Thursday, February 7, 2019

Ain't No Party Like A Left Coast Party

Attending Left Coast Crime this year? Join me, along with several of the short story authors appearing in Sisters in Crime NorCal’s brand-new anthology of crime and mystery fiction, FAULT LINES, for a Happy Hour toast to our readers!



We’ll be at the Grain Tasting Bar in the main lobby of the Hyatt Regency Vancouver on Thursday March 28 at 5pm.

What's Left Coast Crime? It's the annual gathering of authors, readers, critics, librarians, publishers, and other fans of mysteries held during the first quarter of the year in Western North America.

Hope to see you there!

Tuesday, November 6, 2018

Coming Soon - My Crime Fiction Debut

I'm thrilled to announce my first publishing credit in crime fiction! It's sort of a double debut - my local chapter of Sisters In Crime is publishing their first-ever anthology, Fault Lines: Stories by Northern California Crime Writers, coming in March 2019.

Check out this killer lineup:


I wrote the short story "SegFault" (geek shorthand for "segmentation fault," a computer error condition) to see how far I could make it in a blind submission process alongside the award winners and best sellers in the NorCal SinC chapter. It also gave me a fun way to challenge myself to write a cyber crime-themed short story, as opposed to the novel I'm currently polishing up. The word count restriction tested my ability to translate technical concepts into plain English while spinning a compelling yarn.

Watch this space for updates as the release date for Fault Lines draws nearer.


Wednesday, September 19, 2018

Let's Talk Blockchain!

You walk into a conference room. Co-workers pop open cans of LaCroix water. You brought your laptop, ready for the hard questions. An executive takes a seat at the head of the table. The topic of discussion gets under way. And then it happens. Someone uses the word "blockchain" in a way that makes zero sense and sounds like magic.


Blockchain isn't magic. It's math.

The best-known current implementations of blockchain are cryptocurrencies, like Bitcoin or Ethereum. So let's go with that as an easy way to describe the magic - er, math - of blockchain.

Generating cryptocurrency is like a gold mine. There's a mountain (the public ledger aka blockchain), and a bunch of gold nuggets (mathematical challenges) are buried in that mountain. Finding each nugget (solving the challenge) leads to finding more nuggets (moving on to the next challenge). But only up to a point. Because, like mines, cryptocurrencies are finite. Why? Blockchain.

Each step of the process of digging up the nuggets gets validated by a cryptographic algorithm, like an assessor who measures the size and weight of the gold nuggets you bring in after a long day of mining. No single assessor is given the power to validate all of the gold nuggets in the world. They group together and all have to agree, which is where the public ledger comes in. Each assessor shares their information by adding their "yup, it's gold and here's how much this nugget is worth" message on to one another's assessments that get logged in the ledger. The latest validation is added to the previous ones, forming a daisy chain of "yups." That chain links together all the available validations to prove you did, indeed, uncover a bunch of gold nuggets that the group of assessors agreed to validate.

Maybe "chainlink" didn't sound sexy enough. Instead, it's called "blockchain." Rather than simply issue a certificate of authenticity/value, which could be stolen or forged, the blockchain is made up of chunks of data, each cryptographically linked to the one before it, that act as the authoritative "yup" to prove your mining efforts paid off. The act of mining cryptocurrency is known as...wait for it...cryptomining.

Cryptomining is like digging up all the gold nuggets from all the mountains. The value of cryptocurrencies is like that of any commodity: it's determined by how much people are willing to pay for it. Generating each "coin" is computationally expensive (translation: it takes a lot of horsepower) because the chain of algorithms is long and the math puzzles are intentionally hard, to make sure the results are rare. The rarer the commodity, the higher its value. Blockchain enforces that difficulty through the length of the chain and the distributed way it is built. Thus, mining cryptocurrency is slow and methodical.

This is why bad guys have taken to hiding cryptomining scripts and programs on compromised systems. The more horsepower they can throw at mining operations by hijacking your computer, cell phone, TV, or other Internet-connected devices, the faster they mine and the more coins they yield. The blockchains don't care who finds their associated coins (e.g. Bitcoin, Ethereum, Monero, etc.) or how; all that matters is that they're found.

So, simply put, blockchains are distributed chunks of data that, when pieced together, validate information of value. Really, that's all. No magic required.
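To make the "daisy chain of yups" and the "intentionally hard math puzzle" concrete, here is a toy proof-of-work chain in Python. It is an added example written for this post, not code from any real cryptocurrency; the block layout, the leading-zeros target, and the sample ledger entries are all constructed simplifications.

```python
import hashlib
from dataclasses import dataclass

GENESIS_PREV = "0" * 64  # constructed placeholder: nothing precedes the first block


@dataclass
class Block:
    index: int          # position in the chain
    prev_hash: str      # hash of the block before this one (the "daisy chain" link)
    data: str           # what is being validated (constructed sample: a ledger entry)
    difficulty: int     # required number of leading zero hex digits in the hash
    nonce: int = 0      # the miner's guess; changed until the hash meets the target

    def hash(self) -> str:
        # Every field, including the link to the previous block, feeds the hash,
        # so altering any field of any earlier block breaks every later link.
        header = f"{self.index}|{self.prev_hash}|{self.data}|{self.difficulty}|{self.nonce}"
        return hashlib.sha256(header.encode()).hexdigest()


def meets_target(digest: str, difficulty: int) -> bool:
    return digest.startswith("0" * difficulty)


def mine(block: Block) -> Block:
    """Brute-force the nonce until the hash meets the target. Each extra hex digit
    of difficulty multiplies the expected work by 16: that is the 'horsepower'."""
    while not meets_target(block.hash(), block.difficulty):
        block.nonce += 1
    return block


def build_chain(entries, difficulty):
    chain, prev = [], GENESIS_PREV
    for i, data in enumerate(entries):
        block = mine(Block(i, prev, data, difficulty))
        chain.append(block)
        prev = block.hash()     # the next block links to this one
    return chain


def verify_chain(chain) -> bool:
    """What every 'assessor' does: re-check each link and each proof of work.
    Verification costs one hash per block; only mining is expensive."""
    prev = GENESIS_PREV
    for i, block in enumerate(chain):
        if block.index != i or block.prev_hash != prev:
            return False
        if not meets_target(block.hash(), block.difficulty):
            return False
        prev = block.hash()
    return True
```

Running `build_chain(["alice pays bob 5", "bob pays carol 2"], 3)` and then editing `chain[0].data` shows why a forged "certificate" fails: `verify_chain` returns True before the edit and False after it, because the tampered block's hash no longer matches the link stored in the block that follows.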


Thursday, May 17, 2018

Confessions of a Star Wars Fan

I have a confession to make. I'm not really a fan of science fiction. There are exceptions, of course. Star Wars: A New Hope jumps to the top of my list. I'm a HUGE fan. So are most of my peers in the cyber crime fighting world. Including those who, like me, may not be the biggest sci-fi fans. It occurs to me the exceptions – the sci-fi books and movies I enjoy – often have a hacker theme. Even Star Wars.

What? I hear you ask. Star Wars is a hacker movie?

Yes, yes it is.

Some parts are obvious. Like Princess Leia saying, in reference to the stolen Death Star plans, "I only hope that when the data's analyzed, a weakness can be found." That's classic reverse engineering.

There are other hacker-y scenes, too.

Luke triggering the hologram, for instance. It was meant for Obi-Wan's eyes only, but Luke accidentally made R2-D2 play a snippet. In other words, he inadvertently exploited a vulnerability in the droid.

When Luke and Han pose as storm troopers with Chewbacca in handcuffs to trick their way into the detention area, that's an example of social engineering.

R2-D2 plugging into the port to find Leia in the first place? That's penetration testing. Once R2 has that digital foothold, the droid turns off the trash compactor. This is an example of lateral movement within a now-compromised network.

Obi-Wan gets in on the vuln exploitation by finding and shutting down the tractor beam holding the Millennium Falcon. Sure, he does it manually, but, hey, it worked.

And when our heroes get away, Leia says, "They're tracking us." There are several ways that could be cross-referenced to cybersecurity. For years, content providers have used tracking pixels on web pages as a way to combat lookalike phishing pages. Honeypots, computers or virtual computers intended to be hacked so the good guys can watch what the bad guys do, have been around for ages, too. More recently, canary tokens/files have gained popularity, named for the "canary in a coal mine." Like honeypots, these are lures that attract miscreants so defenders can see who might be stealing data and where the stolen data ends up.

Maybe it's a perspective thing. Or maybe it was intentional on George Lucas' part. Either way, to me, the first Star Wars movie, A New Hope, isn't what I think of as typical science fiction. It's one of my favorite hacker flicks.

May the Force be with you.

Friday, February 9, 2018

What's a Security Freeze and Why Should I Care?

In light of the billions (with a "B") of personally identifiable information records now leaked, dumped and being sold in the criminal underground, identity fraud is at an all-time high. These records contain information as innocuous as the email address and password you used on a website that got breached, or information as detailed as what was exposed by the accidental leak of the database containing all registered US voters.

I've talked about 2-factor authentication in a past blog post. This time, we'll take a deep dive into protecting the information criminals use to monetize leaked and stolen data: your credit reports.

What's a credit report? It's basically your financial life as recorded by debt and linked to your Social Security Number. A credit report contains your bill pay history (also known as credit history), your credit card issuers (past and present), your debt history (car loans, rent/mortgage holders past and present, and thus your past and current addresses), and all the other information that goes into the makeup of your credit score. Credit reporting agencies sell this information to insurers, employers (for background checks) and loan application evaluators (mortgage lenders, landlords, banks/personal loan issuers, etc.).

How do bad guys leverage credit reports? The most obvious way is identity theft - opening lines of credit, credit cards or other types of loans in your name. They get the credit card or money, you get the bills. Another form of fraud is the cobbled-together identity - one person's name, another's address, a third person's SSN, and so on. This makes it harder both to catch the fraud and to repair the damage to all victims' financial well-being.

In order to accomplish these forms of fraud, the credit issuers first run a credit check on the requestor (real or criminal). Thus, access to this information is critical. That's where a security freeze comes in. Also known as a credit freeze, it's a service that "locks" your credit report against credit/loan application access requests until you explicitly allow an agency to respond. This differs from fraud alerts, which are reactive and most often temporary. That is, you get alerted that someone accessed your credit report after the fact. A security freeze is prevention against fraudsters and thieves impersonating you, regardless of how much information they have to verify your identity. What they won't have is the secret to temporarily unlock the credit report. That secret is either a PIN or a password the credit agencies mail to you, and you supply it to the credit agency when you apply for new credit cards or loans, or submit to a background check. A handy tip I've learned is that you can specify which agency is to be queried when a credit check is needed. You don't have to unlock them all.

Security freezes are relatively easy to set up. The caveat is that you need to set a freeze at each of the credit reporting agencies: Experian, TransUnion and Equifax. Two smaller reporting outlets have emerged and those should be included: Innovis and ChexSystems. These two aren't as comprehensive in the overall services they provide but they can be inroads for criminals who can't get past freezes at the Big 3. All told, it takes roughly an hour out of your life to lock out the bad guys.

We're at the mercy of data brokers to protect our information. Security freezes offer peace of mind when they fall down on the job.

Friday, May 19, 2017

Shadow Brokers/NSA Malware Update - Haven't Patched? Do It Now.



The Shadow Brokers data dump is the gift that keeps on giving.

It wasn't just the victims and good guys who took notice of the unbridled spread of the WannaCry ransomware worm. The bad guys paid attention, too. And now more SMBv1-based attacks have been unleashed or are in active development.

If you have an older Windows machine and think you're out of luck, there's good news. Microsoft recently released updates for their outdated/unsupported operating systems going back to Windows XP. The updates are unusual because Microsoft makes it a practice to never update end-of-life operating systems and software. They prefer to spend development cycles on new products and those under their support contracts. This is a special case, though, as many of the devices infected by WannaCry and being targeted by the new malware include embedded operating systems (things like ATMs and point-of-sale systems) that *can't* be easily updated.

It's also worth noting that, according to NetMarketShare.com, Windows 10 is lagging behind its predecessors in terms of adoption. Windows 7 makes up nearly half (48.5%) of the operating systems in use today, while XP, Vista, 8 and 8.1 combine to make up over 16%. That's a whole lot of unpatched exposure.

For those with XP, Vista, 8, 8.1, Server 2003 or Server 2008, you can find standalone updates to protect against the SMBv1 exploits here:
http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598

For some reason Microsoft made the Windows 7 and Server 2008 R2 standalone updates separate from the above batch. You can find them here:
https://www.catalog.update.microsoft.com/Search.aspx?q=KB4012215

What are you still doing here? Go patch now!

Saturday, May 13, 2017

Basic Hygiene aka Security 101

What the heck happened on May 12? A super-evil technical genius released a ransomware worm that invaded systems around the world and made a gazillion dollars?

Nope.

A ransomware worm was, in fact, released in the wild. It did, in fact, cause mass chaos. This depicts the last 24 hours of infections worldwide (see MalwareTech for real-time stats):



The "evil genius" created this attack by using information released by Shadow Brokers a few weeks ago. As of this writing the miscreant has made a whopping $26K in Bitcoin. Meanwhile, the good guys are continuing to eradicate this mess through various truly genius means.

The real culprit in the exponential spread of this attack? You.

The worm (self-propagating code) leveraged a weakness in an outdated version of a Microsoft Windows feature known as Server Message Block, or SMB, to plant the ransomware and spread itself to the next machine. To grossly oversimplify, SMB is how Microsoft systems "talk" to each other. Microsoft released a patch for this vulnerability on its current products back in March.

The two important points in that last sentence: "current products" and "patched in March."

Microsoft is well known for its upgrade path. Some people like it, some people hate it. Microsoft wants their customers to update to their latest operating systems to make money, sure. But it's also to keep their customers safer. Their engineers and threat researchers constantly work to improve the security of their products. This is why they release monthly security updates. This is also why they offered a free upgrade to Windows 10 for so long.

One of the key factors in the rampant spread of this ransomworm (as some of my peers have dubbed it) is versions of Windows so old (XP, for instance) that Microsoft stopped supporting them years ago. This means no security updates have been released for these systems. And that means they are vulnerable to multiple attacks, including this one.

Which brings me to the second point. As stated above, the vulnerabilities that made this worm possible were patched in March. For those who do have current systems and left Windows Update enabled (the default), you probably just read about the hoopla and went on with your life. According to the latest statistics, at least 90,000 people didn't get the memo and have spent the last 24 hours really wishing they had.

This entire event highlights failures in basic computer hygiene. I thought it an opportune time to remind folks of the simple steps to reduce the likelihood of becoming a victim to this and other types of online attacks. This applies to ALL computer and mobile systems, not just Microsoft, by the way:
  • Keep your operating system and installed software current
  • Turn on automatic updates for your operating system (at a minimum) and software popular with bad guys (Adobe, Java, iTunes, etc.)
  • Back up regularly
  • Install antimalware and keep it updated
The last point may or may not have helped with the ransomworm, but it's still a good practice. And yes, Mac users, this means you, too. Last week also saw OS X take a direct hit from the Proton malware.

Prevention is so much easier than recovering lost time and, worse, lost data.