July 2019 - Techwinnews


Wednesday, July 3, 2019

Can You Hear Me Now? Staying Connected During a Cybersecurity Incident

July 03, 2019
We all know that communication is important. Anyone who's ever been married, had a friend, or held a job knows that's true. While good communication is pretty much universally beneficial, there are times when it's more so than others. One such time? During a cybersecurity incident.
Incident responders know that communication is paramount. Even a few minutes might mean the difference between closing an issue (thereby minimizing damage) vs. allowing a risky situation to persist longer than it needs to. In fact, communication -- both within the team and externally with different groups -- is one of the most important tools at the disposal of the response team.
This is obvious within the response team itself. After all, there is a diversity of knowledge, perspective and background on the team, so the more eyes on the data and information you have, the more likely someone will find and highlight pivotal information. It's also true with external groups.
For example, outside teams can help gather important data to assist in resolution: either technical information about the issue or information about business impacts. Likewise, a clear communication path with decision makers can help "clear the road" when additional budget, access to environments/personnel, or other intervention is required.
What happens when something goes wrong? That is, when communication itself is impacted during an incident? Things can get hairy very quickly. If you don't think this is worrisome, consider the past few weeks: two large-scale disruptions impacting Cloudflare (rendering numerous sites inaccessible) and a disruption in Slack just occurred. If your team makes use of either cloud-based correspondence tools dependent on Cloudflare (of which there are a few) or Slack itself, the communication challenges are probably still fresh in your mind.
Now imagine that every communication channel you use for normative operations is unavailable. How effective do you think your communication would be under those circumstances?

Alternate Communication Streams

Keep in mind that the middle of an incident is exactly when communications are needed most -- but it also is (not coincidentally) the point when they are most likely to be disrupted. A targeted event might render critical resources like email servers or ticketing applications unavailable. A wide-scale malware event might leave the network itself overburdened with traffic (impacting potentially both VoIP and other networked communications), etc.
The point? If you want to be effective, plan ahead for this. Plan for communication failure during an incident just like you would put time into preparedness for the business itself in response to something like a natural disaster. Think through how your incident response team will communicate with other geographic regions, distributed team members, and key resources if an incident should render normal channels nonviable.
In fact, it's often a good idea to have a few different options for "alternate communication channels" that will allow team members to communicate with each other depending on what is impacted and to what degree.
The specifics of how and what you'll do will obviously vary depending on the type of organization, your requirements, cultural factors, etc. However, a good way to approach the planning is to think through each of the mechanisms your team uses and come up with at least one backup plan for each.
If your team uses email to communicate, you might investigate external services that are not reliant on internal resources but maintain a reasonable security baseline. For example, you might consider external cloud-based providers like ProtonMail or Hushmail.
If you use VoIP normally, think through whether it makes sense to issue prepaid cellular or satellite phones to team members (or to at least have a few on hand) in the event that voice communications become impacted. In fact, an approach like supplementing voice services with external cellular or satellite in some cases can help provide an alternate network connectivity path at the same time, which could be useful in the event network connectivity is slow or unavailable.

Planning Routes to Resources and Key External Players

The next thing to think through is how responders will gain access to procedures, tools and data in the event of a disruption. For example, if you maintain documented response procedures and put them all on the network where everyone can find them in a pinch, that's a great start… but what happens if the network is unavailable or the server it's stored on is down? If it's in the cloud, what happens if the cloud provider is impacted by the same problem or otherwise can't be reached?
Just as you thought through and planned alternatives for how responders need to communicate during an event, so too think through what they'll need to communicate and how they'll get to important resources they'll need.
In the case of documents, this might mean maintaining a printed book somewhere that they can physically access -- in the case of software tools, it might mean keeping copies stored on physical media (a USB drive, CD, etc.) that they can get to should they need it. The specifics will vary, but think it through systematically and prepare a backup plan.
Extend this to key external resources and personnel your team members may need access to as well. This is particularly important when it comes to three things: access to key decision-makers, external PR, and legal.
In the first case, there are situations where you might need to bring in external resources to help support you (for example, law enforcement or forensic specialists). In doing that, waiting for approval from someone who is unavailable because of the outage or otherwise difficult to reach puts the organization at risk.
The approver either needs to be immediately reachable (potentially via an alternate communication pathway as described above) or, barring that, have provided approval in advance (for example, preapproval to spend money up to a given spending threshold) so that you're not stuck waiting around during an event.
The same is true for external communications. You don't want to find your key contact points and liaisons (for example to the press) to be MIA when you need them most. Lastly, it is very important to have access to legal counsel, so make sure that your alternative communication strategy includes a mechanism to access internal or external resources should you require their input.
The upshot of it is that the natural human tendency is to overlook the fragility of dependencies unless we examine them systematically. Incident responders need to be able to continue to operate effectively and share information even under challenging conditions.
Putting the time into thinking these things through and coming up with workarounds is important to support these folks in doing their job in the midst of a cybersecurity event.

Tuesday, July 2, 2019

Cryptohackers Breach StatCounter to Steal Bitcoins

July 02, 2019
Hackers planted malware on StatCounter to steal bitcoin revenue from Gate.io account holders, according to Eset researcher Matthieu Faou, who discovered the breach.
The malicious code was added to StatCounter's site-tracking script last weekend, he reported Tuesday.
The malicious code hijacks any bitcoin transactions made through the Web interface of the Gate.io cryptocurrency exchange. It does not trigger unless the page link contains the "myaccount/withdraw/BTC" path.
The malicious code secretly can replace any bitcoin address that users enter on the page with one controlled by the attacker. Security experts view this breach as critical because so many websites load StatCounter's tracking script.
"This security breach is really important considering that -- according to StatCounter -- more than 2 million websites are using their analytics platform," Faou told TechNewsWorld. "By modifying the analytics script injected in all those 2 million websites, attackers were able to execute JavaScript code in the browser of all the visitors of these websites."

Limited Target, Broad Potential

The attack also is significant because it shows increased sophistication among hackers regarding the tools and methods they use to steal cryptocurrency, noted George Waller, CEO of BlockSafe Technologies.
Although this form of hijacking is not a new phenomenon, the way the code was inserted was.
The growth of the cryptocurrency market and its emerging asset class has led hackers to increase their investments in devising more robust attempts and methods to steal it. The malware used is nothing new, but the method of delivering it is.
"Since the beginning of 2017, cryptocurrency exchanges suffered over (US)$882 million in funds stolen through targeted attacks across at least 14 exchanges. This hack adds one more to the list," Waller told TechNewsWorld.
In this instance, attackers chose to target the users at Gate.io, an important cryptocurrency exchange, said Eset's Faou. When a user submitted a bitcoin withdrawal, attackers in real time replaced the destination address with an address under their control.
Attackers were able to target Gate.io by compromising a third-party organization, a tactic known as a "supply chain attack." They could have targeted many more websites, Faou noted.
"We identified several government websites that are using StatCounter. Thus, it means that attackers would have been able to target many interesting people," he said.

Telling Financial Impact

Gate.io customers who initiated bitcoin transactions during the time of the attack are most at risk from this breach. The malware hijacked transactions legitimately authorized by the site user by changing the destination address of the bitcoin transfers, according to Paige Boshell, managing member of Privacy Counsel.
"Gate.io has taken down StatCounter, so this particular attack should be concluded," Boshell told TechNewsWorld.
The extent of the loss and the fraud exposure for this breach is not yet quantifiable. The attackers used multiple bitcoin addresses for the transfers, Boshell added, noting that the attack could have been deployed to impact any site using StatCounter.

Protection Strategies Not Foolproof

StatCounter needs to improve its own code audit and constantly check that only authorized code is running on its network, suggested Joshua Marpet, COO at Red Lion. However, most users will not realize that StatCounter is at fault.
"They'll blame Gate.io, and anything could happen -- loss of business, a 'run on the bank,' and even closing their doors," he told TechNewsWorld.
Checking the code is not always a workable prevention plan. In this case, the malware code looked like the Gate.io user's own instructions, noted Privacy Counsel's Boshell.
"It was not easily detectable by the fraud tools that Gate.io uses to protect against and detect malware," she said.
Network admins are not really affected in this type of breach, as the malicious code is processed at the workstation/laptop rather than on the webserver, according to Brian Chappell, senior director of enterprise and solutions architecture at BeyondTrust. It also does not provide any mechanism to gain control over the system.
"In essence, a lot of stars need to line up to make this a significant risk in that regard," he told TechNewsWorld. "Effective vulnerability and privilege management would naturally limit the impact of any intrusion."
That is a direction that admins need to look. There is nothing they can do to control the initial attack, assuming the targeted websites are accepted sites within their organization, Chappell added.
Even a well-protected website can be breached by compromising a third-party script, noted Eset's Faou.
"Thus, webmasters should choose carefully the external JavaScript code they are linking to and avoid using them if it is not necessary," he said.
One potential strategy is to screen for scripts that replace one bitcoin address with another, suggested Clay Collins, CEO of Nomics.
Using analytics services that have a good security reputation is part of that, he told TechNewsWorld.
"Folks with ad/script blockers were not vulnerable," Collins said.

More Best Practices

Traffic analysis, website scanning and code auditing are some of the tools that could have detected that something was causing abnormal transactions and traffic, noted Fausto Oliveira, principal security architect at Acceptto. However, it would have been ideal to prevent the attack in the first place.
"If the Gate.io customers had an application that requires strong out-of-band authentication above a certain amount, or if a transaction is aimed at an unknown recipient, then their customers would have had the opportunity to block the transaction and gain early insight that something wrong was happening," Oliveira told TechNewsWorld.
Using script blocking add-ons like NoScript and uBlock/uMatrix can put a measure of personal control in the website user's hands. It makes Web browsing more challenging, noted Raymond Zenkich, COO of BlockRe.
"But you can see what code is being pulled into a site and disable it if it is not necessary," he told TechNewsWorld.
"Web developers need to stop putting third-party scripts on sensitive pages and put their responsibility to their users over their desire for advertising dollars, metrics, etc.," Zenkich said.

Beware Third-Party Anythings

As a rule, the number of third-party scripts should be kept to a minimum by webmasters, suggested Zenchain cofounder Seth Hornby, as each one represents a potential attack vector.
"For exchanges, additional confirmations for withdrawals would also be beneficial in this case, given that the exploit involved swapping the user's bitcoin address for that of the thieves," he told TechNewsWorld.
Even third-party outsourcing solutions can open the door to cyber shenanigans, warned Zhang Jian, founder of FCoin.
"So many companies within the cryptocurrency space rely on third-party companies for different duties and tasks. The ramification of this outsourcing is a loss of accountability. This puts many companies in a tough spot, unable to locate attacks of this nature before it is too late," he told TechNewsWorld.
Instead, network admins should work toward creating in-house versions of their tools and products, from beginning to end, Jian suggested, to ensure that control of these security measures lies within their reach.

The Democratic Debate That Wasn't: How Tech Could Help Elections

July 02, 2019

I watched the Democratic debates last week and was struck by three things: I'd likely rather watch paint dry; the application of technology to improve the experience was nonexistent; and I'd bet that if the Democrats don't up their game President Trump will have them to thank when he wins re-election.
I'm generally frustrated about how little technology is used to improve the presentations made by technology companies, but in this case both the preservation of the U.S. and perhaps the survival of the world are tied to the next election, and last week's effort fell well below what should have been done.
I'll suggest some ways technology could be used to improve events like the non-debate the Democrats put on last week. I'll close with my product of the week: Amazon's new Echo Show 5, which has taken the lead for price performance among digital assistants.

How to Improve Political Debates

Given how much the Democrats complain about the U.S. president's inability to tell the truth, you'd think that if they put on something called a "debate" it would include some debating. The closest we got to that last week was when the folks on stage went off script and started yelling at each other. (That was more argument than debate but at least it was interesting.)
We used to have to watch things like this live, and there were time limits that created ugly compromises, much like we saw last week. No one got enough time. However, we are at critical mass for people who stream content now. Plus, our TVs are increasingly intelligent, and most of us have some digital device with us as we watch a debate.
This means debates could be more dynamic. For those who don't know a candidate, provide links so they can learn more without having to go off on their own and search Google (which happened a lot).
In addition, with an app you could allow viewers to stream a full argument from a politician they were interested in and get the complete picture of a position. You then could, through automatic transcription and the application of an AI, get near real-time comparisons between a number of politicians at once, so you could identify those you mostly agreed with and separate from those you thought were nuts. Granted, this doesn't help if they are all nuts.
You must believe that the political parties, not to mention the social networks, know all about you, and they could point out which candidates are the most aligned to your mindset and interests. I know a few years back when we had no incumbent, a similar analysis (I'm a Republican) indicated my views were closest to moderate Democrat Joe Biden.
With smart glasses, or simply a feed to their podiums, candidates could get real-time updates and help from their staff. Once they had the job, they would have the CIA, FBI, NSA, Secret Service, State Department and other organizations to rely on. They wouldn't need to rely on their memories alone, and they shouldn't be in the habit of doing that.
Many of our problems are the result of politicians unnecessarily firing from the hip because they failed to research their positions or to use their resources in a timely way. In a data-rich age, we should have fewer hip shooters, not more.
Demonstrating the capability to use technology in real time to improve positions and decisions should be a requirement of the job, and it isn't cheating in this instance. These people aren't competing in a game show -- they are trying to showcase that they would be the best candidate. The job will require them to use the vast resources of the U.S. -- not act like some old guy who only watches Fox News and chases kids off his lawn in his substantial free time.
There was a lot of wasted screen space during the debate, which could have been used to provide background on the candidates or display information about what people are searching on most frequently. Granted, you'd want to use a censoring AI to make sure folks didn't game that system to prank the speakers or do them harm. Just a running chart on what folks were searching on would tell the viewer, moderators and even speakers what was resonating so they could appeal to the audience more effectively.
Why is it necessary to have an audience in the room? That just forces a rigid timeline, and that timeline reduces understanding as well as the effectiveness and entertainment value of the result. Yes, an audience provides applause, but that tends to slow down the process anyway.
Now of the 10 people on the stage, chances are you are only interested in two or three of them. An AI could help you pick which two or three (and make recommendations for those who aren't on your list). Then it also could formulate and present a virtual debate surrounding issues you care about between the two candidates using an AI clone.
Recall that IBM Watson did a really good job of debating a real debate champion a few months ago. It lost, but it showcased that you could program an AI to perform as a debater. If you trained multiple AIs on the politicians, users could pick those they wanted and pit them against each other virtually. Granted, each campaign would need to train its own AI, but the AI also could answer questions from voters at scale.
Now we also can engage at scale through smartphone apps or websites. Moderators have choices of questions, and they could have the audience vote on the questions to ask and even which candidates to ask them of in real time. That way the event automatically would be optimized for the people who tuned in.

Tracking Things Like Equal Time

Coverage of the candidates went from around 10 minutes, which wasn't enough, to five minutes, which was a joke. I mean, why show up if you are only going to get five minutes out of two hours? Moderators can get running tallies that showcase who is getting the least coverage and then could direct more questions to those people.
Given what happened between Bernie Sanders and Hillary Clinton in the last election, special care should be taken at least to appear fairer so large numbers of voters wouldn't feel disenfranchised again and stay home.

Real-Time Translation

It was cute to see some of the politicians speak Spanish, but there is a decent chance that most of their audience wasn't that impressed, because they didn't. We could do real-time translation, though, and either pop up subtitles or have a voiceover with the translation.
The politicians wouldn't have to repeat themselves, and viewers could hear or see the response in their preferred language. I think language skills are a plus in a politician, particularly when it comes to negotiations, and this would allow a politician to show off those skills without pissing off or losing the audience.

Job Interview at Scale

When you and I interview for a job we start with a resume and then sit for an interview focused on whether we have the skills for the job. We don't get on TV and get asked a bunch of wide-ranging questions, have little or no time to answer them, and then get sniped at by our competitors.
The interview process may have very little to do with the job we will get, but this fake debate format is even further from the job a president will do. In short, all these folks are attempting to showcase skills they may never use outside of the campaign.
A real debate would be closer to a negotiation they might have to do between countries, but wouldn't it be nice to hear some details from folks who worked with them on how well they did their past jobs?
Having a job and doing that job well are potentially two different things, and rather than just focusing on questions having to do with the next job, wouldn't it make more sense to focus on how well they did in the last one?
If it really isn't going to be a debate, why not just make this a job interview? You could show some of the questions in real time but provide links to more extensive interviews for audience members who might want to drill down.
I'm suggesting that with technology we could focus a bit more on competence and a ton less on BS. Maybe, just maybe, we'd get a final choice for president of both candidates being qualified rather than the more typical case of neither making the grade.

Wrapping Up

We have all this technology, and the information out there on each one of us could fill books, but it's not being used to improve our election process, in terms of fielding the best candidates for the job. Technology not only could make election events more interesting, but also could help us make better choices between candidates, and perhaps get us back to talking about issues rather than the latest ad hominem attack.
Whether in politics or in technology, the goal appears to be just to get through the event, when it should be to help us make better, more informed choices. Borrowing from The Six Million Dollar Man, we have the technology -- why don't we fricken use it to improve our world, starting with helping us make better political choices? Maybe, in the future, our governments would get the things done we want done. Right now, I doubt our government even knows what that is.

Rob Enderle's Product of the Week

I was one of the early adopters for the Amazon Echo Show and it had some issues -- from a camera that made it iffy in the bedroom to a price that pushed it out of range for most of us.
Then came the Echo Spot, which was far more attractively priced but had a tiny display that was almost useless, along with a camera. Both had buttons to turn the cameras off, but it was easy to turn them back on again without the user knowing, which is problematic when it comes to privacy expectations and some laws.

Amazon Show 5

Well the new Echo Show is priced like the Spot was (around US$89), has a larger and more useful display, plus a slider that physically blocks the camera and puts a white dot on the face to show you the camera has been blocked. Someone would have to come into the room to turn the camera on, and doing so would remove the white dot. (I'd still like a bigger alert that the camera is active myself, but this is an improvement.)
There still is a larger Echo Show for $229 with twice the screen and better speakers, but you can upgrade this Show with Bluetooth speakers for better sound, and the 5-inch display is fine for most things. (You aren't watching movies on a 10-inch device anyway). The larger one also has a Zigbee smart hub that most will never use.
This is likely the perfect Echo device for many, in that it is well-priced, has the full feature set (including video), and is useful in most of the places you'd use it. I'd still like more choices as to activation words, as every one of the Echos I have has a different word, and everyone fires up unintentionally from time to time. (My favorite is watching Star Trek and having the one in my living room, which answers to "computer," try to respond to the TV actors interacting with the computer in the Enterprise or Discovery).
I also anticipate a future app for the Echo Show 5 that would call out BS every time someone on the TV lied. Granted, when some politicians are talking, it might have a meltdown. Still, because this is the best Echo to date and I am up to my armpits in Echo devices, the new Amazon Echo Show is my product of the week.
During the coming Amazon Prime day, I'll bet you can buy one of these for closer to $50, which would be a huge deal. Christmas shopping early, anyone?

Clean Energy Solutions to Lower Your Electric Bill

July 02, 2019
Using clean energy is the best bet we have to reduce the effects of environmental damage caused by using fossil fuels like oil, coal, and natural gas to power our daily lives.
Not only is the act of relying on finite resources an intrinsically unstable and expensive way to depend on power for the things we rely on the most, it negatively impacts the world around us — and our own health and sustainability.
Large companies like Google and Amazon have amassed enough resources and capital to leverage lower rates for their clean energy solutions -- but Arcadia Power is helping disrupt that market for the average consumer. Here's how it works: Arcadia Power connects you to an online platform. When you can connect your utility bill, you're given access to low cost clean energy programs.

Green Power Solutions

Arcadia Power partners with green electricity suppliers, pulled primarily from wind farms -- the primary currency of the green power market.
Once you connect to the platform, Arcadia Power monitors the energy market in your area, and pulls the lowest rates from local suppliers to ensure that you consistently get access to the least expensive rates available to you.
The free Price Alerts system lets you know when there's a better option available to you -- but you can opt-out any time, without worrying about cancellation fees or getting locked into an expensive contract.
You get an email with your new rate and estimated yearly savings -- so at the end of the day, you get a combination of offers and solutions, ranging from wind power, to community solar and price alerts.

Clean Power in Numbers

So, how can Arcadia Power connect homeowners and renters to their membership for free? The answer is in negotiating power: the company's large customer base gave them the ability to access clean power priced at 10-25% less than the usual rates. So as the company grows in numbers and strength, so does the affordability of the solutions.

Plus, the whole process is simple and continuous: as long as you're connected to the Arcadia Power energy platform, you're sent new plans once there's a price drop for a better solution in your area, which you can opt-in for or not. And once your contract expires, Price Alerts runs the whole process again.
Arcadia Power offers utility billing at no transaction fee, meaning members can earn credit card rewards points every time they pay their bill -- so using clean energy solutions can help you pay for your next plane tickets for your next vacation. Sign up for free here today.