Jon Callas on joining the ACLU

I have known Jon Callas for many years, tracking back to when he was part of the PGP Corporation and bringing encrypted email to the world. He has been a long-time security researcher who has been part of the launch teams at Silent Circle and Blackphone. Recently he has moved from Apple to the ACLU, where he is a technical fellow in the Speech, Privacy and Technology Project.

I spoke to him last week and caught up with what he is working on now, and thought you might be interested. His job now is to help the mostly legal team at ACLU to understand the technical issues, especially from someone who has been deeply steeped in them over the years. “Technology is such a part of the modern world that we need more people to understand it,” he said. One of his focus areas is the recent changes in Australian encryption laws. He is still trying to figure out the implications, and so far he views this bill as more guiding government assistance than actual intervention. The bill also raises more questions than it answers, such as how does a developer secretly insert code into a system that has tracking or build version controls? He is also watching the revelations around the Facebook document trove that was released this week by British lawmakers. (Here is the backstory and ProtonMail’s comments on the law is here.) “Clearly, there are contradictions between what Facebook management said they were and weren’t doing and what was mentioned in these documents,” he said. When I asked him what he what do if he were CTO of Facebook, he just laughed.

One other area of interest is how to understand how the government is acting to curb freedom of speech, and what is going on at our borders. “The government quite reasonably says that they can look inside your suitcase when you cross into our country. That I understand, but shouldn’t your electronic devices be treated differently from what else is in your suitcase? There are many answers here, and we need to have legal and policy discussions and understand exactly what problems we are trying to solve.”

We also spoke about the recent actions by Google employees protesting their Chinese-specific search engine. “I find it encouraging that tech people are looking at the consequences of what they do and where this technology is going to be used and what it all means,” he said. Now, “we are more in tune with privacy concerns. People are thinking about the ethics and consequences of what they are doing. They want to have a part in these discussions. That is what a free society should do.”

Brian NeSmith, providing SOC-as-a-Service with Arctic Wolf Networks

Brian NeSmith is the CEO of Arctic Wolf Networks, which was started back in 2012.  They provide Security Operations Center-as-a-Service. I have known him for decades when he started a quirky company called Cacheflow that eventually became part of Blue Coat where he was also CEO. I asked him a few questions.

Q: What has changed in enterprise infosec compared to when you first started at AWN six years ago?

Back when we started the company breaches were smaller with little lasting damage.  The stakes are much higher profile now. We started the company before Target, Equifax and Petya, major attacks that put cybersecurity on the evening news. Nowadays cybersecurity is a boardroom topic, and a company’s brand and business are affected by how good their security is.

Q: How does a SOC-as a S differ from just a MSP who sells managed SOC services?

SOC-as-a-service provides experienced security analysts doing real security work.  MSPs selling managed SOC services are usually just managing the infrastructure or forwarding alerts, but they are not doing the actual security work. The pressing issue in our industry today is how we detect and respond to threats and not just managing the infrastructure more cost effectively.  SOC-as-a-service provides that, and managed SOC services from an MSP does not.

Q: What portion of the resources you monitor are on premises vs. cloud of your current customers? How has that changed from six years ago?

The portion of cloud resources we monitor has been steadily increasing over the past six years.  But the largest resource we monitor in most companies is still the employees and their endpoints.  Many people view people as the weakest link in the chain, and we find that still to be the case.  Most security incidents are still due to some sort of human error or mistake even when they have the best security products in place.

Q: You ran Blue Coat through some very turbulent times, when it was first called CacheFlow. How have web apps changed from those early days and will enterprises ever feel secure deploying them?

It is a completely different world today than when I first started leading CacheFlow.  There is not a company out there that does not rely on a web app to operate or serve their customers.  If they have not, companies do not have a choice but to embrace web apps, so they need to figure out what is needed to feel secure deploying them.

Q: Is ransomware or fileless malware more of a threat today from your POV?

I don’t think they are any more of a threat than other types of malware.  Ransomware is different in that it can literally bring your business to a halt.  That is very different from traditional malware.  When it comes to fileless malware, the increased danger comes from how openly information is on how to exploit these.  We have seen malware become commercialized so you can literally purchase the malware you want to use and even get technical support.  This means that anyone can become a hacker, and it will result in more attacks.

A new way to do big data with entity resolution

I have this hope that most of you reading this post aren’t criminals, or terrorists. So this might be interesting to you, if you want to know how they think and carry out their business. Their number one technique is called channel separation, the ability to use multiple identities to prevent them from being caught.

Let’s say you want to rob a bank, or blow something up. You use one identity to rent the getaway car. Another to open an account at the bank. And other identities to hire your thugs or whatnot. You get the idea. But in the process of creating all these identities, you aren’t that clever: you leave some bread crumbs or clues that connect them together, as is shown in the diagram below.

This is the idea behind a startup that has just come out of stealth called Senzing. It is the brainchild of Jeff Jonas. The market category for these types of tools is called entity resolution. Jonas told me, “Anytime you can catch criminals is kind of fun. Their primary tradecraft holds true for anyone, from bank robbers up to organized crime groups. No one uses the same name, address, phone when they are on a known list.” But they leave traces that can be correlated together.

Jonas started working on this many years ago at IBM. He is trying to disrupt the entity resolution market and eventually spun out Senzing with his tool. The goal is that you have all this data and you want to link it together, eliminate or find duplicates, or near-duplicates. Take our criminal, who is going to rent a truck, buy fuel oil and fertilizer, and so forth. He does so using the sample identities shown at the bottom of the graphic. Senzing’s software can parse all this data and within a matter of a few minutes, figure out who Bob Smith really is. In effect, they merge all the different channels of information into a single, coherent whole, so you can make better decisions.

Entity resolution is big business. There are more than 50 firms that sell some kind of service based on this, but they offer more of a custom consulting tool that requires a great deal of care and feeding and specialized knowledge. Many companies end up with million-dollar engagements by the time they are done. Jonas is trying to change all that and make it much cheaper to do it. You can run his software on any Mac or Windows desktop, rather than have to put a lot of firepower behind the complex models that many of these consulting firms use.

Who could benefit from his product? Lots of companies. For example, a supply chain risk management vendor can use to scrape data from the web and determine who is making trouble for a global brand. Or environmentalists looking to find frequent corporate polluters. A finservices firm that is trying to find the relationship between employees and suspected insider threats or fraudulent activities. Or child labor lawyers trying to track down frequent miscreants. You get the idea. You know the data is out there in some form, but it isn’t readily or easily parsed. “We had one firm that was investigating Chinese firms that had poor reputations. They got our software and two days later were getting useful results, and a month later could create some actionable reports.” The ideal client? “Someone who has a firm that may be well respected, but no one actually calls” with an engagement, he told me.

Jonas started developing his tool when he was working at IBM several years ago. I interviewed him for ReadWrite and found him fascinating. An early version of his software played an important role in figuring out the young card sharks behind the movie 21 were taking advantage of card counting in several Vegas casinos, and was able to match up their winnings all over town and get the team banned.  Another example is from  Colombia universities who saved $80M after finding 250,000 fake students being enrolled.

IBM gets a revenue share from Senzing’s sales, which makes sense. The free downloads are limited in terms of how much data you can parse (10,000 records), and they also sell monthly subscriptions that start at up to $500 for the simplest cases. It will be interesting to see how widely his tool will be used: my guess is that there will be lots of interesting stories to come.

Security Intelligence (IBM) blog: Space Rogue, A Security Rebel Turned Pen Tester

Cris Thomas, who also goes by the pseudonym Space Rogue, is the global strategy lead at IBM X-Force Red. I recently spoke with him to discuss his work as a penetration testing specialist, his role as a cybersecurity activist in the late 1990s. In 1998, Thomas and other members of attacker think tank L0pht Heavy Industries testified to Congress. L0pht is infamous for developing a series of hacking tools, such as Windows NT password crackers and a website called Hacker News Network. The white-hat hacking group also took on numerous consulting projects over the years and was recently back in DC to talk about what has changed, and what hasn’t, in terms of infosec. My interview with Thomas can be found in IBM’s Security Intelligence blog.

Security insider: Ben Rothke, Nettitude Group

Ben Rothke is a Principal Security Consultant at the Nettitude Group and is a CISSP, CISM and PCI QSA. He has over 15 years of industry experience in information systems security and privacy. He is the author of Computer Security: 20 Things Every Employee Should Know, and authors The Security Meltdown blog for CSOonline.

I first met him in Israel on a tour of infosec companies and he always has something thoughtful and interesting to say. Given his tenure, it isn’t surprising that his first major security issue that he can recall was a misconfigured firewall that was letting a whole lot of Internet traffic in. It took him a few hours to figure out the correct configuration. As he said, “everything old is new again when it comes to information security!”

Since he does a lot of PCI compliance work, his go-to tool is Ground Labs Card Recon tool for cardholder data discovery. He also uses tools from Skyhigh Networks and the native AWS security services as well. “The native AWS controls do go a long way to help configure and debug security configurations of their cloud services.” Another tool that he personally uses is Norton Mobile Security to protect his mobile devices. He also uses LastPass for managing his password collection. “I was concerned when they had their breach about putting all my eggs into one basket, so yes, you have to be prepared for that.”

“Nowadays you pretty much know when someone is trying to social engineer you,” he says. You can tell when you get an odd Facebook message or some dopey email, such as someone’s wallet has been stolen while on a trip and you haven’t heard from that person in ten years.” But the attackers have the odds in their favor: “All it takes is a couple of folks to click on the bait and they are living the high life.”

Over the last 18 months he has personally seen three different ransomware cases. For two of them, “they had good backups and ignored the ransom demands and were fine,” he said. The clients were able to reimage their machines and went about their business. However, with one client, “they had no leverage and had to pay the $600 ransom and learn from it. But now they have good backups, they took the attack as a wakeup call.” We commiserated on the fact that “you can’t have too many backups. Now that we have the cloud, it is easier, you can have a huge amount of data backed up without any tapes anymore.”

“Sometimes I see clients that have some rivalry between two different IT divisions,” he says. “It is like the competition between the police and fire departments. But they have to work together, and try to avoid finger pointing, and let them work it out and work together and understand each other’s point of view. Some companies are integrated better than others.” He says there isn’t any real magic to this integration. “It is more of a culture issue. If you are part of the same team, and guys are sitting near each other on the same floor, it is easier for one person to hand off to another and interact with them and build mutual trust.”

Part of the challenge is that everyone needs to be operating “from the same playbook, and understand the same collection of systems. After all, they are all supporting the same business goals and understanding the same endgame,” he says. “The challenge is that it takes a good executive at the top, whether that be a CIO, CTO or a CISO, for everyone to work well together and for this harmony to trickle down. Without this leadership, the conflicts trickle down too.”

You can subscribe now to my Inside Security newsletter and get information such as this interview and updated security news delivered regularly to your inbox.

Security Intelligence blog: Understanding the Relationship Between AI and Cybersecurity

The first thing many of us think about when it comes to the future relationship between artificial intelligence (AI) and cybersecurity is Skynet from the “Terminator” movie franchise. But I spoke with Dudu Mimram,  the CTO at Telekom Innovation Laboratories when I was in Israel earlier this month, and he has a somewhat rosier view. He suggested that AI must be understood across a broader landscape, regarding how it will influence cybersecurity and how IT can use AI to plan for future security technology purchases.You can read my blog post in IBM’s Security Intelligence here.

Adrian Lamo, RIP

I first met Adrian Lamo back in 2002. I was teaching a high school networking class and I thought it would be cool to have the kids experience a “real” hacker, since so many of them aspired to learn how to get into the computerized grading system that the school ran. It wasn’t a very exciting teachable moment, as I recall. But Lamo made a big impact on me, as he couch-surfed in my New York suburban apartment.

Sadly, I learned that last week he died at age 37 in Wichita, KS. The cause of death hasn’t yet been determined, and he had been living in the area for the past year, according to reports. Lamo moves around alot, thanks to a rather interesting personality that could best be described as on the autism spectrum.  When I met him, he had the symptoms of obsessive-compulsive disorder and was later diagnosed with Aspberger’s. One of his quirks was that it would take him a while to leave my apartment every morning: he had a sequence of steps to follow in a very specific order before he could walk out the door.

Lamo was a study in contradictions: both very bright and very socially awkward, a Sheldon Cooper before his time. He had a high sense of morality. At the time Lamo stayed with me, he had been arrested for breaking into several different computer systems, including that of the freelancer database of the New York Times. His method was to find an open Web proxy server and use that to gain entry inside a corporate network. (It is still a common entry point method, although many companies have finally figured out how to protect themselves.) He never profited financially from these attacks, instead he would often leave hints on how a company could close these proxies and improve their security. He was sentenced to house arrest for the Times attack.

At the time we met, he was called the “homeless hacker” – not because he was living on the streets, but because he was young and had no fixed address, and would go from couch to couch as the mood took him. I offered him a place to stay and a chance to get to know him better, thinking how cool could that be? Little did I know.

When I told my then-teenage daughter about his impending visit, she was rather incredulous (you have someone wanted by the police staying with us) but ultimately she was won over by his geek cred – she had a problem with her cell phone that she recalls him fixing in a matter of seconds.

Well, Lamo went on get a degree in journalism, ironically enough. He was very connected to the tech trade press, and Brian Krebs recalls his various interactions with him in this post.

Lamo is remembered in various tributes in the past few days with his role in the Wikileaks/Cablegate case of 2010, when he divulged the name of Private Manning to the feds as the leaker. Both then and now, his decision was vilified in the hacking community, with numerous online threats.

I had a chance to speak to Lamo back in 2011 and recorded the interview for ReadWrite, where I was working at the time. It covers a lot of ground:

He has some very wise comments about the importance of government secrecy, and the freedoms that it enables for us all. Lamo saw the Manning case from the other side, as a case that would be eventually remembered supporting our freedoms. It was a real issue for him, because as a hacker he could certainly understand what Manning was trying to do, but as someone who also understood the role of our military he couldn’t in good conscience allow her to leak all that data. When Manning contacted Lamo he had a crisis of conscience and made his decision. He struggled over harming Manning, whom he considered a friend, or harming countless others who would be placed at risk because of Manning’s leaks. He wishes Manning had come to him before making the documents public.

This is certainly an interesting position for a hacker to take, to be sure. He was vilified in the hacker community because of it, but I think he made the right decision. “Who would have thought that when we first met ten years ago that I would have been involved in the single biggest intelligence leak in history,” he told me. How true.

He continued to work as a security consultant, helping corporations understand better security practices as well as going out on the speaking circuit. Ironically, his preferred method of communications more recently was FedEx! “I’m a little bit of a Luddite these days,” he said.

Lamo left this planet far too soon. He was a very smart guy and had a very solid moral compass, and those two traits guided his actions all his short life. I am sad that he is no longer with us, and hope that his life can be noted and celebrated for his accomplishments, verve and significance.

Security Intelligence blog: An Interview With IBM Master Inventor James Kozloski on His New Security Patent: The Cognitive Honeypot

What does a master IBM inventor who typically models brain activity have to do with enterprise security? If you ask James Kozloski, you won’t get a quick answer, but it will definitely be an interesting one.

Kozloski, who is a manager of computational neuroscience and multiscale brain modeling for IBM Research, is always coming up with new ideas. He was recently part of a team of IBMers that received a security patent for a cognitive honeypot. If you don’t know what that is, check out my story on IBM’s SecurityIntelligence blog for details with this very interesting inventor.

Notable TechWomen, in honor of Ada Lovelace Day

The TechWomen program brings emerging women STEM leaders from around the world to the Bay Area for five weeks of mentoring and career development. Sponsored by the US State Department and run by the Institute of International Education, over the past six years it has brought more than 400 women here.

I spoke to two of the women that are taking part in the program, both are 32 and from different parts of Africa. Martine Mumararungu runs the core traffic engineering for a Rwanda ISP and has a BS in CS. She was one of seven women in her classes. “Most girls in Rwanda think STEM is just for men,” she told me. Luckily, she had an older brother and sister who were interested in science, and that sparked her own interest. She started out in programming, taking classes in C++ and Java, and got more interested in networking technology. She eventually earned her CCNA and CCNP certifications and has found them very much in demand in Rwanda and very valuable for her job at the ISP. She is using the program to learn more about IT security and how she can beef up her ISP’s profile in that area.

Umu Kamara hails from Sierra Leone where she is the assistant IT manager for a private shipping company. She got her BS in Physics and also got several Microsoft certifications. She switched to IT because she was always interested in systems and databases. She started out wanting to become a medical doctor but wasn’t accepted into the program because of low English grades. Now she is glad she didn’t go that route and likes being in IT. Her father (who died when she was four) was a mechanical engineer, and that motivated her to get interested in science at an early age. She is using the program to learn more about cloud technologies and data center security. She may try to switch her EDR products to more cloud-based ones. When I asked her about the relative bandwidth that she has in the States versus at home, she just laughed, agreeing with me that yes, here it is “a bit faster.” She also agreed that the Internet is here to stay no matter where you live, and even if you have just a marketing company you still need an online presence. “You can’t do without it.”

She experienced a data breach at her company; unfortunately, it was just after her boss left town for a seminar so she had to handle the situation. It was caused by an infected cell phone that was connected to the corporate network, and used malware-infused PDF and Word documents. She had to work long days to reinstall her servers and updates. “It was a good experience but I wouldn’t want to do it again.” The company was offline for several days and the revenue impact was huge, since ships couldn’t unload without the appropriate systems operating.

FIR B2B#70 podcast: The peculiar PR paradox of the resurrection of A.I. with Jason Bloomberg

“On the one hand, AI is perhaps the most revolutionary set of innovations since the transistor. But on the other, the bad press surrounding it continues to mount, perhaps even faster than the innovations themselves. And AI promises to change the role technology plays for every industry on this planet.” So writes Jason Bloomberg in a post on LinkedIn Pulse earlier this month. Paul Gillin and I sat down with him in our latest podcast to discuss some of the issues surrounding how to best publicize AI and some lessons that overall PR and marketing folks can learn from the rise and fall and current rise of AI. Bloomberg has been a tech reporter for decades, writing for Forbes and various other B2B tech pubs over the course of his career.

Jason’s post makes four important points about PR and AI:

  • AI vendors jump in with more hype than reality, what he calls AI-washing (after white-washing).
  • AI has been on the verge of being the next big thing for decades now.
  • AI will cost jobs. As if we didn’t have enough threats these days.
  • Skynet. Need we say more?

Listen to our 20 min. podcast here: