All posts by Cindy Ng

[Podcast] Troy Hunt and Lessons from a Billion Breached Data Records

[Podcast] Troy Hunt and Lessons from a Billion Breached Data Records

Leave a review for our podcast & we'll put you in the running for a pack of cards.


Troy Hunt is a web security guru, Microsoft Regional Director, and author whose security work has appeared in Forbes, Time Magazine and Mashable. He’s also the creator of “Have I been pwned?”, the free online service for breach monitoring and notifications.

In this podcast, we discuss the challenges of the industry, learn about his perspective on privacy and revisit his talk from RSA, Lessons from a Billion Breached Data Records as well as a more recent talk, The Responsibility of Disclosure: Playing Nice and Staying Out of Prison.

After the podcast, you might want to check out the free 7-part video course we developed with Troy on the new European General Data Protection Regulation that will be law on May 25, 2018. It will change the landscape of regulated data protection law and the way that companies collect personal data. Pro tip: GDPR will also impact companies outside the EU.

 

[Podcast] John P. Carlin, Part 4: Emerging Threats

[Podcast] John P. Carlin, Part 4: Emerging Threats

Leave a review for our podcast & we'll put you in the running for a pack of cards.


In this concluding post of John Carlin’s Lessons from the DOJ, we cover a few emerging threats: cyber as an entry point, hacking for hire and cybersecurity in the IoT era.

One of the most notable anecdotes are John’s descriptions of how easy it was to find hacking for hire shops on the dark web. Reviews of the most usable usernames and passwords and most destructive botnets are widely available to shoppers. Also, expect things to get worse before they get better. With the volume of IoT devices now available developed without security by design, we’ll need to find a way to mitigate the risks.

Transcript

Cindy Ng: You may have following our series on John Carlin’s work during his tenure as Assistant Attorney General for the U.S. Justice Department. He described cyber as an entry point as one of our threats using our latest election process as an example. But now, John has a few more emerging threats to bring to your attention, hacking for hire and cyber security in the IoT era. One of John’s striking descriptions is how easy it is to find hacking for hire shops on the dark web. Reviews of the most usable usernames and passwords and the most destructive botnets are widely available to shoppers. Expect things to get worse before they get better. With the volume of IoT devices created without security by design, we’ll need to find a way to mitigate the risk.

John Carlin: Let me move to emerging threats. We’ve talked about cyber as an entry part, a way that an attack can start. Even when the cyber event isn’t really the critical event in the end, our electoral system and confidence in it wasn’t damaged because there was an actual attack on the voting infrastructure, if there’s an attack where they steal some information that’s relatively easy to steal and then they get to combine with the whole campaign of essentially weaponizing information, and that caused the harm. The other trend we’re seeing is the hacking for hire. I really worry about this one. I think over the next five years, what we’re seeing is, the dark web now, it’s so easy to use, well, I don’t recommend this necessarily, but when you go on it, you see sophisticated sales bazaars that look as customer-friendly as Amazon.

And when I say that I mean it literally looks like Amazon. I went on one site and it’s complete with customer reviews, like, “I gave him four stars, he’s always been very reliable, and 15% of the stolen user names and passwords that he gives me work, which is a very high rate.” Another one will be like, “This crook’s botnet has always been really good at doing denial-of-service attacks, five stars!” So that’s the way it looks right now on the dark web, and that’s because they’re making just so much, so much money they can invest in an infrastructure and it starts to look as corporate as our private companies.

What I worry about, is because those tools are for rent, use the botnet example, you know, one of the cases that we did was the Iranian Revolutionary Guard Corps attack on the financial sector. They hit 46 different financial institutions with the distributed denial-of-service attack, taking advantage of a huge botnet of hundreds and hundreds of thousands of compromised computers. They’d knocked financial institutions, who have a lot of resources offline, effected hundreds of thousands of customers, cost tens of millions of dollars.

Right now, on the dark web, you can rent the use of an already made botnet. So the criminal group creates the botnet, they’re not the ones who necessarily use it. Right now they tend to rent it to other criminal groups who will do things like GameOver Zeus, a case that we did, you know, they’ll use it for profit, they’ll use it for things like injecting malware that will lead to ransomware or injecting malware for a version of extortion, essentially, where they were turning on people’s video cameras and taking naked pictures, and then charging money, or all the other criminal purposes you can put a botnet to.

But it doesn’t take much imagination to see how a nation stayed or a terrorist group could just rent what the criminal groups are doing to cause an attack on your companies. In terms of emerging threats, you’re certainly tracking the Internet of Things era. I mean, you think about how far behind we are given where the threat is just because we moved very, very quickly from putting everything we value, from analog to digital space, connecting it to the internet over a 25-year period roughly. We’re now on the verge of an even more transformative evolution, where we put not just information, but all the devices that we need from everything, from the pacemakers in our heart, the original versions that were rolled out, actually this is still an issue, for good medical reasons they wanted to be able to track in real-time information coming out of people’s hearts, but they rolled it out un-encrypted, because they just don’t think about it when it comes to the Internet of Things.

They were testing whether it worked, which it did, but they weren’t testing whether it would work where they had security by design, if a bad guy, a crook, a terrorist, or a spy wanted to exploit them. Drones in the sky, they were rolled out, same problem, rolled out originally not encrypted commercial drone. So, again, a 12-year-old could kill someone by taking advantage of the early pacemakers, they could with drones as well. And then the automobiles on our roads, forgetting the self-driving vehicle already, estimates are 70% of the cars on the road by 2020 are essentially gonna be computers on wheels.

One of the big cases we dealt with was the proof of concept hack where someone got in through the entertainment system through the steering and braking system, then led to 1.4 million car recall of Jeep Cherokees. So that’s the smart device used to cause new types of harm, from car accidents, to drones in the sky, to killing people on pacemakers. But we also just have the sheer volume, it’s exponentially increasing and we saw the denial-of-service attack that we’ve all been warning about for a period of time take place this October, knocked down essentially internet connectivity for a short period of time. Because there were just so many devices, from video cameras, etc., that are default being rolled out and can be abused. So, hopefully there will be regulatory public policy focus to try to fix that.

In the interim though, my bottom line is, things are gonna get worse before they get better on the threat side, which is why we need to focus on the risk side. We won’t spend too much time on what government’s been doing. We’ve talked about some of it a little bit already, but this is…the idea is, we need to, one, bring deterrents to bare, make the bad guys feel pain. Because as long as they’re getting away completely cost-free, offense is gonna continue to vastly outstrip defense. Number two, we gotta figure out a way to share information better with the private sector.

And I think you’re hopefully seeing some of that now, where government agencies, FBI, Justice, Secret Service are incentivized to try to figure out ways to increase information sharing for information that, for many, many years now, has been kept only on the classified side of the house. And that’s a whole new approach for government, and it just in its early steps. But, we’ve been moving too slowly given where the threat is, we need to do more, faster. You know, just a couple weeks ago they heard the Director of the FBI said, “Okay, they came after us in 2016 in the Presidential election, but I’m telling you they’re gonna do it again in 2020,” and the head of National Security Agency agreed. That’s in just one sphere, so I think we’re definitely in a trend now where we need to move faster in government.

What’s law enforcement doing? They’re increasing the cooperation. They’re doing this new approach on attribution. When I was there, we issued towards towards the end a new presidential policy directive that tried to clarify who’s in charge of threat, assets, intel support to make it easier. That said, if any of you guys actually looked at the attachment on that, it had something like 15 different phone numbers that you’re supposed to call in the event of an incident. And so, right now, what you need to do is think ahead on your crisis and risk mitigation plan, and know by name and by face who you’d call law enforcement by having an incident response plan that you test when the worst happens.

And there’s reasons…I’m not saying in every case do it, but there are reasons to do it, and it can increase the intelligence you get back. It’s a hedge against risk, if what you thought was a low level act, like a criminal act, the Ferizi example, turns out to be a terrorist, at least you notified somebody. You also want to pick a door, and this requires sometime getting assistance, you want to pick the right door in government, that ideally minimizes the regulatory risk to your company, depending on what space that you’re in, that the information that you provide them, as a victim, isn’t used against you to say that you didn’t meet some standard of care.

Even if…with the shift of administration, I know generally there’s a talk about trying to decrease regulations under this administration, but when it comes to cyber, everyone’s so concerned about where the risk is, that for a period of time I think we’re gonna continue to see a spike, that’ll hopefully level off at some point as each of the regulators tries to figure out a way they can move into this space. So, what can you do? One, most importantly, treat this as an inevitability. You know there’s no wall high enough, deep enough to keep the dedicated adversary out, and that means changing the mindset.

So, where…just like many other areas, this is a risk management, incident response area. Yes, you should focus front end on trying to minimize their ability to get in but you also need to assume that they can, and then plan what’s gonna happen when they’re in my perimeter. That means knowing what you got, knowing where it is, doing things like assuming they can get into my system. If I have crown jewels, I shouldn’t put that in a folder that’s called “Crown Jewels,” maybe put something else in there that will cause the bad guy to steal the wrong information. Have a loss of efficiency, which is why it’s a risk mitigation exercise. I mean, you need to bring the business side in to figure out, how can I, assuming they get in, make it hardest for them to damage what need but most to get back to business. Sony, despite all the public attention, their share price was up that spring, and that’s because they knew exactly who and how to call someone in the government. They actually had a good internal corporate process in place in terms of who was responsible for handling the crisis and crisis communication.

Second, assuming again that there are sophisticated adversaries that get more sophisticated, they can get in if they want to, you need to have a system that’s constantly monitoring internally, what’s going on from a risk standpoint, because the faster you can catch what’s going on inside your system, the faster you can have plan to either kick them out, remediate it, or if you know the data is already lost, start having a plan to figure out how you can respond to it, whether it’s anything from intellectual property, to salacious emails inside your system. And that way, you quickly identify and correct anomalies, reduce the loss of information.

Implement access controls, can’t hit this hard enough. This is true in government as well, by the way, along with the private sector. The default was just it’s just easier to give everybody access. And I think people, when it came very highly regulated types of information, maybe literally, if you know, you had source code, key intellectual property, people knew to try to limit that. But all that other type of sensitive peripheral information, pricing discussions, etc., my experience, a majority of companies don’t implement internally controls as to who has access and doesn’t, and part of the reason for that is because it’s too complicated for the business side so they don’t pay attention to doing it, and you can limit access to sensitive information and others.

Then you can focus your resources, for those who have access, on how they can use it, and really focus on training them and target your training efforts to those who have the access to the highest risk information. Multi-factor authentication, of course, is becoming standard. What else can you do? Segmenting your network. Many of the worst incidents we have are because of the networks were essentially flat and we watch bad guys cruise around the network. Supply chain risk, large majority, Target, Home Depot, etc., a different version of the supply chain but the same idea. Once you get your better practices in place, the risk can sometimes be down the supply chain or with a 3rd party vendor, but it’s your brand that suffers in the event of a breach.

Train employees. We talked about how access controls can help you target that training. And then have an incident response plan and exercise it. Some of them will be, you’ll go in and there will be an incident response plan, but it’s like hundreds of pages, and in an actual incident, nobody’s going to look at it. So it needs to be simple enough that people can use, accessible both on the IT, technical side of the house, and the business side of the house, and then exercise, which is, you start spotting issues that really are more corporate governance issues inside the company as you try to do table top exercises. And we’ve talked a lot about building relationships with law enforcement, and the idea is know by name and by face pre-crisis who it is that you trust in law enforcement, have that conversation with them. This is easier to do if you’re a Fortune 500 company to get their attention. If you’re smaller, you may have to do it in groups or through an association, but have a sense of who it is that’d you call, and then you need to understand who in your organization will make that call.

[Podcast] Tracking Dots, Movement and People

[Podcast] Tracking Dots, Movement and People

Leave a review for our podcast & we'll put you in the running for a pack of cards.


Long before websites, apps and IoT devices, one primary way of learning and sharing information is with a printed document. They’re still not extinct yet. In fact, we’ve given them an upgrade to such that nearly all modern color printers include some form of tracking information that associates documents with the printer’s serial number. This type of metadata is called tracking dots. We learned about them when prosecutors alleged 25-year-old federal contractor Reality Leah Winner printed a top-secret NSA document detailing the ongoing investigation into Russian election hacking last November and mailed it to The Intercept. Rest assured the Inside Out Security Show panelists all had a response to this form of printed metadata.

Another type of metadata that will be discussed in the Supreme Court is whether the government needs a warrant to access a person’s cell phone location history. “Because cell phone location records can reveal countless private details of our lives, police should only be able to access them by getting a warrant based on probable cause,” said Nathan Freed Wessler, a staff attorney with the ACLU Speech, Privacy, and Technology Project.

Other articles discussed:

  • Malware installed on a router can take control over a device’s LEDs and use them to transmit data
  • Twitter product, Studio has vulnerability that allowed tweeting from any account
  • Commenting secret code on Britney Spears’ Instagram account

Inside Out Security Show panelists: Mike Buckbee, Kilian Englert, Forrest Temple

[Infographic] From Bad Report Cards to Insider Data Theft

[Infographic] From Bad Report Cards to Insider Data Theft

We’ve all read the news recently about employees and contractors selling internal customer data records or stealing corporate intellectual property. But insiders breaking bad have been with us as long as we’ve had computers and disgruntled humans who understand IT systems.

You may not know it, but academic researchers have also been studying the psychological insides of insiders.

Carnegie Mellon’s Computer Emergency Response Team (CERT) has an entire group devoted to insider threats. Based on looking at real cases, these academics have come up with, to our minds, a very convincing model of what drives insiders.

In short, it’s their belief that the root causes lie beyond just a raise or promotion denied, but rather in earlier traumas, likely starting in childhood.

For instance, it is thought that children who, during a famous psych experiment, immediately ate the marshmallow (instead of waiting for two marshmallows) had issues with parental and other authority figures that would later show up through impulsive behaviors. Or perhaps for a certain kind of child, not getting into the genius program for advanced 4-year-olds can have devastating consequences later!

We’ve turned the complex CERT multi-stage insider model into this more accessible infographic. Check out the original CERT paper (or read our incredibly informative series) to learn more.

 

[Podcast] John P. Carlin, Part 3: Ransomware & Insider Threat

[Podcast] John P. Carlin, Part 3: Ransomware & Insider Threat

Leave a review for our podcast & we'll put you in the running for a pack of cards.


We continue with our series with John Carlin, former Assistant Attorney General for the U.S. Department of Justice’s National Security Division. This week, we tackle ransomware and insider threat.

According to John, ransomware continues to grow, with no signs of slowing down. Not to mention, it is a vastly underreported problem. He also addressed the confusion on whether or not one should engage law enforcement or pay the ransom. And even though recently the focus has been on ransomware as an outside threat, let’s not forget insider threat because an insider can potentially do even more damage.

Transcript

Cindy Ng: We continue our series with John Carlin, former Assistant Attorney General for the U.S. Justice Department. This week we tackle ransomware and insider threats. According to John, ransomware is a vastly under-reported problem. He also addressed the confusion on whether or not one should engage law enforcement or pay the ransom. And even though, lately, we’ve been focused on ransomware as an outside threat, one area that doesn’t get as much focus is insider threat. And that’s worrisome because an insider can potentially do even more damage.

John Carlin: Ransomware, it was skyrocketing when I was in government. In the vast, vast, as I said earlier, majority of the cases, we were hearing about them with the caveat that they were asking us not to make it public, and so it is also vastly under-reported. I don’t think there’s anywhere near, right now, the reporting. I think Verizon attempted to do a good job. There’ve been other reports that have attempted to get a firm number on how big the problem is. I think the most recent example that’s catching peoples attention is Netflix.

Another area where I think too few companies right now are thinking through how they’d engage law enforcement. And I don’t think there’s an easy answer. I mean, there’s a lot of confusion out there as to whether you should or shouldn’t pay. And there was such confusion over FBI folks, when I was there, giving guidance saying, “Always pay.” The FBI issued guidance, and we have a link to it here, that officially says they do not encourage paying a ransom. That doesn’t mean, though, that if you go into law enforcement that they’re gonna order you not to pay. Just like they have for years in kidnapping, I think they may give you advice. They can also give back valuable information. Number one, if it’s a group they’ve been monitoring, they can tell you, and do as they’ve tried to move more towards the customer service model, they can tell you whether they’ve seen that group attack other actors before, and if they have, whether if you pay they’re likely to go away or not. Because some groups just take your money and continue. Some groups, the group who’s asking for your money isn’t the same group that hacked you, and they can help you on that as well. Secondly, just as risk-reduction, as the example I gave earlier of Ferizi shows, or the Syrian Electronic Army, you can end up, number one, violating certain laws when it comes to the Treasury, so called OFAC, and material support for terrorism laws by paying a terrorist or other group that’s designated as a bad actor. But more importantly, I think for many of you, then, that potential criminal regulatory loss is the brand. You do not want a situation where it becomes clear later that you paid off a terrorist. And so, by telling law enforcement what your doing, you can hedge against that risk.

The other thing you need to do has nothing to do with law enforcement, but is resilience and trying to figure out, “Okay, what are my critical systems, and what’s the critical data that could embarrass us? Is it locked down? What would be the risk?” The most recent public example Netflix has shown, you know, some companies decide season 5 of “Orange is the New Black,” it’s not worth paying off the bad guy.

We’ve been focusing a lot on outside actors coming inside, and something I think has gotten too little attention or sometimes get too little attention, is the insider threat. That’s another trend. As we focus on how, when it comes to outsider threats, the approach needs to change, and instead of focusing so much on perimeter defense, we really need to focus on understanding what’s inside a company, what the assets are, what we can do to complicate the life of a bad guy when they get inside your company. Risk mitigation, in other words. A lot of the same expenditures that you would make, or same processes that you put in place to help mitigate that risk, are also excellent at mitigating the risk from insider threat. And that’s where you can get a economy of scale on your implementation.

When I took over National Security Division, my first, I think, week, was the Boston Marathon attack. But then, shortly after that was a fellow named Snowden deciding to disclose, on bulk, information that was devastating to certain government agencies across the board. And one of my last acts was indicting another insider and contractor at the National Security Agency who’d similarly taken large amounts of information in October of last year. So, if I can share one lesson, having lived through it on the government end of the spectrum, that sometimes our best agencies, who are very good at erecting barriers and causing complications for those who try to get them from outside the wall, didn’t have the same type of protections in place inside the perimeter area, in those that were trusted. And that’s something we just see so often in the private sector, as well. In terms of the amount of damage they can do, the insider may actually be the most significant threat that you face. This is the kind of version of the blended threat, the accidental or negligent threat that happens from a human error, and then that’s the gap that, no matter how good you are on the IT, the actor exploits. In order to protect against that, you really need to figure out systems internally for flagging anomalous behavior, knowing where your data is, knowing what’s valued inside your system, and then putting access controls in place.

From a recent study that Varonis did, and this is completely consistent with my experience both in government, in terms of government systems in government, in terms of providing assistance to the private sector and now giving advice to the private sector, is that it did not surprise me, this fact, although it’s disturbing, that nearly half of the respondents indicated that at least 1,000 sensitive files are open to every employee, and that one fifth had 12,000 or more sensitive files exposed to every employee. I can’t tell you how many of these I’ve responded to in crisis mode, where all the lawyers, etc. are trying to figure out how to mitigate risk, who do they need to notify because their files may have been stolen, whether it’s business customers or their consumer-type customers. And then, they realize too late, at this point, that they didn’t have any access controls in place. This ability to put in an access control is vital, both when you have an insider and also, it shouldn’t matter how the person gained access to your system, whether they were outside-in or it’s an insider. It’s the same risk. And so, what I’ve found is that…and this was a given example of this that we learned through the OPM hack. But what often happens is the IT side knows how to secure the information or put in access controls, but there’s not an easy way to plug in your business side of the house. So, nearly three-fourths of employees say they know they have access to data they don’t need to see. More than half said it’s frequent or very frequent. And then, on the other side of the house, on the IT, they know that three-quarters of the issues that they’re seeing is insider negligence. So, you combine over-access with the fact that people make mistakes, and you get a witches’ brew in terms of trying to mitigate risk. So, what you should be looking for there is, “How can I make it as easy as possible to get the business side involved?” They can determine who gets access or who doesn’t get access. And the problem right now, I think, with a lot of products out there, is that it’s too complicated, and so the business side ignores it and then you have to try to guess at who should or shouldn’t have access. All they see then is, “Oh, it’s easier just to give everybody access than it is to try to think through and implement the product. I don’t know who to call or how to do it.”

OPM, major breach inside the government where, according to public reporting, China, but the government has not officially said one way or the other so I’m just relying on public reporting, it breached inside our systems, our government systems. And one of the problems was they were able to move laterally, in a way, and we didn’t have a product in place where we could see easily what the data was. And then, it turned out afterwards, as well, there was too much access when it came to the personally identifiable information. I have hundreds of thousands of government employees who ultimately had to get notice because you just couldn’t tell what had or hadn’t been breached.

When we went to fix OPM, this is another corporate governance lesson, three times the President tried to get the Cabinet to meet so that the business side would help own this risk and decide what data people should have access to, recognizing when you’re doing risk mitigation, there may be a loss of efficiency but you should try to make a conscious decision over what’s connected to the internet, and if it’s connect to the internet, who has access to it and what level of protection, recognizing, you know, as you slim access there can be a loss of efficiency. In order to do that, the person who’s in charge is not the Chief Information Officer, it is the Cabinet sector. It is the Attorney General or the Secretary of State. The President tried three times to convene his Cabinet. Twice, I know for Justice, we were guilty because they sent me and our Chief Information Officer, the Cabinet members didn’t show up because they figured, “This is too complicated. It’s technical. I’m gonna send the cyber IT people.” The third time, the Chief of Staff to the President had to send a harsh email that said, “I don’t care who you bring with you, but the President is requiring you to show up to the meeting because you own the business here, and you’re the only person who can decide who has access, who doesn’t and where they should focus their efforts.” So, for all the advice we were given, private companies, at the time, we were good at giving advice from government. We weren’t as good, necessarily, at following it. That’s simply something we recommend people do.

Continue reading the next post in "[Podcast] John P. Carlin"

[Podcast] Security Pros and Users: We’re All in This Together

[Podcast] Security Pros and Users: We’re All in This Together

Leave a review for our podcast & we'll put you in the running for a pack of cards.


The latest release of SANS’ Security Awareness Report attributed communication as one of the primary reasons why awareness programs thrive or fail. Yes, communication is significant, but what does communication mean?

“The goal of communication is to facilitate understanding,” said Inside Out Security Show(IOSS) panelist, Mike Thompson.

Another panelist, Forrest Temple expanded on that idea, “The skill of communication is the clarity through which that process happens. Being about to tell a regular user about the purpose behind the policy is the important part.”

However, IOSS panelist Kilian Englert pushed back on the report’s findings that insinuated users or security pros are to blame when a program fails. Yes, clear communication is vital, but also added, “We’re all in this together.”

Others echoed this sentiment as well when we discussed a recent report that 83% of Security Pros Waste Time Fixing Co-Workers Non-Security Problems.

Other articles discussed:

[Podcast] Taking The Long View, Investing in Technology and Security

[Podcast] Taking The Long View, Investing in Technology and Security

Leave a review for our podcast & we'll put you in the running for a pack of cards.


We’re living in exciting times. Today, if you have an idea as well as a small budget, you can most likely create it. This is particularly true in the technology space, which is why we’ve seen the explosion of IoT devices on the marketplace.

However, what’s uncertain is the byproduct of our enthusiastic making, innovating, and disrupting.

Hypothetical questions that used to be debated on the big screen are questions we’re now debating on our podcast. Will we be able to maintain an appropriate level of privacy within our homes? What are some positive and negative applications of a new technology? Should we extinguish our identification cards so that we can authenticate with biometrics?

On this week’s Inside Out Security Show, Kilian Englert, Kris Keyser and Mike Buckbee weigh in on these pressing questions.

Other articles discussed:

Course of the week: GDPR Attack Plan: What You Need To Know

[Podcast] John P. Carlin, Part 2: Economic Espionage & Weaponized Info...

[Podcast] John P. Carlin, Part 2: Economic Espionage & Weaponized Information

Leave a review for our podcast & we'll put you in the running for a pack of cards.


In part two of our series, John Carlin shared with us lessons on economic espionage and weaponized information.

As former Assistant Attorney General for the U.S. Department of Justice’s National Security Division, he described how nation state actors exfiltrated data from American companies, costing them hundreds of billions of dollars in losses and more than two million jobs.

He also reminded us how important it is for organizations to work with the government as he took us down memory lane with the Sony hack. He explained how destructive an attack can be, by using soft targets, such as email that do not require sophisticated techniques.

Transcript

Cindy Ng: In part two of John Carlin’s talk, we learn more about how nation state actors exfiltrate data from American companies, costing them hundreds of billions of dollars in losses and more than two million jobs. He also took us down memory lane, describing how the Sony hack showed us how successful an attack can be by using soft targets, such as email, that do not require sophisticated techniques.

John Carlin: Let me talk a little bit about economic espionage and how we moved into this new space. When I was a computer-hacking prosecutor prosecuting criminal cases, we were plenty busy. And I worked with an FBI squad, and the squad that I worked with did nothing but criminal cases. There was an intelligence squad who was across the hall, and they were behind a locked, secured compartmented door. The whole time I was doing criminal cases, about 10, 15 years ago, we never went on the other side of that door. If an agent switched squads, they just disappeared behind that locked, secured door. I then went over to the FBI to be Chief of Staff to the director, FBI Director Mueller. And when I was there, that door opened and we started to see day-in, day-out what nation state actors were doing to our country.

And what we saw were state actors, and we had a literal jumbotron screen the size of a movie theater where we could watch it through a visual interface in real time. And we were watching state actors hop into places like universities, go from the university into your company, and then we would literally watch the data exfiltrate out. As we were watching this, it was an incredible feat of intelligence, but we also realized, “Hey, this is not success. We’re watching billions and billions of dollars of what U.S. research and development, and our allies, have developed in losses. We’re seeing millions of jobs lost.” One estimate has it at more than two million jobs. “What can we do to make it clear that the threat isn’t about consumer data or IP, the threat is about everything that you value on your system? And how do we make clear that there’s an urgent need to address this problem?”

What we did is, when I came back to Justice to lead up the National Security Division, is we looked to start sharing information within government. So, for the first time, every criminal prosecutor’s office across the country, all 93 U.S. Attorneys’ offices now has someone who’s trained on the bits, and the bytes and the Electronic Communication Privacy Act on the one hand. On the other hand, on how to handle sensitive sources and methods, and encouraged to see, can you bring a case? This only happened in 2013. This approach is still very, very new. The FBI issued an edict that said, “Thou shalt share what was formally only on the intelligence side of the house with this new, specially-trained cadre.” They then were redeployed out to the field. It’s because of that change in approach that we did the first case of its kind, the indictment of five members of the People’s Liberation Army, Unit 61398.

This was a specialized unit who, as we laid out in the complaint, they were hitting companies like yours and they were doing it for reasons that weren’t national security, they weren’t nation-state reasons. They were doing things like…Westinghouse was about to do a joint venture with a partner in China, and right before they were gonna into business together, you watched as the Chinese uniformed members of the People’s Liberation Army, the second largest military in the world, went in, attacked their system and instead of paying to lease the lead pipe as they were supposed to do the next day, they went in and stole the technical design specifications so they could get it for free. That’s one example laid out in the complaint. Or to give another example, and this is why it’s not the type of information that is required to be protected by regulation, like consumer data or intellectual property. Instead, for instance, they went in to a solar company, it was a U.S. subsidiary of a German multi-national and they stole the pricing data from that company. Then the Chinese competitor, using this information stolen by the People’s Liberation Army, price dumped. They set their product just below where the competitor would be. That forced that competitor into bankruptcy.

To add insult to injury, when that company sued them for the illegal practice of price dumping, they went and stole the litigation strategy right out from under them. When people said, “Why are you indicting the People’s Liberation Army? It isn’t state-to-state type activity. Everybody does it, what’s the big deal? Criminal process is the wrong way to do it.” The reason why we made it public were a couple. One was to make public what they were doing so that businesses would know what it was to protect themselves. Second, what they were doing was theft and that’s never been tolerated. And so, there’s a concept in U.S. law of what’s called an easement. This is the idea that if you let someone walk across your lawn long enough, in U.S. law, they get what’s called an easement. They get the right to walk across your lawn. That’s why people put up no trespassing signs. International law, which is primarily a law of customary law, works the same way. And as long as we were continuing to allow them to steal day-in, day-out, the Director of the FBI called them like a drunken gorilla because they were so obvious in terms of who they were. They didn’t care if they got caught because they were so confident there’d be no consequence. Then, we are setting international law, we are setting the standard as one where it’s okay. So, in some respects, this case was a giant “No trespass” sign, “Get off our lawn.”

The other thing that we did, though, was we wanted to show the seriousness, that this was their day job. And so, we showed that the activity started at 9 a.m. Beijing time, that it went at a high level from 9:00 to noon Beijing time, it decreased from noon to 1:00, it then increased again from 1:00 to around 6 p.m. Beijing time, decreased on Chinese holidays, weekends. This was the day job of the military, and it’s not fair and it can’t be expected that a private company alone can defend itself against that type of adversary. This single case had an enormous impact on Chinese behavior, and I wanna move a little bit to the next major cases that occurred. So, that’s economic espionage, theft for monetary value.

We also started seeing some of the first destructive attacks. Everyone remembers Sony, and many people think of it as the first destructive attack on U.S. soil. It really wasn’t the first destructive attack. The first destructive attack was on Sands Casino by what the Director of National Intelligence called Iranian-affiliated officials. Those Iranian-affiliated actors, when they attacked Sands, they did so because they didn’t like what the head of Sands Casino had said about Iran and the Ayatollahs called on people within Iran to attack the company. They did a destructive attack that essentially turned computers into bricks. And it was only, actually, because there was someone quick thinking in the IT staff who was not authorized by their policy, by the way, who spotted what was occurring and essentially pulled the plug, and in that respect was able to segment the attack and keep it confined to a small to a small area, it didn’t cause more damage. That didn’t get nearly the attention of Sony, so let’s talk a little bit about Sony.

You know, I spent nearly 20 years in government working on national security criminal threats. We did enumerable war games where we war-gamed out, “What’s it gonna look like if rogue nuclear arms nation decides to attack the United States through cyber-enabled means?” And I don’t know about you guys but we all got it wrong, because not once did we guess that the first major incident was gonna be over a movie about a bunch of pot smokers. It’s the only time…I remember every morning I’d meet with the Director of the FBI, the Attorney General to go over at the threats. That Christmas we’d all watched the movie the day before, shared movie reviews. And it’s the only time in my career where I’ve gone into the Situation Room to brief the president on a serious national security incident and had to start by trying to summarize the plot of that movie which, for those of you unlucky enough to have seen it, not that I’m passing critical judgement, it is not an easy plot to summarize.

So, why did we do that? Why were we treating this like a serious national security event that had presidential attention? The attack had multiple parts. One was, just like the attack on Sands Casino, it essentially turned computers into bricks. Secondly, they stole, so this is like the economic espionage threat. They stole intellectual property and they distributed it using a third party, the WikiLeaks-type example. Using third parties, they distributed that stolen intellectual property and tried to cause harm to Sony. Nobody remembers those two. What everybody remembers, and this is the weaponizing of the information idea, is that by focusing on a soft target like email communications, it was the salacious email communications inside the company between executives that got such massive media attention. That and, of course, the fact that it’s a movie company. That lesson was not unnoticed, and so there’s a lot of focus on it and we’ll talk about it later. And it was used again, clearly, in the Russian attempt to influence elections not just here in the United States with our most recent election cycle, but both before that in elections across Europe. You can see them trying to use similar tactics and techniques right now when it comes to the French election. They clearly stumbled on the fact that, “Hey, it’s not the information inside a company that people put great safeguards around, like their crown jewel of intellectual property. It can be the softer parts like email, like routine communications that, if we gather them in bulk, we can use to weaponize and cause harm to the company.”

The reason why we treated that as such a serious national security concern in the White House was because of the reason behind the attack. Just like the attack on Sands Casino, this attack on Sony was fundamentally an attack on our values. It was an attack on the idea that we have free speech. And similarly, the Russian attempts are fundamentally an attack on the idea of democracy. That’s why they’re attacking democratic institutions not just here in the United States, but across the world.

For you, in the private sector, as we’re designing and you’re thinking about, you need to have products inside your system that can allow you to monitor broadly what type of attacks are occurring within your perimeter so you can get ahead of a weaponized information-type attack. That means fortifying defenses beyond those that are under legislation or regulation. In order to do that, that means figuring out and using products that are business-friendly. By that I mean, you may be the best information technology folks in the world, if your business side can’t understand the tools that you’re using or the risks that you’re trying to describe to them, then you can’t engage them on what could really harm the company most. And that’s what you need to do your job, to figure out what that is.

Another thing that we can work on now when it comes to responding quickly is how fast these events occur. And these days, the best practice is to monitor social media. Now, I know a couple companies that they’re monitoring social media. In part, it’s not just for cyber crisis, right? Every crisis moves that quickly. Some are monitoring it because a certain president of the United States right now, occasionally, will tweet something out in the middle of the night that can cause a company, if he singles you out, he can cause your share price to torpedo by the time the market opens. So certainly, a couple of companies who’ve actually been though that have rapid communications plans in place, and we’ve other clients now that just as a best practice have, essentially, a team monitoring that Twitter account from 3 a.m. to 6 a.m. so they can get a communication into the media mainstream before the stock market opens.

That’s the same idea when it comes to having systems in place, so you’re monitoring social media for mentions of your company and then having a rapid response plan in place. That can also be majorly benefitted by you and your understanding of the system. If you spot where the data is that was stolen and think through with your business side how it can be used, you can get in front of it suddenly appearing somewhere on social media through WikiLeaks or some other site, just through Twitter and so that you’re ready to have a rapid response that addresses your business risk.

I want to focus a little bit, as we did, on this idea of working together, government and the private sector. I’m gonna go back to the economic espionage case for a second, the China case. When we did that PLA case, for years before when I was doing the criminal cases, I think companies didn’t work with law enforcement because they figured, “What’s the upside?” And I’ll just talk about that China case, but that case, the indictment of the People’s Liberation Army, it changed Chinese behavior, maybe not forever, but for now. It caused President Xi, I think that case, plus the response to Sony where we used the same type of response when it came to North Korea, which was…look, it was incredibly beneficial to Sony when we were able to say that it was North Korea. Until then, all of the attention was on Sony, “What did they do wrong? Why weren’t their systems better? Isn’t it ridiculous what their executives were saying?” After we could say that it was North Korea, the narrative changed to, “Hey, Government, what are you doing to protect us against nation-state threats?” That is why attributions can matter.

And what did the government do? We applied now, for the second time, the approach that we’d applied for the first time with the People’s Liberation Army of, number one, figuring out who did it. And that required working closely with the company to figure out not just what they took, but why they would have taken it, what could have precipitated the event. Number two, collect information in a way that we can make it public. And number three, use it, cause harm to the adversary. And that’s why in Sony, unlike in the PLA case, we didn’t have a criminal case available to us, so instead of using a criminal case you saw us publicly announce through the FBI who did it, and use that as a basis, then, to sanction North Korea. We realized sitting around the Situation Room table, lucky it was North Korea. If it had been some other cyber actor, unlike North Korea, who hadn’t done so many other bad things, we wouldn’t have been able to sanction them the way you could terrorists or those who proliferate weapons of mass destruction.

So, going forwards, the president signed a new executive order that allows us to sanction cyber actors. The combination of that new executive order which significantly allows, to use the PLA example, you to sanction not just those who take it, but the companies who make money off of it, those who profit from the stolen information. I think it was that combination of the new executive order in place, the PLA case and the realization that we could make things public and would cause harm that caused President Xi, the leader of China, to blink and sign an unprecedented agreement with President Obama. He sent a crew, we negotiated with them day and night for several days. And they said for the first time, “Hey, we agree, using your military intelligence to target private companies for the benefit of their economic competitor is wrong, and we agree that that should be a norm that you don’t do that.” That caused the G20 to sign it, and since then we have seen in government and private group monitoring, there’s a decrease in terms of how China is targeting private companies. Now, as some of you may be seeing, though, their definition of what’s theft for private gain and ours might differ, and there’s certainly sectors that are still getting hit and traditional intelligence collection continues.

Continue reading the next post in "[Podcast] John P. Carlin"

[Podcast] Our Post WannaCry World

[Podcast] Our Post WannaCry World

Leave a review for our podcast & we'll put you in the running for a pack of cards.


After WannaCry, US lawmakers introduced the Protecting Our Ability to Counter Hacking Act of 2017, or PATCH Act. If the bill gets passed, it would create a Vulnerabilities Equities Process Review Board where they would decide if a vulnerability, known by the government, would be disclosed to a non-government entity. It won’t be an easy law to iron out as they’ll need to find the right balance between vulnerability disclosure and national security.

Meanwhile Shadow Brokers, the hacking group that leaked the SMBv1 exploit that led to WannaCry, announced that they would create a subscription-based business that would give paying members a monthly data dump of zero-days and exploits.

Grounded in our post WannaCry world, the Inside Out Security Show panelists – Mike Thompson and Kilian Englert – mulled over a popular philosophical keynote by Cory Doctorow, The Coming War on General Purpose Computing.

We closed out the show by discussing another potentially deadly attack, Adylkuzz and whether not they’d prefer an attack like ransomware that notifies them or a cryptocurrency miner that consumes resources from their system and they wouldn’t even know it.

[Podcast] Pick Up Music, Pick Up Technology

[Podcast] Pick Up Music, Pick Up Technology

Leave a review for our podcast & we'll put you in the running for a pack of cards.


Last week, when the world experienced the largest ransomware outbreak in history, it also reminded me of our cybersecurity workforce shortage. When events like WannaCry happen, we can never have too many security heroes!

There was an idea floating around that suggested individuals with a music background might have a promising future in security. The thinking is: if you can pick up music, you can also pick up technology.

The Inside Out Security panelists – Mike Thompson, Forrest Template and Mike Buckbee – are in agreement. Their sentiments expanded to all artists and added that creative thinking along with attention to detail can go a long way.

Other articles discussed:

  • Intel Warns of Active Management Technology Vulnerability
  • Besides Netflix’s Orange is the New Black threat, hackers also helped ourselves to copies of titles from other companies
  • IoT companies keep building devices with security flaws
  • What nuclear security officers (and infosec pros) can learn from casino managers
  • IBM sends USBs with malware to customers

Tool of the week: Pi hole

Planet Ransomware

Planet Ransomware

If you were expecting a quiet Friday in terms of cyberattacks, this ain’t it. There are reports of a massive ransomware attack affecting computers on a global scale: in the UK, Spain, Russia, Ukraine, Japan, and Taiwan.

The ransomware variant that’s doing the damage is called WCry, also known as WannaCry or WanaCrypt0r. It has so far claimed some high-profile targets, including NHS hospitals in the UK, and telecom and banking companies in Spain.

Be calm and carry on, of course.

In the blog, we’ve been writing about ransomware over the last two years, and we have great educational resources to help you prevent or reduce the damage of an attack.

Here’s a quick overview of our content.

What is it?

Our ransomware guide: https://blog.varonis.com/the-complete-ransomware-guide/ 

Learning more

The Troy Hunt course: https://blog.varonis.com/introduction-to-ransomware-course/

How it spreads

Yes, it can have worm-like features: https://blog.varonis.com/next-gen-ransomware-ransomworm-gets-deadlier/

Can I make my own (for research purposes)?

Yes, but only under adult supervision:

https://blog.varonis.com/malware-coding-lessons-for-it-people-part-ii-more-fun-with-fud-ransomware/

https://blog.varonis.com/malware-coding-lessons-people-part-learning-write-custom-fud-fully-undetected-malware/

Reducing the risk

Limiting file access really, really helps: https://blog.varonis.com/the-best-ransomware-defense-dont-have-files/

Legal and Regulatory Implications

For US companies, this is what you need to know: https://blog.varonis.com/ransomware-the-legal-cheat-sheet-for-breach-notification/

Should you pay?

It depends:

https://blog.varonis.com/should-the-website-that-infected-a-pc-with-ransomware-pay/

https://blog.varonis.com/hospital-paid-ransom-didnt-get-all-files-back/

Is a decryption solution available?

Check here: https://www.varonis.com/ransomware-identifier/

The ultimate answer to ransomware

User Behavior Analytics (UBA): https://blog.varonis.com/why-uba-will-catch-the-zero-day-ransomware-attacks-that-endpoint-protection-cant/

And here’s proof:  https://www.varonis.com/ransomware-solutions