Archive for the ‘Twitter’ Category

The Soylent Green of “Epic Hacks” – It’s Made of PEOPLE!

August 7th, 2012 3 comments

Allow me to immediately state that I am, in no way, attempting to blame or shame the victim in my editorial below.

However, the recent rash of commentary from security wonks on Twitter and blogs regarding who is to “blame” in Mat Honan’s unfortunate experience leaves me confused and misses an important point.

Firstly, the title of the oft-referenced article documenting the series of events is at the root of my discontent:

How Apple and Amazon Security Flaws Led to My Epic Hacking

As I tweeted, my assessment and suggestion for a title would be:

How my poor behavior led to my epic hacking & flawed trust models & bad luck w/Apple and Amazon assisted

…especially when coupled with what is clearly an admission by Mr. Honan, that he is, fundamentally, responsible for enabling the chained series of events that took place:

In the space of one hour, my entire digital life was destroyed. First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook.

In many ways, this was all my fault. My accounts were daisy-chained together. Getting into Amazon let my hackers get into my Apple ID account, which helped them get into Gmail, which gave them access to Twitter. Had I used two-factor authentication for my Google account, it’s possible that none of this would have happened, because their ultimate goal was always to take over my Twitter account and wreak havoc. Lulz.

Had I been regularly backing up the data on my MacBook, I wouldn’t have had to worry about losing more than a year’s worth of photos, covering the entire lifespan of my daughter, or documents and e-mails that I had stored in no other location.

Those security lapses are my fault, and I deeply, deeply regret them.

The important highlighted snippets above are obscured by the salacious title and the bulk of the article which focuses on how services — which he enabled and relied upon — however flawed certain components of that trust and process may have been, are *really* at the center of the debate here.  Or ought to be.

There’s clearly a bit of emotional transference occurring.  It’s easier to associate causality with a faceless big corporate machine rather than swing the light toward the victim, even if he, himself, self-identifies.

Before you think I’m madly defending and/or suggesting that there weren’t breakdowns with any of the vendors — especially Apple — let me assure you I am not.  There are many things that can and should be addressed here, but leaving out the human element, the root of it all here, is dangerous.

I am concerned that as a community there is often an air of suggestion that consumers are incapable and inculpable with respect to understanding the risks associated with the clicky-clicky-connect syndrome that all of these interconnected services bring.

People give third party applications and services unfettered access to services like Twitter and Facebook every day — even when messages surrounding the potential incursion of privacy and security are clearly stated.

When something does fail — and it does and always will — we vilify the suppliers (sometimes rightfully so for poor practices) but we never really look at what we need to do to prevent having to see this again: “Those security lapses are my fault, and I deeply, deeply regret them.”

The more interconnected things become, the more dependent upon flawed trust models and the expectations that users aren’t responsible we shall be.

This is the point I made in my presentations: Cloudifornication and Cloudinomicon.

There’s a lot of interesting discussion regarding the effectiveness of security awareness training.  Dave Aitel started a lively one here: “Why you shouldn’t train employees for security awareness.”

It’s unfortunate that the only real way people learn is through misfortune, and any way you look at it, that’s the thing that drives awareness.

There are many lessons we can learn from Mr. Honan’s unfortunate experience…I urge you to consider focusing blame less on one link in the chain and instead guide the people you can influence to reconsider decisions of convenience over the potential tradeoffs they incur.

/Hoff

P.S. For you youngsters who don’t get the Soylent Green reference, see here.  Better yet, watch it. It’s awesome. Charlton Heston, FTW.

P.P.S. (Check out the sentiment of all the articles below)

March 16, 2012: @Beaker’s Tweets O’ the Week…

March 16th, 2012 No comments

Here they are…*some* of my favorite Tweets O’ the Week that I curated:

  • Unless you like fish, stop chasing red herrings.
  • The hypervisor is/should be the least of your security concerns in a virtualized environment. The ops & mgmt layer should be
  • The next 1 of you (us) who starts whining about how broken our industry is without doing anything about it gets posted to the hamster wall
  • This is the new norm I call anti-FUD FUD: security vendors shitting where they eat in an (em)pathetic attempt to gain cred. How ’bout fixin?
  • Congrats on $60MM funding @appirio. It’s great u’ll be able to afford to create even more BS marketing contests you rig the outcome to ;p
  • Protip: The state of the Security Industry always looks like shit in the middle of a “breaker” hacker con.  By design. You’re welcome.
  • More negativity, navel gazing & security apocalypse hype. Funny how “experts” doing the sky-is-falling chicken dance never propose solutions
  • Awkward moment today: someone presenting me slides re: Cloud Security that I built on an initiative I created and a group I lead. o_O
  • Oh! Right! Cloud security, visibility & transparency. Why didn’t I think of that?!
  • North by Northwest is basically the Hitchcock version of Anonymous, Wikileaks…with biplanes and better acting.
  • I will soon utilize HTTPS/SSL to encrypt all my tweets. Those of you who are not Beaker Certified will be unable to decipher my madness
  • Out of complete ignorance: is SXSW like Burning Man for nerds who only discuss things that are battery operated?
  • What a bunch of chicken shits. 20 DM’s later and 18 of you vote @MikD as the Ryan Seacrest of Infosec. Like that’s a bad thing?
  • My twitter follower count goal is 90210 – that way I can claim I am the Tiffany Amber Theisen of Twitter. It’s the little things…
  • Single best way to get uninvited back to weekly meetings is introduce the fact that the host’s model construct for an argument is flawed.
  • Oh $gawd. What a bunch of cockblocking going on with respect to $openwashing & who started what. Sigh. #getonwithitalready
  • I just sent the most awesome f’ing internal email ever.  If there was EVER a reason for REPLY-ALL, *this* would be it. GRAB YOUR RED STAPLER

Did I miss any? ;)

 

Off Topic: Southwest Airlines Monitoring Twitter For Customer Service/Brand Protection

April 29th, 2008 7 comments

Planes, Trains and Automobiles

My Southwest Airlines flight from New Hampshire to Philly yesterday sucked the big one.  Flying into Philly is always a gamble but yesterday I went all in and flew SWA for the first time instead of US Scareways.

My flight was supposed to take off at 5:20 PM.  It actually took off at around 7:45 PM.  Due to "weather," once we arrived over PHL airspace, those of us in the bovine express class then endured 30 minutes of low-earth orbit in a holding pattern awaiting vector approach clearance to land once we got there.

Upon landing, we waited almost 30 minutes for our luggage only to find that they had to go back for a second load since the first wasn’t large enough of a sweep to claim them all.  The baggage came…and went.  Mine wasn’t amongst them.  It was now 10:30pm.  At this point, one of my VP’s who was also traveling to the same locale wisely left.  Cue the violins.

I filed a claim next to a woman who was going apeshit over her drenched and soiled suitcases.  The migrant baggage helper person said that another flight was due in shortly (about 45 minutes) and I could wait to see if it was on that flight.  I made some remark about pitching a pup tent in baggage claim.  I could hear crickets chirping…

This was all friendly and helpful enough.  There was no reason to get medieval as the poor souls behind the counter can’t even track bags to tell if they landed — or so they say.  Upon filing my claim, I asked that my bag just be returned to NH or delivered to my hotel given the fact that I was staying only one night before returning home.  They would try the latter as the last run to "local" hotels was around midnight.

I was prepared for the old fake-finger-teeth-brushing and washcloth-the-armpits routine to get me through my meeting if need be.  Wow.

It was now almost 11pm.  I still had to collect my rental car and drive 45 minutes to my hotel.

As I was walking out, I saw a strange man return my bag to the carousel. I reckoned that if he took it, loaded it with explosives and put it back, that hopefully I would suffer a quick death.  No such luck.

I picked it up and wrung it out.  It was soaked.

I shrugged it off, got the rental and got to my hotel in one piece.

Corporate accounts payable, Nina speaking. Just a moment…

Of course I twittered the entire experience with my normal (lack of) withholding.  I didn’t address the tweet to @southwestair or anything, but I obviously mentioned them by name.

This morning I was quite amazed to see that someone (not something) from Southwest was monitoring Twitter feeds and responded to me.  I can tell it isn’t a bot because of the responses to the rather colloquial nature of some of my tweets.  Check it out:

The plea to let them try again to earn my loyalty and prove that "Southwest=Awesomeness" came from a statement that "Southwest=Suckage."  ;)

It’s pretty interesting that they have people monitoring Twitter for brand/reputation purposes — it comes across as a customer service effort, also.   I know it’s not as profound as some of the remarkable Twitter stories of late, but it was cool.

Cool and frightening at the same time.  So, thanks for the attention, SWA.  We’ll see how you do on my return flight today.

Anyone else have an experience such as this?

/Hoff

Update: The flight back was great.  It arrived early, to boot.  I have to say that my Southwest Twitter experience wasn’t just a single fire and forget incident as "they" twittered back again to check up on me:

;)

I’m a Twit(terer) but did you know that the L.A. Fire Department is, too?

August 31st, 2007 8 comments

If you look over to the right under the Lijit widget, you’ll see that I use Twitter.  It’s addictive.  At first I thought it was stupid.  Now I’m having simplex "conversations" with myself and others(?) that are strangely satisfying.

If you don’t happen to know what Twitter is, it’s basically a "micro-blogging" (ugh) social-networking site.  Read more about it here.

If you were so inclined, you can feel free to bore yourself to tears by tapping into the ever-exciting neartime log of my activities — only to discover that all I do is eat and sit in airports.  Thrilling.

However, as I was browsing the Twitter site today, I found that the L.A. Fire Department actually logs (all?) its calls to Twitter — it’s the web-based version of sitting in front of a scanner and listening to dispatch.  They also maintain a blog.  Imagine if the LAPD did the same…now that would be "fun."

Scoble covered this back in July and unfortunately I didn’t happen to see it at the time. 

This got me thinking not only about how interesting this is to those whose hobby in the analog world is following the LAFD’s actions, and about this obviously unique application for broadcasting information from and to these first responders as an alert/emergency service, but also about potential applications in the DoD space.

I’m readying another post regarding some of the impacts that Web2.x and various collaboration and interactive technologies have had on the modern warfighter, but this really struck me as interesting.

With some of the various visualization tools coming to bear (Twitter is introducing one), one could take human-generated as well as automated feeds of unstructured, yet contextual theater updates (in addition to more structured data such as engagement, position, movement, number, etc.) and parse/visualize activity over time to arrive at some very interesting data points.  More on that later, but noodle on it.

Back to the LAFD’s Twitter and why I’m bringing this up on my "security" blog…while it appears that these logs are public record, check out the information you can glean from these entries — they appear to be unparsed.  Is anyone else concerned by the privacy implications of including personal information as part of these feeds…esp. when paired with the types of activities profiled in the abstracts?

/Hoff
