…it probably is.”

It’s an old, well-worn saying for sure, but it holds as true today as it did way back whenever the anonymous, cynical, amateur philosopher came up with it.

Recently in New Zealand, there have been an increase in phishing attempts trying to get people to open email attachments which then deploy malware onto the computer, and recruit your PC into a global network of compromised machines.

A few weeks ago, there were a number of emails arriving to various mailboxes I hold claiming to be from DHL or UPS and containing details of a package delivery, over the last few days – this threat has evolved to include messages purporting to be from Amazon and including details of a paid order.

The short version of this post is simply:  “Don’t open attachments from people you do not know” but we can also extend this advice to “Treat any attachments or links from people you think you may know with a healthy dose of caution”.

For those who are interested in a little more information:

The biggest risk around phishing attacks is they take advantage of our human nature of curiosity, implied trust of people (especially those we believe we know) and, dare we say it – greed. These ‘social hacks’ are useful in that it’s relatively simple to change the appearance of an email so it looks like it comes from a friend or colleague, or to obscure a link to make it appear that is comes from your bank, or favourite social networking site.

The very nature of how we as humans operate is once we recognise a name we believe we can trust, we instinctively lower our defences to being scammed and are often convinced to click that link, or open that email attachment. The best defence against such attempts is a healthy dose of scepticism, look closely at the link, does it look long and complicated, does it redirect through a web domain that you don’t recognise? Scan your email attachments – and if you are in any doubt, contact your friend/colleague to check on the validity, or visit the website directly rather than clicking on the link within the message – if it is your bank contacting you, you’ll still be able to access the information directly from the bank website, if it is a message from Facebook – you’ll also be able to get those updates direct from the site.

In terms of viruses and malware, we don’t have anything near the same level of protection that we may enjoy on a corporate network – it’s up to us whether we’re at work or home to make the right decisions when dealing with any communications which may expose us, our machines, our data to risk. Email, Instant Messenger links, Social Network links/messages/applications, the list goes on.

The best advice I can offer is:

• Keep your operating system and applications updated with the latest patches as they are released
• Invest in a good anti-virus/anti-malware program, keep it updated daily – and use it to perform regular full scans on your systems, as well as checking out those suspicious files
• Access websites from your browser rather than via emailed links
• Perform regular backups of your important files (don’t forget your digital photos & video)
• If you think you may have been compromised, scan your systems, change your passwords and seek help.

Above all, employ a healthy dose of skepticism when dealing with communications that you are not expecting, even when you believe you know the sender – and be careful out there…

Honestly, this is brilliant – while the clip itself has been mashed up to cover everything from Hitlers replacement motorbike to his choice in gaming consoles, this subtitling by Laurel Papworth (original article) has a bunch of agencies across the ditch resorting to ad-hominems – a classic sign of “oh-bollocks-what-do-we-do-now”.

Disclosure: I have met and spent time with Laurel during a workshop a few years back and was well impressed then, as I have continued to be as I’ve followed her commentary on all things social media. For those interested, I’d recommend following her posts, and subscribing to her podcasts.

Second to the stage was a ‘Reluctant Futurist’ namely Wendy McGuinness from Sustainable Future, an “independent think tank specialising in research and policy analysis.”
Wendy spoke on “The Danger of Now” which, in summary, was about ensuring you take into account whereabouts you (or your project/strategy) fits in the grander scheme of things. Some takeouts from the talk were as follows:
There are three types of futures:

• Probable
• Possible
• Preferred

When testing a scenario or future one should:

• Define: Parameters, Trends, Drivers, Assumptions
• Explore: Uncertainties (and rank them)
• Build: Scenario Worlds / Write Stories / Test
• Use: Consider Implications / Review / Communicate

I found the talk to be somewhat disjointed, yet filled with amazingly wordy slides with paragraphs of text which may have reinforced a point if they had have been on screen long enough to read. It was always going to be tough to follow the first (very engaging) speaker – however, with some practice, feedback and basic presentation learning under the belt, this could have been a lot better received – so I hope I am not seen as being too harsh in my summary.

---

For another summary of the talk, click here to see what Missing Link said.

As I alluded in my initial TEDx Redux, the inaugural Auckland event was awesome. In the next three posts I will briefly cover my perspectives on the presentations delivered at this, the first TEDx event in Auckland, New Zealand.

The first speaker was a fascinating guy called Michael Henderson [UPDATE: Looks like something 'weird' is happening with his domain,try here for his cached page in the interim] , a Corporate Anthropologist. As well as being unemployable (who want’s an Anthropologist anyway?), he is never bored – because people are so interesting to study. Some observations:

• Organisations are the modern tribes
• CEO – Interesting title
  • Chief – Head of the tribe
  • Executive – Head of Structure
  • Officer – Very Militaristic – Head of Strategy
• The difference between a cult and a culture is:
  • In a cult, the leader sees greatness in themselves
  • In a culture, the leader sees greatness in people
  • Silo mentality never occurs in a tribe
• Engagement Studies
  • Organisations:
    • Engagement = email sort
    • Worldwide ~20% of employees are engaged and 80% sit on the fence
  • Tribes
    • Engagement = contact sport
    • No tribes run engagement surveys, all members are engaged 100% as you are either learning, doing or teaching

“Why is no one teaching GenY to respect those who came before them as sources of learning?”

Executives go on a ‘retreat’ (never an advance?) then return to proclaim new company values to their employees.

• Employees don’t hear values, they hear violations;

“Integrity, really?? Aren’t you the CxO trying to set up XYZ to fail so you can get more headcount/budget?”

“Language is the bloodline of a tribe”

His parting observation was on the two dynamic forces of organisations: Relationship versus Results

“Measure yourself on Relationship versus Result – is the win [on this point] worth more than the long term relationship?”

The interesting observation I made about his talk was that, not only was I noting the same points as one of my colleagues, these same points were also being noted by a number of other ‘corporate types’ around where we were seated.

---

For another summary of the talk, click here to see what Missing Link said.

---

Update: A TED talk on this theme of Anthropology and Tribes was posted recently “David Logan on Tribal Leadership”

Update: Domain seems to be back – have adjusted links & text

TED. Three letters, a veritable treasure trove of new ideas, challenging thinking and incredible people with finely honed presentation skills.

I first stumbled across the TED initiative in 2006 when I was shown a presentation by Hans Rosling using Gapminder to do some incredible data visualisations. From that day onward, they have been a regular both in my RSS feed readers and in my browser as I immersed myself in the site from which I have gained so much.

It was with huge excitement then that I saw that TED was not only allowing independently organised events (under it’s banner of TEDx), but one of these events was going to be in Auckland, New Zealand – my home town.

I must admit I was initially reluctant to fill out the registration form, as chest puffery and self promotion doesn’t sit well with New Zealanders. Encouraged by some colleagues, and with the knowledge that the official event attendee spots are so coveted I did sit myself down and force my fingers to the keyboard to tap out an introspective view of what I have achieved to date, and why I should be amongst those fortunate enough to sit in attendance. The exercise in itself was worthwhile as it gave me an opportunity to cast back over many years in the technology industry, and to re-celebrate a number of the awesome innovations that I had been involved in over that time. The submit button was clicked, the “Thank you for registering” page loaded – and then all there was to do was wait.

In the fullness of time, I received an acceptance email and, excitedly, I checked in with my other colleagues to find they too had secured their place – timing-wise, the TEDx Auckland event was scheduled for the day before a weekend away at TelecomONE, a FOO style “Innovation Unconference”, so I knew that we would be in for one heck of a lot of brain stretching. We made our plans to meet up and attend together, and then again we waited for the beginning of the first ever TEDx Auckland, October 01, 2009.

I was reading a CIO Magazine article this morning on ‘The Cloud’, and found this wee video embedded in the article of Larry Ellison (CEO Oracle) talking about ‘The Cloud’, he certainly calls a spade a spade…

I’ve had a couple of decent articles come through my various feeds this morning in regards to IT Security and how companies are gaining traction for the acceptance and adoption of policies.

Another point of interest raised by Forrester is the shift in spending toward security, but rather than defensive spending, the money is tending toward protecting the DATA. In an age where the security perimeter has shrunk from the outside of the business, to the connected systems, to any accessing device and right down to cheap, plentiful and high capacity USB storage devices, a perimeter approach seems unnecessarily costly to say the least (of course, this must be tempered with assurance of systems availability).Where this falls down however is in the belief structure of an organisation. Don O’Neill states :

“Cost is a function of perceived value.”

Thus, if you are unable to convince your financial stakeholders to invest in security, you are unlikely to be able to implement worthwhile preventative measures. On the flip side of this argument, it your company is entrenched in a border protectionism mindset, then a shift to focus on data protection (whilst maintaining systems availability via reduced defensive spending), again – you’re unlikely to succeed in implementing worthwhile preventative measures.

However, all is not lost – the other article discusses how we can use Social Psychology (PDF 213KB) to help encourage colleagues and influencers to adopt policies that we’d like to implement. For the most part, this is done via encouraging prosocial behaviors – that is, getting people to adopt the behaviors that they believe others are following. For instance, if I were to wish to encourage a Corporate to focus on data protection I would cite other companies such as Microsoft who are reducing their corporate firewalls on the perimeter, and doing more to authenticate users prior to allowing data to be used (i.e. check I’m an employee before you let me open, read, edit, print, email this document).

The Network World article goes on to suggest some measures to encourage adoption:

Post statistical information about the rate of compliance with various security measures where people can see the information…

Use comparison statistics about compliance rates to encourage healthy competition among work groups…

Provide individual information to each user in a periodic report…

Have rotating messages appear about different applications…

The article ends with a call to action – so be sure to actually click through

I’m sure that readers will have lots of ideas for how to apply Cialdini’s research findings. I suggest that everyone pitch in using the comment feature of this column to share these ideas…After all, 82% of all readers are cooperating with….

With all of the above in mind then – what can we do as Security Professionals to help protect our people from themselves and the big bad and nasty outside world? Well, like many others, my current soapbox is to get people to secure their files and encrypt their hard drives – do you have an area you’re focusing on? Discuss…

Here’s a great presentation by Joakim Vars Nilsen on the Power of People (why empowering people is key in marketing).

There are more than a few companies who could benefit from watching this deck – and it doesn’t (really) matter what size your business is, the principals remain true, it’s just the speed of uptake which will be the variable.

Discuss.

Below is an interesting video for those caught up in the swine flu (which it isn’t) hype.
As a bit of background, Hans Rosling is a doctor and researcher who I first ’saw’ when he presented at TED 2006 – in this video he demonstrates some really interesting data from the World Health Organisation using Gapminder to illustrate the information in an incredibly captivating manner.

Now while Hans doesn’t discount the potential future risk of Influenza A (H1N1), he does point out the hype the media is attaching to the virus when compared to other preventable causes of death.

So, the point of the post (I guess) is that while it’s great that places such as my sons day care center are reinforcing basic preventative measures such as:

• Regular hand washing and drying
• Covering your cough or sneeze with your arm not your hand
• Keeping children with any symptoms at home until they are well.

The reality is, these are life skills which don’t need a hyped up flu variant to be taught – especially in countries with ready access to medical care, and for patients who are neither very young, nor very old.

On average, the (generic) ‘flu is caught by between 3-5 million people each year, and between 0.8 to 1% (or 250,000 to 500,000 people) die from it annually. As the video points out, Influenza A (H1N1) can only claim a mortality rate of around 0.06 to 0.25%… so where were the news stories last year, and the year before that, and the year before that? As molecular virologist Dr Christopher Olsen says in the article linked above;

‘Let’s not lose track of the fact that the normal seasonal influenza is a huge public health problem that kills tens of thousands of people in the U.S. alone and hundreds of thousands around the world,’

Calm down, wash your hands and wait for the media to start reporting on something more worthwhile like, ooh – the global financial issues which actually ARE affecting a large number of people in very real ways.

Those crazy French have declared access to the Internet is a “fundamental human right” as part of its decision in overturning the recent, and controversial “three strikes” anti-piracy law. The Constitutional Council, France’s highest court appear to agree with Corey Doctorow who wrote the following:

Here’s a prediction: in five years, a UN convention will enshrine network access as a human right (preemptive strike against naysayers: “Human rights” aren’t only water, food and shelter, they include such “nonessentials” as free speech, education, and privacy). In ten years, we won’t understand how anyone thought it wasn’t a human right.

Philosophically I can’t agree with the ruling or Corey here, we have no rights other than the right to what we can create for ourselves – these creations can be traded for things such as food, water and shelter – or even bandwidth.

While I really dislike being ‘disconnected’ from the grid, my social networks and the sources of information/opinion that I use to educate, entertain and improve myself – I can’t accept that this access is something that must be provided for me. I think the French have overstepped on this one – I love the outcome, but I think their artistic, socialist side is showing here.

There’s a good discussion on this taking place over on  ReadWrite Web who are covering this story – what say you?