Saturday, January 28, 2017

"Calexit" Backed By The Kremlin

FYI, anyone thinking that "Calexit" is a good idea should take a look at who's behind it: Russia.

Why? Divide and conquer foreign governments while increasing the scope and power of its own:

Interesting to note that Russia celebrates every country dividing except its own - talk of secession is illegal there:

"Moscow supports pro-Russian separatists in eastern Ukraine, but criminalizes calls for separatism or increased regional autonomy at home."

yescalifornia[.]org, the website set up for the Calexit initiative, was registered by Louis Marinelli:
Registrant Name: Louis Marinelli
Registrant Organization:
Registrant Street: 606 27th Street
Registrant City: San Diego
Registrant State/Province: California
Registrant Postal Code: 92102
Registrant Country: US
Registrant Phone: +1.6195812403
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email:

Who's he? Read for yourself:…/from-his-home-in-russia-calexit-lead…/

Moscow hosted & funded anti-globalizationists from around the world in July 2016:…/us-and-eu-separatist-groups-to-ga…/…

California’s “embassy” is the headquarters of Russia’s Anti-Globalization Movement:

Google dork (search term) to see just how Marinelli is portrayed in Russian propaganda: louis marinelli

Sunday, January 22, 2017

Attribution for Beginners

How do intelligence analysts know <nation-state/threat-actor> is behind malicious activity?

The simple answer is that criminals are human. Humans are creatures of habit. Humans follow certain constructs of behavior native to their geographic regions. Humans make mistakes. In intelligence terms, these human foibles translate to "tools, techniques and procedures," or TTPs.

This isn't the most illuminating answer to anyone new to threat research and adversary hunting. So in this blog, I'll go over a very basic example. I won't show a bad guy, real or based on a real adversary, for a number of reasons. First and foremost, the minute an adversary's TTPs are made public they change them up. This can set active investigations and legal cases back months. Instead, for illustrative purposes, I'll use the country's (reportedly) new cyber security czar's already-public website, Giuliani Security and Safety.

Attributing activity is similar to reconnaissance, the first step in the cyber kill chain. The only difference is that the analyst is backing into the information using artifacts collected in the initial stages of investigation. The typical first couple of the artifacts researched are the source activity's IP addresses and domain names. Let's say we found in our logs. First, we look for the IP addresses associated with the domain:

Digging into the background on these IPs reveals that they were/are dedicated to Because they're dedicated, as opposed to residing on shared hosts with other domains, these IPs are interesting. We'll note these as solid leads on enumerating the infrastructure behind the domain. What we would do from here in a real investigation is use tools like Shodan, Censys, Nmap and others to identify what's on the IPs - software, versions, exposed services and ports, known vulnerabilities of software/versions and services, etc. For the sake of brevity and because this is not a real attacker/investigation, I'll skip that part here. Interested readers can find this information easily.

Let's move on to see what we can learn about the domain. One of the key factors is learning who registered the domain. There are multiple ways to do this. I'll use a graphical example:

There's a lot of information here. Interested folks can look up the RFC on DNS here. Meanwhile, let's focus our attention on the registrant details:

Who's Data Docket? Might be a website or IT company but it's best not to speculate. We let the data speak. As of this writing, the search term "Data Docket" fails to yield the domain name in the Registrant Email address in the first page of Google results. That means "" is buried in the nether regions of the results which means it's got low traffic numbers. Sounds oddly small potatoes for such a high profile customer.

Let's try the email address. The search results for that look more promising. Here's the top hit:

So who's David Haenel? All results, and I mean ALL, relate to a lawyer in Florida. Just to be sure, I tried searches on his name plus every keyword I could think of that could turn up a web designer or host ("web," "website," "developer," "web host,""technology," etc.). The only results that came up, time after time, were related to David Haenel, Esq. He has the corner on the Internet search results. So here he is:

Now we start to ask questions. Why is a lawyer registering the domain of a cyber security company? What's his relationship to the source domain? Sure, Rudy Giuliani was a lawyer but if you're going to outsource technology-based responsibilities, wouldn't a technology company be more appropriate? Which makes this deviation from the norm seem deliberate. Or does it? Let's see what LinkedIn has to say about Mr. Haenel.

That third entry is interesting. A simple search for "Scorch SEM" gives us the domain name, no surprises there. A visit as of this writing showed a parked page (placeholder). Seems unusual for a 13-year-old company. So we take a look through the Wayback Machine and find this, circa 2013:

Note the contact email, "" Interesting but inconclusive. David is a pretty common name. Until we turn our attention to the bottom of the page:

Copyright by Finebloom & Haenel. Where have we seen those names before? On the header of the pages for Finebloom Haenel & Higgins, as seen above. Seems like the same guy. Going back to the search results on the name "David Haenel" it's starting to make sense - Scorch and both tout SEO, search engine optimization. Mr. Haenel is clearly good at SEO given that he's managed to corner the search market on his name.

By the way, there's a reason I chose a lookback at 2013. It's the year went live. They secured the domain name in 2004, added the first IP host in 2009, and parked the domain until Feb 2013.

From here, we would look for intersections between the lives of Haenel and Giuliani to see what, or who, brought them together. We would build relationship maps based on those intersections, the infrastructures, and end up with the story of who's who and why.

This (extremely brief) exercise has been based in what's called "OSINT" or open source intelligence. In other words, putting pieces together using publicly available information. Had this been a real investigation, we would have had non-public information to help us uncover the facts, such as logs from systems touched and traversed. If malware was involved we would have samples and/or artifacts like configuration files, supporting scripts, command and control infrastructures, and such.

Similar to a physical crime scene, all bits of data in and around the scene of cyber crime are sifted for breadcrumbs of trails that can lead to identifying the true source of malicious activity. Even when the bad guys try to trip up investigators to throw them off track, the specific tactics they use for disinformation are also fingerprints once you know how and where to look.

Saturday, September 10, 2016

How Not To Do Security Research

Something came to my attention that’s a convenient follow-on to my previous post:

The overt message in this video is good. We should all be careful about how we handle our ATM, debit & credit cards. On the other hand, the power of the warning is lost on people like me who cringe at the behavior of the messenger. It’s hard enough for the good guys to navigate legal waters without people like this encouraging others to emulate their bad behavior.

Don’t get me wrong - I jiggle card readers at ATMs and gas stations all the time. Those are the top targets for the type of card skimmers depicted in this video. But that’s where the similarities between us end.

Mistakes this guy made:

- Removing the device without informed consent of the impacted financial institution and/or law enforcement, not ok. But wait, you say, it came off in his hand. However, he clearly had a cell phone. He could have stopped at that point and called the police, the bank or both. "Freeze the scene" is a fundamental in digital forensics.

- Walking away with evidence unlawfully collected, really not ok. Unless, of course, that walk is to the nearest police station or bank branch. Which it wasn't, we can surmise, as we listen to the next mistake...

- Intending to destroy evidence ("I'm gonna go see what I can do about reverse engineering this") without informed consent, egregiously not ok. Regardless of whether or not he did disassemble the reader, the whereabouts of that device between time of discovery to being turned over the to the police (see his first "Update" on the YouTube page) and what happened to it in the duration is undeniably called into question. It's no longer a viable piece of evidence in any court of law in the hands of a passable defense attorney.

What the creator of this video did by stomping all over the evidence of a crime ensured the bad guys got away it and victims will never see a dime in restitution. Most banks indemnify customers in this type of fraud to some extent. In the US, skimmer victims are typically liable only for the first $50 in losses. In the EU, where this video was reportedly shot, the victims would likely have been fully compensated.

I use this video now when interviewing job candidates. There’s more to threat research than technical skill. Critical thinking is just as important. Enthusiasm is great, obstruction of justice is a massive fail.

Saturday, August 20, 2016

So You Think You Can Cyber?

With a new school year looming, students ask themselves, "What do I want to do for a living?" Several summer interns at my day job and elsewhere have asked me about the information security field. The top question has been consistent which means it's time for a new blog post!

Why is cyber security such a hot field now?

It's a byproduct of accessibility of Internet connectivity and proliferation of connected devices. Twenty years ago, only the biggest companies and governments had the bandwidth, literally and figuratively. As ecommerce caught on, crime quickly followed. It started with the curious, the attention-seekers, and espionage. By the early 2000's, financially-motivated attackers emerged with the rise of online banking. Malware spread through email, attacking both corporations and consumers by impersonation (e.g. Zeus), while laws and defenses scrambled to catch up. Then came exploit kits which up-leveled the scale of attacks leading to an explosion of criminal activity. Skilled information security analysts, digital forensics investigators, and vulnerability analysts (pentesters) were in short supply. The technologies needed to combat the threats either didn't exist or came at high cost. "Information security" was a checkbox on audit reports for regulated industries and payment card processors that auditors themselves didn't fully understand or appreciate which meant they could be easily satisfied by incomplete or vague responses. While the industry struggled to define itself, the demand for highly skilled and experienced workers grew - too few people and too few products/services to fill a fast-growing field. The inevitable happened. Breaches became more common with increasing impact. Heartland and TJX proved to the criminals that they only needed to be right once while the defenders had to be diligent 100% of the time. Thus the odds were in favor of the bad guys. In the last 5 years, the number of significant breaches and huge dollar losses made its way into the mainstream press which brought cyber security issues into the common vernacular (at last).

As pointed out above, defenses need to be effective all the time, which requires a highly-skilled workforce with a depth of technical knowledge, problem-solving skills, legal awareness (particularly for incident responders and forensics specialists), and to continuously maintain the knowledge and skills. Add to the mix soft skills like grace under pressure, non-linear critical thinking, and, one that's often overlooked but absolutely essential, playing well with others. The attack surface grows constantly, crosses operating systems, devices, platforms, and programming languages while the threats constantly grow and shift, encompassing script kiddies, hacktivists, fraudsters, organized crime and nation state attackers. One need only look at a Target or Sony situation to understand the risk of taking shortcuts on security technologies and practitioners. There's no such thing as a "set and forget" security product or service - all security solutions require people who understand the threats and the technologies in order to maintain the products and services, which all require tuning to each organization's specific needs along with constant care and feeding to maintain effective vigilance. To stay on top of this ever-growing, ever-shifting landscape, we need a steady flow of new talent coming into the field, and there's just not enough of them. Meanwhile, experienced practitioners are hopping around from company to company because we're being chased by staffing recruiters dangling big paychecks literally every day. There's also a high degree of burnout because of the stress. So, it's basically a matter of supply and demand. There just aren't enough workers to fill the more than 1 million job openings (see Folks in the industry are trying to change this through outreach at all levels of learning, from grade school-level up to advanced degree programs.

So, do you think you can cyber?

Saturday, April 9, 2016

Tourist's Guide to the Dark Web

I've gotten the same question from multiple people lately, which means it's time for a blog post. The question: What exactly is the 'Dark Web'?

First, let's clear up the language. There's "deep web," "dark net," and "dark web." These are not synonyms.

The "deep web" is any website that's not indexed/searchable on what we know and love as the Internet. Your online bank account or Yahoo/Gmail/Live/etc. email are examples of this. Basically, if you need to authenticate to reach content (log in with a username and password or passcode), you're accessing the deep web.

A "dark net," the term most often mistakenly used as a euphemism for "dark web," is unused IP space within an allocated range. It can also mean undiscoverable/masked IP space, such as virtual private networks (VPNs). Prior to the existence of the dark web, VPN nesting (using multiple virtual services to connect) was a popular method for those wishing to make their online trail difficult to follow.

The "dark web" is the mysterious sub-Internet underground society filled with shadowy figures who are anti-censorship or conducting nefarious activity.

Understanding the Internet's underbelly requires a brief overview of the Internet itself. Typically, a web browser is the means by which most of us connect to websites (I know, I know, there's curl, wget, and such; that's a different discussion). Web browsers dictate the user experience governing your connection. You can customize them to block ads, enforce SSL encryption (on websites that support it), add or remove domain and IP block lists, and on and on, or you can simply launch the browser, as is, and you're off and running. Meanwhile, your service provider, such as your home ISP, or your network admins at your office have ultimate control over how Firefox, Safari, Internet Explorer, Edge, Chrome, etc. access and interact with web and mobile sites. While some of the places we visit are members-only (see deep web), everyone can freely access the multitude of public web pages.

Well, not everyone. Which leads us to the "dark web."

The dark web was originally intended as a literal and figurative tunnel bored through the open web to enable unfettered Internet access for political dissidents, journalists, and others concerned about online privacy and censorship. Access is gained by one of several special web browsers that circumvent website tracking and traffic-control technologies while hiding their originating IP address to avoid being identified. Tor and i2P are examples of these browsers while the Great Firewall of China is an example of a reason they exist. The dark web very quickly attracted other types of people wishing to remain anonymous and/or hide their activity, namely criminals. Forums and markets appeared offering everything from street drugs, tutorials on cashing out ill-gotten gains, buying & selling weapons, get the idea.

The dark web is like any other community in real life or on the Internet. It has its nice side, where privacy-minded folks just want to do what they do without their activity being impeded or tracked. And it has its creepy neighborhoods, places you might think twice about visiting. I know the pull of curiosity is strong and anonymity can be empowering. Just remember that what you see can't be unseen. Disturbing content can stay with you, whether you like it or not. Consider yourself warned.

So how does the dark web work? It's sort of like a peer-to-peer network where the data sent from the browser gets broken up and distributed across multiple server relays ("nodes") operated by volunteers and through which traffic gets randomized. For optimization, a single session lasting a few minutes will follow the same route. Longer sessions or subsequent sessions will get re-routed to make tracking more difficult.

If you visit, enjoy your stay and try to avoid getting hurt or hurting others. The takedown and arrest of the operator of one of the dark web's largest drug markets, Silk Road, should serve as a reminder that, at the end of the day, we're all human. Humans make mistakes and that's how they get caught.

Tuesday, January 19, 2016

Open Season on ID Theft

It's that time of year again, tax time for the US and UK. Scammers keep track of the dates, too, and they've rolled out their 2015 tax year-themed malware and identity theft campaigns.

So how do they trick victims? The most common method is phishing. Here's an example making the rounds:

Clicking on the link takes the victim to a page that looks similar to this:

There are several hints that neither the email above nor the purported IRS page are legitimate. First and foremost, according to the IRS, they won't "initiate contact with taxpayers by email, text messages or social media channels to request personal or financial information. This includes requests for PIN numbers, passwords or similar access information for credit cards, banks or other financial accounts."

Next, take a closer look at the URL:

Notice the domain name, "" It should be obvious that the IRS web pages are all hosted on

Another clue in the URL is something we see often in phishing pages, the presence of multiple top level domains (TLDs). In this case, we see both ".com" and ".net." Without going too far into the technical weeds, a domain's TLD is the root of its home on the Internet where browsers or other Internet-connected devices can find it. While a domain can be registered with multiple TLDs,- such,,, etc. - each will reside on separate websites in order to route properly with each root TLD serving as a guide. There can be only one at a time.

So what can you do to protect yourself this (and every) tax season?

1) As mentioned in previous posts, I'm a fan of security freezes. It can be a hassle but a one-hour investment of your time buys you a lifetime of peace of mind.

2) Never click on links in emails. Period. Too many online companies have trained us all to click but it's safer to type in the web address yourself to ensure that you land where you expect to land.

3) Hover your mouse over hyperlinks in email. In all browsers that I can think of, this reveals the full and true address associated with the link. In phishing emails, you'll notice mismatches between what you expect to see and the real address.

4) Report phishing attempts to the IRS. They have great information and guidance, along with appropriate reporting email addresses, here:

Tuesday, December 1, 2015

Keep Your Spirits Bright

The holiday season is upon us, the time of year when we defy our normal spending and travel patterns. A bicyclist in Los Angeles hops on a plane to visit friends in Omaha where they spot a great deal on a putter that they ship to their favorite uncle in Texas. A Memphis lawyer spends Cyber Monday hunting for the best deals on imported wine for pickup in an NYC shop for their former college roommate. Best friends head to Las Vegas for a break from the early Colorado winter.

Why are these activities important? Because banks and credit card processors use automated fraud detection systems that "learn" our normal spending habits and locations then raise alerts on anomalous behaviors. The bad guys look forward to this time of year as much as kids await the season's first snow day. Fraudsters can count on consumers breaking their own models which may slow down these anti-fraud detections, giving criminals more time and flexibility for identity theft.

Some banks are better at detection than others, of course. But the onus isn't completely on them. There are simple steps you can take to protect yourself.

First and foremost, everyone should have a security freeze on their credit. Sometimes called a "credit freeze," this requires your direct participation to grant explicit access to your credit report in any request for information or application against your social security number. It's a bit of a pain to implement because you need to contact all of the "big 3" credit reporting agencies - Experian, Equifax and TransUnion - but the hour or so out of your life is worth the peace of mind knowing that fraudsters can't open new accounts in your name. You can learn more about security freezes at the FTC website here:

There are other steps you can take to keep the criminal Grinches at bay. Check your bank and credit card activity online more closely during the holidays, at least once a week. And while you're there, enable two-factor authentication ("2FA"), sometimes called "advanced access" or "identification code." This is a huge step in preventing bad guys from brute-forcing and/or phishing your login credentials. You can read more about that topic in my previous post, "What's In a (Pass)word?" Since that post was first published, more online services offer 2FA including banks, email providers and social networks.

With these few precautions, you can spend less time worrying about identity theft, or, worse, cleaning up the aftermath of fraud, and spend more time with loved ones. Happy holidays!