Category Archives: Blog

More phishing leaks into Gmail

I’ve been a Gmail user since its beginning in 2004. Unlike Yahoo! email, Gmail has historically done an exemplary job of blocking spam and phishing.

Until this year.

New forms of phishing are evading Google’s filters: the first is what I call the “invoice scam,” where the sender emails an attachment claiming to be an invoice. I surmise that either the attachment has malware embedded in it, or they are hoping that I will pay the invoice by sending money to who-knows-where.

Another form of phishing I’m seeing a lot (several each day) is email in which the entire content of the message is a single image. The image claims to originate from a major retailer such as Home Depot, Ace Hardware, and others, and tells me that I have been selected to win a product of some sort. Like the invoice scam, I’m certain that clicking the image will take me to a credential-harvesting page, where I’ll be asked for login credentials or payment information.

I don’t doubt that Google will figure out how to block these types of phishing messages. But the senders are not going to give up so easily. We must continue to be on our guard and practice the basic principles for handling incoming email:

  • Be wary of emails from people you don’t know.
  • Be wary of emails from people you DO know that are out of character.
  • Confirm the message through independent means (NOT a reply).
  • Do not be curious and click, just to see what happens next.

Crypto Purchase Scam

Over the past three weeks, I’ve received several invoices through PayPal for alleged purchases of cryptocurrency. One such invoice is shown here.

Recent PayPal invoice

I don’t have a PayPal account, and I have not been in contact with this seller, so my natural inclination is to consider this a scam.

The email actually originated at PayPal, per the SMTP and DKIM headers, and the View and Pay Invoice link actually goes to paypal.com.
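A DKIM pass from paypal.com and a link that really goes to paypal.com establish only that the message was sent through PayPal’s own invoicing system; they say nothing about whether the invoice is owed, since anyone with a PayPal account can generate one. The check below is an added example, not code from the original post. It parses the receiving server’s Authentication-Results header (trusting only the one stamped with the receiver’s own authserv-id, because a sender can inject a fake copy), compares the DKIM signing domain with the visible From domain, and lists the hosts behind the http(s) links in the body. The two messages are constructed for the example; the mx.google.com authserv-id and the set of trusted domains are assumptions.

```python
"""Header and link checks for a suspicious invoice email.

Added example, not code from the original post. The two messages below are
constructed, not real PayPal mail; the trusted-domain set and the
authserv-id are assumptions for the example.
"""
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"paypal.com"}  # assumption: the brand the invoice claims to come from
AUTHSERV_ID = "mx.google.com"     # assumption: the receiving MTA that wrote Authentication-Results


def same_org(host: str, domain: str) -> bool:
    """True if host is the domain or a subdomain of it (dot boundary, not substring)."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def dkim_results(msg, authserv_id: str):
    """[(verdict, signing_domain), ...] from Authentication-Results headers written by
    our own receiving server. Headers stamped with another authserv-id are ignored
    because the sender can add those to the message itself."""
    results = []
    for hdr in msg.get_all("Authentication-Results", []):
        clauses = [c.strip() for c in str(hdr).split(";")]
        first = clauses[0].split()
        if not first or first[0].lower() != authserv_id.lower():
            continue
        for clause in clauses[1:]:
            if not clause.lower().startswith("dkim="):
                continue
            verdict = clause.split()[0][len("dkim="):].lower()
            # RFC 8601 reports the signing domain as header.d=; Gmail writes header.i=@domain
            m = re.search(r"header\.(?:d=|i=@)([A-Za-z0-9.-]+)", clause)
            results.append((verdict, m.group(1).lower() if m else ""))
    return results


def from_domain(msg) -> str:
    """Domain of the visible From address (what the reader sees)."""
    _, addr = email.utils.parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


class _LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def link_hosts(msg):
    """Hostnames of http(s) links in the body; other schemes (tel:, mailto:) are skipped."""
    body = msg.get_body(preferencelist=("html", "plain"))
    collector = _LinkCollector()
    collector.feed(body.get_content() if body is not None else "")
    hosts = []
    for href in collector.hrefs:
        parts = urlparse(href)
        if parts.scheme in ("http", "https") and parts.hostname:
            hosts.append(parts.hostname.lower())
    return hosts


def assess(raw: str, trusted=TRUSTED_DOMAINS, authserv_id=AUTHSERV_ID) -> dict:
    msg = email.message_from_string(raw, policy=policy.default)
    dkim = dkim_results(msg, authserv_id)
    sender = from_domain(msg)
    hosts = link_hosts(msg)
    dkim_ok = any(v == "pass" and any(same_org(d, t) for t in trusted) for v, d in dkim)
    from_ok = any(same_org(sender, t) for t in trusted)
    links_ok = bool(hosts) and all(any(same_org(h, t) for t in trusted) for h in hosts)
    if dkim_ok and from_ok and links_ok:
        verdict = "sent via the trusted platform; legitimacy of the invoice itself is NOT established"
    else:
        verdict = "headers or links do not match the claimed sender; treat as phishing"
    return {"dkim": dkim, "from_domain": sender, "link_hosts": hosts,
            "dkim_ok": dkim_ok, "from_ok": from_ok, "links_ok": links_ok, "verdict": verdict}


# Constructed sample 1: really relayed by the platform (DKIM for paypal.com, link to paypal.com)
VIA_PLATFORM = """\
Authentication-Results: mx.google.com; dkim=pass header.i=@paypal.com header.s=pp-dkim1 header.b=AbCd1234; spf=pass smtp.mailfrom=service@paypal.com
From: "Example Seller via PayPal" <service@paypal.com>
To: recipient@example.net
Subject: Invoice from Example Seller
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>You have an invoice for 0.25 BTC.</p>
<p><a href="https://www.paypal.com/invoice/p/INV-EXAMPLE">View and Pay Invoice</a></p>
<p>Questions? Call <a href="tel:+15555550100">+1 555 555 0100</a></p></body></html>
"""

# Constructed sample 2: spoofed From, DKIM-signed by an unrelated domain, injected
# Authentication-Results header, and a look-alike link host
LOOKALIKE = """\
Authentication-Results: mx.google.com; dkim=pass header.i=@bulk-mailer.example header.s=s1 header.b=ZyXw9876; spf=fail smtp.mailfrom=billing@bulk-mailer.example
Authentication-Results: paypal.com; dkim=pass header.d=paypal.com
From: "PayPal" <service@paypal.com>
To: recipient@example.net
Subject: Invoice from Example Seller
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p><a href="https://paypal.com.invoice-view.example/pay">View and Pay Invoice</a></p></body></html>
"""

if __name__ == "__main__":
    for label, raw in (("via-platform", VIA_PLATFORM), ("lookalike", LOOKALIKE)):
        print(label, assess(raw))
```

Both samples pass the naive test of "From says paypal.com". Only the first passes the header and link checks, and even for it the verdict is deliberately limited to "sent via the platform": the decision about whether to pay still has to be made the way the post says, by confirming through an independent channel rather than by replying or calling a number in the message.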

Computer Glasses

I suffered from eyestrain from working on computers all day long, until my optometrist recommended computer glasses. I had not heard of them before, but could not work without them today.

What computer glasses are: prescription eyeglasses with a specific strength at which the eyes are completely relaxed (as though looking at objects far, far away, which completely relaxes the muscles that shape the eye’s lens) when viewing objects about an arm’s length away (the typical distance to a monitor). Further, my computer glasses have a yellow tint that blocks excessive blue light, an added benefit that helps prevent cataracts, macular degeneration, and retina damage.

I also use those “night light” features on laptops, tablets, and smartphones that reduce blue light after hours. I used to purchase third-party software to do this, but modern OS’s have this as a standard feature nowadays. 

More info: https://safetygearpro.com/what-are-computer-glasses-and-how-do-they-work/ (not a product endorsement, but an informative article). 

Are You Ready?

Social unrest. Inflation. Supply chain shortages. Earthquakes. Freak storms. Floods. Rampant crime. Wars and rumors of wars. Disease. Famine. Erosion of culture and social values.

It’s hard not to recognize that the world is going through some kind of distress. Its root cause is difficult to discern and may be invisible. But to many, it feels as though something big is about to happen, although what that something may be will depend on what you believe and who you ask.

Some of the possibilities being discussed include:

  • A drastic change in the global financial system with a significant impact on standards of living
  • A drastic change in global political systems with significant impact on personal freedom
  • A world war that includes the use of weapons of mass destruction
  • The sudden, inexplicable disappearance of a substantial portion of the world’s population
  • A pandemic with a high mortality rate
  • A dramatic appearance of UFOs and their occupants
  • An unexpected weather, geological, meteoric, or astronomical event that causes widespread damage over much of the world

Whatever it might be, it feels as though we should get our lives in order. What that means for each of us will vary, but at its core are our relationships with others.

Do not be afraid to dig deep into your memory, so that you may settle accounts with others. Do not delay.

Chance Meetings Are Not Chance Meetings

I was on a business flight between Seattle and Anchorage earlier today. In the days coming up to the flight, I was re-checking seat assignments to see if I could get something better than the premium cabin middle seat. This morning, before the flight, I saw an exit row seat in coach open up, and I decided to go for it as I knew I would want to work on a book I’m finishing up.

A man in the same row as me arrived and sat down. He had a C.S. Lewis book that I have not read, so I asked him if he liked it. He said that he did. I shared a couple of other C.S. Lewis titles that I have read over the years. As we talked a bit more, I shared that Lewis’ title, A Grief Observed, was a good read many years ago after my son passed away. The man told me that he had lost a son as well.

Three weeks ago.

My heart ached for him. I know this pain well. I imparted some of my own experiences and observations, including sage advice imparted to me, including that given by one of my half-brothers who lost two children. I told him that the memories will remain and the pain will slowly ebb.

Our conversation lasted but ten minutes.

You never know who you are going to run into or what opportunities will come your way to help others.

Cross-Country Road Trip

I’d thought of a cross-country road trip all of my adult life, but never thought I’d have the opportunity or take the time to do it.

That all changed in June, 2022, when we purchased a moderately rare vehicle from a private party in Rhode Island and drove it home to Washington State.

a brief road stop at Painted Canyon, North Dakota

The journey was moderately stressful, as this was a new-to-us 17-year-old complex machine, and a couple of minor things didn’t work right. And the trip was a bit of a dash. I would have preferred to do the trip in two weeks instead of one, and take the time to see some of the sights.

Still, we saw a ton of farmland, and from our vantage point realized again that America has vast agricultural resources that could feed the entire world. We live in the middle of farmland back home, so it was familiar to us, but there was so much of it to see along the little strip of land that was our journey’s path.

The entire trip – flying to Boston and driving back home, was nearly two weeks. It’s the longest stretch of vacation away from work I’ve had in decades. Unplugging from work was hugely valuable to me. As a type-A, I need to take more breaks, and am grateful for the opportunity to have done so.

My LinkedIn Connection Management Strategy

Spoiler: the mute connection feature is the most effective tool to improve your feed.

In the eighteen years since joining LinkedIn, I’ve adapted my connection management strategy. For the first 10-12 years, I would accept connection requests only from people I actually knew and, often, met once or more in person or by phone. That approach served me well.

In recent years, I shifted this slightly. Today, if an incoming connection is well known to one of my trusted connections, I’ll accept the request. Otherwise, I often reject them. I will reject incoming requests based on other criteria that I will not reveal here.

I generally reject requests from vendors, particularly if their tagline or their invite implies that they see me as a business prospect. I already receive too many vendor communications, and I know how to find vendors if and when I need them.

For those who are already connected to me, I will retain them as a connection, unless:

  • They do an excessive number of posts, re-posts, or likes. If my feed starts to look like their feed, I’ll most likely mute the connection. They will remain a connection, but I’ll no longer see their posts, comments, or likes.
  • They are overly political. Whether I agree with them or not, I’m here in LinkedIn for business, not for politics or social issues. Connection muted.
  • They are overly non-business. LinkedIn is not Facebook. Connections whose posts look more like Facebook are immediately muted.
  • They post clickbait.
  • They post those ridiculous questions, such as: Click Like if your first programming language was C; click Celebrate if your first programming language was Pascal; click Support if your first programming language was Fortran; click Love if your first programming language was Java.
  • They are abusive. No further comments needed.

I have found that these practices result in a really clean feed with little or no politics, cat pictures, and so on.

One thing about the Mute Connection feature. To my knowledge, LinkedIn does not provide a list of muted connections, nor do they show that a connection has been muted. That means that being muted is kind of a LinkedIn death penalty. You can be muted, but you can never leave.

The Real Reasons for the Infosec Skills Shortage

I’ve been in technology for more years than I’ll publicly admit, and I’ve been full-time infosec for 23 years now. In the past ten years, it’s been hard to escape the rallying cry of the skills shortage: organizations take weeks, months, and longer to fill infosec positions.

I’m going to tell you now why, in many cases, this so-called skills shortage exists.

We’re lazy.

Yes, we are lazy. We don’t want to take the time to find a motivated tech worker with a solid foundation and the right personality and train them up on cybersecurity. Instead, we want only the finished product.

We all want unicorns.

Further, we want someone who has experience in all ten of the main preventive / detection / response tools we use. I think we’d have better luck on Power Ball.

We’re cheap.

If we are fortunate to find a candidate who checks all of the boxes, we probably can’t afford them. Unicorns are rare, and rare things are expensive.

There – I said it. Most of us fit into one or more of the above categories. Me included.

Modern Infosec is Older Than You

While researching a project I’m working on, I found an interesting publication, National Bureau of Standards Special Publication 500-19, Audit and Evaluation of Computer Security. This publication contains most of the principles found in modern infosec management and control frameworks today. Indeed, looking into the details, one finds discussions of static and dynamic evaluation of computer programs and numerous other familiar topics.

Here’s the punchline. This document was published in 1977. Forty-five years ago.

The next time someone complains to you about having to deal with these “new” cybersecurity standards and practices, you can remind them that these standards and practices are older than most living people in the world today.

Selected screenshots from the Table of Contents.

Source: U.S. National Institute of Standards and Technology legacy archive

The entire document is available from NIST here.

RTO Takes Some Adjusting

Chuck Nolan, after four years of WFH (source: Dreamworks Pictures)

Historically and collectively, the COVID-19 pandemic was one of the most impactful events in a generation. Entire industries were uprooted, resulting in significant shifts in how and where people live and work. The work-from-home (WFH) phenomenon was wrenching for some, welcome by others, and transformational for all. Workers and companies adjusted and continued to operate as best as they could, and WFH became the new normal for entire industries and professions.

Chuck Nolan readjusting to normal life (source: Dreamworks Pictures)

Return to the office (RTO) has been disruptive for companies and workers. Management in some organizations has insisted that personnel plan on working in offices part-time or full-time. We’ve seen the entire spectrum of compliance and non-compliance, and we’ve seen large organizations order a full- or part-time RTO and then backtrack when employees objected.

Workers are finding the transition from WFH to RTO nearly as disruptive in 2022 as WFH was in 2020. The routines established in WFH have become normal, routine, and comfortable. In many organizations, workers can choose whether to return to the office, continue to work from home, or adopt a hybrid arrangement.

WFH is probably here to stay. During the pandemic lockdown, many organizations began recruiting workers from wider geographic areas who live hundreds and even thousands of miles from workplaces. Organizations have discovered that they can compete for workers across larger areas. Workers have found that they can live almost anywhere and do their jobs effectively in full-time, permanent WFH arrangements.

It’s difficult to know whether a gradual shift back to in-office work will occur, or if work-from-home will be a permanent fixture in today’s workforce. Time will tell.

My Favorite Interview Question

I’ve hired dozens of analysts and engineers in my career, and have always enjoyed the interview process to get to know prospective team members. And I have been interviewed plenty of times myself, so I’m familiar with the pressure we’re under to be hyper-focused on interviewers’ questions and comments, what is said, what is not said, and body language. Being interviewed is a welcome challenge and an exhilarating experience – although terrifying at times.

image courtesy techpreview dot com

I have realized that, when being interviewed, my hyper-focus may not be revealing the real me. So when I interview candidates, I have a favorite question that I like to ask near the end of the interview. For instance, if the candidate’s name is Charles, I would ask,

“Charles, in this meeting, we’ve seen a lot of what I like to call ‘interview Charles,’ who is highly focused on the conversation and exerting a lot of mental energy to be sure the conversation goes well. What I’d like to know is this: how is everyday Charles different from interview Charles?”

Over the years, I’ve seen a wide range of responses. This question has stumped a few candidates, meaning they may lack self-awareness. Or, they might feel like I’m trying to pierce a sacred veil, to go beyond the persona on display to the real person beneath. But this is precisely the point: interviewees are often nervous, and nervousness shows itself in various ways: they talk too much, too little, or they guard what they may feel are personality flaws so that I see only the highly professional, analytical thinker.

In an interview, we strive to show only our best side. As a result, we verbally redact a great deal about our personality – the human side of us. But that human side is exactly who we want to find and know. After all, there is a real prospect of working with this person every day for perhaps many years. We want to be sure we know who we are hiring and whether we will like working with them.

It’s Turtles All the Way Down

A mythological explanation of the world states that the flat earth rests on the back of a giant turtle, which itself rests on the back of an even larger turtle. That turtle rests on a still larger turtle, and so on, forever.

Third-party risk management is like the epistemological stack of world turtles: each organization obtains goods and services from yet other organizations, and so on with no apparent end. All organizations are at least partly dependent upon others for goods or services essential for delivering goods or services to their customers.

So, where does it all end? Depending upon the industry and the criticality of individual goods or services, third party risk management generally vets critical vendors, and determines whether those vendors have effective third party risk management programs.

We’re all in this together.

— excerpt from an upcoming book on information security management

The Criticality of Business Alignment for Information Security Programs

The need for an organization’s information security program to be business-aligned cannot be overstated. The lack of business alignment could be considered a program’s greatest failing if not corrected.

For the most part.

It is critical for an information security program to be aligned in terms of support of the organization’s overall goals, and to utilize existing mechanisms such as corporate governance and policy enforcement. However, if and where there is dysfunction in the organization in terms of culture (for instance, a casual attitude or checkbox approach towards security or privacy), the program may position itself deliberately out of phase with the organization to alter the culture and bring it to a better place. In another example, rather than be satisfied with what may be low organizational maturity, security program leaders may influence process maturity by example through the enactment of higher maturity processes and procedures.

As change agents, security leaders need to thoughtfully understand where alignment is beneficial and where influence is essential.

— excerpt from an upcoming book on information security management

Peter H Gregory Publishes a Book To Guide Aspiring Tech Book Authors

Seattle, WA – April 26, 2022 – Author Peter H. Gregory has announced that his latest book, “The Art of Writing Technical Books,” has just been published. The book is available in paperback and electronic editions worldwide.

Peter H Gregory is a well-known author of tech books, including certification study guides for the world’s leading professional certifications in information security and privacy. He has authored over fifty books in the past twenty-three years, beginning with “Solaris Security.” He wrote this first book in 1998-1999 amid the dot-com boom when most servers on the Internet were powered by the Solaris operating system from Sun Microsystems and when internet security was just becoming a concern.

“I have wanted to write this book for many years,” says Gregory. “I have mentored numerous aspiring authors and helped many get published. But until now, I only could converse with them and answer their questions. Everything I’ve helped others with is captured in this book.”

Gregory has long been passionate about helping aspiring writers break into the publishing profession. He has been instrumental in helping several accomplished professionals publish books for major publishing houses, including Sarah Perrot and Matthew Webster.

About Peter H Gregory

Peter H Gregory is a career information security, privacy, and technology professional and a former executive advisor and virtual CISO. He is the author of over fifty books on information security and emerging technology. Visit him at peterhgregory.com.

For interviews with Peter H Gregory, please contact at: https://peterhgregory.wordpress.com/contact/

# # # 

You are free to disseminate this news story. We request that you reference Peter H Gregory and include our web address, www.peterhgregory.com

Just-In-Time is Failing Us

In past generations, families and businesses stocked up on essentials for that “rainy day” disruption, whatever it was. There was wisdom in that kind of thinking that was overrun in our generation.

Decades of peacetime, economic prosperity, the reliability of supply chains, and the lust for greater profits led to a “just in time” mentality and practice.  Instead of stocking up on essentials, we rely on a steady influx of supplies – whatever they are – because we have gotten used to the reliability of the supply chain.

An all-too-familiar sight

Just-in-time was driven by investors and accountants who found that organizations could eke out a bit more profit through not having unused inventory on the books. This is a trap we made for ourselves because we thought that nothing would ever go wrong.

Normalcy bias is what got us into this mess. And I do say “mess,” because it’s soon going to feel like one:

  • The global semiconductor shortage is bound to worsen, particularly when China attacks Taiwan, the source of most semiconductors in the world. This will result in short supplies and higher prices of everything with chips in them – worse than we are experiencing presently. We’re about to learn just how dependent we have become on information technology.
  • The shortage of truck drivers is precipitating the shortage of “everything else” – felt by consumers and businesses.  Every one of us has experienced this personally.
  • War and changes in domestic energy policy are driving the cost of everything higher.
  • There is an acute shortage of fertilizer in the world, due to rising natural gas prices. This means that there will be less food in this harvest year, resulting in food prices skyrocketing.

The resilient supply chains that took decades to build were taken down in years, and will take years to rebuild. But the shortage of everything will make even this a difficult task.

I believe we are about to experience shortages and price hikes like the world has not seen since World War II – but it’s likely to be worse than that, because supply chains are not just local, but global.

We are living in wartime – and this is going to change everything. Too few people, including those in charge, fully understand what this means.

CISSP For Dummies 7th edition Published

The latest edition of CISSP For Dummies, the 7th edition, is now available from Amazon, Barnes & Noble, Walmart, Target, and other booksellers.

Co-author Lawrence Miller and I completed this latest revision early in 2022. This revision covers the new CISSP Common Body of Knowledge that was updated in 2021. In addition to updates reflecting changes in the CBK, numerous other changes were made, reflecting advances and changes in cybersecurity practices, risks, threats, and regulations.

The publication of this 7th edition is a celebration of TWENTY YEARS of CISSP For Dummies. Larry and I wrote the first edition of CISSP For Dummies in 2002.

CISSP For Dummies is the only CISSP study guide approved by (ISC)2, the organization that manages the CISSP certification worldwide. This is a testimony to the quality and completeness that only CISSP For Dummies provides to security professionals who aspire to earn this prestigious certification.

Clément Dupuis

This announcement would be incomplete without a grateful shoutout to Clément Dupuis, founder of CCCure, the well-known training organization for technology professionals. Clément passed in 2021, but not before providing valuable research material to Larry and me as we created this edition of the book.

Groundhog Day, WFH, and Eye Contact

The COVID-19 pandemic and working from home for many office workers have wrung the variety out of our lives. Many of us have found ourselves in a Groundhog Day scenario (referring to the movie) where our workdays are a nearly-identical blur.

The variety of our days is mostly gone:

Our commute (from the bedroom to the kitchen to the home-office-or-whatever) is the same: we don’t drive different routes, we don’t make any stops, we don’t experience the weather, we don’t see any scenery, and we don’t see any interesting people or things.

Our workday is more regimented: we have rigid schedules, we don’t run into people in the hall, we don’t have those impromptu, unplanned conversations, and we don’t see each other at lunch.

In short, our work lives have become quite dull – the same routine every day, with little prospect for change.

Here’s an observation from eight years of WFH, particularly since 2020 when we were sent home to work remotely for God-knows-how-long: we no longer look at each other in the eye. This may seem like a small thing, but it feels important to me: eye contact is the most intimate body language in an office conversation, vital because it keeps us honest and connected. In videoconferencing, we can look into the eyes of someone we’re talking with, but when we do so, they see us looking up (or down, if the webcam is at the bottom of our screen). Or, if we concentrate on looking into the webcam and its tiny green dot, we are not looking into the eyes of the person we are speaking with, even if they think we are. You could argue that the use of a smartphone makes this a little easier, but still: we are looking at a video representation of the person, not at the actual person. The result: we are not connected with our co-workers as we should be. The quality of our connected relationships suffers, as if we’re all holding back a little bit.

I don’t have the answers – I’m not a sociologist but a technologist. My observations are as a layperson who instinctively feels like something important is missing in our work-from-home, long-distance work relationships.

I’m going skiing today with my kids. This time of year, I relish the every-other-Friday mental health break of connecting with people and getting outside.

Ralph Pratt, My Career-Changing Mentor

My first professional job was in the M.I.S. (Management Information Systems – what they used to call IT) department at Washoe County, Nevada. I had a variety of responsibilities, including mainframe computer operations, backup tape librarian, programmer, and creator of training materials. I had developed software to track the hundreds of 9” magtape reels in the backup tape library in a language called MAPPER.

MAPPER was a bit like Excel and a bit like MS-Access. One could develop a variety of “lists” and even mimic some of the characteristics of a relational database management system. Also, various input forms, query forms, and reports could be developed. I maintained some MAPPER-based applications and wrote the tape library system to track the inventory of backup tapes, some of which were on long-term retention, as long as seven years.

I was one of the first MAPPER programmers at Washoe County, and was asked to teach a course on MAPPER programming to the other programmers in the department (about ten in all). The course was a two-day, all-day course in the M.I.S. training room. I took the programmers through all of the basics, and had them develop their own little application to get some hands-on practice. Two such courses were completed, and they went pretty well.

My boss’s boss, Ralph Pratt, was the operations manager at Washoe County M.I.S. Being in my mid-twenties, I considered him an old, crusty dude who was grumpy most of the time, and I considered him mostly unapproachable. I was not much of a relationship builder in those days. Anyway, Ralph called me into his office one day. He told me that he would like me to teach a modified version of the MAPPER course to the Washoe County Commissioners, the elected officials who oversee all county operations. The prospect of teaching this course to the commissioners was exciting and terrifying to me.

Ralph asked me to shut the door to his office. He told me that we would practice what it would be like to teach the course to the commissioners, who were all very non-technical. This was the time before the IBM PC, so the commissioners had little keyboard experience.

Ralph instructed me to begin the first course segment in his office in a role-playing exercise. I began to speak, and in my first or second sentence, Ralph barked, “Stop. You used a technical term – they won’t understand it. Start over.”

I started again, got a bit further, and then, “Stop.” Same reason.

Again.

“Stop.”

We discussed for a moment. Leave all technical terms behind, Ralph told me.

I tried again and got a bit further.

Ralph stopped me half a dozen times or more. Our session lasted thirty or forty minutes.

In retrospect, this was the most valuable thirty minutes of my entire career.

This was the beginning of what I now call being “bilingual,” in an unconventional sense. When I use the term “bilingual,” I’m referring to the ability to speak to technologists in technical terms, and to speak to businesspeople in non-technical terms. Over many years, I would hone this skill in training and public speaking events, eventually writing numerous books on technology. I needed to explain complex technical concepts in easily-understood terms. I’ve gained the reputation of doing this well.

It all goes back to Ralph Pratt. Thanks, Ralph, and may you rest in peace.

Denial of Service (DoS) Attacks Need Not Be High Volume To Be Effective

In the cybersecurity industry, there is a mistaken notion that a denial of service (DoS) attack only consists of flooding a target system to render it unavailable for legitimate uses. And while this indeed describes a DoS attack, there are other forms.

There is DoS’s big brother, distributed denial of service (DDoS), in which a large number of systems flood a target system to completely overwhelm it. But on the other end of the scale, a DoS attack can also consist of a single packet, which can be considerably more difficult to detect.

Let’s look at some examples of single-packet (or single-file) DoS attacks, both new and old:

  • Ping of death (CVE-2013-3183). A malformed ping: an ICMP echo request whose fragments reassemble to more than 65,535 bytes, the maximum size of an IP datagram. The reassembly overflows a buffer on the receiver and crashes the target system.
  • Zip bomb (CVE-2019-9674 and others). A specially formed ZIP archive that expands to exhaust the disk, memory, or CPU of whatever unpacks it. The well-known 42.zip file, about 42 kilobytes on disk, expands to 4.5 petabytes of uncompressed data.
  • WinNuke (CVE-1999-0153). This attack on older versions of Windows sends a TCP segment with the URG flag and urgent pointer set (“out-of-band” data) to TCP port 139, the NetBIOS session service, causing the target to crash.
  • LAND (CVE-1999-0016). This attack sends a spoofed TCP SYN packet with the target host’s IP address (and port) as both source and destination. This causes the machine to reply to itself continuously and lock up.
  • Regular expression denial of service (ReDoS) (CVE-2021-23490, CVE-2021-45470, and others). This attacks an application that evaluates a vulnerable regular expression by supplying input (or, where the application accepts one, a pattern) that triggers catastrophic backtracking, so a single request ties up a CPU core for seconds or longer.

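As an added example that is not part of the original post, here is a small classifier for three of the signatures above, run over packets constructed with struct rather than captured traffic (checksums are left at zero, which a real capture would not do). The LAND and WinNuke checks look only at IP and TCP header fields. The ping-of-death check flags any fragment whose data would end beyond the 65,535-byte IPv4 maximum once reassembled, which is the actual condition rather than a particular byte count, so it generalizes beyond ICMP to any oversized reassembly. The IP addresses come from the documentation ranges.

```python
"""Signature checks for three single-packet DoS attacks (LAND, WinNuke,
ping of death). Added example, not code from the original post; the packets
are constructed with struct for the example and carry zero checksums."""
import ipaddress
import struct

IPV4_MAX_LEN = 65535      # total-length field is 16 bits
PROTO_ICMP, PROTO_TCP = 1, 6
TCP_SYN, TCP_PSH, TCP_ACK, TCP_URG = 0x02, 0x08, 0x10, 0x20
NETBIOS_SESSION_PORT = 139


def parse_ipv4(packet: bytes) -> dict:
    """Fields of the IPv4 header plus the payload it frames."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, flags_frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(packet) < total_len:
        raise ValueError("malformed IPv4 header")
    return {
        "ihl": ihl,
        "total_len": total_len,
        "more_fragments": bool(flags_frag & 0x2000),
        "frag_offset": (flags_frag & 0x1FFF) * 8,   # fragment offset is in 8-byte units
        "proto": proto,
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "payload": packet[ihl:total_len],
    }


def parse_tcp(segment: bytes) -> dict:
    """Ports, flags and urgent pointer from the fixed TCP header."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, _seq, _ack, off_flags, _win, _csum, urg_ptr = \
        struct.unpack("!HHIIHHHH", segment[:20])
    return {"sport": sport, "dport": dport, "flags": off_flags & 0x01FF, "urg_ptr": urg_ptr}


def classify(packet: bytes) -> list:
    """Names of the single-packet DoS signatures this packet matches."""
    hits = []
    ip = parse_ipv4(packet)
    # Ping of death: this fragment's data would end past the 65,535-byte IPv4 limit
    # once reassembled, overflowing the receiver's reassembly buffer.
    reassembled_len = ip["ihl"] + ip["frag_offset"] + len(ip["payload"])
    if reassembled_len > IPV4_MAX_LEN:
        hits.append("ping-of-death")
    if ip["proto"] == PROTO_TCP and ip["frag_offset"] == 0:
        tcp = parse_tcp(ip["payload"])
        # LAND: SYN with source == destination address and port, so the victim talks to itself
        if tcp["flags"] & TCP_SYN and ip["src"] == ip["dst"] and tcp["sport"] == tcp["dport"]:
            hits.append("land")
        # WinNuke: "out-of-band" (URG) data aimed at the NetBIOS session service
        if tcp["dport"] == NETBIOS_SESSION_PORT and tcp["flags"] & TCP_URG and tcp["urg_ptr"]:
            hits.append("winnuke")
    return hits


# --- constructed packets for the example (not captured traffic) ---

def build_ipv4(src, dst, proto, payload, frag_offset=0, more_fragments=False) -> bytes:
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset // 8)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, flags_frag,
                         64, proto, 0, ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + payload


def build_tcp(sport, dport, flags, urg_ptr=0, data=b"") -> bytes:
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 8192, 0, urg_ptr) + data


SAMPLES = {
    "normal-syn": build_ipv4("192.0.2.10", "198.51.100.5", PROTO_TCP, build_tcp(40000, 80, TCP_SYN)),
    "land": build_ipv4("198.51.100.5", "198.51.100.5", PROTO_TCP, build_tcp(139, 139, TCP_SYN)),
    "winnuke": build_ipv4("192.0.2.10", "198.51.100.5", PROTO_TCP,
                          build_tcp(40000, 139, TCP_URG | TCP_PSH | TCP_ACK, urg_ptr=1, data=b"\x00")),
    # last fragment of an ICMP echo: offset 65,512 plus 32 bytes of data already exceeds the limit
    "ping-of-death": build_ipv4("192.0.2.10", "198.51.100.5", PROTO_ICMP,
                                b"\x08\x00" + b"\x00" * 30, frag_offset=65512),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:14s} -> {classify(pkt) or 'no signature'}")
```

The point of the ping-of-death check is that the dangerous fragment is small on the wire; only its offset reveals the problem, which is why a volume-based view of DoS misses it.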
Refer to these sources if you are not familiar with Denial of Service:

https://www.paloaltonetworks.com/cyberpedia/what-is-a-denial-of-service-attack-dos

https://www.rapid7.com/fundamentals/denial-of-service-attacks/

https://datatracker.ietf.org/doc/html/rfc4732

Articles Catalog Published

I’ve recently cataloged many of the articles I’ve written over the past twenty years and posted them on a new static page on my website, entitled Articles. I’ve managed to preserve most of them by creating PDFs. A few of them seem to be gone forever, although I haven’t given up entirely.

My articles appear in periodicals, including Computerworld, Software Magazine, SearchSecurity, InformIT, Information Security Magazine, Optiv Security, and BankInfoSecurity.

Separate pages on my website catalog interviews and speaking engagements.