Tag Archive | Security Incidents

Learning From Boston

The bombs that killed three people and wounded nearly 200 yesterday are a stark reminder that the odds are stacked against us when it comes to fighting crime.

While it appears that the response of the FBI, DHS, Boston Police Department, EMS and others was reasonably coordinated and effective, these situations inevitably raise recurring questions.

  • Were we prepared?
  • Who did this?
  • Why did this happen?
  • Could this have been prevented?

As the world puts its cities on high alert, many people revisit other dramatic and horrific crises, reminded that it wasn’t long ago that we were in a situation just like this.

Governments, embassies, corporations and other entities have spent much time, money and energy in the hours since the Boston bombings reviewing (maybe panicking) and fortifying their protections.

And while this latest horror has caused all of us to ask these questions of ourselves, there is truly only one question that matters.

  • Is what we’re doing to protect ourselves really worth it?

At a time like this, when lives have been lost, Presidents are holding press conferences and emotions are high, this question seems callous.

This is not to suggest that we shouldn’t be putting protections in place – far from it. In fact, I’d argue that all too often we as human beings would rather “take our chances” than protect ourselves proactively. It’s exactly why we see businesses getting owned by hackers every day.

But oftentimes we see the knee-jerk reactions caused by these events distracting us from the real objective. If we had just stayed the course and done a decent job of understanding our risks all along we may not have been so vulnerable in the first place.

So we mourn our losses. These tragedies seem unavoidable, and perhaps they are.

But if we don’t learn from our mistakes it is all for nothing.


Doomsday Preppers – What’s Your Score?

Doomsday Preppers, National Geographic Channel’s new hit series – is awesome.

The show follows various survivalists through their daily lives as they prepare for the end of civilization as we know it, whether it be from massive economic collapse, nuclear war, the melting of the polar ice caps or the failure of the power grid.

Each prepper, and sometimes their families, friends and neighbors, has undertaken serious precautions, from stockpiling months of non-perishable food and water, to training in self-defense, to building bunkers in the desert. All based on their belief that at some point – in their lifetime – they will need it.

They are then scored by survival experts in five categories of survival: water, food, shelter, security and an x-factor.

Some score quite well. Others? No.

Most people find it entertaining due to the uniquely odd and dysfunctional nature of the preppers themselves.

I recall one episode specifically where one prepper had stockpiled nearly 50,000 rounds of ammunition, built a sniper nest in a tower, and then proceeded to have his ear blown off because his companion had no experience with firearms and because he wasn’t wearing appropriate ear protection.

Sometimes it’s the little things.

But I find it entertaining for different reasons.

First, if you ask the experts that are closest to these scenarios – financial collapse, cyberterrorism, chemical and nuclear weapons – they’ll tell you that the likelihood of them making a significant impact on our lives is higher than most think.

The joke’s on us.

Second, human beings aren’t very good at identifying the real threats in any situation.

In the event that water, food and shelter become scarce due to some epic disaster, the threat isn’t going to be the flood waters, chemical agents or viruses. The real threat will be your neighbor.

People are always the biggest threat.

Hurricane Sandy was a massive storm, but one could argue that the worst damage was fairly localized. If you lived on the Jersey coast, lower Manhattan or Long Island, things were very bad, but outside of those areas you may have only gotten a little rain.

Yet inside of two weeks people were pulling guns and knives on each other, just to get in line for gas. What would it have been like if the damage was more widespread and the shortage sustained?

We saw the same behavior during Katrina. People were killed for food and guns. Society started breaking down. Quickly.

By nature we are all survivalists. It’s why we have a massive brain and opposable thumbs. The human race has endured for thousands of years because this is how we’re programmed. In many ways, we’re all Doomsday Preppers.

What’s your score?

The Walking Dead

It seems that everybody loves a good zombie apocalypse.

The Walking Dead has become the highest rated cable series ever. And for good reason. The thought of free gas, unlimited travel and zombie target shooting is appealing to many.

And regardless of how you feel about Rick and company’s impending doom, there is one thing that is pretty clear – they weren’t exactly prepared.

That being said, they haven’t exactly screwed everything up, either.

Let’s take a critical look at the team’s security strengths and weaknesses, zombie-style:

Strengths:

  1. Leadership – Although at times challenged by Shane, Merle, his wife, zombies and the occasional deer, Rick quickly established himself as the Incident Response Lead, and a reasonably effective one. Never mind that he had to kill his best friend to get there.
  2. Escape and Evasion – You can’t argue with success. Even the elderly, ladies and children have made it through hordes of feasting undead. And zombie meatsuits? Brilliant.
  3. Conservation – I’ve never seen a group of newbies shoot with such deadly accuracy. Ammo may be free in the post-zombie-apocalyptic world, but why take two shots if you can get the job done in one? High ratings here.

Weaknesses:

  1. Tactics – How many times is Rick going to wander off by himself in the middle of the night in a heavily zombie-occupied zone searching for someone who likely died two episodes ago? Isn’t this guy a trained Sheriff?
  2. Communication – Seriously, Rick, next time you’re in town grab a walkie-talkie or something. Or a flare. Anything. Must you all wander about wondering what everyone else is up to?
  3. Planning – Oh, and while you’re at it, grab a pencil. And WRITE SOMETHING DOWN. Like where the exit is. Or where you found the beans last time. Or maybe come up with a plan. Like what you’re going to do for the next 40 years.

I have to admit I’m a huge fan of the show, and I have been since it debuted in 2010. I’d be lying if I wasn’t a little jealous – living out a zombie-apocalypse is sort of a fantasy of mine. I often wonder how I would fare. Baked beans and all.

The real lesson here is that we can’t exactly plan for everything. Preparation is important, but adaptation is critical. The ability to survive – in business or otherwise – depends on our ability to recognize our threats, weaknesses and the most effective ways to counteract them.

Bullets and beans don’t equal survival. You need people who know how to use them. And a plan.

One way or another, we’re all going to end up a Rick or a zombie.

The choice is yours.

Security is “No Easy Day”

The recently published book containing the details of the raid on and killing of Osama bin Laden has caused a firestorm in military and security circles.

In “No Easy Day”, Mark Owen (a pseudonym, his real name is Matt Bissonnette) provides a first-hand account of the planning and execution of the operation to kill the world’s most wanted terrorist.

The ex-Navy Seal gives a blow-by-blow in what is described as a vivid, and sometimes gruesome documentary.

The Pentagon claims that it contains “sensitive and classified” material. You may argue that the very honor, ethics and cultural values of America’s elite fighting force have also been compromised.

But this debate goes beyond disclosure of classified information, which is a crime.

These types of disclosures have very real parallels in information security, as well.

Some security experts argue that disclosure of security operations, particularly during data breaches and other incidents, is critical to the successful handling and prevention of future incidents.

The concept is that the more that is published about how particular vulnerabilities were exploited, the better prepared other organizations can be to defend against them.

Others claim that the disclosure of data breaches and their related vulnerabilities only invites copycats. After all, how many organizations will take action on advice, once given?

Still another argument suggests that disclosures weaken the defenders themselves rather than the vulnerabilities: the more an attacker knows about our Tactics, Techniques and Procedures (TTPs), the better they can work around them.

Sharing information is critical, whether it’s done at the department, industry or nation level. The question then becomes, how can we share intelligence without compromising our own mission?

The concept of Operational Security (OPSEC) has existed for millennia. During times of war, mission plans are the most sought after of all artifacts.

During times of peace, they are surpassed only by the plans for war.

Many argue that Mark Owen has now put the lives of many Navy Seals in jeopardy. At a minimum it’s going to make their jobs a little harder for a while.

And if nothing else, it has brought visibility to the importance of Operational Security.

Irrespective of which side of the fence you sit, you need to know where the fence is. And you can be pretty damn sure that there’s somebody on the other side.

Now we know that they’ve got 23 other guys, dropped out of a stealth chopper and are carrying M4s.

More Tales From the (Unen)Crypt

You just can’t make this stuff up.

Last week I received the following text message from an unknown number: “I received check. Thank you. Alice”.

A quick bit of research revealed that the number came from a woman (OK, I made some assumptions on the “Alice” part) who owns a flower shop in a small town in Florida.

They offer a full line of floral favorites, houseplants and perennials, and they also accept Visa, MasterCard and PayPal. The web site doesn’t say anything about accepting personal checks but apparently they’re cool with that, too.

I sat on the text for over an hour, as various scenarios piled up in my mind. I couldn’t help but wonder how security-conscious Alice was. Now that she had opened the door, I wanted to walk through and see what was on the other side.

My curiosity was piqued. Was Alice from Wonderland, carrying a big, nasty broom, and sweeping out all that would dare trespass on PII? Or was she just another careless merchant exposing helpless customers’ personal data?

I couldn’t help myself.

Hi Alice. I don’t remember which acct I used can you resend the routing and acct number.

We would soon find out.

As with any disaster, you prepare for the worst and hope for the best. We all want to believe in human beings’ natural sense of good, to protect our own and to want the best for others. We are the only species on the planet that has been gifted with morality, a true sense of right and wrong. We are truly blessed.

Over two hours had passed and I felt strong. In a world where security breaches, fraud and cybercrime were the norm, Alice was a beacon of hope. A shining example of what was right in this sordid world where so much has gone wrong. Alice, a frail, aging shopkeeper would show us what fortitude, diligence and a sense of righteousness truly means. If Alice could do it, anyo (bzzzzzt)…

021000322 XXXXXXXXXXXX XXXX

Don’t buy flowers in Florida.

Indian Food, Spartacus and Credit Card Fraud

Friday night was date night.

After five weeks of client meetings, traveling and conferences without a single day off, I was looking forward to a relaxing evening with my girlfriend enjoying some Indian food and downtime. We had been looking forward to fully exercising a $25 Groupon on a table-full of exotic curries and then catching up on one of our favorite new series.

The meal did not disappoint. We left properly stuffed and excited for the rest of the evening’s activities – three episodes of Spartacus.

As we walked home we noted how beautiful the evening had become. We made it to the block where I live when my girlfriend noticed something interesting on the ground. We stopped to take a closer look.

It was the customer copy of a credit card receipt.

Upon closer inspection we discovered that this was no ordinary receipt. In addition to the full credit card number, it had the CVV, expiration date, zip code, phone number, full name and customer signature.

And amazingly the retailer managed to write down the customer’s CVV and expiration date but not the total. You can’t make this stuff up.

Here it is, blurred for confidentiality.

As you can see it contains everything necessary to commit identity theft and card fraud, with the possible exception of one piece of data – the customer’s billing address. So I did what any self-respecting security professional would do – I called and asked for it.

The conversation went something like this:

“Daniel [name changed to protect the guilty] I live in [city deleted] and I found a credit card slip with your name on it. I’m really scared that someone will use it to steal your identity, if you give me your address I’ll send it to you.”

Of course, Daniel assumed that because I already had his name and number and that I appeared to be a good Samaritan, that I was worthy of his home address. This is exactly how card fraud is taking place at restaurants, retail stores and hotels across the country.

This is not just Daniel’s problem. Merchants are instructed not to write additional information on receipts for this very reason: the card brands’ PCI DSS rules forbid retaining the CVV at all once a transaction has been authorized and require the card number to be truncated on the customer copy, and handwriting both on the slip defeats those controls entirely. The merchant where Daniel used his card is a prominent and highly regarded institution in the Capital Region. Just like the Desmond.
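What a customer copy is allowed to carry, and how to find full card numbers that have already leaked into free text, as an added example in Python; this is not code from the original post or from any merchant, and the authorization record and receipt text below are constructed (the card numbers are the standard Visa and Mastercard test numbers). The masking follows the PCI DSS display rule (no more than the last four digits on a customer copy), and the scanner uses the Luhn check, which every real card number passes and most random digit runs fail.

```python
import re

def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check. Every real card number passes it, so it separates
    card numbers from phone numbers, ZIP codes and most other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Truncate a card number to its last four digits, the most a customer
    copy should show (PCI DSS permits at most first six / last four when a
    PAN is displayed at all)."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("not a plausible card number")
    return "*" * (len(digits) - 4) + digits[-4:]

def customer_receipt(auth: dict) -> dict:
    """Build the customer copy from an authorization record. Only the listed
    fields are copied: the CVV may never be retained after authorization,
    and the expiry date has no business on a slip a customer can drop."""
    return {
        "merchant": auth["merchant"],
        "pan": mask_pan(auth["pan"]),
        "amount": "{:.2f}".format(auth["amount_cents"] / 100),
        "auth_code": auth["auth_code"],
    }

# 13 to 19 digits, optionally separated by spaces or dashes, and not embedded
# in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def find_pans(text: str) -> list:
    """Return the Luhn-valid card numbers (digits only) found in free text,
    e.g. when scanning stored receipts, tickets or chat logs for leaked PANs."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found

# Constructed sample data: the card numbers are public test numbers and every
# other value is invented.
SAMPLE_AUTH = {
    "merchant": "Example Bistro",
    "pan": "5555 5555 5555 4444",
    "amount_cents": 4275,
    "auth_code": "A1B2C3",
    "cvv": "123",      # present at authorization time, never written out
    "expiry": "03/14",
}

SAMPLE_RECEIPT_TEXT = (
    "Example Bistro  CUSTOMER COPY\n"
    "Card 4111 1111 1111 1111  Exp 03/14  CVV 123\n"
    "Daniel Example  518-555-0123  ZIP 12207\n"
)

if __name__ == "__main__":
    print(customer_receipt(SAMPLE_AUTH))
    print(find_pans(SAMPLE_RECEIPT_TEXT))
```

The scanner is deliberately loose on formatting (spaces or dashes between digit groups) and strict on validity (Luhn), which keeps the phone number and ZIP code on the constructed slip out of the results while still catching the card number.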

This week I plan to send Daniel his receipt, along with a note to be more careful. Not just with his credit card and receipts, but with the information that he gives out over the phone. I was a good Samaritan, but the next person may not be.

I may also give the merchant a call and offer free advice on avoiding public relations nightmares.

And then I’ll just sit back and wait for the good karma to roll in.

Force Multipliers and Why You Need Your Own Seal Team 6

The United States Military has spent a lot of time and money developing its Special Operations forces. These elite teams of security operatives are highly trained to shoot, move and communicate under duress, with little or no advance notice of their impending scenario. Most missions involve dynamic entry, assessment and neutralization of threats, all while achieving a primary objective.

Seal Team 6 is the most famous of all the Special Operations teams. These are the operatives that led the capture and termination of Osama bin Laden, the maritime rescue of the American captain of the Maersk Alabama and the recent rescue of two foreign aid workers held hostage in Somalia. The best of the best has handled the worst of the worst.

Imagine what you could get done if you had your own Seal Team 6.

Think it sounds crazy?

On the surface, this legendary team appears to have accomplished near-mythical tasks. Once you start to break their missions and objectives down into their most basic milestones, actions and counteractions, however, their methods become much simpler.

Like Seal Team 6, cybersecurity has become a household word and responding to security incidents has become a common occurrence. Intellectual property, sensitive data and bank accounts have never been more at risk, and detecting, containing and correcting security incidents requires planning, practice and grace under pressure. Once developed, your Computer Incident Response Team (CIRT), Special Operations Team (SOT) or whatever you call it (just don’t call it Seal Team 7, that’s taken) will give your organization a “force multiplier”.

Force multipliers are assets that give your organization a strategic advantage and increase the effectiveness and efficiency of overall operations. These assets, or teams multiply the force of your organization because they carry out tasks that would normally require much greater resources to accomplish. This is possible due to the highly trained and focused nature of the team.

And yes, you can have your own.

Here’s what you need:

  1. Find the right operatives – Incident responders are born, not made. This isn’t completely true, but it takes a certain mindset and attitude to gain situational awareness, remain calm and lead when an organization is under attack. These skills are tough to teach. You probably already know who your operatives are. If you don’t, stop here and look for a qualified security provider that already delivers Incident Response services.
  2. Select the right weapons – A good shooter can make a bad gun shoot well. You don’t need the most expensive security tools, but you do need to make what you’ve got work effectively. If you’re about to embark on a digital forensics mission, you better have the right tool in your bag. And carry a backup. Your tools should meet their requirements and work consistently.
  3. Train, train, train – Training is the most important of all, and it should incorporate the following:
    1. The basics – Every Navy Seal is required to qualify with a rifle every year, regardless of his or her rank. It’s part of being a Seal. The ability to shoot, move and communicate makes our Military the greatest on Earth. Your CIRT resources should understand the basics of threat modeling, analysis, communication and tool manipulation. No exceptions.
    2. Scenario drills – Your training should incorporate regular attack and counterattack simulations – these should be as real as possible. Good penetration testing is critical, but tabletop exercises and other drills are important parts of the program. Training should incorporate “unplanned” scenarios, performance assessments and any analysis that will help the team perform during a real situation.
    3. Bugout – Training should include handling worst-case scenarios, or what the Military calls SHTF. When things really get sideways, you need to know what to do, when to do it and who’s going to do it. Crisis Management should integrate with your Incident Response Plan.

Regardless of what industry you’re in or what size your company is, at some point you will become a statistic (if you haven’t already). A Special Operations team specifically trained and ready to handle incidents could mean the difference between an achieved objective and a botched mission.

You may not be hunting terrorists or saving foreign diplomats, but your CEO might just give you a Medal of Honor.

What I Would Do if I Was Zappos

The Zappos hack this week made national headlines for a number of a reasons.

First, Zappos, a subsidiary of Amazon.com is a major brand recognized as a leading online footwear retailer. You don’t need to be female to know that Zappos sells just about every make and model of sandal, Skecher and pump known to man. And woman. And if you’re a woman there’s at least some chance that Zappos is your browser home page. I’ve seen it happen.

Second, the scale of the breach was massive: e-mail addresses, billing information, names and partial credit card numbers for an estimated 24 million individuals, making it one of the largest data breaches in recent history. The value of this data on the black market, using today’s cybercrime figures, is in the tens of millions of dollars.

But in many ways the Zappos databreach isn’t unlike the countless other incidents we’ve witnessed lately. Which makes me wonder if we’re operationalizing information security this year any differently than we did last year. Or the year before that.

Of course history makes a great teacher, and this holds true for security, as well. And while they’re still grinding through the logs and other forensic evidence of this attack, there are some clear lessons to be learned here.

This is what I would do if I were Zappos:

  1. I would learn to be better at Public Relations – Because they expected a deluge of phone calls related to the hacking, Zappos said that they were temporarily turning off their phones, instead responding to inquiries by e-mail. “If 5% of our customers call, that would be over 1 million phone calls, most of which would not even make it into our phone system in the first place,” the company’s e-mail to employees said. Now I’m no PR expert, but if I just pissed off 24 million of my customers by exposing them to identity theft, disabling their preferred mode of communication might not sound like a bright idea. Perhaps they missed the beating that RSA and Sony took for their PR gaffes.
  2. I would learn to be better at helping my customers during a crisis – Have you ever tried getting your organization of 150 people to change their password? Exactly. Now multiply that by 160,000. It’s the equivalent of sucking an Olympic size swimming pool through a McDonald’s straw. In this day and age, there should be a way to programmatically reset customer passwords, provide them a means for securely accessing the new password, or simply leave the account disabled until such time as the customer wants to use it again. I’m betting that a significant percentage of those 24 million accounts are inactive in the first place.
  3. I would learn to better protect sensitive information – Zappos was warned daily – possibly more frequently – by The NY Times, The Washington Post, the GreyCastle Security blog and other global media outlets that they were going to be hacked, but they proceeded to store names, billing addresses, e-mail addresses and partial credit card numbers together, in one database, potentially on one server, packaged neatly for the next disgruntled employee, hacker and other miscreant. I’m guessing that Zappos didn’t have the budget, the time or the resources to secure this information appropriately. It wasn’t a priority. Until it was too late.
  4. I would learn to be a security evangelist – Now that I’ve been owned by hacker(s) unknown, exposed my customers to incalculable risk and started racking up unnecessary Incident Response bills, I would help other companies avoid what just happened to me. “We’ve spent over 12 years building our reputation, brand, and trust with our customers. It’s painful to see us take so many steps back due to a single incident,” the company’s CEO said. The biggest problem in our industry is not a technical one, it’s a psychological one. As long as Company XYZ believes that they have nothing worth protecting, and that this can’t happen to them, we’ll continue to experience these issues.
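One way to do the programmatic reset described in point 2, as an added Python example that is not Zappos’ code and not part of the original post. It assumes an in-memory account table standing in for the production user store, PBKDF2-HMAC-SHA256 for password hashing, a 24-hour lifetime for reset tokens, and that the caller delivers each token out of band (e-mail); all account data below is constructed.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 24 * 3600   # assumption: one day to use a reset link
PBKDF2_ROUNDS = 100_000         # assumption: tune to your hardware

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest

def _token_key(token: str) -> bytes:
    # Only a hash of the token is stored, so a stolen copy of the token table
    # is useless to an attacker, which matters when you are already breached.
    return hashlib.sha256(token.encode("utf-8")).digest()

class AccountStore:
    def __init__(self) -> None:
        self.users: Dict[str, dict] = {}               # email -> account record
        self.tokens: Dict[bytes, Tuple[str, int]] = {}  # sha256(token) -> (email, expiry)

    def add_user(self, email: str, password: str, last_login: int) -> None:
        salt, digest = hash_password(password)
        self.users[email] = {"salt": salt, "pw_hash": digest,
                             "locked": False, "last_login": last_login}

    def login(self, email: str, password: str) -> bool:
        u = self.users.get(email)
        if u is None or u["locked"] or u["pw_hash"] is None:
            return False
        _, digest = hash_password(password, u["salt"])
        return hmac.compare_digest(digest, u["pw_hash"])

    def issue_token(self, email: str, now: int) -> str:
        token = secrets.token_urlsafe(32)
        self.tokens[_token_key(token)] = (email, now + TOKEN_TTL_SECONDS)
        return token

    def breach_lockdown(self, now: int, inactive_after: int) -> Dict[str, str]:
        """Invalidate every stored hash in one pass. Accounts used within
        `inactive_after` seconds get a reset token for out-of-band delivery;
        dormant accounts are simply locked until the owner comes back and
        asks for a reset, so nobody has to phone in."""
        issued = {}
        for email, u in self.users.items():
            u["pw_hash"] = None
            if now - u["last_login"] <= inactive_after:
                issued[email] = self.issue_token(email, now)
            else:
                u["locked"] = True
        return issued

    def redeem_token(self, token: str, new_password: str, now: int) -> bool:
        entry = self.tokens.pop(_token_key(token), None)   # single use
        if entry is None or now > entry[1]:
            return False
        email, _expiry = entry
        u = self.users[email]
        u["salt"], u["pw_hash"] = hash_password(new_password)
        u["locked"] = False
        return True

if __name__ == "__main__":
    # Constructed accounts: one recently active, one dormant for over a year.
    now = 1_700_000_000
    store = AccountStore()
    store.add_user("active@example.com", "old-pw", last_login=now - 86400)
    store.add_user("dormant@example.com", "old-pw", last_login=now - 400 * 86400)
    issued = store.breach_lockdown(now=now, inactive_after=90 * 86400)
    print(sorted(issued))                     # only the active account gets a token
    print(store.login("active@example.com", "old-pw"))   # False: old hash is gone
```

The two properties worth copying are that the old hashes are destroyed rather than merely flagged, so a second leak of the same table yields nothing, and that tokens are single-use, time-limited and stored only as hashes.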

It’s not fair to single out Zappos. This blog could be written about thousands of other organizations. But so far security hindsight continues to be nearsighted.

Maybe Zappos should start selling eyewear.

Weaponized Software – The New Assassin

There has been a lot of press lately regarding the assassination of Iran’s top nuclear scientist, or more accurately – the way in which the assassination was conducted.

On Wednesday, January 11, as the USS John Stennis and three other carrier battlegroups arrived in the Gulf region, two anonymous hitmen rode up alongside the Peugeot 405 being driven by Mostafa Ahmadi-Roshan and “pasted” magnetic shaped charges to the cabin exterior. They exploded seconds later, destroying the interior of the vehicle and leaving their surroundings untouched.

This bold, high-tech act comes on the heels of two other attacks, both aimed at disabling or stalling Iran’s nuclear capabilities.

The first is a series of suspicious explosions at Iran’s nuclear facilities, one of which killed another top scientist. These explosions were documented by US satellites which clearly demonstrate the origin and impact of the blasts. These explosions occurred “around the time” that Iran was found to have in its possession an RQ-170 stealth drone.

It is suggested that the Lockheed Martin RQ-170 Sentinel is designed primarily for reconnaissance. Of course it’s 66 feet wide and weighs close to 10,000 pounds. That’s one mighty big camera. Oh and it also has modular bays that can be adapted for “strike missions”.

The second is a high-tech operator that executed missions on the ground. Using covert tactics and the latest intelligence, this foot-soldier infiltrated Iran’s top-secret nuclear facilities and quietly disrupted the industrial controllers at their core. Rapidly moving from centrifuge to centrifuge in the enrichment halls, this highly trained assassin combined speed, stealth technology and the latest weapons to sabotage Iran’s nuclear capabilities.

It wasn’t until the damage was done that this assassin was given a name.

We called him Stuxnet.

Now we can speculate whether or not Israel or the United States was behind Stuxnet, but one thing has become alarmingly clear – someone wants to destroy Iran’s ability to produce nuclear assets and weaponized software was a key component of the campaign.

Stuxnet, at the time hailed as the most sophisticated piece of malware ever conceived, ushered in a new era. It was not the first time that cyberwar had been waged, but it was the first time that cyber was elevated to that rarefied ether of air, land, sea and space. Even the decompiled code was classified for a time.

Today, nation states are hard at work developing weaponized software that will disable their enemies’ critical infrastructure, destroy military intelligence and render nuclear and other traditional weaponry useless. Cyberwarfare is young, but maturing in dog years. Stuxnet already has at least one child, Duqu, and they’re multiplying fast.

In October of 2011, it was made public that the United States Air Force experienced an outbreak of malware on a network associated with assets used to control drones in the Mideast. The origin of the malware was never declassified, nor was the resolution of the incident. Some of us thought that perhaps it was a US Government concoction once again targeting Iran that escaped the labs.

  1. Step 1: Build Malware
  2. Step 2: Infect Drone
  3. Step 3: Crash Flying USB Stick in Iran and Watch From Satellites as it Blows Up Nuclear Plant

Looking forward, it’s clear that software has become part of our military arsenal. We will continue to see more frequent headlines telling stories of cyberattacks on military installations, cyberespionage and weaponized software. Let’s remember that just as China and other countries have stolen our blueprints for drones, tanks and fighter aircraft, they have also built their own cyberweapons.

For now though, I’d turn down that job as an Iranian nuclear scientist.

Life or Death Decisions in Information Security

On Friday an Albany police officer shot and killed a 19-year old male when a routine traffic stop turned violent.

The suspect, now deceased, allegedly reached for the loaded .22 caliber handgun he was carrying after the SUV he was driving was stopped for a traffic violation. Officers shot and killed the man, claiming self-defense.

A public press conference was held that quickly became explosive, a chaotic scene charged with emotion.

While it is difficult to draw analogies between a shooting and cybercrime, one can draw some parallels between the physical and cyber realms. It is often difficult to know the best course of action in either. And in both cases, there is rarely enough time or information to make good decisions.

There are no absolutes in our business.

One can draw many conclusions about the potential outcomes of not neutralizing an allegedly enraged and armed suspect on the streets of downtown Albany. We can also make some assumptions about the effects of negligent or absent security controls in the workplace. When it comes to making difficult decisions about what to do or not to do and when to do it, things become hazy real fast.

On the street it can get you killed. In the workplace the worst is usually termination of a different sort.

And sometimes it’s hard to know what side you’re on.

Stratfor, Comodo, RSA and HBGary all make a living securing other organizations, yet became targets themselves over the past year. According to public opinion, each of them became a target because of who they were, yet each became a victim because they didn’t practice what they preached.

On top of that, each made bad decisions while under duress, whether it was delayed customer communications or weak security remediation.

Friday’s press conference in Albany was chaotic for a number of reasons. First, neither side had all of the necessary information, and both sides made assumptions about what had happened. We saw the same thing happen to RSA and the other victims in the court of public opinion. It’s tough to know who’s to blame.

What we do know is that a young man is dead. And intellectual property worth hundreds of millions of dollars was compromised. These are indisputable facts. Despite lengthy investigations, this may be as close as we ever get to the honest truth in either case.

There are no absolutes in our business.

Those committed to providing honest, effective security will work tirelessly to perfect their fundamentals and plan for the unexpected. Like a good officer on the street, a good security provider will possess strong situational awareness, true aim and flawless decision-making ability.

Great security providers will be able to do all of that while taking enemy fire.
