Posts

Trump Russia Investigation Update: Did Campaign HELP Russians Plot Disinformation Strategy?

Honestly, we don’t know yet. There was a time when our voting preferences, our political leanings, our policy choices were our own business. Now they are someone else’s business, quite literally. There are so many stories coming out about Donald Trump’s connections to and collusion with the Russians that it is getting hard to keep these accusations straight. Here’s the latest:

Trump Russia Investigation Update

The key word is help. As in, actively provide information that the Russians may not have been able to discover on their own. “Help” is not a synonym for encourage, appreciate or enjoy.

Without getting too political (because after all, this is a cyber security blog), here are the basics of the Trump-Russia Investigation from a cyber security perspective:

  1. The Trump campaign had possession of a huge amount of information about American voters from Cambridge Analytica, the data mining firm hired to help collect and use social media information to identify and persuade voters to vote (or not vote), through an activity known as political micro-targeting.
  2. Jared Kushner, the president’s son-in-law and now a senior adviser in the White House, was head of digital strategy during the campaign, meaning he was overseeing this effort to micro-target voters.
  3. The Russians unleashed bots, or robotic commands, that swept across the Internet and picked up fake news stories or harshly critical news stories about Hillary Clinton and disseminated them across the United States. By Election Day, these bots had delivered critical and phony news about the Democratic presidential nominee to the Twitter and Facebook accounts of millions of voters.
  4. Some investigators suspect the Russians micro-targeted voters in swing states, even in key precincts where Trump’s digital team and Republican operatives were spotting unexpected weakness in voter support for Hillary Clinton.

So the question is this: Did the Trump campaign, using what we assume to be lawfully-obtained micro-targeted voter intelligence, give access to the Russians so that they could point harmful disinformation campaigns at those vulnerable  jurisdictions?

Many top security analysts doubt Russian operatives could have independently “known where to specifically target … to which high-impact states and districts in those states.” As Virginia Sen. Mark Warner said recently, “I get the fact that the Russian intel services could figure out how to manipulate and use the bots. Whether they could know how to target states and levels of voters that the Democrats weren’t even aware (of) really raises some questions … How did they know to go to that level of detail in those kinds of jurisdictions?”

And that is Senator Mark Warner’s mistake – that the micro-targeting had to be so specific that it only hit potential Trump voters in certain jurisdictions. It did not. The campaigns could have been aimed at every person in that state, let alone the jurisdiction, only touching the opinions of those who were ready to hear the message. A phishing campaign isn’t sent only to those people in an organization most vulnerable to that type of social engineering – it is sent to everyone, and the most vulnerable are the only ones that respond. Similarly, it was good enough for Russia to cast their anti-Hillary message in the general vicinity of the target; there was no need for a bullseye to render the disinformation campaign to be effective. Those who received the message but were slightly outside of the voter profile or geographical jurisdiction simply recognized it for what it was, false news. The rest were unethically influenced.

But we don’t know yet if there is a connection between the micro-targeting big data purchased by the campaign and the Russian botnet disinformation attack.  We do know, however, that Russia attempted to influence the outcome of the election – and that is what we as cyber security experts, must focus on. 

Either way – collusion or not – the implications against our privacy (let alone the political ramifications of foreign entities influencing our election process) are huge. Remember, the Trump campaign had obtained this huge volume of information on every voter, maybe as much as 500 points of data from what kind of food do they eat to what are their attitudes about health care reform or climate change. And yes, I’m sure the Democrats had much of the same information and probably didn’t “play fair” either. The point is that we have gotten so far beyond just accepting that our personal information is readily available and easily manipulated that no one is even bringing up that part of the story.

We, America, have been lulled into allowing everyone else – corporations, our government, even foreign nations – to have more access to our data footprint than even we do. 

John Sileo is an an award-winning author and keynote speaker on cyber security. John specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.

Security Expert Hacks In-Flight Entertainment? 5 Cyber Lessons for Leaders

Did security expert Chris Roberts of Denver actually HACK INTO AND STEER AN AIRCRAFT from the inflight entertainment panel at his seat, as reported first by Wired?

Probably not. Though I did meet him at a conference of cybersecurity experts and he appeared to know his stuff. But it almost doesn’t matter, because the lessons we take away from it is the same. Here’s what I do know:

  • I’ve seen ethical white-hat hackers (the good guys) penetrate mission-critical corporate networks through the unlikeliest of devices, including photocopiers, vending machines, surveillance cameras, thermostats and industrial control systems.
  • In most of these cases, the breached organization vehemently (and incorrectly) assert that these devices were not connected to their “real” network. Further analysis shows that they were. Will the airlines claim the same?
  • I’ve seen a driverless car hacked and started from a mobile phone.
  • I’ve seen a pacemaker remotely accessed by a hacker and set to induce a deadly heart rate.
  • I’ve seen home networks breached through a video game console, a baby monitor and a garage door opener.

 Here’ s ultimately what matters: If it’s networked, it’s hackable.

The minute you hook a device to a network (whether that be the internet, an internal intranet, WiFi hotspots or any other network), it becomes hackable. Remote access is a wonderful tool of convenience and efficiency – it lets us work from other locations. But remote access also opens up digital doors to criminals who want to steal from other locations. In other words, the TV at your seat could be connected to the pilot’s controls.

Even if any security expert did execute the hack, we will likely never know. But that doesn’t lessen our responsibility to learn and apply something to our businesses (steps that many airlines are currently reviewing themselves):

  • Compartmentalize your network. Don’t connect non-critical systems (in-flight entertainment, guest WiFi, thermostats, networked appliances) to mission critical data (flight controls, customer information, employee records, sensitive intellectual property). Instead, host them on separate networks with separate usernames, passwords and access controls.
  • Implement User-Level Access. Only a very few authorized individuals should have access to the servers and computers that house your private information. Classify your data into Top Secret, Confidential, Internal and Public (if it’s good enough for James Bond, it’s good enough for you) and apply your user-level access settings to those classifications (e.g., only C-Level executives get Top Secret access.
  • Firewall the bad guys out. A firewall that is configured to Default Deny will restrict all access by default and only allow a few legitimate users who appear on a “white-list” to access the most valuable information). This limits most hackers’ backdoor access (and is when they will turn to social engineering to gain access – another lesson for another time).
  • Utilize communication encryption. Mobile access that is not encrypted (hidden from illegitimate users by scrambling the message) is like broadcasting your bank account number over the radio – everyone else is listening.
  • Closely monitor intrusions. No matter what steps you take, if you organization is being targeted, eventually you will be breached. Therefore, the greatest security is resiliency: detecting the intrusion (a human being has to be watching the monitoring system to do this), expelling the intruder before real damage is done and leaning from and resolving your previous mistakes.

Finally, and most importantly, make sure that you train your humans on the proper usage of the previous 5 steps! This is actually where most security fails, as the WEAKEST LINK IN CYBER SECURITY IS HUMAN ARROGANCE, IGNORANCE AND INACTION.

Right now, you have a chance to keep a hacker from changing the course of your vessel, be it airplane or corporation. If you don’t have the personal knowhow or internal resources to get it done right, hire the right team to do it for you

John Sileo speaks internationally on cyber security and identity defense. He specializes in making security engaging, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Book him for your next conference on 800.258.8076.

Baby Cam Hacked: What You Can Do To Protect Yourself and Your Children

The story about the Texas parents who were terrified when their child’s video baby monitor was hacked struck me at first as a minor incident when viewed in the whole scheme of the world of hackers.  After all, it is a rare event, no one was hurt, no threats were overtly made, and the child herself even slept through the event.  But when I read more about it, I became increasingly bothered by the fact that I was not initially bothered by it!  I mean, is that the creepiest of all feelings, to know that a stranger is watching your kids?

Here’s the summary for those who missed the story.  Marc and Lauren Gilbert were in another room when they heard strange sounds coming from their daughter’s monitor.  When they went into her room to investigate, they realized it was a strange man’s voice coming through the monitor and saying disturbing things, even using the child’s name, which could be seen above her bed.  The child, who was born deaf and had her cochlear implants turned off, slept through the entire incident.  Gilbert immediately disconnected the device, which was hooked up to the home’s wireless Internet system.

It is believed the webcam system, Foscam wireless camera, was compromised.  In April, a study was released revealing potential vulnerabilities; in it the researchers said the camera would be susceptible to “remote Internet monitoring from anywhere in the world” and that thousands of Foscam cameras in the U.S. were vulnerable.  A glaring flaw (which has since been “fixed” by a firmware update in June) is that users were not encouraged to have strong passwords and were not prompted to change from the default admin password.  Gilbert said he did take basic security precautions, including passwords for his router and the IP cam, as well as having a firewall enabled.

For an interview with Fox and Friends, they asked me to consider the following questions.  I’d like to share my answers with you in case you missed it.

How easy is it to hack a baby monitor?

It’s probably an apt cliché to say it’s as easy as taking candy from a baby. Just like with any device, an iPhone, laptop, home Wi-Fi, it’s only as secure as you make it. If you’ve taken no steps, it’s relatively easy to hack. You don’t make the problem go away by ignoring it.

Why would someone do this?

Some do it for the challenge, some for the thrill of controlling other people’s lives, and unfortunately, others do it because they are sick individuals that want to watch what you do in the privacy of your home.

Is this one of the more scary cases of hacking a household device you’ve seen?

This one hits close to home because it takes advantage of our kids, but I’ve seen pacemakers turned off, blood pumps shut down, brakes applied in cars, and all of it done remotely by outsiders who are never even seen. If the device is connected to a network, I guarantee you it can be hacked, and in most cases, you never know the bad guys are in control.

How can we avoid this type of hacking of our personal devices, whether it’s a video baby monitor, an iPhone or a pacemaker?  

The good news is that’s it’s the same steps you probably already take on your other devices, like laptops, smartphones and iPads:

  1. Buy Digital. Only buy a digital monitor that is password protected, not an analog version that operates on an open radio frequency.
  2. Change Default Passwords. During setup, change the factory defaults on the monitor so that the password is long, strong and device specific. This case we are talking about probably had a default password in place, making it easy to hack.
  3. Firewall Your Privacy. Install a firewall between your Internet connection and ALL devices to keep the peeping Toms out. Hire a professional to set it up properly.
  4. Lock Down Wi-Fi. Make sure your Wi-Fi network is locked down properly with WPA2+ encryption and SSID masking so it can’t be hacked.
  5. Turn Devices Off. If you are not using the device, turn it off, as hackers can more easily crack devices that are up 24/7.

John Sileo is an an award-winning author and keynote speaker on identity theft, internet privacy, fraud training & technology defense. John specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.

If You Hacked into Rupert Murdoch's Voicemail…

If you hacked into Rupert Murdoch’s voicemail, you would hear the message I just left him:

Thank you , Mr. Murdoch, I owe you one. I’ve spent the past five years trying to convince the world of something you managed to do with one simple scandal. I’m sorry that you will probably lose your reputation and much of your company and wealth because of it (not to mention your self-respect), but the world will be a better place for it. Why? Not just because our phone is ringing non-stop with companies and individuals that want to protect their private information.

It’s because you, Mr. Murdoch, awoke the PRIVACY BEAST! Two weeks ago, no one paid very much attention to voicemails being hacked. The average Facebook user was shrugging off the knowledge that their data was being systematically collected, aggregated and sold to the highest bidder all for Facebook’s financial gain. Android users ignored the warnings that malicious apps disguised as harmless games were funneling their bank account numbers, contact lists and geographic whereabouts to locations in Iran and North Korea. iPhone users continued to load their phones with as much data as a laptop without even password protecting the darn thing. Most of us lived in a comfortable, pitiful, stupor of privacy ignorance. But today, everyone suddenly cares .

Thank you for reminding us why privacy matters. You stole the voicemails of a murdered child, and that we cannot forget. For the sake of a pre-emptive scoop, you bribed officers who should have been focusing on capturing the culprit to feed your profit machine. You tempted the gods by abusing and misusing the Power of Information and now it is that very same power that will destroy you.

The emails of News of the World “reporters” discussing your phone-hacking exploits were backed up, archived, indexed and given a digital half-life of a million years. The smoking trail of digital DNA that you left behind while breaking the law, breaking our trust, breaking your business, will never disappear. And even if you didn’t do it, didn’t authorize it, didn’t know about it, it still happened under your watch.Most sadly of all, it happened under your son’s watch, who it appears more and more, takes after his father.

John Sileo speaks around the world on Privacy and Profitability to clients like the Department of Defense, Blue Cross and Homeland Security.