID card issued by their government, for use by anyone in the world. You don’t have to ever live there, or even want to live there. More people have signed up for this ID than are actual residents of the country, so it was a smart move by their government to widen their virtual talent pool. Once you have this ID, you can register a new business in a matter of minutes. Thousands of businesses have been started by e-Residents, which also helps to bring physical businesses there too. In many countries, offshore businesses are required to have a local director or local address. Not Estonia.

So last week, after thinking more about this, I finally took the e-Resident plunge. It costs about $100, and you need to take a picture of your passport and fill out a simple form. When the ID card is ready, you have to physically go and pick it up at an Estonian embassy (either NYC or DC would be the closest places for me).

Well, as usual, it was bad timing for me. I should have waited a little bit longer. This week we learned that there are potential exploits with the ID cards, at least the cards that have been circulating for the past several years. Almost 750,000 cards are affected. According to Estonian officials, the risk is a theoretical one and there is no evidence of anyone’s digital identity actually being misused. It might change how the IDs are used in next month’s national elections, although they haven’t decided on that. About a third of their voters do vote online. I am confident that they will figure out a fix. Hopefully before my next DC business trip.

Estonia is leading the world in other digital matters too. Lots of companies have disaster recovery data centers located far from their headquarters, but that is an issue for Estonia, which is small enough that far is just a few minutes’ drive. So they came up with another plan: Estonia will be the first government to build an off-site data center in another country. The government will make backup copies of its critical data infrastructure and store them in Luxembourg if agreements between the two countries are reached. My story in IBM’s Security Intelligence blog goes into more detail on what they call their “data embassy.” They have lots of other big digital plans too, such as using 100% digitized textbooks in their education system by the end of the decade and a public sector data exchange facility with Finland that they are putting in place this year.

Earlier this year, I read about a course they offered called “Subversive Leverage and Psychological Defense” to master’s degree students at their Academy of Security Sciences. The students are preparing for positions in the Estonian Internal Security Service. The story from CSM Passcode goes into more details about how vigilant they have to be to fight Russian propaganda. These aren’t isolated examples of how sophisticated they are. They also were the first EU country to teach HTML coding in its elementary schools back in 2012, and the Skype software was developed there.

Their former Prime Minister Taavi Rõivas has even appeared on The Daily Show with Trevor Noah to talk about these programs. Clearly, they have a strong vision, made all the more impressive by the fact that they had almost no Internet access just a few years ago when they were still part of the Soviet empire. Certainly a place to keep an eye on.

iBoss blog: What is OAuth and why should I care?

The number of choices for automating login authentication is a messy alphabet soup of standards and frameworks, including SAML, WS-Federation, OpenID Connect, OAuth, and many others. OAuth began its life about seven years ago as an open standard that was created to handle authorization by Twitter and Google. Today I will take a closer look at this standard, and you can read the rest of my post on iBoss’ blog here.

Stopping malicious website redirects

In my work as editor of Inside Security’s email newsletter, I am on the lookout for ways that criminals can take advantage of insecure Internet infrastructure. I came across this article yesterday that I thought I would share with you and also take some time to explain the concept of the malicious redirect. This is how the bad guys turn something that was designed to be helpful into an exploit.

A redirect is code you put at a web address that is no longer in service so that you don’t lose the visitor who lands there. The most likely situation is that someone clicked on an old link and arrived at that location, so you send them on to the appropriate place on your website. Simple, right?

Now the bad guys have used this, but instead of being helpful, they use the redirect code to point you to a place that contains some malware, in the hopes that you will not notice that the new web page is a trap and in an instant, your computer is now infected with something. Surprise! Sadly, this happens more and more.

In a post on Sucuri’s blog, researchers describe several ways the malicious redirect can happen. One way is by leveraging configuration files such as .htaccess or .ini files. These are files associated with web servers that control all sorts of behavior and are usually hidden from ordinary browsing. Usually, your website security prevents folks from messing with these files, but if you made setup errors or if you aren’t paying attention, the configuration files can be exposed to attackers. Another way is by having an attacker mess with your DNS settings so that visitors to your site end up going somewhere else. How does some attacker gain access to your DNS servers? Typically, it is through a compromised administrative account password. Do you really know who in your organization has access to this information? Probably more people than you realize. When was the last time you changed this password anyway?
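To make the redirect mechanisms above concrete, here is an added example (not from the Sucuri post or from this site) that scans page HTML for meta-refresh and JavaScript redirects, and an Apache .htaccess for Redirect and RewriteRule directives, and flags any destination outside the site’s own hostnames. The allowlist of own hosts, the sample page and the sample .htaccess are constructed. The check for a RewriteCond on the referrer or browser is a heuristic I added: a rule that fires only for some visitors is harder for the site owner to notice when loading their own pages.

```python
"""Added example: flag redirects that send visitors off-site.

Scans page HTML (meta refresh, JavaScript location changes) and Apache
.htaccess rules (Redirect, RewriteRule) for destinations whose host is not
one of our own. All sample inputs below are constructed.
"""
import re
from urllib.parse import urlparse

# Hostnames this site legitimately redirects to (constructed allowlist).
OWN_HOSTS = {"example.com", "www.example.com"}

# <meta http-equiv="refresh" content="0; url=...">
META_REFRESH = re.compile(
    r'<meta[^>]*http-equiv=["\']?refresh["\']?[^>]*content=["\']\s*\d+\s*;\s*url=\s*([^"\'\s>]+)',
    re.IGNORECASE,
)
# window.location = "..."; location.href = "..."; location.replace("...")
JS_LOCATION = re.compile(
    r'(?:window\.|document\.)?location(?:\.href)?\s*(?:=\s*|\.replace\(\s*)["\']([^"\']+)["\']',
    re.IGNORECASE,
)
# Redirect [status] /from /to      RedirectMatch [status] regex /to
APACHE_REDIRECT = re.compile(
    r'^\s*Redirect(?:Match|Permanent|Temp)?\s+(?:(?:\d{3}|permanent|temp|seeother)\s+)?(\S+)\s+(\S+)',
    re.IGNORECASE,
)
# RewriteRule pattern target [flags]
APACHE_REWRITE = re.compile(r'^\s*RewriteRule\s+\S+\s+(\S+)(?:\s+\[([^\]]*)\])?', re.IGNORECASE)
# A RewriteCond on the visitor's referrer or browser gates the rule that follows it.
APACHE_COND = re.compile(r'^\s*RewriteCond\s+%\{(?:HTTP_REFERER|HTTP_USER_AGENT)\}', re.IGNORECASE)


def is_external(url: str) -> bool:
    """True when the destination names a host outside OWN_HOSTS (relative URLs are internal)."""
    host = urlparse(url).hostname
    return host is not None and host.lower() not in OWN_HOSTS


def scan_html(html: str) -> list[dict]:
    """Return off-site redirects found in a page body."""
    findings = []
    for kind, pattern in (("meta-refresh", META_REFRESH), ("js-location", JS_LOCATION)):
        for dest in pattern.findall(html):
            if is_external(dest):
                findings.append({"source": kind, "destination": dest, "conditional": False})
    return findings


def scan_htaccess(text: str) -> list[dict]:
    """Return off-site redirects found in Apache per-directory config."""
    findings = []
    gated = False  # set when a referrer/user-agent RewriteCond precedes the next RewriteRule
    for line in text.splitlines():
        if APACHE_COND.match(line):
            gated = True
            continue
        m = APACHE_REDIRECT.match(line)
        if m and is_external(m.group(2)):
            findings.append({"source": "Redirect", "destination": m.group(2), "conditional": False})
            continue
        m = APACHE_REWRITE.match(line)
        if m:
            dest, flags = m.group(1), m.group(2) or ""
            flag_names = {f.split("=")[0].strip().upper() for f in flags.split(",") if f.strip()}
            # Only an R flag or an absolute URL target actually sends the browser elsewhere.
            if ("R" in flag_names or "://" in dest) and is_external(dest):
                findings.append({"source": "RewriteRule", "destination": dest, "conditional": gated})
            gated = False  # conditions apply only to the rule directly after them
    return findings


# Constructed samples: one honest redirect, one hidden one in each.
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="0; url=https://www.example.com/new-page">
<script>window.location.href = "http://malware-drop.invalid/landing";</script>
</head></html>"""

SAMPLE_HTACCESS = r"""# constructed .htaccess
Redirect 301 /old-page https://www.example.com/new-page
RewriteEngine On
RewriteCond %{HTTP_REFERER} google\.com [NC]
RewriteRule ^(.*)$ http://malware-drop.invalid/$1 [R=302,L]
RewriteRule ^blog/(.*)$ /articles/$1 [L]
"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML) + scan_htaccess(SAMPLE_HTACCESS):
        print(finding)
```

Run it against your own page templates and .htaccess after any change you did not make yourself; a finding marked `conditional` is one you would never see by visiting the page directly.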

My office is in a condo complex that has several doors to a public alley. Each of the doors has a combination lock and all of the doors have the same combination. A year or so ago, the board was discussing that it might be time to change the combination because many people – by design – know what this combination is. This is just good security practice. Now the analogy isn’t quite sound – by design a lot of people have to know this number, otherwise no one can get out to the alley to take their trash out – but still, it was a good idea to regularly change the access code.

Neither of these exploit methods is new: they have been happening almost since the web became popular, sadly. So it is important that if you run websites and don’t want your reputation ruined or have some criminal spreading malware that you at least understand what can happen and make sure that you are protected.

But there is another way redirects can happen: by an attacker grabbing an expired domain name and leveraging its associated WordPress plug-in. Since a lot of you run WordPress sites, I want to take a moment to describe this attack method.

  • Attacker finds a dormant plug-in in the WordPress catalog. Given the thousands of plug-ins, there are lots that haven’t been updated in several years.
  • Check the underlying domain name that is used for the plug-in. If it isn’t active, purchase and register the name.
  • Set up a website for this domain that contains malicious JavaScript code for the redirect.
  • Change the code on your plug-in to serve up the malware whenever anyone uses it.
  • Hope no one notices and sit back as the Internet spreads your nasty business far and wide.

Moral of the story: Don’t use outdated plug-ins, and limit the potential for attacks by deleting unused plug-ins from your WordPress servers anyway. Make use of a tool such as WordFence to protect your blogs. Update your blog with the latest versions of WordPress and the latest plug-in versions too while you are at it.
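As an added example (not a WordFence feature and not from the original post), the following script inventories a WordPress plug-ins directory for the two signals described above: plug-in code that loads scripts or stylesheets from a remote host, and a readme.txt whose “Tested up to” version shows the plug-in has not been maintained. The plug-in files, hostnames and the version threshold are constructed assumptions; the list of remote hosts it reports is what you then verify is still registered to, and controlled by, the plug-in’s author.

```python
"""Added example: inventory what your WordPress plug-ins pull in from elsewhere.

Walks plug-in sources for scripts and stylesheets loaded from a remote host and
reads each readme.txt 'Tested up to' line as a staleness signal. The sample
plug-in files, hostnames and version threshold are constructed assumptions.
"""
import re
from pathlib import Path
from urllib.parse import urlparse

# Hosts that are ours or already vetted (constructed allowlist).
TRUSTED_HOSTS = {"example.com", "www.example.com"}
# Plug-ins not tested against at least this WordPress version count as dormant
# (assumed threshold; set it a release or two below the version you run).
MIN_TESTED_WP = (4, 7)

# Ways a plug-in loads remote code or assets.
SCRIPT_SRC = re.compile(r'<(?:script|link)[^>]+(?:src|href)=["\']([^"\']+)["\']', re.IGNORECASE)
ENQUEUE = re.compile(
    r'wp_enqueue_(?:script|style)\s*\(\s*["\'][^"\']*["\']\s*,\s*["\']([^"\']+)["\']',
    re.IGNORECASE,
)
TESTED_UP_TO = re.compile(r'^Tested up to:\s*(\d+(?:\.\d+)*)', re.IGNORECASE | re.MULTILINE)


def remote_hosts(source: str) -> set[str]:
    """Hostnames outside TRUSTED_HOSTS that this source loads assets from."""
    hosts = set()
    for pattern in (SCRIPT_SRC, ENQUEUE):
        for url in pattern.findall(source):
            host = urlparse(url).hostname
            if host and host.lower() not in TRUSTED_HOSTS:
                hosts.add(host.lower())
    return hosts


def parse_version(text: str) -> tuple[int, ...]:
    """'4.10' -> (4, 10), so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in text.split("."))


def audit_plugins(files: dict[str, str]) -> dict[str, dict]:
    """files maps 'plugin-slug/relative/path' to contents; returns one entry per slug."""
    report: dict[str, dict] = {}
    for path, content in files.items():
        slug = path.split("/", 1)[0]
        entry = report.setdefault(slug, {"remote_hosts": set(), "tested_up_to": None, "dormant": False})
        entry["remote_hosts"] |= remote_hosts(content)
        if path.endswith("readme.txt"):
            m = TESTED_UP_TO.search(content)
            if m:
                entry["tested_up_to"] = m.group(1)
                entry["dormant"] = parse_version(m.group(1)) < MIN_TESTED_WP
    return report


def needs_review(report: dict[str, dict]) -> list[str]:
    """Plug-ins that are both unmaintained and loading code from a host the author may no longer own."""
    return sorted(slug for slug, e in report.items() if e["dormant"] and e["remote_hosts"])


def load_plugin_dir(root: str) -> dict[str, str]:
    """Build the files mapping from a real wp-content/plugins directory."""
    base = Path(root)
    return {
        str(p.relative_to(base)).replace("\\", "/"): p.read_text(errors="ignore")
        for p in base.rglob("*")
        if p.is_file() and p.suffix in {".php", ".js", ".html", ".txt"}
    }


# Constructed plug-in files: one stale plug-in pulling remote code, one healthy one.
SAMPLE_PLUGIN_FILES = {
    "nice-widget/nice-widget.php": """<?php
/* Plugin Name: Nice Widget */
wp_enqueue_script('nice-widget', 'https://cdn.nice-widget-author.invalid/widget.js');
wp_enqueue_style('nice-widget', 'https://www.example.com/wp-content/plugins/nice-widget/style.css');
""",
    "nice-widget/readme.txt": "=== Nice Widget ===\nTested up to: 3.5\nStable tag: 1.2\n",
    "tidy-forms/tidy-forms.php": """<?php
/* Plugin Name: Tidy Forms */
echo '<script src="/wp-content/plugins/tidy-forms/forms.js"></script>';
""",
    "tidy-forms/readme.txt": "=== Tidy Forms ===\nTested up to: 4.8\n",
}

if __name__ == "__main__":
    # On a real site: audit_plugins(load_plugin_dir("/path/to/wp-content/plugins")) (path is a placeholder).
    report = audit_plugins(SAMPLE_PLUGIN_FILES)
    for slug in needs_review(report):
        print(slug, "last tested on WP", report[slug]["tested_up_to"],
              "loads from", sorted(report[slug]["remote_hosts"]))
```

The script cannot tell you who owns a domain today; it narrows the list to the plug-ins worth a WHOIS and DNS check, and anything it reports that you no longer use is simply a plug-in to delete.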

When I first started using WordPress more than a decade ago, I went plug-in crazy and loaded up more than a dozen different ones for all sorts of enhancements to my blog’s appearance and functions. Now I am more careful, and only run the ones that I absolutely need. Situations such as this malicious redirect are a good reason why you should follow a similar strategy.

FIR B2B podcast #79: How to find the right CMO for your startup

This week Paul Gillin and I talk to Crowded Ocean’s partners Carol Broadbent and Tom Hogan. The two have written The Ultimate Startup Guide, the foundation of which is their work with 47 different startups over the past 10 years. Ten of those companies have had successful exits, and only two went out of business, so our guests have credibility.

We invited them to join us after we read their piece in VentureBeat about “marketing-as-a-service.” Most organizations hire their CMOs first, but the duo recommend that this should actually be the last position to be filled by a startup. “Most CMOs have a bulls-eye painted on their backs, they have the shortest tenure, and often startups hire the wrong species,” they said.

Instead, Carol and Tom suggest that you examine more closely the different component skills that make up marketing, and staff accordingly. These include product management, corporate marketing, product marketing and IT fluency. The evolved CMO has the backbone of the marketing department, the breadth and understanding of the customer experience and the depth of a new key organizational growth pillar that shapes their point of view. Our guests suggest that the initial full-time marketing insider should be someone that they call “Seth” who is a 28-year-old numbers jockey who can give their sales organization demand generation data.

Other recommendations: Hire a stable of reliable contractors rather than fulfilling every need with full-timers. Simplify your website’s message. “Too many startups want to display all their great ideas and technology on their website, turning it into a library of brochure-ware that a prospect has to wade through,” they wrote in VentureBeat. And design online content and structure that can be useful on mobile devices.

Carol and Tom’s recommendations challenge a lot of the conventional wisdom, but they have the track record to justify them. Listen to our 21 min. podcast here: