Saturday, September 10, 2016

How Not To Do Security Research

Something came to my attention that’s a convenient follow-on to my previous post:



The overt message in this video is good. We should all be careful about how we handle our ATM, debit & credit cards. On the other hand, the power of the warning is lost on people like me who cringe at the behavior of the messenger. It’s hard enough for the good guys to navigate legal waters without people like this encouraging others to emulate their bad behavior.

Don’t get me wrong - I jiggle card readers at ATMs and gas stations all the time. Those are the top targets for the type of card skimmers depicted in this video. But that’s where the similarities between us end.

Mistakes this guy made:

- Removing the device without informed consent of the impacted financial institution and/or law enforcement, not ok. But wait, you say, it came off in his hand. However, he clearly had a cell phone. He could have stopped at that point and called the police, the bank or both. "Freeze the scene" is a fundamental in digital forensics.

- Walking away with evidence unlawfully collected, really not ok. Unless, of course, that walk is to the nearest police station or bank branch. Which it wasn't, we can surmise, as we listen to the next mistake...

- Intending to destroy evidence ("I'm gonna go see what I can do about reverse engineering this") without informed consent, egregiously not ok. Regardless of whether or not he did disassemble the reader, the whereabouts of that device between time of discovery to being turned over the to the police (see his first "Update" on the YouTube page) and what happened to it in the duration is undeniably called into question. It's no longer a viable piece of evidence in any court of law in the hands of a passable defense attorney.

What the creator of this video did by stomping all over the evidence of a crime ensured the bad guys got away it and victims will never see a dime in restitution. Most banks indemnify customers in this type of fraud to some extent. In the US, skimmer victims are typically liable only for the first $50 in losses. In the EU, where this video was reportedly shot, the victims would likely have been fully compensated.

I use this video now when interviewing job candidates. There’s more to threat research than technical skill. Critical thinking is just as important. Enthusiasm is great, obstruction of justice is a massive fail.


Saturday, August 20, 2016

So You Think You Can Cyber?

With a new school year looming, students ask themselves, "What do I want to do for a living?" Several summer interns at my day job and elsewhere have asked me about the information security field. The top question has been consistent which means it's time for a new blog post!

Why is cyber security such a hot field now?

It's a byproduct of accessibility of Internet connectivity and proliferation of connected devices. Twenty years ago, only the biggest companies and governments had the bandwidth, literally and figuratively. As ecommerce caught on, crime quickly followed. It started with the curious, the attention-seekers, and espionage. By the early 2000's, financially-motivated attackers emerged with the rise of online banking. Malware spread through email, attacking both corporations and consumers by impersonation (e.g. Zeus), while laws and defenses scrambled to catch up. Then came exploit kits which up-leveled the scale of attacks leading to an explosion of criminal activity. Skilled information security analysts, digital forensics investigators, and vulnerability analysts (pentesters) were in short supply. The technologies needed to combat the threats either didn't exist or came at high cost. "Information security" was a checkbox on audit reports for regulated industries and payment card processors that auditors themselves didn't fully understand or appreciate which meant they could be easily satisfied by incomplete or vague responses. While the industry struggled to define itself, the demand for highly skilled and experienced workers grew - too few people and too few products/services to fill a fast-growing field. The inevitable happened. Breaches became more common with increasing impact. Heartland and TJX proved to the criminals that they only needed to be right once while the defenders had to be diligent 100% of the time. Thus the odds were in favor of the bad guys. In the last 5 years, the number of significant breaches and huge dollar losses made its way into the mainstream press which brought cyber security issues into the common vernacular (at last).

As pointed out above, defenses need to be effective all the time, which requires a highly-skilled workforce with a depth of technical knowledge, problem-solving skills, legal awareness (particularly for incident responders and forensics specialists), and to continuously maintain the knowledge and skills. Add to the mix soft skills like grace under pressure, non-linear critical thinking, and, one that's often overlooked but absolutely essential, playing well with others. The attack surface grows constantly, crosses operating systems, devices, platforms, and programming languages while the threats constantly grow and shift, encompassing script kiddies, hacktivists, fraudsters, organized crime and nation state attackers. One need only look at a Target or Sony situation to understand the risk of taking shortcuts on security technologies and practitioners. There's no such thing as a "set and forget" security product or service - all security solutions require people who understand the threats and the technologies in order to maintain the products and services, which all require tuning to each organization's specific needs along with constant care and feeding to maintain effective vigilance. To stay on top of this ever-growing, ever-shifting landscape, we need a steady flow of new talent coming into the field, and there's just not enough of them. Meanwhile, experienced practitioners are hopping around from company to company because we're being chased by staffing recruiters dangling big paychecks literally every day. There's also a high degree of burnout because of the stress. So, it's basically a matter of supply and demand. There just aren't enough workers to fill the more than 1 million job openings (see http://www.forbes.com/sites/stevemorgan/2016/01/02/one-million-cybersecurity-job-openings-in-2016/#63aa9ec37d27). Folks in the industry are trying to change this through outreach at all levels of learning, from grade school-level up to advanced degree programs.

So, do you think you can cyber?

Saturday, April 9, 2016

Tourist's Guide to the Dark Web

I've gotten the same question from multiple people lately, which means it's time for a blog post. The question: What exactly is the 'Dark Web'?

First, let's clear up the language. There's "deep web," "dark net," and "dark web." These are not synonyms.

The "deep web" is any website that's not indexed/searchable on what we know and love as the Internet. Your online bank account or Yahoo/Gmail/Live/etc. email are examples of this. Basically, if you need to authenticate to reach content (log in with a username and password or passcode), you're accessing the deep web.

A "dark net," the term most often mistakenly used as a euphemism for "dark web," is unused IP space within an allocated range. It can also mean undiscoverable/masked IP space, such as virtual private networks (VPNs). Prior to the existence of the dark web, VPN nesting (using multiple virtual services to connect) was a popular method for those wishing to make their online trail difficult to follow.

The "dark web" is the mysterious sub-Internet underground society filled with shadowy figures who are anti-censorship or conducting nefarious activity.

Understanding the Internet's underbelly requires a brief overview of the Internet itself. Typically, a web browser is the means by which most of us connect to websites (I know, I know, there's curl, wget, and such; that's a different discussion). Web browsers dictate the user experience governing your connection. You can customize them to block ads, enforce SSL encryption (on websites that support it), add or remove domain and IP block lists, and on and on, or you can simply launch the browser, as is, and you're off and running. Meanwhile, your service provider, such as your home ISP, or your network admins at your office have ultimate control over how Firefox, Safari, Internet Explorer, Edge, Chrome, etc. access and interact with web and mobile sites. While some of the places we visit are members-only (see deep web), everyone can freely access the multitude of public web pages.

Well, not everyone. Which leads us to the "dark web."

The dark web was originally intended as a literal and figurative tunnel bored through the open web to enable unfettered Internet access for political dissidents, journalists, and others concerned about online privacy and censorship. Access is gained by one of several special web browsers that circumvent website tracking and traffic-control technologies while hiding their originating IP address to avoid being identified. Tor and i2P are examples of these browsers while the Great Firewall of China is an example of a reason they exist. The dark web very quickly attracted other types of people wishing to remain anonymous and/or hide their activity, namely criminals. Forums and markets appeared offering everything from street drugs, tutorials on cashing out ill-gotten gains, buying & selling weapons, hackers-for-hire....you get the idea.

The dark web is like any other community in real life or on the Internet. It has its nice side, where privacy-minded folks just want to do what they do without their activity being impeded or tracked. And it has its creepy neighborhoods, places you might think twice about visiting. I know the pull of curiosity is strong and anonymity can be empowering. Just remember that what you see can't be unseen. Disturbing content can stay with you, whether you like it or not. Consider yourself warned.

So how does the dark web work? It's sort of like a peer-to-peer network where the data sent from the browser gets broken up and distributed across multiple server relays ("nodes") operated by volunteers and through which traffic gets randomized. For optimization, a single session lasting a few minutes will follow the same route. Longer sessions or subsequent sessions will get re-routed to make tracking more difficult.

If you visit, enjoy your stay and try to avoid getting hurt or hurting others. The takedown and arrest of the operator of one of the dark web's largest drug markets, Silk Road, should serve as a reminder that, at the end of the day, we're all human. Humans make mistakes and that's how they get caught.


Tuesday, January 19, 2016

Open Season on ID Theft

It's that time of year again, tax time for the US and UK. Scammers keep track of the dates, too, and they've rolled out their 2015 tax year-themed malware and identity theft campaigns.

So how do they trick victims? The most common method is phishing. Here's an example making the rounds:


Clicking on the link takes the victim to a page that looks similar to this:


There are several hints that neither the email above nor the purported IRS page are legitimate. First and foremost, according to the IRS, they won't "initiate contact with taxpayers by email, text messages or social media channels to request personal or financial information. This includes requests for PIN numbers, passwords or similar access information for credit cards, banks or other financial accounts."

Next, take a closer look at the URL:


Notice the domain name, "executiva.net." It should be obvious that the IRS web pages are all hosted on irs.gov.

Another clue in the URL is something we see often in phishing pages, the presence of multiple top level domains (TLDs). In this case, we see both ".com" and ".net." Without going too far into the technical weeds, a domain's TLD is the root of its home on the Internet where browsers or other Internet-connected devices can find it. While a domain can be registered with multiple TLDs,- such domain.com, domain.net, domain.org, etc. - each will reside on separate websites in order to route properly with each root TLD serving as a guide. There can be only one at a time.

So what can you do to protect yourself this (and every) tax season?

1) As mentioned in previous posts, I'm a fan of security freezes. It can be a hassle but a one-hour investment of your time buys you a lifetime of peace of mind.

2) Never click on links in emails. Period. Too many online companies have trained us all to click but it's safer to type in the web address yourself to ensure that you land where you expect to land.

3) Hover your mouse over hyperlinks in email. In all browsers that I can think of, this reveals the full and true address associated with the link. In phishing emails, you'll notice mismatches between what you expect to see and the real address.

4) Report phishing attempts to the IRS. They have great information and guidance, along with appropriate reporting email addresses, here: https://www.irs.gov/uac/Report-Phishing