When to think about a cyber security do-over

This is a piece that I co-authored with Greg Matusky and Mike Lizun of Gregory FCA. 

Imagine you’re on the precipice of greatness, some victory that will define you or your enterprise for eternity. Something important, game-changing, like going public, executing a merger, or something even bigger, like winning your first ever Super Bowl after 50 years of frustration.

And then it’s all lost. Stolen in the dark of night by someone who hacks into your systems and steals the secret sauce. Maybe it’s your IP or some market advantage. Or maybe it’s simply the plays you plan to call, which will now be used against your organization.

A lot of football fans, players, and coaches believe that is exactly what happened in 2005 when the New England Patriots beat the Philadelphia Eagles in Super Bowl XXXIX.

Even during that game, Philadelphia coaches knew something was amiss and tried to change their set play calls. Every time the Eagles’ defensive coordinator sent a blitz, Tom Brady knew it was coming and made a quick outlet pass. Two years later, the Patriots were fined $250,000 and lost a first-round draft pick (coach Bill Belichick was fined another $500,000) after being caught videotaping the New York Jets’ defensive signals. A U.S. senator pressed for an investigation, and the league found that New England had been improperly videotaping opponents’ signals since 2000.

This year, after the Eagles beat New England, there has been a lot of scuttlebutt about the secret security measures the Eagles deployed to thwart any intrusion. One story holds that Philadelphia ran a fake practice the Saturday before the game, running plays and using a play-calling system they had no intention of using. Whether it happened or not, you gotta believe the Eagles weren’t going to be robbed again. Something did work: New England didn’t have a clue what the Eagles were doing on offense, didn’t know their calls, and the result was Philadelphia putting up 538 total yards.

Not every business gets a do-over like the Eagles. And when it comes to cyber security and data breaches, hindsight is always 20-20. As an example, look at this recent Ponemon survey of 1,200 IT professionals. It found that the majority of them aren’t satisfied with cyber threat-sharing tools in terms of timeliness, accuracy, and the quality of actionable information. Some of this has to do with a johnny-come-lately realization that threat intel could have been used to prevent a previous attack. Even UK-based telecom provider BT is now sharing its threat intel with its competitors to try to stem attacks. So maybe the tide is changing.

There are other cybersec lessons to be learned from the latest Super Bowl matchup, and about what organizations can do when they get a second chance at defending their networks. They involve the role that revenge can play in motivating ex-employees, deliberate attempts to confuse attackers, and the use of decoys to flush out intruders.

First, let’s look at revenge attacks.

These happen when insiders or former insiders get motivated by something that they experienced, and want to take out their frustration on their former employer.

The classic insider revenge scenario dates back to 1999 and 2000, when Vitek Boden applied for a job with the Maroochy Shire council in Australia after working for the contractor that had installed the shire’s sewage control (SCADA) system. The council decided not to hire him. To seek revenge, he used a laptop and a two-way radio to send commands to the pumping stations, causing hundreds of thousands of gallons of raw sewage to spill into local waterways and parks. He was eventually caught when a police officer pulled him over and found the radio equipment in his car. What is important to note is that Boden had all this insider knowledge yet never worked for the agency he attacked: he knew the radio protocol and the equipment because he had helped install it. He was able to disguise his actions and avoid immediate detection because the radio commands carried no authentication, so the utility could not tell legitimate commands from rogue ones, and it had no security policies or procedures in place for disgruntled employees or contractors.

Ofer Amitai, the CEO of Portnox, has a more modern revenge tale. One of his customers is a big food company that didn’t pay attention to who was connected to its WiFi network. It fired an employee, who came back to the vicinity of the plant with his own laptop, connected to the wireless network, changed the temperatures on the refrigerators and destroyed hundreds of thousands of dollars of merchandise in revenge.

From these two examples, you can see that it pays to be careful, even if a former employee never sets foot on your property again, or even if you never hired your potential attacker. Certainly, you should screen insiders more carefully to prevent data leaks or willful destruction, and revoke network access and credentials the moment someone is let go. And businesses should always monitor their wireless networks: it is simple for an intruder to connect a rogue access point to your network and reach data through it, and a wireless network that never checks who is connecting is an open door for anyone who once had legitimate access.

What about ways to confuse attackers?

As in the Super Bowl, teams are now more careful about how they call plays during games and practices. Teams use an array of sideline ruses to confuse prying eyes, everything from placards with pictures of Homer Simpson to as many as three decoy sideline play callers.

That’s not too dissimilar from planting honeypots and honeynets on your network. A honeypot is typically a web server or other service on a stripped-down operating system, instrumented with tracking software that registers when an attacker tries to compromise it; a honeynet is a whole network of them. These decoys hold no real data, but they look like a target to an intruder, and because no legitimate user has any reason to touch them, every connection they receive is worth investigating. They can trap intruders into revealing their location, sources or methods, which helps defenders strengthen the real systems. Honeypots have been around for well over a decade, and an active development community keeps working to make them more life-like to confound attackers. The caveat is that a decoy only works if it is plausible and isolated: it should look like the rest of the estate, but a compromise of it must not give the intruder a path to anything real.
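Here is what the simplest form of such a decoy looks like in practice. This is an added example written for this page, not code from the original piece or from any honeypot project: a TCP listener that serves a plausible banner, records every connection and the first bytes each intruder sends, and tags the probe by what protocol the intruder assumed. The banner string, the port choice and the probe categories are assumptions; the probe() and wait_for_entries() helpers exist so the block can exercise itself on the loopback interface.

```python
"""Minimal TCP decoy (single-host honeypot) that records every connection it receives."""
import socket
import socketserver
import threading
import time

# Assumption: a generic, slightly stale-looking banner; any believable service string will do.
DECOY_BANNER = b"HTTP/1.0 200 OK\r\nServer: Apache/2.2.3\r\nContent-Length: 0\r\n\r\n"


class ProbeLog:
    """Thread-safe list of everything that touched the decoy."""

    def __init__(self):
        self._entries = []
        self._lock = threading.Lock()

    def add(self, peer, data):
        with self._lock:
            self._entries.append({"time": time.time(), "peer": peer, "data": data})

    def snapshot(self):
        with self._lock:
            return list(self._entries)


class DecoyHandler(socketserver.BaseRequestHandler):
    """Capture the first bytes the client sends, then answer with the fake banner."""

    def handle(self):
        self.request.settimeout(2.0)
        try:
            data = self.request.recv(1024)
        except socket.timeout:
            data = b""  # scanner connected but never spoke (e.g. a bare port sweep)
        self.server.log.add(self.client_address, data)
        try:
            self.request.sendall(DECOY_BANNER)
        except OSError:
            pass  # client already went away; the log entry is what matters


class Honeypot(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, address, log):
        super().__init__(address, DecoyHandler)
        self.log = log


def start_honeypot(host="127.0.0.1", port=0):
    """Start the decoy in a background thread; port 0 lets the OS pick a free port."""
    log = ProbeLog()
    server = Honeypot((host, port), log)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, log


def classify(entry):
    """Coarse label for an analyst: what protocol did the intruder think this was?"""
    data = entry["data"]
    if not data:
        return "connect-only"
    if data.startswith((b"GET ", b"POST ", b"HEAD ", b"OPTIONS ")):
        return "http"
    if data.startswith(b"SSH-"):
        return "ssh"
    return "unknown"


def probe(server, payload, timeout=2.0):
    """Act as the intruder: connect to the decoy, send payload, return its reply."""
    host, port = server.server_address[:2]
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(payload)
        return s.recv(1024)


def wait_for_entries(log, count, timeout=3.0):
    """Block until the log holds `count` entries (the handler runs in another thread)."""
    deadline = time.time() + timeout
    while time.time() < deadline:
        entries = log.snapshot()
        if len(entries) >= count:
            return entries
        time.sleep(0.05)
    return log.snapshot()


if __name__ == "__main__":
    server, log = start_honeypot()
    print("decoy listening on", server.server_address)
    probe(server, b"GET /wp-login.php HTTP/1.0\r\n\r\n")  # constructed self-probe
    for entry in wait_for_entries(log, 1):
        print(entry["peer"], classify(entry), entry["data"][:40])
    server.shutdown()
    server.server_close()
```

Run it and then point a port scanner at the printed address, or just let the built-in self-probe fire. Because nothing legitimate should ever connect, even a single entry is a lead, and the peer address plus the first payload bytes (which path an HTTP probe asked for, which SSH banner a bot announced) tell you what the intruder was looking for. Keep the decoy on its own segment so a compromise of the decoy host cannot be used as a pivot.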

“There will always be timely weaknesses during such events that hackers can exploit,” says Dudu Mimran, the CTO of Telekom Innovation Laboratories in Israel. “Public events such as the Super Bowl present an opportunity because many people will be using digital devices and posting pictures and opening emails around the event. Defenders need to understand the expected sequence of actions around these events and create pinpoint defenses and guidelines to reduce the expected risks. There needs to be a series of layered defenses coupled with user education and better awareness too.”

Good luck with your own do-overs.

FIR B2B #90: Learn the secrets of social media marketing from London’s top-rated restaurant today!

A social media firestorm has erupted over a fake restaurant that briefly became London’s top-rated eatery on TripAdvisor, even though it never actually existed. This video explains how the Shed at Dulwich rose to the top of more than 18,000 restaurants over a seven-month campaign. While Paul Gillin and I don’t condone fakery, we commend journalist Oobah Butler, who pulled off the stunt, for using good social media marketing tactics to make it work.

There are lessons here for B2B marketers about how to use social media and appropriate word-of-mouth marketing to promote their own legitimate brands and products. In short, take the long view and frame your message from the start, sticking to key talking points and repeating them to reviewers who might be inclined to review your products and services. You should also concentrate on the social networks that best match your market; the Shed used Instagram and a series of carefully prepared food photos, since that is what resonates on that network. Butler understood the value of a good photo in his promotion, and that the look of the plate can matter more than the actual ingredients, which in many professional food photos are inedible anyway.

The Shed never cheated anyone, and the prank wasn’t intended to steal money. It was intended to show up TripAdvisor, and it succeeded masterfully. Butler did end up serving a meal to a few select folks, but didn’t charge them. He had a certain graceful charm that is appealing. The experiment demonstrates the value of knowing your market and being trendy but not going over the top. It also shows why having some fun with your social media accounts doesn’t hurt. You can listen to our 11 min. podcast here.

What’s new with blockchain and security

The world of bitcoin, blockchain and cryptocurrencies is moving so fast that it is hard to keep up, even if you try to follow current events. Certainly, these have been wild times, with the trading prices of these currencies escalating wildly. This post reviews some of my own interests, namely some interesting places where you might want to read up more about blockchains and the intersection of these technologies with IT security.

Probably a good place to start is with my sister newsletter, Inside Bitcoin, researched and written by David Stegon three times a week. Like my own Inside Security newsletter, it comes packed with tons of great content, current events, trading prices of the leading currencies and more. For example, in today’s issue you can find out that the electricity used for bitcoin mining in Iceland will soon exceed what the country’s households consume.

If you are looking to learn more about cryptocurrency basics, the VC firm Andreessen Horowitz has put together this page of links it calls its Crypto Canon. There are a lot of beginner’s guides about privacy and security and tutorials for developers. Another really great source that goes into the actual mechanics of blockchain protocols is the current issue of the Internet Protocol Journal. Written by Bill Stallings, it is a clear and solid explanation of how a blockchain works to self-authenticate transactions: each block carries the hash of the one before it, so altering any past transaction changes every hash after it and is immediately detectable. That chaining is at the core of this brave new world.

If you haven’t gotten enough of a fix, I humbly suggest next taking a look at a blog post I wrote for the iBoss blog about recent blockchain exploits. Criminals are coming online, stealing funds from digital wallets, attacking currency exchanges, deploying hidden miners and going after initial coin offerings. An ICO is similar to an IPO for blockchain companies, except that instead of receiving dollars (or some other real currency), the company gets cryptocoins, often newly minted. The opportunity for abuse and fraud is limitless, and some companies have already “mysteriously” disappeared after their ICO.

The hidden cryptominers are particularly pernicious. Each compromised PC earns the attacker only a little on its own, but it costs the attacker nothing: the victim pays for the electricity and the hardware. Set up a network of a few thousand machines and you are literally creating cash while you sleep.

But blockchains can be used for improving and innovating when it comes to IT security too. Here are a few examples:

  • ShoCard uses blockchains to provide an identity authentication system so that people can share information with each other securely.
  • HYPR is similar, encrypting a user’s credentials but doing so without any centralized authority needed to vouch for them or store the information.
  • Microsoft is adding blockchain features so that its Authenticator app can manage all kinds of user identity data and cryptographic keys.
  • CertCoin is one of the first implementations of blockchain-based PKI. The project, developed at MIT, removes central authorities altogether and uses the blockchain as a distributed ledger of domains and their associated public keys.
  • Guardtime built the data-integrity platform behind the Estonian government’s e-services and now sells its KSI (Keyless Signature Infrastructure) blockchain-based enterprise security tools. Changes to the network configuration have to be authorized and the record of them is tamper-evident, making it harder for malware to gain access unnoticed.
  • Maidsafe has created an alternative Internet, the SAFE Network, where users can run apps, store data, and do everything else they normally do online, but in a more secure environment.
  • And IBM and Maersk have built a blockchain-based digital trading system to track the global logistics company’s shipments.
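To make the self-authentication idea from the Stallings article concrete, and to show the kind of ledger CertCoin keeps (domains bound to public keys), here is an added example that is not part of the original post or of either project: a toy hash-chained ledger in Python. The two-hex-zero proof-of-work target, the placeholder key strings and the domain names are all constructed for the example; there is no network, no consensus between peers, and no real key material.

```python
"""Toy append-only ledger: hash-chained blocks of domain -> public-key bindings."""
import hashlib
import json

GENESIS_PREV = "0" * 64
DIFFICULTY = 2  # leading hex zeros required of a block hash (assumption: toy proof-of-work)


def _digest(body):
    """Canonical JSON so the same block content always hashes the same way."""
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()


def mine_block(index, prev_hash, entries, difficulty=DIFFICULTY):
    """Find a nonce whose block hash meets the difficulty target."""
    nonce = 0
    while True:
        body = {"index": index, "prev_hash": prev_hash, "entries": entries, "nonce": nonce}
        digest = _digest(body)
        if digest.startswith("0" * difficulty):
            return {**body, "hash": digest}
        nonce += 1


def new_ledger():
    """A ledger starts with an empty genesis block chained to a fixed all-zero hash."""
    return [mine_block(0, GENESIS_PREV, [])]


def append_block(ledger, entries):
    """Each new block commits to the hash of the block before it."""
    last = ledger[-1]
    block = mine_block(last["index"] + 1, last["hash"], entries)
    ledger.append(block)
    return block


def verify_ledger(ledger, difficulty=DIFFICULTY):
    """Recompute every hash and link; any edited entry breaks the chain from there on."""
    prev = GENESIS_PREV
    for i, block in enumerate(ledger):
        body = {k: v for k, v in block.items() if k != "hash"}
        if block["index"] != i or block["prev_hash"] != prev:
            return False
        if _digest(body) != block["hash"] or not block["hash"].startswith("0" * difficulty):
            return False
        prev = block["hash"]
    return True


def current_key(ledger, domain):
    """Latest binding wins; earlier ones stay as history, so rotations are visible."""
    key = None
    for block in ledger:
        for entry in block["entries"]:
            if entry["domain"] == domain:
                key = entry["pubkey"]
    return key


def demo_ledger():
    """Constructed sample data: the keys are placeholder strings, not real public keys."""
    ledger = new_ledger()
    append_block(ledger, [{"domain": "example.com", "pubkey": "PUBKEY-EXAMPLE-COM-V1"}])
    append_block(ledger, [{"domain": "example.org", "pubkey": "PUBKEY-EXAMPLE-ORG-V1"}])
    append_block(ledger, [{"domain": "example.com", "pubkey": "PUBKEY-EXAMPLE-COM-V2"}])  # rotation
    return ledger


if __name__ == "__main__":
    ledger = demo_ledger()
    print("valid:", verify_ledger(ledger), "| example.com ->", current_key(ledger, "example.com"))
    ledger[1]["entries"][0]["pubkey"] = "PUBKEY-ATTACKER"  # tamper with history
    print("valid after tampering:", verify_ledger(ledger))
```

The point to notice is in verify_ledger(): every block’s hash covers the previous block’s hash, so editing an old entry breaks that block’s own hash, and re-mining just that block still breaks the link from its successor. An attacker who wants to rewrite history has to redo every block after the change, which is what makes the ledger tamper-evident.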

We have just seen the very tip of the iceberg when it comes to using these technologies, both for good and evil. Send me your favorite bitcoin/blockchain product or anecdote if you don’t mind sharing.

iBoss blog: The Many Forms of Cryptocurrency Exploits

While the prices of cryptocurrencies have been all over the place in recent months, they are certainly attracting a different kind of attention from the criminal world, which views them as an opportunity. These attacks take numerous forms, including stealing funds from digital wallets, attacking currency exchanges, deploying hidden mining and exploiting initial coin offerings (ICOs).

The first major exploit was the 2016 attack on The DAO, an Ethereum-based investment fund, whose smart contract was drained of roughly a third of its ether through a reentrancy flaw; the fund shut down and the Ethereum community hard-forked to reverse the theft. While that grabbed major headlines, there have been other, less-publicized attacks on exchanges. I look at some of the more recent examples in my post for iBoss’ blog here.

iBoss blog: Ten ways to harden your WordPress servers

One of the weak points in your enterprise may be something you haven’t paid much attention to: your WordPress servers. When you think more critically about it, there is a lot of exposed attack surface: a web server running PHP scripts, a SQL database behind it, and a large catalog of third-party plugins and themes that run with the same privileges as WordPress itself. Sadly, criminals have long recognized this target and have focused more of their efforts on exploiting WordPress servers. Indeed, this story from last summer’s DEF CON conference demonstrated how attackers were able to locate a fresh new WordPress site within 30 minutes of its going online. In my latest post for the iBoss blog, I talk about ways to make them more secure, such as adding the WordFence plugin.
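As a taste of the kind of check that belongs in such a hardening list, here is an added example, not from the iBoss post or from WordPress itself: a small Python audit that reads a wp-config.php and flags settings commonly left at their insecure defaults. The two configs in the block are constructed for the example; the constant names (DISALLOW_FILE_EDIT, FORCE_SSL_ADMIN, WP_DEBUG, the eight authentication keys and salts, $table_prefix) are real WordPress settings, and the parser assumes the simple one-per-line define() form that wp-config-sample.php uses.

```python
"""Audit a wp-config.php for hardening settings that are commonly left at insecure defaults."""
import re

DEFINE_RE = re.compile(r"""define\(\s*['"]([A-Z_]+)['"]\s*,\s*(.+?)\s*\)\s*;""")
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]""")
SALT_PLACEHOLDER = "put your unique phrase here"  # literal shipped in wp-config-sample.php
SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")


def parse_defines(text):
    """Extract define('NAME', value) pairs; booleans become bool, strings lose their quotes."""
    defines = {}
    for name, raw in DEFINE_RE.findall(text):
        value = raw.strip()
        if value.lower() in ("true", "false"):
            defines[name] = value.lower() == "true"
        else:
            defines[name] = value.strip("'\"")
    return defines


def audit(text):
    """Return (code, message) findings; an empty list means every check passed."""
    d = parse_defines(text)
    findings = []
    if d.get("DISALLOW_FILE_EDIT") is not True:
        findings.append(("FILE_EDIT",
                         "DISALLOW_FILE_EDIT is not true: the dashboard can edit theme and plugin PHP"))
    if d.get("WP_DEBUG") is True and d.get("WP_DEBUG_DISPLAY") is not False:
        findings.append(("DEBUG_DISPLAY",
                         "WP_DEBUG is on and errors (paths, queries) are shown to visitors"))
    if d.get("FORCE_SSL_ADMIN") is not True:
        findings.append(("SSL_ADMIN",
                         "FORCE_SSL_ADMIN is not true: logins and cookies may travel over plain HTTP"))
    for key in SALT_KEYS:
        value = d.get(key)
        if value is None or SALT_PLACEHOLDER in str(value):
            findings.append((f"SALT:{key}", f"{key} is missing or still the sample placeholder"))
    m = PREFIX_RE.search(text)
    if m is None or m.group(1) == "wp_":
        findings.append(("TABLE_PREFIX",
                         "default table prefix 'wp_' lets canned SQL-injection payloads work unchanged"))
    return findings


# Constructed sample configs for this example (not real site settings).
WEAK_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('AUTH_KEY', 'put your unique phrase here');
define('WP_DEBUG', true);
$table_prefix = 'wp_';
"""

HARDENED_CONFIG = "<?php\ndefine('DB_NAME', 'wordpress');\n" + "".join(
    f"define('{key}', 'example-only-random-value-for-{key.lower()}');\n" for key in SALT_KEYS
) + """define('DISALLOW_FILE_EDIT', true);
define('FORCE_SSL_ADMIN', true);
define('WP_DEBUG', false);
$table_prefix = 'k3p_';
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, "->", [code for code, _ in audit(cfg)] or "clean")
```

Point audit() at a real file’s contents (open("wp-config.php").read()) and treat every finding as a ticket. The checks are deliberately about configuration the site owner controls, which is the part of the attack surface that is cheapest to close; plugin vulnerabilities still need a scanner or a plugin such as WordFence on top.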

FIR B2B Podcast #89: Fake Followers and Real Influence

The New York Times last week published the results of a fascinating research project entitled The Follower Factory, that describes how firms charge to add followers, retweets, likes and other social interactions to social media profiles. While we aren’t surprised at the report, it highlights why B2B marketers shouldn’t shortcut the process of understanding the substance of an influencer’s following when making decisions about whom to engage. The Times report identifies numerous celebrities from entertainment, business, politics, sports and other areas who have inflated their follower numbers for as little as one cent per follower. In most cases, the fake followers are empty accounts without any influence or copies of legitimate accounts with subtle tweaks that mask their illegitimacy.

The topic isn’t a new one for either of us. Paul wrote a book on the topic more than ten years ago. Real social media influencers get that way through an organic growth in their popularity, because they have something to say and because people respond to them over time. There is no quick fix for providing value.

Twitter is a popular subject for analysis because it’s so transparent: anyone can investigate follower quality and root out fake accounts or bots by clicking on the number of followers in an influencer’s profile. Academic researchers have begun to use Twitter for their own social science research, and a new book by UCLA professor Zachary Steinert-Threlkeld called Twitter as Data is a useful place for marketers who know a little bit of code to assemble their own inquiries. (The online version of the book is presently free from the publisher for a limited time.) David has written more about the book on his blog here.

Paul and David review some of their time-tested techniques for growing your social media following organically, and note the ongoing value of blogs as a tool for legitimate influencers to build their followings.

You can listen to our 16 min. podcast here:

Researching the Twitter data feed

A new book by UCLA professor Zachary Steinert-Threlkeld called Twitter as Data is available online free for a limited time, and I recommend you download a copy now. While written mainly for academic social scientists and other researchers, it has great utility in other situations.

Zachary has been working with analyzing Twitter data streams for several years, and basically taught himself how to program enough code in Python and R to be dangerous. The book assumes a novice programmer, and provides the code samples you need to get started with your own analysis.

Why Twitter? Mainly because it is so transparent. Anyone can figure out who follows whom, and easily drill down to immediately see who are these followers, and how often they actually use Twitter themselves. Most Twitter users by default have open accounts, and want people to engage them in public. Contrast that with Facebook, where the situation is the exact opposite and thus much harder to access.

To make matters easier, Twitter data comes packaged in three different APIs: streaming, search and REST. The streaming API provides data in near-real-time and is the best way to get data on what is currently trending in different parts of the world. The downside is that you could be sampling a particularly dull moment when nothing much is happening. The streaming API is also limited to one percent of all tweets: you can filter and focus on a particular collection, such as all tweets from one country, but you still only get one percent. That works out to about five million tweets daily.

Many researchers run multiple queries so they can collect more data, and several have published interesting data sets that are available to the public. And there is this map that shows patterns of communication across the globe over an entire day.

The REST API has limits on how often you can collect and how far back in time you can go, but isn’t limited to the real-time feed.

Interesting things happen when you go deep into the data. When Zachary first started his Twitter analysis, he found, for example, a large body of basketball-related tweets from Cameroon, and upon further analysis linked them to a popular basketball player (Joel Embiid) who is from that country and has a lot of hometown fans across the ocean. He also found that lots of tweets from the Philippines written in Tagalog were being miscataloged as an unknown language. When countries censor Twitter, that shows up in the real-time feed too. Now that he is an experienced Twitter researcher, he focuses his study on the smaller Twitterati: studying celebrities or those with massive Twitter audiences isn’t really very useful. The smaller collections are more focused, and it is easier to spot trends in them.

So take a look at Zachary’s book and see what insights you can gain into your particular markets and customers. It won’t cost you much money and could pay off in terms of valuable information.

The best way to get more social media influence is to grow your own

The NY Times published the results of a fascinating research project a few days ago. Entitled The Follower Factory, it describes a firm that gets paid to add followers to your Twitter, Facebook and other social media accounts. Shocking, right? What is interesting and new about this report is how far a scam artist will go to replicate real users’ profiles, copying their photo, background images and biographical data, and their user name with homograph substitutions (look-alike characters such as a Cyrillic letter standing in for a Latin one, or a digit 1 for a lowercase l) so it is hard to distinguish from the original account owner. Many celebrities, or would-be ones anyway, have bought massive follower lists in an attempt to boost their own brand. It doesn’t work, and most of these efforts ultimately fail.
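The Times’ description of spoofed handles, and the “subtle tweaks” mentioned in the podcast notes above, come down to confusable characters, and you can catch most of them with a few lines of code. The following is an added example, not something from the Times report or the podcast: it reduces a handle to a visual “skeleton” and compares that against your own known accounts. The confusables table is a small, constructed subset of Unicode’s confusables list, the set of ignorable filler characters is my choice, and the handles in the demo are made up.

```python
"""Flag social-media handles that impersonate a known account via look-alike characters."""
import unicodedata

# Partial confusables map, constructed for this example. Unicode's confusables.txt
# (UTS #39) lists thousands more; this covers the swaps seen most often in handle spoofing.
CONFUSABLES = {
    "0": "o", "1": "l", "|": "l", "!": "i", "3": "e", "5": "s", "$": "s", "@": "a", "7": "t",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",  # Cyrillic а е о р с
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j",                # Cyrillic у х і ј
    "\u03b1": "a", "\u03bf": "o", "\u03c1": "p", "\u03bd": "v",                # Greek α ο ρ ν
    "\u0131": "i",                                                              # dotless i
}
# Characters a spoofer adds or drops to dodge an exact-match check (assumed set).
IGNORABLE = {"_", ".", "-", "\u200b", "\u200c", "\u200d", "\ufeff"}


def skeleton(handle):
    """Reduce a handle to what it looks like: normalize, casefold, fold confusables, drop fillers."""
    folded = unicodedata.normalize("NFKC", handle).casefold()
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded if ch not in IGNORABLE)


def edit_distance(a, b):
    """Levenshtein distance, for near-misses that the skeleton alone does not catch."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalikes(candidate, known_handles, max_distance=1):
    """Return (known_handle, distance) for every known account this handle could impersonate."""
    hits = []
    cand = skeleton(candidate)
    for known in known_handles:
        if candidate.casefold() == known.casefold():
            continue  # this is the genuine account, not an impostor
        distance = edit_distance(cand, skeleton(known))
        if distance <= max_distance:
            hits.append((known, distance))
    return hits


if __name__ == "__main__":
    known = ["paulgillin", "dstrom"]  # constructed list of accounts we want to protect
    for handle in ["p\u0430ulgillin", "paulgi11in", "paul_gillin", "PaulGillin", "someoneelse"]:
        print(repr(handle), "->", lookalikes(handle, known))
```

Feed lookalikes() the handles of new followers, mentions or reply authors and review anything that comes back. Distance 0 means the handle is visually identical to one of yours once the tricks are undone; distance 1 catches a dropped or doubled letter. Raising max_distance catches more but starts flagging honest neighbours, so keep it at 1 or 2 for short handles.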

The NYT piece goes into detail, showing how different automated bots can be used to create seemingly human Twitter accounts. While most of them aren’t worth the electrons that are consumed, there are some useful Twitter bots such as those that can detect emergency situations or track other newsworthy events. The piece also describes a dissatisfied employee from the original scammers who left to start his own venture, copying his former employer’s tactics. On the Internet, no one knows how low you can go.

Real social media influencers get that way through an organic growth in their popularity, because they have something to say and people respond to that over time. There is no quick fix for providing value. If you buy a bunch of followers, the “real” followers will go elsewhere. If you try to game the system, ultimately the folks who are just creating solid content will show these con artists up.

Sadly, this is nothing new. My podcasting partner Paul Gillin wrote more than six years ago about the flaws in Klout scores, which were a darling back then. The link between people who spent a lot of time massaging their Klout data and higher scores troubled him then, and still does. There are more recent metrics that try to measure social media influence, but they are just as flawed. Let’s forget the idea that influence can be distilled into a single metric and instead look at what the best influencers are trying to do. Interestingly, Gillin wrote a book on the topic more than ten years ago.

Marshall Kirkpatrick also long ago wrote a blog post about ways to add value in online communications. They are still relevant today:

  1. Be first. If you can be the first place someone sees some valuable information, people will notice.
  2. Say it best. If you communicate more clearly, effectively, or insightfully about a topic of general interest, that’s a big value add.
  3. Bring multiple perspectives together.
  4. Have a unique perspective.
  5. Be funny.

Notice what is different about this list? Nothing on it costs money, but it does take time, and you need talented people who aren’t just cutting and pasting from across the Interwebs. Too bad that message isn’t clear, years after the web and social media first became popular.

FIR B2B Podcast #88: The Decline of Trust and New Twists on End-of-Year Research

This week, Paul Gillin and I examine the results of the 2018 Edelman Trust Barometer, which shows a remarkable drop in the overall trust from the public. Some alarming results from the annual survey:

  • Sixty-three percent of respondents say they do not know how to tell good journalism from rumor or falsehoods or if a piece of news was produced by a respected media organization.
  • Chinese citizens trust their government more than U.S. citizens trust theirs. 
  • Technology remains the most trusted industry sector of them all, with a trust rating of 75% (whew).
  • CEOs are becoming more trusted sources and are increasingly being asked to address public policy issues.
  • One-quarter of respondents said they read no media at all because it is too upsetting. 

In the second part of our discussion, we look at some examples of annual trend reports in the security field that I have been studying for this post. For example, Kaspersky’s “story of the year” was about the rise of ransomware, and this set of predictions from ServiceNow is short and sweet, which is a nice break from the norm. Watchguard has been posting a series of predictions to its blog using short videos. All are noteworthy. We suggest B2B marketers review these tactics and see if they can apply them to their own media relations efforts.

You can listen to our 17 min. podcast here:

The role of the WWII coder girls

I am reading the book Code Girls, the true story about the thousands of women who worked decoding WWII message traffic for the Army and Navy. It is a fascinating look at how they shaped the crypto and spying industries, and largely an unknown and untold story. I would recommend it highly for your own reading.

One of the women featured in this book is Elizebeth Friedman. She and her husband William were a code-breaking power couple, and she is the subject of another book, The Woman Who Smashed Codes, that came out last year. Her role is mentioned in Code Girls, but the focus there is on others who are even less famous. The couple met at the Riverbank estate of an eccentric philanthropist named George Fabyan, who thought that Bacon wrote Shakespeare’s works and wanted some crackerjack researchers to prove it. The couple ended up falling in love with each other and disproving the Bacon theory once and for all.

There has been a lot written about the activities of the British code breakers at Bletchley Park (and you can read some links to them here), but not as much about the parallel American efforts against the German Enigma and Japanese Purple cipher machines and the naval codes used during the war. What is interesting about this book is how it describes the lives of ordinary women who were plucked from jobs as school teachers and clerks, or straight from college, into this top-secret life in the nation’s capital and elsewhere to help the war effort.

Why were women chosen for this task? Several reasons. First, most of the men were off fighting the war, so the potential employment pool was diminished. Second, the military found that women made better code breakers: they had better concentration and more of an eye for detail. Many of them were math and science majors and liked the kind of work involved; this was an era before we started telling girls that they weren’t good at math! Finally, the country needed thousands of them for this job. In some cases, entire graduating classes were hired on the spot. The women had no idea what they were signing up for, and often left their lives with nothing more than a few dollars in their pockets and a one-way train ticket to DC.

The Army and Navy had different recruiting strategies and set up competing organizations, based in different parts of DC. Early on, one group worked on messages that were received on odd-numbered days and one on even days. That wasn’t very productive, and eventually the two sorted out different theaters of war to focus on.

Two myths are busted in this book. The first is that people who are good at solving crossword puzzles make good code breakers. That isn’t necessarily so, because crosswords are built with escalating clue difficulty, since most people start at the upper left and work their way down the puzzle. Code breaking is very tedious, and you have to deal with far more frustration as you run into big roadblocks in figuring out patterns, since the codes frequently change.

Second is that decoding intercepts could have helped prevent Pearl Harbor. That might have been the case had the US tuned up its efforts but that wasn’t possible during peacetime, given the climate that we had before we entered the war. Decoding intercepts was one of the reasons why we were able to dominate the Pacific theater and sink so many Japanese ships. Often, our military was reading their messages concurrently with their intended recipients, and had to stage a fake aircraft fly-over to hide the real source of their intelligence on the Japanese Navy’s movements.

An interesting side note: this past week my colleague Elonka Dunin (who has spent a lot of time on the Kryptos sculpture at CIA headquarters) published a paper about the Friedman tombstone and how it contains a hidden cipher. Can’t see it? Look closer. That is why most of us would be terrible code breakers.