How much did the power outage at Delta cost? | Reuters

In the world of technology, it is often very hard to put a dollar figure on an event. A power outage is particularly hard to price, but when that outage hits the physical world (people flying) and your customers (those same people) there is an opportunity to do some math.

Now I don’t know the full math, but the idea of a SkyMiles credit seems like a good starting point. And THANK YOU, Delta, for the credit: it wasn’t expected and is an awesome surprise.

The credit email reads, “As a valued Medallion® member, you expect more, which is why we’ve added 20,000 bonus miles to your SkyMiles account.” And from Reuters we know that roughly 451 flights were canceled. My own flight was canceled on Wednesday, which is pretty far removed from the Monday event, but we’ll keep the numbers conservative and take the total flight disruptions from the power outage as 451.

451 planes × 110 passengers (average per-plane guesstimate) × 20% (share with enough status to get a credit) × 20,000 miles = 198,440,000 miles

… 1 SkyMile is worth roughly 1.3 cents

So … 198,440,000 miles × 1.3 cents = $2,579,720

… Of course, if we assume EVERYONE on those flights got the miles (451 × 110 × 20,000 = 992,200,000 miles), that would cost Delta $12,898,600 in SkyMiles credits alone.

Article on the power outage:

Atlanta-based Delta, the second-largest U.S. airline by passenger traffic, said it had canceled 451 flights after a power outage that began around 2:30 a.m. EDT (0630 GMT) in Atlanta. Flights gradually resumed about six hours later.

Source: Power outage at Delta causes flight cancellations, delays | Reuters

CNBC shows how not to handle a security screwup

Sometimes the best lessons happen in public and are based on our mistakes. Take a look at the series of errors CNBC made while collecting passwords from its online readers. The commentary is a bit wild, but I think the passion shows the level of expectation held for such a reputable business.

When someone entered a password into the text box and hit the button, a lot more was going on than a test. The password was being sent over the site’s http (unencrypted) connection to CNBC’s third-party partners, such as ScorecardResearch and SecurePubAds (DoubleClick).

After posting the findings on Twitter, a researcher who works on Let’s Encrypt (free, easy https for websites) joined the dogpile. He added that — inexplicably — CNBC was also saving the passwords to a Google Docs spreadsheet when the user hit “submit.”

Source: CNBC shows how not to handle a security screwup

Two more healthcare networks caught up in outbreak of hospital ransomware through very old vulnerability | Ars Technica

I have been developing a cybersecurity exploitation and threat lifecycle model, and this article caught my attention because it highlights the evolution in how ransomware is deployed. Initially spread through phishing, it is now being delivered as the payload of attacks that exploit a server-side vulnerability. Interesting.

This also establishes an interesting baseline cost for not safeguarding a network environment. Because the attacks are becoming automated (automatic identification of a server running a known vulnerability, then automatic installation of malware, which then automatically spreads across the network and holds it for ransom), they scale easily, and an exposed, unpatched server is close to certain to be hit. More thoughts, developed with hard data, to come on this topic.

“This is really one of the first times we’ve seen ransomware spread by a network vulnerability,” Craig Wilson of Talos Research told Ars, …The malware, called “Samsam” by Talos, uses old, very public exploits right out of JexBoss—an open source vulnerability testing tool for JBoss. Once the malware has a foothold on the server, it spreads to Windows machines on the same network. “I wouldn’t be surprised if this [malware approach] was extended toward WordPress and other content management systems,” Wilson said. “This is really just the natural progression of ransomware.”

Source: Two more healthcare networks caught up in outbreak of hospital ransomware | Ars Technica
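A first detection step for the chain described above (a scanner probes a JBoss management endpoint, then pushes its payload through it), as an added example that is not code from the Ars article, Talos, or the JexBoss project. The endpoint list is an assumption about the paths such scanners check, and the access-log lines are constructed samples using documentation IP ranges.

```python
"""Flag access-log lines that probe well-known JBoss management endpoints.

Added example for this post; not code from the Ars article, Talos, or the
JexBoss project. JBOSS_MGMT_PATHS is an assumed list of the paths such
scanners check, and SAMPLE_LOG is constructed for illustration.
"""
import re
from collections import defaultdict

# Paths exposed by older unauthenticated JBoss deployments and routinely
# probed by JexBoss-style scanners (assumed list; check your own server).
JBOSS_MGMT_PATHS = (
    "/jmx-console/",
    "/web-console/",
    "/invoker/jmxinvokerservlet",
    "/invoker/ejbinvokerservlet",
    "/admin-console/",
)

# Apache/Nginx combined log format:
#   ip ident user [timestamp] "METHOD path PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return the fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_jboss_probe(path):
    """True if the request path targets a JBoss management endpoint."""
    bare = path.split("?", 1)[0].lower()   # drop query string, normalise case
    return any(bare.startswith(p) for p in JBOSS_MGMT_PATHS)


def find_probes(lines):
    """Group matching requests by source IP: {ip: [(method, path, status), ...]}."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_jboss_probe(rec["path"]):
            hits[rec["ip"]].append((rec["method"], rec["path"], int(rec["status"])))
    return dict(hits)


def reachable_endpoints(hits):
    """Keep only probes the server answered 2xx: the endpoint exists and
    responded, which is the precondition the automated chain needs.
    A 2xx on a POST to an invoker servlet is the strongest signal here."""
    return {
        ip: [h for h in recs if 200 <= h[2] < 300]
        for ip, recs in hits.items()
        if any(200 <= h[2] < 300 for h in recs)
    }


# Constructed sample log (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [28/Mar/2016:02:14:03 +0000] "GET /jmx-console/ HTTP/1.1" 200 5123',
    '203.0.113.7 - - [28/Mar/2016:02:14:04 +0000] "POST /invoker/JMXInvokerServlet HTTP/1.1" 200 312',
    '198.51.100.4 - - [28/Mar/2016:02:15:10 +0000] "GET /web-console/Invoker HTTP/1.1" 404 210',
    '192.0.2.10 - - [28/Mar/2016:02:16:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '203.0.113.7 - - [28/Mar/2016:02:16:30 +0000] "GET /admin-console/?x=1 HTTP/1.1" 302 0',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    probes = find_probes(SAMPLE_LOG)
    for ip, recs in reachable_endpoints(probes).items():
        for method, path, status in recs:
            print(f"{ip} reached {method} {path} ({status})")
```

A 404 on these paths tells you someone is scanning; a 200, especially on a POST to an invoker servlet, tells you the management interface is reachable from that client and the patch-or-isolate decision is overdue. Run it over real logs by replacing SAMPLE_LOG with the lines from your access log.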

Make Sure You Don’t Miss These Peer2Peer Sessions at RSAC 2016 | RSA Conference: How not to be hacked highlighted

The largest information security conference is upon us, and after a great reception at conferences and chapter meetings including InfraGard, ISACA, the Technology Association of Georgia, and Fulton County, I am ready for RSA. I have been following and building this research for nearly two years, and I can’t wait to hear fresh insights and perspectives at RSA to make everyone better. Curious about the session? Here is some Q&A about it. Please join me at the session or grab me for coffee during the event!

1. How Not to Be Hacked—Take the Advantage (P2P2-R08)

Who are the attendees who will most benefit from—and contribute to—this Peer2Peer session? Do you have a specific role or job title in mind? Or even the kind of skills and mindset you are looking for?

  • Seeking attendees who are: trendsetters, change agents, visionaries, and passionate people seeking to make a difference one life at a time
  • Titles of those who will contribute to the session: Product Security Leaders, Parents, and Directors of Security

Why do you believe that your topic is important for the information security industry—and your attendees—to be thinking about?

  • Important to the industry: Today 3.1 billion people are online and are neither empowered nor informed, making it impossible to secure every app and device.
  • Important to you: Empowering people to protect themselves prevents human trafficking, enhances quality of life, and limits negative digital events.

Challenge: Are YOUR family members, parents, children, and friends safe and secure online today because of your profession?

Can you describe one or two things you would like the attendees to think about prior to the session, as a way to prepare themselves for the discussion? 

  • What do you do habitually when navigating to a new website? What do you check? Do you type in URL? Do you Google it?
  • How do you protect your children on social media sites? Do you use manual reviews, monitoring software, account management, denial?

What kind of outcome are you hoping for at the end of the session? What will attendees walk away with afterwards?

Desired outcome: A fresh look and optimism on how to transfer habits of highly knowledgeable security professionals to regular people.

Takeaways:  Specific simple and highly potent techniques and tips to make the digital world safer and happier for our friends, family, and colleagues.

See the book on Amazon here (best anti-hacking investment you’ll ever make for your parents): How Not To Be Hacked

Source, RSA Conference Official Site: Make Sure You Don’t Miss These Peer2Peer Sessions at RSAC 2016 | RSA Conference

Ten Principles of Opportunity and Crime – INDEPENDENT SECURITY CONSULTANTS

Preparing for the InfraGard keynote, I have been digging into criminal psychology, and specifically the concept of opportunity. If you’ve heard me speak this year, you’ve been exposed to the concept as I’ve applied it to online crime.

Rutgers School of Criminal Justice professors Marcus Felson and Ronald V. Clarke developed the Ten Principles of Opportunity and Crime, which describe how opportunities, or vulnerabilities, are a root cause of crime. I’ve highlighted the last two of their ten principles below. I’d encourage those in the cybersecurity industry, and anyone seeking to safeguard sensitive data (private or IP), to read these with an open mind. I believe they expose an incorrect assumption and an opportunity to approach cybersecurity differently.

Principle 9: reducing opportunities does not usually displace crime. Crime displacement is the idea that blocking crime at one facility forces it to another, less hardened facility. Displacement does occur, but it is far from absolute.

Finally, principle 10: focused opportunity reduction can produce wider declines in crime. This is the concept of diffusion of benefits, the process by which increased security measures at one location may also benefit neighboring facilities.

Source: Ten Principles of Opportunity and Crime – INDEPENDENT SECURITY CONSULTANTS

P.S. To understand how to keep you and your family safe, buy the definitive guide for regular people, How Not To Be Hacked, today!

Chromium Blog: Introducing the Security Panel in DevTools

Love seeing Google push its larger developer base toward more transparency and faster iteration. The greatest advantage I see here (and it is consistent with my analysis of the leading product companies) is the shift of quality testing and activities, security included, toward the developer.
This is a key attribute: developers own security because they are closest to the product and to the areas that develop into issues.
Looking forward to seeing everyone at RSA this year as I speak on How Not To Be Hacked! I am looking for collaborators on my effort to protect children in a connected world.

IoT future: The world’s tiniest temperature sensor is powered by radio waves

All things technology interest me, and my research and professional work (developing products, building efficient technology operation centers, and managing vast cyber-related assets) give me a good view of where we are and where we need to be. Our dependence on technology continues to deepen at every level of life. I am not speaking only of social connection through Facebook and Snaps, but of technology that is being embedded in our brains, hearts, homes, and cars, that manages the electricity to our homes, balances the nuclear reactions at power plants, and precisely throttles our water purification systems. Its reliability is paramount to survival.

It is our opportunity to ensure that technology continues to benefit life and enjoyment, but that comes at the cost of active persistence in striving for high-quality performance. Yes, performance does include security. A car can be fully maintained and the best money can buy, but if the lock doesn’t lock it’ll quickly be stolen.

I have been tracking a technology in development in which tiny sensors are powered by radio waves, allowing them to operate without ever needing a recharge. They are extremely small (grain-of-sand small) and can be used for a vast range of (currently) single-purpose applications. A recent thesis from researchers at TU/e marks a milestone, and I have highlighted the possibilities below, along with a bit of the article. Enjoy.

  • The sensor’s current range is 2.5 centimeters; the researchers expect to reach 1 meter within a year
  • Sensor size is 2 square millimeters
  • Can be painted onto walls, added to concrete, or mixed into latex (insert fantastic spy usage here)
  • Is powered by radio waves in the room, provided by a “router” that directs radio waves at the sensor and receives its data

The sensor stores that energy and, once there is enough, the sensor switches on, measures the temperature and sends a signal to the router. This signal has a slightly distinctive frequency, depending on the temperature measured. The router can deduce the temperature from this distinctive frequency. The same technology enables other wireless sensors to be made, for example to measure movement, light and humidity. The application areas are enormous, Baltus says, ranging from payment systems and wireless identification to smart buildings and industrial production systems. They won’t be expensive either: mass production will keep the cost of a sensor down to around 20 cents.

The project, called PREMISS, has received funding from the STW technology foundation. The title of Hao Gao’s thesis is ‘Fully Integrated Ultra-Low Power mm-Wave Wireless Sensor Design Methods’.

Source: The world’s tiniest temperature sensor is powered by radio waves

Think outside the box,