The Mixed Up World of Hola VPN

Have you heard about, or maybe you use, the “free” services of Hola VPN?

This is, of course, a VPN, in that it routes your traffic over a “protected” network, provides some level of privacy to users and can be used to skirt IP address focused restrictions, such as those imposed by streaming media systems and television suppliers. There are a ton of these out there, but Hola is interesting for another reason.

That other reason is that it turns the client machine into “exit nodes” for a paid service offering by the company:

In May 2015, Hola came under criticism from 8chan founder Frederick Brennan after the site was reportedly attacked by exploiting the Hola network, as confirmed by Hola founder Ofer Vilenski. After Brennan emailed the company, Hola modified its FAQ to include a notice that its users are acting as exit nodes for paid users of Hola’s sister service Luminati. “Adios, Hola!”, a website created by nine security researchers and promoted across 8chan, states: “Hola is harmful to the internet as a whole, and to its users in particular. You might know it as a free VPN or “unblocker”, but in reality it operates like a poorly secured botnet – with serious consequences.”[23]

In this case, you may be getting a whole lot more than you bargained for when you grab and use this “free” VPN client. As always, your paranoia should vary and you should carefully monitor any new software or tools you download – since they may not play nice, be what you thought, or be outright malicious. 

I point this whole debacle out, just to remind you, “free” does not always mean without a cost. If you don’t see a product, you are likely THE PRODUCT… Just something to keep in mind as you wander the web… 

Until next time, stay safe out there!

Artificial Intelligence – Let’s Let Our Computers Guard Our Privacy For Us!

More and more computer devices are designed to act like they are people, not machines. We as consumers demand this of them. We don’t want to have to read and type; we want our computers to talk to us and we want to talk to them. On top of that, we don’t want to have to instruct our computers in every little detail; we want them to anticipate our needs for us. Although this part doesn’t really exist yet, we would pay through the nose to have it. That’s the real driver behind the push to achieve artificial intelligence. 

Think for a minute about the effect AI will have on information security and privacy. One of the reasons that computer systems are so insecure now is because nobody wants to put in the time and drudgery to fully monitor their systems. But an AI could not only monitor every miniscule input and output, it could do it 24 X 7 X 365 without getting tired. Once it detected something it could act to correct the problem itself. Not only that, a true intelligence would be able monitor trends and conditions and anticipate problems before they even had a chance to occur. Indeed, once computers have fully matured they should be able to guard themselves more completely than we ever could.

And besides privacy, think of the drudgery and consternation an AI could save you. In a future world created by a great science fiction author, Charles Sheffield, everyone had a number of “facs” protecting their time and privacy. A “facs” is a facsimile of you produced by your AI. These facs would answer the phone for you, sort your messages, schedule your appointments and perform a thousand and one other tasks that use up your time and try your patience. When they run across situations that they can’t handle, they simply bring you into the loop to make the decisions. Makes me wish this world was real and already with us. Hurry up AI! We really need you!

Should MAD Make its Way Into the National Cyber-Security Strategy?

Arguably, Mutually Assured Destruction (MAD) has kept us safe from nuclear holocaust for more than half a century. Although we have been on the brink of nuclear war more than once and the Doomsday clock currently has us at three minutes ‘til midnight, nobody ever seems ready to actually push the button – and there have been some shaky fingers indeed on those buttons! 

Today, the Sword of Damocles hanging over our heads isn’t just the threat of nuclear annihilation; now we have to include the very real threat of cyber Armageddon. Imagine hundreds of coordinated cyber-attackers using dozens of zero-day exploits and other attack mechanisms all at once. The consequences could be staggering! GPS systems failing, power outages popping up, banking software failing, ICS systems going haywire, distributed denial of service attacks on hundreds of web sites, contradictory commands everywhere, bogus information popping up and web-based communications failures could be just a handful of the likely consequences. The populous would be hysterical! 

So, keeping these factors in mind, shouldn’t we be working diligently on developing a cyber-MAD capability to protect ourselves from this very real threat vector? It has a proven track record and we already have decades of experience in running, controlling and protecting such a system. That would ease the public’s very justifiable fear of creating a Frankenstein that may be misused to destroy ourselves.

Plus think of the security implications of developing cyber-MAD. So far in America there are no national cyber-security laws, and the current security mechanisms used in the country are varied and less than effective at best. Creating cyber-war capabilities would teach us lessons we can learn no other way. To the extent we become the masters of subverting and destroying cyber-systems, we would reciprocally become the masters of protecting them. When it comes right down to it, I guess I truly believe in the old adage “the best defense is a good offense”.

Thanks to John Davis for this post.

14 Talks I Would Like to Attend This Summer

Here is just a quick list, off the top of my head, of some of the topics I would like to see someone do talks about at security events this summer. If you are in need of a research topic, or something to dig into for a deep dive, give one of these a try. Who knows, maybe you will see me in the audience. If so, then feel free to sit down for a cup of coffee and a chat! 

Here’s the list, in no particular order:

  1. machine learning,  analytics in infosec
  2. detection capabilities with nuance visibility at scale
  3. decision support from security analytics & automated systems based on situational awareness
  4. rational controls and how to apply them to different industries
  5. crowdsourcing of policies and processes – wiki-based approaches
  6. internal knowledge management for security teams
  7. tools for incident response beyond the basics
  8. tools and processes for business continuity after a breach – show us your guide to “Ouchies!”
  9. attacker research that is actually meaningful and that does NOT revolve around IOCs
  10. skills and capability mapping techniques for security teams and their management
  11. new mechanisms for log management and aggregation beyond Splunk & SEIM – how would the death star handle logs?
  12. near-real time detection at a meaningful level – even better if admins can make decisions and take actions from their iPhone/iWatch, 😛
  13. extrusion/exfiltration testing capabilities & metrics-focused assessment approaches for testing exfil robustness
  14. network mapping and asset discovery techniques and tools – how would the death star map their IT networks? 🙂
Give me a shout on Twitter if you want to explore these together – @lbhuston.

Three Things That Need Spring Cleaning in InfoSec

Spring is here in the US, and that brings with it the need to do some spring cleaning. So, here are some ideas of some things I would like to see the infosec community clean out with the fresh spring air!

1. The white male majority in infosec. Yes, I am a white male, also middle aged…. But, seriously, infosec needs more brains with differing views and perspectives. We need a mix of conservative, liberal and radical thought. We need different nationalities and cultures. We need both sexes in equity. We need balance and a more organic talent pool to draw from. Let’s get more people involved, and open our hearts and minds to alternatives. We will benefit from the new approaches!

2. The echo chamber. It needs some fresh air. There are a lot of dropped ideas and poor choices laying around in there, so let’s sweep that out and start again. I believe echo chamber effects are unavoidable in small focused groups, but honestly, can’t we set aside our self-referential shouting, inside jokes, rock star egos and hubris for just one day? Can’t we open a window and sweep some of the aged and now decomposing junk outside. Then, maybe, we can start again with some fresh ideas and return to loving/hating each other in the same breath. As a stop gap, I am nominating May 1, a Friday this year, as Global Infosec Folks Talk to Someone You Don’t Already Know Day (GIFTTSYDAKD). On this day, ignore your peers in the echo chamber on social media and actually go out and talk to some non-security people who don’t have any idea what you do for a living. Take them to lunch. Discuss their lives, what they do when they aren’t working, how security and technology impacts their day to day. Just for one day, drop out of the echo chamber, celebrate GIFTTSYDAKD, and see what happens. If you don’t like it, the echo chamber can come back online with a little fresh air on May 2 at 12:01 AM EST. How’s that? Deal? 🙂

3. The focus on compliance over threats. Everyone knows in their hearts that this is wrong. It just feels good. We all want a gold star, a good report card or a measuring stick to say when we got to the goal. The problem is, crime is an organic thing. Organic, natural things don’t really follow policy, don’t stick to the script and don’t usually care about your gold star. Compliant organizations get pwned  – A LOT (read the news). Let’s spring clean the idea of compliance. Let’s get back to the rational idea that compliance is the starting point. It is the level of mutually assured minimal controls, then you have to build on top of it, holistically and completely custom to your environment. You have to tune, tweak, experiment, fail, succeed, re-vamp and continually invest in your security posture. FOREVER. There is no “end game”. There is no “Done!”. The next “bad thing” that visits the world will be either entirely new, or a new variant, and it will be capable of subverting some subset or an entire set of controls. That means new controls. Lather, rinse, repeat… That’s how life works.. To think otherwise is irrational and likely dangerous.

That’s it. That’s my spring cleaning list for infosec. What do you want to see changed around the infosec world? Drop me a line on Twitter (@lbhuston) and let me know your thoughts. Thanks for reading, and I hope you have a safe, joyous and completely empowered Spring season!

3 Things I Learned Talking to InfoSec People About Crime

Over the last several years, I have given many many talks about the behavior of criminal rings, how the criminal underground operates and black market economics. I wanted to share with my audiences some of the lessons I have learned about crime. Many people responded well and were interested in the content. Some replied with the predictable, “So what does this have to do with my firewall?” kind of response. One older security auditor even went so far as to ask me point blank “Why do you pay attention to the criminals? Shouldn’t you be working on helping people secure their networks?”  I tried to explain that understanding bad actors was a part of securing systems, but she wouldn’t hear of it…

That’s OK. I expected some of that kind of push back. Often, when I ask people what they want to hear about, or where my research should go, the responses I get back fall into two categories: “more of the same stuff” and “make x cheaper”, where x is some security product or tool. Neither is what I had in mind… 🙂 

Recently, I announced that I was taking this year off from most public speaking. I don’t think I will be attending as many events or speaking beyond my podcast and webinars. Mostly, this is to help me recover some of my energy and spend more time focused on new research and new projects at MicroSolved. However, I do want to close out the previous chapter of my focus on Operation Aikido and crime with 3 distinct lessons I think infosec folks should focus on and think about.

1. Real world – i.e.” “offline” crime – is something that few infosec professionals pay much attention to. Many of them are unaware of how fraud and black markets work, how criminals launder money/data around the world. They should pay attention to this, because “offline” crime and “online” crime are often strongly correlated and highly related in many cases. Sadly, when approached with this information – much of the response was – “I don’t have time for this, I have 156,926 other things to do right now.”

2. Infosec practitioners still do not understand their foes. There is a complete disconnect between the way most bad guys think and operate and the way many infosec folks think and operate. So much so, that there is often a “reality gap” between them. In a world of so many logs, honeypots, new techniques and data analysis, the problem seems to be getting worse instead of better. Threat intelligence has been reduced to lists of IOCs by most vendors, which makes it seem like knowledge of a web site URL, hash value or IP address is “knowing your enemy”. NOTHING could be farther from the truth….

3. Few infosec practitioners can appreciate a global view of crime and see larger-scale impacts in a meaningful way. Even those infosec practitioners who do get a deeper view of crime seem unable to formulate global-level impacts or nuance influences. When asked how geo-political changes would impact various forms of crime around the world, more than 93% of those I polled could only identify “increases in crime” as an impact. Only around 7% of those polled could identify specific shifts in the types of crime or criminal actors when asked about changes in the geo-political or economic landscapes. Less than 2% of the respondents could identify or correlate accurate trends in response to a geo-political situation like the conflict in Ukraine. Clearly, most infosec folks are focused heavily ON THIER OWN STUFF and not on the world and threats around them.

I’m not slamming infosec folks. I love them. I want them to succeed and have devoted more than 20 years of my life to helping them. I will continue to do so. But, before I close my own chapter on this particular research focus, I think it is essential to level set. This is a part of that. I hope the conversation continues. I hope folks learn more and more about bad actors and crime. I hope to see more people doing this research. I hope to dig even deeper into it in the future.

Until then, thanks for reading, stay safe out there, and I will see you soon – even if I won’t be on stage at most events for a while. 😉

PS _ Thanks to all of the wonderful audiences I have had the pleasure to present to over the years. I appreciate and love each and every one of you! Thanks for all the applause, questions and, most of all, thanks for being there!  

Malware Can Hide in a LOT of Places

This article about research showing how malware could be hidden in Blu-Ray disks should serve as a reminder to us all that a lot of those “smart” and “Internet-enabled” devices we are buying can also be a risk to our information. In the past, malware has used digital picture frames, vendor disks & CD’s, USB keys, smart “dongles” and a wide variety of other things that can plug into a computer or network as a transmission medium.

As the so called, Internet of Things (IoT), continues to grow in both substance and hype, more and more of these devices will be prevalent across homes and businesses everywhere. In a recent neighbor visit, I enumerated (with permission), more than 30 different computers, phones, tablets, smart TV’s and other miscellaneous devices on their home network. This family of 5 has smart radios, smart TVs and even a Wifi-connected set of toys that their kids play with. That’s a LOT of places for malware to hide…

I hope all of us can take a few minutes and just give that some thought. I am sure few of us really have a plan that includes such objects. Most families are lucky if they have a firewall and AV on all of their systems. Let alone a plan for “smart devices” and other network gook.

How will you handle this? What plans are you making? Ping us on Twitter (@lbhuston or @microsolved) and let us know your thoughts.

Podcast Episode 2 is Now Available

In this episode we sit down with Mark Tomallo, from Panopticon Labs, and RSA’s Kevin Flanagan. We discuss mentoring, online crime, choosing infosec as a career and even dig out some tidbits from Mark about online gaming fraud and some of the criminal underground around the gaming industry. I think this is a very interesting and fun episode, so check it out and let us know what you think on Twitter (@microsolved, or @lbhuston). Thanks for listening! 

Listen Here:

Keep Your Hands Off My SSL Traffic

Hey, you, get off my digital lawn and put down my binary flamingos!!!!! 

If you have been living under an online rock these last couple of weeks, then you might have missed all of the news and hype about the threats to your SSL traffic. It seems that some folks, like Lenovo and Comodo, for example, have been caught with their hands in your cookie jar. (or at least your certificate jar, but cookie jars seem like more of a thing…) 

First, we had Superfish, then PrivDog. Now researchers are saying that more and more examples of that same code being used are starting to emerge across a plethora of products and software tools.

That’s a LOT of people, organizations and applications playing with my (and your) SSL traffic. What is an aging infosec curmudgeon to do except take to the Twitters to complain? 🙂

There’s a lot of advice out there, and if you are one of the folks impacted by Superfish and/or PrivDog directly, it is likely a good time to go fix that stuff. It also might be worth keeping an eye on for a while and cleaning up any of the other applications that are starting to be outed for the same bad behaviors.

In the meantime, if you are a privacy or compliance person for a living, feel free to drop us a line on Twitter (@lbhuston, @microsolved) and let us know what your organization is doing about these issues. How is the idea of prevalent man-in-the-middle attacks against your compliance-focused data and applications sitting with your security team? You got this, right? 🙂

As always, thanks for reading, and we look forward to hearing more about your thoughts on the impacts of SSL tampering on Twitter! 

Podcast Episode 1 is Now Available

This episode is about 45 minutes in length and features an interview with Dave Rose (@drose0120) and Helen Patton (@OSUCISOHelen) about ethics in security, women in STEM roles and career advice for young folks considering Infosec as a career. Have feedback, let me know via Twitter (@lbhuston).

 
As always, thanks for listening and reading stateofsecurity.com!
 
Listen here: 
 
PS – We decided to restart the episode numbers, move to pod bean.com as a hosting company and make the podcast available through iTunes. We felt all of those changes, plus the informal date-based episode titles we were using before made the change a good idea.