Wednesday, December 30, 2015

The Size and Scope of Data Breaches in 2015 (Bromium)

Last year was a pretty big year for data breaches, and it seems like 2015 is not so much different. Online retailers used to be a big target, but this year we've seen breaches across many different sectors, including insurance, healthcare companies and even governments. These targets carry even more of our personal data than retailers did. Awareness of security issues is higher than ever, with people putting more effort into protecting their data. However, according to studies, the cost per stolen record has still managed to increase by 6% this year, to an average cost of $154 per stolen record. Companies like Uber, Experian, Anthem, Premera and even the IRS had data breaches. Check out this graphic from Bromium to see the size and extent of breaches in 2015.

Tuesday, December 29, 2015

Call for Security Authors! No Prior Writing Experience Needed!

Over the course of the next year, I’d like to publish a few small booklets regarding recurring themes we’ve seen year-over-year in the security industry. What I’d like to do is have these booklets broken down into chapters, with people within the security industry contributing the real-world material and insights. There is really nothing better than having those working in the trenches each day guide the way the booklets should be written. There are so many people out there that don’t have the ability to share what they’re learning and doing each day, and hopefully this can allow them to share their experience. By doing so, we all benefit.

Within each topic I’d like to include multiple chapters. Each topic will be somewhat different, but what I’m aiming at is education on the topic itself. The granularity of the information for each topic will vary, but we should attempt to hit on the following main themes for each subject:

Booklet Themes
  • Review of the topic
  • Why it’s a recurring topic
  • Advice with solutions
  • Tricks of the trade
  • Improvements

At this time I’m proposing the following six topics to start with, since advice on them is in great demand either when looking to resolve an issue or when proactively looking to improve your security posture. I’d like people to use these booklets as a way to guide others in creating better security for the topics being written on. These won’t be vendor slicks trying to sell a product, but something valuable that can be taken without bias. This, in my opinion, is more valuable. Also, this is a first stab at the topics; if you have others you think should be on the list, please let me know. We’re flexible.

  • Incident Response
  • DDoS
  • Deception in Depth
  • Security Monitoring
  • Phishing
  • Application Security

If you have experience in any of these areas and want to submit some content on the topics, please contact me at the email below. Once we get enough authors signed up we’ll start breaking down the themes of the topics in more detail. These booklets aren’t being sold and would hopefully be put under a Creative Commons licensing approach, where others can share and add to them freely while giving credit to those that worked on them.

If you’re interested, please contact me at

Monday, December 28, 2015

Cyber Security 2015 Reflections - Another Year Gone By

Here are some cyber security reflections I've written for Algosec as the year comes to a close, along with a few things we're forecasting for the new year to come.

Wednesday, December 23, 2015

Another Example of Why Governments Should Exit the Encryption Debate (The Juniper Debacle)

With the recent revelation of the Juniper backdoor vulnerability, it raises the question as to why we should “let” the government put purposeful backdoors into our products. Apple has been very vocal on why they won’t be bullied into allowing this type of behavior by the government, and how the privacy of their users’ data is paramount. With the recent terror attacks in Paris and other places in the world, governments everywhere, the U.S.A. and U.K. being the loudest, are attempting to use fear to push their agendas. This isn’t news anywhere. We know they’re looking to create backdoors into our encryption, and that is the very reason we have the Juniper scandal today.

In a recent article by WIRED magazine they explain that the backdoor was made possible by the DUAL_EC_DRBG algorithm, which was purposely created by the NSA to decrypt data surreptitiously. This was always assumed while the algorithm was under review, but it was eventually pushed into the NIST standard as one of the recommended algorithms at the time. It’s been reported that this was part of the NSA’s operation BULLRUN, which was created to break encryption for monitoring targets, and for which they had a nearly $250 million yearly budget. Even more concerning is that the NSA purportedly paid RSA the sum of $10 million to include this algorithm in their product. RSA has since said that they were unaware of this at the time, but it’s still highly suspicious.

This being said, governments have already been accessing our systems, either in cooperation with technology vendors or by illegally circumventing vendors’ technology to gather the data they’re looking to collect. So why should we trust them to be more responsible if we allow them to put holes into products that we use every day? What have they done in the past to earn this respect and trust? They don’t have our confidence to play within the rules, so what makes them think we’d be willing to be taken by the hand and walked down a path we'll eventually regret? The problems they’re creating (look at Stuxnet and DUAL_EC_DRBG) discredit them from being taken seriously. Also, it’s overreaching to start using the terrorist attacks in Paris, where they didn’t use encrypted channels for communications, or the terrorist attacks in San Bernardino, where there were public Facebook announcements made by the terrorists announcing their actions. Both of these attacks’ communications were in cleartext and neither attack was stopped. This might be somewhat far-fetched of me, but if you want all the encrypted information, start by stopping the things that happen in the clear first.

What many of these governments aren’t considering is that they’re making your device less secure and more vulnerable to eventual attack by someone else. I understand they want to have a separate key that would only allow them to access the data when needed, which is still scary. But just like Dr. Ian Malcolm said in Jurassic Park, “Life, uh….finds a way,” and it’s possible that the vulnerability/hole you created for yourself will be abused by others: that this hole will be used to spy against you, or that even more malicious actors will use a similar method to abuse the access that was blown open to “protect” people. I can’t see any concrete reasons, or examples, from the past that dramatically slide the argument into the government’s favor against us giving up our privacy. The latest backdoor issue we've seen come to light, with Juniper, all due to the NSA making a hole that shouldn't have been there to begin with, is yet another example of why the government should remove themselves from this debate completely. They don't have a track record of being responsible with this type of access, and we don't want to give it to them.

Monday, December 21, 2015

Shop Safe This Holiday Season

With the holiday shopping season in full swing, many shoppers are deciding to skip the long lines and instead, make their purchases from the convenience of their mobile device. Did you know that nearly 53% of online purchases during last year's holiday season were made from a smartphone or tablet? This number is expected to grow even higher, making mobile shoppers a major target for cybercriminals. It's more important now than ever to fully understand how to stay safe when it comes to shopping from a mobile device or online. #ShopSafe.

Thursday, December 17, 2015

What's on Your InfoSec Wishlist?

I was recently asked the following question by Tripwire: “If you had one wish for the infosec community this holiday season, what would it be and why?” This is a very loaded question to be honest, since there are so many things on my wishlist, but there's one area I'm particularly passionate about that I think we should be doing more of next year. Here's my wishlist item, along with those of many other information security professionals, as to what we'd like to see the community start doing this new year.

Tuesday, November 17, 2015

Speaking at IASA eSummit on "Deception in Depth"

Tomorrow I'll be speaking at the IASA Cyber Security eSummit on the topic of "Deception in Depth". The talk will be based on the following:

"Deception has a legitimate use in all types of defense. It’s been used successfully for hundreds of years, why stop now? The bad guys use deception to infiltrate your network, why not use it against them? In this presentation we’ll review what deception is and how we can use it to our advantage."

You can register to hear the talk live at the following link. There are some interesting presentations going on tomorrow and it would be great to hear any feedback. If you can't make it, the presentation and talk will be recorded and available for download later on.

Tuesday, November 10, 2015

The Unintended Consequences of EMV (Pin and Chip) or The Water Balloon Effect

As of October 1st, 2015, merchants in the United States can potentially be held liable for fraud occurring on their PoS if EMV (aka Pin-and-Chip) systems aren’t rolled out. If you’re like most people you’ve probably received a new debit/credit card in the mail, with the ability to use this new card at any EMV PoS at your favorite retail store. In my opinion this was a long time coming and I’m glad the legislation was made to have these systems pushed on retailers. Just like anything else, this doesn’t completely protect people, but it's head and shoulders above what we had in the past. My concern, though, is that we’ll see adverse effects in other areas of the industry as a direct consequence of securing a heavily targeted area.

Let me use the analogy of a water balloon for a moment. The water balloon can take on multiple oblong shapes depending on what area of the balloon is squeezed. If you pinch one area of the balloon, the water will be pushed to another section, filling it in and changing the shape. If you release the section you’re applying pressure to, the water will refill the areas that were previously closed off, changing the shape again. At this point I think you’re wondering what EMV, cyber security and water balloons have in common, so let me see if I can make this clearer. The example of the water balloon shows that if something is being blocked, or not allowed to flow, it will be displaced to another part of the balloon; the fluid in the balloon isn't eliminated. The same applies to EMV chip-and-pin cards and cyber theft. Attackers are going to come after you, they’re not going to stop, and if they’re having issues compromising the new PoS systems, they’ll attack elsewhere. Remember, they’re opportunistic. Whatever can give them the most bang for their buck is where they’ll focus their energy. They’re not going to disappear.

With this being said, if we eliminate a very juicy and common target for attackers to feast on, what will they do? Will they invest money into breaking EMV systems? Maybe. Will they attack retailers that don’t have EMV PoS deployed in their network? Most likely. Will they start broadening their horizons to untapped areas to keep making money? Definitely. Think about that for a minute. Fixing an issue that people have been calling to fix for years could potentially cause other sectors, or areas of the industry, to be brought under attack. That’s what I’m calling the “water balloon effect”: the unintended consequence of directing malicious attention elsewhere due to the remediation of a highly targeted area. There are many other sectors and areas of attack that we’ve seen grow over the past year (mobile malware, healthcare hacks, cryptolocker, etc.) and it would be interesting to see if these attacks grow exponentially over the next year while PoS compromises decrease. If this is the case, what can we do going forward to alert other sectors to the “water balloon effect”? For the complete safety of the general community we should at least be aware that this theory is in play, and that when we see a highly targeted exploitable risk remediated, we should start considering where that displaced water is going to end up.

This isn’t meant to be some type of fear-mongering tactic to scare people into thinking bad things will occur, but the fact is we should be prepared over the next couple of months to see where this goes. The old-school PoS systems were such easy wins for hackers, and if they’re not going to be easy to compromise now, there’s the possibility of an attack shift towards other areas or sectors. My only real advice is to determine what data attackers would want to compromise now and start getting your arms around it. I’m hoping you’re doing that now, but unlike other times in the past, this might be the calm before the storm for a few unsuspecting industries. Let’s embolden each other to take steps on preparing now while we still can.

Monday, November 9, 2015

Speaking at ISACA Long Island Conference

Would love to see some of you guys down there. Let me know if you're able to make it.

Saturday, November 7, 2015

Support the ProtonMail Defense Fund (Urgent)

Over the past couple of days, our friend Andy Yen and ProtonMail have been the victims of a vicious DDoS attack. The attackers are obviously very upset about internet privacy. Please take a moment and consider donating a few dollars, any amount helps, to help ProtonMail defend themselves and our privacy. Here's a link to their GoFundMe:

Friday, November 6, 2015

Long Island's Cyber Consortium 2015

Last week I was invited to a cyber-consortium hosted by Congressman Steve Israel at Long Island's NYIT College. This was the third meeting of the consortium the Congressman has organized, and it had good representation of the NY area, especially Long Island. Congressman Israel brought up the analogy of how, when pushed to action, Long Islanders have undergone great transitions to change the world. He mentioned how, when the space race began, Long Island transitioned from a potato and pumpkin farming community to the lifeblood of Northrop Grumman (the company that built the moon lander). He started this consortium to bring us together and stop the threat of cyber risks against our home.

During this session Congressman Tom Graves, from Georgia, presented his thoughts on where cyber security was going and how he and Congressman Steve Israel are attempting to champion their ideas through the government. He spoke about how cyber-security was becoming one of the largest concerns in the government now and how we as a country need to start doing more about it. The analogy of hackers was brought up by saying, “We show up to play a football game and the other team's ready to play hockey.” The same rules don’t apply anymore, and it’s taking the government time to react to these new challenges.

One of the major topics brought up by the group was the recent CISA (Computer Information Sharing Act) bill. Both Congressmen voted for the bill and were asked very pointed questions regarding how it worked. There was heavy bipartisan voting on the bill, no matter how you feel about it, and the answers they gave were very honest. When Congressman Graves was asked if he thought it would fix the issue of cyber-security, he responded that “It’s a piece to a puzzle, but not the end all be all.” He also wanted to see companies deal with vulnerable software first to stop the threat from happening to begin with, because what good will intel do if you’re vulnerable in the first place? He’s one of the politicians that truly gets what we’re doing.

As you most likely know, I’m not a supporter of the CISA bill, but I understand where the Congressmen were coming from. After hearing about the people they knew personally that were affected by the OPM breach, it’s understandable to see their point of view. The aspect of privacy was brought up multiple times with regard to the data being transferred, but the methods and processes weren’t fleshed out yet. All in all, we don’t all have to agree on every topic, but one thing was sure: both of these men are doing what they believe is best for the cyber security community and will assist with making our home a safer place. I respect them both for doing so and wish we had more Congressmen/Senators that understand the risks we’re dealing with like these two men do. It was a privilege to work a few things out with them, even if we don’t completely agree on all the topics. Having different sets of opinions is how you make progress.

Wednesday, November 4, 2015

Gremlins in the Network

There are a few things in your firewall you need to be aware of before they rise up and bite you in the butt. Just like those nasty little Gremlins that spawned from a soggy Mogwai in the movie "Gremlins", these issues will keep recurring until you fix them, and they can cause a lot of damage.

I wrote this article for Algosec to describe a few areas in your firewall you want to take a look at before they reach true "Gremlin State". Also when reviewing them, please make sure to keep the water bottles out of the data center, just in case.

Tuesday, November 3, 2015

Governments Banning Unbreakable Encryption

With all the improvements to encryption, especially those in the mobile arena, it's sad to think that a government can use fear to try and roll these achievements back when they don't get what they want. The British government and GCHQ have been spying on their citizens for years, but now, with the latest trends and advances in mobile phones, communications are no longer decipherable by default. With these new encryption tools in place, governments are calling foul.

Over the past year the FBI was very vocal on their need to have a "master key" or "backdoor" placed into all devices for the protection of the country. We've seen how irresponsible the NSA has been with power, thanks to the Edward Snowden leaks, and giving them a backdoor into our lives was met with widespread outcry. They don't have the right to snoop on an entire population, and it's against our liberty to live without privacy.

The British government is using the same guilt-laden argument the FBI did to try and pass a surveillance law. When Prime Minister David Cameron says, "Terrorists, pedophiles and criminals must not be allowed a safe place online", he's really using this as a way to increase, or at least keep on par, the widespread surveillance and data collection they've had in the past. Since everything these days is moving towards mobile, not having this data collected on the entire population will severely decrease their ability to monitor. Without sounding callous: I have children, lived through a terror attack in NY and want to see cyber criminals locked up. I don't, however, want to live a life where the government could at any time be monitoring my private communications. It will be abused, and I personally don't think it's working. It's that simple.

I'm hoping that the Googles and Apples of the world take a stand against governments looking to use FUD to propel their agenda of mass surveillance. It will be a sad day when a government can tell a private company how insecure they have to make their product. If there's a backdoor for someone to enter, it might not always be the one you expected. No good can come from this.

Monday, October 19, 2015

Mapping FinFisher's Surveillance Spyware

This is some great research done by on the FinFisher surveillance spyware. Check it out here. Great job, guys. 

Friday, October 16, 2015

Cyber Horror Stories From the Past Year

The eerie cyber season is upon us now, the time of year when the cyber ghouls are out looking for our data. This past year has been exceedingly spooky, with major organizations being taken advantage of by the cyber undead. With this being Cyber Awareness Month we’d like to review a few of these attacks with you so that they can become part of your zombie security survival guide when the cyber apocalypse is pointed in your direction. Stay alert; you never know when these monstrosities will come after you next. Here are a few stories from the past year that will give you goosebumps.

We’ve noticed that 2015 is the year of the healthcare breach. These monsters have targeted healthcare over the past 12 months with wild abandon. Whether it is Anthem, Blue Cross, UCLA or any other casualty, these monsters have a taste for healthcare and want more of it. The industry as a whole has taken this very seriously after seeing their peers eaten alive, and is making strides to secure what they can before it’s too late. There is never a safe place from these beasts, but over the past 12 months the sea change in thinking for healthcare has been eye-opening. The entire industry is putting in defenses today that wouldn’t have been there if not for these vicious attacks. The carnage of these assaults has sparked a flame in healthcare, one that will hopefully continue to shine brightly. Otherwise, they’ll be the next ones to the stake.

The government has also become, or should I say always was, a favorite target for cyber witches that continue to plague their security. We noticed some advanced witchcraft thrown at the government this year in the form of the OPM and IRS hacks. The enchantresses behind these breaches were sophisticated and able to cast unstoppable spells over government networks that weren’t ready for their potent effect of data loss. These attacks were used to gain more insight into government employees and could only be the beginning of their spells. The data these witches stole will probably be used later on to create a more refined incantation, using this pinched data as an ingredient in their cauldron for an even greater conjuring of evil towards the government and its employees. The government as a whole needs to wake up and start making changes that will protect it from these types of attacks. It’s the biggest target for these overseas witches and will be for years to come.

Something interesting we saw this year, that we don’t see every day, was a group of cyber fiends being hunted down by what seems like another individual to usurp them from their evil throne. This of course was the “Hacking Team” hack, where the group “Hacking Team” was selling surveillance and malware to countries to spy on their people. The zombie hunter Phineas Fisher, who could play both hero and villain, defended these countries by exposing “Hacking Team” for what they really were. It’s interesting to watch these cyber vigilantes come right after evil, while toeing the line of becoming exactly what they’re fighting against. This battle for cyber purity is one that can swallow up a person, or group for that matter, if they’re not careful.

My dear friends, it’s been a terrifying 2015 and one that gives us reason to worry. Let’s use this Cyber Awareness Month as a way to educate others against ghouls on the internet lurking in the dark webs ready to pounce. Constant diligence and education will keep us safe, because you never know when they’ll strike. Let us be like Ghost Busters and team up together to let everyone know that “We ain’t afraid of no ghosts!”

Wednesday, October 14, 2015

Best Practices to Prepare for a Cyber Attack

The war is coming and it's a matter of time before you're attacked (assuming you aren't already under attack, which you most likely are), and if you're not actively preparing for this event you'll be destroyed when it happens. There needs to be a plan of action, there needs to be training, there need to be assigned roles, or you'll be scrambling during an incident. This article I wrote helps explain a few areas that should be addressed now in preparation for an incident. It's better to be prepared rather than making it up in the heat of the moment. Knowing is only half the battle.

Don't Mess with Brian Krebs

If you mess with the Krebs you get the horns. Great article

Monday, October 12, 2015

Review of some best #CyberAwareTips

Tripwire recently collected some of the better cyber security awareness advice from the hashtag #CyberAwareTips for National Cyber Security Awareness Month (NCSAM). You can check out my advice and others' on this aggregated blog from Tripwire:

Friday, October 9, 2015

How NOT to be a Victim of Social Engineering [Cyveillance]

Here's a great infographic from Cyveillance about "How NOT to be a Victim of Social Engineering". To read the entire blog post please take a look here. Well done, Cyveillance.

Thursday, October 8, 2015

New Amazon Application Security Services

Okay, the cloud is dangerous and everyone should stop using it before it rains down your data upon all those it wasn't intended for, right? Well, not really. There are times when keeping data in house is an ideal solution, but there are other times when pushing data to the cloud is a completely viable approach. This is all about knowing your security risk appetite and understanding the data that's being hosted in the cloud and the security of the cloud provider. With this being said, Amazon has taken great strides in helping ease the "security of the provider" concern. Take a look at the following two products that Amazon recently released:

These two services assist greatly with running any type of web application on Amazon's AWS service. Many startups and lower-income businesses are using Amazon to run their applications, as well as many very large companies, but for those without the revenue to purchase these services elsewhere, Amazon has really created a secure ecosystem that keeps clients from outgrowing its services from a security standpoint. This is a huge step forward for them and I'm personally very excited to see where they're going in the future.

Wednesday, October 7, 2015

Building a cybersecurity culture in the workplace

We all know that attackers are coming after your users; this shouldn't be a surprise. We need to find better ways to have security awareness sink into their minds, because they're the first line of defense. They are the weakest links in your networks and systems. If they're not trained you're at even more risk of data breaches. It's really that simple. Also, not all groups should be trained the same: dedicated training per group (administrators, marketing, finance, etc.) will provide a focused education and assist with better protection of your users.

Here's an article I collaborated on with the good folks at Tripwire regarding some other cybersecurity culture training tips for the workplace.

Friday, October 2, 2015

Comparing MDM Solutions (IMO)

Here are my thoughts on how to compare mobile device management (MDM) systems when looking to purchase one to manage your mobile devices. As the mobile market grows, so does the risk of your data and internal networks being compromised through these devices. Here are a few criteria for making an educated decision on which MDM is right for your organization:

Who let the data out?! Time for effective egress filtering!

We've seen way too many organizations have data breaches due to not having proper egress filtering configured. Many places are still only worried about what's making its way into the network and aren't concerned about what's leaving the network. This could be the difference between an attacker making it into your network and an attacker leaving with your data. If they aren't able to get data out, there's no data loss, and this limits the impact of the compromise.
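To make the egress-filtering point concrete, here is an added example (my own code, not from the original post or any product it links to) that expresses a default-deny outbound policy as a small allowlist, audits a handful of constructed outbound-connection log lines against it, and renders the same allowlist as iptables rules for a gateway's FORWARD chain. The log format, the 10.0.0.0/8 internal range, the resolver, proxy and mail-relay addresses, and the rule set itself are all assumptions made up for the example; the external addresses are RFC 5737 documentation ranges.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample log (not real traffic). Assumed format:
#   <timestamp> src=<ip> dst=<ip> proto=<tcp|udp> dport=<port>
SAMPLE_LOG = """\
2015-10-02T10:01:03 src=10.0.1.5 dst=10.0.0.53 proto=udp dport=53
2015-10-02T10:01:04 src=10.0.1.5 dst=10.0.0.8 proto=tcp dport=3128
2015-10-02T10:01:09 src=10.0.1.5 dst=203.0.113.7 proto=tcp dport=443
2015-10-02T10:02:15 src=10.0.1.22 dst=198.51.100.9 proto=udp dport=53
2015-10-02T10:02:40 src=10.0.2.10 dst=198.51.100.25 proto=tcp dport=25
2015-10-02T10:03:01 src=10.0.1.7 dst=203.0.113.99 proto=tcp dport=4444
"""


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int


@dataclass(frozen=True)
class EgressRule:
    """One permitted outbound path: who may talk to whom, over what."""
    name: str
    src_net: ipaddress.IPv4Network
    dst_net: ipaddress.IPv4Network
    proto: str
    dports: frozenset

    def permits(self, flow: Flow) -> bool:
        return (flow.src in self.src_net and flow.dst in self.dst_net
                and flow.proto == self.proto and flow.dport in self.dports)


# Assumed network layout for the example: internal hosts may only resolve
# DNS through the internal resolver and reach the web through the proxy;
# only the proxy and the mail relay are allowed to talk to the internet.
INTERNAL = ipaddress.IPv4Network("10.0.0.0/8")
ANY = ipaddress.IPv4Network("0.0.0.0/0")
EGRESS_ALLOWLIST: List[EgressRule] = [
    EgressRule("dns-to-internal-resolver", INTERNAL,
               ipaddress.IPv4Network("10.0.0.53/32"), "udp", frozenset({53})),
    EgressRule("web-via-proxy", INTERNAL,
               ipaddress.IPv4Network("10.0.0.8/32"), "tcp", frozenset({3128})),
    EgressRule("proxy-to-internet", ipaddress.IPv4Network("10.0.0.8/32"),
               ANY, "tcp", frozenset({80, 443})),
    EgressRule("mail-relay-smtp", ipaddress.IPv4Network("10.0.2.10/32"),
               ANY, "tcp", frozenset({25})),
]


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one log line into a Flow; return None for malformed lines."""
    try:
        fields = dict(token.split("=", 1) for token in line.split()[1:])
        return Flow(ipaddress.IPv4Address(fields["src"]),
                    ipaddress.IPv4Address(fields["dst"]),
                    fields["proto"].lower(), int(fields["dport"]))
    except (KeyError, ValueError):
        return None


def first_matching_rule(flow: Flow, rules: List[EgressRule]) -> Optional[str]:
    for rule in rules:
        if rule.permits(flow):
            return rule.name
    return None


def audit_egress(log_text: str,
                 rules: List[EgressRule] = EGRESS_ALLOWLIST) -> List[Tuple[str, str, str, int]]:
    """Default-deny audit: return every flow that no allowlist rule permits."""
    violations = []
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow is not None and first_matching_rule(flow, rules) is None:
            violations.append((str(flow.src), str(flow.dst), flow.proto, flow.dport))
    return violations


def to_iptables(rules: List[EgressRule], chain: str = "FORWARD") -> List[str]:
    """Render the allowlist as iptables commands ending in a default DROP."""
    cmds = []
    for r in rules:
        ports = ",".join(str(p) for p in sorted(r.dports))
        port_match = (f"--dport {ports}" if len(r.dports) == 1
                      else f"-m multiport --dports {ports}")
        cmds.append(f"iptables -A {chain} -s {r.src_net} -d {r.dst_net} "
                    f"-p {r.proto} {port_match} -j ACCEPT")
    cmds.append(f"iptables -A {chain} -j DROP")
    return cmds


if __name__ == "__main__":
    for v in audit_egress(SAMPLE_LOG):
        print("egress violation:", v)
    print("\n".join(to_iptables(EGRESS_ALLOWLIST)))
```

Against the sample log this flags three flows: a workstation reaching port 443 directly instead of via the proxy, a workstation sending DNS to an external resolver, and a workstation connecting out on port 4444; the DNS-to-resolver, proxy and mail-relay flows pass. Running the audit over real connection logs before enforcing the rules shows which legitimate paths the allowlist still misses, so the switch to default-deny does not break production.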

Security Metrics Crowdsourced Blog

If you're building a security dashboard with metrics for executives, or anyone for that matter, take a look at this blog assembled by Tripwire regarding "Top 10 Tips for Building an Effective Security Dashboard". Tip #6 is especially interesting ;)

Cyber Security Awareness Month #CyberAwareTips

October has been deemed "Cyber Security Awareness Month" by many major security companies, and it's something that, if used correctly, could be of great assistance to those that might not be as cyber-savvy. I've been posting a few tips to Twitter with the hashtag #CyberAwareTips, along with many others. Let's see how much traffic we can generate with this hashtag and get the word out this month.

Thursday, September 24, 2015

An interview with Andy Yen (Creator of ProtonMail)

I was recently given the opportunity to correspond with Andy Yen, creator of ProtonMail, regarding his encrypted email service and the current state of internet privacy. ProtonMail, which has been posted about multiple times on this blog, is growing at a rapid pace and is one of the most popular encrypted email services available. Through our correspondence I was able to ask Andy his opinion on internet privacy and what’s in store for the future of ProtonMail. Also, make sure to add a donation towards ProtonMail and spread the word about his company. Here are a few questions Andy graciously answered for us:

What prompted you to start your own email service based on privacy? Was there a defining moment you can remember?

“The defining moment was two years ago when I tried to find a good way to keep my email communications secure and private. All of the existing solutions (mostly involving PGP) were simply too difficult to use, and since a good service didn't exist, the only solution was to create it ourselves.”

In your opinion, besides email, what is the largest threat to privacy on the internet today?

“The biggest threat is actually cultural. Nowadays, we have the Facebook, Snapchat, Instagram generation, which are young people being trained from a young age to share everything online without giving it a second thought. This trend can permanently alter the definition of privacy within a generation or two.”

What are your suggestions to a new generation coming up that sees privacy as more of an afterthought?

“I always joke that it will be very interesting to watch a US presidential election in 20 years where the old Facebook posts and instagram photos of the candidates resurface. I think it's important for the new generation to remember that what goes out onto the internet is permanent. Once you share a photo, you can NEVER take it back, and it could mark you for the rest of your life.”

Honestly, protecting privacy can be bad for business. Have you had push back from large organizations or governments regarding your service?

“Actually no, businesses large and small now understand that privacy is important. This is because, what businesses need more than ever is actually security, and encryption technologies like ProtonMail bring the security which ensures that cyberattacks like the Sony hack are a lot harder to pull off. Security is the goal, but privacy is the end state that comes with security.”

Over the past year I've personally noticed the increase of the ProtonMail service. Will ProtonMail always be free?

“We know that many of our users who need privacy the most (activists in Russia, China, etc) are also those that most cannot afford to pay. Thus, we are committed to keeping the basic version of ProtonMail free for as long as possible.”

Do you foresee any additional privacy services spawning off of ProtonMail in the future? I've heard rumors of a mobile app. Would you ever branch off into secure storage?

“Actually, our mobile apps have already been released in beta and we have several thousand beta testers using the apps today. In the future, we also intend to expand into storage since that is a commonly requested feature from our users.”

In what ways can our readers help assist continue making ProtonMail the best private email service out there?

“There are several ways in fact. The first is to get the message out about how bad the current surveillance state is. Many people simply don't realise they are being constantly tracked, monitored, and recorded online. Secondly, it is important to encourage others to also use ProtonMail because the most secure email system in the world cannot turn the tide if we don't get the world on board. And lastly, for users who are interested in assisting us directly, it is possible to donate to the project here:

Tuesday, September 22, 2015

Protect Healthcare Data Now!

Healthcare data has become “en vogue” for hackers, and it’s no secret that they’re looking for it. The risk to the patient, and the price a hacker can get for the data, is much higher than for any other record that can be stolen now. I wrote the following blog describing this issue, why it’s important to protect the data and how the industry is taking this problem head on. Hope you like it.