All posts by Cindy Ng

[Podcast] Are Cyber War Rooms Necessary?

Leave a review for our podcast & we'll send you a pack of infosec cards.


While some management teams are afraid of a pentest or risk assessment, other organizations – particularly financial institutions – are well aware of their security risks. They are addressing these risks by simulating cyberattacks. By putting the IT staff, managers, board members and executives who would be responsible for responding to a real breach or attack through these simulations, they are learning how to respond to press, regulators and law enforcement, as well as to other scenarios they might not otherwise expect.

However, other security experts would argue that cyber war rooms are financially prohibitive for most organizations with a limited budget. What’s more, organizations should keep in mind that not all attacks have to be complicated. If organizations curb phishing attacks or achieve a least privilege model, they would already significantly reduce their risk.

Other Articles Discussed:

  • Dark web marketplaces AlphaBay and Hansa shut down
  • Every voting machine gets hacked at DEF CON
  • Real life Minority Report
  • German judge rules that keylogging employees is illegal

Tool of the week: Reply All Podcast: Long Distance

Panelists: Mike Buckbee, Kris Keyser, Kilian Englert

[Podcast] Roxy Dee, Threat Intelligence Engineer

Some of you might be familiar with Roxy Dee’s infosec book giveaways. Others might have met her recently at Defcon as she shared with infosec n00bs practical career advice. But aside from all the free books and advice, she also has an inspiring personal and professional story to share.

In our interview, I learned that she had a budding interest in security but lacked the funds to pursue her passion. How did she work around her financial constraint? Free videos and notes with Professor Messer! What’s more, she thrived in her first post providing tech support for Verizon Fios. With grit, discipline and volunteering at BSides, she eventually landed an entry-level position as a network security analyst.

Now she works as a threat intelligence engineer, and in her spare time she writes how-tos and shares sage advice on her Medium account, @theroxyd.

Transcript

Cindy Ng: For individuals who have had a nonlinear career path in security, Threat Intelligence Engineer Roxy Dee knows exactly what that entails. She begins by describing what it was like to learn about a new industry with limited funding, and how she studied security fundamentals in order to get her foot in the door. In our interview, she reveals three things you need to know about vulnerability management, why fraud detection is a lot like network traffic detection, and how to navigate your career with limited resources.

We currently have a huge security shortage, and people are making analogies as to the kind of people we should hire. For instance, if you’re able to pick up music, you might be able to pick up technology. And I’ve found that in security it’s extremely important to be detail oriented, because the adage is the bad guys only need to be right once and security people need to be right all the time. And I had read on your Medium account the way you got into security, for practical reasons. And so let’s start there, because it might help encourage others to start learning about security on their own. Tell us what aspect of security you found interesting and the circumstances that led you in this direction.

Roxy Dee: Just to comment on what you’ve said. Actually, that’s a really good reason to make sure you have a diverse team is because everybody has their own special strengths and having a diverse team means that you’ll be able to fight the bad guys a lot better because there will always be someone that has that strength where it’s needed. The bad guys, they can develop their own team the way they want and so it’s important to have a diverse team because every bad guy you meet is going to be different. That’s a very good point, itself.

Cindy Ng: Can you clarify “diverse?” You mean everybody on your team is going to have their own specialty that they’re really passionate about? By knowing what they’re passionate about, you know how to leverage their skill set? Is that what you mean by diversity?

Roxy Dee: Yeah. That’s part of it. I mean, just making sure that you don’t have the same person. For example, I’ll tell my story like you asked in the original question. As a single mom, I have a different experience than someone that has had less difficulties in that area, so I might think of things differently, or be resourceful in different ways. Or I’m not really that great at writing reports. I can write well, but I haven’t had the practice of writing reports. Somebody that went to college, they might have that because they were kind of forced to do it, by having people from different backgrounds that have had different struggles.

And I got into security because I was already into phone phreaking, which is a way of hacking the phone system. And so for me, when I went to my first 2600 Meeting and they were talking about computer security and information security, it was a new topic and I was kind of surprised. I was like, “I thought 2600 was just about phone hacking.” But I realized that at the time…It was 2011, and phone hacking had become less of a thing and computer security became more of something. I got the inspiration to go that route, because I realized that it’s very similar. But as a single mom, I didn’t have the time or the money to go to college and study for it. So I used a lot of self-learning techniques, I went to a lot of conferences, I surrounded myself with people that were interested in the topic, and through that I was able to learn what I needed to do to start my career.

Cindy Ng: People have trouble learning the vocabulary because it’s like learning a new language. How did you…even though you were into phone hacking and the transition into computer security, it has its own distinct language, how did you make the connections and how long did it take you? What experiences did you surround yourself with to cultivate a security mindset?

Roxy Dee: I’ve been on computers since I was a little kid, like four or five years old. So for me, it may not be as difficult for me as other people, because I kind of grew up on computers. Having that background helped. But when it came to information security, there were a lot of times where I had no idea what people were saying. Like I did not know what “Reverse Engineering” meant, or I didn’t know what “Trojan” meant. And now, it’s like, “Oh, I obviously know what those things are.” But I had no idea what people were talking about. So going to conferences and watching DEF CON talks, and listening to people. But by the time I had gone to DEF CON about three times, I think it was my third time I went to DEF CON, I thought, “Wow. I actually know what people are saying now.” And it’s just a gradual process, because I didn’t have that formal education.

There were a few conferences that I volunteered at. Mostly at BSides. And BSides are usually free anyway. When you volunteer, you become more visible in the community, and so people will come to you or people will trust you with things. And that was a big part of my career, was networking with people and becoming visible in the community. That way, if I wanted to apply for a job, if I already knew someone there or if I knew someone that knew someone, it was a lot easier to get my resume pushed to the hiring manager than if I just apply.

Cindy Ng: How were you able to land your first security job?

Roxy Dee: And as far as my first InfoSec job, I was working in tech support and I was doing very well at it. I was at the top of the metrics, I was always in like the top 10 agents.

Cindy Ng: What were some of the things that you were doing?

Roxy Dee: It was tech support for Verizon Fios. There was a lot of, “Restart your router,” “Restart your set-top box,” things like that. But I was able to learn how to explain things to people in ways that they could understand. So it really helped me understand tech speak, I guess, understand how to speak technically without losing the person, like a non-technical person.

Cindy Ng: And then how did you transition into your next role?

Roxy Dee: It all had to do with networking, and at this point, I had volunteered for a few BSides. So actually, someone that I knew at the time told me about a position that was an entry-level network security analyst, and all I needed to do was get my Security+ certification within the first six months of working there. And so it was an opportunity for me because they accepted entry-level. And when they gave me the assessment that they give people they interview, I aced it because I had studied already about networking through a website called “Professor Messer.” And that website actually helped me with Security+ as well, and I was just able to do that through YouTube videos, like his entire website is just YouTube videos. So once I got there, I took my Security+ and I ended up, actually, on the night shift. So I was able to study in quiet during my shift every day at work. I just made it a routine, “I have to spend, you know, this amount of time studying on,” whatever topic I wanted to move forward with, which I knew what to study because I was going to conferences and I was taking notes from the talks, writing down things I didn’t understand or words I didn’t know and then later I was researching that topic so I could understand more. And then I would watch the talk again with that understanding if it was recorded, or I would go back to my notes with that understanding. The fact that I was working overnight and I was not interrupted really helped, and then from there…and that was like a very entry-level position. And from there, I went to a cloud hosting company, secure cloud hosting company with a focus on security and the great thing about that was that it was a startup. They didn’t have a huge staff, and they had a ton of things that they had to do and a bunch of unrealistic deadlines. So they would constantly be throwing me into situations I was not prepared for.

Cindy Ng: Can you give us an example?

Roxy Dee: Yeah. That was really like the best training for me, is just being able to do it. So when they started a Vulnerability Management Program, I had no experience in vulnerability management before this and they wanted me to be one of the two people on the team. So I had a manager, and then I was the only other person. Through this position, I learned what good techniques are and I was also inspired to do more research on it. And if I hadn’t been given that position, I wouldn’t have been inspired to look it up.

Cindy Ng: What does Vulnerability Management entail, three things that you should know?

Roxy Dee: Yeah. So Vulnerability Management has a lot to do with making sure that all the systems are up to date on patching. That’s one of them. The second thing I would say that’s very important is inventory management, because there were some systems that nobody was using and vulnerabilities existed there, but there was actually no one to fix them. And so if you don’t take proper inventory of your systems and you don’t do, you know, discovery scans to discover what’s out there, you could have something sitting there that an attacker, once they get in, they could use or they might have access to. And then another thing that’s really important in Vulnerability Management is actually managing the data because you’ll get a lot of data. But if you don’t use it properly it’s pretty much useless, if you don’t have a system to track when you need to have this remediated by, what are your compliance requirements? And so you have to track, “When did I discover this and when is it due? And what are the vulnerabilities and what are the systems? What do the systems look like?” So there’s a lot of data you’re going to get and you have to manage it, or you will be completely unable to use it.

Cindy Ng: And then you moved on into something else?

Roxy Dee: Oh, yes. Actually, it being a startup kind of wore on me, to be honest. So I got a phone call from a recruiter, actually, while I was at work.

This was another situation where I had no idea how to do what I was tasked with, and the task was…So from my previous positions, I had learned how to monitor and detect, and how to set up alerts, useful alerts that can serve, you know, whatever purpose was needed. So I already had this background. So they said, “We have this application. We want you to log into it, and do whatever you need to do to detect fraud.” Like it was very loosely defined what my role was, “Detect bad things happening on the website.” So I find out that this application actually had been stood up four years prior and they kind of used it for a little while, but then they abandoned it.

And so my job was to bring it back to life and fix some of the issues that they didn’t have time for, or they didn’t actually know how to fix or didn’t want to spend time fixing them. That was extremely beneficial. I had been given a task, so I was motivated to learn this application and how to use it, and I didn’t know anything about fraud. So I spent a lot of time with the Fraud Operations team, and through that, through that experience of being given a task and having to do it, and not knowing anything about it, I learned a lot about fraud.

Cindy Ng: I’d love to hear from your experience what you’ve learned about fraud that most people might not know.

Roxy Dee: What I didn’t consider was that, actually, fraud detection is very much like network traffic detection. You look for a type of activity or a type of behavior and you set up detection for it, and then you make sure that you don’t have too many false positives. And it’s very similar to what network security analysts do. And when I hear security people say, “Oh, I don’t even know where to start with fraud,” well, just think about from a network security perspective if you’re a network security analyst, how you would go about detecting and alerting. And the other aspect of it is the fraudulent activity is almost always an anomaly. It’s almost always something that is not normal. If you’re just looking around for things that are off or not normal, you’re going to find the fraud.

Cindy Ng: But how can you tell what’s normal and what’s not normal?

Roxy Dee: Well, first, it’s good to look up all sorts of sessions and all sorts of activity and get like a baseline of, you know, “This is normal activity.” But you can also talk to the Fraud team or, you know, or whatever team handles…It’s not specific to fraud, but, you know, if you’re detecting something else, talk to the people that handle it. And ask them, “What would make your alerts better? What is something that has not been found before or something that you were alerted to, but it was too late?” And ask just a bunch of questions, and then you’ll find through asking that what you need to detect.

Like for example, there was one situation where we had a rule that if a certain amount was sent in a certain way, like a wire, that it would alert. But what we didn’t consider was, “What if there’s smaller amounts that add up to a large amount?” And understanding…So we found out that, “Oh, this amount was sent out, but it was sent out in small pieces over a certain amount of time.” So through talking to the Fraud Operations team, if we didn’t discuss it with them, we never would have known that that was something that was an issue. So then we came up with a way to detect those types of fraudulent wire transfers as well.

Cindy Ng: How interesting. Okay. You were talking about your latest role at another bank.

Roxy Dee: I finished my contract and then I went to my current role, which focuses on a lot more than just online activity. I have more to work with now. With each new position, I just kind of layered more experience on top of what I already knew. And I know it’s better to work for a company for a long time and I kind of wish these past six years, I had been with just one company.

Each time that I changed positions, I got more responsibility, pay increase, and I’m hoping I don’t have to change positions as much. But it kind of gave me like a new environment to work with and kind of forced me to learn new things. So I would say, in the beginning of your career, don’t settle. If you get somewhere and you don’t like what you’re being paid, and you don’t think your career is advancing, don’t be afraid to move to a different position, because it’s a lot harder to ask for a raise than to just go somewhere else that’s going to pay you more.

So I’m noticing a lot of the companies that I’m working for, will expect the employees to stay there without giving them any sort of incentive to stay. And so when a new company comes along, they say, you know, “Wow. She’s working on this and that, and she’s making x amount. And we can take all that knowledge that she learned over there, and we can basically buy it for $10,000 more than what she’s making currently.” So companies are interested in grabbing people from other companies that have already had the experience, because it’s kind of a savings in training costs. So, you know, I try to look every six months or so, just to make sure there’s not a better deal out there, because they do exist. And I don’t know how that is in other fields, though. I know in information security, we have that. That’s just the nature of the field right now.

Cindy Ng: I think I got a good overview of your career trajectory. I’m wondering if there’s anything else that you’d want to share with our listeners?

Roxy Dee: Yeah. I guess, I pretty much have spent…So the first two or three years, I spent really working on myself, and making sure that I had all the knowledge and resources I needed to get that first job. The person that I was five or six years ago is different than who I am now. And what I mean is, my situation has changed a bit, to where I have more income and I have more capabilities than I did five years ago. One of the things that’s been important to me is giving back and making sure that, you know, just because I went through struggles five years ago…You know, I understand we all have to go through our struggles. But if I can make something a little bit easier for someone that was in my situation or maybe in a different situation but still needs help, that’s my way of giving back.

And spending $20 to buy someone a book is a lot less of a hit on me financially than it would have been five years ago. Five years ago, I couldn’t afford to drop even $20 on a book to learn. I had to do everything online, and everything had to be free. I just want to encourage people, if you see an opportunity to help someone and, you know, for example, if you see someone that wants to speak at a conference and they just don’t have the resources to do so. And you think, “Well, this $100 hotel a night, a hotel room is less of a financial hit to me than to, you know, than to that person. And that could mean the difference between them having a career-building opportunity or not having that.” Just seek out ways to help people. One of the things I’ve been doing is the free book giveaway, where I actually have people sending me Amazon gift cards and there is actually one person that’s done it consistently in large amounts. And what I do with that is, like every two weeks, I have a tweet that I send out that if you reply to it with the book that you want, then you can win that book up until I run out of money, up until I run out of Amazon dollars.

Cindy Ng: Is this person an anonymous patron or benefactor? This person just sends you an Amazon gift card…with a few bucks and you share it with everyone? That’s so great.

Roxy Dee: And other people have sent me, you know, $20 to $50 in Amazon credits, and it’s just a really good…It kind of happened accidentally, and there’s the story of it on my Medium account.

Cindy Ng: What were the last three books that you gave away? – Oh, the last three? Well… – Or the last one, if you…

Roxy Dee: …the most popular one right now, this is just based on the last one that I did, is the Defensive Security Handbook. That was the most popular one. But I also get a lot of requests for Practical Packet Analysis by Chris Sanders and Practical Malware Analysis. And so this one, actually, this is a very recent book that came out called the Defensive Security Handbook. That’s by Amanda Berlin and Lee Brotherston. And that’s about…it says, “Best practices for securing infrastructure.” So it’s a blue team-themed book. That’s actually sold over 1,000 copies already and it just came out recently. It came out about a month ago. Yeah. So I think that’s going to be a very popular book for my giveaways.

Cindy Ng: How are you growing yourself these days?

Roxy Dee: Well, I wanted to spend more time writing guides. I just want to write things that can help beginners. I have set up my Medium account, and I posted something on setting up a honeypot network, which is a very…it sounds very complicated, but I broke it down step by step. So my goal in this was to make one article where you could set it up. Because a lot of the issues I was having was, yeah, I might find a guide on how to do something, but it didn’t include every single step. Like they assumed that you knew certain things before you started on that guide. So I want to write things that are easy for people to follow without having to go look up other sources. Or if they do have to look up another source, I have it listed right there. I want to make things that are not assuming that there’s already prior knowledge.

Cindy Ng: Thank you so much for sharing with me, with our listeners.

Roxy Dee: Thank you for letting me tell my story, and I hope that it’s helpful to people. I hope that people get some sort of inspiration, because I had a lot of struggles and, you know, there’s plenty of times I could have quit. And I just want to let people know that there are other ways of doing things and you don’t have to do something a certain way. You can do it the way that works for you.
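The wire-transfer detection gap described in the interview above, as an added example that is not from the podcast or from any system Roxy Dee worked on: it runs a single-amount rule and a per-account rolling-window sum over constructed transfer records. The 10,000 limit, the 24-hour window, the record layout and all function names are assumptions; the interview gives no figures.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds for illustration; the interview states no figures.
WIRE_LIMIT = 10_000
WINDOW = timedelta(hours=24)

# Constructed sample records: (timestamp, account, channel, amount)
SAMPLE_TRANSFERS = [
    ("2017-08-01T09:00", "acct-A", "wire", 12_000),  # one large wire
    ("2017-08-01T09:05", "acct-B", "wire", 3_000),   # small pieces ...
    ("2017-08-01T11:30", "acct-B", "wire", 3_500),
    ("2017-08-01T15:45", "acct-B", "wire", 4_000),   # ... totalling 10,500 in under 7 hours
    ("2017-08-01T10:00", "acct-C", "wire", 4_000),   # spread over two days: stays below the limit
    ("2017-08-03T10:00", "acct-C", "wire", 4_000),
    ("2017-08-03T12:00", "acct-C", "wire", 1_500),
    ("2017-08-01T12:00", "acct-D", "ach", 9_000),    # different channel, out of scope for a wire rule
    ("2017-08-01T13:00", "acct-D", "ach", 9_000),
]


def parse(transfers):
    """Keep wire transfers only, as (datetime, account, amount), oldest first."""
    return sorted(
        (datetime.fromisoformat(ts), acct, amt)
        for ts, acct, channel, amt in transfers
        if channel == "wire"
    )


def single_amount_rule(transfers, limit=WIRE_LIMIT):
    """Original style of rule: alert only when one wire reaches the limit."""
    return [(acct, ts, amt) for ts, acct, amt in parse(transfers) if amt >= limit]


def rolling_sum_rule(transfers, limit=WIRE_LIMIT, window=WINDOW):
    """Alert when wires that are each below the limit add up to it within the window."""
    recent = defaultdict(deque)   # account -> (timestamp, amount) pairs still in the window
    totals = defaultdict(int)     # account -> sum of the amounts held in recent[account]
    alerts = []
    for ts, acct, amt in parse(transfers):
        if amt >= limit:
            continue              # already reported by single_amount_rule
        q = recent[acct]
        q.append((ts, amt))
        totals[acct] += amt
        # Drop transfers that have aged out of the window.
        while ts - q[0][0] > window:
            totals[acct] -= q.popleft()[1]
        if totals[acct] >= limit:
            alerts.append((acct, ts, totals[acct], len(q)))
            # Reset so that the same burst produces one alert, not one per later transfer.
            q.clear()
            totals[acct] = 0
    return alerts


if __name__ == "__main__":
    for acct, ts, amt in single_amount_rule(SAMPLE_TRANSFERS):
        print(f"single-amount alert: {acct} sent {amt} at {ts}")
    for acct, ts, total, count in rolling_sum_rule(SAMPLE_TRANSFERS):
        print(f"rolling-sum alert: {acct} sent {total} in {count} wires, last at {ts}")
```

Tuning the window and limit against a baseline of normal sessions, as the interview suggests, is what keeps the false-positive rate of the second rule manageable.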

 

[Podcast] Blackhat Briefings That Will Add to Your Tool Belt

We’re counting down to Blackhat USA, one of the world’s leading information security conferences, where we’ll learn about the latest research, development and trends.

We’ll also be at booth #965 handing out fabulous fidget spinners and showcasing all of our solutions that will help you protect your data from insider threats and cyberattacks.

In this podcast episode, we discussed not only sessions you should attend, but also questions to ask that will help you reduce risk. We even covered why it isn’t wise to rely only on important research methods like honeypots to save you from insider threats or other attacks.

Tool of the Week: Virtual Private Cloud (VPC)

Panelists: Kris Keyser, Kilian Englert, Mike Buckbee

[Podcast] Cyber Threats Are Evolving and So Must Two-Factor

Finally, after years of advocacy, many popular web services have adopted two-factor authentication (2FA) as a default security measure. Unfortunately, as you might suspect, attackers have figured out workarounds. For instance, attackers can intercept your PIN in a password reset man-in-the-middle attack.

So what should we do now? As the industry moves beyond 2FA, the good news is that three-factor authentication is not on the shortlist as a replacement. Google’s identity systems manager, Mark Risher said, “One of the truths we’ve found is that people won’t accept more security than they think they need.”

There have been talks about using biometrics as a promising form of authentication. In the meantime, know that using 2FA is more secure than using just a password.

Panelists: Rob Sobers, Mike Buckbee, Kilian Englert

[Podcast] Budgets and Ethics

Right now, many companies are planning 2018’s budget. As always, it is a challenge to secure enough funds to help with IT’s growing responsibilities. Whether you’re a nonprofit, small startup or a large enterprise, you’ll be asked to stretch every dollar. In this week’s podcast, we discussed the challenges a young sysadmin volunteer might face when tasked with setting up the IT infrastructure for a nonprofit.

And for a budget interlude, I asked the panelists about the growing suggestion that engineers take philosophy classes to help with ethics-related questions.

Tool of the week: honeyλ, a simple, serverless application designed to create and monitor URL {honey}tokens, on top of AWS Lambda and Amazon API Gateway

Panelists: Kilian Englert, Mike Thompson, Mike Buckbee

[Podcast] Is Data Worth More Than Money?

When it comes to infosecurity, we often treat data like money. And rightfully so. After all, data is valuable. Not to mention the human hours devoted to safeguarding an organization’s data.

However, when a well-orchestrated attack is carried out to destroy an organization’s data rather than for financial gain, we wondered if data is really worth more than money.

Sure, you can quantify the cost of tools, equipment and hours spent protecting data, but what about intellectual and emotional labor? How do we assign proper value to the creative essence and spirit of what makes our data valuable?

Panelists: Mike Buckbee, Kilian Englert, Mike Thompson

[Podcast] In the Dark about Our Data

It’s been reported that 85% of businesses are in the dark about their data. This means that they are unsure what types of data they have, where it resides, who has access to it, who owns it, or how to derive business value from it. Why is this a problem? First, the consumer data regulation, GDPR, is just a year away, and if you’re in the dark about your organization’s data, meeting this regulation will be a challenge. If your organization is outside the EU but processes EU citizens’ personal data, GDPR rules will apply to you.

Second, when you encounter attacks such as ransomware, it’s a bit of a mess to clean up. You’ll have to figure out which users were infected, if anything else got encrypted, when the attack started, and how to prevent it from happening in the future.

However, what’s worse than a ransomware attack are attacks that don’t notify you, like insider threats! These threats don’t present you with a ransomware-like pop-up window that tells you you’ve been hacked.

It’s probably better to be the company that got scared into implementing some internal controls, rather than the one that didn’t bother and then went out of business because all its customer data and trade secrets ended up in the public domain.

In short, it just makes good business and security sense to know where your data resides.

Tool of the week: DNSTwist

Panelists: Mike Thompson, Kilian Englert, Mike Buckbee

The Complete Guide to Ransomware

Overview

Ransomware – malware that encrypts a victim’s data and demands a ransom be paid within a short time frame, or the victim risks losing all their files – has been around for quite some time. In 1989 the first known ransomware, dubbed the AIDS Trojan, infected 20,000 floppy diskettes – remember those? The diskettes supposedly contained information on the AIDS virus, and were handed out during a conference. Once the DOS-based software was loaded from the disk, the program counted the number of times the computer was rebooted. Once it reached 90, it would hide the directories, encrypt the names of the files and request $189.00 to decrypt the files.

Ransomware has since evolved from its early sneaker-net roots, leveraging the Internet and email to spread to different computers. However, it still follows a predictable script, not all that different from the original AIDS Trojan. After the ransomware enters our networks via a phishing attack, files get encrypted, and the user sees a notification with instructions on how to submit bitcoins in order to decrypt files.

Unfortunately, ransomware attackers have seen how lucrative ransom payments can be. With each attack worth hundreds to thousands of dollars or more, they’ve become even more ambitious with the amount they’re demanding, and how they’re demanding it.

How’s this for ambition: some attackers, even after you’ve paid them the ransom, only partially unlock the files in an effort to demand even more from vulnerable businesses. In one case, a hacker even demanded a ransom as high as one million dollars.

They’re also pushing the boundaries to see how quickly they’re able to extort from unprepared individuals and organizations. Recently, we were introduced to a different attack vector with WannaCry. Instead of a phishing attack, attackers used the NSA’s ETERNALBLUE exploit, allowing the ransomware to spread peer-to-peer within an organization, impacting vulnerable Windows machines – laptops, desktops, tablets, and servers.

The result? WannaCry was the fastest and largest ransomware attack we’ve seen so far. However, some security experts are already debating whether the latest NotPetya attack is even deadlier than WannaCry.

By experimenting with how an attack is released, how much to extort, and the intensity and velocity with which it spreads harm, hackers advance their knowledge base, changing how they develop new strains as well as their attack vectors.

What hasn’t changed is that it is still possible to detect and prevent a zero-day ransomware attack – that’s according to a Northeastern University ransomware research paper. In Cutting the Gordian Knot: A Look Under the Hood of Ransomware Attacks, this research team analyzed 1,359 ransomware samples between 2006 and 2014, and found that a “close examination on the file system activities of multiple ransomware samples suggests that by… protecting Master File Table (MFT) in the NTFS file system, it is possible to detect and prevent a significant number of zero-day ransomware attacks.” [1]

In this guide, we’ll help you better understand the role that bitcoin plays in ransomware, various types of ransomware, attack vectors, and cover a few mitigation methods.

What Bitcoin Has to Do With Ransomware

Bitcoin is often associated with ransomware because attackers typically request payments to be submitted in that form of currency. But what exactly is bitcoin?

Bitcoin is digital currency that lets you anonymously buy goods and services. You can send bitcoins digitally using a mobile phone app or computer. It’s as easy as swiping a credit card.

Bitcoins are stored in a digital wallet, which resides in the cloud or on a user’s computer. It’s similar to a bank account, but the funds are not insured by the FDIC. Also, bitcoins aren’t tied to any country or subject to regulation, and there are no credit card fees.

Each bitcoin transaction is on a public log. Names of buyers and sellers are anonymous – only their wallet IDs are revealed. This allows buyers and sellers to do business without it being easily traced back to them. As a result, bitcoin has become a popular form of payment among cybercriminals. To evade identification, many bitcoin addresses used by cybercriminals have no more than 6 transactions. [2]

To make a bitcoin payment, victims are often told to download anonymous browsers, such as Tor2web or Torproject, in order to visit a URL hosted on anonymous servers. Tor (The Onion Router) makes it difficult to trace the location of the server or the identity of its operators.

Should You Pay?

The short answer is: it depends.

But Some Say, Yes

At a Cybersecurity Summit, Joseph Bonavolonta, the Assistant Special Agent in charge of the FBI’s CYBER and Counterintelligence Program said, “To be honest, we often advise people just to pay the ransom.”

He explained, “The success of the ransomware ends up benefitting victims: because so many people pay, the malware authors are less inclined to wring excess profit out of any single victim, keeping ransoms low. And most ransomware scammers are good to their word. You do get your access back.”

If you pay, the FBI stated that most ransomware payments are typically between $200 and $10,000.3

But there have been instances where the payment has been much higher. In 2014, the City of Detroit’s files were encrypted and the attackers demanded a ransom of 2,000 bitcoins, worth about $800,000.4 Luckily, the ransom was not paid because the database wasn’t used or needed.

There might be times when you’re faced with other considerations. The Tennessee Dickson County Sheriff’s Office paid $622.00 in bitcoin to hackers who encrypted the department’s criminal case files, making them inaccessible to investigators.5 Detective Jeff McCliss said, “It really came down to a choice between losing all of that data – and being unable to provide the vital services that that data would’ve assisted us in providing the community versus spending 600-and-some-odd dollars to retrieve the data.” The department was lucky; it got back access to its files.6

Thou Shall Not Pay

Some security experts disagree with Mr. Bonavolonta’s remarks and urge you not to pay the ransom because there’s no guarantee that, even after you pay, your files will return to their original state. Moreover, paying perpetuates an ongoing problem, making you a target for more malware.

In 2016 it was reported that a Kansas hospital hit with ransomware paid the ransom in hopes of getting back to business as soon as possible, but the payment only partially decrypted their files. Instead, the cybercriminals demanded more money to decrypt the rest. As a result, the hospital refused to pay a second ransom because it was no longer “a wise maneuver or strategy.”

Worse, if you get infected with a defective strain such as Power Worm, you won’t get your files back regardless of what you do. Even if you intend to pay the ransom, this attack will inevitably destroy your data while encrypting it.

Alternatively, if you encounter an attack like NotPetya where the intention wasn’t about financial gain, but destroying data, even if you stockpile bitcoins to pay the ransom, you won’t get your data back.

The Department of Homeland Security has also advised victims not to negotiate with hackers. Conflicting advice has prompted a debate about whether the FBI is encouraging behavior that will lead to more hacking.

In a Wall Street Journal interview, FBI spokeswoman Kristen Setera declined to say if FBI officials recommend paying a ransom to hackers, as Mr. Bonavolonta stated.7

Why You Should Work With Law Enforcement

John Carlin, former Assistant Attorney General for the U.S. Department of Justice’s National Security Division acknowledged in a recent podcast that there remains confusion at the FBI on whether or not you should pay.

He confirmed that the FBI officially does not encourage paying a ransom. However, similar to a kidnapping case, that doesn’t mean that if you go to law enforcement, that they’re going to recommend you not to pay.

But one thing is for certain. If you do go to law enforcement, they will be able to provide a few insights that you wouldn’t otherwise have.

First, law enforcement can provide you with valuable information. Carlin advised “If it’s a group they’ve been monitoring, they can tell you…whether they’ve seen that group attack other actors before, and if they have, whether if you pay they’re likely to go away or not. Because some groups just take your money and continue.”

Secondly, he also identified a major benefit to working with law enforcement – you’ll be hedging against the risk of inadvertently paying off a terrorist when you pay the ransom. He advised, “You can end up violating certain laws when it comes to the Office of Foreign Assets Control by paying a terrorist or another group that’s designated as a bad actor. But more importantly, you do not want to be in a situation where it becomes clear later that you paid off a terrorist.”

But Before You Pay, Find Out If There’s A Decryption Tool

Finally, if you are faced with managing a ransomware attack, go online to see if a decryption tool exists. If you’re able to find the keys, there’s no need to pay. Sometimes, when the police and security experts investigate cybercriminal activity, they can obtain decryption keys from malicious servers and share them online, as happened for CoinVault, TeslaCrypt, and the popular CryptoLocker.

Keep in mind, whether or not you pay the ransom, the cumulative cost of a ransomware attack is typically greater than the ransom. The cost to the brand, loss of productivity, legal fees, etc all accrue once the attack vector is triggered.

Perhaps another way that might help you decide is to understand the type of ransomware you’re dealing with.

Major Ransomware Types

Let’s get started. In Cutting the Gordian Knot: A Look Under the Hood of Ransomware Attacks, researchers identified three major types: encryption, deletion, and locking.

Encryption

CryptoLocker and CryptoWall have a reputation for being strong encryption ransomware. Encryption is the process of applying an algorithm (also known as a cipher) to data so it is unintelligible to anyone without the key. To decrypt the data, you’ll need keys. There are two types: symmetric and public.

Symmetric Keys

Advanced Encryption Standard (AES), Rivest Cipher 4 (RC4), and Data Encryption Standard (DES) are examples of symmetric-key algorithms. With symmetric encryption, the same key is used for both encryption and decryption. It’s only effective when the symmetric key is kept secret by the two parties involved.

Public Keys (Asymmetrical Key)

Rivest, Shamir, & Adleman use two different keys in their famous RSA algorithm: a public key that everyone has access to, and a private key that is controlled by the person you wish to communicate with.

Strength of an Encryption

To understand the strength of the encryption, you have to look at both the type of encryption being used – whether symmetric or public/asymmetric – and the key length.

Two important facts: the longer the key, the stronger the encryption, and key length is measured in bits.

Breaking an Encryption

For a symmetric algorithm, you’ll need a couple of hours of computer time for something like a 20-bit key or years for a 128-bit key (2^128 = 340282366920938463463374607431768211456 possible keys of 128 bits).

For a public key algorithm, a key length of 32 bits would only require 2^32 combinations. Even a 512-bit key can be easily broken (within a few months), but a 2,048-bit key is far harder.

Comparing public and symmetric keys can be confusing. Here’s a rough benchmark: a 350-bit RSA key is considered roughly the same strength as 40-bit RC4, and 512-bit AES.

The wonky reasons for these differences in key-breaking speeds have to do with the fact that in RSA, you have to factor a number – don’t ask!

Ransomware Encryptions

The first ransomware variants used a symmetric-key algorithm and eventually upgraded to public keys. Today, more advanced ransomware uses a combination of symmetric and public.

Most cybercriminals probably wouldn’t use a public key to encrypt a large file system because it is much slower than symmetric-key encryption. And taking too long to encrypt files could thwart the ransomware operation before the encryption process is fully completed.

So a better idea is to use symmetric techniques to quickly encode the file data, and asymmetric techniques to encode the key. In CryptoLocker, for example, AES (symmetric) was used for file encryption, and RSA (public) for AES key encryption.

Another blend you might see in the near future is elliptical curve cryptography (ECC) and RSA. ECC is described as the next generation of public key, in which you can create faster, smaller, and more efficient cryptographic keys. Some researchers say that ECC can yield a level of security with a 164-bit key that other systems require a 1,024-bit key to achieve.8

Deletion

With deletion, attackers threaten and warn: any of your attempts to decrypt files would only result in an “irrevocable loss of your data.”9 Or if you don’t pay, the files get deleted. Popular examples of deletion include Gpcode and FileCoder.

Typically when we delete something, we wipe it off the disk. But in analyzing all the samples, the researchers learned that lots of data remained on disk because attackers were lazy, often choosing the easiest path. However, they’re also very clever. The researchers found that while the NTFS Master File Table indicated that files were deleted, the files were actually still on disk, so recovery is potentially possible. However, depending on the strain and how ransomware evolves, there’s also the potential that your data might be destroyed.

Locking

With locking, attackers create a new login screen or HTML page that makes it appear as though a law enforcement agency has taken over the computer. They display a warning citing laws on matters such as copyrighted materials or child pornography. Or they might disable other components, typically keyboard shortcuts. Examples include Winlock and Urausy.

Attack Vectors

You can bet that new types of ransomware are constantly being developed, including attack vectors that aren’t like the usual garden variety, such as malvertising, ransomworm, and peer-to-peer file transfer programs.

As I was once reminded by a security pro, attacks don’t need to be complicated. It can be something as simple as a link in an email or an email attachment and that’s what most ransomware strains rely on to get in your network. Therefore curious individuals who can’t resist clicking on links or opening attachments would benefit from security awareness training.

Let’s not forget the devastating effects of WannaCry and NotPetya, so make sure your software is up-to-date so that your security updates are also up-to-date!

We’re also seeing more instances of Ransomware-as-a-Service, where hackers sell their malware to other cybercriminals, increasing the frequency and reach of ransomware. Ransomware authors can enlist anyone to sign up and everyone would earn a percentage of the profits. To combat this problem, organizations might benefit from a few mitigation strategies, which we’ll cover later.

What to Do After You’ve Been Infected

Most people don’t realize they’ve been infected until their screen displays a ransom note, notifying them that their files have been encrypted. If you discover that your computer has been infected, shut down your computer or disconnect from the network.

If you’ve decided against paying the ransom, scan your computer with an anti-virus or anti-malware program and let it remove everything. You can potentially use PowerShell or other tools to identify encrypted files, but with a new ransomware variant popping up every week, there isn’t a one size fits all identification and decryption tool. What most experts recommend is to restore from a backup.

One caveat is that backups aren’t 100% fail safe. Some ransomware strains will either encrypt your backups or worse, hide in your backups so that after you restore files they will attack again.

However, if you decide to pay the ransom, you have our sympathy! We empathize and understand what a pain it must have been and hope that once you pay, all your files get decrypted. Don’t forget to scan your computer with an anti-virus or anti-malware program and let it remove everything. Also review the mitigation methods below!

Mitigation Methods

Monitor File System Activity

After looking at 1,359 ransomware samples, the Northeastern University researchers learned that it is possible to stop a large number of ransomware attacks, even those using deletion and encryption capabilities.

Significant changes occur in the file system (i.e., large number of deletions in the log) when the system is under attack. By closely monitoring the file system logs and configuring your monitoring solution to trigger an alert when this behavior is observed, you can detect the creation, encryption, or deletion of files.

User Behavior Analytics or Signature-Based?

Some IT pros have turned to endpoint security solutions in the hope that they will detect and stop crypto-malware. However, the industry is catching on to the fact that, as one observer put it, “signature-based antivirus software that most organizations still rely on to defend them can’t cope with modern attacks.”

A recent CIO article described the drawback best:

 “… while a signature-based approach reduces the performance hit to the systems on which it runs, it also means somebody has to be the sacrificial sheep. Somebody has to get infected by a piece of malware so that it can be identified, analyzed and other folks protected against it. And in the meantime the malefactors can create new malware that signature-based defenses can’t defend against.”

Bottom line: endpoint security solutions can’t block unknown ransomware variants by, for example, blacklisting connections to a current (but outdated) list of C&C servers. They’re also bound to a device/user/process, and so don’t provide any anti-heuristics or debugging techniques.

Instead, User Behavior Analytics (UBA) has become an essential go-to ransomware prevention measure. It’s also been known to detect zero-day ransomware attacks.

Defending the inside from legitimate users is just not part of the equation for perimeter-based security, and hackers are easily able to go around the perimeter and get inside. They enter through legitimate public ports (email, web, login) and then gain access as users.

Once in, cybercriminals have become clever at implementing a ransomware attack that isn’t spotted by anti-virus software.

In fact, to an IT admin who is just monitoring their system activity, the attackers appear as just another user.

And that’s why you need UBA!

UBA really excels at handling the unknown. In the background, the UBA engine can baseline each user’s normal activity, and then spot variances and report in real time – in whatever form they reveal themselves. For instance, an IT admin can configure a rule to, say, spot thousands of “file modify” actions in a short time window.

UBA takes a cross-system approach, too, i.e., it can notice abnormal file behavior combined with weird email actions combined with weird login behavior (from AD). Think of UBA as File System Monitoring 2.0 – and keep in mind that the best UBA benefits from having the most context.
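The file-system monitoring and UBA rule described above, sketched as an added example (not code from the original guide or from any product): each user's normal rate of modify/delete/rename events is learned from history, and an alert fires when a sliding window exceeds that user's own limit. The log format, user names, share path, 60-second window, floor of 20 events and 3-sigma margin are all assumptions chosen for the demonstration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from statistics import mean, pstdev

EPOCH = datetime(1970, 1, 1)
WATCHED = {"modify", "delete", "rename"}
SHARE = r"\\fs01\finance"          # hypothetical share name


def parse_event(line):
    """Parse 'ISO-timestamp user action path' (constructed log format)."""
    ts, user, action, path = line.rstrip("\n").split(" ", 3)
    return datetime.fromisoformat(ts), user, action.lower(), path


class BurstDetector:
    def __init__(self, window=timedelta(seconds=60), floor=20, sigmas=3.0):
        self.window = window
        self.floor = floor                  # minimum limit for any user
        self.sigmas = sigmas
        self.thresholds = {}                # user -> learned events-per-window limit
        self.recent = defaultdict(deque)    # user -> timestamps inside the window
        self.muted_until = {}               # user -> no repeat alert before this time

    def learn(self, lines):
        """Build each user's baseline from historical, known-good activity."""
        buckets = defaultdict(lambda: defaultdict(int))
        width = self.window.total_seconds()
        for line in lines:
            ts, user, action, _ = parse_event(line)
            if action in WATCHED:
                buckets[user][int((ts - EPOCH).total_seconds() // width)] += 1
        for user, per_window in buckets.items():
            counts = list(per_window.values())   # only windows that saw activity
            limit = mean(counts) + self.sigmas * pstdev(counts)
            self.thresholds[user] = max(self.floor, limit)

    def observe(self, line):
        """Feed one live event; return an alert dict, or None."""
        ts, user, action, path = parse_event(line)
        if action not in WATCHED:
            return None
        q = self.recent[user]
        q.append(ts)
        while ts - q[0] >= self.window:     # drop events older than the window
            q.popleft()
        limit = self.thresholds.get(user, self.floor)
        if len(q) <= limit or ts < self.muted_until.get(user, EPOCH):
            return None
        self.muted_until[user] = ts + self.window   # one alert per window
        return {"user": user, "time": ts, "count": len(q),
                "limit": limit, "last_path": path}


def constructed_lines(user, start, per_minute_counts, action="modify"):
    """Generate constructed sample log lines: n evenly spaced events per minute."""
    lines = []
    for minute, n in enumerate(per_minute_counts):
        for i in range(n):
            ts = start + timedelta(minutes=minute, seconds=60.0 * i / n)
            lines.append(f"{ts.isoformat()} {user} {action} "
                         f"{SHARE}\\{user}\\doc{minute}_{i}.docx")
    return lines


def run_demo():
    day1, day2 = datetime(2017, 8, 1, 9, 0), datetime(2017, 8, 2, 9, 0)
    det = BurstDetector()
    # Baseline: alice edits ~5 files a minute, bob (a busy account) 35-45.
    det.learn(constructed_lines("alice", day1, [5] * 30)
              + constructed_lines("bob", day1, [35, 45] * 15))
    # Live: bob stays within his norm; alice suddenly modifies 300 files a minute.
    live = (constructed_lines("bob", day2, [50])
            + constructed_lines("alice", day2, [300]))
    live.sort(key=lambda l: parse_event(l)[0])
    return [a for a in map(det.observe, live) if a]


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Bob's 50 modifications a minute stay under his learned limit of 55, while alice trips her limit of 20 four seconds into the burst; a single global threshold would either miss alice or alert on bob.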

Create Honeypots

Cybercriminals may avoid encrypting all files and start by encrypting recently accessed files. Create a decoy by creating fake files and folders, and monitor them regularly.

This is also a good method for organizations that don’t have an automated solution to monitor file access activity. Without one, you might be forced to enable file system native auditing, which unfortunately taxes your monitored systems. Instead of auditing everything, prioritize sensitive areas and set up a file share honeypot.

A file share honeypot is an accessible file share that contains files that look normal or valuable, but in reality are fake. As no legitimate user activity should be associated with a honeypot file share, any activity observed should be scrutinized carefully. If you’re stuck with manual methods, you’ll need to enable native auditing to record access activity, and create a script to alert you when events are written to the security event log (e.g. using dumpel.exe).
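A polling check for a file share honeypot, as an added example that is not part of the original guide: decoy files are written with a hash manifest kept outside the share, and any modified, missing or unexpected file is reported. The decoy names, contents and the simulated tampering are constructed for the demonstration; this catches writes, deletions and renames, while read access still requires native auditing.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Hypothetical decoy names with filler content (constructed for this example).
DECOYS = {
    "Payroll_2017.xlsx": b"decoy payroll workbook\n" * 40,
    "Passwords.txt": b"decoy credential list\n" * 40,
    "Board_Minutes.docx": b"decoy meeting minutes\n" * 40,
}


def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def deploy(share, manifest):
    """Write the decoys and record their hashes in a manifest outside the share."""
    share.mkdir(parents=True, exist_ok=True)
    record = {}
    for name, content in DECOYS.items():
        target = share / name
        target.write_bytes(content)
        record[name] = sha256(target)
    manifest.write_text(json.dumps(record, indent=2))
    return record


def check(share, manifest):
    """Return (finding, file) pairs; an empty list means the honeypot is untouched."""
    expected = json.loads(manifest.read_text())
    present = {p.relative_to(share).as_posix(): p
               for p in share.rglob("*") if p.is_file()}
    findings = []
    for name, digest in expected.items():
        if name not in present:
            findings.append(("missing", name))        # deleted or renamed
        elif sha256(present[name]) != digest:
            findings.append(("modified", name))       # content rewritten in place
    for name in sorted(set(present) - set(expected)):
        findings.append(("unexpected", name))         # new file, e.g. a dropped note
    return findings


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp) / "share"
        manifest = Path(tmp) / "manifest.json"        # deliberately not in the share
        deploy(share, manifest)
        clean = check(share, manifest)
        # Simulated tampering, standing in for what a file-modifying process leaves:
        (share / "Payroll_2017.xlsx").write_bytes(b"\x00" * 64)
        (share / "Passwords.txt").rename(share / "Passwords.txt.locked")
        (share / "README_RESTORE.txt").write_text("constructed note")
        return clean, check(share, manifest)


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

Run `check` on a schedule from a host whose account can read the share but whose manifest copy the share's users cannot write to, and treat any non-empty result as an incident trigger.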

Least Privilege Model

Another approach is to control access to data and work towards achieving a least privilege model. Your goal is to reduce exposure quickly by removing unnecessary global access groups from access control lists. Groups such as “Everyone,” “Authenticated Users,” and “Domain Users” when used on data containers (like folders and SharePoint sites) can expose entire hierarchies to all users in a company. In addition to being easy targets for theft or misuse, these exposed data sets are very likely to be damaged in a malware attack. On file servers, these folders are known as “open shares” – where both file system and sharing permissions are accessible via a global access group.

Additional Resources


1 http://seclab.ccs.neu.edu/static/publications/dimva2015ransomware.pdf

2 http://seclab.ccs.neu.edu/static/publications/dimva2015ransomware.pdf

3 https://www.ic3.gov/media/2015/150623.aspx

4 http://www.detroitnews.com/story/news/politics/michigan/2014/11/17/north-american-international-cyber-summit/19162001/

5 http://www.nbcnews.com/nightly-news/security-experts-you-should-never-pay-ransomware-hackers-n299511

6 http://www.nbcnews.com/nightly-news/security-experts-you-should-never-pay-ransomware-hackers-n299511

7 https://www.wsj.com/articles/paying-ransoms-to-hackers-stirs-debate-1447106376

8 http://searchsecurity.techtarget.com/definition/elliptical-curve-cryptography

9 http://www.anti-spyware-101.com/remove-filecoder-ransomware

[Podcast] What Does the GDPR Mean for Countries Outside the EU?



The short answer is: if your organization stores, processes or shares EU citizens’ personal data, the EU General Data Protection Regulation (GDPR) rules will apply to you.

In a recent survey, 94% of large American companies say they possess EU customer data that will fall under the regulations, with only 60% of respondents having plans in place to respond to the impact the GDPR will have on how they handle customer data.

Yes, GDPR isn’t light reading, but in this podcast we’ve found a way to simplify the GDPR’s key requirements so that you’ll get a high level sense of what you’ll need to do to become compliant.

We also discuss the promise and challenges of what GDPR can bring – changes to how consumers relate to data as well as how IT will manage consumer data.

After the podcast, you might want to check out the free 7-part video course we developed with Troy Hunt on the new European General Data Protection Regulation that will tell you: What are the requirements?  Who will be affected?  How does this help protect personal data?

[Podcast] Troy Hunt and Lessons from a Billion Breached Data Records



Troy Hunt is a web security guru, Microsoft Regional Director, and author whose security work has appeared in Forbes, Time Magazine and Mashable. He’s also the creator of “Have I been pwned?”, the free online service for breach monitoring and notifications.

In this podcast, we discuss the challenges of the industry, learn about his perspective on privacy and revisit his talk from RSA, Lessons from a Billion Breached Data Records as well as a more recent talk, The Responsibility of Disclosure: Playing Nice and Staying Out of Prison.

After the podcast, you might want to check out the free 7-part video course we developed with Troy on the new European General Data Protection Regulation that will be law on May 25, 2018. It will change the landscape of regulated data protection law and the way that companies collect personal data. Pro tip: GDPR will also impact companies outside the EU.

Transcript

Cindy Ng: Troy Hunt is a web security guru, Australian Microsoft Regional Director and author whose security writing has appeared in Forbes, Time Magazine, and Mashable. In this podcast, we talk about his popular website, Have I Been Pwned, the morals and ethics in the work we’re involved in, and one thing everyone should get when it comes to security.

I’d like to try to capture on a podcast things that we can’t do in writing or in visual format and I think there’s an emotional aspect in audio. It really helps people get to know more of who you are.

Troy Hunt: You know, those were the exact words that just came to mind as you were saying it because there’s a lot of feeling and sentiment that gets lost when you just throw things out, isn’t there?

Cindy Ng: Mm-hmm. Definitely. And you have a site, Have I Been Pwned, that notifies people when there’s a data breach. And I was listening to your recording that you did at RSA, “Lessons from a Billion Breached Records.” I thought it was really interesting that you were making the case that kids, they’re 18, 19, 20 years old that are hackers, then you’re mediating conversation with them. Do you talk to their parents?

Troy Hunt: No, I just tell them to go to their room and think about what they’ve done. And we…no, I can’t do that. I feel like doing that at times because you get the sense, and to be clear, when we say, “talk,” it is all text, right? This is not what you and I are doing. And to the earlier point, that, yeah, this doesn’t sort of convey emotion and sentiment and maturity in the same way as a voice discussion does. This is all sort of text-based chat. And you sort of get the impression from the style of chat, the words that are used, the references that are made, you build up this mental image of who you’re talking to, right? And time and time again, it’s like this is a young male, it’s either legally a child, you know, normally 15, 16, 17, or very young adult, maybe sort of early 20s at the eldest. And time and time again, we see that that plays out to be the case. And particularly when we look at historical incidents of the likes of “hacktivists” being arrested and charged and that’s a little bit of a liberally-used term, I suspect, hacktivist. Very often when we see people that have been breaking into systems and causing havoc for not necessarily for sort of monetary gain or personal advancement, but just because it was there, just for the lulz. We see this pattern time and time again. Look, I mean, certainly, at that age, people are independent enough that I’m not going to end up in conversations with their parents. That would be condescending for me to go, “Hey, is your mom or dad there?” You know, “Can I have a chat to them?” So, we don’t normally end up in that direction.

Cindy Ng: It’s just funny that you’re engaging with them in a very human way to verify a breach or in the process of.

Troy Hunt: You know, they are human.

Cindy Ng: Well, we really don’t know what hackers look like. We have a certain kind of image of them.

Troy Hunt: Well, I mean, yes and no. So we have put faces to them insofar as we have seen many previous incidents where we’ve seen these people, this, you know, class of person, charged and turn up publicly. I mean, some of very sort of high-profile ones have been the likes of some of the individuals from the LulzSec hacktivist group that were very active around 2011. So we know of people like Jake Davis who was about 18 at the time who was charged. We know it’s Jake because he was up there in the news as a sort of a high-profile catch, if you like, for the authorities. And we’ve also seen him and others as well in that group actually go on to do some really cool stuff in very productive ways. So, you know, I guess there is this part of us which knows in an evidence-based way who these individuals tend to be and the demographic they fit into. And then the point I make, particularly in the introduction of that talk about the billions of breached records, is that there’s this other side which is how hackers are portrayed online. Look, I mean, there’s lots of recordings of this talk, “Lessons from Billions of Breached Records,” that people can go and have a look at and see what I show, but when you go to, say, Google Images Search, and you search for “hacker,” it’s like hoodies and green screens and binary and stuff everywhere. And it’s all scary imagery. And we’ve got probably the media to blame for a lot of that, we’ve got security companies to blame for a lot of that, because they like to make this stuff scary because the more scared you are, the more security stuff you buy. So we get this sort of portrayal which is very out of step with the individuals themselves. Now, part of that as well is blown up by those individuals, whilst they are anonymous, and they’re feeling invincible, and they feel that they sort of, you know, rule the world. Having a lot of sort of bravado in the way they present themselves, the way they talk. 
If we have a look at when we see things like attacks where data is held for ransom and we see individuals asking for money. The language they use, and the way they conduct themselves seems enormously confident, they feel infallible, they sound kind of scary. And we sort of see these three aspects, so the way they present themselves, the way the media categorizes them, and then who they actually are once they’re unveiled, and those three stories tend to actually be quite different.

Cindy Ng: And do they work with others, say, if you get an encounter with ransomware, and you go to their site and there’s tech support, customer support, are those people working independently, and are they 18 years old?

Troy Hunt: You know, the way I like to explain it, and certainly, it’s not just me, I see other people use these categories as well, is, there are sort of three particular demographics that we regularly see time and time again. And one demographic is this class of individual that I’ve just been discussing, which is sort of your hacktivist, your individual who’s out there in pursuit of a greater cause, very often just bored kids with time on their hands. And, you know, they’re dangerous because they’re bored kids. Bored kids can be pretty dangerous. But they’re not necessarily overly sophisticated, their attention spans can be a little short on the target, if there’s not something fun and easy there, and then they move on.

There is this other category of attacker which is those that are actually out there for commercial gain, so those that have an ROI. And these are the sort of the career criminals. And, you know, this is a really interesting group, and it speaks more to the ransomware-style class of attacker where they are out there to try and make money. Now, very often, your hacktivist is out there because something was there or it was fun, it was, again, for the lulz. But these guys are saying, “Look, we’ve actually got an ROI here. We’re going to invest in vulnerabilities, we’re going to invest in exploits, we’re going to invest in botnets. We’ll spend money where it makes sense to make money. We will target organizations with the expectation of getting a return. They’re not necessarily out there to get press and media, they’re out there to make money. And something like ransomware is a really good example there. They’ll indiscriminately target anyone that can be infected. So I shouldn’t laugh, but I was actually in a dentist’s just two days ago and whilst I was there they were busily discovering that they had ransomware. And, oh, man, watching that unfold. But inevitably, there’s someone behind that who’s out there to make money. And that’s sort of the second category and I suspect we’ll spend a bit more time there, and then in this third category we speak about state actors and sort of nation state hackers, which, of course, is also becoming a very big thing these days.

Cindy Ng: Well, I’d like to tie it into a future event that you’ll be presenting. I think it’s called “Playing Nice and Staying Out of Prison.” And I want to hear more about that event because it reminds of these investment bankers who got caught doing insider trading, and they said that everyone inside the community, they were doing it and making money. And then the FBI reminded them that these bankers that, just because you disagree with a law, it does not mean you can break it. And so I feel like we are treading in these interesting territories where you’re sitting in front of a computer. You don’t necessarily have to be in a suit, but it’s still considered like a white-collar crime? Is this something that you’re presenting on, or?

Troy Hunt: No, look, you’re pretty much right there. In fact, the talk I’m doing, it’s at the AusCERT Conference in Australia. And it’s the only conference I go to that I can walk to, which I’m very happy about. Because normally I’ve got to get on airplanes. But this talk is called “The Responsibility of Disclosure, Playing Nice and Staying Out of Prison.” And it’s actually a talk that AusCERT asked me to do. So AusCERT is a national computer emergency response team, it’s an organization that provides services to companies in Australia to help them deal with things like security incidents. And in fact, I worked with them quite a bit last year when the Red Cross blood bank service inadvertently published their database backups publicly. So I’ve had quite a bit to do with them, and they really wanted me to talk about, how do we do responsible disclosure in a responsible fashion? So I talk a lot about the way individuals need to go about their responsible disclosure, and I’ve got an example here, I’ll give everyone a highlight before I talk about it. I got an email the other day from a guy, and the guy says, “I’m a fledgling IT professional that likes to delve into web development and security.” It’s like, “Oh, that’s very nice, thank you for emailing me.” And then he goes on and he says, “I recently discovered a bug in an American company’s website which reveals the names, birthdates, email addresses, physical addresses, and phone numbers of their customers.” And you’re sort of going, “Okay, well, that’s bad, but he’s discovered it,” so now he’s at this crossroads where he can do the right thing and get in touch with the organization or he can go down various shades of gray and do the wrong thing. 
And the next thing he says is, he says, “This may have been dumb,” that turns out to be a very insightful comment, “But I wrote a script to grab the first 10,000 records to confirm the exploit is what I thought it was.” And this is a really good example of where the guy could have grabbed the first one record and said, “Hey, look at this, I can see someone else’s record, now I’m going to get in touch with the company and let them know.” And they would’ve gone, “Okay, well, look, he’s gone far enough to see one record.” And let’s say they did want to get all legal, and he’s gotta stand there in front of the judge and go, “Look, mate, I saw one record, I reported it, I handled it ethically.” But instead, he’s gone and grabbed 10,000 records of other people’s personal data. And as soon as you go down that road, now you’ve got a big problem. Because the entity involved is going to be accountable or certainly is going to be held accountable for contacting those 10,000 people and saying, “Hey, someone else grabbed your data.” And that’s going to invoke all sorts of other legal obligations on their behalf as well. So even though I don’t think this individual had malicious intent, obviously he went way, way, way beyond what he actually needed to. And it’s just interesting how…and, you know, look, maybe the script took him 20 minutes to write, but it’s interesting how there’s just these continual crossroads where it’s so easy to do the right thing, but it’s also so easy to put yourself in serious risk of legal action.

Cindy Ng: We’ve talked about this on our podcast a couple of times about having maybe like a technologist Hippocratic Oath in the same way that doctors might take an oath. And also, a possible problem with the law not necessarily having been caught up with how fast technology is changing. Is there something that you’ve seen that’s helpful for people? Because it’s complicated.

Troy Hunt: I think the analogies that try to compare what we do in this industry with other industries often don’t fly real well. And say if we want to sort of compare ourselves to doctors, look, when you’ve got 15-year-old kids at home sort of doing heart surgery on an ad hoc basis, well, then, you know, then we make comparisons. But it is very different because to be a doctor you’ve got, you know, years and years and years of training, you’ve got to have qualifications, there’s enormous amounts of oversight and regulation and everything else. And by the time you’re actually out there practicing as a doctor and doing things that impact people’s health, obviously, we have a huge amount of confidence that these are going to be people doing the right thing, that, you know, properly experienced.

Now, when we compare that to… I mean, let’s look broader than just security, let’s look at IT. When you compare that to what do you have to do to get involved in IT, read a book? You know, like, very, very little. And that’s kind of a…what both makes it great and makes it horrifying. Where we can have people out there building systems, leaving people at risk, or conversely, people out there that have got enough capability to find vulnerabilities, but maybe not quite enough in the sort of ethics front to handle them properly.

I don’t think anything around the sort of IT Hippocratic Oath or anything around IT certifications that everyone should have is ever going to be a feasible thing.

Cindy Ng: I don’t know, I’m thinking, too, though, that it takes years and years to figure out how to build a layered security system, for instance, and it takes a lot of manpower.

Troy Hunt: Yeah. Yeah. Yes and no. Yeah, part of the challenge here is that we operate on such a global scale as the internet. And one of the things that organizations and the industry is always concerned about is that if we’re overly burden… I mean, let’s say…in the U.S. we’ve said, “Okay, anyone who’s going to produce software that runs on the internet has to go and do X, Y, Z certifications.” And then they become burdened to do that, regardless of what the upside is, there’s a time and a financial cost to do it. And then, someone goes, “Well, we could offshore it to India, and they don’t have to do that, it’d be a lot cheaper.” You know, so unless you get consensus on a global scale because we are talking about a global resource, being the internet, it’s just not going to happen. So it is a complex problem but, you know, by the same token as well, when we look at…and we’re probably sort of talking more about the defensive side here than the offensive, but when we look at where most software goes wrong, in terms of the vulnerabilities, and certainly when I look at the data breaches that I see day in and day out, these are really low-hanging risks that one person could have secured very easily if they just didn’t write that code that was vulnerable to SQL injection or if they just didn’t put their database backup in a publicly-facing location. It’s very often very low-hanging fruit in terms of the problems that are introduced, and consequently, they’re problems that could be easily fixed.

Cindy Ng: Is that part of your “Hacking Yourself” course that’s super-popular and remains to be one of your most popular courses?

Troy Hunt: No, you’re right, and the premise of hacking yourself first is that it’s very much targeted at people building systems, and it’s saying, “Hey, guys, it would be really good if you actually understood how things like SQL injection work.” So not just, you know, do you understand how T-SQL works and how you query a database, but do you understand how people break into the software that you’re writing?

So I have an online course with Pluralsight, it’s, I think, about 9 or 10 hours’ worth of content on “Hack Yourself First” and I also do these workshops around the world where I sit with developers for a couple of days and we go through all of these aspects of building software and where the vulnerabilities are. And developers get this sort of first-hand experience of breaking their own things. And it’s amazing to watch the lightbulbs go on in people’s minds as they see how their beautiful software gets abused in all sorts of ways they never expected. And by hacking themselves first, that gives them this much more sort of defensive mindset. And as well as having a lot of fun doing it, developers do actually like breaking stuff. It also means that when they go forward and they build new software, that they’re thinking with a much more defensive mindset than what they ever had before.

Cindy Ng: When you say, “lightbulbs go off,” what are some common things that they go, “Oh, I never really thought about it that way,” or, “This really changed my worldview?”

Troy Hunt: Well, a really good example is enumeration risks. So when you go and let’s say when you register on a website. You put in an email address that already exists on the site, and the site says, “You can’t use this, someone already has that email address.” Now, we see that behavior day in and day out, but the thing to think about is, well, what that means is that someone can go to your website and find out if someone has an account or not. Now, what if I take a large number of email addresses, and I keep throwing them at the registration page, and I start to build up a profile of who has accounts or not. And it suddenly starts to seem not so much fun anymore. And you say to people, “How would your business feel if they were disclosing everyone who was a member of the service?” And they sort of start to go, “Well, that wouldn’t be a really very good idea.” “So, why are you doing it?” You know? Because the defensive pattern around this is very straightforward, you know. You’ve just gotta give the same response whether the account exists or not, and then you send them an email. And you say, “Well, you’ve already got an account, go and log in,” or, “Thank you for signing up.” So there are really sort of easy ways around that, and that’s more of a sort of a logic issue than it is even a coding flaw.

Cindy Ng: If you were to share this talk with the business, what would they do?

Troy Hunt: Well, what it tends to do is prompt different discussions much earlier on in the design of the system. So in the case of something like enumeration, what you really want to be doing is at the point where you’re sort of collecting those business requirements and having the discussion, you need to be saying to the business owner, how important is it to protect the identities of the customers of this service? Now, depending on the nature of the business, it may be more or less important. So, for example, if it is… I mean, let’s just say it’s Facebook. Just about everybody has a Facebook account. It’s not going to be a great big sensational thing if someone goes, “Hey, I went to Facebook and I just figured out you’ve got…” Let’s subtly put this as a site for discerning adults. Would those discerning adults have an expectation that their significant other or their workmates or their boss would not be able to go to that site, enter their email address, and discover that they like that kind of content? Well, yes, I mean, that is a very good example of where privacy is much more important. So for the most part, I really don’t have a problem with either direction an organization goes, so long as it’s like an evidence-based decision and they arrive there having looked at the upsides and the downsides and gone, “Well, on balance, this is the right thing to do.”

Cindy Ng: You mentioned privacy. Even though people are sharing their information online, people are also worried about their privacy because you’ve heard 60 Minutes do a segment on data brokers selling our data, and all the data breaches that you hear almost every day, and I think technology’s held to a higher standard because we’re seen as progressive technology people who are basically reimagining how we’re interacting with the world, and we’re creating awesome wearables and apps, and what is your take on our worldwide debate on privacy? Are consumers worried enough? They’re not worried enough? Or, of course, you can’t speak for everyone in this world, but I want to hear from you.

Troy Hunt: It’s extremely nuanced and it’s nuanced for many reasons. So one of the reasons is, I first used the internet in 1995 and I was at university at the time, and for me, I’d sort of gone into adulthood without having known of an internet, and without having known of an environment where we shared this information day in and day out. And now we have situations where there are qualified adults in the workforce who have never known a time without the internet. They don’t really have a memory of a time without iPhones, or a time without YouTube, or any of these things that many of us that…and I don’t think I’m old, but, you know, many of us sort of remember a phase where we sort of gradually transitioned into this. And what it really means is that our tolerances for privacy and sharing are really different with younger generations than what they are with my generation, and certainly with older generations as well. And this makes things really interesting because those individuals are now starting to have a lot more influence, they’re getting involved in running businesses and getting into politics and all these other things that actually impact the way we as a society operate. And they are at a very different end of the spectrum to, say, my parents’ generation, who have a Facebook account so they can look at the photos that I post of the kids but would never put their own things on there. So I think that’s one of the big things with privacy. How different it is for different generations.

The other thing that’s really interesting with privacy now is the number of devices we have that are collecting very private information. So, you know, I have an Apple Watch. And that collects a lot of data and it puts it in the cloud. We have people that have things like Alexa at home, you know, or an Amazon Echo. So, smart devices that are listening to you. We have this crazy IoT state at the moment where everything from TVs, which are effectively listening to us as in your lounge room, and we’ve seen the likes of the CIA exploiting those, all the way through to adult toys that are internet-connected and have been shown to have vulnerabilities that disclose your private usage of them. So this is the sort of interesting paradox now, we’ve got so much collection of this very, very personal, very private data. Yet, on the other hand, we’re also seeing increasing regulation to try and ensure we have privacy. So we’ve got things like GDPR hitting in about a year’s time. Which is very centered around putting the control of personal data back into the hands of those who own it. And stuff like that becomes really interesting. Because we’re saying, “Hey, under GDPR, you might have a smart fridge, and the organization that holds the data from your smart fridge needs to recognize that it’s your data and you can have it erased and you can have access to it and do whatever you want. And there’s going to be more of it than ever because the fridge is constantly talking about, I don’t know, whatever it is a smart fridge talks about.” So it’s a really interesting set of different factors all happening at the same time.

Cindy Ng: What’s a question that you get over and over again that you get tired of explaining that, “I wish people would just get this right.”

Troy Hunt: I would say, why do you need a password manager? This week, I loaded more than a billion records into Have I Been Pwned from a couple of what they call combo lists. So, these are just big lists of email addresses and passwords built up from multiple different data breaches, we don’t even know how many. And they’re used for these credential stuffing attacks where attackers will take these lists, they’ll feed them into software which is designed to test those credentials against services like anything from your Gmail to your Spotify account, to whatever else they can figure out to do. And they go and find how many places you’ve reused your password. Because if you use the same password in LinkedIn, which got breached or we saw the data come out last year, but it got breached a few years earlier, if you use that same password on LinkedIn and Spotify, and then someone’s got your LinkedIn password and they go to Spotify, well, you know, now you’ve got a problem. Now they’re in your Spotify account. And they might sell that for some small number of dollars along with hundreds of thousands of other ones. So people sort of go, “Well, yeah, but it’s hard to have unique passwords that are strong.”

Cindy Ng: You’re no doubt extremely influential in this security space and there has been endless talk about how to bring a more diverse group into the space, and I’m wondering if you would like to provide a statement of support so that women and minorities aren’t just self-organizing?

Troy Hunt: So this is an enormously emotionally-charged subject. You know, like let’s just start there and I’m always really, really cautious because sometimes I’ll see things said on both sides of the argument, and I’ll just go, “Well, you’ve lost the plot.” But as soon as you weigh in on these things publicly, it can get very nasty.

So I guess for context, I mean, I’ve got a son and a daughter so I’ve got a foot in both camps there. I’ve got a wife who is becoming more active as a speaker who is actually on a security professionals panel in that same event I just mentioned in a couple of weeks’ time talking about diversity in security. And I’ve been involved in organizing conferences where we have to choose speakers as well. It’s a very difficult situation, particularly in that latter scenario because we all want to have diversity of people because the diversity gives you a richer experience. It gives you many different perspectives and backgrounds, rather than seeing the same cast of people over and over and over again.

On the other hand, we’re also really cautious that we don’t end up in a situation where we’re saying, “We’re going to choose someone because of their gender or their race or their political view or their sexuality or whatever it may be. Not because they have good content, but because of some other attribute which they’ve inherited.” And we’re very, very cautious with that, and interestingly, for my wife and for other women I speak to, the last thing in the world they want is to be chosen just because of their gender as opposed to their capabilities. So, it becomes a really, really difficult situation.

And what I find is that we know that in technology in general, women are massively underrepresented as a gender, and anecdotally, I would say within security, it’s even more significant than that. It’s a very, very male-dominated sector. So I think it’s a really difficult thing, and interestingly, there are parts of the world where that bias is very, very different. So apparently, Egypt has a really, really strong representation of women. I think I heard it was about half or even more. So there seems to be some cultural biases that come into play, too.

Honestly, I don’t have good answers for this other than trying as parents to give our kids equal opportunities and see what they’re drawn to. Obviously, trying to have cool, inclusive environments, we certainly see behavior at times which would be very uncomfortable for women, and that’s not cool, that’s not going to make anyone feel happy. So certainly, the conferences I’m involved in really put a lot of effort into not sort of creating that environment. And to be fair as well, we’re not saying to fundamentally change normal behaviors, we’re saying, “Like, let’s just not be dicks.” You know? “Like, let’s all be nice people.” And this is very often what it boils down to.

Ultimately, though, until this sort of pipeline of professionals coming through, until that balance changes such that it’s more evenly represented, we are going to have a significant bias towards genders and races and nationalities that simply are way, way upstream and something that we have no immediate control over at the moment.

[Podcast] John P. Carlin, Part 4: Emerging Threats

In this concluding post of John Carlin’s Lessons from the DOJ, we cover a few emerging threats: cyber as an entry point, hacking for hire and cybersecurity in the IoT era.

Among the most notable anecdotes are John’s descriptions of how easy it was to find hacking for hire shops on the dark web. Reviews of the most usable usernames and passwords and most destructive botnets are widely available to shoppers. Also, expect things to get worse before they get better. With the volume of IoT devices now available developed without security by design, we’ll need to find a way to mitigate the risks.

Transcript

Cindy Ng: You may have been following our series on John Carlin’s work during his tenure as Assistant Attorney General for the U.S. Justice Department. He described cyber as an entry point as one of our threats using our latest election process as an example. But now, John has a few more emerging threats to bring to your attention, hacking for hire and cyber security in the IoT era. One of John’s striking descriptions is how easy it is to find hacking for hire shops on the dark web. Reviews of the most usable usernames and passwords and the most destructive botnets are widely available to shoppers. Expect things to get worse before they get better. With the volume of IoT devices created without security by design, we’ll need to find a way to mitigate the risk.

John Carlin: Let me move to emerging threats. We’ve talked about cyber as an entry point, a way that an attack can start. Even when the cyber event isn’t really the critical event in the end, our electoral system and confidence in it wasn’t damaged because there was an actual attack on the voting infrastructure, if there’s an attack where they steal some information that’s relatively easy to steal and then they get to combine with the whole campaign of essentially weaponizing information, and that caused the harm. The other trend we’re seeing is the hacking for hire. I really worry about this one. I think over the next five years, what we’re seeing is, the dark web now, it’s so easy to use, well, I don’t recommend this necessarily, but when you go on it, you see sophisticated sales bazaars that look as customer-friendly as Amazon.

And when I say that I mean it literally looks like Amazon. I went on one site and it’s complete with customer reviews, like, “I gave him four stars, he’s always been very reliable, and 15% of the stolen user names and passwords that he gives me work, which is a very high rate.” Another one will be like, “This crook’s botnet has always been really good at doing denial-of-service attacks, five stars!” So that’s the way it looks right now on the dark web, and that’s because they’re making just so much, so much money they can invest in an infrastructure and it starts to look as corporate as our private companies.

What I worry about, is because those tools are for rent, use the botnet example, you know, one of the cases that we did was the Iranian Revolutionary Guard Corps attack on the financial sector. They hit 46 different financial institutions with the distributed denial-of-service attack, taking advantage of a huge botnet of hundreds and hundreds of thousands of compromised computers. They’d knocked financial institutions, who have a lot of resources, offline, affected hundreds of thousands of customers, cost tens of millions of dollars.

Right now, on the dark web, you can rent the use of an already made botnet. So the criminal group creates the botnet, they’re not the ones who necessarily use it. Right now they tend to rent it to other criminal groups who will do things like GameOver Zeus, a case that we did, you know, they’ll use it for profit, they’ll use it for things like injecting malware that will lead to ransomware or injecting malware for a version of extortion, essentially, where they were turning on people’s video cameras and taking naked pictures, and then charging money, or all the other criminal purposes you can put a botnet to.

But it doesn’t take much imagination to see how a nation state or a terrorist group could just rent what the criminal groups are doing to cause an attack on your companies. In terms of emerging threats, you’re certainly tracking the Internet of Things era. I mean, you think about how far behind we are given where the threat is just because we moved very, very quickly from putting everything we value, from analog to digital space, connecting it to the internet over a 25-year period roughly. We’re now on the verge of an even more transformative evolution, where we put not just information, but all the devices that we need from everything, from the pacemakers in our heart, the original versions that were rolled out, actually this is still an issue, for good medical reasons they wanted to be able to track in real-time information coming out of people’s hearts, but they rolled it out un-encrypted, because they just don’t think about it when it comes to the Internet of Things.

They were testing whether it worked, which it did, but they weren’t testing whether it would work where they had security by design, if a bad guy, a crook, a terrorist, or a spy wanted to exploit them. Drones in the sky, they were rolled out, same problem, rolled out originally not encrypted commercial drone. So, again, a 12-year-old could kill someone by taking advantage of the early pacemakers, they could with drones as well. And then the automobiles on our roads, forgetting the self-driving vehicle already, estimates are 70% of the cars on the road by 2020 are essentially gonna be computers on wheels.

One of the big cases we dealt with was the proof of concept hack where someone got in through the entertainment system through the steering and braking system, then led to 1.4 million car recall of Jeep Cherokees. So that’s the smart device used to cause new types of harm, from car accidents, to drones in the sky, to killing people on pacemakers. But we also just have the sheer volume, it’s exponentially increasing and we saw the denial-of-service attack that we’ve all been warning about for a period of time take place this October, knocked down essentially internet connectivity for a short period of time. Because there were just so many devices, from video cameras, etc., that are default being rolled out and can be abused. So, hopefully there will be regulatory public policy focus to try to fix that.

In the interim though, my bottom line is, things are gonna get worse before they get better on the threat side, which is why we need to focus on the risk side. We won’t spend too much time on what government’s been doing. We’ve talked about some of it a little bit already, but this is…the idea is, we need to, one, bring deterrents to bear, make the bad guys feel pain. Because as long as they’re getting away completely cost-free, offense is gonna continue to vastly outstrip defense. Number two, we gotta figure out a way to share information better with the private sector.

And I think you’re hopefully seeing some of that now, where government agencies, FBI, Justice, Secret Service are incentivized to try to figure out ways to increase information sharing for information that, for many, many years now, has been kept only on the classified side of the house. And that’s a whole new approach for government, and it’s just in its early steps. But, we’ve been moving too slowly given where the threat is, we need to do more, faster. You know, just a couple weeks ago they heard the Director of the FBI said, “Okay, they came after us in 2016 in the Presidential election, but I’m telling you they’re gonna do it again in 2020,” and the head of National Security Agency agreed. That’s in just one sphere, so I think we’re definitely in a trend now where we need to move faster in government.

What’s law enforcement doing? They’re increasing the cooperation. They’re doing this new approach on attribution. When I was there, we issued towards the end a new presidential policy directive that tried to clarify who’s in charge of threat, assets, intel support to make it easier. That said, if any of you guys actually looked at the attachment on that, it had something like 15 different phone numbers that you’re supposed to call in the event of an incident. And so, right now, what you need to do is think ahead on your crisis and risk mitigation plan, and know by name and by face who you’d call in law enforcement by having an incident response plan that you test when the worst happens.

And there’s reasons…I’m not saying in every case do it, but there are reasons to do it, and it can increase the intelligence you get back. It’s a hedge against risk, if what you thought was a low level act, like a criminal act, the Ferizi example, turns out to be a terrorist, at least you notified somebody. You also want to pick a door, and this requires sometimes getting assistance, you want to pick the right door in government, that ideally minimizes the regulatory risk to your company, depending on what space that you’re in, that the information that you provide them, as a victim, isn’t used against you to say that you didn’t meet some standard of care.

Even if…with the shift of administration, I know generally there’s a talk about trying to decrease regulations under this administration, but when it comes to cyber, everyone’s so concerned about where the risk is, that for a period of time I think we’re gonna continue to see a spike, that’ll hopefully level off at some point as each of the regulators tries to figure out a way they can move into this space. So, what can you do? One, most importantly, treat this as an inevitability. You know there’s no wall high enough, deep enough to keep the dedicated adversary out, and that means changing the mindset.

So, where…just like many other areas, this is a risk management, incident response area. Yes, you should focus front end on trying to minimize their ability to get in but you also need to assume that they can, and then plan what’s gonna happen when they’re in my perimeter. That means knowing what you got, knowing where it is, doing things like assuming they can get into my system. If I have crown jewels, I shouldn’t put that in a folder that’s called “Crown Jewels,” maybe put something else in there that will cause the bad guy to steal the wrong information. Have a loss of efficiency, which is why it’s a risk mitigation exercise. I mean, you need to bring the business side in to figure out, how can I, assuming they get in, make it hardest for them to damage what I need most to get back to business. Sony, despite all the public attention, their share price was up that spring, and that’s because they knew exactly who and how to call someone in the government. They actually had a good internal corporate process in place in terms of who was responsible for handling the crisis and crisis communication.

Second, assuming again that there are sophisticated adversaries that get more sophisticated, they can get in if they want to, you need to have a system that’s constantly monitoring internally, what’s going on from a risk standpoint, because the faster you can catch what’s going on inside your system, the faster you can have a plan to either kick them out, remediate it, or if you know the data is already lost, start having a plan to figure out how you can respond to it, whether it’s anything from intellectual property, to salacious emails inside your system. And that way, you quickly identify and correct anomalies, reduce the loss of information.

Implement access controls, can’t hit this hard enough. This is true in government as well, by the way, along with the private sector. The default was just it’s just easier to give everybody access. And I think people, when it came to very highly regulated types of information, maybe literally, if you know, you had source code, key intellectual property, people knew to try to limit that. But all that other type of sensitive peripheral information, pricing discussions, etc., my experience, a majority of companies don’t implement internally controls as to who has access and doesn’t, and part of the reason for that is because it’s too complicated for the business side so they don’t pay attention to doing it, and you can limit access to sensitive information and others.

Then you can focus your resources, for those who have access, on how they can use it, and really focus on training them and target your training efforts to those who have the access to the highest risk information. Multi-factor authentication, of course, is becoming standard. What else can you do? Segmenting your network. Many of the worst incidents we have are because the networks were essentially flat and we watch bad guys cruise around the network. Supply chain risk, large majority, Target, Home Depot, etc., a different version of the supply chain but the same idea. Once you get your better practices in place, the risk can sometimes be down the supply chain or with a 3rd party vendor, but it’s your brand that suffers in the event of a breach.

Train employees. We talked about how access controls can help you target that training. And then have an incident response plan and exercise it. Some of them will be, you’ll go in and there will be an incident response plan, but it’s like hundreds of pages, and in an actual incident, nobody’s going to look at it. So it needs to be simple enough that people can use, accessible both on the IT, technical side of the house, and the business side of the house, and then exercise, which is, you start spotting issues that really are more corporate governance issues inside the company as you try to do table top exercises. And we’ve talked a lot about building relationships with law enforcement, and the idea is know by name and by face pre-crisis who it is that you trust in law enforcement, have that conversation with them. This is easier to do if you’re a Fortune 500 company to get their attention. If you’re smaller, you may have to do it in groups or through an association, but have a sense of who it is that you’d call, and then you need to understand who in your organization will make that call.