Monthly Archives: June 2015

To the Left and the Right… troubling times are here…

I found this draft blog post today after seeing another attempt by the Obama administration to use coercion to try to override the democratic process. Things haven’t changed in over a year. smh.

http://www.allenbwest.com/michellejesse/breaking-justice-department-makes-huge-ruling-on-transgender-bathrooms

[cont. from almost a year ago]

This quote I ran into this afternoon is worth pondering… put the most recent ruling aside, because no matter which side you are on, you should smell danger.

Some of the most recent areas of contention (marijuana, Obamacare and equal rights based on sexual proclivities) underline a growing pattern: when the government overrules the democratic process, how long will it be before the people rise once again to say “enough is enough”?

Today, I can think of only one thing that is providing the glue that keeps us in a cohesive bond across this country… and that alone is scary, given its ephemeral, coercive nature: money and the Federal Reserve Bank. How long will states allow their constitutional sovereignty to be overridden based on the color of printed paper? How would the government respond if states decided to secede from the union?

We need to find a democratic way to bring us back to our democratic roots, because, based on history, our republic is not really “our” republic, and ‘our’ government, created by the people and for the people, will not hesitate to take unilateral action to remain in control… it’s the nature of humanity.

Definitely worth pondering…

Here is the quote:

“It appears the American Experiment (i.e. can man, acting in concert with his Maker, govern himself free of despots and tyrants) has largely terminated after only a couple of hundred years. I am thankful to God to have been given a fleeting glimpse of the tail end exiting freedom’s door.”

Layer 8 security: hacked by email.

Last week I received a letter in the mail claiming to be from the city of Suffolk. They want me to pay a tax on my cars. The tax is less than $100, but you know what: I already paid a fee to register my cars. Perhaps the request is legit, but it seems just a little bit suspicious. What if that letter came through email with a link to click for me to make a PayPal payment? Is email any more secure than the US Postal Service? How do you know the letter, or the email, that claims to have come from a certain person actually came from that person? The postal system, like the internet, is kind of the wild, wild west.

There are plenty of technologies that can help solve this issue – if someone expresses interest, I would be happy to dig into those technologies in the near future. However, as a quick way to raise your awareness of the dangers of trusting email (or snail mail) without a discerning eye, pop over to the New York Times and read the post about the magazine publisher that just lost 1.5 million dollars due to an email scam.

The short story:

Someone hacked into the email of the CEO and sent an email to the Accounts Payable department to wire 1.5 million dollars to an offshore Chinese bank account.

The dutiful employee complied.

The problem here is not that someone hacked the CEO’s email; this type of stuff happens every single day in the real world. The problem is that the receiver on the other end didn’t apply any type of analysis or intelligence to the request (e.g. is this risky, is this unusual?). It is interesting to note that the “CEO” sent a second email to Accounts Payable. This second employee thought, “Hey, this seems odd, maybe I should double check with the CEO”.

Result: 1.5 million dollars saved.

Who knows, perhaps a 1.5 million dollar transfer request through email was a normal day in the Accounts Payable office of Bonnier Publications.  If so, shame on them (see the opening paragraph).

Summary: Enterprise organizations need to eliminate email from their business processes, both from an efficiency and a security perspective. As an individual, you need to approach email with a certain amount of discernment, even if it appears to come from a trusted individual (see the opening paragraph).

I promise not to send you email from your boss asking you to buy lunch for the office, but I can’t speak for everyone.

Asking a few additional questions might just save your company 1.5 million dollars.

Remember: Security is everyone’s responsibility.

Is security your responsibility? The case of the insecure security system.

I have recently contracted with a local security company to install a fairly extensive security system in my home. The system cost thousands upon thousands of dollars, and is made by one of the top brands in home security systems. This system provides full automation, including video monitoring and recording with coverage both outside and inside my home. I have large-screen TVs that display every angle at the touch of a button; I have programming interfaces which allow me to extend the capabilities of the system, limited only by what I am able to cook up in today’s Z-Wave-enabled IoT platforms. I can monitor my home from my bedroom or 2,500 miles away – it makes no difference. This is the ultimate enabler for the security-conscious homeowner.

There is, however, one big problem with my home security system… the system is not secure.

Wait, what? I am saying that one of the top brands of home security companies is putting security systems onto the market that are not secure? Yes, that is what I am saying: my home security system has not been designed by the manufacturer nor configured by the installer in a secure fashion. In essence, the moat around my castle has multiple unprotected drawbridges by which a minimally savvy technical person could enter and plunder booty. My booty.

Interestingly, the installer has taken a fairly disinterested stance, stating that technology changes so fast and they can’t be expected to understand how to secure computerized and network devices. I feel their pain. The manufacturer will (once I contact them) undoubtedly take the position that there are WAYS to secure the system, so the problem is due to the lack of knowledge and understanding of the installer. The homeowner is a consumer and expects that the security system they have contracted out for will allow them to secure their home. Everyone has been fooled.

Unfortunately, they are all right and all wrong at the same time. There are technologies and architectures that could be layered on the home security system that would ALLOW the installer to install and configure the security system in a secure fashion, and the homeowner should be savvy enough about their own personal security to spend some time asking questions and understanding the technology they are using. And yet, there is a significant lack of knowledge about how information security and physical security need to coexist.

This has got to change.

I spent this past week at Gartner’s 2015 Risk Management Summit. Gartner has decided it is now time to stress the fact that Physical Security and Information Security need to work together for the health and safety of the world. This is exacerbated by computerized healthcare devices and computerized cars, and it is only going to get more and more challenging and risky as the physical and digital worlds amalgamate.

So, here is the question: when someone exploits the weaknesses of my home security system and breaks into my home and destroys or plunders whatever it is that I hold dear… who is responsible? Is it the manufacturer that has created a system that can easily be poorly installed and configured, is it the installer who trusts the manufacturer and knows only how to crimp the wires and program the interface, or perhaps it is the homeowner who has put their trust in the installer and only knows how to click a few buttons?

The answer is “yes”: the security of the home system is the responsibility of the installer, the manufacturer and the homeowner. It comes down to this: trust, but verify.

Security is everyone’s responsibility.

Check back in a few weeks. Once I have an opportunity to secure the vulnerabilities introduced by the manufacturer and the installer, I plan on documenting what the issues were and, if you have this security system, what you can do to protect your home, and more specifically, the types of questions you should continue to ask yourself as your digital lines continue to blur.

It is all about education.