Facebook Fails the Third Party Risk Test

Information security professionals often examine “third-party risk”. Simply put, associations with business partners and contractors can present outside risks to the data, financial, and/or physical security of an organization. The risk may be contractors with access to secure areas or sensitive business processes. The risk can be shared data in the temporary custody of a partner. The risk can be virtual access to a network or a facility without adequate audit.

Today I was informed by Facebook that my privacy could have been compromised because “friends” of mine used an application platform profiling app called “This is Your Digital Life”. I wish I could tell you more or show you the notification, but in typical arrogant Facebook fashion, the notification was a fly-by. It was presented on the screen of my smart mobile device. I put the phone in my pocket and headed to my office to compose this piece, but once the Facebook feed refreshed I can no longer find it. It is not on my notification list. So much for transparency. So much for ease of use. Now you see it, now you don’t.

So what does this mean? Well, in this case Facebook allowed a third party that I did not authorize to access my profile data. They allowed the third party because a second party (my Facebook friends) accessed an application that pulled the data. They allowed this even though I opted out of the Facebook application platform and therefore had a reasonable expectation of data privacy. Facebook fails. And my mom was right. You are impacted by the actions of your friends.

What is the answer? Take ’em down. Let’s see a class action lawsuit financially impact Facebook. There are enough of us in this potential class that have, by Facebook’s own admission, suffered harm. Congress is not likely to impose a satisfactory regulatory solution any time soon. So let’s take it to the courts and show companies that a willful direct and careless violation of our data privacy will be the most expensive mistake that their companies can make.

Wanna Cry Patches for XP

In case you still have an XP machine running somewhere that you just cannot upgrade right away, Microsoft has released a patch for the Wanna Cry vulnerability. This is the vulnerability that was exploited in recent days to hold up the United Kingdom’s National Health Service and many other organizations for ransom.

Although Microsoft stopped official support for Windows XP some time ago, the release of this patch for an unsupported product underscores the severity of the matter. The tool used is said to have come out of the United States National Security Agency.

Here is a link to the official Microsoft download. Patch away!

Tracking North Korean Numbers

My Aussie mate, Mark Fahey, has spent a number of years studying the Democratic People’s Republic of Korea. He passes on the following information about North Korean “spy numbers” stations:

“The Pyongyang numbers (designated V15) have either become less regular or changed their schedule since March. It’s been a few months since I have personally received them – but I also haven’t been specifically tuning in for them lately so maybe I have simply missed noticing a timing change.

“If you want to find the North Korean numbers, they are read out in a block between songs within the regular programming of the Pyongyang Pangsong radio station. The choice of music immediately before the number block seems to indicate which recipient agent the transmission is directed to. For Agent 27 “We Will Go Together with a Song Of Joy” is played, whereas Agent 21’s song is “Spring of my Hometown.”

“The announcements typically take between 5 to 10 minutes to read dependent on the number of digits passed. The transmission schedule is variable; in early 2017 the broadcast alternated with a cycle of one week on Thursday night at 12:45AM Pyongyang Time (1615 UTC) and the following week on Saturday night at 11:45PM Pyongyang Time (1515 UTC).

“Pyongyang Pangsong can be heard on these shortwave band frequencies (it is also on MF & FM on the Korean peninsula):

3250 kHz, Pyongyang, 100 kW transmitter
3320 kHz, Pyongyang, 50 kW transmitter
6400 kHz, Kanggye, 50 kW transmitter”

If you’re interested in learning about what life is like “Behind the Curtain”, Mark has compiled a detailed multimedia publication based upon his actual observations inside North Korea. It is available at no cost via iTunes.

Some document management advice for the White House

USA Today reports that in at least 5 instances, copies of Executive Orders published at whitehouse.gov do not match the official versions published in the Federal Register. This is a practical use case where the White House staff should invest in two IT staples — document management software and digital signature software.

Document management software allows for tracking the history of changes and approvals to content such as Executive Orders. Microsoft’s widely deployed SharePoint is just one solution that can be used for document management. Digital signatures are a feature of Public Key Infrastructure, and document signing certificates are widely available. Microsoft Word and LibreOffice both support document signing.
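To show what a digital signature buys you in this situation, here is an added example (mine, not anything from the White House, USA Today, or a vendor product). The issuing office signs the canonical text of the official version once; anyone holding the public key can then check whether a copy published elsewhere is byte-for-byte the same document. The order text, the “web copy” with a changed deadline, and the key pair are all constructed for the demo, and Ed25519 from Go’s standard library stands in for the certificate-based signing the page mentions; a real deployment would bind the public key to the signer with an X.509 document signing certificate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
)

// Constructed placeholder standing in for the Federal Register text of an order.
// The order number is deliberately a placeholder, not a real one.
const officialText = "Executive Order [placeholder number]\r\n" +
	"Section 1. Policy. Agencies shall review existing regulations within 60 days.  \r\n" +
	"Section 2. Reporting. Each agency head shall report to the Director.\r\n"

// The same text with formatting-only differences (LF line endings, no trailing spaces).
const reflowedOfficialText = "Executive Order [placeholder number]\n" +
	"Section 1. Policy. Agencies shall review existing regulations within 60 days.\n" +
	"Section 2. Reporting. Each agency head shall report to the Director."

// Constructed web copy whose wording drifted from the official text (60 days became 90).
const webCopyText = "Executive Order [placeholder number]\n" +
	"Section 1. Policy. Agencies shall review existing regulations within 90 days.\n" +
	"Section 2. Reporting. Each agency head shall report to the Director.\n"

// Canonicalize normalizes line endings and trailing whitespace so that a copy that
// was merely reflowed still verifies, while any change to the words does not.
func Canonicalize(doc string) []byte {
	lines := strings.Split(strings.ReplaceAll(doc, "\r\n", "\n"), "\n")
	for i, l := range lines {
		lines[i] = strings.TrimRight(l, " \t")
	}
	return []byte(strings.TrimSpace(strings.Join(lines, "\n")) + "\n")
}

// SignDocument is run once by the issuing office over the official text.
func SignDocument(priv ed25519.PrivateKey, doc string) []byte {
	return ed25519.Sign(priv, Canonicalize(doc))
}

// VerifyDocument is run by anyone holding the public key against a published copy.
func VerifyDocument(pub ed25519.PublicKey, doc string, sig []byte) bool {
	return ed25519.Verify(pub, Canonicalize(doc), sig)
}

// AuditCopies signs the official text with a freshly generated key (constructed for
// the demo) and reports, per named copy, whether that copy verifies against it.
func AuditCopies(official string, copies map[string]string) (map[string]bool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	sig := SignDocument(priv, official)
	results := make(map[string]bool, len(copies))
	for name, text := range copies {
		results[name] = VerifyDocument(pub, text, sig)
	}
	return results, nil
}

func main() {
	results, err := AuditCopies(officialText, map[string]string{
		"federal-register (reflowed)": reflowedOfficialText,
		"whitehouse.gov copy":          webCopyText,
	})
	if err != nil {
		panic(err)
	}
	for name, ok := range results {
		fmt.Printf("%-28s verified=%v\n", name, ok)
	}
}
```

The point of the canonicalization step is that signing raw bytes would make every reformatted copy look tampered with; normalizing whitespace first keeps the check focused on the wording, which is what the USA Today comparison is about. The private key never leaves the issuing office; only the public key and the signature travel with the document.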

Mr. President, your Chief Information Officer should be able to quickly help you manage this mess. If he cannot, please find one who can.

On the current unrest

The liberal-left media, it seems to me, fails to understand the motivation behind all of the on-the-street in-your-face unrest by progressives against the new Washington Republican regime. Yes, folks are angry about the policies, but that is not why they are taking to the streets in the cold of winter. I believe the unrest to be about hypocrisy, self-dealing, and ultimately, the bad behavior of Donald Trump.

Policy differences we can discuss. But would you raise your son to emulate Donald Trump? Would you leave your daughter alone with Donald Trump?

Donald Trump may already be on his way to impeachment. He has not been transparent in his finances. We do know that there is clearly a conflict of interest in his lease for his new DC hotel. We don’t know the extent of his dealings with foreign regimes. We know for sure that he thinks he can put a stack of folders on a table at a press conference to try to fool and impress us.

The right-wing-controlled Congress is willing to suspend long-standing rules to get their way. That is bad for the nation no matter who is in power. The Republicans have the nerve to demand speedy acquiescence in the approval of unqualified Cabinet Secretaries as they disregard our fresh memory of how they ignored a moderate and eminently qualified Supreme Court nominee for 10 months.

Their President has invited white supremacists into the seat of decision making. He cannot seem to be civil to friendly leaders of other nations. He has appointed Cabinet members who either have no experience in the function that they are supposed to manage or want to abolish that function. He is so insensitive to our friends that his appointee as Ambassador to the European Union is known to be an advocate for the dismantling of the EU and the Euro currency.

Trump is a nasty, insecure, narcissistic, lying, crooked shell of a leader. He does not care that the First Amendment precedes the Second Amendment in the interest of a free press. He can’t control his Tweets nor his outbursts. He shrugs off societal norms of behavior as an unnecessary impediment on his crusade to smother dissent. He is a loser and the nation loses.

Then, there are those false Christians who endorse this behavior because, they believe, Trump will make America great (again). I believe he will lead us straight to hell.

Progressives, however, know that this country is (and has been) great, despite its many flaws. And they want to make it better. They certainly don’t want this petulant child to destroy progress that we’ve made toward economic and racial equality. We are reminded every time he opens his ignorant mouth to attack the “media”, or to start a tweet war with a celebrity or foreign leader, that he and his ilk menace our nation.

That is why the fight has been taken to the street.

A Modern Manchurian Candidate?

Max Boot writes in the NY Times, “The fact that Mr. Trump seems to give greater credence to the Kremlin than to United States intelligence agencies is precisely what has set off so much speculation about his real motives in cozying up to Mr. Putin.”

The quote comes from his article covering the publication, by Buzzfeed, of unsubstantiated foreign intelligence about the next President of the United States, CNN’s reporting on the matter, and Mr. Trump’s reaction.

I think that Max has succinctly summarized a fundamental concern that Trump continues to raise with his Putin praise.

Grizzly Steppe

It should come as no surprise to anyone even slightly knowledgeable about information security that the human factor is the biggest risk to unwanted exposure of information. The most dangerous way that a human can put himself or his organization at risk is to read an email. It is way too easy to embed malicious content in an email that can get past the rudimentary security filters that are in place in many organizations and especially on personal devices.

Malicious content in an email can masquerade as a harmless web link. It may seem to be from your bank or from an email provider. It can direct you to a forged page and ask you to update some personal information or to enter a password. Are you sure that email is legitimate?

Malicious content can be easily embedded in a graphic or a PDF. Take a look at your spam folder. See any files with attachments? Subject lines like “Invoice” or “Purchase Order” from people you were not expecting or don’t even know signal trouble. Do not open those files! You may have been spearphished, targeted because of who you are or where you work.
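The three warning signs above (a link whose visible text and real destination disagree, a “bank” or “Invoice” lure from a sender you don’t know, and an attachment with a dangerous extension) are exactly the things a mail filter can check mechanically. The following is an added example of mine, not code from DHS or from any product, that runs those three checks over a constructed message using Go’s net/mail parser. The sender addresses, domains and the allowlist of known correspondents are all made up for the demo (note the reserved .test TLD); the attachment filename is scanned from the raw text because the demo does not walk MIME parts.

```go
package main

import (
	"fmt"
	"io"
	"net/mail"
	"net/url"
	"regexp"
	"strings"
)

// Constructed sample message for the demo (not a real phishing sample).
// The Content-Disposition line is where a MIME attachment part header would sit.
const sampleMessage = `From: "Example Bank Security" <alerts@examp1e-bank-login.test>
To: reader@example.test
Subject: Invoice 48213 - action required
Content-Type: text/html

<p>Your account is locked. Sign in here:
<a href="https://accounts.verify-login.test/session">https://www.example-bank.test/login</a></p>
Content-Disposition: attachment; filename="Invoice_48213.pdf.exe"
`

// Constructed benign message from a known correspondent, for contrast.
const benignMessage = `From: Colleague <colleague@example.test>
To: reader@example.test
Subject: Invoice for March
Content-Type: text/plain

Attached is the March invoice we discussed on the call.
`

// Finding is one triggered rule with a human-readable detail.
type Finding struct {
	Rule   string
	Detail string
}

// Subject words that commonly appear in lures; a constructed, deliberately short list.
var lureWords = []string{"invoice", "purchase order", "password", "verify", "suspended"}

// Constructed allowlist: addresses the reader actually corresponds with.
var knownSenders = map[string]bool{"colleague@example.test": true}

var anchorRe = regexp.MustCompile(`(?is)<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>`)
var filenameRe = regexp.MustCompile(`(?i)filename="?([^";\r\n]+)"?`)
var riskyExt = regexp.MustCompile(`(?i)\.(exe|scr|js|vbs|bat|cmd|hta|docm|xlsm|pptm|jar|lnk)$`)

// hostOf returns the lowercase hostname of a URL or URL-like string, "" if none.
func hostOf(s string) string {
	s = strings.TrimSpace(s)
	if s == "" {
		return ""
	}
	if !strings.Contains(s, "://") {
		s = "http://" + s
	}
	u, err := url.Parse(s)
	if err != nil {
		return ""
	}
	return strings.ToLower(u.Hostname())
}

// TriageMessage parses one RFC 5322 message and returns the rules it trips.
func TriageMessage(raw string) ([]Finding, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return nil, err
	}
	bodyBytes, err := io.ReadAll(msg.Body)
	if err != nil {
		return nil, err
	}
	body := string(bodyBytes)
	sender, err := mail.ParseAddress(msg.Header.Get("From"))
	if err != nil {
		return nil, err
	}
	var findings []Finding

	// Rule 1: lure wording in the subject from someone not on the allowlist.
	subject := strings.ToLower(msg.Header.Get("Subject"))
	if !knownSenders[strings.ToLower(sender.Address)] {
		for _, w := range lureWords {
			if strings.Contains(subject, w) {
				findings = append(findings, Finding{"lure-subject-unknown-sender",
					fmt.Sprintf("%q from %s", msg.Header.Get("Subject"), sender.Address)})
				break
			}
		}
	}

	// Rule 2: the link text shows one host but the href goes to another.
	for _, m := range anchorRe.FindAllStringSubmatch(body, -1) {
		hrefHost, textHost := hostOf(m[1]), hostOf(m[2])
		if textHost != "" && hrefHost != textHost {
			findings = append(findings, Finding{"link-text-mismatch",
				fmt.Sprintf("text shows %s, link goes to %s", textHost, hrefHost)})
		}
	}

	// Rule 3: an attachment name ending in an executable or macro-enabled extension.
	for _, m := range filenameRe.FindAllStringSubmatch(raw, -1) {
		if name := strings.TrimSpace(m[1]); riskyExt.MatchString(name) {
			findings = append(findings, Finding{"risky-attachment", name})
		}
	}
	return findings, nil
}

func main() {
	for _, raw := range []string{sampleMessage, benignMessage} {
		findings, err := TriageMessage(raw)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%d finding(s)\n", len(findings))
		for _, f := range findings {
			fmt.Printf("  %-28s %s\n", f.Rule, f.Detail)
		}
	}
}
```

Run as written, the constructed lure trips all three rules and the colleague’s invoice trips none, which is the distinction that matters: “Invoice” in a subject line is only a signal when you weren’t expecting one from that sender. The double extension on the attachment (.pdf.exe) is the classic trick that a file browser hiding known extensions turns into an innocent-looking PDF.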

So with all the talk about “Russian hacking”, this Department of Homeland Security release detailing what they believe to be an organized campaign against employees of critical infrastructure, academia, and business puts the talk in perspective.

It is probable that no vote tally was changed as a result of any “Russian hacking”, but to discount the real threat to American society of organized hacking campaigns by foreign governments is foolhardy.

The “Rigged” Presidential Debate System

The Republican and Democratic parties are part of a cartel that wants to prevent American citizens from being exposed to any candidate other than their own. They do this through a nonprofit corporation called the Commission on Presidential Debates (CPD). This “governance body” was created in the late 1980s after the League of Women Voters, formerly the sponsor of presidential debates, would not agree to limit participation to the two dominant political parties.

Are debates under these rules serving the interests of the American people or serving the interests of the CPD cartel? Any time the ruling class attempts to limit discourse to those subjects and participants that they have defined as representing their interests, it is YOUR interests that are likely being harmed.

Libertarian candidate Gary Johnson will be on the ballot in all 50 states of the union come November. He is polling at roughly 10% in nationwide opinion surveys. Clearly, the unpopular candidates of the two major parties have much to lose if Johnson is permitted to participate in the Presidential Debates. That’s why the Elephant and Jackass won’t let him play in their sandbox.

Attorney friends, could the RICO statutes be used against the CPD to force them to extend participation? It would be interesting to see a RICO-based class action civil suit filed on behalf of American voters as the injured class.

VOA Radiogram

Remember the Voice of America? It presented an American point of view to the world and helped the West to win the cold war in Europe. Well, VOA is still transmitting and is embracing modern technology to stay relevant.

Kim Andrew Elliott produces a weekly “VOA Radiogram”, which uses audio tones to send digital information that can penetrate jamming and get through adverse reception conditions. You don’t need anything too sophisticated to start playing with this technology, just a radio that can receive shortwave, a computer with a sound card input, a patch cord, and a free program called FLDIGI.

Much of the content is transmitted in MFSK32, which provides good results. Some transmissions include pictures as well as text. Some folks have even reported decoding content by holding their smartphone up to the radio speaker, although I have not tried this approach myself.

Give “VOA Radiogram” a listen this weekend. Here’s the schedule information:

Here is the lineup for VOA Radiogram, program 177, 20-21 August 2016, all in MFSK32 centered on 1500 Hz:

1:31 Program preview (now)
2:42 China launches hack-proof satellite*
8:32 Twitter closes terror-linked accounts*
13:59 Why is Washington’s subway system falling apart?*
26:40 Closing announcements
29:09 Flmsg surprise (with audio)

* with image

Please send reception reports to radiogram@voanews.com.

VOA Radiogram transmission schedule
(all days and times UTC):
Sat 0930-1000 5745 kHz
Sat 1600-1630 17580 kHz
Sun 0230-0300 5745 kHz
Sun 1930-2000 15670 kHz
All via the Edward R. Murrow transmitting station in North Carolina.