Drone Vandalism – Really

Wired reported today that the age of drone vandalism has come.  Early Wednesday morning, the graffiti artist/vandal known as KATSU used a hacked Phantom drone to deface a 6 story tall Calvin Klein billboard on Houston Street in New York City and posted the tagging of the billboard on YouTube.  Given that what he did was completely illegal, it is not clear if YouTube is going to take it down (for the moment, the video is below).

What KATSU figured out how to do is (a) hack a drone, (b) attach a spray can to the drone, (c) control the spray can remotely and (d) tag the face of Kendall Jenner on the billboard, 7 stories up, in a very busy intersection in lower Manhattan, all the while videoing the episode.  Then he posted it on YouTube and got Wired to write about it.  As an exercise in how to get PR for yourself, that rates an A.

Whether the NYPD will arrest him is another matter because it is not clear that they have any evidence, admissible in court, against him.  In the video, you don’t see his picture, you don’t see anyone controlling the drone and the video is obviously edited.

I am sure that Calvin Klein is not happy.  I do not know if they have already redone the billboard as I doubt there is any way to clean the graffiti off, even if you were hanging off the roof of the building 7 stories up.

The entire episode took about a minute.

From the security perspective, at this point in time, it is not surprising that he was able to hack the drone.  Why he hacked the drone is not clear (maybe deniability – it wasn’t his drone?), but what is of concern is that, as the FAA starts to license drones to businesses, will Amazon’s drones, for example, deliver packages as well as tag billboards?  If you cannot keep control of the drones, you cannot assure people that this won’t happen.

And, given that someone was able to land a gyrocopter on the front lawn of the Capitol last week, could you program a hacked drone to deliver some sort of payload into, say, the Super Bowl?  The possibilities are endless and I am sure that the various authorities are losing sleep over it.  The Secret Service was flying drones over the White House at 2 AM in an effort to figure out countermeasures.  If the drone is hacked to disable things like remote recall and to ignore GPS signals, it would likely be hard for the authorities to take control of it, if they even had enough time to round up the troops to do it.  If the drone contains, for example, an altitude controlled detonator and you shoot it down, have you in fact done the terrorist’s job for them?  Unfortunately, there are no simple answers.


How Much Is Your Privacy Worth? How About $29/Month?

AT&T rolled out its Google Fiber competitor (see article) in the Kansas City, Mo. area (Leawood, Lenexa, Olathe, and Overland Park, Kan.) for the same price that Google charges – $70 a month.

However, if you would prefer that AT&T not track the web pages you visit, the time you spend at each, the links or ads you see and follow and the search terms you enter — THAT will cost you an extra $29 a month.  They call this Big Brother service “AT&T Internet Preferences” and if you would prefer not to be preferenced, plan to fork over another $29 each month.

One would assume that this number is close to the amount of revenue they get from selling that data to advertisers.

Google says that they don’t collect browsing history on Google Fiber customers.  Google says that it collects additional data for Google Fiber customers, but that it doesn’t NECESSARILY combine that with the data that they collect when you visit all those other Google services like YouTube, Picasa, Gmail and many others.

Although AT&T warned that they might pause their fiber rollout to get even with the FCC for their net neutrality ruling, apparently that is not happening just yet since they just announced a list of 100 cities which are new candidates to join Kansas City with gigabit fiber.

This, of course, has nothing to do with the tracking that individual web sites like Amazon or Walmart do – that will continue no matter how much you pay.

So, remember, there is no such thing as a free lunch – even if you pay $70 a month for it.  $99 a month is as close as we come to a free lunch.  Gotta pay for that fiber somehow.

The Insider Risk

In January Morgan Stanley caught one of its financial advisors, Galen Marsh, after he stole data on 350,000 clients and someone posted part of it on the Internet.

This month a JPMorgan employee, Peter Persaud, was arrested for selling customer data to an undercover FBI snitch.

While both of these people were in the financial services world, insiders taking information is certainly not limited to that industry.

We hear stories all the time of sales people taking their Rolodex with them when they leave a company.

We hear stories of tech people taking code with them and to a lesser extent, taking customer lists.

The scary question is the part that we do not hear about.

In the case of Marsh (see WSJ article), he admitted to taking the data.  He did, however, claim that he did not post it online (where it was found), nor did he try to sell it.  The information which did appear on the Internet included names, account numbers, state of residence and asset values.  These were all high net worth clients, with balances in the hundreds of thousands to millions of dollars.  He had been an employee since 2008.

In the other case, Persaud was paid $2,500 by an FBI snitch in exchange for information on an account with a $19,000 balance.  The snitch was supposed to pay him an additional $7,500 after he emptied the bank account.  He also tried to sell information on 4 other accounts with a combined balance of $150,000 (see Bloomberg article).

For every story that we hear about, where someone is discovered, arrested and prosecuted, there are thousands that we don’t know about.  In some cases, companies find out about it but choose not to prosecute because they do not want customers or investors to find out that the data that they entrusted the company with is not safe.  Not to pick on law firms, but they are a hot target, and there are few circumstances that require them to disclose breaches to their clients unless it contains health or credit information.

The questions to ask yourself are these:



For most companies, the answer is no.  Chase spends about $250 million a year on cyber security and after the loss of 75,000,000 client accounts to hackers late last year, CEO Jamie Dimon promised to double that to $500 million.

In most cases, internal controls are loose and employees would not trigger any alarms if they copied data.  After all, they are trusted – we hired them, didn’t we?

A 2012 study found that almost half of the employees questioned would sell their corporate credentials for $150.  Whether half or $150 are exactly correct or not, the fact that any would sell it for a few hundred dollars speaks to the fact that employees don’t have much loyalty to companies who, they think, will show them the door if it is convenient to the company.

How much do you spend on cyber security?



The Real Cost Of Cyber Breaches

The CPA association (AICPA) in their Chartered Accountants Magazine (GGMA.Org) wrote about a survey that they did regarding consumers’ spending habits (see article).  Below is a summary of the survey results:

  • 25% of Americans said they were victims of cyber attacks this year, up from 11% last year.
  • 86% of Americans are concerned about whether businesses are adequately safeguarding their personal information and financial data.  51% say they are extremely or very concerned, up from 39% last year.
  • 82% say their cyber security fears have changed their shopping and Internet habits, up from 69% last year.  56% said they used cash or checks more often;  40% said they reduced their online presence by visiting fewer sites or turning off social media accounts.
  • Millennials were least likely to be victimized and least likely to scale back their online presence.  Still, 42% said they were extremely or very concerned that businesses were not up to the task.
  • 20% said an attack had lowered their credit score, while 26% said their credit score prevented them from doing something such as getting credit.

If people are more scared, spend less, visit fewer sites and blame the Internet for their not being able to get credit, this cannot be good for business.


Google Search Rules Changed Last Week

For those of you who depend on Google search engine position for your business, the world changed last week.

As of April 21st, 2015, Google is using mobile friendliness as a criterion in search engine rankings.  This affects mobile search (not your desktop) in all languages, worldwide.

Google has been saying that mobile friendliness is important for several years.  Now they are sort of “emphasizing” that point.

If your web site is not mobile friendly according to their criteria, your ranking will drop like a rock (see Google changes ranking criteria).

Google has even created a mobile friendliness ranker to see if your web site passes muster.  I just checked my site and it passes.  WHEW!

The good news is that this is all fixable and when you fix it, if you need to, your position will return to a normal place.

Check things out.  See where you are.  Fix things if you have to.  Otherwise, consider that you are likely to “disappear” from Google.

LinkedIn “Reference Search” Is Legal

LinkedIn has a service called a LinkedIn Reference Search that allows someone to search for people who worked at the same companies that you did at the same time you did.  While LI does not give employers direct access to those people who worked with you, they do “recommend” that prospective employers use the LinkedIn tools to connect with those people to get information from them.

Some people weren’t too happy with LinkedIn about this and sued them, suggesting that what they were doing was providing a consumer report as defined in the Fair Credit Reporting Act or FCRA (see LinkedIn is not a reporting agency says court).

The court took apart the claims about what LinkedIn does and said, basically, that it is not illegal.

One thing that LinkedIn does NOT do is tell you when someone runs a reference search on you, which would be nice.

So, the moral of the story is that networking has its positives and negatives and this might be a negative if you are looking for a job.