3 Things I Learned Talking to InfoSec People About Crime

Over the last several years, I have given many, many talks about the behavior of criminal rings, how the criminal underground operates and black market economics. I wanted to share with my audiences some of the lessons I have learned about crime. Many people responded well and were interested in the content. Some replied with the predictable, “So what does this have to do with my firewall?” kind of response. One older security auditor even went so far as to ask me point blank “Why do you pay attention to the criminals? Shouldn’t you be working on helping people secure their networks?” I tried to explain that understanding bad actors was a part of securing systems, but she wouldn’t hear of it…

That’s OK. I expected some of that kind of push back. Often, when I ask people what they want to hear about, or where my research should go, the responses I get back fall into two categories: “more of the same stuff” and “make x cheaper”, where x is some security product or tool. Neither is what I had in mind… 🙂 

Recently, I announced that I was taking this year off from most public speaking. I don’t think I will be attending as many events or speaking beyond my podcast and webinars. Mostly, this is to help me recover some of my energy and spend more time focused on new research and new projects at MicroSolved. However, I do want to close out the previous chapter of my focus on Operation Aikido and crime with 3 distinct lessons I think infosec folks should focus on and think about.

1. Real world – i.e., “offline” crime – is something that few infosec professionals pay much attention to. Many of them are unaware of how fraud and black markets work, how criminals launder money/data around the world. They should pay attention to this, because “offline” crime and “online” crime are often strongly correlated and highly related in many cases. Sadly, when approached with this information – much of the response was – “I don’t have time for this, I have 156,926 other things to do right now.”

2. Infosec practitioners still do not understand their foes. There is a complete disconnect between the way most bad guys think and operate and the way many infosec folks think and operate. So much so, that there is often a “reality gap” between them. In a world of so many logs, honeypots, new techniques and data analysis, the problem seems to be getting worse instead of better. Threat intelligence has been reduced to lists of IOCs by most vendors, which makes it seem like knowledge of a web site URL, hash value or IP address is “knowing your enemy”. NOTHING could be farther from the truth….

3. Few infosec practitioners can appreciate a global view of crime and see larger-scale impacts in a meaningful way. Even those infosec practitioners who do get a deeper view of crime seem unable to formulate global-level impacts or nuanced influences. When asked how geo-political changes would impact various forms of crime around the world, more than 93% of those I polled could only identify “increases in crime” as an impact. Only around 7% of those polled could identify specific shifts in the types of crime or criminal actors when asked about changes in the geo-political or economic landscapes. Less than 2% of the respondents could identify or correlate accurate trends in response to a geo-political situation like the conflict in Ukraine. Clearly, most infosec folks are focused heavily ON THEIR OWN STUFF and not on the world and threats around them.

I’m not slamming infosec folks. I love them. I want them to succeed and have devoted more than 20 years of my life to helping them. I will continue to do so. But, before I close my own chapter on this particular research focus, I think it is essential to level set. This is a part of that. I hope the conversation continues. I hope folks learn more and more about bad actors and crime. I hope to see more people doing this research. I hope to dig even deeper into it in the future.

Until then, thanks for reading, stay safe out there, and I will see you soon – even if I won’t be on stage at most events for a while. 😉

PS – Thanks to all of the wonderful audiences I have had the pleasure to present to over the years. I appreciate and love each and every one of you! Thanks for all the applause, questions and, most of all, thanks for being there!

Malware Can Hide in a LOT of Places

This article about research showing how malware could be hidden in Blu-Ray disks should serve as a reminder to us all that a lot of those “smart” and “Internet-enabled” devices we are buying can also be a risk to our information. In the past, malware has used digital picture frames, vendor disks & CDs, USB keys, smart “dongles” and a wide variety of other things that can plug into a computer or network as a transmission medium.

As the so-called Internet of Things (IoT) continues to grow in both substance and hype, more and more of these devices will be prevalent across homes and businesses everywhere. In a recent neighbor visit, I enumerated (with permission) more than 30 different computers, phones, tablets, smart TVs and other miscellaneous devices on their home network. This family of 5 has smart radios, smart TVs and even a Wifi-connected set of toys that their kids play with. That’s a LOT of places for malware to hide…

I hope all of us can take a few minutes and just give that some thought. I am sure few of us really have a plan that includes such objects. Most families are lucky if they have a firewall and AV on all of their systems. Let alone a plan for “smart devices” and other network gook.

How will you handle this? What plans are you making? Ping us on Twitter (@lbhuston or @microsolved) and let us know your thoughts.

Podcast Episode 2 is Now Available

In this episode we sit down with Mark Tomallo, from Panopticon Labs, and RSA’s Kevin Flanagan. We discuss mentoring, online crime, choosing infosec as a career and even dig out some tidbits from Mark about online gaming fraud and some of the criminal underground around the gaming industry. I think this is a very interesting and fun episode, so check it out and let us know what you think on Twitter (@microsolved, or @lbhuston). Thanks for listening! 


Keep Your Hands Off My SSL Traffic

Hey, you, get off my digital lawn and put down my binary flamingos!!!!! 

If you have been living under an online rock these last couple of weeks, then you might have missed all of the news and hype about the threats to your SSL traffic. It seems that some folks, like Lenovo and Comodo, for example, have been caught with their hands in your cookie jar. (or at least your certificate jar, but cookie jars seem like more of a thing…) 

First, we had Superfish, then PrivDog. Now researchers are saying that more and more examples of that same code being used are starting to emerge across a plethora of products and software tools.

That’s a LOT of people, organizations and applications playing with my (and your) SSL traffic. What is an aging infosec curmudgeon to do except take to the Twitters to complain? 🙂

There’s a lot of advice out there, and if you are one of the folks impacted by Superfish and/or PrivDog directly, it is likely a good time to go fix that stuff. It also might be worth keeping an eye on for a while and cleaning up any of the other applications that are starting to be outed for the same bad behaviors.

In the meantime, if you are a privacy or compliance person for a living, feel free to drop us a line on Twitter (@lbhuston, @microsolved) and let us know what your organization is doing about these issues. How is the idea of prevalent man-in-the-middle attacks against your compliance-focused data and applications sitting with your security team? You got this, right? 🙂

As always, thanks for reading, and we look forward to hearing more about your thoughts on the impacts of SSL tampering on Twitter! 

Podcast Episode 1 is Now Available

This episode is about 45 minutes in length and features an interview with Dave Rose (@drose0120) and Helen Patton (@OSUCISOHelen) about ethics in security, women in STEM roles and career advice for young folks considering Infosec as a career. Have feedback? Let me know via Twitter (@lbhuston).

 
As always, thanks for listening and reading stateofsecurity.com!

PS – We decided to restart the episode numbers, move to podbean.com as a hosting company and make the podcast available through iTunes. We felt all of those changes, plus the informal date-based episode titles we were using before, made the change a good idea.

Cyber-Civic Responsibility

More and more we are a folk who expect others to protect us from society’s ills and to take care of our dirty work for us. We have police and courts to protect us from violence and larceny. We take it as certain that someone will pick up our garbage, keep our electricity flowing and make sure that our water is clean. And rightly so! After all, isn’t that why we elect officials? Isn’t that why we pay all those fees and taxes that hit us from every side? Life is so complex now that no one has the mental and emotional resources to think and care about every little thing that affects us. We have to draw the line somewhere just to cope and remain sane.

Unfortunately, most of us have put information security and the unrestricted use of our delightful new cyber-toys on the wrong side of that line. We dismissively expect the ISPs, the software developers, the anti-virus personnel, the government, and who knows all else to keep our information secure for us. And they try their best. The problem is that “they” simply can’t do it. Although computer use seems like old and well established technology to many of us, it is really in its infancy and is expanding explosively in unexpected directions. None of the regulations, devices or software packages designed to secure networked computers really work well or for long. They are always too limited, too weak and too late.

The only thing that really has a chance of working is if we all start taking responsibility for our own share of the problem. We need to change our complacent attitudes and realize that it is our civic duty to become actively involved in this concern. It won’t be easy or pleasant. We will need to keep ourselves well-schooled on the subject. We will need to endure security procedures that make computer use a little less convenient and free. And we will need to keep close tabs on the regulators and manufacturers and demand that effective security becomes an integral part of the system. Remember, our place in the world and even our physical safety depends on it! Isn’t that worth a little of our time and patience?

This post by John Davis.

Young IT Professionals, Cybercrime, Script Kiddies & CyberWarriors, OH MY!

Recently I came across a couple of articles that both centered on the potential roles that young people entering into the IT Security field may face. Some of them, for example, may be lured away from legitimate IT security jobs and into the world of cybercrime. Others may follow the entrepreneurial role and fight cybercrime alongside myself and other professionals.

I suppose such dichotomies have existed in other professions for quite some time. Chemists could enter the commercial or academic world or become underground drug cartel members, à la Breaking Bad. Accountants could build CPA tax practices or help bad guys launder money. Doctors could work in emergency rooms or perform illegal operations to help warlords recover from battle. I suppose it is an age-old balancing act.

I am reminded of Gladwell’s Outliers though, in that we are experiencing a certain time window when IT security skills are valuable to both good and bad efforts, and a war for talent may well be waging just beyond the common boundary of society. Gladwell’s position that someone like Steve Jobs and Bill Gates could only emerge within a specific time line of conditions seems to apply here. Have we seen our IT security Bill Gates yet? Maybe, maybe not….

It is certainly an interesting and pivotal time isn’t it? These articles further solidified my resolve to close a set of podcast interviews that I have been working on. In the next couple of months I will be posting podcast interviews with teams of IT and Infosec leaders to discuss their advice to young people just entering our profession. I hope you will join me for them. More importantly, I hope you will help me by sharing them with young people you know who are considering IT security as a career. Together, maybe we can help keep more of the talent on the non-criminal side. Maybe… I can always hope, can’t I? 🙂

Until next time, thanks for reading, and stay safe out there! If you have questions or insights about advice for young security professionals, hit me up on Twitter (@lbhuston). I’ll add them to the questions for the podcast guests or do some email interviews if there is enough interest from the community.

Benefits of using TigerTrax to Monitor Your Industry

Have you ever wanted to know what is being said in regards to your business or product line on social media? How about getting the scoop on a company prior to your big merger or acquisition? Perhaps you have a need for continual code of conduct monitoring for your business or franchise. These are but a few of the things that we at MicroSolved, Inc can provide for you and your company! MicroSolved has a whole host of proprietary software including TigerTrax, that will give your company an edge over your competition!

With our TigerTrax platform we can help provide you with a competitive advantage by receiving actionable intelligence about your product line from the social media hemisphere. Imagine scouring the entire population of Twitter, which boasts some 645 million registered users with over 115 million active users monthly. That is an enormous market that you can tap into with our help. A market where you can see where you think that your product line may be heading versus what people are actually talking about in regards to your product line. Imagine being able to fine-tune your marketing campaign based on our intelligence gathering ability!

In every business there are times, whether for a short duration or a long term one, where you may want us to provide you with code of conduct information about your employees. Perhaps their contracts clearly state what sort of things they may or may not post on social media and the internet; but also and more importantly you may want to know what everyone else is posting about them. We can help provide you that information. Our TigerTrax platform does in minutes what takes a roomful of employees days or weeks to do and in a very short time you can have actionable information that may be used to help protect your company’s brand!

As you can see TigerTrax is a wonderful tool in your arsenal for providing actionable data that will enable you to adjust your marketing campaign or perform ongoing code of conduct monitoring. We can also perform threat intelligence, assess whether your intellectual property has been leaked online, and of course perform brand intelligence. As you can imagine we are only scratching the surface of what we at MicroSolved, Inc and the TigerTrax platform can do for you. So please if you need any assistance for your company feel free to contact us by sending an email to: info@microsolved.com.

This post by Preston Kershner.

5 Ways My Medical Background Makes Me a Better Intelligence Analyst

When I first started for MicroSolved, Inc. (MSI), I wasn’t sure what to think, but now that I have been here for nearly three months I feel I am starting to get the hang of what it is to be an intelligence analyst. At least a little bit anyhow. Now mind you I am not your typical intelligence analyst, nor am I a new college graduate, but rather I am coming to MSI from the health care industry with over twenty years of work experience in that industry. This was a completely different mindset, with a whole host of new things for me to experience and learn. For me this was totally refreshing and exactly what I wanted and more importantly, needed! There are a few things that I have noticed in my short time here that could be considered pearls of wisdom rather than actual characteristics of a good employee that I feel make me a good intelligence analyst for MSI. Perhaps they are one and the same. At least that is my hope 😉

First, while I am not a seasoned IT professional like so many others that I work with, I am not naive to the fact that there are deadlines and expectations thrust upon all of us. This in my opinion is no different than in being in the hospital setting where people expect you to act quickly and in the best interests of your patient at all times. Couldn’t we say the same is true working for a company like MSI?  In that it is the expectation to be professional, performing your best at all times, and the like? I would like to think that is what I strive for.

After thinking a bit longer perhaps it is that we share a tenacity for getting to the bottom of whatever mystery that we are looking at. Whether it is a series of questions that we may be asking our patients in an effort to try to figure out what ailment they may be suffering from. This is not unlike when we are looking for a key bit of code for an algorithm to help us do our work more efficiently. Regardless, it is this mentality of never giving up! To keep fighting, keep looking, to keep trying. Just keep chipping away at it.

I think the next characteristic would have to be patience. Something that we all have often heard from our grandparents growing up as children. Something that in my mind and in my experience has played a provocative role in both my dealings with patients, their families and with challenging projects in the IT world. Now while as I previously stated in the above paragraph that tenacity plays a role, I also think having a measure of patience does too. There are times in the medical world where even the most experienced physician stands there for a moment and scratches his or her head and says “I don’t know”. Now to a patient that is the last thing that they want to hear, but sometimes we truly have to “wait and see”. Sometimes grandma was right! There have been times while working on projects with MSI, where sitting back even if it’s just a few moments, allowed me to gain a better “bird’s eye view” of a given project and really helped me figure out what it was that I was looking for and ultimately aided the project.

Another area that I think gives me an edge would be that I am willing to go the extra mile and I am not afraid to work hard to attain my goals. It isn’t enough to just punch a clock or be mediocre! I have told this to my children, my patients and my friends. Never give up, always work your butt off for what you want in life! It may take time for what you want to come to fruition, but if you’re willing to put the time, energy and effort into it, then it will come!  It takes sacrifice to get to your goals. Others will recognize your efforts and aid you in your path. That’s what I feel MSI has done and is continuing to do for me!

Lastly, laugh! I have not laughed so hard in any of my previous work experiences as compared to working for MSI these past few months. Don’t get me wrong there were plenty of wonderful times, but here at MSI it is a whole new animal! Yes, we work hard, but I think having a healthy sense of humor and a desire to see others laugh is what really sets MSI apart. If you are down, they help pick you up! So often we spend our work lives with people that aren’t our family for hours on end. Shouldn’t we have some fun while we work? If you are lucky enough you do. Then, by choice those people that aren’t your family start to become them and find a place in your heart. Then, your work doesn’t seem like work anymore. 

Yes it’s true that I am new to the world of information technology as a career choice, but that doesn’t mean that I don’t have some very real life experiences to draw upon. Remember, it is a combination of work ethic, tenacity, patience, a sense of humor and ultimately a willingness to never give up. These are the things that will make you successful, not only in your career path, but in life as well. These are my little pearls of wisdom, just a few tidbits of information to help you get to where you want to be in life. Who knows it might even be right here at MSI.

This post by Preston Kershner.

My Thoughts of Raising Teenagers While Protecting Their Online Privacy

As a parent, who has teenagers, it can be a somewhat complicated and mortifying world when it comes to trying to allow a teenager a small level of personal “freedom” of expression and allowing them to be curious and discover new things while also satisfying the need to protect their online privacy from those who may do them harm. In this blog segment we will discuss some of my thoughts on what we as parents can do to aid our child in this ever evolving world that is the internet.

To start off with I suppose we need to first look at the child’s age and I’m not speaking to their numeric age, but rather to their level of maturity. And so when my wife and I decide what applications (apps) our children may download, it depends heavily on the content of the application, but also to the child’s maturity level. Who would want a scary game or a very provocative application to be seen or played by a minor, especially if it is something that you fundamentally don’t agree with as a parent. Let alone a game or app with overtones of sexuality that is going to be played by your teenager for hours on end. Now I am not saying that they don’t hear it and see it in the world that we live in, I am not naive, but why put it on a silver platter and feed it to them. Those things can wait a bit longer, especially if we are talking the difference between a thirteen year old versus a seventeen year old. True it is only four years, but developmentally and cognitively there are vast differences between them. Particularly in their ability to make intelligent decisions as I am sure many of you would agree!

So let’s start with the basics, remember that you are the parent and a good dose of common sense goes a long way. With that we all need to be able to reach our children and so perhaps you want to be able to track where your child is and more importantly they are where they say they are. Have no fear there are apps for that, but most if not all smartphones have GPS built right in. However, apps like Find My iPhone and Find My Friends can be quite helpful. Perhaps you want to limit the amount of time that a child spends online or limit the sites that they can have access to; there are apps for that too. Apps such as Screentime and DinnerTime Parental Control offer you the ability to not only limit their screen time, but also limit how much they are texting and playing games. All in an effort to help them refocus on working on homework, chores or spending quality time with the family. Some parents may elect to take it a step further and want to track who their child is communicating with, read emails, see all the pictures that are sent, received and perhaps more importantly deleted. Well they can do so with an app called Teensafe. I know this one sounds a bit like big brother, but if your child is being bullied, abused, or dating without your knowledge, some parents want the ability to intervene more quickly. Especially, if the child isn’t as forthcoming as the parent feels they should be.

Next, comes the security of the websites and the apps themselves. I think we as parents have a responsibility to protect our children and that responsibility should include a healthy dose of cynicism. To that end, make sure you go through each setting on an app or website that you load or your child loads onto their device(s). Making sure that you turn on or off the security settings that you feel are appropriate for your child. Let’s say we allow our child to use a social media website or app, we certainly wouldn’t want a thirteen year old exposed to the entire world, when all they want to do is connect with their friends. This would potentially expose them to threats that you may not recognize as a threat until it was too late. So let’s go through those settings and turn off some of those features and lock it down to a level where you as a parent are comfortable with. It may seem like just a simple click of a button, but believe me it is a very important step in ensuring your child’s online safety.

Finally, remember that you may not want to give your child the ability to download or change the settings of their devices, so maybe keeping a log of all of their passwords, perhaps in a password vault such as 1Password, would be in order. You would do this for two reasons. One to make sure that they are using a strong password, and where possible to also turn on two-step verification, but also to make sure that they don’t forget the password that they just created, because a good password should be challenging, otherwise it’s pointless. Please remember you are in charge and ultimately responsible for the safety of your child both at home and online. Secure as much as you can, where you can. So let’s be safe out there!

It should be noted that some of the apps mentioned above are free and some are open source and some are at a cost to the consumer. It is up to you to research these applications and see what best fits your security needs. 

In no way do we endorse the applications that were presented in this article; we are simply stating that they may be an option for you to consider for your device. Your particular security needs for your device are up to you to decide. Be safe out there.

This post by Preston Kershner.