Monthly Archives: February 2014

News: Cars damaged by sinkhole at National Corvette Museum identified

Credit: National Corvette Museum


Eight Corvettes at the National Corvette Museum in Bowling Green are gone after a sinkhole opened under the Skydome portion of the facility Wednesday morning.

According to a news release, the museum’s security company alerted officials around 5:44 a.m. Wednesday when movement in the Skydome set off motion detectors.

Museum officials said when they arrived at the building they discovered the sinkhole and the Bowling Green Fire Department secured the area.

The release stated the following cars were affected:

  • 1993 ZR-1 Spyder on loan from General Motors
  • 2009 ZR1 “Blue Devil” on loan from General Motors

The other six vehicles were owned by the National Corvette Museum including:

  • 1962 Black Corvette
  • 1984 PPG Pace Car
  • 1992 White 1 Millionth Corvette
  • 1993 Ruby Red 40th Anniversary Corvette
  • 2001 Mallett Hammer Z06 Corvette
  • 2009 White 1.5 Millionth Corvette

Structural engineers are being called in to survey the damage.

The museum is open to the public, but officials said the Skydome is closed to everyone, including employees, until it is deemed structurally sound.



Via: whas11

Study shows those responsible for security face mounting pressures

Trustwave report shows year-over-year increase of pressures on InfoSec leaders.

According to a recent study, security-related pressures in IT have climbed steadily year-over-year, as security professionals face the constant strain that comes with defending their organization’s network and data from an assortment of threats from all sides.

The data comes from Trustwave’s 2014 Security Pressures report, which was provided to CSO Online exclusively ahead of its publication next week. In an attempt to understand the variety of pressures that those working in InfoSec face, Trustwave spoke to 833 security decision makers about the topic, including CIOs, CISOs, and IT Directors / Managers in the U.S., the U.K., Canada, and Germany.

Depending on where the respondent lived, the level of pressure experienced varied. In the U.S., 65 percent of the respondents said they expect to feel more strain this year, compared to the 43 percent in Germany who expected to feel an increase in stress.

Yet, when the data from 2013 is included, professionals in both locations reported a year-over-year increase in perceived pressures, and Germany had the largest gain — jumping from 33 percent in 2013 to 43 percent in 2014. In comparison, the U.S. had a three percent increase, the U.K. showed a four percent increase, and Canada reported a seven percent bump.

CSO Online spoke to Trustwave’s Leo Cole, the General Manager of Security Solutions, and Chris Pogue, Director of Incident Response and Forensics about the study. One of the first questions asked of them addressed the source of the respondent’s stress.

Last year, the media was flooded with reports of data breaches, new attack vectors, and threats of various types. Recently, 2014 kicked off with the news of a security incident at Target that impacted some 70 million customers. So is the increase in pressure reported by the study’s respondents based on the uptick in security-related news coverage, or is it something else?

“When we speak to CIOs, CISOs, IT Managers/Directors, we almost always hear that their Board of Directors has asked them what they are doing to protect the company’s valuable information. When the Board asks questions, there is more pressure. However, security has been a board-level issue for some time,” Cole explained.

Today, the difference is in the type of questions being asked by the board. It used to be a matter of answering the question, “what are we doing to prevent data loss?” Now, the question is focused on the fact that data breaches and other security incidents keep happening despite the purchase of products and solutions that are supposed to prevent them. So the question of “what are we doing?” has become “why does this keep happening?” and “what are we doing to make sure we don’t get breached next?”

“The Board is taking the questions to a whole new level and creating a more sophisticated conversation surrounding security. As a result, the in-house CIO feels more pressure because not only does he have to say, ‘I bought this security technology,’ but also ‘I bought this security technology and it will work,’” Cole added.

Asked the same question, Pogue felt the pressures were a mix of things, from news coverage, to the expanding scale of breaches, and a seemingly endless wave of attacks on all levels, from all sides.

“Security is like car insurance. People buy it hoping they will never have to use it,” he said.

“What do they get in return for their money? Help with protecting their valuable data from getting into the wrong hands. In light of the recent media coverage of data breaches, the ‘what if’ scenario is getting more attention. Now, it’s no longer ‘what if I get hacked,’ it’s ‘what if I’m next?’ It’s now more real. The threat hasn’t changed. The attackers haven’t changed. What has changed is the public perception and the subsequent fear brought on by possibly being the next big breach.”

When it comes to the types of threats and risks that generate the most pressure, the respondents in the U.S. (68 percent) and Canada (63 percent) said targeted malware, while the U.K. (64 percent) and Germany (60 percent) singled out phishing and social engineering. That isn’t to say that targeted malware isn’t a concern for them, as it ranked a close second in the U.K. and was listed as third in Germany.

Either way, the answers are interesting. In this case, targeted malware includes attacks that profile the victim and use multiple methods in order to get access to data that’s to be compromised. However, only 49 percent of the respondents in the U.S. listed viruses and worms as a threat that generates the most pressure, along with 36 percent in Canada.

In fact, Germany and the U.K. didn’t view them as problematic either. Moreover, none of the respondents ranked zero-day vulnerabilities as a top concern, despite the fact that targeted malware will often leverage all three of these attack surfaces during a given incident, as criminals will do whatever they can in order to assure success.

When it comes to an incident’s aftermath, customer data theft tops the list of worries, with 58 percent of the respondents picking this concern over IP theft, reputation damage, or fines and legal action. However, despite current events, and the growing attention given to security incidents over the last few years, five percent of the respondents felt that their organization was completely safe from security incidents, and thus had no concerns.

“Oftentimes, we speak to business leaders who simply don’t think they are a target. They don’t realize the wealth of information they have and how valuable that information is to a criminal,” Cole explained, when asked for an opinion on the five percent, and how such a belief could exist these days.

“Or, quite simply, they think they have nothing worth taking (which most likely isn’t true). However, even if that is the case, where the attackers target a business that may not have data they can profit from, they can still use that business as a pivot point into other organizations,” Pogue added.

Still, 58 percent of the respondents overall cited customer data loss as the top pressure point during an incident’s aftermath, but is this just a byproduct of risk assessment? Does data loss trump fines and legal action because such a loss means perpetual damage to the business and its customers, versus a fine, which is often a one-off type of hit?

“It’s all risk assessment. How much protection is enough? One breach could lead to losing the integrity of your business, whether it’s losing customers, intellectual property, customers’ trust and/or a financial loss. Small and mid-size businesses would suffer the most from this loss. They cannot afford to lose customers and still stay in business,” Cole said.

The topic of how much is enough was also referenced in the pressures related to features vs. resources. A majority of respondents said they feel pressure to select the latest security technologies, but at the same time, they also lack the proper resources to use them.

In addition, there’s a good deal of pressure to use cloud-based technologies and mobile applications, but those were also the top two items listed when it came to security risks from emerging technologies. Staffing was another pain point, with nearly half the respondents reporting that if they had twice the staffing levels currently available, they’d be able to lower the stress levels and improve job effectiveness.

The report also covered internal stress, specifically those who reported being pressured to roll out IT projects despite security concerns. When asked, 79 percent of the respondents said that they’ve had to launch an IT project despite security concerns at least once or twice, or worse, they’re frequently pressured to do so.

“It’s logical business,” Cole said, when asked why something would be pushed with valid security concerns.

“Business leaders have to find new ways to market their products and those are at the forefront of their business decisions, not security. We often see companies launch websites that are not secure because they are solely focusing on selling their products.”

Adding to that, Pogue remarked, “Security still too often plays second fiddle to meeting a deadline. We used to have a saying in the Army: ‘you can have it fast, or you can have it right…you can’t have both.’ Fast seems to be the soup-de-jour.”

When asked for an opinion on the project rollout stat, Kim Jones, the CSO for Vantiv, a payment processing firm in Arizona, said that security risk should not stop or slow projects all the time, and in fact there are times when the risk calculus (risk vs. return) shows that the benefits outweigh the risk. However, he also suspects that security would win those battles more than 21 percent of the time.

“My input to a project is one of many drivers for a project’s success or failure. It is my responsibility to ensure that I (a) am properly injected into the project process at proper points in the process; (b) properly identify and where possible quantify the risks; (c) raise the risks to the appropriate levels within the organization; and (d) where risk isn’t mitigated, ensure that the risks are properly and formally accepted at the appropriate levels within the organization,” Jones said in an email to CSO Online.

In addition, Jones said it’s likely that many security organizations are not looped into the IT project cycle at appropriate points, or do not have the type of risk identification and acceptance process that he describes.

In those organizations, security tends to be in catch-up mode. Often they’re brought in at the eleventh hour to rubber stamp the project, and if they find something wrong the remediation timeframe would force the project to blow its deadline. Or worse, Jones added, without the risk acceptance process, the organization is hard pressed to find someone willing to sign off on accepting the risk.

“The pressure becomes that of delivering the project rapidly, on time, and not slowing down the effort to inject the security afterthought. Combine that with an inadequate risk acceptance process and you begin to see why many of my brethren either change jobs rapidly or choose to leave the profession.”

So what can be done to help? What would lower the perceived pressures, and ease the stress for those who took part in Trustwave’s study?

Asked to provide a wish list for 2014, the respondents said that bigger budgets, followed by more IT security skills and more time to focus on security, would be their top three requests. After that, they listed less complexity in technology, fewer requests from business line managers, and additional staffing.


Via: csoonline

Half of Companies Will Require BYOD By 2017, Gartner Says

But most IT executives surveyed believe they haven’t yet made a strong business case for BYOD.

About half of the world’s companies will enact BYOD (bring your own device) programs by 2017 and will no longer provide computing devices to employees, a new Gartner report predicts.

Ultimately, only 15 percent of companies will never move to a BYOD model, while 40 percent will offer a choice between BYOD and employer-provided devices, according to the report by Gartner analyst David Willis, which was announced Wednesday.

While mobile computing helps make on-the-go workers more productive, the average cost of more than US$600 per employee per year for company-provided devices has been difficult for many to shoulder, Willis wrote. This along with other factors, such as increased employee satisfaction, has helped drive the BYOD movement, he added.

So far, BYOD adoption is most common in companies with between $500 million and $5 billion in revenue, but there are significant differences according to geography, said Gartner. The U.S. adoption rate is double that of Europe, but the highest rate is in India, China and Brazil, according to the report.

Still, while most IT executives surveyed by Gartner think well of BYOD, only 22 percent “believe they have made a strong business case,” according to the report.

Mobility projects “are often exploratory and may not have a clearly defined and quantifiable goal,” the report adds. “While there are many mobile applications with a provable return on investment, stumbling onto a breakthrough does not seem like the right strategy.”

Meanwhile, although BYOD programs allow employees to use their preferred device, that doesn’t mean their employers don’t incur any costs.

“Workers with an essential need to use a mobile device in their business expect to be compensated for its use, just as companies typically reimburse for the incremental cost of mileage and travel expenses,” Willis wrote.

However, there are currently no standard practices for BYOD reimbursement, according to the report. Only about half of today’s BYOD programs provide some reimbursement, usually for the service plan associated with an employee’s device, and just 2 percent cover all costs, the report states.

Still, “no mobile worker is free,” Willis wrote. “More employees and more devices mean more security and management tool costs, more application licenses, more potential problems for an overtaxed help desk to deal with, and more confusion.”

Costs associated with that overhead “can easily exceed $100 per worker per year today,” he added. That figure will hit $300 by 2016, “largely due to license fees for mobile apps.”


Via: cio

US suspect possibly targeted for drone attack

A U.S. citizen and suspected al-Qaida facilitator has the Defense Department divided over whether he’s dangerous enough to be killed in a drone strike.

An American citizen who is a member of al-Qaida is actively planning attacks against Americans overseas, U.S. officials say, and the Obama administration is wrestling with whether to kill him with a drone strike and how to do so legally under its new stricter targeting policy issued last year.

The CIA drones watching him cannot strike because he’s a U.S. citizen and the Justice Department must build a case against him, a task it hasn’t completed.

Four U.S. officials said the American suspected terrorist is in a country that refuses U.S. military action on its soil and that has proved unable to go after him. And President Barack Obama’s new policy says American suspected terrorists overseas can only be killed by the military, not the CIA, creating a policy conundrum for the White House.

Two of the officials described the man as an al-Qaida facilitator who has been directly responsible for deadly attacks against U.S. citizens overseas and who continues to plan attacks against them that would use improvised explosive devices.

But one U.S. official said the Defense Department was divided over whether the man is dangerous enough to merit the potential domestic fallout of killing an American without charging him with a crime or trying him, and the potential international fallout of such an operation in a country that has been resistant to U.S. action.

Another of the U.S. officials said the Pentagon did ultimately decide to recommend lethal action.

The officials said the suspected terrorist is well-guarded and in a fairly remote location, so any unilateral attempt by U.S. troops to capture him would be risky and even more politically explosive than a U.S. missile strike.

Under new guidelines Obama addressed in a speech last year to calm anger overseas at the extent of the U.S. drone campaign, lethal force must only be used “to prevent or stop attacks against U.S. persons, and even then, only when capture is not feasible and no other reasonable alternatives exist to address the threat effectively.” The target must also pose “a continuing, imminent threat to U.S. persons” — the legal definition of catching someone in the act of plotting a lethal attack.

The Associated Press has agreed to the government’s request to withhold the name of the country where the suspected terrorist is believed to be because officials said publishing it could interrupt ongoing counterterror operations.

The officials spoke on condition of anonymity because they were not authorized to discuss the classified drone targeting program publicly.

House Intelligence committee chairman Mike Rogers, R-Mich., complained last week that a number of terrorist suspects were all but out of reach under the administration’s new rules that limit drone strikes based on the target’s nationality or location. Two of the U.S. officials said the Justice Department review of the American suspected terrorist started last fall.

The senior administration official confirmed that the Justice Department was working to build a case for the president to review and decide the man’s fate. The official said, however, the legal procedure being followed is the same as when the U.S. killed militant cleric and former Virginia resident Anwar al-Awlaki by drone in Yemen in 2011, long before the new targeted killing policy took effect.

The official said the president could make an exception to his policy and authorize the CIA to strike on a onetime basis or authorize the Pentagon to act despite the possible objections of the country in question.

The Justice Department, the Pentagon and the CIA declined to comment.

If the target is an American citizen, the Justice Department is required to show that killing the person through military action is “legal and constitutional” — in this case, that the Pentagon can take action against the American, as the administration has ruled him an enemy combatant under the Authorization for Use of Military Force, a resolution Congress passed a week after the 9/11 attacks to target al-Qaida.

Mary Ellen O’Connell, a professor of international law at the University of Notre Dame, said there is a school of thought that the Obama administration’s drone policy is “lawless.”

“Why should the Justice Department issue the execution warrant for anyone abroad? The fact that they give extra scrutiny only because he’s an American exacerbates this negative impression,” O’Connell said.

U.S. drones have killed four Americans since 2009, including al-Awlaki, who the administration said was actively plotting to kill U.S. citizens.

Attorney General Eric Holder said the three other Americans were killed by drones, but were not targeted. The three are Samir Khan, who was killed in the same drone strike as al-Awlaki; al-Awlaki’s 16-year-old son, Abdulrahman, a native of Denver who was killed in Yemen two weeks later; and Jude Kenan Mohammed, who was killed in a drone strike in Pakistan.

The case has galvanized congressional opponents of Obama’s plan to transfer drones from the CIA to the Defense Department. Before the plan was announced, either CIA or Pentagon drones could go after terrorist targets, even if they were U.S. citizens. The CIA could also fly drones in areas where host countries might object. But by law, the Pentagon can only strike in war zones, in countries that agree to U.S. counterterrorism action or in lawless areas like parts of Somalia where that government’s security forces cannot reach. Even then only al-Qaida-linked suspects can be targeted.

“It is very clear that there have been missed opportunities that I believe increase the risk of the lives of our soldiers and for disrupting operations underway,” Rogers said last week.

U.S. officials said both Senate and House appropriators have blocked funding to transfer the CIA’s stealth RQ-170 drone fleet to the Pentagon. Some lawmakers want the White House to come up with a fix for targeting suspects in areas where the Pentagon is banned from operating — either by leaving some part of the CIA operation running or by granting the Pentagon authority to strike covertly despite the location — meaning they could legally deny the operation.

Lawmakers like Senate Intelligence Committee Chairwoman Dianne Feinstein, D-Calif., have also objected to the shift to the Pentagon, arguing that the CIA has more experience flying drones.


Via: msn

Comcast servers compromised by same attackers as Bell Canada

Hacker group NullCrew claims to have broken into Comcast’s servers today, exploiting a vulnerability reported in December 2013, but not patched.

Over the weekend of 01 February 2014 the hacker group also claimed credit (?) for performing a SQL injection attack against telecom provider Bell Canada.

They were able to access account login and password details for more than 22,000 small business customers of Bell’s internet service.

The attackers allegedly contacted Bell customer support two weeks before the disclosure. The problem? Bell’s support staff seemingly didn’t know how to report the security incident upstream.

The customer service representative clearly didn’t understand the gravity, nor did they escalate to someone who did.

You need to be sure that your staff knows how to report an alleged security incident to the appropriate staff so it can be investigated and handled properly.

From what we can tell the same thing happened when NullCrew hacked Comcast.

It appears that Comcast, the largest internet service provider in the United States, uses Zimbra as an internal communications platform.

NullCrew exploited an unpatched security vulnerability, CVE-2013-7091, to gain access to usernames, passwords and other sensitive details from Comcast’s environment.

They posted the purloined data on pastebin and taunted the company on Twitter.

Sometimes it appears there is nothing we can do to protect ourselves, but in this case I think there is a valuable lesson.

The vulnerability exploited by the attackers was disclosed and fixed in December 2013. While that isn’t forever ago, it is enough time that it could have been remedied.

None of us can assume that criminals will need time, let alone 60 days, to work out that they can take advantage of flaws in our programs.

We may have had the luxury of waiting 30 or even 120 days in the past, but today we must maintain an accurate and up-to-date inventory of all software that is deployed and patch it immediately.


Via: nakedsecurity

Dropbox Alternative HubiC Now Offers 10TB For $13.50 Per Month

French hosting company OVH just updated its product offering for its Dropbox-like service called HubiC. Now, you get 25GB of storage for free, 100GB for $1.35 per month (€1), and you can opt for a whopping 10TB plan for $13.50 per month (€10).

Launched two years ago, HubiC has slowly but surely evolved into a full-fledged Dropbox alternative. It now provides a sync client on the desktop, mobile apps and an API. But it lacks mainstream appeal.

HubiC remains a newcomer, and when it comes to file hosting services nowadays, every big company has one. Microsoft has SkyDrive, Google has Google Drive, etc.

Dropbox has a powerful lock-in effect as well. Your files and photos are already on the service, you may have shared folders with other Dropbox users, and many apps now use the Dropbox API.

To differentiate itself, HubiC bets on its prices. Unlike Dropbox, the company doesn’t rely on Amazon S3; it has its own server infrastructure and multiple data centers — the service probably has lower operating costs.

TechCrunch Disrupt finalist Bitcasa is another service that tried to attract users by promising big accounts. For $9.99 a month, you were supposed to get infinite storage. But in November, the company had to change its plans. For $10 a month, you now get 1TB of storage, and the unlimited plan now costs $99 per month.

It’s not clear whether HubiC will be able to maintain the 10TB plan in the long run, but you can cancel any time. And maybe the NSA doesn’t know about HubiC yet.


Via: techcrunch

Iron Mountain fire in Buenos Aires kills 9, destroys corporate records

The company has had a half dozen fires in facilities over the past 17 years.

Nine first responders were killed and seven others injured when a fire swept through Iron Mountain’s business archive facility in Buenos Aires yesterday. The firefighters were killed or injured when a wall collapsed during the blaze.

According to an Associated Press report, investigators are looking into why a fire-prevention system failed to suppress the fire. The Buenos Aires facility was equipped with fire-detection and sprinkler systems, according to a statement by Iron Mountain.

The facility only held paper records, unlike many of the company’s other archives, which store digital records in data centers, according to Iron Mountain spokesman Christian Potts. “We don’t yet know the cause of the fire in Argentina,” Potts said.

The fire yesterday is not a first for the company, which operates archives in 30 countries for storing digital and paper documents, film and other artifacts for both businesses and governments.

Over the past couple of decades, Iron Mountain archive facilities have experienced several fires that destroyed or damaged facilities.

In 1997, Iron Mountain’s document warehouse in New Jersey was damaged by fire. In 2006, the company’s London warehouse was totally destroyed by fire. According to an Iron Mountain spokesman, the cause of the fire was never discovered. However the London Fire Brigade blamed arson.

Also in 2006, a fire damaged part of Iron Mountain’s Ottawa, Canada storage facility. And, in 2011, Iron Mountain’s document warehouse in Aprilia, Italy suffered a fire.

Iron Mountain’s facilities are equipped with extensive fire warning and suppression systems. Its largest archive facility in Butler County, Pa. even has its own fire department, complete with full-sized fire trucks. That facility is located 22 stories underground in an abandoned limestone mine.

“This is a tragic event, and we are deeply saddened by the deaths of the brave first responders who rushed to save our facility,” Iron Mountain said in a statement. “Our thoughts are also with those who have been hospitalized, and we wish them a quick and complete recovery.”

Iron Mountain said all of its employees “are safe and accounted for.”

The company is working with local police and fire investigators to determine the cause of the massive blaze. The building had both fire-detection equipment and a sprinkler system.

“We recognize our customers will have concerns and questions, and we are in the process of contacting those who have been affected,” the company said.


Via: computerworld

Adobe releases unscheduled Flash update to patch critical zero-day threat

Attack code for integer underflow bug is already circulating in the wild.

Adobe has released an unscheduled update for its ubiquitous Flash media player to patch a critical vulnerability that may already be under active exploit in the wild.

The security flaw exists in Adobe Flash Player and earlier versions for Windows and OS X and and earlier versions for Linux, according to an advisory published Tuesday morning. The vulnerability stems from an integer underflow bug in the underlying code that could be exploited to execute arbitrary code on the affected system. Because attackers can typically trigger such vulnerabilities surreptitiously after luring victims to websites hosting attacks, Adobe rated the threat as “critical,” the company’s highest severity category.

“Adobe is aware of reports that an exploit for this vulnerability exists in the wild and recommends users update their product installations to the latest versions,” the Adobe advisory stated. It went on to thank Alexander Polyakov and Anton Ivanov of antivirus provider Kaspersky Labs for reporting the vulnerability, which was listed as CVE-2014-0497 under the standardized common vulnerabilities and exposure disclosure system.

An Adobe spokeswoman had no further details about the in-the-wild exploit mentioned in the advisory. Frequently, such zero-day attacks are waged in highly targeted campaigns against specific individuals in a corporation or government agency. Given the risk of complete system takeover, however, all readers are advised to update their systems as soon as possible, regardless of their risk profile or the operating system they use. Updates are available here.



Via: arstechnica

Making Virtual Teams Work: Ten Basic Principles

Consider this now familiar view from the field:

“I’ve run a virtual team for the past 18 months in the development and launch of [a website.] I am located in Toronto, Canada. The website was designed in Zagreb, Croatia. The software was developed in St. John’s, Newfoundland; Zagreb, Croatia; Delhi, India; and Los Angeles, USA. Most of the communication was via email with periodic discussions via Skype. I had one face-to-face meeting with the team lead for the technology development this past December.”

Could this be you? Virtual teams have become a fact of business life, so what does it take to make them work effectively? On June 10, 2013, there was a discussion around this question on LinkedIn. The result was an outpouring of experience and advice for making virtual teams work. (I define “virtual teams” as work groups which (1) have some core members who interact primarily through electronic means, and (2) are engaged in interdependent tasks — i.e. are truly teams and not just groups of independent workers). I distilled the results and combined them with my own work, which focuses on how new leaders should assess and align their teams in their first 90 days. Because that’s really when it’s most important to lay the foundation for superior performance in teams — virtual or otherwise. Here are ten basic principles for making this happen:

1. Get the team together physically early on. It may seem paradoxical to say in a post on virtual teams, but face-to-face communication is still better than virtual when it comes to building relationships and fostering trust, an essential foundation for effective team work. If you can’t do it, it’s not the end of the world (focus on doing some virtual team building). But if you can get the team together, use the time to help team members get to know each other better, personally and professionally, as well as to create a shared vision and a set of guiding principles for how the team will work. Schedule the in-person meeting early on, and reconnect regularly (semi-annually or annually) if possible.

2. Clarify tasks and processes, not just goals and roles. All new leaders need to align their team on goals, roles and responsibilities in the first 90 days. With virtual teams, however, coordination is inherently more of a challenge because people are not co-located. So it’s important to focus more attention on the details of task design and the processes that will be used to complete them. Simplify the work to the greatest extent possible, ideally so tasks are assigned to sub-groups of two or three team members. And make sure that there is clarity about work process, with specifics about who does what and when. Then periodically do “after-action reviews” to evaluate how things are going and identify process adjustments and training needs.

3. Commit to a communication charter. Communication on virtual teams is often less frequent, and always is less rich than face-to-face interaction, which provides more contextual cues and information about emotional states — such as engagement or lack thereof. The only way to avoid the pitfalls is to be extremely clear and disciplined about how the team will communicate. Create a charter that establishes norms of behavior when participating in virtual meetings, such as limiting background noise and side conversations, talking clearly and at a reasonable pace, listening attentively and not dominating the conversation, and so on. The charter also should include guidelines on which communication modes to use in which circumstances, for example when to reply via email versus picking up the phone versus taking the time to create and share a document.

4. Leverage the best communication technologies. Developments in collaborative technologies — ranging from shared workspaces to multi-point video conferencing — unquestionably are making virtual teaming easier. However, selecting the “best” technologies does not necessarily mean going with the newest or most feature-laden. It’s essential not to sacrifice reliability in a quest to be on the cutting edge. If the team has to struggle to get connected or wastes time making elements of the collaboration suite work, it undermines the whole endeavor. So err on the side of robustness. Also be willing to sacrifice some features in the name of having everyone on the same systems. Otherwise, you risk creating second-class team members and undermining effectiveness.

5. Build a team with rhythm. When some or all the members of a team are working separately, it’s all-too-easy to get disconnected from the normal rhythms of work life. One antidote is to be disciplined in creating and enforcing rhythms in virtual team work. This means, for example, having regular meetings, ideally on the same day and at the same time each week. It also means establishing and sharing meeting agendas in advance, having clear agreements on communication protocols, and starting and finishing on time. If you have team members working in different time zones, don’t place all the time-zone burden on some team members; rather, establish a regular rotation of meeting times to spread the load equitably.

6. Agree on a shared language. Virtual teams often also are cross-cultural teams, and this magnifies the communication challenges — especially when members think they are speaking the same language, but actually are not. The playwright George Bernard Shaw famously described Americans and the British as “two nations divided by a common language.” His quip captures the challenge of sustaining shared understanding across cultures. When the domain of team work is technical, then the languages of science and engineering often provide a solid foundation for effective communication. However, when teams work on tasks involving more ambiguity, for example generating ideas or solving problems, the potential for divergent interpretations is a real danger (see for example this Anglo-Dutch translation guide). Take the time to explicitly negotiate agreement on shared interpretations of important words and phrases, for example, when we say “yes,” we mean… and when we say “no” we mean…and post this in the shared workspace.

7. Create a “virtual water cooler.” The image of co-workers gathering around a water cooler is a metaphor for informal interactions that share information and reinforce social bonds. Absent explicit efforts to create a “virtual water cooler,” team meetings tend to become very task-focused; this means important information may not be shared and team cohesion may weaken. One simple way to avoid this: start each meeting with a check-in, having each member take a couple of minutes to discuss what they are doing, what’s going well and what’s challenging. Regular virtual team-building exercises are another way to inject a bit more fun into the proceedings. Also enterprise collaboration platforms increasingly are combining shared workspaces with social networking features that can help team members to feel more connected.

8. Clarify and track commitments. In a classic HBR article “Management Time, Who’s got the Monkey?” William Oncken and Donald L. Wass use the who-has-the-monkey-on-their-back metaphor to exhort leaders to push accountability down to their teams. When teams work remotely, however, it’s inherently more difficult to do this, because there is no easy way to observe engagement and productivity. As above, this can be partly addressed by carefully designing tasks and having regular status meetings. Beyond that, it helps to be explicit in getting team members to commit to defining intermediate milestones and tracking their progress. One useful tool: a “deliverables dashboard” that is visible to all team members on whatever collaborative hub they are using. If you create this, though, take care not to end up practicing virtual micro-management. There is a fine line between appropriate tracking of commitments and overbearing (and demotivating) oversight.

9. Foster shared leadership. Defining deliverables and tracking commitments provides “push” to keep team members focused and productive; shared leadership provides crucial “pull.” Find ways to involve others in leading the team. Examples include: assigning responsibility for special projects, such as identifying and sharing best practices; or getting members to coach others in their areas of expertise; or assigning them as mentors to help on-board new team members; or asking them to run a virtual team-building exercise. By sharing leadership, you will not only increase engagement, but will also take some of the burden off your shoulders.

10. Don’t forget the 1:1s. Leaders’ one-to-one performance management and coaching interactions with their team members are a fundamental part of making any team work. Make these interactions a regular part of the virtual team rhythm, using them not only to check status and provide feedback, but to keep members connected to the vision and to highlight their part of “the story” of what you are doing together.

Finally, if you are inheriting a team, take the time to understand how your predecessor led it. It’s essential that newly appointed leaders do this, whether their teams are virtual or not. Because, as Confucius put it, you must “study the past if you would define the future.” It’s even more important to do this homework when you inherit a virtual team, because the structures and processes used to manage communication and coordinate work have such an inordinate impact on team performance. You can use these ten principles as a checklist for diagnosing how the previous leader ran the team, and help identify and prioritize what you need to do in the first 90 days.


Via: hbr

11 sure signs you’ve been hacked

In today’s threatscape, antivirus software provides little peace of mind. In fact, antimalware scanners on the whole are horrifically inaccurate, especially with exploits less than 24 hours old. After all, malicious hackers and malware can change their tactics at will. Swap a few bytes around, and a previously recognized malware program becomes unrecognizable.

To combat this, many antimalware programs monitor program behaviors, often called heuristics, to catch previously unrecognized malware. Other programs use virtualized environments, system monitoring, network traffic detection, and all of the above at once in order to be more accurate. And still they fail us on a regular basis.

Here are 11 sure signs you’ve been hacked and what to do in the event of compromise. Note that in all cases, the No. 1 recommendation is to completely restore your system to a known good state before proceeding. In the early days, this meant formatting the computer and restoring all programs and data. Today, depending on your operating system, it might simply mean clicking on a Restore button. Either way, a compromised computer can never be fully trusted again. The recovery steps listed in each category below are the recommendations to follow if you don’t want to do a full restore — but again, a full restore is always a better option, risk-wise.

Sure sign of system compromise No. 1: Fake antivirus messages

In slight decline these days, fake antivirus warning messages are among the surest signs that your system has been compromised. What most people don’t realize is that by the time they see the fake antivirus warning, the damage has been done. Clicking No or Cancel to stop the fake virus scan is too little, too late. The malicious software has already made use of unpatched software, often the Java Runtime Environment or an Adobe product, to completely exploit your system.

Why does the malicious program bother with the “antivirus warning”? This is because the fake scan, which always finds tons of “viruses,” is a lure to buy their product. Clicking on the provided link sends you to a professional-looking website, complete with glowing letters of recommendation. There, they ask you for your credit card number and billing information. You’d be surprised how many people get tricked into providing personal financial information. The bad guys gain complete control of your system and get your credit card or banking information. For bad guys, it’s the Holy Grail of hacking.

What to do: As soon as you notice the fake antivirus warning message, power down your computer. (Note: This requires knowing what your legitimate antivirus program’s warning looks like.) If you need to save anything and can do it, do so. But the sooner you power off your computer, the better. Boot up the computer system in Safe Mode, No Networking, and try to uninstall the newly installed software (oftentimes it can be uninstalled like a regular program). Either way, follow up by trying to restore your system to a state previous to the exploitation. If successful, test the computer in regular mode and make sure that the fake antivirus warnings are gone. Then follow up with a complete antivirus scan. Oftentimes, the scanner will find other sneaky remnants left behind.

Sure sign of system compromise No. 2: Unwanted browser toolbars

This is probably the second most common sign of exploitation: Your browser has multiple new toolbars with names that seem to indicate the toolbar is supposed to help you. Unless you recognize the toolbar as coming from a very well-known vendor, it’s time to dump the bogus toolbar.

What to do: Most browsers allow you to review installed and active toolbars. Remove any you didn’t absolutely want to install. When in doubt, remove it. If the bogus toolbar isn’t listed there or you can’t easily remove it, see if your browser has an option to reset the browser back to its default settings. If this doesn’t work, follow the instructions listed above for fake antivirus messages. You can usually avoid malicious toolbars by making sure that all your software is fully patched and by being on the lookout for free software that installs these toolbars. Hint: Read the licensing agreement. Toolbar installs are often pointed out in the licensing agreements that most people don’t read.

Sure sign of system compromise No. 3: Redirected Internet searches

Many hackers make their living by redirecting your browser somewhere other than you want to go. The hacker gets paid by getting your clicks to appear on someone else’s website, often those who don’t know that the clicks to their site are from malicious redirection.

You can often spot this type of malware by typing a few related, very common words (for example, “puppy” or “goldfish”) into Internet search engines and checking to see whether the same websites appear in the results — almost always with no actual relevance to your terms. Unfortunately, many of today’s redirected Internet searches are well hidden from the user through use of additional proxies, so the bogus results are never returned to alert the user. In general, if you have bogus toolbar programs, you’re also being redirected. Technical users who really want to confirm can sniff their own browser or network traffic. The traffic sent and returned will always be distinctly different on a compromised computer vs. an uncompromised computer.

What to do: Follow the same instructions as above. Usually removing the bogus toolbars and programs is enough to get rid of malicious redirection.

Sure sign of system compromise No. 4: Frequent random popups

This popular sign that you’ve been hacked is also one of the more annoying ones. When you’re getting random browser pop-ups from websites that don’t normally generate them, your system has been compromised. I’m constantly amazed about which websites, legitimate and otherwise, can bypass your browser’s anti-pop-up mechanisms. It’s like battling email spam, but worse.

What to do: Not to sound like a broken record, but typically random pop-ups are generated by one of the three previous malicious mechanisms noted above. You’ll need to get rid of bogus toolbars and other programs if you even hope to get rid of the pop-ups.

Sure sign of system compromise No. 5: Your friends receive fake emails from your email account

This is the one scenario where you might be OK. It’s fairly common for our email friends to receive malicious emails from us. A decade ago, when email attachment viruses were all the rage, it was very common for malware programs to survey your email address book and send malicious emails to everyone in it.

These days it’s more common for malicious emails to be sent to some of your friends, but not everyone in your email address book. If it’s just a few friends and not everyone in your email list, then more than likely your computer hasn’t been compromised (at least with an email address-hunting malware program). These days malware programs and hackers often pull email addresses and contact lists from social media sites, but doing so means obtaining a very incomplete list of your contacts’ email addresses. Although not always the case, the bogus emails they send to your friends often don’t have your email address as the sender. It may have your name, but not your correct email address. If this is the case, then usually your computer is safe.

What to do: If one or more friends reports receiving bogus emails claiming to be from you, do your due diligence and run a complete antivirus scan on your computer, followed by looking for unwanted installed programs and toolbars. Often it’s nothing to worry about, but it can’t hurt to do a little health check when this happens.

Sure sign of system compromise No. 6: Your online passwords suddenly change

If one or more of your online passwords suddenly change, you’ve more than likely been hacked — or at least that online service has been hacked. In this particular scenario, usually what has happened is that the victim responded to an authentic-looking phish email that purported to be from the service that ends up with the changed password. The bad guy collects the logon information, logs on, changes the password (and other information to complicate recovery), and uses the service to steal money from the victim or the victim’s acquaintances (while pretending to be the victim).

What to do: If the scam is widespread and many acquaintances you know are being reached out to, immediately notify all your contacts about your compromised account. Do this to minimize the damage being done to others by your mistake. Second, contact the online service to report the compromised account. Most online services are used to this sort of maliciousness and can quickly get the account back under your control with a new password in a few minutes. Some services even have the whole process automated. A few services even have a “My friend’s been hacked!” button that lets your friends start the process. This is helpful, because your friends often know your account has been compromised before you do.

If the compromised logon information is used on other websites, immediately change those passwords. And be more careful next time. Websites rarely send emails asking you to provide your logon information. When in doubt, go to the website directly (don’t use the links sent to you in email) and see if the same information is being requested when you log on using the legitimate method. You can also call the service via their phone line or email them to report the received phish email or to confirm its validity. Lastly, consider using online services that provide two-factor authentication. It makes your account much harder to steal.

Sure sign of system compromise No. 7: Unexpected software installs

Unwanted and unexpected software installs are a big sign that your computer system has likely been hacked.

In the early days of malware, most programs were computer viruses, which work by modifying other legitimate programs. They did this to better hide themselves. For whatever reason, most malware programs these days are Trojans and worms, and they typically install themselves like legitimate programs. This may be because their creators are trying to walk a very thin line when the courts catch up to them. They can attempt to say something like, “But we are a legitimate software company.” Oftentimes the unwanted software is legally installed by other programs, so read your license agreements. Frequently, I’ll read license agreements that plainly state that they will be installing one or more other programs. Sometimes you can opt out of these other installed programs; other times you can’t.

What to do: There are many free programs that show you all your installed programs and let you selectively disable them. My favorite for Windows is Autoruns. It doesn’t show you every program installed but will tell you the ones that automatically start themselves when your PC is restarted. Most malware programs can be found here. The hard part is determining what is and what isn’t legitimate. When in doubt, disable the unrecognized program, reboot the PC, and reenable the program only if some needed functionality is no longer working.
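The autostart review described above can also be approximated from a PowerShell prompt. The script below is an added example, not part of the original article or of Autoruns: it reads the standard Windows Run/RunOnce registry keys and the Startup folders, which are only a subset of what Autoruns reports, and shows the Authenticode signature status of each target. The function names are illustrative, and a signature status is a triage hint, not proof that a program is legitimate.

```powershell
# Added example: list common autostart entries and the signature status of each target.
# Function names are hypothetical; locations are the standard Run keys and Startup folders.
$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-CommandTarget {
    # Extract the executable path from an autostart command line.
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine).Trim()
    if (-not $cmd) { return '' }
    if ($cmd -match '^"([^"]+)"') {
        $target = $Matches[1]                       # quoted path
    } elseif ($cmd -match '^(.+?\.(exe|com|dll|cmd|bat|vbs|js|ps1))(\s|$)') {
        $target = $Matches[1]                       # unquoted path, may contain spaces
    } else {
        $target = ($cmd -split '\s+')[0]
    }
    if ($target -notmatch '[\\/]') {
        # Bare name such as rundll32.exe: resolve it through PATH.
        $found = Get-Command $target -CommandType Application -ErrorAction SilentlyContinue |
                 Select-Object -First 1
        if ($found) { $target = $found.Path }
    }
    return $target
}

function Get-SignatureStatus {
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return 'FileNotFound'
    }
    return (Get-AuthenticodeSignature -LiteralPath $Path).Status.ToString()
}

function Get-AutostartEntry {
    foreach ($keyPath in $RunKeys) {
        if (-not (Test-Path -LiteralPath $keyPath)) { continue }
        $key = Get-Item -LiteralPath $keyPath
        foreach ($name in $key.GetValueNames()) {
            $command = [string]$key.GetValue($name)
            $target  = Get-CommandTarget $command
            [pscustomobject]@{
                Location  = $keyPath
                Name      = $name
                Target    = $target
                Signature = Get-SignatureStatus $target
            }
        }
    }
    # Per-user and all-users Startup folders; shortcuts are resolved to their targets.
    $shell = New-Object -ComObject WScript.Shell
    foreach ($folder in 'Startup', 'CommonStartup') {
        $dir = [Environment]::GetFolderPath($folder)
        if (-not $dir -or -not (Test-Path -LiteralPath $dir)) { continue }
        foreach ($file in Get-ChildItem -LiteralPath $dir -File) {
            $target = $file.FullName
            if ($file.Extension -eq '.lnk') {
                $target = $shell.CreateShortcut($file.FullName).TargetPath
            }
            [pscustomobject]@{
                Location  = $dir
                Name      = $file.Name
                Target    = $target
                Signature = Get-SignatureStatus $target
            }
        }
    }
}

Get-AutostartEntry | Sort-Object Signature, Location |
    Format-Table Name, Signature, Target, Location -AutoSize -Wrap
```

Entries whose status is anything other than `Valid` are the ones to research first; the script only reads and changes nothing.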

Sure sign of system compromise No. 8: Your mouse moves between programs and makes correct selections

If your mouse pointer moves itself while making selections that work, you’ve definitely been hacked. Mouse pointers often move randomly, usually due to hardware problems. But if the movements involve making the correct choices to run particular programs, malicious humans are somewhere involved.

This attack is not as common as some of the others, but many hackers will break into a computer, wait for it to be idle for a long time (like after midnight), then try to steal your money. Hackers will break into bank accounts and transfer money, trade your stocks, and do all sorts of rogue actions, all designed to lighten your cash load.

What to do: If your computer “comes alive” one night, take a minute before turning it off to determine what the intruders are interested in. Don’t let them rob you, but it will be useful to see what things they are looking at and trying to compromise. If you have a cellphone handy, take a few pictures to document their tasks. When it makes sense, power off the computer. Unhook it from the network (or disable the wireless router) and call in the professionals. This is the one time that you’re going to need expert help.

Using another known good computer, immediately change all your other logon names and passwords. Check your bank account transaction histories, stock accounts, and so on. Consider paying for a credit-monitoring service. If you’ve been a victim of this attack, you have to take it seriously. Complete restore of the computer is the only option you should choose for recovery. But if you’ve lost any money, make sure to let the forensics team make a copy first. If you’ve suffered a loss, call law enforcement and file a case. You’ll need this information to best recover your real money losses, if any.

Sure sign of system compromise No. 9: Your antimalware software, Task Manager, or Registry Editor is disabled and can’t be restarted

This is a huge sign of malicious compromise. If you notice that your antimalware software is disabled and you didn’t do it, you’re probably exploited — especially if you try to start Task Manager or Registry Editor and they won’t start, start and disappear, or start in a reduced state. This is very common for malware to do.

What to do: You should really perform a complete restore because there is no telling what has happened. But if you want to try something less drastic first, research the many methods on how to restore the lost functionality (any Internet search engine will return lots of results), then restart your computer in Safe Mode and start the hard work. I say “hard work” because usually it isn’t easy or quick. Often, I have to try a handful of different methods to find one that works. Precede restoring your software by getting rid of the malware program, using the methods listed above.

Sure sign of system compromise No. 10: Your bank account is missing money

I mean lots of money. Online bad guys don’t usually steal a little money. They like to transfer everything or nearly everything, often to a foreign exchange or bank. Usually it begins by your computer being compromised or from you responding to a fake phish from your bank. In any case, the bad guys log on to your bank, change your contact information, and transfer large sums of money to themselves.

What to do: In most cases you are in luck because most financial institutions will replace the stolen funds (especially if they can stop the transaction before the damage is truly done). However, there have been many cases where the courts have ruled it was the customer’s responsibility to not be hacked, and it’s up to the financial institution to decide whether they will make restitution to you.

If you’re trying to prevent this from happening in the first place, turn on transaction alerts that send text alerts to you when something unusual is happening. Many financial institutions allow you to set thresholds on transaction amounts, and if the threshold is exceeded or it goes to a foreign country, you’ll be warned. Unfortunately, many times the bad guys reset the alerts or your contact information before they steal your money. So make sure your financial institution sends you alerts anytime your contact information or alerting choices are changed.

Sure sign of system compromise No. 11: You get calls from stores about nonpayment of shipped goods

In this case, hackers have compromised one of your accounts, made a purchase, and had it shipped to someplace other than your house. Oftentimes, the bad guys will order tons of merchandise at the same time, making each business entity think you have enough funds at the beginning, but as each transaction finally pushes through you end up with insufficient funds.

What to do: This is a bad one. First try to think of how your account was compromised. If it was one of the methods above, follow those recommendations. Either way, change all your logon names and passwords (not just the one related to the single compromised account), call law enforcement, get a case going, and start monitoring your credit. You’ll probably spend months trying to clear up all the bogus transactions committed in your name, but you should be able to undo most, if not all, of the damage.

Years ago you could be left with a negative credit history that would impact your life for a decade. These days, companies and the credit reporting agencies are more used to cyber crime, and they deal with it better. Still, be aggressive and make sure you follow every bit of advice given to you by law enforcement, the creditors, and the credit-rating agencies (there are three major ones).

Malware vector trifecta to avoid

The hope of an antimalware program that can perfectly detect malware and malicious hacking is pure folly. Keep an eye out for the common signs and symptoms of your computer being hacked as outlined above. And if you are risk-averse, as I am, always perform a complete computer restore in the event of a breach. Because once your computer has been compromised, the bad guys can do anything and hide anywhere. It’s best to just start from scratch.

Most malicious hacking originates from one of three vectors: unpatched software, running Trojan horse programs, and responding to fake phishing emails. Do better at preventing these three things, and you’ll be less likely to have to rely on your antimalware software’s accuracy — and luck.


Via: networkworld