Random Thoughts – Randocity!

Rant Time: Bloomberg and Hacked Servers

Posted in best practices, botch, data security, reporting by commorancy on October 5, 2018

Bloomberg has just released a story claiming SuperMicro motherboards destined for large corporations may have been hacked with a tiny “spy” chip. Let’s explore.

Bloomberg’s Claims

Supposedly the reporters for Bloomberg have been working on this story for months. Here’s a situation where Bloomberg’s reporters have just enough information in hand to be dangerous. Let’s understand how this tiny chip might or might not be able to do what Bloomberg’s alarmist view claims. Thanks Bloomberg for killing the stock market today with your alarmist reporting.

Data Compromise

If all of these alleged servers have been compromised by a Chinese hardware hack, someone would have noticed data streaming out of their server to Chinese IP addresses, or at least some consistent address. Security scans of network equipment require looking through inbound and outbound data logs for data patterns. If these motherboards had been compromised, the only way for the Chinese to have gotten that data back is through the network. This means data passing through network cards, switches and routers before ever hitting the Internet.

Even if such a tiny chip were embedded in the system, many internal-only servers have no direct Internet access. This means that if these servers are used solely for internal purposes, they couldn’t have transmitted their data back to China. The firewalls would prevent that.

For servers that may have had direct access to the Internet, these servers could have sent payloads, but eventually these patterns would have been detected by systems administrators, network administrators and security administrators performing standard security checks. It might take a while to find the hacks, but they would be found simply because of odd outbound data being sent to locations that don’t make sense.

Bloomberg’s Fantasy

While it is definitely not out of the realm of possibility that China could tamper with and deliver compromised PCB goods to the US, it’s doubtful that this took place in the numbers that Bloomberg has reported.

Worse, Bloomberg makes the claim that this so-called hacked hardware was earmarked for specific large companies. I don’t even see how that’s possible. How would a Chinese factory know the end destination of any specific SuperMicro motherboard? As far as I know, most cloud providers like AWS and Google buy fully assembled equipment, not loose motherboards. How could SuperMicro board builders possibly know it’s going to end up in a server at AWS or Google or Apple? If SuperMicro’s motherboard products have been hacked, they would be hacked randomly and everywhere, not just at AWS or Google or whatever fantasy Bloomberg dreams up.

The Dangers of Outsourcing

As China’s technical design skills grow, so will the plausibility of receiving hacked goods from that region. Everyone takes a risk ordering any electronics from China. China has no scruples about any other country than China. China protects China, but couldn’t give a crap about any other country outside of China. This is a dangerous situation for China. Building electronics for the world requires a level of trust that must exist or China won’t get the business.

Assuming this alleged “spy chip” is genuinely found on SuperMicro motherboards, then that throws a huge damper on buying motherboards and other PCBs made in China. China’s trust level is gone. If Chinese companies are truly willing to compromise equipment at that level, they’re willing to compromise any hardware built in China including cell phones, laptops and tablets.

This means that any company considering manufacturing their main logic boards in China might want to think twice. The consequences here are as serious as it can get for China. China has seen a huge resurgence of inbound money flow into China. If Bloomberg’s notion is true, this situation severely undermines China’s ability to continue at this prosperity level.

What this means ultimately is that these tiny chips could easily be attached to the main board of an iPhone or Android phone or any mobile device. A mobile device can easily phone home with whatever data it holds. While the SuperMicro motherboard problem might or might not be real, adding such a circuit to a phone is far harder to detect and likely to provide far more data than placing it onto servers behind corporate firewalls.

Rebuttal to Bloomberg

Statements like the one from this next reporter are why no one should take these media outlets seriously. Let’s listen. Bloomberg’s Jordan Robertson states, “Hardware hacking is the most effective type of hacking an organization can engineer… There are no security systems that can detect that kind of manipulation.” Wrong. There are several security systems that look for unusual data patterns, including most intrusion detection systems. Let’s step back for a moment.

If the point in the hardware hacking is to corrupt data, then yes, it would be hard to detect that. You’d just assume the hardware is defective and replace it. However, if the point to the hardware hack is to phone data home, then that is easily detected via various security systems and is easily blocked by firewalls.

The assumption that Jordan is making is that we’re still in the 90s with minimal security. We are no longer in the 90s. Most large organizations today have very tight security around servers. Depending on the role of the server, it might or might not have direct trusted access to secured data. That server might have to ask an internal trusted server to get the data it needs.

For detection purposes, if the server is to be used as a web server, then the majority of the data should have a 1:1 relationship. Basically, one request inbound, some amount of data sent outbound in response to that request. Data originating from the server without an inbound request would be suspect and could be detected. For legitimate requests, you can see these 1:1 relationships in the logs and when watching the server traffic on an intrusion detection system. For one-sided transactions sending data outbound from the server, the IDS would easily see it and could block it. If you think that most large organizations don’t have an IDS, even simply in watch mode, you are mistaken.

If packets of data originate from the server without any prompting, that would eventually be noticed by a dedicated security team performing regular log monitoring and regular server security scans. The security team might not be able to pinpoint the reason (i.e. a hardware hack) for unprompted outbound data, but they will be able to see it.

I have no idea how smart such a tiny chip could actually be. Such a tiny chip likely would not have enough memory to store any gathered payload data. Instead, it would have to store that payload either on the operating system’s disks or in RAM. If the server was cut off from the Internet as most internal servers are, that disk or RAM would eventually fill up without transfer of that data to wherever it needed to go. Again, systems administrators would notice the spike in usage of /tmp or RAM due to the chip’s inability to send its payload.

If the hacking chip simply gives remote control access to the server without delivering data at all, then that would also be detected by an IDS. Anyone attempting to access a port that is not open will be blocked. If the chip makes an outbound connection to a server in China and leaves it open, that would eventually be detected. Again, a dedicated security team would see the unusual data traffic from/to the server and investigate.
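As an added example (not from the post), here is the kind of outbound-flow check the preceding paragraphs describe: every flow is judged against a web server’s role profile, and anything the server itself initiated toward an unexpected peer, kept open for hours, or pushed in bulk gets flagged. The server address, peer addresses and thresholds are constructed assumptions.

```python
"""Flag outbound flows a role-restricted web server should never initiate.

Added example, not from the post. Flow records and the role profile below
are constructed; addresses use RFC 1918 and RFC 5737 documentation ranges.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# Assumed role profile for one web server.
SERVER_IP = "10.0.1.20"
SERVICE_PORTS = {443}                        # ports clients may connect to
ALLOWED_EGRESS = {("10.0.2.5", 5432)}         # the only peer it may open itself
INTERNAL_NETS = [ip_network("10.0.0.0/8")]
LONG_LIVED_SECONDS = 3600                     # a connection left open for an hour
BULK_BYTES = 10 * 1024 * 1024                 # 10 MiB pushed out in one flow


@dataclass(frozen=True)
class Flow:
    ts: int          # epoch seconds when the flow started
    src: str         # initiator address
    sport: int
    dst: str         # responder address
    dport: int
    bytes_sent: int  # bytes sent by the initiator
    duration: int    # seconds the flow stayed open


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify(flow: Flow) -> str:
    """Return a verdict for one flow from the perspective of SERVER_IP."""
    if flow.dst == SERVER_IP:
        # Inbound: normal only when it targets a published service port.
        if flow.dport in SERVICE_PORTS:
            return "ok-inbound"
        return "alert-inbound-unexpected-port"
    if flow.src != SERVER_IP:
        return "ignore"  # not this server's traffic
    # From here on the server itself opened the connection.
    if (flow.dst, flow.dport) in ALLOWED_EGRESS:
        return "ok-egress"
    if not is_internal(flow.dst):
        if flow.duration >= LONG_LIVED_SECONDS:
            return "alert-long-lived-external"
        if flow.bytes_sent >= BULK_BYTES:
            return "alert-bulk-external"
        return "alert-unsolicited-external"
    return "alert-unsolicited-internal"


def detect(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Return (flow, verdict) for every flow that deserves an analyst's eye."""
    findings = []
    for flow in flows:
        verdict = classify(flow)
        if verdict.startswith("alert"):
            findings.append((flow, verdict))
    return findings


# Constructed sample flows, in time order.
SAMPLE_FLOWS = [
    Flow(1538700000, "198.51.100.7", 51022, SERVER_IP, 443, 1200, 2),         # client request
    Flow(1538700001, SERVER_IP, 40111, "10.0.2.5", 5432, 800, 1),             # allowed DB lookup
    Flow(1538700060, SERVER_IP, 40222, "203.0.113.45", 8443, 52_000_000, 40), # bulk push outward
    Flow(1538700120, SERVER_IP, 40333, "203.0.113.46", 443, 4000, 7200),      # left open for 2 h
    Flow(1538700180, "198.51.100.8", 51999, SERVER_IP, 22, 300, 1),           # probe on closed port
    Flow(1538700240, SERVER_IP, 40444, "10.0.9.9", 445, 2000, 3),             # unexpected internal peer
]

if __name__ == "__main__":
    for flow, verdict in detect(SAMPLE_FLOWS):
        print(f"{verdict:32} {flow.src}:{flow.sport} -> {flow.dst}:{flow.dport}")
```

Run against real flow exports, the same profile also surfaces the slowly growing disk or RAM symptom indirectly: a server that has no allowed path out will show up here the moment it tries one.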

If the hacking chip wants to run code, it would need to compile it first. That implies having a compiler in that tiny chip. Doubtful. If the system builder installs a compiler, the spy chip might be able to leverage it, assuming it has any level of knowledge about the current operating system installed. That means the chip would have to know about many different versions of Linux, BSD, MacOS X, Windows and so on, then have code ready to deploy for each of these systems. Unlikely.

Standards and Protocols

Bloomberg seems to think there’s some mystery box here that allows China to have access to these servers without bounds. The point to having multi-layer security is to prevent such access. Even if the motherboards were compromised, most of these servers would end up behind multiple firewalls in combination with continuous monitoring for security. Even more than this, many companies segregate servers by type. Servers performing services that need a high degree of security have very limited ability to do anything but their one task. Even getting into these servers can be a challenge, even for administrators.

For web servers in a DMZ which are open to the world, capturing data here might be easier. However, even if the hacker at SuperMicro did know which company placed an order for motherboards, they wouldn’t know how those servers would ultimately be deployed and used. This means that these chips could be placed into server roles behind enough security to render their ability to spy as worthless.

It’s clear, these reporters are journalists through and through. They really have no skill at being a systems administrator, network engineer or security administrator. Perhaps it’s now time to hire technical consultants at Bloomberg who can help guide your articles when they involve technical matters? It’s clear, there was no guidance by any technical person who could steer Jordan away from some of the ludicrous statements he’s made.

Bloomberg, hire a technical consultant the next time you chase one of these “security” stories or give it up. At this point, I’m considering Bloomberg to be nothing more than a troll looking for views.


If you enjoy reading Randocity, please like, subscribe and leave a comment below.


‘Tis the season to be breached

Posted in botch, business, california, data security by commorancy on December 8, 2014

As we roll into another holiday season just having passed through Black Friday, it’s wise to understand how to best protect yourself from these accidental data breaches at retailers (see: Bebe’s Data Breach). Let’s explore.

What is a data breach anyway?

A lot of people shop with credit cards without first understanding what they are or how they really work. By this I mean, I think people understand that the purchase extends credit for the items in advance and that they pay the actual bill later to the credit card company. But, that’s not what I’m talking about. I’m talking about what happens when you swipe your card at a terminal. Let’s understand payment processing.

When you enter a store and swipe your card, information is exchanged between the terminal and the cash register. That information is whatever is on the back of the card (the card number, expiration, name, etc). All of that information is now accessible by the register (and cashier). Additionally, stores have networks that connect all of their registers (a type of computer system) to a central controller and ultimately to a company wide network. The company wide network may be connected to the Internet, but may only have direct connections to payment authorization providers.

When you swipe your card and that information is exchanged by the register, a program takes your card info along with the payment amount and securely asks a remote payment authorization service whether the card has sufficient funds to support the transaction (at least this part is secure). If your bank says yes, the transaction is approved and given a transaction number. This is a payment authorization and it instructs your bank to hold this dollar amount aside until the closing paperwork arrives (around 24 hours). If the paperwork never arrives, the authorization falls away and the money being held is released back into your account.

Now, if you don’t have enough funds (or for other reasons), the payment service receives a decline from your bank. The retailer and payment authorization service never know the reason for the decline, only that the transaction was declined. You will need to contact your bank to find out the reason for the decline. Declines can range from not enough funds to bad expiration dates on cards to reissued cards to fraud detection holds. Again, you will need to contact your bank to determine the reason and then rectify it. Note that if you are significantly over your limit and your card hasn’t seen a payment for several cycles, the screen may request the cashier call into a number. The person on the other end might request the card be taken and cut up. This typically means the account has been closed by the card issuer and you are no longer authorized to use the card. It is always wise to pay your bills if you value using that card.

Card Info Data Transit

The problem with data transit on a network is that, depending on the network and who built it, it could be designed to transmit your data encrypted or in clear text. Let’s understand the difference. Encrypted data means that a key is needed to unlock the data to view it. This means that only devices that have the proper key can view and use the data. However, many network operators don’t use this type of security. A lot of people who build internal networks for corporations feel they are inherently ‘safe’ and choose to use clear text transit. What is clear text? Clear text is just like this blog article. It’s humanly readable without any extra work. Thus, many companies fail to adequately protect data transit between internal network devices under the assumption that no one should have internal access except authorized internal devices. In other words, because of the external border protections such as firewalls that prevent unauthorized inbound traffic, internal networks should be a ‘safe place’, thus adding extra safeguards only serves to slow down processing and, if you happen to be a retailer, could make the customers wait at the register longer.

Internal networks designed with limited or no encryption are a hacker’s paradise. If they happen to get into a network like this, everything is easy to read, easy to find and easy to download. It’s basically a dream come true for the malicious hacker. With little to no constraints on viewing data, it’s a kid in a candy store and that’s exactly how and why data breaches begin.
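As an added example (not from the post), here is the check a security team would run over captures from a register-to-controller link to find out whether card numbers are crossing the internal network in clear text. The messages are constructed, the wire format is hypothetical, and the card numbers are publicly documented test numbers.

```python
"""Scan cleartext register-to-controller messages for card numbers (PANs).

Added example, not from the post. The message format and register ids are
constructed; the card numbers are publicly documented test numbers.
"""
import re
from typing import List, Tuple

# 13 to 19 digits, optionally separated by spaces or dashes, not embedded in
# a longer digit run. Encrypted payloads never match: they contain no
# recognisable digit sequences, which is the whole point of encrypting them.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check digit (ISO/IEC 7812): weeds out order numbers and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep the first six and last four digits, the usual display form."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> List[str]:
    """Return masked PANs found in one cleartext blob."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(mask(digits))
    return hits


def scan_messages(messages: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """(register_id, message) -> (register_id, masked_pan) per finding."""
    findings = []
    for register, message in messages:
        for pan in find_pans(message):
            findings.append((register, pan))
    return findings


# Constructed cleartext captures from a register-to-controller link.
SAMPLE_MESSAGES = [
    ("REG-04", "AUTH|4111 1111 1111 1111|EXP=1219|NAME=J SMITH|AMT=129.99"),
    ("REG-04", "ORDER|5555555555554444|AMT=42.00"),
    ("REG-07", "INVENTORY|SKU=1234567890123456|QTY=3"),   # 16 digits, fails Luhn
    ("REG-07", "HEARTBEAT|TS=1418025600"),                  # too short to be a PAN
]

if __name__ == "__main__":
    for register, pan in scan_messages(SAMPLE_MESSAGES):
        print(f"{register}: cleartext PAN {pan}")
```

Any finding means card data is readable to whoever can see that link, which is exactly the condition the paragraph above describes; the same scan over an encrypted payload returns nothing.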

How do hackers get into a network then?

Because most companies today require their computers to have internet access, especially retailers who need access to payment authorization services, bugs in network and computer devices are impossible to squash. Internally, companies typically hire IT and operations teams to manage their network systems. They also typically hire security teams to help protect their networks. The security teams do their best to mitigate attacks and watch for data breaches, but it is the operations and network teams that manage the network gear and keep them updated. Because the security team and operations and network teams are separate sets of people, getting equipment updated with the latest-greatest version isn’t always expedient. This means that companies could be running one, two or five versions behind the latest version.

It happens for a lot of reasons. It could be old equipment that simply won’t support the latest update. It could be that there are thousands of servers that could be impacted by a single update. It could be that that single update might break custom software written by the company. There are a lot of internal factors as to why any piece of equipment is not on the latest version. Yes, sometimes it’s even a matter of complacence.

How do you protect yourself?

Before strolling into your latest big box retailer, you should arm yourself with knowledge. Knowledge like the above to better understand how your data gets moved around in company networks. Then, you can better understand when to take the risk to use your card and when to use another form of payment.

Use Store Cards

First and foremost, the safest card to use at a retailer is a store card without a Visa/Mastercard logo. These cards can only be used at the retailer where they were issued. They cannot generally be used anywhere else (unless the company owns several retail shops and shares the card among them). So, if you purchase at Target or Macy’s or Sears with a local store card, if there is a data breach, your ‘store card’ card number is no longer the lowest hanging fruit. The lowest hanging fruit are the Visa, Mastercard and Amex branded cards. With store cards, it will take time for a hacker to understand what that card is and how to use it. Also, once they realize that it only works at that single retailer or at that retailer’s web site, it’s much less appealing. Especially considering that many hackers today don’t live in the US. They might be living in China or Korea or Russia where that store may not exist and where they may not ship abroad.

So, sticking with store issued cards is really your safest bet when shopping at big box chains. A Visa or Mastercard or Amex branded card, if stolen, can be used anywhere around the globe (unless you call your bank and explicitly ask to prevent its use outside of your country). Note, not all banks can stop international transactions on branded credit cards, but most can. Call your issuing bank and ask.

Of course, should you plan travel abroad, you will need to make sure your bank authorizes international use before you leave. If you forget to call from home before you reach your destination, you could have problems.

Limit transaction amounts

You can also limit your per day transaction amount to a much smaller amount. This can make it difficult if you want to buy a big ticket item with your card, so you’ll need to weigh just how often you make large purchases (and how big they are). However, lowering your per day transaction amount to $500 or less limits how much a hacker could put on the card per day. Again, your card would then no longer be low hanging fruit. Hackers want cards with high dollar amount transaction limits so they can spend a lot of money per day quickly and get away with it. As soon as a hacker tries to buy something expensive and they get a decline, that card is marked as not usable and they move on to trying another card.

Use gift cards

Because there are now Visa and Mastercard branded gift cards, you can put a dollar amount on the card that you wish to use while shopping. If this card number is lost to a hacker, it has limited liability (because of the logo) and it limits how much damage they can do to you financially. Also, because it’s a gift card, there’s limited personal information they could obtain about you in relation to this card. So, identity theft is much reduced by using gift cards. You should read the terms of Visa, Mastercard and Amex branded gift cards carefully. Some require fees after 1 year. So, you will need to use up the balance on the card within 1 year or you could start losing your balance to the monthly fees.

There are also store branded gift cards without any logos such as iTunes, Sears, Amazon, etc. These gift cards can only be used at their respective issuers. Again, these cards offer limited liabilities if stolen.

Though, if a gift card number is stolen, you will also want to read the terms and conditions with the card issuer. Not all of them assume replacement liability. So, if your gift card is stolen, you may be out whatever money was on it. So, you should always read gift card terms and conditions carefully.

Use good ‘ole cash instead

While cash does have its uses, I don’t believe holiday shopping is really one of those times. Because you’re typically buying large ticket items for holiday gift-giving, carrying a wad of crisp $100 bills around to pay for them can be downright dangerous. During the holiday season, you may be trading your financial safety for personal risk. For example, the first store you visit could lead someone seeing your cash, stalking you and taking your money and gifts from you by mugging…especially if you just happened to walk out of an Apple store. Depending on the city where you live, it’s sometimes not worth trading the potential safety of your financial security by putting your personal safety at risk. If you are mugged, they’ll likely steal your cards too, which also leaves your financial safety at risk.

And, if muggers rip off your cash, there is no replacement at all. It’s gone. Credit cards, especially Visa, MC and Amex branded cards, offer limited loss liability. So, if someone steals your card number and begins using it, your total loss is quite limited. The bank will pick up the tab on your behalf and then chase down the perpetrators for their involvement, attempting to get the money or merchandise back.

Basically, cash is unsafe and insecure if carried in large amounts. Whipping out your wallet and flashing that set of crisp $100s once is all it takes during a busy shopping season to get you mugged.

Use a debit card

Last, but not least, use a debit card. Though, while liability on your debit card might be higher (check your debit card terms), you have a known pin code that is required to buy anything. A pin code is a much stronger protection than a signature on a credit card. Basically, stores are not required to collect signatures for purchases. They can simply state ‘signature on file’ when that may not be true. This is how you can buy with a credit card from Amazon or Newegg without ever having to sign for your purchase. Even some retailers today are not asking for signatures on cards if the transaction amount is under $50.

Debit cards always require a pin for the transaction. With web site access today, pin codes are also relatively easily changed. You can also usually get the pin code changed long before the hackers are dipping into these cards to make purchases. Again, hackers prefer low hanging fruit. This means that most hackers would opt to use Visa, MC or Amex branded cards rather than trying to use someone’s personal debit card.

Though, keep in mind most debit cards issued by banks today contain a Visa or Mastercard logo. So, that means the card can be used like a credit card with a signature alone. Instead, you should ask your bank to send you a debit card without the logo. This card can only be used where debit cards are accepted or at ATM machines. It cannot be used to buy at places that don’t accept debit cards. Again, this keeps your card from becoming the lowest hanging fruit.

Limit your shopping days

When you do shop, keep your receipts so you know the date and time that you shopped and where. Keeping receipts is always smart if you need to return something, but it’s even smarter when there’s a data breach so you know if you may have been affected.

Also, limit your shopping to a limited number of places and keep a record of when and where (use receipts or write it down). Four months after the holiday shopping season when a breach is announced, you might not remember that you shopped at that random store that lost data, which then subsequently led to some random hacker racking up a large bill on your Visa card. In fact, you might only discover the breach yourself after you notice the large bill on your card.

If you limit the number of times you shop and use cards as suggested above, you can help eliminate your cards as being the easiest to rob.

Shop where breaches have previously occurred

This may seem counter to safe practices, but companies that have endured breaches are less likely to be breached again. This is especially true of big box retailers such as Target, Walmart and the like. These retailers have a whole lot to lose if they are breached a second time. It’s very likely that these companies’ networks are a whole lot more secure after the breach than before it.

Shopping at companies who have not yet had a breach doesn’t mean that their networks are secure any more than it means they are insecure. Yes, it could mean that. But, it could also mean that these not-yet-breached companies are lucky not to have been targeted. If hackers focus their sights on a victim, they will chip away at the security until they find a way in. They also have plenty of time to do it. Let’s also note that the way into a network may not be through the front door. The hackers could get in just as easily through an executive’s lost or stolen cellphone or notebook or a third party vendor (like an HVAC, plumbing or other contractor whose network might be less secure). Note that hackers may also work on several company networks at the same time until they find one to breach.

What about Sony?

Sony is a bit of an unusual case. Instead of strengthening their network security across the board, it seems their management team may have decided to only tighten security on the division that was compromised. Sony is a very large corporation containing many different entities all over the world. SCEA (the games division) was where the last breach occurred prior to this latest breach on the Motion Picture Group. So, anyone who has read through the MPG spreadsheet of salaries knows that there are at least 6 people in the US alone that are taking home well more than $1 million a year in salary. You would think that these highly paid staff would understand the risks of computer networks and make it their top priority to secure their personnel and other records through best security practices. Nope. For example, an easy best practice is to use a password to open a spreadsheet. Sure, these can be easy to crack, but that’s extra effort required on the part of the hacker.

Unfortunately, these people are not doing their jobs. Some could argue, it isn’t their job. Their job is to be Senior or Executive VP of blah. Part of being a Vice President is to make sure your company is secure. If you can’t ensure that your division is secure, then you shouldn’t be taking home a million dollars in salary. It’s quite simple. These people are way overpaid for the job they perform for Sony. I digress.

Sony is clearly a situation where the left hand doesn’t know what the right hand is doing, and frankly they don’t care as long as they walk away with their pay. So, what about Sony? Here’s the takeaway.

For any company that has been double or triple breached (like Sony), you should stay as far away from that company (like Sony) as you possibly can. Sure, you can buy Sony products at a retailer because the retailer is responsible for the transaction. But, you should not use Sony products that require storage of credit cards for payment. You should also not purchase software from any site that Sony owns. It’s crystal clear, Sony cannot be trusted and they seriously don’t care about data security. If you must purchase something from Sony, use a Sony branded gift card, Paypal, Google or Amazon checkout. These payment systems are not owned or operated by Sony, but can send payment to Sony for whatever it is you need to buy. But, don’t buy directly from Sony (or any other company) that has repeatedly been breached.

Best Practices for Personal Finances

While these are but a few best practices to protect your home finances, there are plenty more common sense approaches to keeping your finances secure. Here are a few top examples of how to secure your own finances:

  • Keep your credit cards in a safe place.
  • Regularly check your bank statements for unauthorized transactions. Some banks now offer email notification of suspicious activity, use it.
  • During the holiday season, make sure you know what stores you shopped by keeping receipts in a handy place.
  • Open a second bank account to move small amounts of money into when you need to purchase items online or in stores. Secure your primary account by limiting access to services like debit cards, ACH and other third party access. Use the second, much smaller account for these services. It’s easy to move money between accounts in the same bank using your phone app or on the web, so take advantage of this extra security.
  • Call the bank immediately if your card is lost or stolen. You should write down the number on the back of the cards into your smart phone so you have it in case the card is stolen or lost. Don’t write the account numbers down next to the phone number.
  • Make use of the free credit report you can get once a year and check your credit every year.
  • Don’t purchase from any retailer where they are not following proper credit card practices. For example, they should not have to double swipe your card, write the numbers down or ask for any further information aside from looking at the back of the card.
  • Don’t allow any retail cashier to walk away with your card. They should only need to hold the card long enough to look at it or swipe it once at the register.
  • While it is a regular practice for waitstaff to walk away with cards and bring them back to the table as a convenience, you should be wary of this practice. In fact, it might be best to take the check to the cashier at the place where they ring up your meal and watch them ring up your bill. Allowing waitstaff to walk away with your card out of sight means it could be duplicated, swiped through a cell phone or written down.
  • Throughout the holidays, you should search through a major news site for data breaches at least once a week. As soon as you hear of any store that has been breached where you may have shopped, you should ask for a replacement card if logo branded or change your pin immediately if debit. For Visa, Mastercard or Amex logo branded gift cards that may have been used at that retailer, you should call the number on the back to have a replacement sent immediately. Unused gift cards are not a problem.
  • Request your bank place a fraud watch on your account if you suspect anything amiss with your cards. You should also request a replacement card if you have any reason to believe your card number has been lost. Yes, I know that can be a hassle during the holiday season while you wait for a new card, but it can potentially save you thousands of dollars lost to a hacker.

Overall

It is up to you to secure your own home finances. Using the above best practices should help aid you in achieving that goal. But, you should immediately become suspicious of anyone who attempts to do anything out of the ordinary with your card. If a cashier asks to do something with your card that doesn’t make sense, you should immediately ask for the card back and call over the store manager to clarify what’s going on. If they are the only person in the store, you should leave without making the purchase, step out of the store and immediately call your bank and put a fraud watch on your card.

As the holiday shopping season gets fully underway, you need to be ever vigilant over your finances because the stores won’t do this for you. Worse, because there are many people who need money to meet their own bills and cover holiday shopping expenses, fraud and theft can be anywhere from anyone. That’s not to say that most people working at retail establishments aren’t screened and trustworthy, but for some people, the temptation of all of that money gets the better of them and they resort to taking other people’s money. By far and away, though, data breaches are the biggest problems of all because you don’t know who or where the attacker is. So, this is where you need to watch your finances closely and use your card in very limited amounts over the holidays. Use cash where you can, but don’t jeopardize your personal safety by carrying too much cash.

Wishing a happy and safe holiday season to everyone from Randocity!

How not to run a business (Part 7): Communication

Posted in business, data security by commorancy on March 1, 2014

Internal business communication is a problem in any company, especially as a company grows. When you have a 10 person team, it’s easy for everyone to know what everyone else is doing. When you’re a 500 person team, that challenge becomes quite a bit harder. How do you solve this problem for a 500 person company? Let’s explore.

Don’t expect all team members to know everything that’s going on

Foster a company that values communication, knowledge, excellence and teamwork. One of the biggest problems facing any company is that people, in their zeal to get things done rapidly, gloss over explanations of critical points. In email, it’s really apparent when you get that miles-long email thread that effectively tells you, “Read the 50-reply thread below and figure out what’s going on”. You do this only to realize that no relevant customer information, times and/or dates of the ‘problem’ are even described in that thread. Worse, you’ve spent 15 minutes reading it twice. It’s no wonder things don’t get done quickly and that customers complain of slowness.

Team members should provide ALL necessary information to everyone properly for expediency. It is the originating employee’s responsibility to describe all necessary information that identifies the customer in your company’s system. Without this basic information, someone will eventually have to stop and determine it. To solve this problem effectively, require the use of a ticketing system to track problems and make the ticketing system require input fields that force the employee reporting the problem to fill in all details properly. This completely avoids that 50-reply thread where not one person defines the most basic things needed.

Wasting time on deciphering a miles long email thread is pointless. It’s much more useful to get to the heart of the problem immediately. Use ticketing systems to manage these communication problems. Email is for quick questions and small discussions. Ticketing systems are for resolving problems. Use the right tool for the right reason.

Don’t let your employees post internal company information to internet sites

Internal information flow is for employee use only. Twitter, Reddit, Quora or even your own external blog or discussion forums are not the place for employee communication. Hire people to manage external facing customer information. Saying or doing the wrong thing on public facing media, especially when you become a public company, can hurt your company and can become a permanent part of Google’s search database for years.

Your corporate communications team (you do have one, right?) should strictly control public messaging. On the other hand, employees posting their own personal views on non-company related matters should not be restricted when they are off the clock and using personal assets and networks. As long as their posts have nothing whatever to do with company business, there should be no restrictions on employees’ after-hours use of social media.

Tweeting personal things while on the clock and using company equipment should be frowned upon, if for no other reason than that it reduces work productivity. If the employee does personal things during their break or lunch hour, it should not be restricted if performed from personal devices outside of company networks and not involving company business.

On the other hand, posting public communication involving the company or the company’s products on company time should be handled by the corporate communications team or with their approval. Saying the wrong thing in the wrong venue can cause irreparable damage to your company’s credibility or lose critical deals.

Don’t read every employee email or store them forever

While you can likely do this through auditing, it opens your business up to some legal issues. If the person reading another employee’s email becomes aware of something illicit that your team may or may not know about, it could lead to the company becoming an accomplice in whatever the act may have been. Without that knowledge, it’s much easier to deny involvement and to assert that the employee was acting on their own. That may or may not help your case, but it may prevent other personal lawsuits from arising.

Additionally, if you are reading employee email, that means it’s stored some place. Because it’s stored, it may fall under other problem areas like email retention. That doesn’t mean you shouldn’t archive emails sent by your employees, but keeping the emails stored too long is probably just as bad as reading them, in terms of legal problems. On one hand, you may need to know if an ex-employee made sales promises to a customer that were not documented anywhere else. On the other hand, when you have emails stored, they can be subpoenaed during discovery in a legal proceeding. If you purge them after the required legal retention periods, they’re not there to be discovered. At the same time, you may lose some historical information about your company. You have to make the call where to draw the retention line.

If you intend to keep backups of email, you should really only keep them for as long as the law allows, then purge them irrevocably from disk and all backups. Not having the information around can save your company from legal issues if an employee did something not sanctioned by the company.

Don’t use Google Apps, Postini, Appriver or other third party email servers without knowing how they work

If you outsource your company’s email system to a third party, you could open yourself up to lawsuits, loss of trade secrets or spying. You should always read that third party’s contract terms very carefully and ask for revisions to items with which you don’t agree. If that third party reserves the right to archive, store and possibly even read those emails, this could open your company up not only to lawsuit discovery, but also to lost company secrets, lost company contracts, lost revenue, hacked email or lost customers.

A third party does have the responsibility to maintain some level of privacy over contracted services, but you can’t control who that third party hires. If they happen to hire a person or contractor with malicious intent, you’re vulnerable. Simply by using a third party, you’re at risk. In other words, that third party could end up hiring your competitor to provide some fundamental service that is a conflict of interest to your business. Also, email hosting providers selling services to large corporate entities are prime targets for attack. Beware of these risks involving third party providers. While using such a third party service may appear less expensive, you have to understand the hidden costs of running your business through any third party service. Only you can weigh those risks and benefits.

Even more, you’re also at the mercy of that third party’s security processes. If their process is not as stringent as yours, your company secrets could be at risk. If you don’t know the level of security that the third party provider offers, you could be in a world of hurt if their email server is compromised and a bunch of your private company email appears on internet forums or on CNN.

Don’t pass trade secrets or confidential company information in plain text email

While you can’t rule out a corporate mole within your own organization, it’s far easier to lose your trade secrets through email communication than through any other medium. If that communication uses a third party, you’re really at risk since few companies require encrypted email. If you choose to use email communication through a third party cloud provider, you should require that each employee send and use encrypted communications when discussing trade secrets, large customer deals, financial information or even customer lists.

Setting up GPG, while not necessarily trivial, is one way to combat sending such easily viewed emails. Even the simple act of someone reading an email at home on their iPhone will transfer that email data across the internet in plain text that can be read by anyone along the way. Email encryption keeps the message from any eyes other than the intended recipient’s. Not all email communication requires encryption, but for those messages that do, encryption can be the difference between a lost deal and winning that deal.

The bigger your company gets, the more targeted it will be for espionage.

Don’t rely on chat systems to take the place of email

Chat systems are fleeting. These messages are easily lost. If you need records to be stored of your employees’ time use, then you should require email or ticketing to manage this. Chat is not always productive, but it can be helpful for getting answers to questions rapidly. But don’t have your employees rely on chat to execute sensitive system procedures, especially if your company is using AOL, YMessenger or any other third party hosted chat system. Instead, for new procedures, use a local phone conference system. Voice chat is much more interactive, less error prone and, when combined with screen sharing, can provide much better methods of disseminating information. Once the process has been nailed down, place it into an onsite Wiki that can be reviewed as a knowledgebase. Use a chat system for what it’s best at doing: writing quick, small, fleeting messages.

Don’t rely on third party services to run your entire communication business

If you can afford it, you should build and operate your own corporate communication systems behind your own corporate network infrastructure. If you farm out any part of your corporate communications to a third party provider, your communication is at risk: risk from theft, from espionage, from hacking and from data retention that’s all out of your control. Instead, to control all of your communications (both internal and external), you will want to own all communication systems including ticketing, email and chat services. While you can’t own mobile device networks, you can own when and how they are to be used for communication.

Don’t forget to encourage employees to communicate regularly

While meetings are great ways of getting a lot of people on the same page at once, those who aren’t in the room during that meeting won’t have any clue. It’s also easy to forget who attended a meeting after the meeting ends, so always make sure to encourage people who attended the meeting to communicate with those who didn’t attend and with whomever needs to know.

Also, require someone to keep meeting notes at all meetings and post the notes to a common department page after the meeting concludes. Better, require recording of meetings and store the meeting recordings as mp3 files for easy access and download. This not only allows those not in attendance to catch up on what was said, it also keeps those who were in attendance from claiming something was or wasn’t said. Basically, recordings keep everyone honest and informed. Remember to apply data retention policies to all archived meeting recordings.

Don’t tolerate employees who claim ignorance on what they have previously said

For any manager, director, VP or regular employee, honesty is the best policy. Keeping your employees honest keeps the company functioning correctly. However, an employee who regularly uses the ‘I never said that’ defense is usually indicating that they did say it at some point. Employees should not be allowed to get away with that defense, especially when it is found via email (or through recordings) that they did say whatever they claim they didn’t.

Employees who use that defense more than twice and who have been found to have said it should be officially written up and placed on a performance plan. Any further transgressions should be met with swift removal from the position. Honest communication is the key. Anyone intentionally sabotaging that goal by using this defense should be swiftly stopped and/or removed. Few things make a company’s communication more dysfunctional and waste more time than having to deal with unnecessary diversions (e.g. having to prove someone else wrong).

Instead, employees should always focus on the business at hand, not on doing historical research projects to find out what someone may or may not have said.

Don’t encourage employees to keep other employees in the dark

Barring salary and compensation details and upcoming earnings information, there are very few business topics that cannot be communicated to any employee in the company. Granted, some information may not be necessary for a specific person’s job role. There is no reason, though, that a person who manages IT couldn’t know the DSO number of a collections associate in Finance. This is not secret information. It may not be necessary information for that IT person’s job, but it should not be in any way a secret. Not passing unnecessary information is considered okay, but if someone asks, it’s not a secret.

In the spirit of this section, all critical business information needs to be sent to everyone who needs to know. For example, when sales deals are closing, sales employees need to disclose all promises made to the customer, and that information needs to be disseminated to all employees potentially impacted by those promises. Passing the information along is not necessarily there to prevent the deal from happening, but to allow anyone with extenuating information to inform the sales person of the business constraints impacting those promises. In other words, sales people need a technical conscience. The only way to manage this is to involve a technical person to help rein in the sales person and set proper expectations. Barring the use of a technical person in every sales deal, the promises need to be disseminated to the technical teams to ensure the deal can be closed without problems.

If special provisions are needed for some promises, then the prospect needs to be informed of when those special provisions may become available. The last thing you want your sales person doing is making a promise without telling anyone. That’s the quickest way to not only lose the deal, but also to face refunds months later when the promises cannot be kept (and the sales person has spent their commission check after having left the company).

Communication Reality

Checks and balances can only be performed with proper communication to all teams and by not keeping employees in the dark. If you find a member of your sales team making promises without informing people in a timely manner, this person should be reprimanded and written up. Further transgressions should be met by showing them the exit door.

Communication is always a challenge, and keeping the communication flowing is the only way to ensure smooth business operations. It’s when communication stops, lags or is held back until it’s too late that it becomes a business continuity problem. As a company grows larger and larger, communication will suffer. When a company becomes divided by geographic boundaries, communication becomes not only worse, but compartmentalized. What one office may know, another won’t. That’s a recipe for problems all around. Unfortunately, that’s also the problem that most very large companies like AT&T and Verizon face today. With 10,000 or more employees, communication between all of these employees will greatly suffer, and that is one of the reasons that ticketing and process flows become the single most important communication tool in a super sized company.

However, having only 50 employees doesn’t mean your communication can’t suffer. Every company can improve communication by using the right tools.

Part 6 | Part 7.1 | Part 8 | Chapter Index Page

iPhone Risk: Your Employer and Personal Devices

Posted in best practices, cloud computing, computers, data security, Employment by commorancy on May 5, 2013

So, you go to work every day with your iPhone, Android phone or even an iPod. You bring it with you because you like having the convenience of people being able to reach you or because you listen to music. Let’s get started so you can understand your risks.

Employment Agreements

We all know these agreements. We typically sign one whenever we start a new job. Employers want to make sure that each employee remains responsible throughout employment, and some even require that employee to remain responsible after leaving the company for a specified (or sometimes unspecified) period of time. That is, these agreements make you, as an employee, personally responsible for not sharing things that shouldn’t be shared. Did you realize that many of these agreements extend to anything on your person and can include your iPhone, iPod, Android Phone, Blackberry or any other personal electronic device that you carry onto the property? Thus, the Employment Agreement may allow your employer to seize these devices to determine if they contain any data they shouldn’t contain.

You should always take the time to read these agreements carefully and thoroughly. If you don’t or can’t decipher the legalese, you should take it to an attorney and pay the fee for them to review it before signing it. You might be signing away too many of your own personal rights, including rights over anything you may be carrying on your person.

Your Personal Phone versus Your Employer

We carry our personal devices to our offices each and every day without really thinking about the consequences. The danger, though, is that many employers now allow you to load up personal email on your own personal iDevices. Doing this can especially leave your device at risk of legal seizure or forfeiture under certain conditions. So, always read Employment Agreements carefully. Better, if your employer requires you to be available remotely, they should supply you with all of the devices you need to support that remote access. If that support means you need to be available by phone or text messaging, then they should supply you with a device that supports these requirements.

Cheap Employers and Expensive Devices

As anyone who has bought an iPhone or an Android phone can attest, these devices are not cheap. Because many people are buying these for their own personal use, employers have caught on to this and leech off this freebie by allowing employees to use their own devices for corporate communication purposes. This is called a subsidy. You are paying your cell phone bill and giving part of that usage to your employer, unless your employer is reimbursing you for part or all of your plan rate. If you are paying your own bill without reimbursement, but using the device to connect to your company’s network or to corporate email, your device is likely at high risk should there be a legal need to investigate the company for any wrongdoing. This could leave your device at risk of being pulled from your grasp, potentially forever.

If you let the company reimburse part or all of your phone bill, especially on a post-paid plan, the company could seize your phone on termination as company property. The reason: post-paid plans pay for the cost of the phone as part of your bill. If the company reimburses more than 50% of the phone cost as part of your bill, they could legally own the phone at the end of your employment. If the company doesn’t reimburse your plan, your employer could still seize your device if you put corporate communication on your phone, because it then contains company property.

What should I do?

If the company requires that you work remotely or have access to company communication after hours, they need to provide you with a device that supports this access. If they are unwilling to provide you with a device, you should decline to use your personal device for that purpose. At least, you should decline unless the employment agreement specifically states that they can’t seize your personal electronics. Although, most employers likely won’t put a provision in that explicitly forbids them from taking your device. Once you bring your device on the property, your employer can claim that your device contains company property and seize it anyway. Note that even leaving it in your car could be enough if the company WiFi reaches your car in its parking space.

Buy a dumb phone and use that at work. By this I mean, buy a phone that doesn’t support WiFi, doesn’t support a data plan, doesn’t support email, doesn’t support Bluetooth and doesn’t support any storage that can be removed. If your phone is a dumb phone, it cannot be claimed that it could contain any company file data. If it doesn’t support WiFi, it can’t be listening in on company secrets. This dumb phone basically requires your company to buy you a smart phone if they need you to have remote access to email and always-on Internet. It also prevents them from leeching off your personal iPhone plan.

That doesn’t mean you can’t have an iPhone, but you should leave it at home during work days. Bring your dumb phone to work. People can still call and text you, but the phone cannot be used as a storage vehicle for company secrets (unless you start entering corporate contacts into the phone book). You should avoid entering any company contact information in your personal phone’s address book. Even this information could be construed as confidential data and could be enough to have even your dumb phone seized.

If they do decide to seize your dumb phone, you’ve only lost a small amount of money in the phone and it’s simple to replace the SIM card in most devices. So, you can probably pick up a replacement phone and get it working the same day for under $100 (many times under $30).

Request to Strike Language from the Employment Agreement

Reading through your Employment Agreement can make or break the deal of whether or not you decide to hire on. Some Employment Agreements are way overreaching in their goals. Depending on how the management reacts to your request to strike language from the Employment Agreement may tell you the kind of company you are considering. In some cases, I’ve personally had language struck from the agreement and replaced with an addendum to which we both agreed and signed. In another case, I walked away from the position because both the hiring and HR managers refused to alter the Employment Agreement containing overreaching language. Depending on how badly they want to fill the position, you may or may not have bargaining power here. However, if it’s important to you, you should always ask. If they decline to amend the agreement, then you have to decide whether or not the position is important enough to justify signing the Agreement with that language still in place.

But, I like my iPhone/iPad/iPod too much

Then, you take your chances with your employer. Only you can judge your employer’s intent (and only by reading your employment agreement). When it comes down to brass tacks, your employer will do what’s right for the company, not for you. The bigger the company gets, the more likely they are to take your phone and not care about you or the situation. If you work in a 1000+ employee company, your phone seizure risk greatly increases. This is especially true if you work in any position where you may have access to extremely sensitive company data.

If you really like your device, then you should protect it by leaving it someplace away from the office (and not in your car parked on company property). This will ensure they cannot seize it from you when you’re on company property. However, it won’t stop them from visiting your home and confiscating it from you there.

On the other hand, unlike the dumb phone example above, if they seize your iPhone, you’re looking at a $200-500 expense to replace the phone plus the SIM card and possibly other expenses. If you have synced your iPhone with your computer at home and data resides there, that could leave your home computer at risk of seizure, especially if the Federal Government is involved. Also, because iCloud now stores backups of your iDevices, they could petition the court to seize your Apple ID from Apple to gain access to your iDevice backups.

For company issued iPhones, create a brand new Apple ID using your company email address. Have your company issued phone create its backups in your company created Apple ID. If they seize this Apple ID, there is no loss to you. You should always, whenever possible, create separate IDs for company issued devices and for your personal devices. Never overlap personal and company login IDs, no matter how tempting it may be. This includes doing such things as linking your personal Facebook, Google, LinkedIn, Yahoo or any other personal site accounts to your corporate issued iPhone or Apps. If you take any personal photographs using your company phone, you should make sure to get them off of the phone quickly. Better, don’t take personal pictures with your company phone. If you must sync your iPhone with a computer, make sure it is only a company computer. Never sync your company issued iPhone or iPad with your personally owned computer. Only sync your device with a company issued computer.

Personal Device Liabilities

Even if during an investigation nothing is turned up on your device related to the company’s investigation, if they find anything incriminating on your device (e.g., child porn, piracy or any other illegal things), you will be held liable for those things they find as a separate case. If something is turned up on your personal device related to the company’s investigation, it could be permanently seized and never returned. So, you should be aware that if you carry any device onto your company’s premises, your device can become the company’s property.

Caution is Always Wise

With the use of smart phones comes unknown liabilities when used at your place of employment. You should always treat your employer and place of business as a professional relationship. Never feel that you are ‘safe’ because you know everyone there. That doesn’t matter when legal investigations begin. If a court wants to find out everything about a situation, that could include seizing anything they feel is relevant to the investigation. That could include your phone, your home computer, your accounts or anything else that may be relevant. Your Employment Agreement may also allow your employer to seize things that they need if they feel you have violated the terms of your employment. Your employer can also petition the court to require you to relinquish your devices to the court.

Now, that doesn’t mean you won’t get your devices, computers or accounts back. But, it could take months if the investigation drags on and on. To protect your belongings from this situation, here are some …

Tips

  • Read your Employment Agreement carefully
  • Ask to strike language from Agreements that you don’t agree with
  • Make sure agreements with companies eventually expire after you leave the company
  • NDAs should expire after 5-10 years after termination
  • Non-compete agreements should expire 1 year after termination
  • Bring devices to the office that you are willing to lose
  • Use cheap dumb phones (lessens your liability)
  • Leave memory sticks and other memory devices at home
  • Don’t use personal devices for company communication (e.g., email or texting)
  • Don’t let the company pay for your personal device bills (especially post-paid cell plans)
  • Prepaid plans are your friend at your office
  • Require your employer to supply and pay for iDevices to support your job function
  • Turn WiFi off on all personal devices and never connect them to corporate networks
  • Don’t connect personal phones to corporate email systems
  • Don’t text any co-workers about company business on personal devices
  • Ask co-workers to refrain from texting your personal phone
  • Use a cheap mp3 player without WiFi or internet features when at the office
  • Turn your personal cell phone off when at work, if at all possible
  • Step outside the office building to make personal calls
  • Don’t use your personal Apple ID when setting up your corporate issued iPhone
  • Create a new separate Apple ID for corporate issued iPhones
  • Don’t link iPhone or Android apps to personal accounts (LinkedIn, Facebook, etc)
  • Don’t take personal photos with a company issued phone
  • Don’t sync company issued phones with your personally owned computer
  • Don’t sync personal phones with company owned computers
  • Replace your device after leaving employment of a company

Nothing can prevent your device from being confiscated under all conditions. But, you can help reduce this outcome by following these tips and by segregating your personal devices and accounts from your work devices and work accounts. Keeping your personal devices away from your company’s property is the only real way to help prevent it from being seized. But, the company could still seize it believing that it may contain something about the company simply because you were or are an employee. Using a dumb prepaid phone is probably the only way to ensure that on seizure, you can get a phone set up and your service back quickly and with the least expense involved. I should also point out that having your phone seized does not count as being stolen, so your insurance won’t pay to replace your phone for this event.

Security tip: Don’t sign-up for sites without ‘delete account’ function

Posted in data security, security by commorancy on April 2, 2012

As security of data becomes more and more important and as security breaches become more and more frequent, the ‘delete account’ link becomes very important. So many sites today allow you to enter information such as credit cards, birth dates and other sensitive information, but many times they don’t allow you to delete that information (or your account) easily. In some cases, you can’t delete your data at all. It’s important to understand why it’s critical to have the option to delete your account (and all data associated with it). Let’s explore.

Account Security

Few people consider account security when signing up for an internet service like Facebook, Twitter, MySpace or even Yahoo or Google. As more and more sites become victims of security breaches, without deletion of old dormant accounts, your data is sitting out there ripe for the picking. In some cases, these accounts may have stored credit card, social security or other potentially sensitive or revealing data. So, when you begin that sign-up process, it’s a good idea to check the help pages on how to delete your account information before you sign up.

Old Dormant Accounts

We all have them. We signed up for a site 4 years ago and then either never used it or used it only a few times. Don’t leave old dormant accounts sitting unattended. Delete them. You don’t need some random hacker gaining access to the account or, worse, obtaining the password through a break-in to that site. If they obtain an old password, it’s possible that they may now have access to all of your accounts all over the net (assuming you happen to use a single password at all sites).

If you are using a single password, change your passwords so they are all unique. If you can’t do this, then find the delete button on all these old accounts. If you can’t remember what you’ve signed up for, then that’s beyond the scope of this article. Still, deletion is the best option for avoiding unintended intrusion into other important accounts, so delete old accounts.

No Delete Function?

There are two ways to handle this one.

  1. Delete all data that you can from the account, then find a random password generator and change the password to a randomly generated password. Do not keep a copy of the password and never use it again. Basically, you have locked the account yourself. If someone does access the account through the web, they won’t get anything. If they break into the site and gain access to the passwords, they will get a randomly generated password that leads them nowhere.
  2. Contact the site administrator and ask to have the account completely deleted without a trace. Sometimes they can, sometimes they can’t. It depends on how the site was designed. It’s always worth asking.

New Accounts at New Sites

When signing up for new accounts, if you cannot find a way to delete the account, then contact the administrator and explain that you would join the site, but you cannot find a way to delete the account when you no longer wish to have one.  If they state that there isn’t a deletion function, explain to them that until they implement this function, you can’t use the site, and walk away.  Note that there is nothing more important than your own personal data security, and you have to be the champion of that security because no one else will.  If sites refuse to implement deletion functionality, then don’t use the site.  There is no site functionality that is more important than your data security.

No Reason for Lack of Delete Function

In fact, there is absolutely no reason, other than sheer laziness, to not implement a delete function in any internet web site.  If it can be added, it can be deleted.  It’s very simple.  I know, some developers are going to say, “Well, it’s not that easy”.   That’s a total crock.  It is that easy.  If you have developed software that is incapable of deleting user account information, then you are either seriously inept as a programmer or you simply don’t understand what you are doing.  There is no excuse at all for not adding a delete function to any site (including deletion of a user account).  To my knowledge, there is no operating system or database that does not have the ability to delete data.  Not adding this feature is just not acceptable.  Always demand this feature if you cannot find it.
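To show that “if it can be added, it can be deleted” really is that simple, here is an added example (not code from the original post) of an account delete function over a small constructed schema.  It assumes a SQLite database with hypothetical `users`, `payment_cards` and `sessions` tables; the point is that once the dependent tables declare `ON DELETE CASCADE` on their `user_id` foreign key, deleting the user row removes every piece of data tied to that account in one statement, and the code then verifies that nothing is left behind.

```python
import sqlite3

# Constructed schema for the example: every table that stores data on
# behalf of a user points back at users(id) with ON DELETE CASCADE, so
# one DELETE on users takes the cards and sessions with it.
SCHEMA = """
CREATE TABLE users (
    id            INTEGER PRIMARY KEY,
    email         TEXT NOT NULL UNIQUE,
    password_hash TEXT NOT NULL
);
CREATE TABLE payment_cards (
    id      INTEGER PRIMARY KEY,
    user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE,
    last4   TEXT NOT NULL
);
CREATE TABLE sessions (
    token   TEXT PRIMARY KEY,
    user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE
);
"""


def open_db():
    """Open an in-memory database with the constructed schema."""
    conn = sqlite3.connect(":memory:")
    # SQLite ignores foreign-key actions entirely unless this pragma is on;
    # forgetting it is the classic way a "cascade" silently does nothing.
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn


def seed(conn):
    """Insert two constructed users, each with one card and one session."""
    ids = {}
    with conn:
        for name in ("alice", "bob"):
            cur = conn.execute(
                "INSERT INTO users (email, password_hash) VALUES (?, ?)",
                (f"{name}@example.com", "placeholder-hash"),
            )
            ids[name] = cur.lastrowid
            conn.execute(
                "INSERT INTO payment_cards (user_id, last4) VALUES (?, ?)",
                (ids[name], "4242"),
            )
            conn.execute(
                "INSERT INTO sessions (token, user_id) VALUES (?, ?)",
                (f"session-{name}", ids[name]),
            )
    return ids


def delete_account(conn, user_id):
    """Delete a user and, via the cascades, all data tied to the account.

    Returns the number of user rows removed (0 if the id did not exist).
    """
    with conn:  # commits on success, rolls back if anything fails
        cur = conn.execute("DELETE FROM users WHERE id = ?", (user_id,))
        return cur.rowcount


def remaining_rows_for(conn, user_id):
    """Count rows in the dependent tables still referencing this user."""
    cards = conn.execute(
        "SELECT COUNT(*) FROM payment_cards WHERE user_id = ?", (user_id,)
    ).fetchone()[0]
    sessions = conn.execute(
        "SELECT COUNT(*) FROM sessions WHERE user_id = ?", (user_id,)
    ).fetchone()[0]
    return cards + sessions


if __name__ == "__main__":
    db = open_db()
    users = seed(db)
    print("deleted users:", delete_account(db, users["alice"]))
    print("alice rows left:", remaining_rows_for(db, users["alice"]))
    print("bob rows left:", remaining_rows_for(db, users["bob"]))
```

The check at the end is the part worth copying: a delete function that removes the login row but leaves card numbers or session tokens orphaned in other tables is exactly the “can’t delete” situation the post complains about, only hidden from the user.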

Pre-existing Site Accounts

I know that some of you may have joined sites ages ago when data security breaches were less common than today.  Back then, account delete functions may not have been available.  This may have been carried forward and these sites may still not have delete functions.  Demand that the developers add this functionality.  If you are an avid user, you should always demand this functionality.  You never know when something may change that may require you to delete your account at that site… like a data breach.  Security is important and your personal ability to delete your account is your right and should not be undermined.  Again, always demand this feature from the sites you frequent if it is not present.

I challenge you to visit all of the sites you regularly use and locate the delete account function.  I’ll bet that more than 50% of the time, it’s not there.  Demand that this feature be implemented, if for nothing else than your own personal peace of mind in case you need it.  It’s like the insurance policy you buy: the delete account feature is your insurance policy against unauthorized access, ready whenever you need to exercise this option.  However, you cannot delete your data if the functionality is not there, so always make sure the delete feature exists before you sign up.
