Tuesday, November 6, 2018

Coming Soon - My Crime Fiction Debut

I'm thrilled to announce my first publishing credit in crime fiction! It's sort of a double debut - my local chapter of Sisters In Crime is publishing their first-ever anthology, Fault Lines: Stories by Northern California Crime Writers, coming in March 2019.

Check out this killer lineup:


I wrote the short story, "SegFault," (geek shorthand for "segmentation fault," a computer error condition) to see how far I could make it in a blind submission process alongside the award winners and best sellers in the NorCal SinC chapter. It also gave me a fun way to challenge myself to write a cyber crime-themed short story, as opposed to the novel I'm currently polishing up. The word count restriction tested my ability to translate technical concepts into plain English while spinning a compelling yarn.

Watch this space for updates as the release for Fault Lines date draws nearer.


Wednesday, September 19, 2018

Let's Talk Blockchain!

You walk into a conference room. Co-workers pop open cans of LaCroix water. You brought your laptop, ready for the hard questions. An executive takes a seat at the head of the table. The topic of discussion gets under way. And then it happens. Someone uses the word "blockchain" in a way that makes zero sense and sounds like magic.


Blockchain isn't magic. It's math.

The current implementations of blockchain relate to cryptocurrency, like Bitcoin or Ethereum. So let's go with that as an easy way to describe the magic - er, math - of blockchain.

Generating cryptocurrency is like a gold mine. There's a mountain (the public ledger aka blockchain), and a bunch of gold nuggets (mathematical challenges) are buried in that mountain. Finding each nugget (solving the challenge) leads to finding more nuggets (moving on to the next challenge). But only up to a point. Because, like mines, cryptocurrencies are finite. Why? Blockchain.

Each step of the process of digging up the nuggets gets validated by a cryptographic algorithm, like an assessor who measures the size and weight of the gold nuggets you bring in after a long day of mining. No single assessor is given the power to validate all of the gold nuggets in the world. They group together and all have to agree, which is where the public ledger comes in. Each assessor shares their information by adding their "yup, it's gold and here's how much this nugget is worth" message on to one another's assessments that get logged in the ledger. The latest validation is added to the previous ones, forming a daisy chain of "yups." That chain links together all the available validations to prove you did, indeed, uncover a bunch of gold nuggets that the group of assessors agreed to validate.

Maybe "chainlink" didn't sound sexy enough. Instead, it's called "blockchain." Rather than simply issue a certificate of authenticity/value, which could be stolen or forged, the blockchain is made up of chunks of cryptographic algorithms that act as the authoritative "yup" to prove your mining efforts paid off. The act of mining cryptocurrency is known as...wait for it...cryptomining.

Cryptomining is like digging up all the gold nuggets from all the mountains. The value of cryptocurrencies is like any commodity. It's determined by how much people are willing to pay for it. Generating each "coin" is computationally expensive (translation: it takes a lot of horsepower) because the chain of algorithms is long and the math puzzles are intentionally hard to make sure the results are rare. The rarer the commodity, the higher its value. Blockchain accomplishes this by enforcing the difficulty by length and distribution of its structure. Thus, mining cryptocurrency is slow and methodical.

This is why bad guys have taken to hiding cryptomining scripts and programs on compromised systems. The more horsepower they can throw at mining operations by hijacking your computer, cell phone, TV, or other Internet-connected devices, the faster and more coins they can yield. The blockchains don't care who finds their associated coins (e.g. Bitcoin, Ethereum, Monero, etc.) or how, it only matters that they're found.

So, simply put, blockchains are distributed chunks of data that, when pieced together, validate information of value. Really, that's all. No magic required.


Thursday, May 17, 2018

Confessions of a Star Wars Fan

I have a confession to make. I'm not really a fan of science fiction. There are exceptions, of course. Star Wars: A New Hope jumps to the top of my list. I'm a HUGE fan. So are most of my peers in the cyber crime fighting world. Including those who, like me, may not be the biggest sci-fi fans. It occurs to me the exceptions – the sci-fi books and movies I enjoy – often have a hacker theme. Even Star Wars.

What? I hear you ask. Star Wars is a hacker movie?

Yes, yes it is.

Some parts are obvious. Like Princess Leia saying, in reference to the stolen Death Star plans, "I only hope that when the data's analyzed, a weakness can be found." That's classic reverse engineering.

There are other hacker-y scenes, too.

Luke triggering the hologram, for instance. It was meant for Obi Wan's eyes only but Luke accidentally made R2D2 play a snippet. In other words, he inadvertently exploited a vulnerability in the droid.

When Luke and Han pose as storm troopers with Chewbacca in handcuffs to trick their way into the detention area, that's an example of social engineering.

R2D2 plugging into the port to find Leia in the first, place, that's penetration testing. Once R2 has that digital foothold, the droid turns off the trash compactor. This is an example of lateral movement within a now-compromised network.

Obi Wan gets in on the vuln exploitation by finding and shutting down the tractor beam holding the Millennium Falcon. Sure, he does it manually, but, hey, it worked.

And when our heroes get away, Leia says, "They're tracking us." There are several ways that could be cross-referenced to cybersecurity. For years, content providers have used tracking pixels on web pages as a way to combat lookalike phishing pages. Honeypots have been around for ages, too, which are computers or virtual computers intended to be hacked so the good guys could watch and see what the bad guys do. More recently, canary tokens/files have gained popularity, named for "canary in a coal mine." Like honeypots, these are lures to attract miscreants to see who might be stealing data and where the stolen data ends up.

Maybe it's a perspective thing. Or maybe it was intentional on George Lucas' part. Either way, to me, the first Star Wars movie, A New Hope, isn't what I think of as typical science fiction. It's one of my favorite hacker flicks.

May the Force be with you.

Friday, February 9, 2018

What's a Security Freeze and Why Should I Care?

In light of the billions (with a "B") of personally identifiable information records now leaked, dumped and being sold in the criminal underground, identity fraud is at an all time high. These records contain information as innocuous as your email address and password used on a website that got breached, or highly detailed information about you exposed by the accidental leak of the database containing all registered US voters.

I've talked about 2-factor authentication in a past blog post. This time, we'll take a deep dive into protecting the information criminals use to monetize leaked and stolen data, your credit reports.

What's a credit report? It's basically your financial life as recorded by debt and linked to your Social Security Number. A credit report contains your bill pay history (also know as credit history), your credit card issuers (past and present), your debt history (car loans, rent/mortgage holders past and present thus your past and current addresses), all the information that goes into the makeup of your credit score. Credit reporting agencies sell this information to insurers, employers (for background checks) and loan application evaluators (mortgage lenders, landlords, banks/personal loan issuers, etc.).

How do bad guys leverage credit reports? The most obvious way is identity theft - opening lines of credit, credit cards or other types of loans in your name. They get the credit card or money, you get the bills. Other forms of fraud are cobbled together identities - one person's name, another's address, a third person's SSN, and so on. This makes it harder to both catch and repair the damage to all victims' financial well being.

In order to accomplish these forms of fraud the credit issuers first run a credit check of the requestor (real or criminal). Thus, access to this information is critical. That's where a security freeze comes in. Also known as a credit freeze, it's a service that "locks" your credit report against credit/loan application access requests until you explicitly allow an agency to respond. This differs from fraud alerts, which are reactive and most often temporary. That is, you get alerted that someone accessed your credit report after the fact. A security freeze is prevention against fraudsters and thieves impersonating you, regardless of the how much information they have to verify your identity. What they won't have is the secret to temporarily unlock the credit report. That secret is either a PIN or a password the credit agencies mail to you and that you need to supply to the credit agency when you apply for new credit cards, loans, or submit to a background check. A handy tip I've learned is you can specify the agency to be queried when a credit check is needed. You don't have to unlock them all.

Security freezes are relatively easy to set up. The caveat is that you need to set a freeze at each of the credit reporting agencies: Experian, TransUnion and Equifax. Two smaller reporting outlets have emerged and those should be included: Innovis and ChexSystems. These two aren't as comprehensive in the overall services they provide but they can be inroads for criminals who can't get past freezes at the Big 3. All told, it takes roughly an hour out of your life to lock out the bad guys.

We're at the mercy of data brokers to protect our information. Security freezes offer peace of mind when they fall down on the job.