“Welcome to the new world of risk: Microsoft cuts off services to energy company without notice.”

Link to article below, but first: story time.

I once helped a company set up a satellite controlled data distribution system with a footprint covering the entire continental United States. The first thing I had to do was educate them so they could make informed decisions. I escorted the two company owners to a trade show and arranged meetings with several satellite service providers and equipment suppliers. After their introductory education, back in corporate HQ in Washington State, we were sitting in the President’s office and I summarized: “There are basically two ways we can do this. We can lease the services of a satellite uplink facility, or we can build an uplink facility here on your property.” The Vice President said, “I want the solution that gives us the most control over our own destiny.”
Put that in all caps: “I WANT THE SOLUTION THAT GIVES US THE MOST CONTROL OVER OUR OWN DESTINY.”
You see, if they built their own system, they’d have a large capital investment up front, but lower costs in the long term. If they rented a portion of someone else’s facility, their cost of entry would be lower, but in the long term they’d pay more.
They didn’t choose based on cost.
They chose based on control.
Think about this.

#CallMeIfYouNeedMe #FIFONetworks

#cybersecurity

https://www.cio.com/article/4030789/welcome-to-the-new-world-of-risk-microsoft-cuts-off-services-to-energy-company-without-notice.html

Welcome to the new world of risk: Microsoft cuts off services to energy company without notice

The reasons behind the move were global and complex, but for CIOs, it raises frightening new risks, where cloud or SaaS vendors can cut a company off with no warning.

CIO

This LinkedIn Direct Message was included with a connection request yesterday:
“Hi Bob, our clients indicated interest in solutions that align with what you offer at FIFO Networks. Any chance we can jump on a quick call to discuss this further?”

Today I accepted the connection request, and made this reply:
“Hi <name redacted>. Thanks for the connection request.
We don’t know each other, and you’ve asked for the opportunity to have a call with me.
What you did not say is that you’re inquiring about purchasing my services.
I’ll be honest, when someone’s profile says “business development” or “sales,” and they want to talk with me but don’t say exactly why, it’s because they want an opportunity to sell me something.
Your message is slightly different, in that you talked about meeting your clients’ needs with my involvement. But still, it sounds a lot like a sales pitch is your intention.
Before I agree to a conversation, two things:
1) Understand that no money will ever flow from me to you.
2) Send me information that is significantly more specific about how working together will help FIFO Networks make money.
Why do you want to speak with me? Don’t be vague; show potential value.
I hope you understand my caution. I get requests for meetings EVERY DAY on LinkedIn. Most of them, I just block. Your message sounds like there may be real potential for collaboration, so I’m taking time to reply.
--Bob Young”

THE LESSON
“Don’t be vague; show potential value.”
When my son was a teenager I would tell him, “Vagueness breeds suspicion.” (If you’ve ever raised a teen, you know exactly what I mean).

#CallMeIfYouNeedMe #FIFONetworks

#collaboration #teamwork #entrepreneurship

Highly technical post of limited interest: SPF, DMARC, and DKIM.

On my domain I’ve configured SPF, DMARC, and DKIM. They’ve been configured for a long time. Two days ago I realized something was wrong. Email headers were showing SPF=Fail, and it was happening on my actual emails – not from a spam account trying to spoof my domain. DKIM passed, BTW.

Yesterday I logged into my domain settings to check it out. There were a couple of problems.
I had three DMARC records. You’re only supposed to have one.
I had no SPF record.
What the...?

I re-did my SPF and DMARC config, and then changed my hosting account password. The hosting account has good security; I have 2FA and they notify me of every login. I doubt that a malicious actor gained access. I think it’s more likely that something went bonkers with the hosting company’s system. For example, the two extra DMARC records were previous versions of my current DMARC record. Maybe they screwed up a backup/restore operation. I don’t know.

Anyway, the lesson here, for the small group of people who actually configure this stuff, is to verify your email security settings periodically.
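One way to do that periodic verification, as an added example that is not part of the original post: a small Python audit that takes the TXT records published at the domain apex and at `_dmarc.<domain>` and flags exactly the conditions described above (no SPF record, more than one DMARC record). The sample records and the example.com domain are constructed placeholders.

```python
import re

# Constructed sample input mirroring what the post describes finding: no SPF
# record at the domain apex and three DMARC records at _dmarc. The domain is a
# placeholder; feed in the output of `dig +short TXT <domain>` and
# `dig +short TXT _dmarc.<domain>` to audit a real one.
APEX_TXT = ['"google-site-verification=placeholder-token"']
DMARC_TXT = [
    '"v=DMARC1; p=none; rua=mailto:dmarc@example.com"',
    '"v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"',
    '"v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100"',
]

def unquote(record):
    """Join the quoted strings dig prints for one TXT record into one value."""
    parts = re.findall(r'"([^"]*)"', record)
    return "".join(parts) if parts else record.strip()

def parse_dmarc(record):
    """Split a DMARC record into a lower-cased tag -> value dict."""
    tags = {}
    for part in unquote(record).split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit(apex_txt, dmarc_txt):
    """Return a list of findings; an empty list means the records look sane."""
    findings = []
    spf = [unquote(r) for r in apex_txt if unquote(r).lower().startswith("v=spf1")]
    if not spf:
        findings.append("SPF: no v=spf1 record at the domain apex")
    elif len(spf) > 1:  # RFC 7208 allows exactly one; more is a PermError
        findings.append(f"SPF: {len(spf)} v=spf1 records; receivers return PermError")
    elif not any(t.lower().lstrip("+-~?") == "all" or t.lower().startswith("redirect=")
                 for t in spf[0].split()[1:]):
        findings.append("SPF: no terminal 'all' mechanism (or redirect=)")
    dmarc = [t for t in map(parse_dmarc, dmarc_txt) if t.get("v", "").upper() == "DMARC1"]
    if not dmarc:
        findings.append("DMARC: no v=DMARC1 record at _dmarc")
    elif len(dmarc) > 1:  # RFC 7489: multiple records end policy discovery
        findings.append(f"DMARC: {len(dmarc)} v=DMARC1 records; receivers treat this as no policy")
    else:
        if dmarc[0].get("p", "none") == "none":
            findings.append("DMARC: p=none is monitor-only; spoofed mail is still delivered")
        if "rua" not in dmarc[0]:
            findings.append("DMARC: no rua= address, so aggregate reports never arrive")
    return findings

if __name__ == "__main__":
    for line in audit(APEX_TXT, DMARC_TXT) or ["no findings"]:
        print(line)
```

Run it from a scheduled job and alert on any non-empty result; the SPF=Fail seen in headers would have shown up here as the first finding before the mail ever bounced.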

#CallMeIfYouNeedMe #FIFONetworks

#cybersecurity #email

If you miss the non-tabbed, non-AI version of Windows Notepad, you'll be happy to learn that you can copy it from Windows 10 and save it to Windows 11.

You don't need to install it. Just retrieve the notepad.exe file from an older computer.

You'll find it on an older computer at C:\Windows\System32\notepad.exe.

On your Windows 11 computer, copy it into the same location.

Windows 11 Notepad will still work. All your standard menu links will still take you to Win 11 Notepad. Create a shortcut on your desktop to the Win 10 Notepad, and it will run. See the picture, which shows both of them open on one of my Windows 11 Pro computers at the same time.

#CallMeIfYouNeedMe #FIFONetworks

The best security doesn't come from a certain SIEM, or XDR, or AI enhanced product.

The best security doesn't come from choosing the right CSP, or framework, or audit.

The best security comes from well-developed security policy lived out in a well-developed security culture.

It’s not something you buy. It’s a way of life.

#CallMeIfYouNeedMe #FIFONetworks

#cybersecurity

‘All US forces must now assume their networks are compromised’ after Salt Typhoon breach | IT Pro https://share.google/r3Ys913UW0FTdrfz9

From the article:
“This data also included these networks’ administrator credentials and network diagrams — which could be used to facilitate follow-on Salt Typhoon hacks of these units,” the DoD warned.

One more time: “This data also included these networks’ administrator credentials..."

Any advice, from any so-called authoritative source (including NIST), recommending that you no longer need to enforce a password change policy, is absolute folly.

Change your passwords.

#CallMeIfYouNeedMe #FIFONetworks

#cybersecurity

‘All US forces must now assume their networks are compromised’ after Salt Typhoon breach

The announcement marks the second major Salt Typhoon incident in the space of two years

IT Pro

(Q) How do cybercriminals beat SMS, authenticator apps, and passkeys?

(A) Website spoofing.

The site looks exactly like an online payment portal that you use all the time. Or at least, it’s so close to perfect that you don’t notice the difference.

Spoofed Website: “Enter the code from your authenticator app.”

User: Enters the code.

Spoofed Website: [Ignores the code as a useless random number input]: “Perfect! You may now pay your bill.”

OR...

Spoofed Website: “Perfect! Our database is undergoing maintenance right now, so we can’t display your account balance, but you can still make a payment. How much would you like to pay?”

OR...

Spoofed Website: “Perfect! Continue shopping. Add stuff to your cart. You can pay us when you’re done.”

THE LESSON
The authentication process can be spoofed. All authentication inputs are ignored. This means it’s up to you to make sure you’re really on the correct website. This is why you shouldn’t click on links in emails or text messages. You receive the notice that it’s time to pay your bill. Great. Now use the company’s app, or use your browser’s bookmark, to visit the site to make your payment.

To state the problem another way: authentication methods typically prove who you are. They don’t prove who you’re connecting to. There are exceptions, but in general, for the average user, this is a good statement. (“But Bob, the padlock in the browser’s address bar – the website certificate... you know, that stuff!”)

News flash: cybercriminals use spoofed sites with https and certificates. In other words, that padlock can be your assurance that you really are connected to the cybercriminal’s playground.

#CallMeIfYouNeedMe #FIFONetworks

#cybersecurity

What you need to know about messaging apps in case of a natural disaster, like the flash floods in Texas:

1) Carrier-based messaging apps generally don’t include location information directly in the message’s metadata. Include your location in your message text.
2) Internet-based messaging apps like WhatsApp may include location information in a couple of different ways: either in the metadata, or via a specific “share my location” option.
3) Both carrier-based and Internet-based apps have advantages and disadvantages in an emergency. For example, in some situations you may have a signal from the carrier’s network, but no usable Internet signal. In other situations you may have Internet access via Wi-Fi even if the carrier’s network is offline.
4) Messaging apps (either type) may work when signal quality is too weak to support voice calling. Even if you can’t get a call through, try to communicate with your messaging apps.
5) Maybe you have location sharing disabled on your phone right now. In an emergency or natural disaster, go into your phone settings and turn on all location sharing permissions.
6) When you establish communications with the 911 center or first responders, consider sending a picture with details about your location and surroundings. Help them be prepared.
7) Some 911 centers support text messaging, but it may not always be available in every location. Check the websites of your local emergency agencies to learn about your communications options, and add them to your phone’s contacts.
8) Some communities use emergency information systems like Everbridge. This is one-way communications, from the emergency management agency to you, but it’s a good idea to find out what’s available in your area and sign up now, before there’s an emergency.

#CallMeIfYouNeedMe #FIFONetworks

Any advice? For the last few months I’ve been getting requests from people looking for jobs – but not in information technology or cybersecurity. The problem has to do with my company name.

FIFO is a term that has multiple meanings. In accounting and software, it stands for First In, First Out. But in the mining industry, including offshore oil rigs, it stands for a labor category: Fly In, Fly Out.

When someone searches for things like “FIFO jobs,” my website is showing up. They call, and I don’t recognize the number, so it rolls to voicemail and they leave me a message. Or they use the “Contact Us” form on my website.

I respond to every one of them, because it’s the right thing to do. It’s tough when you’re looking for work. I let them know what I actually do, and that I’m not looking for employees, and wish them luck in their job search.

I modified my “Contact Us” page to say that there are no jobs here, but I have to be careful about the wording. If I use the phrases “FIFO jobs” or “fly in fly out” that will increase the search hits and make the confusion even worse.

Can you think of anything else I might try to minimize the confusion – short of changing my company name?

#FIFONetworks #CallMeIfYouNeedMe #ButNotForJobs

Over the weekend I set up an air-gapped computer for use with certain clients. The increasing use of Artificial Intelligence (AI) to analyze data of all types warrants this new operational procedure for my clients with Non-Disclosure Agreements (NDAs).

Examples of privacy violations are too numerous to count. To give you one example (that doesn’t even use AI), companies have been found guilty of violating user preferences regarding location tracking. Another example: so-called anonymized data has been connected back to the associated sources many times through the use of many methods. The analysis of anonymized data with AI tools makes it even easier to de-anonymize information.

Major software companies, operating system companies, device manufacturers, and cloud service providers are all actively working to obtain your data.

Legal protections are lagging behind technology advances.

Privacy policies are written to confuse. They deliberately include doublespeak and ambiguity.

Default opt-in is normalized.

AI systems are leaky. They have information they obtain without your informed consent, and they leak that information in ways the system owners can’t even predict.

You cannot avoid working with AI-enabled networks, hardware, software, and systems. Even when you try to minimize it, disable it, or reject it, your information is at risk.

For these reasons, I’m applying the following operational policies for information from any company for which I’ve signed an NDA:

1) I’m making available file transfer systems that are end-to-end encrypted. The use of these systems is at the client’s option. If they want to send a document as an unencrypted email attachment, they can still do that. I’ll support, and work with, any encryption methods the client chooses.

2) All information received under an NDA will be moved to the air-gapped system for processing. Even if they send me a document as an unencrypted PDF, I won’t open it with any application until it’s on the air-gapped system.

These steps don’t protect the client from all risks, but they do allow me to prove due diligence in protecting information provided to FIFO Networks under an NDA.

#CallMeIfYouNeedMe #FIFONetworks

#cybersecurity #privacy #NDA #NetworkArchitecture #policy