Steve McQueen’s Advice About Online Threats and Leaks

Steve McQueen’s Advice About Online Threats and Leaks

I saw the classic Hollywood disaster film The Towering Inferno in my twenties, two decades after it was released.  I watched it after I read Steve McQueen: Portrait of an American Rebel by author Marshall Terrill.  In fact, after reading TerriIl’s book, I watched just about every Steve McQueen film that I had not yet seen.  One tidbit from the book that I found interesting was that McQueen and Paul Newman were such fierce competitors that it led to McQueen counting the lines in the script and demanding to one-up his rival in order to flex his new-found star power by having one more line than Newman.  Egos aside, I’m glad he did.  This led to the final and, in my opinion, most poignant line in the entire film.  Newman plays the architect who designed the amazing spectacle of a building which, turns out, had some flaws due to corporate fat cats cutting corners.  Steve McQueen portrays the fire chief who saves the day.

The exchange is chilling:

McQueen: You know, we were lucky tonight. Body count’s less than two hundred. You know, one of these days, you’re gonna kill ten thousand in one of these firetraps, and I’m gonna keep eating smoke and bringing out bodies until somebody asks us how to build them.

Newman: Okay. I’m asking.

McQueen: You know where to reach me, architect.

This exact scenario proposes itself to me week after week.  Those who construct and develop companies and infrastructures do not always look at what it takes to keep it safe.  I know what you’re thinking.  This should be a given.  It isn’t.  As I’ve said over and over, security and convenience are natural enemies.  In other words, the more convenient it is to use a product, the less secure it is.  There is no exception.  So, when individuals, investors and the like are building a company, security (no mater what they admit) is an afterthought.  This is why you’ve seen so many data breaches including Equifax, Sony, and Neiman Marcus.  Did you know Neiman didn’t even have a CISO (Chief Information Security Officer) until months after the breach?!  Overlooking security in lieu of growth is an epidemic in this ‘race-to-a-billion-dollar-market-cap’ culture.  “So how can I prevent the next big hack?” you ask.  I’m glad you posed the question.

We work for many major corporations with a lot of assets to protect, and not a single one of those who trusted us have had a leak that led to negative publicity.  Nor has one of these companies had significant physical threat to a VIP.  “Impossible! How is that?” you say.  The answer is simple, but requires discipline and commitment:  You need to put out ever single small fire that comes along.  Every.  Single.  One.  Don’t wait for the big fires.  That’s it.  It’s that simple.

  • First, determine what is valuable within your organization.  This includes human capital (executives) as well as intellectual property (content).
  • Second, investigate every single threat no matter how insignificant it seems.
  • Third, follow up with every lead in succession based on priority determined by the results of the investigation.

If you follow these principles, with our guidance, you will never experience a towering inferno.

Hogwarts Should Conduct Background Checks

Hogwarts Should Conduct Background Checks

Background Checks – Who are the Slytherin anyway?  And why is Hogwarts teaching them the ancient and forbidden magic arts?  My wife is going through the process of re-watching all of the Harry Potter films.  She’s read all of the books ahead of the films, watched the films in the theater and now she has decided to see them all again.  Perhaps this is in preparation of the grand opening of The Wizarding World of Harry Potter next year at Universal Studios Hollywood.  Besides the first one that had Gary Oldman in it, I always encouraged Wifey to take a niece or nephew to see these movies.  Mission accomplished.  Somehow, though, I have a feeling I’m not going to be able to weasel out of attending the theme park.  To quote a great song of the 1970s “The Things We Do for Love”.  10cc had it right.  But this new homespun film festival has gotten me thinking.

Why would the world’s foremost school in witchcraft and wizardry accept students prone to evil?  It’s not like Harvard, where some of their alumni somehow end up managing hedge funds and bilk the poor.  Hogwarts actually has a major in Evil.  No kidding!  It’s called Slytherin.  The folks who major in this topic learn cunning, ambition and — no I’m not kidding — blood purity.  Yes, blood purity.  Voldemort, the Devil figure of the Harry Potter series, attended Hogwarts years prior and majored in Slytherin.  Throughout the entire series, Voldemart is the Grand Dragon of the purists and demands for “muggles” (non-wizards and mixed-breeds) to be eliminated.  You’d think that, after Voldemort became a problem, the (apparently) prestigious Hogwarts school would phase the Slytherin track out of its curriculum.  But no, they do not.  They continue to teach the most evil of their applicants the secrets of their power and actually sponsor games where they watch them all battle it out.  Did I forget to tell you this is a school for children?  Yeesh yiminy!  This makes me think that the ‘Lord of the Flies’ version of the New Jersey public schools in which I grew up was child’s play.

Let’s turn this around to non-fiction.  I remember reading many years ago after 9/11 that it was revealed that a number of the folks involved had originally met at a martial arts studio in Brooklyn.  This includes one of the alleged ringleaders, Mohamed Atta.  The hijackers, dubbed in intelligence training the ‘Hamburg Cell’, also attended flight schools here in the United States.  After a book was written making these connections, a number of martial arts and flight schools began conducting background checks on their students.  Nothing is absolute, but it does make sense to be sure you’ve done your due diligence to make sure your students do not have an apparent propensity for evil already dripping from their pores.

Now let’s elevate this thought to a more modern and hi-tech level.  Anyone with a credit card and a couple thousand dollars can attend classes to teach them how to hack innocent individuals.  Yes, the classes are presented with the disclaimer that all students must only use their new-found powers for the forces of good.  But it is ludicrous to believe that is the case.  I’ve attended numerous hacking courses, from online to real-life.  There is a general consensus that bad folks need not apply.  But this isn’t enforced.  Some of the best hackers on the planet I know personally.  And (for the most part) they are great folks with impeccable values that want nothing more than to find security flaws in their clients’ infrastructure and report directly to them with a plan to remedy said flaws.  I’m not saying this because they can all hack me right now.  I really mean it.  Seriously.  But it still needs to be noted that creeps and felons attend these courses.  Currently there is no good/evil benchmark for the hacking community.  But perhaps soon there will be.  Whether it’s magic, hacking or karate-chopping, it’s nice to know your student.

Now, I’m going to finish my coffee.

Stain on blog from Rob's coffee cup

Branch Offices for Counterfeit Luxury Goods

During one of my strolls through the dark alleys of the web I came across another interesting black hat search engine optimization technique: branch offices for counterfeit luxury goods installed within legitimate sites.  At first observation, the website I saw selling counterfeits looked like any other.  But, after a closer look, the URL appeared to be much longer than the typical domain-based URL like fakestuffseller.com.  Instead it looked like this: http://legitimatesite.com/includes/ice/ _vti_cnf/lib/ brand/boots/brand-boots.php.  I noticed an extra directory ‘/includes/‘ that looked out of place and perhaps would not be in the normal structure of this particular legitimate website.  My next step was to test my theory and delete the extra crap (/includes/ice/ _vti_cnf/lib/brand/boots/brand-boots.php) from the URL, leaving it to be simply legitimatesite.com.  As I has suspected this led me to a perfectly legitimate university website.

The two questions you are asking right now are “how?” and “why?”.  Allow me to enlighten you.  The “how” is similar to what I explained in another recent article I wrote regarding black hat search engine optimization techniques where hackers find weaknesses (like unlocked doors) in websites whose security software is not up to date.  Once that vulnerability is detected, the hacker can install thousands of his own websites within your website without your knowledge and, perhaps, for years before you even notice anything is strange.  The reason they do it is so that they can create tens of thousands of websites selling counterfeits.  Since this is done on a mass scale, the criminal is only minimally affected when your lawyer takes down poor old legitimatesite.com.  He has an unlimited supply.  Now I’m going to finish my coffee.

Hi-Tech P.I.

Helping people see the forest for the trees, online.

Holmes P.I.™

Can you dig it?