Finding (cyber) false flags

I am a big reader of spy novels and my latest fascination is the Red Sparrow trilogy, the first book of which has been made into an upcoming movie. In one of the novels the spies attempt to penetrate an Iranian nuclear project, with one of the characters, an American CIA operative, posing as a Russian nuclear engineer. This situation is called a false flag.

The idea behind a false flag is that a spy (or a group of them) represents themselves as being from some other country to confuse the enemy. Back in the days of naval warfare, ships deliberately changed the flag they were flying to sneak into an enemy’s midst. Hence the name.

While spy novels love to talk about false flags, they do have some basis in reality, at least in some situations. One is the Lavon affair, which refers to a failed Israeli covert operation that was conducted in Egypt in the summer of 1954 and run by Pinhas Lavon, shown here. Numerous other operations on other lists show the lengths that intelligence agencies will go to in order to misrepresent themselves.

The same is true in the modern cybersecurity era. We see false flags all the time when malware attacks a target and misleads investigators about its origins. Then researchers try to pick it apart and figure out its attribution. Does the code resemble something they have already seen? Are the names of the variables or the documentation written in a particular (non-coding) language, or do they use cultural or other references? Are the targets of a particular political or national significance? These and other factors make malware attribution more art than science.

I was reminded of this when I read this piece from the Talos blog about trying to figure out who was behind the Olympic Destroyer malware that we saw last month. Several security bloggers have come out with Russian attribution, but the Talos team says, not so fast. Yes, there are similarities to Russian state-sponsored sources, but it isn’t a slam dunk, and there are also other suspects that could be the source of this malware.

Sadly, for cybersecurity it isn’t as easy as switching a flag to figure these things out. And reports about malware’s source need to be careful to ensure that we have the right attribution, otherwise we might be retaliating against the wrong people.

Security Intelligence blog: An Interview With IBM Master Inventor James Kozloski on His New Security Patent: The Cognitive Honeypot

What does a master IBM inventor who typically models brain activity have to do with enterprise security? If you ask James Kozloski, you won’t get a quick answer, but it will definitely be an interesting one.

Kozloski, who is a manager of computational neuroscience and multiscale brain modeling for IBM Research, is always coming up with new ideas. He was recently part of a team of IBMers that received a security patent for a cognitive honeypot. If you don’t know what that is, check out my story on IBM’s SecurityIntelligence blog, where I talk with this very interesting inventor about it.

Time to listen to your corporate Cassandra

In Greek myths, Cassandra was able to see the future, but no one ever believed what she was saying. Richard Clarke has written a new book examining this in a very quantitative fashion, and it made me think about those among us that predict what is going to happen to our IT infrastructure but aren’t listened to by management. I know it is a bit of a reach, but bear with me.

I thought back to several moments when I worked in corporate jobs and had run up against some naysayer who didn’t like what I was saying. Sometimes, I got fired because my boss thought I was the naysayer. Sometimes, my prophecy came to pass and then my proposal was finally green-lighted. And sometimes I had to run another play through a proxy or convince some other department to carry my idea forward.

In Clarke’s book, he describes a series of various disasters (Katrina, Fukushima) and how in each case there was a Cassandra who warned about the potential issues but these warnings fell on deaf ears. He then provides mechanisms and suggestions on how to reverse this and how to better pay attention.

Why are these warnings ignored? Several factors: inertia, character flaws of the participants, lack of planning, or ineffective leadership. Sometimes it is a combination of all of the above, making the issue too complex for a single individual or line of business to resolve. One of the things that I learned in my leadership class several years ago is how to assess various inputs, often conflicting ones, to determine a course of action. The best leaders know how to do this instinctively, and not just stick their heads in the sand and continue on. It is about listening critically to what the Cassandras are saying.

Wikipedia says in its entry that Cassandra is employed as a rhetorical device by many modern tales. One of my favorite ones is the Gilliam original movie Twelve Monkeys. There the character played by Bruce Willis is sent back in time to try to figure out the source of a pandemic that wipes out most of the world’s human population, only to be frustrated by not being understood by the people he interacts with. (If you haven’t seen the movie, make sure you see the 1995 original and not the remake — which is miserable.) Willis is considered crazy, but eventually enlists a shrink to help him with his investigations.

Pick up a copy of Clarke’s book, (re)watch the movie, and make a promise to listen the next time your corporate Cassandra speaks up.

FIR B2B podcast #91: All About Influencer Marketing with Marshall Kirkpatrick

Marshall Kirkpatrick leads influencer marketing at Sprinklr. He and I worked together at ReadWrite long ago, and he subsequently started Little Bird, an influencer marketing platform that was acquired by Sprinklr in 2016. Since then, he has helped augment the combined platforms for the enterprise.

Marshall has been active in understanding how social media influence is acquired and measured for more than a decade, and likes to talk about this pyramid, in which influence is just one of several steps toward providing real insights into how a brand is understood in various media forms. While our discussion on this podcast is mostly about Twitter and measuring its influence and effects on marketing B2B brands, we also talk about how to find people within an organization who are more inclined to tell your story.

One key data point is to look at when someone started using social media networks: the earlier they did, the more potentially influential that person could be. It isn’t just about counting raw numbers of followers, Marshall says; an influencer has to be picky about who they follow. There are ways to suss this out. Social media is more about finding quality than quantity.

You can listen to Paul Gillin and me talk about this here.

CSO Online: How to protect your network from PowerShell exploits

Hikers living off the land make use of existing nutrients and water sources to survive in the wilderness. In hacker parlance, “living off the land” means attackers cover their tracks by making use of tools and code that already exist on targeted endpoints. This hides their activity by making it look like routine administrative tasks, so that detection tools can’t easily spot it. Welcome to the world of PowerShell-based attacks.

PowerShell has become increasingly sophisticated and in an article I wrote for CSO Online, I show you how attackers can leverage this language for their own evil purposes.

When to think about a cyber security do-over

This is a piece that I co-authored with Greg Matusky and Mike Lizun of Gregory FCA.

Imagine you’re on the precipice of greatness, some victory that will define you or your enterprise for eternity. Something important, game-changing, like going public, executing a merger, or something even bigger, like winning your first ever Super Bowl after 50 years of frustration.

And then it’s all lost. Stolen in the dark of night by someone who hacks your system and steals the secret sauce. Maybe it’s your IP or some market advantage. Or maybe it was simply the plays you plan to call that now will be used against your organization.

A lot of football fans, players, and coaches believe that is exactly what happened in 2005 when the New England Patriots beat the Philadelphia Eagles in Super Bowl XXXIX.

Even during that game, Philadelphia coaches knew something was amiss and tried to change set play calls. Every time the Eagles’ defensive coach blitzed, Tom Brady knew it and made a quick outlet pass. Two years later, the Patriots were fined $250,000 and draft picks for getting caught videotaping and stealing the play calls of the New York Jets. A U.S. senator opened an investigation and found New England had been wrongly videotaping and stealing opponents’ play calls since 2000.

This year, after the Eagles beat New England, there’s been a lot of scuttlebutt about secret security measures the Eagles deployed to thwart any and all intrusions. One story holds that Philadelphia ran a fake practice the Saturday before the game, running plays and using a play call system they had no intention of using. Whether it happened or not, you gotta believe the Eagles weren’t going to be robbed again. Something did work. New England didn’t have a clue as to what the Eagles were doing on offense. They didn’t know about their calls and the result was Philadelphia putting up 538 total yards of offense.

Not every business gets to have a do-over like the Eagles. And in most cases, when it comes to cyber security and data breaches, hindsight is always 20-20. As an example, look at this recent Ponemon survey of 1,200 IT professionals. It found that the majority of them aren’t satisfied with cyber threat sharing tools in terms of timeliness, accuracy, and the quality of actionable information. Some of this has to do with a johnny-come-lately realization that threat intel could have been used to prevent a previous attack. Even UK-based telecom provider BT is now sharing its threat intel with its competitors, to try to stem attackers. So maybe the tide is changing.

There are lots of other cybersec lessons that could be learned from the latest Super Bowl matchup and what organizations can do when they get a second chance at defending their networks. They involve the role that revenge can play in motivating ex-employees, deliberate attempts to confuse attackers, and using specific traps to flush out intruders and confuse adversaries.

First, let’s look at revenge attacks.

These happen when insiders or former insiders get motivated by something that they experienced, and want to take out their frustration on their former employer.

The classic insider revenge scenario dates back to 1999, when Vitek Boden was applying for a job with the Maroochy county sewer district in Australia. He had been a contractor for the district, and the county decided not to hire him. To seek revenge, he caused thousands of gallons of raw sewage to be dumped into the local waterways, using a series of radio commands. He was eventually caught by a police officer with various RF equipment in his possession. What is important to note is that Boden had all this insider knowledge, yet never worked for the agency that he attacked. He was able to disguise his actions and avoid immediate detection by the agency IT department, which never had any security policies or procedures in place for disgruntled employees.

Ofer Amitai, the CEO of Portnox, has a more modern revenge tale. One of his customers is a big food company that didn’t pay attention to who was connected to its WiFi network. It had an employee who was fired and came back to the vicinity of the plant with his own laptop. He changed the temperatures on the refrigerators and destroyed hundreds of thousands of dollars of merchandise in revenge.

From these two examples, you can see it pays to be careful, even if a former employee never sets foot on your property, or even if you never hired your potential attacker. Certainly, you should better screen insiders to prevent data leaks or willful destruction. And businesses should always monitor their wireless networks, especially as it is simple for an intruder to connect a rogue access point to your network and access data through it.

What about ways to confuse attackers?

Like in the Super Bowl, teams are now more careful about how they call plays during the game and practice times. Teams now use an array of sideline ruses to confuse prying eyes, everything from placards with pictures of Homer Simpson to using as many as three decoy sideline play callers.

That’s not too dissimilar to planting special “honeynets” on networks. Typically, they consist of a web server and a stripped-down operating system with tracking software that registers when a hacker tries to compromise the system. These servers don’t contain any actual data, but appear to be a target to a potential attacker and can trap them into revealing their location, sources, or methods that can help network defenders strengthen their security. Honeynets have been around for more than a decade and have an active development community to make them more life-like to confound attackers.

“There will always be timely weaknesses during such events that hackers can exploit,” says Dudu Mimran, the CTO of Telekom Innovation Laboratories in Israel. “Public events such as the Super Bowl present an opportunity because many people will be using digital devices and posting pictures and opening emails around the event. Defenders need to understand the expected sequence of actions around these events and create pinpoint defenses and guidelines to reduce the expected risks. There needs to be a series of layered defenses coupled with user education and better awareness too.”

Good luck with your own do-overs.

FIR B2B #90: Learn the secrets of social media marketing from London’s top-rated restaurant today!

A social media firestorm has erupted over a fake restaurant that briefly became London’s top-rated eatery on TripAdvisor. But the restaurant never actually existed. This video explains how the Shed at Dulwich rose to the top of more than 18,000 restaurants over a seven-month extended campaign. While Paul Gillin and I don’t condone fakery, we commend journalist Oobah Butler (shown here), who pulled off the stunt, for using good social media marketing tactics to make it work.

There are lessons here for B2B marketers about how to use social media and appropriate word-of-mouth marketing to promote their own legit brands and products. In short, take the long view and frame your message from the start, sticking to key talking points and repeating them to reviewers who might be inclined to review your products and services. You should also concentrate on the most appropriate social networks to match your market; the Shed used Instagram and a series of carefully prepared food photos, since that is what resonates on that network. Butler understood the value of a good photo in his promotion, and that the look of the plate can be more important than the actual ingredients, which in many professional food photos is often inedible.

The Shed never cheated anyone, and the prank wasn’t intended to steal money. It was intended to show up TripAdvisor, and it succeeded masterfully. Butler did end up serving a meal to a few select folks, but didn’t charge them. He had a certain graceful charm that is appealing. The experiment demonstrates the value of knowing your market and being trendy but not going over the top. It also shows why having some fun with your social media accounts doesn’t hurt. You can listen to our 11 min. podcast here.

CSO Online: Mastering email security with DMARC, SPF and DKIM

Phishing and email spam are the biggest opportunities for hackers to enter the network. If a single user clicks on some malicious email attachment, it can compromise an entire enterprise with ransomware, cryptojacking scripts, data leakages, or privilege escalation exploits. The three email security protocols SPF, DKIM and DMARC were invented to reduce these opportunities. Like much in the IT world, the multiple solutions don’t all necessarily overlap. In this story for CSO Online, I explain the trio and how to get them set up properly across your email infrastructure. Spoiler alert: it isn’t easy and it will take some time.
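As an added illustration of how the three protocols fit together (example code written for this page, not from the CSO article), here is a small Python evaluator that audits SPF and DMARC TXT records for weak settings and applies DMARC identifier alignment the way a receiving mail server does. The records are constructed samples for a hypothetical example.com; the organizational-domain logic is a simplification of the public suffix list, and pct= and sp= tags are ignored.

```python
import re

# Constructed sample TXT records for a hypothetical domain, example.com.
WEAK_SPF = "v=spf1 include:_spf.example.net +all"    # +all lets any sender pass
STRONG_SPF = "v=spf1 include:_spf.example.net -all"  # -all hard-fails everyone else
WEAK_DMARC = "v=DMARC1; p=none"                      # monitor only, no report address
STRONG_DMARC = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com"


def parse_tags(record):
    """Split a DMARC 'tag=value; tag=value' record into a lowercase-keyed dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_all_qualifier(record):
    """Return the qualifier of the SPF 'all' mechanism: '+', '-', '~' or '?'.
    A record with no 'all' term yields neutral ('?') for unmatched senders."""
    match = re.search(r"(?:^|\s)([+\-~?]?)all(?:\s|$)", record)
    if not match:
        return "?"
    return match.group(1) or "+"   # a bare 'all' means '+all'


def audit_records(spf_record, dmarc_record):
    """Flag settings that leave the domain open to spoofing."""
    findings = []
    if spf_all_qualifier(spf_record) in ("+", "?"):
        findings.append("SPF: 'all' is pass/neutral; use ~all or -all")
    tags = parse_tags(dmarc_record)
    if tags.get("v") != "DMARC1":
        findings.append("DMARC: record missing or malformed")
    if tags.get("p", "none") == "none":
        findings.append("DMARC: p=none only monitors; move to quarantine/reject")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so no aggregate reports")
    return findings


def org_domain(domain):
    """Simplification: the last two labels are the organizational domain.
    Real DMARC consults the public suffix list (e.g. for .co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict ('s') alignment needs an exact match; relaxed ('r', the default)
    needs the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_evaluate(dmarc_record, from_domain, spf_result, spf_domain,
                   dkim_result, dkim_domain):
    """DMARC passes if either SPF or DKIM passed AND its identifier aligns with
    the From: header domain; otherwise the record's p= policy applies."""
    tags = parse_tags(dmarc_record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    passed = spf_ok or dkim_ok
    return {"dmarc_pass": passed, "spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "disposition": "none" if passed else tags.get("p", "none")}
```

The strict-alignment case shows why the protocols don't simply overlap: SPF can pass for a bounce subdomain while DMARC still rejects the message because the From: domain differs.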

What’s new with blockchain and security

The world of bitcoin, blockchain and cryptocurrencies is moving so fast that it is hard to keep up, even if you try to follow current events. Certainly, it has been some wild times lately as the trading prices of these currencies have escalated wildly. This post will review some of my own interests, namely some interesting places where you might want to read up more about blockchains and the intersection of these technologies with IT security.

Probably a good place to start is with my sister newsletter, Inside Bitcoin, researched and written by David Stegon three times a week. Like my own Inside Security newsletter, it comes packed with tons of great content, current events, trading prices of the leading currencies and more. For example, in today’s issue you can find out that soon the electricity used for bitcoin mining will account for more power usage than people’s homes in Iceland.

If you are looking to learn more about cryptocurrency basics, the VC firm Andreessen Horowitz has put together this page of links it calls its Crypto Canon. There are a lot of beginner’s guides about privacy and security and tutorials for developers. Another really great source that goes into details about the actual mechanics of the blockchain protocols can be found in the current issue of the Internet Protocol Journal. Written by Bill Stallings, it is a clear and solid explanation of how the blockchain works to self-authenticate transactions, which are at the core of this brave new world.

If you haven’t gotten enough of a fix, I humbly suggest next taking a look at a blog post that I wrote for the iBoss blog about recent blockchain exploits. Criminals are coming online, stealing funds from digital wallets, attacking currency exchanges, deploying hidden miners and going after initial coin offerings. This latter event is similar to an IPO for blockchain companies, only instead of receiving dollars (or some other real currency), they get cryptocoins, often newly minted. The opportunity for abuse and fraud is limitless, and some companies have already “mysteriously” disappeared after their ICO.

The hidden cryptominers are particularly pernicious. An average exploit can generate $500 a day per PC that has been compromised. Set up a network of a few thousand machines and you are literally creating cash while you sleep.

But blockchains can be used for improving and innovating when it comes to IT security too. Here are a few examples:

  • Shocard uses blockchains to provide an identity authentication system so that people can share information with each other securely.
  • Hypr is similar, encrypting a user’s credentials but doing so without any centralized authority needed to vouch for them or store the information.
  • Microsoft is adding blockchain features so that its Authenticator app can manage all kinds of user identity data and cryptographic keys.
  • CertCoin is one of the first implementations of blockchain-based PKI. The project, developed at MIT, removes central authorities altogether and uses the blockchain as a distributed ledger of domains and their associated public keys.
  • Guardtime built the identity management platform for the Estonian government and now sells its KSI blockchain-based enterprise security tools. Changes to the network configuration have to be authorized, making it harder for malware to gain access.
  • Maidsafe has created an alternative Internet where users are able to run apps, store data, and do everything else they normally do online, but in a more secure environment.
  • And IBM and Maersk have built a blockchain-based digital trading system to track shipments of the global logistics company.

We have just seen the very tip of the iceberg when it comes to using these technologies, both for good and evil. Send me your favorite bitcoin/blockchain product or anecdote if you don’t mind sharing.

iBoss blog: The Many Forms of Cryptocurrency Exploits

While the prices of cryptocurrencies have been all over the place in recent months, they are certainly attracting a different kind of attention from the criminal world, which views them as malware opportunities. These attacks take numerous forms, including stealing funds from digital wallets, attacking currency exchanges, deploying hidden mining, and initial coin offering (ICO) exploits.

The first major exploit was seen by the DAO joint Ethereum investment fund back in 2016, which suffered a DDoS attack and eventually had to shut down. While that grabbed major headlines, there have been other, less-publicized attacks on exchanges. I look at some of the more recent examples in my post for iBoss’ blog here.