Tuesday, November 17, 2015

Speaking at IASA eSummit on "Deception in Depth"

Tomorrow I'll be speaking at the IASA Cyber Security eSummit on the topic of "Deception in Depth". The talk will be based on the following:

"Deception has a legitimate use in all types of defense. It's been used successfully for hundreds of years, so why stop now? The bad guys use deception to infiltrate your network, so why not use it against them? In this presentation we'll review what deception is and how we can use it to our advantage."

You can register to hear the talk live at the following link: http://iasaglobal.org/monthly-esummit/. There are some interesting presentations going on tomorrow and it would be great to hear any feedback. If you can't make it, the presentation and talk will be recorded and available for download later on.

Tuesday, November 10, 2015

The Unintended Consequences of EMV (Pin and Chip) or The Water Balloon Effect

As of October 1st, 2015, under the card networks' liability shift, merchants in the United States can be held liable for counterfeit-card fraud occurring at their PoS if they haven't rolled out EMV (aka chip-and-PIN) terminals. If you're like most people, you've probably received a new debit/credit card in the mail that can be used at any EMV PoS at your favorite retail store. In my opinion this was a long time coming and I'm glad the push was made to get these systems rolled out to retailers. Just like anything else, this doesn't completely protect people, but it's head and shoulders above what we had in the past. My concern, though, is that we'll see adverse effects in other areas of the industry as a direct consequence of securing a heavily targeted area.

Let me use the analogy of a water balloon for a moment. The water balloon can take on multiple oblong shapes depending on what area of the balloon is squeezed. If you pinch one area of the balloon, the water is pushed to another section, filling it in and changing the shape. If you release the section you're applying pressure to, the water refills the areas that were previously closed off, changing the shape again. At this point you're probably wondering what EMV, cyber security and water balloons have in common, so let me try to make this clearer. The water balloon shows that if something is blocked, or not allowed to flow, it is displaced to another part of the balloon; the fluid in the balloon is never eliminated. The same holds for EMV chip-and-PIN cards and cyber theft. Attackers are going to come after you, they're not going to stop, and if they're having trouble compromising the new PoS systems, they'll attack elsewhere. Remember, they're opportunistic. Whatever gives them the most bang for their buck is where they'll focus their energy. They're not going to disappear.

With that said, if we eliminate a very juicy and common target for attackers to feast on, what will they do? Will they invest money into breaking EMV systems? Maybe. Will they attack retailers that haven't deployed EMV PoS in their network? Most likely. Will they broaden their horizons to untapped areas to keep making money? Definitely. Think about that for a minute. Fixing an issue that people have been calling to fix for years could cause other sectors, or other areas of the industry, to come under attack. That's what I'm calling the "water balloon effect": the unintended consequence of directing malicious attention elsewhere by remediating a highly targeted area. There are many other sectors and areas of attack that we've seen grow over the past year (mobile malware, healthcare hacks, CryptoLocker, etc.), and it would be interesting to see whether these attacks grow sharply over the next year while PoS compromises decrease. If so, what can we do going forward to alert other sectors to the "water balloon effect"? For the safety of the whole community we should at least be aware that this dynamic exists, and when we see a highly targeted, exploitable risk remediated, we should start considering where that displaced water is going to end up.

This isn't meant to be some type of fear-mongering tactic to scare people into thinking bad things will occur, but the fact is we should be prepared over the next couple of months to see where this goes. The old-school PoS systems were such easy wins for hackers, and if they're no longer easy to compromise, there's the possibility of an attack shift towards other areas or sectors. My only real advice is to determine what data attackers would want to compromise now and start getting your arms around it. I'm hoping you're doing that already, but unlike other times in the past, this might be the calm before the storm for a few unsuspecting industries. Let's encourage each other to take steps to prepare now, while we still can.

Monday, November 9, 2015

Speaking at ISACA Long Island Conference

Would love to see some of you guys down there. Let me know if you're able to make it.

Saturday, November 7, 2015

Support the ProtonMail Defense Fund (Urgent)

Over the past couple of days, our friend Andy Yen and ProtonMail have been the victims of a vicious DDoS attack. Attackers are obviously very upset about internet privacy. Please take a moment and consider donating a few dollars, any amount helps, to help ProtonMail defend themselves and our privacy. Here's a link to their GoFundMe: https://www.gofundme.com/protonmaildefense

Friday, November 6, 2015

Long Island's Cyber Consortium 2015

Last week I was invited to a cyber consortium hosted by Congressman Steve Israel at NYIT on Long Island. This was the third meeting of the consortium the Congressman has organized, and it had good representation from the NY area, especially Long Island. Congressman Israel drew an analogy to how, when pushed to action, Long Islanders have undergone great transitions and changed the world. He mentioned how, when the space race began, Long Island went from a potato and pumpkin farming community to the lifeblood of Grumman (now Northrop Grumman), the company that built the Apollo lunar module. He started this consortium to bring us together and reduce the cyber risks facing our home.

During this session Congressman Tom Graves, from Georgia, presented his thoughts on where cyber security is going and how he and Congressman Steve Israel are attempting to champion their ideas through the government. He spoke about how cyber security is becoming one of the largest concerns in government and how we as a country need to start doing more about it. Describing hackers, he said, "We show up to play a football game and the other team's ready to play hockey." The same rules don't apply anymore, and it's taking the government time to react to these new challenges.

One of the major topics brought up by the group was the recent CISA (Cybersecurity Information Sharing Act) bill. Both Congressmen voted for the bill and were asked very pointed questions about how it would work. The bill passed with heavy bipartisan support, no matter how you feel about it, and the answers they gave were very honest. When Congressman Graves was asked if he thought it would fix cyber security, he responded that "It's a piece to a puzzle, but not the end all be all." He also wanted to see companies deal with vulnerable software first, to stop the threat before it happens, because what good is threat intel if you're still vulnerable? He's one of the politicians who truly gets what we're doing.

As you most likely know, I'm not a supporter of the CISA bill, but I understand where the Congressmen were coming from. After hearing about the people they knew personally who were affected by the OPM breach, their point of view is understandable. The privacy of the data being shared was brought up multiple times, but the methods and processes hadn't been fleshed out yet. All in all, we don't have to agree on every topic, but one thing was clear: both of these men are doing what they believe is best for the cyber security community and will help make our home a safer place. I respect them both for doing so and wish we had more Congressmen and Senators who understand the risks we're dealing with like these two men do. It was a privilege to work a few things out with them, even if we don't completely agree on every topic. Having different sets of opinions is how you make progress.

Wednesday, November 4, 2015

Gremlins in the Network

There are a few things in your firewall you need to be aware of before they rise up and bite you in the butt. Just like those nasty little Gremlins that spawned from a soggy Mogwai in the movie "Gremlins", these issues will keep recurring until you fix the root cause, and they can cause a lot of damage.

I wrote this article for AlgoSec to describe a few areas of your firewall you want to take a look at before they reach true "Gremlin state". Also, when reviewing them, please make sure to keep the water bottles out of the data center, just in case.

Tuesday, November 3, 2015

Governments Banning Unbreakable Encryption

With all the improvements to encryption, especially in the mobile arena, it's sad to think that a government can use fear to try to roll these achievements back when it doesn't get what it wants. The British government and GCHQ have been spying on their citizens for years, but the latest trends in mobile phones, with encryption on by default, no longer leave communications decipherable by default. With these new encryption tools in place, governments are crying foul.

Over the past year the FBI was very vocal about its need to have a "master key" or "backdoor" placed into all devices for the protection of the country. We've seen how irresponsible the NSA has been with power, thanks to the Edward Snowden leaks, and giving them a backdoor into our lives was met with widespread outcry. They don't have the right to snoop on an entire population, and a life without privacy is an affront to our liberty.

The British government is using the same argument the FBI did to try to pass a surveillance law. When Prime Minister David Cameron says, "Terrorists, pedophiles and criminals must not be allowed a safe place online", he's really using this to increase, or at least keep at par, the widespread surveillance and data collection they've had in the past. Since everything these days is moving to mobile, not being able to collect this data on the entire population will severely decrease their ability to monitor. Without sounding callous, I have children, lived through a terror attack in NY and want to see cyber criminals locked up. I don't, however, want to live a life where the government could at any time be monitoring my private communications. It will be abused, and I personally don't think it's working. It's that simple.

I'm hoping that the Googles and Apples of the world take a stand against governments looking to use FUD to propel their agenda of mass surveillance. It will be a sad day when a government can tell a private company how insecure it has to make its product. If there's a backdoor for someone to enter, it might not always be the party you expected: a key built for law enforcement is a key for anyone who steals, leaks or rediscovers it. No good can come from this.