My 3 Favorite Podcast Episodes (So Far…)

The State of Security Podcast has been a fun endeavor and I am committed to continue working on it. I am currently working on raising it to multiple episodes per month, so as I was reflecting, I thought I would share my 3 favorite episodes so far. There are so many great moments, and so much generosity from my guests, I am certainly thrilled with all of them – but everyone has to have favorites… 🙂 

#1 – Episode 1 – This one holds a special place in my heart. Thanks to the wonderful Dave Rose and the absolutely brilliant Helen Patton, they made this interview segment much more comfortable than it should have been. If you can get past my stumbling and bumbling, they share some pure magic with the audience. I hopefully have improved as an interviewer, but much thanks to them for helping SoS get off to a roaring start! 

#2 – Episode 6 – One of the most personal episodes ever, an anonymous friend shares a tale of what it is like to work for over year on a major breach. There is heartbreak and pain here, well beyond infosec. I still get chills every time I listen to it.

#3 – Episode 9 – This one is so personal to me, I get butterflies when people tell me they listened to it. Adam Luck interviews me, and the questions get very personal, very fast. We cover some personal history, why I am an infosec professional and some of the amazing friendships I have enjoyed over the years. Stark and raw, this is worth dealing with the crappy audio, or at least people tell me it is. (This episode is also why we hired audio professionals for our episodes.)

Those are my 3. What are yours? Hit me up on Twitter (@lbhuston) or @microsolved and let us know. Thanks for listening!

3 Reasons I Believe In #CMHSecLunch And Its Mission

I get asked quite often about why I started CMHSecLunch and what the goals behind it are. I wanted to take a moment and discuss it on the blog.

First, if you aren’t a security person in Columbus, Ohio, you might not have heard of the event. Here are the details about it.

Every month, on the second Thursday, my team loosely organizes a simple lunch meet up at one of the local mall foodcourts. It is free, open to all – including non-security folks, kids and interested parties. There is usually a topic like “physical security”, “supply chain”, “threat intelligence”, “pen-testing”, etc. We also usually have something for people to fiddle with while they talk, like locks and lock picks, Legos, smart bits, cards and readers, etc. We find that having something to play with physically seems to help the attendees converse more easily.

The mission of CMHSecLunch was to emulate the “hallway conversations” part of security conferences, and to open up the security community to even larger groups of folks that may be interested, but may not have an easy way to get involved. I wanted it to be less formal than something like an ISSA/ISACA event, be free, loose in organization and really help people make personal connections with each other and the community at large.

The mission started in roughly 2012, and while we took a couple of breaks, is over 4 years old. Sure, there a lot of other events and even a couple of knock off lunches – emulation is a compliment 🙂 – but those usually include some formal presentation, vendor sponsor pitches or some other form of noise as the center of the event. I wanted to avoid all of that and put people at the center of the event. No vendor pitches, no one buys your lunch – so you don’t owe anyone anything either implicit or implied – and since it is in an open public space like a mall food court – there is no separation of infosec from the general public. Everyone can see, talk and ask questions without all of the speed bumps and smoke/mirrors and sense of separation sometimes associated with the infosec community. We’ve had middle school kids, college students, IT folks, janitors at the mall, infosec practitioners, managers and executives join us, engage and ask questions.

So, the #1 reason that I support CMHSecLunch is just that – the open nature and open discussion that comes from it. Thus far, nearly everyone who sits down with us at these events leaves their ego at home or in their car. We’ve had honest discussions from technical to personal, jokes and explanations, stories and anecdotes and even some project launches. Overall, the sense of openness and community has been one of the most amazing parts of my career. Sometimes there are 3 people, sometimes 30 – but I always leave with a smile and a renewed sense of community.

The second reason I believe in CMHSecLunch is that I have seen it bring new talent and fresh energy to the community. People have personally told me that because it was an open, public space and there was nothing expected, that they had the courage to finally approach infosec folks. Many times, people are nervous that they may not fit in, or have the skill set or knowledge of security practitioners at the more focused meetings. They may not have the management or budget support to go to conferences, ISSA/ISACA/OWASP events or even know that they exist. But a lot of people are on Twitter. A lot of people aren’t nervous to go to a mall food court. A lot of people can afford to invest in a fast food or brown bag lunch to get to know people to get started. That’s the crucial ingredient – to make it easy for new folks to join and engage. We need them. The community desperately needs new talent, fresh ideas and new resources that aren’t already locked into the echo chamber of infosec. In fact, I would say new ideas and new talent will make or break infosec over the next 10 years. I believe CMHSecLunch is an easier way for those new people to get started.

Lastly, I love bringing security discussions out of closed business conference rooms and into the mall. I absolutely get thrilled when people around us ask about lock picking or smart bits or whatever we are playing with. I love it when people lean in to listen about hacking or about how credential theft works. We have seen so many surrounding tables clearly listening in – that I have made it a habit to simply ask them to join us and explain the mission. It’s a beautiful thing. Remove the smoke, mirrors and mysticism of infosec – and everyday people are suddenly interested again. They become a little less apathetic, a little less distant and a lot more aware. Isn’t that what we have always asked for as a community? Didn’t we always want everyday users to be more engaged, more aware and more security capable? I truly believe that it will take bringing the public into the fold to make that happen. I believe that events like CMHSecLunch – loosely organized, free, open to the public, held in common public locations and developed on a spirit of inclusion, just might be a way forward. Mostly, I believe in the open, honest and caring attitudes of people, regardless of what community they believe themselves to be a part of. Thus, I believe in CMHSecLunch and our mission…

Wanna give it a try? If you are around central Ohio, you can find the schedule, locations and times here. Want to start your own event, in your area? Ping me on Twitter (@lbhuston) and I’ll be happy to discuss what I did to promote it, and how I would go about it. If I can help you get a group started, I will. That’s it. That’s why I believe. I hope you will believe too… 

The Dark Net Seems to be Changing

The dark net is astounding in its rapid growth and adoption. In my ongoing research work around underground sites, I continue to be amazed at just how much traditional web-based info is making its way to the dark net. As an example, in the last few research sessions, I have noticed several sites archiving educational white papers, economic analyses and more traditional business data – across a variety of languages. I am also starting to see changes in the tide of criminal-related data and “black market” data, in that the density of that data has begun to get displaced, in my opinion, by more traditional forms of data, discourse and commercialization.

It is not quite to the level of even the early world wide web, but it is clearly headed in a direction where the criminal element, underground markets and other forms of illicit data are being forced to share the dark net with significantly more commercial and social-centric data. Or at least, it feels that way to me. I certainly don’t have hard metrics to back it up, but it feels that way as I am working and moving through the dark net in my research. 

There is still a ways to go, before .onion sites are paved and turned into consumer malls – but that horizon seems closer now than ever before. Let me know what you think on Twitter (@lbhuston).

Just a Quick Thought & Mini Rant…

Today, I ran across this article, and I found it interesting that many folks are discussing how “white hat hackers” could go about helping people by disclosing vulnerabilities before bad things happen. 

There are so many things wrong with this idea, I will just riff on a few here, but I am sure you have your own list….

First off, the idea of a corp of benevolent hackers combing the web for leaks and vulnerabilities is mostly fiction. It’s impractical in terms of scale, scope and legality at best. All 3 of those issues are immediate faults.

But, let’s assume that we have a group of folks doing that. They face a significant issue – what do they do when they discover a leak or vulnerability? For DECADES, the security and hacking communities have been debating and riffing on disclosure mechanisms and notifications. There remains NO SINGLE UNIFIED MECHANISM for this. For example, let’s say you find a vulnerability in a US retail web site. You can try to report it to the site owners (who may not be friendly and may try to prosecute you…), you can try to find a responsible CERT or ISAC for that vertical (who may also not be overly friendly or responsive…) or you can go public with the issue (which is really likely to be unfriendly and may lead to prosecution…). How exactly, do these honorable “white hat hackers” win in this scenario? What is their incentive? What if that web site is outside of the US, say in Thailand, how does the picture change? What if it is in the “dark web”, who exactly do they notify (not likely to be law enforcement, again given the history of unfriendly responses…) and how? What if it is a critical infrastructure site – like let’s say it is an exposed Russian nuclear materials storage center – how do they report and handle that? How can they be assured that the problem will be fixed and not leveraged for some nation-state activity before it is reported or mitigated? 

Sound complicated? IT IS… And, risky for most parties. Engaging in vulnerability hunting has it’s dangers and turning more folks loose on the Internet to hunt bugs and security issues also ups the risks for machines, companies and software already exposed to the Internet, since scan and probe traffic is likely to rise, and the skill sets of those hunting may not be commiserate with the complexity of the applications and deployments online. In other words, bad things may rise in frequency and severity, even as we seek to minimize them. Unintended consequences are certainly likely to emerge. This is a very complex system, so it is highly likely to be fragile in nature…

Another issue is the idea of “before bad things happen”. This is often a fallacy. Just because someone brings a vulnerability to you doesn’t mean they are the only ones who know about it. Proof of this? Many times during our penetration testing, we find severe vulnerabilities exposed to the Internet, and when we exploit them – someone else already has and the box has been pwned for a long long time before us. Usually, completely unknown to the owners of the systems and their monitoring tools. At best, “before bad things happen” is wishful thinking. At worst, it’s another chance for organizations, governments and law enforcement to shoot the messenger. 

Sadly, I don’t have the answers for these scenarios. But, I think it is fair for the community to discuss the questions. It’s not just Ashley Madison, it’s all of the past and future security issues out there. Someday, we are going to have to come up with some mechanism to make it easier for those who know of security issues. We also have to be very careful about calling for “white hat assistance” for the public at large. Like most things, we might simply be biting off more than we can chew… 

Got thoughts on this? Let me know. You can find me on Twitter at @lbhuston.

A Reminder About the IoT Future…

This article has been making the rounds about a researcher who has developed a tool set that can turn a Mattel toy into a “magic” garage door opener for most garage doors. The uses of opening someone else’s garage doors seem pretty obvious, so we will leave that to the reader….

But, this is an excellent moment to pause and discuss what happens when so many things in and around our lives become Internet connected, remotely managed or “smart”. Today, it seems everything from door locks, to watches and from refrigerators to toilets are getting embedded digital intelligence. That’s a lot of hackable stuff in your life. 

I have been doing some research on beacon technology recently, and how they are being used to track consumer behaviors. I have been working with some clients that use TigerTrax™ to track consumer data and some of that work is simply amazing. As vendor knowledge seeps into your home and everyday life, even more impacts, privacy issues (and lets face it…) cool features will emerge. The problem with all of these things is that they are a double edged sword. Attackers can use them too. They can be manipulated, mis-used, invasive, infected and some can be outright dangerous (consider refrigerator malware….). 

Once again, technology is becoming ubiquitous. It offers both benefits and some things to consider. My point here is just to consider both sides of that coin the next time you face a buying decision. The world, and you, could benefit from more privacy consideration at the point of purchase… 🙂 

Artificial Intelligence – Let’s Let Our Computers Guard Our Privacy For Us!

More and more computer devices are designed to act like they are people, not machines. We as consumers demand this of them. We don’t want to have to read and type; we want our computers to talk to us and we want to talk to them. On top of that, we don’t want to have to instruct our computers in every little detail; we want them to anticipate our needs for us. Although this part doesn’t really exist yet, we would pay through the nose to have it. That’s the real driver behind the push to achieve artificial intelligence. 

Think for a minute about the effect AI will have on information security and privacy. One of the reasons that computer systems are so insecure now is because nobody wants to put in the time and drudgery to fully monitor their systems. But an AI could not only monitor every miniscule input and output, it could do it 24 X 7 X 365 without getting tired. Once it detected something it could act to correct the problem itself. Not only that, a true intelligence would be able monitor trends and conditions and anticipate problems before they even had a chance to occur. Indeed, once computers have fully matured they should be able to guard themselves more completely than we ever could.

And besides privacy, think of the drudgery and consternation an AI could save you. In a future world created by a great science fiction author, Charles Sheffield, everyone had a number of “facs” protecting their time and privacy. A “facs” is a facsimile of you produced by your AI. These facs would answer the phone for you, sort your messages, schedule your appointments and perform a thousand and one other tasks that use up your time and try your patience. When they run across situations that they can’t handle, they simply bring you into the loop to make the decisions. Makes me wish this world was real and already with us. Hurry up AI! We really need you!

Should MAD Make its Way Into the National Cyber-Security Strategy?

Arguably, Mutually Assured Destruction (MAD) has kept us safe from nuclear holocaust for more than half a century. Although we have been on the brink of nuclear war more than once and the Doomsday clock currently has us at three minutes ‘til midnight, nobody ever seems ready to actually push the button – and there have been some shaky fingers indeed on those buttons! 

Today, the Sword of Damocles hanging over our heads isn’t just the threat of nuclear annihilation; now we have to include the very real threat of cyber Armageddon. Imagine hundreds of coordinated cyber-attackers using dozens of zero-day exploits and other attack mechanisms all at once. The consequences could be staggering! GPS systems failing, power outages popping up, banking software failing, ICS systems going haywire, distributed denial of service attacks on hundreds of web sites, contradictory commands everywhere, bogus information popping up and web-based communications failures could be just a handful of the likely consequences. The populous would be hysterical! 

So, keeping these factors in mind, shouldn’t we be working diligently on developing a cyber-MAD capability to protect ourselves from this very real threat vector? It has a proven track record and we already have decades of experience in running, controlling and protecting such a system. That would ease the public’s very justifiable fear of creating a Frankenstein that may be misused to destroy ourselves.

Plus think of the security implications of developing cyber-MAD. So far in America there are no national cyber-security laws, and the current security mechanisms used in the country are varied and less than effective at best. Creating cyber-war capabilities would teach us lessons we can learn no other way. To the extent we become the masters of subverting and destroying cyber-systems, we would reciprocally become the masters of protecting them. When it comes right down to it, I guess I truly believe in the old adage “the best defense is a good offense”.

Thanks to John Davis for this post.

Keep Your Hands Off My SSL Traffic

Hey, you, get off my digital lawn and put down my binary flamingos!!!!! 

If you have been living under an online rock these last couple of weeks, then you might have missed all of the news and hype about the threats to your SSL traffic. It seems that some folks, like Lenovo and Comodo, for example, have been caught with their hands in your cookie jar. (or at least your certificate jar, but cookie jars seem like more of a thing…) 

First, we had Superfish, then PrivDog. Now researchers are saying that more and more examples of that same code being used are starting to emerge across a plethora of products and software tools.

That’s a LOT of people, organizations and applications playing with my (and your) SSL traffic. What is an aging infosec curmudgeon to do except take to the Twitters to complain? 🙂

There’s a lot of advice out there, and if you are one of the folks impacted by Superfish and/or PrivDog directly, it is likely a good time to go fix that stuff. It also might be worth keeping an eye on for a while and cleaning up any of the other applications that are starting to be outed for the same bad behaviors.

In the meantime, if you are a privacy or compliance person for a living, feel free to drop us a line on Twitter (@lbhuston, @microsolved) and let us know what your organization is doing about these issues. How is the idea of prevalent man-in-the-middle attacks against your compliance-focused data and applications sitting with your security team? You got this, right? 🙂

As always, thanks for reading, and we look forward to hearing more about your thoughts on the impacts of SSL tampering on Twitter! 

Cyber-Civic Responsibility

More and more we are a folk who expect others to protect us from society’s ills and to take care of our dirty work for us. We have police and courts to protect us from violence and larceny. We take it as certain that someone will pick up our garbage, keep our electricity flowing and make sure that our water is clean. And rightly so! After all, isn’t that why we elect officials? Isn’t that why we pay all those fees and taxes that hit us from every side? Life is so complex now that no one has the mental and emotional resources to think and care about every little thing that affects us. We have to draw the line somewhere just to cope and remain sane.

Unfortunately, most of us have put information security and the unrestricted use of our delightful new cyber-toys on the wrong side of that line. We dismissively expect the ISPs, the software developers, the anti-virus personnel, the government, and who knows all else to keep our information secure for us. And they try their best. The problem is that “they” simply can’t do it. Although computer use seems like old and well established technology to many of us, it is really in its infancy and is expanding explosively in unexpected directions. None of the regulations, devices or software packages designed to secure networked computers really work well or for long. They are always too limited, too weak and too late.

The only thing that really has a chance of working is if we all start taking responsibility for our own share of the problem. We need to change our complacent attitudes and realize that it is our civic duty to become actively involved in this concern. It won’t be easy or pleasant. We will need to keep ourselves well-schooled on the subject. We will need to endure security procedures that make computer use a little less convenient and free. And we will need to keep close tabs on the regulators and manufacturers and demand that effective security becomes an integral part of the system. Remember, our place in the world and even our physical safety depends on it! Isn’t that worth a little of our time and patience?

This post by John Davis.

Never Store Anything on the Cloud that You Wouldn’t Want Your Mamma to See

It’s great now days, isn’t it?

You carry around devices with you that can do just about anything! You can get on the Internet and check your email, do your banking, find out what is new on Facebook, send a Tweet or a million other things. You can also take a picture, record a conversation, make a movie or store your work papers – and the storage space is virtually unlimited! And all this is just great as long as you understand what kind of risks this freedom poses to your privacy.

Remember that much of this stuff is getting stored on the cloud, and the only thing that separates your stuff from the general public is a user name, password and sometimes a security question. Just recently, a number of celebrities have complained that their photos (some of them explicit) have been stolen by hackers. These photos were stored in iCloud digital vaults, and were really very well defended by Apple security measures. But Apple wasn’t at fault here – it turns out that the celebrities themselves revealed the means to access their private stuff.

It’s called Phishing, and there are a million types of bait being used out there to fool or entice you. By clicking on a link in an innocent-looking email or answering a few simple questions, you can give away the keys to the kingdom. And even if you realize your mistake a couple of hours later, it is probably already too late to do anything about it. That naughty movie you made with your spouse during your romantic visit to Niagara Falls is already available from Peking to Panama!

Apple announced that they will soon start sending people alerts when attempts are made to change passwords, restore iCloud data to new devices or when someone logs in for the first time from new Apple devices. These are valuable controls, but really are only detective in nature and won’t actually prevent many data losses. That is why we recommend giving yourselves some real protection.

First, you should ensure that you educate yourself and your family about the dangers hackers and social engineers pose, and the techniques they use to get at your stuff. Second, it is really a lot better to store important or sensitive data on local devices if possible. But, if you must store your private data in the cloud, be sure it is well encrypted. Best of all, use some sort of good multi-part authentication technique to protect your stuff from being accessed easily by hackers. By that I mean something like a digital certificate or an RSA hard token – something you have or something you are, not just something you know.

If you do these things, then it’s a good bet your “special moments” won’t end up in your Momma’s inbox!

Thanks to John Davis for this post.