Category Archives: threats

What I Was Doing On 9/11/2001

In 2001, I was the security strategist for a national wireless telecommunications company. I usually awoke early to read the news online, and on September 11 I was in my home office shortly after 5:00am Pacific Time.  I was perusing corporate e-mail and browsing the news, when I saw a story of a plane crashing into a building in New York.

I had a television in the home office, and I reached over to turn it on. I tuned to CNN and watched as smoke poured from one of the two towers in the background, as two commentators droned on about what this could be about. While watching this I saw the second airliner emerge from the background and crash into the second tower.

Like many, I thought I was watching a video loop of the first crash, but soon realized I was watching live TV.

I e-mailed and IM’d members of our national security team to get them aware of these developments. Before 6am Pacific time, we had our national emergency conference bridge up and running (and it would stay on all day). Very soon we understood the gravity of the situation, and wondered what would happen next.  We were a nation under attack and needed to take steps to protect our business.  Within minutes we had initiated a nationwide lockdown (I cannot divulge details on what that means), and over the next several hours we took more steps to protect the company.

——–

Since being a teen-ager I had a particular interest in World War Two. My father was a bombardier instructor, and his business partner and best friend was a highly decorated air ace.

——–

We are under attack and we are at war, I thought to myself early that morning, and while I don’t remember specifics about our national conference bridge, I’m certain that I or someone else on the bridge said as much.  Like the sneak attack on Pearl Harbor on December 7, 1941, we all believed that the 9/11 attacks could have been the opening salvos of a much larger plan. Thankfully that was not the case. But in the moment, there was no way to know for sure.

For many days, I and probably a lot of Americans expected more things to happen. The fact that they didn’t was both a surprise and a relief.

Don’t let it happen to you

This is a time of year when we reflect on our personal and professional lives, and think about the coming years and what we want to accomplish. I’ve been thinking about this over the past couple of days… yesterday, an important news story about the 2013 Target security breach was published. The article states that Judge Paul A. Magnuson of the Minnesota District Court has ruled that Target was negligent in the massive 2013 holiday shopping season data breach. As such, banks and other financial institutions can pursue compensation via class-action lawsuits. Judge Magnuson said, “Although the third-party hackers’ activities caused harm, Target played a key role in allowing the harm to occur.” I have provided a link to the article at the end of this message.

Clearly, this is really bad news for Target. This legal ruling may have a chilling effect on other merchant and retail organizations.

I don’t want you to experience what Target is going through. I changed jobs at the beginning of 2014 to help as many organizations as possible avoid major breaches that could cause irreparable damage. If you have a security supplier and service provider that is helping you, great. If you fear that your organization may be in the news someday because you know your security is deficient (or you just don’t know), we can help in many ways.

I hope you have a joyous holiday season, and that you start 2015 without living in fear.

http://www.infosecurity-magazine.com/news/target-ruled-negligent-in-holiday/

Why there will always be security breaches

At the time of this writing, the Target breach is in the news, and the magnitude of the Target breach has jumped from 40 million to as high as 110 million.

More recently, we’re now hearing about a breach of Neiman Marcus.

Of course, another retailer will be the next victim.  It is not so important to know who that will be, but why.

Retailers are like herds of gazelles on the African plain, and cybercriminals are the lions who devour them.

As lions stalk their prey, sometimes they choose their victim early and target them. At other times, lions run into the herd and find a target of opportunity: one that is a little slower than the rest, or one that makes a mistake and becomes more vulnerable. The slow, sick ones are easy targets, but the healthy, fatter ones are more rewarding targets.

As long as their are lions and gazelles, there will always be victims.

As long as there are retailers that store, process, or transmit valuable data, there will always be cybercriminals that attempt to steal that data.

LinkedIn’s “Intro” So Toxic It Could Dramatically Change BYOD

LinkedIn’s new “Intro” iOS app directs all e-mail sent or received on an iOS device through LinkedIn’s servers.

Yes, you’ve got that right.

Even so-called “secure” e-mail.

Even corporate e-mail.

Has LinkedIn been acquired by the NSA?  Sorry, bad joke, poor taste – but I couldn’t resist. It crossed my mind.

BYOD implications

So what’s this to do with BYOD?

Many organizations are still sitting on the sidelines with regards to BYOD. They are passively permitting their employees to use iOS devices (and Androids, Windows phones too) to send and receive corporate e-mail, mostly on unmanaged, personally owned devices. This means that organizations that presently permit their employees to send and receive e-mail using personally owned iOS devices are at risk of all of that e-mail to be read (and retained) by LinkedIn, by every employee that downloads and installs the LinkedIn “Intro” app.

LinkedIn talks about this as “doing the impossible.”  I’d prefer to call it “doing the unthinkable.”

Organizations without MDM (mobile device management) are powerless in preventing this, for the most part.

Every cloud has a silver lining.

This move by LinkedIn may finally get a lot of organizations off the fence in terms of BYOD, but employees might not be happy.  Organizations’ legal departments are going to be having aneurisms right and left when they learn about this, and they may insist that corporate IT establish immediate control over personally owned mobile devices to block the LinkedIn Intro app.

Corporate legal departments usually get their way on important legal matters. This is one of those situations. When Legal realizes that LinkedIn Intro could destroy attorney-client privilege, Legal may march straight to the CIO and demand immediate cessation. That is, once you peel the Legal team off the ceiling.

Nothing like a crisis and reckless abandon by a formerly trusted service provider to get people moving.

This article does a good job of explaining the evils of LinkedIn Intro.

My respect for LinkedIn could not be at a lower point if they publicly admitted that they were sending your content to the government.

Invisible Adversaries

“On the Internet, adversaries can’t be seen. Everyone knows they’re out there because the airwaves are full of news about new breaches and break-ins. There are adversaries and victims, but connecting the dots in between is often difficult. Adversaries are willing to take great risks because catching them, or even knowing who they are, is difficult.”

— excerpt from an upcoming book on zero-day threats

Writing more about zero-day threats

I completed a book recently (a custom pub for a private company) on advanced persistent threats, and today I’m writing another book on stopping zero-day threats using new technology that is becoming well known.

Timely stuff – I’m dealing with these topics at my day job as well. Isn’t just about everyone in the data security field?  Sure.

I have published about 34 books in 15 years. After that many books I have a pretty good system for organizing my writing, and my approach to writing a book.  Today I’m diverging from one of those habits.

I usually write the introduction last, after I’ve written the rest of the book. Today I’m writing the introduction first. Today apparently I’m thinking top-down instead of bottom-up. There are any number of reasons for this, and I’m not going to try and figure it out.  Once the words start coming out, I’m not going to examine the reason for it – instead I’m just going to let my fingers do the typing and be grateful I’m not in a fit of writer’s block – the creativity drought that new writers fear, and experienced writers are familiar with.

Well, back to work.  The words are still coming.  This book should be out in about 4-6 weeks.

Prism, XKeyscore, and International Business

Disclaimer: I do not, nor ever had, any level of secret clearance for any government. I have no connections to Snowden, the NSA, or any person or organization linked to them.

From 2006 through 2012, I was the information security officer for a global financial services company, selling subscription based services to the largest companies in the world in every industry sector.  Understandably, many of the larger corporate customers expressed a lot of concern over the confidentiality of their financial data when stored in our systems. Despite having numerous external audits and penetration tests (with reports available to these customers), many of the larger customers won additional concessions in the form of additional security controls, in exchange for their business.

The U.S. PATRIOT Act was a tremendous stumbling block for many potential non-U.S. customers. They were concerned about the ability for law enforcement to serve secret subpoenas and obtain business records without their knowledge or consent.  Our only argument was that we were not the source for original data, and that federal law enforcement would more likely go after original records, such as banking and telecommunications. Still, many non-U.S. companies elected not to do business with our U.S. based company because of PATRIOT.

Revelations of Prism and XKeyscore represent U.S. law enforcement and spy agencies taking a gigantic leap beyond PATRIOT. With PATRIOT (as I understand it — my former employer was never, to my knowledge, served with a National Security Letter), a judge was required to sign or approve the national security letter on behalf of the federal law enforcement agency that wished to obtain information.  But with Prism and XKeyscore, U.S. federal law enforcement and other agencies have unilaterally obtained – and apparently continuously obtain – many forms of electronic records, without the consent of anyone.

Prism and XKeyscore, in my belief, will prove to be extremely harmful to U.S. based electronic services providers at every level: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS), and virtually all other forms of electronic services that store, transmit, or process electronic information.  With PATRIOT, the mere prospect of law enforcement obtaining information in special, limited circumstances was enough to scare away many potential customers. With XKeyScore and Prism, law enforcement continuously obtains much of this same information.  Thus, the probability of law enforcement (and other agencies) obtaining sensitive information increases from longshot to near absolute certainty.

This has got to be bad for U.S. based businesses in nearly every sector that provides services to customers worldwide.

————-

Aug 5 update: headline article in Puget Sound Business Journal echos my sentiments. http://www.bizjournals.com/seattle/news/news-wire/2013/08/05/nsa-revelations-could-cost-us-lead.html