Saturday, August 20, 2016

So You Think You Can Cyber?

With a new school year looming, students ask themselves, "What do I want to do for a living?" Several summer interns at my day job and elsewhere have asked me about the information security field. The top question has been consistent, which means it's time for a new blog post!

Why is cyber security such a hot field now?

It's a byproduct of the accessibility of Internet connectivity and the proliferation of connected devices. Twenty years ago, only the biggest companies and governments had the bandwidth, literally and figuratively. As ecommerce caught on, crime quickly followed. It started with the curious, the attention-seekers, and espionage. By the early 2000s, financially-motivated attackers emerged with the rise of online banking. Malware spread through email, attacking both corporations and consumers by impersonation (e.g. Zeus), while laws and defenses scrambled to catch up. Then came exploit kits, which up-leveled the scale of attacks, leading to an explosion of criminal activity. Skilled information security analysts, digital forensics investigators, and vulnerability analysts (pentesters) were in short supply. The technologies needed to combat the threats either didn't exist or came at high cost. "Information security" was a checkbox on audit reports for regulated industries and payment card processors that auditors themselves didn't fully understand or appreciate, which meant they could be easily satisfied by incomplete or vague responses. While the industry struggled to define itself, the demand for highly skilled and experienced workers grew - too few people and too few products/services to fill a fast-growing field. The inevitable happened. Breaches became more common with increasing impact. Heartland and TJX proved to the criminals that they only needed to be right once while the defenders had to be diligent 100% of the time. Thus the odds were in favor of the bad guys. In the last 5 years, the number of significant breaches and huge dollar losses made its way into the mainstream press, which brought cyber security issues into the common vernacular (at last).

As pointed out above, defenses need to be effective all the time, which requires a highly-skilled workforce with a depth of technical knowledge, problem-solving skills, legal awareness (particularly for incident responders and forensics specialists), and the discipline to continuously maintain that knowledge and those skills. Add to the mix soft skills like grace under pressure, non-linear critical thinking, and, one that's often overlooked but absolutely essential, playing well with others. The attack surface grows constantly and crosses operating systems, devices, platforms, and programming languages, while the threats constantly grow and shift, encompassing script kiddies, hacktivists, fraudsters, organized crime and nation state attackers. One need only look at a Target or Sony situation to understand the risk of taking shortcuts on security technologies and practitioners. There's no such thing as a "set and forget" security product or service - all security solutions require people who understand the threats and the technologies in order to maintain the products and services, which all require tuning to each organization's specific needs along with constant care and feeding to maintain effective vigilance. To stay on top of this ever-growing, ever-shifting landscape, we need a steady flow of new talent coming into the field, and there just aren't enough of them. Meanwhile, experienced practitioners are hopping around from company to company because we're being chased by staffing recruiters dangling big paychecks literally every day. There's also a high degree of burnout because of the stress. So, it's basically a matter of supply and demand. There just aren't enough workers to fill the more than 1 million job openings (see http://www.forbes.com/sites/stevemorgan/2016/01/02/one-million-cybersecurity-job-openings-in-2016/#63aa9ec37d27). Folks in the industry are trying to change this through outreach at all levels of learning, from grade school-level up to advanced degree programs.

So, do you think you can cyber?

Saturday, April 9, 2016

Tourist's Guide to the Dark Web

I've gotten the same question from multiple people lately, which means it's time for a blog post. The question: What exactly is the 'Dark Web'?

First, let's clear up the language. There's "deep web," "dark net," and "dark web." These are not synonyms.

The "deep web" is any website that's not indexed/searchable on what we know and love as the Internet. Your online bank account or Yahoo/Gmail/Live/etc. email are examples of this. Basically, if you need to authenticate to reach content (log in with a username and password or passcode), you're accessing the deep web.

A "dark net," the term most often mistakenly used as a euphemism for "dark web," is unused IP space within an allocated range. It can also mean undiscoverable/masked IP space, such as virtual private networks (VPNs). Prior to the existence of the dark web, VPN nesting (using multiple virtual services to connect) was a popular method for those wishing to make their online trail difficult to follow.

The "dark web" is the mysterious sub-Internet underground society filled with shadowy figures who are anti-censorship or conducting nefarious activity.

Understanding the Internet's underbelly requires a brief overview of the Internet itself. Typically, a web browser is the means by which most of us connect to websites (I know, I know, there's curl, wget, and such; that's a different discussion). Web browsers dictate the user experience governing your connection. You can customize them to block ads, enforce SSL encryption (on websites that support it), add or remove domain and IP block lists, and on and on, or you can simply launch the browser, as is, and you're off and running. Meanwhile, your service provider, such as your home ISP, or your network admins at your office have ultimate control over how Firefox, Safari, Internet Explorer, Edge, Chrome, etc. access and interact with web and mobile sites. While some of the places we visit are members-only (see deep web), everyone can freely access the multitude of public web pages.

Well, not everyone. Which leads us to the "dark web."

The dark web was originally intended as a literal and figurative tunnel bored through the open web to enable unfettered Internet access for political dissidents, journalists, and others concerned about online privacy and censorship. Access is gained by one of several special web browsers that circumvent website tracking and traffic-control technologies while hiding their originating IP address to avoid being identified. Tor and I2P are examples of these browsers while the Great Firewall of China is an example of a reason they exist. The dark web very quickly attracted other types of people wishing to remain anonymous and/or hide their activity, namely criminals. Forums and markets appeared offering everything from street drugs, tutorials on cashing out ill-gotten gains, buying & selling weapons, hackers-for-hire... you get the idea.

The dark web is like any other community in real life or on the Internet. It has its nice side, where privacy-minded folks just want to do what they do without their activity being impeded or tracked. And it has its creepy neighborhoods, places you might think twice about visiting. I know the pull of curiosity is strong and anonymity can be empowering. Just remember that what you see can't be unseen. Disturbing content can stay with you, whether you like it or not. Consider yourself warned.

So how does the dark web work? It's sort of like a peer-to-peer network where the data sent from the browser gets broken up and distributed across multiple server relays ("nodes") operated by volunteers and through which traffic gets randomized. For optimization, a single session lasting a few minutes will follow the same route. Longer sessions or subsequent sessions will get re-routed to make tracking more difficult.
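To make the relay description above concrete, here is an added toy model (not code from the original post) of a three-hop relay chain in which each relay can peel only its own layer, so it learns the previous and next hop but never both the sender and the content. The "cipher" is a SHA-256 keystream XOR standing in for a real one, and the relay names and keys are constructed sample values.

```python
import hashlib
import json

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric stream cipher: XOR with SHA-256(key || block counter).
    Applying it twice with the same key restores the input."""
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def build_onion(circuit, destination: str, payload: str) -> bytes:
    """Client side: wrap the message once per relay, innermost for the exit.
    circuit is a list of (relay_name, key_shared_with_that_relay)."""
    # Innermost layer: only the exit relay learns the destination and the body.
    data = json.dumps({"next": destination, "body": payload}).encode()
    for i in range(len(circuit) - 1, -1, -1):
        name, key = circuit[i]
        data = keystream_xor(key, data)
        if i > 0:
            # The relay before `name` only needs to know where to forward the blob.
            data = json.dumps({"next": name, "blob": data.hex()}).encode()
    return data

def relay_peel(key: bytes, data: bytes):
    """One relay's view: peel its own layer and return (next_hop, inner_blob, body).
    A middle relay gets an opaque blob to forward; only the exit gets the body."""
    layer = json.loads(keystream_xor(key, data))
    if "blob" in layer:
        return layer["next"], bytes.fromhex(layer["blob"]), None
    return layer["next"], None, layer["body"]

def run_circuit(circuit, destination: str, payload: str):
    """Simulate the hops and record what each relay could observe."""
    data = build_onion(circuit, destination, payload)
    views, prev = [], "client"
    next_hop = body = None
    for name, key in circuit:
        next_hop, inner, body = relay_peel(key, data)
        views.append({"relay": name, "from": prev, "to": next_hop,
                      "sees_body": body is not None})
        prev, data = name, inner
    return views, (next_hop, body)

# Constructed sample circuit: three volunteer relays and the keys the client
# shares with each (a real system would derive these with a key exchange).
CIRCUIT = [("guard", b"key-guard"), ("middle", b"key-middle"), ("exit", b"key-exit")]

if __name__ == "__main__":
    views, delivered = run_circuit(CIRCUIT, "example.org", "hello from the client")
    for v in views:
        print(v)  # each relay knows only its neighbours; only the exit sees the body
    print("delivered:", delivered)
```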

If you visit, enjoy your stay and try to avoid getting hurt or hurting others. The takedown and arrest of the operator of one of the dark web's largest drug markets, Silk Road, should serve as a reminder that, at the end of the day, we're all human. Humans make mistakes and that's how they get caught.


Tuesday, January 19, 2016

Open Season on ID Theft

It's that time of year again, tax time for the US and UK. Scammers keep track of the dates, too, and they've rolled out their 2015 tax year-themed malware and identity theft campaigns.

So how do they trick victims? The most common method is phishing. Here's an example making the rounds:


Clicking on the link takes the victim to a page that looks similar to this:


There are several hints that neither the email above nor the purported IRS page are legitimate. First and foremost, according to the IRS, they won't "initiate contact with taxpayers by email, text messages or social media channels to request personal or financial information. This includes requests for PIN numbers, passwords or similar access information for credit cards, banks or other financial accounts."

Next, take a closer look at the URL:


Notice the domain name, "executiva.net." It should be obvious that the IRS web pages are all hosted on irs.gov.

Another clue in the URL is something we see often in phishing pages, the presence of multiple top level domains (TLDs). In this case, we see both ".com" and ".net." Without going too far into the technical weeds, a domain's TLD is the root of its home on the Internet where browsers or other Internet-connected devices can find it. While a domain can be registered with multiple TLDs - such as domain.com, domain.net, domain.org, etc. - each will reside on a separate website in order to route properly, with each root TLD serving as a guide. There can be only one at a time.

So what can you do to protect yourself this (and every) tax season?

1) As mentioned in previous posts, I'm a fan of security freezes. It can be a hassle but a one-hour investment of your time buys you a lifetime of peace of mind.

2) Never click on links in emails. Period. Too many online companies have trained us all to click but it's safer to type in the web address yourself to ensure that you land where you expect to land.

3) Hover your mouse over hyperlinks in email. In all browsers that I can think of, this reveals the full and true address associated with the link. In phishing emails, you'll notice mismatches between what you expect to see and the real address.

4) Report phishing attempts to the IRS. They have great information and guidance, along with appropriate reporting email addresses, here: https://www.irs.gov/uac/Report-Phishing
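As an added example (not from the original post), the two URL clues above, the real domain versus irs.gov and TLD-looking labels embedded elsewhere in the address, plus the hover check from step 3, written as a small Python checker. The sample URLs are constructed; PHISH_URL uses a placeholder host rather than the page's real one, and the two-label domain rule is this example's simplification.

```python
from urllib.parse import urlparse

# The domain the page claims to belong to (from the post: IRS pages live on irs.gov).
EXPECTED_DOMAIN = "irs.gov"
# TLD-looking labels that phishers embed in hostnames or paths to look familiar.
TLD_TOKENS = {"com", "net", "org", "gov", "edu"}

def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Assumption: a production checker would
    consult the Public Suffix List (co.uk etc.); two labels suffice here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def analyze_url(url: str) -> list:
    """Return the URL-level clues described in the post, empty if none."""
    findings = []
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    if not host:
        return ["no hostname in URL"]
    domain = registrable_domain(host)
    if domain != EXPECTED_DOMAIN:
        findings.append(f"domain is {domain}, not {EXPECTED_DOMAIN}")
    # Any TLD-looking label other than the real TLD (the host's last label),
    # whether in the hostname or in the path, is a second "TLD" in disguise.
    path_labels = [t for seg in parts.path.lower().split("/") for t in seg.split(".")]
    embedded = [t for t in host.split(".")[:-1] + path_labels if t in TLD_TOKENS]
    if embedded:
        findings.append("TLD-looking labels outside the real TLD: " + ", ".join(embedded))
    return findings

def analyze_link(display_text: str, href: str) -> list:
    """The hover check: compare what the link text shows with where the href goes."""
    findings = analyze_url(href)
    text = display_text.strip()
    # Only treat the visible text as an address if it looks like one.
    if "." in text and " " not in text:
        shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
        real = urlparse(href).hostname or ""
        if registrable_domain(shown) != registrable_domain(real):
            findings.append(f"link text shows {shown} but href goes to {real}")
    return findings

# Constructed samples. PHISH_URL uses a placeholder host standing in for the
# kind of hostname the post describes; LEGIT_URL is the IRS reporting page.
PHISH_URL = "http://www.irs.gov.com.phish-example.net/refund/login"
LEGIT_URL = "https://www.irs.gov/uac/Report-Phishing"

if __name__ == "__main__":
    for text, href in [("https://www.irs.gov/refund", PHISH_URL),
                       ("Click here to check your refund", PHISH_URL),
                       ("www.irs.gov", LEGIT_URL)]:
        print(f"{text!r} -> {href}: {analyze_link(text, href) or 'no clues found'}")
```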


Tuesday, December 1, 2015

Keep Your Spirits Bright


The holiday season is upon us, the time of year when we defy our normal spending and travel patterns. A bicyclist in Los Angeles hops on a plane to visit friends in Omaha where they spot a great deal on a putter that they ship to their favorite uncle in Texas. A Memphis lawyer spends Cyber Monday hunting for the best deals on imported wine for pickup in an NYC shop for their former college roommate. Best friends head to Las Vegas for a break from the early Colorado winter.

Why are these activities important? Because banks and credit card processors use automated fraud detection systems that "learn" our normal spending habits and locations then raise alerts on anomalous behaviors. The bad guys look forward to this time of year as much as kids await the season's first snow day. Fraudsters can count on consumers breaking their own models which may slow down these anti-fraud detections, giving criminals more time and flexibility for identity theft.

Some banks are better at detection than others, of course. But the onus isn't completely on them. There are simple steps you can take to protect yourself.

First and foremost, everyone should have a security freeze on their credit. Sometimes called a "credit freeze," this requires your direct participation to grant explicit access to your credit report in any request for information or application against your social security number. It's a bit of a pain to implement because you need to contact all of the "big 3" credit reporting agencies - Experian, Equifax and TransUnion - but the hour or so out of your life is worth the peace of mind knowing that fraudsters can't open new accounts in your name. You can learn more about security freezes at the FTC website here: http://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs

There are other steps you can take to keep the criminal Grinches at bay. Check your bank and credit card activity online more closely during the holidays, at least once a week. And while you're there, enable two-factor authentication ("2FA"), sometimes called "advanced access" or "identification code." This is a huge step in preventing bad guys from brute-forcing and/or phishing your login credentials. You can read more about that topic in my previous post, "What's In a (Pass)word?" Since that post was first published, more online services offer 2FA including banks, email providers and social networks.

With these few precautions, you can spend less time worrying about identity theft, or, worse, cleaning up the aftermath of fraud, and spend more time with loved ones. Happy holidays!

Friday, September 25, 2015

One Woman's Perspective



The topic of women in technology has come up a lot this year. I have never wanted to be included in any group, team, or job simply because my gender meets some diversity quota. I have always expected (and sometimes demanded) to be recognized for my unique skills and talent. What sets me apart, and I've noticed a similar trait among the other women in cyber crime fighting circles, is that I'm not just competent but also confident. I can only speak from my own experience but that confidence started with my parents. They told me - and showed me - that I could be or do anything and I believed them.

My mother led by example, breaking barriers as the first female stadium announcer in the US; she was the voice of the Reno Silver Sox, a now-defunct minor league baseball team. When we left Reno she worked as a temp in our new home town and soon rose to the executive level at that agency. In my house, gender inequity was something we saw on TV that my parents had a heck of a time explaining to me.

As a little girl I broke things to figure out how they worked then I put them back together. Sometimes I made them work better than they were before or added capabilities. I started with radios and telephones, graduated to televisions and small appliances, and, ultimately, found my way to computers and software.

So, what did my parents do during my auspicious early years? My dad gave me a corner of his workshop and some basic safety instructions then turned me loose. He took me to Radio Shack to spend my allowance on electronic components when I wanted to build things from scratch just to see if I could. He gave me old junk that hadn't worked for years so I could tinker or cannibalize the parts for other projects. I have a brother who showed similar interests. My dad treated us exactly the same.

That's where the magic happened and that's where I think we can all effect real change - if you have a daughter, feed her curiosity, encourage her enthusiasm and give her the confidence to follow her passions. If you don't have a daughter, it's a safe bet you know someone who's a parent of a daughter, whether they're your friends, your cousins, your in-laws, whatever.

Accomplishments take perseverance and perseverance requires a "damn the torpedoes" attitude which comes from within, not from someone saying "we need more <insert your underrepresented group here>." I believe I can accomplish any goal because I don't stop until I do and I now have a track record to prove it. That's the challenge I throw down in front of each of you, and will continue to tackle myself. Mentor girls. Inspire girls. Encourage girls. Be among the people they remember who gave them the confidence to keep going.

Sunday, April 5, 2015

What's In A (Pass)Word?

Prevailing wisdom among information security practitioners is that passwords are outdated as a secure means of authentication. However, until a better way achieves wide adoption they are a fact of online life.

Password Harvesting

So how do the bad guys get your password in the first place? There are lots of ways:

  • Sites like LeakedIn and Pastebin are popular locations for "dumps," collections of usernames or email addresses and associated passwords found by good guys, disclosed by rival bad guys, or posted as proof of an attacker's l337ness.
  • Spammers buy or trade validated credential dumps in underground forums, lists of usernames/email addresses with passwords that they've proven to be active by running them through automated account checking programs to log into the account at least once.
  • Credential-harvesting malware, like keystroke loggers and web form injections, which collects usernames and passwords typed into browsers on victim computers and sends them to a central collection point under the attacker's control.
  • Phishing emails that entice victims to log in to replica, or "spoofed," websites that look exactly like popular online banking and email sign-in pages.
  • Brute force attacks against websites built on popular free platforms, like WordPress and Joomla, or Internet-facing databases using automated scanning and exploit tools.

All of the attack tools are incredibly easy to find and so are credential dumps.


3 Basic Rules

The best defense is a good offense. It's trite but true. Let's start with the basics. Good password hygiene consists of 3 factors: complexity, length, and uniqueness.

A complex password is one that consists of upper and lower case letters, numbers, and special characters. The purpose of complexity is to defeat password crackers, automated programs that compare encrypted or hashed passwords against word lists. This is euphemistically known as a "dictionary attack" for a good reason. Password crackers run comparisons against plain language word lists and obvious variations. The more recognizable the password, the faster it can be cracked. For example, poppy123 is revealed in milliseconds, while pO9Py!@# can take hours or days, depending on the password-cracking program.

Just as important is password length. To grossly oversimplify the description of the computational process, password crackers "recognize" each character of a password, one by one. Therefore, the longer the password, the harder you force the cracker to work. It's kind of like the joke about outrunning an angry bear - you don't need to have the longest password, you just need to have one that's longer than the next guy's. Miscreants who crack passwords are typically going for quantity. They stop cracking when they've decrypted a victim list long enough to be worth their while, financially speaking. The harder password hashes get tossed out or recycled into credential lists they'll later sell or trade themselves for someone else to have a whack at them.

The single most important hygiene factor is uniqueness. This means that every time you register for an online account or change an existing password, you create a password that you don't use anywhere else. In other words, your email password is different from your Facebook password that's different from your Twitter password, banking password, and so on. Obviously, this means we have to keep track of an awful lot of passwords. There are several schools of thought on how best to do this. There are apps called password lockers that let you store all of your passwords and associations in a single place on your computer or smart phone. There's also good, old fashioned pencil and paper - writing down this information in a notebook. Some people I know use "forgot your password" as their preferred method, using this feature on websites to change their password every time they log in, subscribing to the above concepts with zeal because they're not worried about remembering it. Each password management method has its pluses and minuses. The right way is the one that works for you.
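As an added example (not from the original post), the three hygiene factors above turned into a small Python checker: it counts character classes for complexity, estimates the brute-force search space from length, reverses a cracker's usual mangling rules (trailing digits, leet substitutions) to catch dictionary variants like poppy123, and flags reuse against a list of your other passwords. The word list, the leet table and the 12-character floor are this example's constructed assumptions.

```python
import math
import re
import string

# Constructed sample word list; real crackers use lists with millions of entries.
WORD_LIST = {"poppy", "password", "welcome", "dragon", "letmein", "monkey"}
# Common "leet" substitutions, undone so that p@ssw0rd still matches "password".
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
                      "@": "a", "$": "s"})
CLASS_SIZE = {"lower": 26, "upper": 26, "digit": 10, "symbol": len(string.punctuation)}
EDGE = r"[\d" + re.escape(string.punctuation) + r"]+"   # digits/symbols at either end

def char_classes(pw: str) -> dict:
    """Complexity: which of the four character classes the password uses."""
    return {
        "lower": any(c.islower() for c in pw),
        "upper": any(c.isupper() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "symbol": any(c in string.punctuation for c in pw),
    }

def keyspace_bits(pw: str) -> float:
    """Length: brute-force search space in bits, len * log2(alphabet actually used)."""
    alphabet = sum(CLASS_SIZE[k] for k, used in char_classes(pw).items() if used)
    return len(pw) * math.log2(alphabet) if alphabet else 0.0

def dictionary_base(pw: str):
    """Run a cracker's typical mangling rules in reverse: strip digits and symbols
    from both ends, lowercase, undo leet. Returns the matched word or None."""
    core = re.sub(EDGE + "$", "", pw)
    core = re.sub("^" + EDGE, "", core)
    base = core.lower().translate(LEET)
    return base if base in WORD_LIST else None

def assess(pw: str, other_passwords=()) -> dict:
    """Score one password on complexity, length, dictionary exposure and uniqueness.
    The 12-character floor is this example's assumption; the post gives no number."""
    classes = char_classes(pw)
    problems = []
    if sum(classes.values()) < 3:
        problems.append(f"complexity: only {sum(classes.values())} of 4 character classes")
    if len(pw) < 12:
        problems.append(f"length: {len(pw)} characters")
    word = dictionary_base(pw)
    if word:
        problems.append(f"dictionary: variant of '{word}'")
    if pw in other_passwords:
        problems.append("uniqueness: reused")
    return {"bits": round(keyspace_bits(pw), 1), "problems": problems}

if __name__ == "__main__":
    for candidate in ("poppy123", "pO9Py!@#", "P@ssw0rd2015!", "correct-horse-battery"):
        print(candidate, assess(candidate))
```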


Additional Protections

But, wait, you're saying. What about that credential-stealing malware and phishing mentioned earlier? All the clever strategies in the world won't help if you hand your password to the bad guys in these cases. And you're right. This is where two-factor authentication and keystroke scrambling come in.

Two-factor authentication, also known as 2FA, is where you not only need a password but another piece of code to prove that you are who you say you are. Examples of this are cryptographic tokens, like chip-and-pin cards or USB dongles, and SMS text codes, a unique identifier sent to your cell phone that you type into a website to complete the login process. The former can't be easily replicated by miscreants, while the latter can be captured by keystroke loggers but the data is nearly worthless because it's only good for a very limited time. If you notice my equivocation, this is intentional. No 2FA method is 100% hack proof but, again, the harder the challenge the more likely the bad guys will go after easier targets and away from you.

Keystroke scramblers are anti-keystroke loggers, programs that turn your typing into random characters when collected by malware and phishing sites, while sending the real information to the website you're logging into. Keystroke scramblers do this by encrypting each action of the keyboard at the driver or operating system kernel level and verifying the recipient website. Again, this technology isn't 100% guaranteed to keep your passwords out of the hands of the bad guys but it certainly makes your information a less desirable target by wasting their time.

Will passwords be replaced with stronger authentication mechanisms some day? A lot of smart people are working towards this very goal. Until a solution is ubiquitous, these tips should help you stay safer online.

Tuesday, March 12, 2013

Reminiscing

I love my day job. It can be a lot of fun. I used to say that one of the reasons I enjoyed my work is that no lives were at stake. It wasn't like I worked for a hospital or the military. Then I saw a call for help in a computer security forum. Life has a funny way of making a point.

Back in the olden days of 2007 computer forensics practitioners like me were discouraged from working at the defense table in a courtroom. One of the best known industry groups at the time flat-out rejected the application of anyone who had ever worked against a plaintiff or prosecution in any jurisdiction. Thus, when I saw a plea by Alex Eckelberry, a respected name in security circles, I knew he faced an uphill battle in his quest. I jumped at the opportunity to right not only the wrong that Alex set out to fight, but also what I felt to be a breathtakingly misplaced bias among industry peers. Scratch that. I didn't "feel" it, I knew. I came to technology from a litigation background. I worked almost exclusively for defense attorneys and I knew what evil lurked in the hearts of men and hard drives. As I advanced through the digital forensics field, a few among us talked about the day when computer evidence wrongly interpreted would send an innocent person to jail. The State of Connecticut vs. Julie Amero proved us prescient.

Julie Amero was a substitute teacher who had been convicted in a 6-day trial and faced 40 years in prison for multiple counts of impairing the morals of a minor. How did she allegedly accomplish this fiendish feat? Porn-related pop-ups on a classroom computer.

In January 2007, Alex helmed an anti-malware company and read about the case in a newspaper. That was how most people got their news back in those days. He knew, without even knowing the details, that such a porn storm was the hallmark of certain families of malicious programs. These programs almost never got onto a computer with users' knowledge, much less intention. The sentencing was to take place in March so Alex put out the call. He needed people who could help him free her. Fast.

If anyone asked, I would tell them we worked on the case for almost a year. Going back through my notes and email it turns out that it all happened in a little over two months. The team was assembled in February, the evidence analyzed, the sequence of events recreated and presented in a summary document to the Connecticut State Attorney in March. None of us were paid. That was never the point. Someone's life was at stake. Hell, one life had already been lost - Julie had been pregnant when she was arrested. The emotional strain took a physical toll and she lost the baby. Our team did our damnedest to free her from further suffering at the hands of amateurs and the uninformed.

We won. Sort of. The original conviction got vacated but the AG had political aspirations. He pushed for a new trial. Julie's health continued to be pummeled, along with her reputation, throughout her ordeal. She eventually copped a misdemeanor plea to end it. You can read the forensic team's report here. Alex blogged about the case here; this post links back to many others. You can see the Good Morning America post script here.

So, yeah, I love my job. I change lives. Once in a while, I'm honored to save one.