The Nation-State Cybercrime Problem

I’m an older American guy, and I grew up in the world of the Cold War where every enemy on TV or in the movies was a Russian. We had movies like “Red Dawn,” “FireFox,” “The Hunt for Red October” and many more. Then, the world changed and the Cold War era ended as we knew it. The question is, did the war ever actually end, or did it just evolve?

There is no doubt that the world has changed and evolved in many ways since those days when we all feared physical attack from the enemy. An important evolution in the warfare we remember is the shift to virtual attacks. These attacks cost the U.S. billions of dollars in financial losses and many more billions in defensive costs each year. We’re losing our digital Information almost as fast as we generate it, and this will impact us throughout our lifetimes. It used to be much more difficult for an adversary to gain information about a person in any usable intelligence format. It involved significant manpower to follow, track and otherwise monitor an individual. In the modern world, this has become so much simpler, as we continue to grow our digital footprint every day. The days of thick manila envelopes full of papers, traditional dossiers on people or stealthy microfilm cameras whisking away our information are gone. Now, it is all a bunch of ones and zeros in easily searched databases.  

Sadly, threats don’t stop with simple information theft. Cybercrime in the forms of business email compromise scams and ransomware are making huge amounts of money every year. While many of the gangs that partake in these attacks are independent, many also have an association with nation-states. Sometimes the association is loose, and sometimes the attackers may actually be part of the offensive forces of that nation state. In the past decade, we have seen several groups tied to nation-states unmasked and charged with crimes. Rarely, if ever, will this result in actual arrests, however it does send a message that they have been caught and are known. 

One example of this is when the U.S. charged 5 Chinese state actors with hacking in 2014. These five hackers from Unit 61398 of the Third Department of the Chinese People’s Liberation Army (PLA) were charged with numerous crimes and are said to have targeted America’s nuclear power, metals and solar products industries with the intent to steal trade secrets and intellectual property that would be valuable to China. In other words, China used its military cyber capabilities for economic gain.

In the latest example, six Russian Main Intelligence Directorate (GRU) soldiers have been charged with hacking and other cybercrime offenses allegedly linked to almost a billion dollars in losses through ransomware attacks and ploys to disrupt the 2017 French elections and the 2018 Winter Olympic Games. These six Russian soldiers are said to be responsible for some of the most devastating ransomware attacks we have seen, including the NotPetya ransomware variant, which was not really ransomware at all, as it lacked the ability to decrypt its victims’ files, but was in fact a destructive tool.

Given Vladimir Putin’s rise to power from the KGB, it is no surprise that Russia has developed some highly advanced cyber warfare and espionage capabilities. China and Russia are not alone, however. Iran and North Korea are also known to have skilled teams of state-sponsored or trained groups that are focused on stealing money or information and disrupting the economies and activities of other countries.  

The lesson behind all of this is that there is a war going on, but it is not the kind of visible war we are used to. Many day-to-day citizens likely have no idea about the capabilities of these groups or the damage their efforts have caused. As security professionals, we have an obligation to be aware of these dangers and to educate people, especially those in leadership roles within organizations, but we must do this without sounding like we support the idea of tinfoil hats. Stories like those mentioned here, where the U.S. government has charged foreign countries with this sort of criminal activity, are a way to introduce others, through credible sources, to the idea that these battles are taking place. From there, we educate people about the mechanisms of these attacks, especially phishing and social engineering attacks that target people and seem to work extremely well. This helps us build our case for the protections needed within our organizations and underscores the severity of the challenges we face.

Who knows, maybe if we continue to bring light to the subject, we will get that sequel to the FireFox movie after all. 

Staying Calm in This Storm

During this time of instability and change, a lesson that I learned many years ago keeps coming to mind over and over again. This lesson is all about staying calm when things heat up around us, and the power that remaining calm in stressful situations can bring.

I’m not going to lie, my natural instincts are very reactionary. I used to spend a lot of time in System 1 thinking mode, in other words, automatic and reactionary. I am not afraid to argue opinions with people or to speak out on issues, however I have learned that I tend to get much better results by taking a deep breath and moving to System 2 thinking.

This lesson really cemented itself in my head many years ago when I worked for the US Army. I was in a meeting that none of us wanted to be in, and I had news nobody wanted to hear to deliver to some very senior people. The table was reserved for the big wigs. I sat in the ring of chairs lining the walls, not at the table, and like the “red shirts” of Star Trek lore, I was waiting to be sacrificed to the lions at the table. When I was called upon, I shared the news with the group. As expected, it was like a bomb went off. People at the table were on their feet yelling and pointing at each other. I kept trying to clarify, but it was going south fast. I felt like a rabbit being eyed by a coyote. That’s when my colleague nudged me and whispered to me, “Stop talking”.

I did.

In a few seconds, people stopped looking at me, I stopped feeling terrified, and I was able to really listen to the arguments they were having between each other. From that I was able to figure out what they were really upset about and, after they quit throwing chairs at each other WWE style and calmed back down, I was able to address the issues that were at the core of the concerns. Not everyone was happy, but breaking the chain of system 1 thinking by simply following the advice to “stop talking” made all the difference in how things proceeded from there.

I have never forgotten that meeting or the impact that taking a breath and removing myself emotionally from the chaos had on the outcome. We find ourselves in chaos fairly often without even realizing it and if we aren’t careful, our thinking patterns default to instinctual actions. It’s far better if we train ourselves to recognize this shift, take a breath and apply some critical thinking to the issues facing us.

During this time of chaos, let’s try to slow down a little and breathe. Most of us are feeling the stress this new, if temporary, life is causing us, but before you clean out your 401K or spend $150 on a pack of toilet paper, take that breath and see if it is really the right move or if it is just a reaction.

Finally, let’s be kind. That person who is very upset at the supermarket, we don’t know what they are going through or have just gone through. Let’s try to remain calm and understanding as we all get through this together.

A Trip to the ER and Still Waiting for C-19 Results

OK, while I wait for my C-19 test results, Uncle Erich has some time to tell more of the story this morning. My brain is lifting from some of the fog, but I’m still feeling a bit ornery and sarcastic, so be ready for some of that. Honestly, there isn’t much funny in this update, but it might be interesting to see how things are going right now if you need medical help. TLDR: it’s a bit confused.

When I last left the story, I had been nasally assaulted with an insanely long swab that took some samples of what felt like brain tissue and that was sent away for C-19 testing. That happened Tuesday, I’m writing this on Friday and don’t have results yet. I know it takes time, but I’m currently self-isolated from the fam and pets until I hear back.

The “Incident”

So, anyway, let me tell you about Wednesday. I can summarize by saying this, “It sucked”. I’ll tell you why. 

I have sleep apnea and have for many years. That means I use a CPAP machine to keep me breathing at night. Well, Wednesday morning I woke up gasping for breath. I yanked my mask away from my face, was able to breathe, so I restarted the CPAP. My brain was a fuzzy mess, don’t judge what we do in that 1/2 awake time, MKAY?

Fast forward some amount of time, I have no idea how long, and I woke up again, this time tearing the mask off my face gasping, but I still couldn’t really get a breath. I couldn’t speak, but if I slowed my breathing, I could get some air. I cranked the shower to “Burn your bum off” hot and let the steam relax my chest. It helped.

Having not died, I was happy-ish. It was about this time my wife, who had been sleeping in the living room (I am quarantined to our bedroom/bathroom right now) yelled in and asked me if I was OK. I was honest, and told her I wasn’t and that we should go to the hospital.

Now, I will tell you that the steam helped a lot, so we didn’t do the ambulance route and instead drove to the VA hospital (I’m a disabled vet). We arrived about 3am. I’m not going to lie, I was pretty shaken up. I’ve never felt unable to breathe like that, even through some anaphylactic episodes in the past. I couldn’t cough anything out; it wasn’t like there was just crap in my chest, I just couldn’t breathe. I would have to guess this is what asthma is like. It sucked.

Arriving at the VA hospital, I had my wife go in and let them know that I was awaiting COVID test results while I waited in the car. This was to give them a heads up, and it worked out well. They directed us to the ambulance entrance and moved me in, avoiding the waiting room, and into an isolation room. I was surprised, but they did let my amazing wife in the room with me. My breathing was still a bit rough, but I was doing much better. I will say that most of the rooms in the VA ER were empty, which surprised me.

From here, the med folks suited up into positive airflow contraptions and proceeded to treat me. It was interesting here because it was fairly obvious that I was one of, if not the, first people with possible C-19 infection they were treating for something like this. It was made obvious as they were trying to figure out how to do things like take a chest X-Ray without infecting the X-Ray lab or the mobile equipment. In the end, they rolled a mobile machine into the room, but then had to do a full disinfecting when they rolled it back out.

There were a number of other little things too that they were having to deal with, such as making sure the door was closed completely each time they left and how to deal with the waste products from the needle sticks, etc. 

In the end, we did some flu tests (more huge swabs in my noggin) and strep, both came back negative. They pumped me up with some steroids (pun intended) and about 7am they let me go home with a note that if I started coughing up green crap, to let them or my PCP know and get some antibiotics started.

On a side note, they had me exit via the ambulance bay as I had come in and had my wife go to the pharmacy to pick up the meds they sent home with me. Well, she got me to the car, then when we went to enter the building, the security folks almost wouldn’t let her in to get my meds because she had been near someone that was undergoing testing. They finally relented when she explained that she had just come from the ER. This was another catch-22 that would have to be worked out. Hard to tell someone they had to pick up meds from the pharmacy, then not let them in to get them.

Now things are getting fun

So, fast forward to Thursday morning, when I started coughing up green crap. I woke with my head stuffy and chest congested (but I could breathe at least) and again the wonders of steam in the shower helped.

It is now Friday and I am still no closer to getting antibiotics and my chest/head stuff is getting worse. I called my PCP, left a message, got a call back and told the receptionist what was going on. She relayed the message to the Nurse Practitioner and called me back saying the NP wouldn’t give me an antibiotic since she had not seen me but offered to have me come on Monday (in 4 days) if I wanted to see them. That whole process of calling, getting called back, relaying messages and calling back again, took about 3.6 hours with no result.

Try number 2 was recontacting the VA. I called the number for the hospital and surprisingly got through to a nurse in less than 30 minutes or so. I recalled the story, told her what the doc had said about green stuff and the next steps. She took the information, said she would relay it and get back to me.

That was yesterday afternoon. Nothing from them yet, although this morning the chest and sinus crap is worse than ever. My chest is really starting to get very sore and I am still no closer to antibiotics.

I have now tried Teladoc again and I am about 1 hour and 15 minutes into being on hold in the “waiting room”. Here’s to hoping I can get somewhere with the antibiotics soon.

I’ll keep you updated.

WFH and COVID-19 Testing. What a week so far

So a couple of nights ago, I was feeling pretty crappy, upper respiratory stuff moving from my head to my chest like the shot in the famous “Irish car bomb” drink. I tried to call the Teladoc service, but waited on hold for about an hour and a half before I gave up and just went to bed.  

Why did I decide to call? Well if you know me, you know I travel. I travel a lot. My 2nd car is a 737. In the last few weeks I’ve been to conferences in Washington DC, San Diego, Austin, TX, and other places as well, but the big kicker was RSA in San Fran where 2 people in the booth across from us tested positive. Fan-freaking-tastic, right!

My 2nd car… (Image from https://www.cnet.com/news/boeing-737-much-more-than-just-the-max/)

The fact that I had upper respiratory garbage going on, along with all of the travel, has made me a little touchy about my symptoms. Now, I’ll be honest, I had pretty much all of the symptoms, except the fever. I want to be clear, I didn’t really think I have the C-19 virus running around in me, but the travel has me on edge.

So, back to the story. I woke up Tuesday morning feeling worse; symptoms were one heck of a headache, a head that felt like it was stuffed with about 10lbs too much stuff, and a tight chest with congestion (but still no fever to be seen). What a great way to start the morning.

I went ahead and put a call into my primary doc and after an hour or so I got a call back. I explained the symptoms to the nurse and she said she would check with the doctor. Another hour later the doctor called back and said it’s time to get tested.

I called the local Emergency care place, gave them my symptoms and the fact I have had possible contact with someone. They said pack it up and bring it in. I was told that testing was being done in front of the urgent care in a tent as I understand it. Oh joy. At least they aren’t talking rectal temperatures out there in the parking lot (well, that was the hope for sure).

Even though I honestly don’t think I have it, at this point, my anxiety level peaked just with the thought of getting tested for it. This started throwing a whole bunch of what ifs in my head.

Like, what if we really don’t have enough toilet paper? What if Taco Bell is the only option for fast food in the near future (shout out to you Demolition Man), and I still don’t have extra toilet paper? This could be catastrophic. Fear is starting to cloud my vision, along with a strong desire for a Mexican pizza (with extra napkins). It’s at this time that I am really wishing Demolition Man had explained the 3 seashells. I mean it honestly makes sense if all future restaurants are Taco Bell, there would be no trees left, but I digress.

So, I eventually packed my butt in the car (now known as the disease-mobile) and headed to the testing center. When I got there, the tent was being packed away, but there was a table set up outside with some nurses. They had me fill out a questionnaire asking about key reasons for testing, reviewed it and brought me inside to the testing area (Some call it the main waiting room).

It was at this time that a very kind nurse pulled out a swab roughly the size of a toilet brush and proceeded to stuff it up my nose until it pretty much hit my brain. At least she apologized during the non-op frontal lobotomy, but hey…

I was told that testing would take 3-5 days as they still had to ship the samples to California, and I was given a lovely paper on how I was not allowed around anyone, not even my pets. Great, I thought, that sample goes right back to the state that likely got me into this mess. Oh well. I headed back to the disease-mobile and proceeded to drive myself home once my eyes uncrossed from the swabbing.

I have now self-isolated and taken over our bedroom and bathroom. My wife and pets have moved out of the room and left me to languish with only my 32″ TV, streaming services, computers, phone and hand-delivered meals to keep me company. First world problems, right? As an introvert though, I have trained for this my whole life, so I think I will be OK.

I will continue with future updates very soon.

VISA Warning of Malware on Gas Pumps

https://www.zdnet.com/article/visa-warns-of-pos-malware-incidents-at-gas-pumps-across-north-america/?ftag=TRE-03-10aaa6b&bhid=85266577


This is tough to combat since it’s not a skimmer, but malware. I’ve seen some local places deploying chip technology on the pumps, but many still just use the mag stripe.

If it asks you to leave the card in the slot during authorization, at least it’s using the chip.

Other tips to consider when paying at the pump:

  • Use pumps closest to the cashier and front doors. Bad guys don’t like to work where good guys have visibility, so skimmers tend to be at far-away pumps
  • Use credit cards over debit cards if in doubt. It’s easier to deal with a compromised credit card than having your bank account emptied
  • When in doubt, pay inside 


Facebook Video Scam – “I Uploaded pictures of….”

This is not the first of its kind I’ve seen, but they follow the same basic script. I think it’s interesting that they use an existing, obviously compromised account (this one was established in 2007) to post in closed FB groups. 

They are smart enough to leave the single comment with a deceptive icon (YouTube in this case), then turn off commenting so it can’t be shouted down by other members of the group. It pretty much becomes up to the group admin to kill the post, but that might take a while.

The TinyURL link takes you to a link at yolasite.com where it appears to run Adobe Flash, however we are still looking at what exploit or payload it’s trying to push.

These same types of scams are often used to prompt people to install a “codec” (Software to view a type of video) in order to view the video, but it’s actually malware. Big surprise there, right? 

Just keep an eye open for these types of scams as they are getting more and more common.

Secure and Portable, is the SecureUSB KP the Ticket?

Have you ever found yourself in need of a way to keep some files or data secure while still needing them to be portable? In today’s modern world these two requirements seem to go hand-in-hand more often. Given the damage done to organizations and individuals through data breaches caused by misplaced or stolen data, it’s no wonder that an entire market of secure, easy to use and portable storage devices is developing and growing.

Perhaps, if these devices had been available at the time, my personal data would not have been lost by the Veterans Administration (VA), saving them $20 million, and even more importantly, the unfortunate incident regarding Santa and the “Naughty List” could have been avoided, along with countless similar incidents. 

The Product

I travel, I mean, I travel a LOT. Part of my job is doing talks at security and IT conferences all across the US. When I travel, I carry potentially sensitive information with me, (Scans of my drivers license, passport, some passwords and service recovery passcodes, etc.) just in case I lose a wallet, get locked out of accounts, etc. My paranoid nature keeps me from carrying any of this unencrypted, and my travel schedule keeps me wanting to carry the lightest, smallest devices possible. This is why I chose smaller USB keys over the larger portable drives (which also require another cable to haul along). Your mileage may vary.

Up until now, I’ve been using a USB 2.0 version of the 16GB Ironkey Basic S1000 (<-Amazon.com link) USB drive but have found myself feeling tight on storage and a little limited by its implementation. While at the RSA conference this year, I ran across SECUREDATA, Inc., which had some devices that really sparked my interest. While they had a number of different products, I was immediately drawn to the SecureUSB KP (<-Amazon.com link), which I will refer to as “SecureUSB” from here on out. When they asked me if I would be willing to test it out for a month or so and give them my feedback, I accepted.

** For the record, while I received this as an evaluation drive, I am returning it to them when I’m done with it and they did not pay me to do this review. They simply asked for my feedback, good or bad.**

I have to say, there is something really sexy about the smooth lines and brushed aluminum finish of the Ironkey (Yes, I just called a USB Key “sexy”), but the SecureUSB is no slouch either, it’s just different. Visually the SecureUSB looks larger than the IronKey, but when set side by side, it’s not. I’ve actually done this more than once just because my eyes do trick me. I think it’s the difference between the uninterrupted case of the IronKey and the obvious PIN keys that are present on the SecureUSB; however, even with the cover on the SecureUSB it just looks bigger to me. Maybe it’s the black color as well.

My Testing

Let’s be clear, this review is about the usability or “experience” of using the drive and its value as compared to some other options; it is not an in-depth security or ruggedness review. For that reason I will not be security testing the FIPS 140-2 Compliant Design or IP 57 dust/water resistance claims. The focus of this review is how well the device works, especially when compared to some other options. The SecureUSB drives are available in several sizes including 8GB for about $79, 32GB for about $129 or 64GB versions for about $159.

Build Quality

The first thing I noticed is that the build quality of the drive feels pretty good. The drive is almost all black with a blue o-ring at its base and a blue and white logo painted or silkscreened (not just a sticker) on the cover.

On the front of the drive itself are the buttons which are a matte black with white numbers and letters. They feel like they are made from a rubber-like material, but not cheap. On the back end, there is an area where you could attach this to a keychain, lanyard or something similar. I find this is a nice touch so I don’t lose the device. Nearest the USB-A connector is a small semi-transparent window that houses the status LEDs.

The back of the drive has a QR code, serial number and other information that is again, either painted or silk screened on. It doesn’t feel cheap like stickers do.

The USB-A connector is really unremarkable and has the telltale blue insert that tells you that this is a USB 3 device.

Unlocking the Drive

To unlock the drive, you simply press the key button, then enter the PIN (default is 11223344) using the buttons and press the key button again within 10 seconds. Once unlocked, you have 30 seconds to plug it into a computer or it locks itself again. This process is pretty simple, but I did have to refer to the quickstart guide once when I forgot the process.

The drive does support a “User” PIN and a separate “Admin” PIN. These PINs must be 7-15 digits long, cannot be a single repeated digit (e.g. 11111111) and cannot be just a run of consecutive digits (e.g. 2345678).

To avoid brute-force attacks, if you mess up and enter the wrong PIN ten times in a row, regardless of how much time has passed, the encryption keys are deleted and the data is gone. This is true even if you set an “Admin” PIN, the files are gone, so be careful here.
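To make the PIN policy and the wipe behaviour concrete, here is an added Python model of what the review describes. It is not SECUREDATA’s firmware or code; it is an illustration written for this post. The rules it enforces are the ones quoted above (7-15 digits, no single repeated digit, no consecutive run, wipe after ten wrong PINs regardless of elapsed time, Admin PIN does not prevent the wipe). Two details are assumptions, labelled in the code: descending runs are rejected as well as ascending ones, and the failed-attempt counter is modelled as a plain integer that survives power cycles.

```python
"""Model of a PIN-protected hardware-encrypted drive.

Added illustration for this review, not the vendor's code. The behaviour
modelled is only what the review states; anything else is marked as an
assumption in the comments.
"""
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass, field

MIN_LEN, MAX_LEN = 7, 15          # PIN length range stated in the review
MAX_FAILED_ATTEMPTS = 10          # ten wrong PINs in a row destroys the keys
DEFAULT_USER_PIN = "11223344"     # factory default quoted in the review


def is_repeated_digit(pin: str) -> bool:
    """True for a single repeated digit such as 11111111."""
    return len(set(pin)) == 1


def is_consecutive_run(pin: str) -> bool:
    """True for a run like 2345678. Rejecting the descending direction
    (8765432) as well is an assumption, not something the review states."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps == {1} or steps == {-1}


def validate_pin(pin: str) -> tuple[bool, str]:
    """Apply the stated PIN rules; returns (accepted, reason)."""
    if not pin.isdigit():
        return False, "PIN must contain digits only"
    if not MIN_LEN <= len(pin) <= MAX_LEN:
        return False, f"PIN must be {MIN_LEN}-{MAX_LEN} digits long"
    if is_repeated_digit(pin):
        return False, "PIN cannot be a single repeated digit"
    if is_consecutive_run(pin):
        return False, "PIN cannot be a run of consecutive digits"
    return True, "ok"


@dataclass
class DriveModel:
    """Toy state machine for the lockout / wipe behaviour."""
    user_pin: str = DEFAULT_USER_PIN
    admin_pin: str | None = None
    # Assumption: the counter is persisted, so unplugging or waiting does
    # not reset it (the review says elapsed time does not matter).
    failed_attempts: int = 0
    # Constructed stand-in for the on-device data-encryption key.
    data_key: bytes | None = field(default_factory=lambda: secrets.token_bytes(32))

    @property
    def wiped(self) -> bool:
        return self.data_key is None

    def set_user_pin(self, new_pin: str) -> bool:
        ok, _ = validate_pin(new_pin)
        if ok:
            self.user_pin = new_pin
        return ok

    def _matches(self, pin: str, stored: str | None) -> bool:
        # Constant-time comparison so timing does not leak PIN prefixes.
        return stored is not None and hmac.compare_digest(pin.encode(), stored.encode())

    def unlock(self, pin: str) -> bool:
        """Return True on success; a wiped drive never unlocks again."""
        if self.wiped:
            return False
        if self._matches(pin, self.user_pin) or self._matches(pin, self.admin_pin):
            self.failed_attempts = 0      # a good PIN resets the counter
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.data_key = None          # keys destroyed; Admin PIN does not help
        return False


if __name__ == "__main__":
    drive = DriveModel(admin_pin="9876501234")   # constructed sample Admin PIN
    for attempt in range(MAX_FAILED_ATTEMPTS):
        drive.unlock("0000000")
    print("wiped after ten bad PINs:", drive.wiped)
    print("admin PIN still works:", drive.unlock("9876501234"))
```

The point the model makes is the one the review warns about: the counter only ever resets on a successful unlock, so nine wrong guesses spread over weeks are as dangerous as nine in a row, and setting an Admin PIN changes nothing once the tenth failure lands.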

Admin Mode

Speaking of the “Admin” PIN, the drive has a bunch of features you can use in the “Admin” mode that are nice if you are deploying in an organization. I did not use these features myself, but they are documented in the manual.

The Admin can reset the user password and do some other neat things like adjust timeout to locking and other things as well. In addition, the drive can be opened in a read-only mode by either the user or the admin.

One thing that I find a bit odd is that, according to the documentation, whenever you unlock the drive with the “Admin” PIN, it resets the “User” PIN to default. NOTE – Secure Data reached out to me and mentioned that the documentation may not be clear here. This is what they said; I have no way to test this, but have no reason to doubt it either – “That sentence is trying to explain that when the Admin PIN is first set up, it will reset the User PIN”. So the key difference is, when the Admin PIN is first set up, the user PIN is reset, not any time the Admin PIN is used. Good to know.

Using the Drive

In my time using the drive, I found it to be pretty easy to use and downright convenient when I wanted to grab something off it quickly. As I mentioned, I have been using an IronKey, but that requires running a small program to connect to the drive, then mount another partition, using 2 drive letters and taking some extra time to get to the files.

IronKey Unlock Software

This can be a bit cumbersome if you just want to grab a file. Similarly, I have used simple USB-3 drives and VeraCrypt with the same issue. You have to run a program first, then unlock the drive. Having a PIN on the device is much more convenient. This feature could also allow you to create a bootable device that is encrypted when not in use. Unlock the drive, stick it in the machine and tell the BIOS to use it as a boot device and you are in business. This simply can’t be done with the other options that require software to unlock them (although you could use them to run a VM).

Conclusion

Ultimately, as I said, this review is about usability, value and the overall experience.

After using the device for a little while, I have to say that I’m impressed. Of the features I used, the device did everything it said it would without complaint. Remembering the process for unlocking and making PIN changes, etc. may take some time to get used to, but the basic functionality is great.

While the IronKey still wins the day from a sheer beauty aspect, the SecureUSB is far from ugly. Speed wise, I typically got around 100 MB/s during sustained file copies, which is something my current IronKey (remember it’s USB 2.0) can’t even come close to.

SecureUSB Speed
Cheap Microcenter Drive on a Ryzen 7 2700 machine

While I really liked the drive, in the end I felt that at around $129.00 the cost was very reasonable for what you get, especially compared to the IronKey. However, for someone that doesn’t use something like this often, or doesn’t need FIPS validation, using a cheap USB 3.1 thumb drive like this Microcenter 32GB version for under $4, encrypted with VeraCrypt, might be a viable solution as well, although it certainly lacks the “cool factor” that the SecureUSB has and is considerably slower.

Several options, only two are cool

I’d say if you are in the market for a hardware encrypted USB thumb drive, it would benefit you to give the SecureUSB KP (<-Amazon.com link) a serious look. I really enjoyed my time with it and will be sad to see it go.

Final note: I linked to items on Amazon with an affiliate link. If you found value in this review and decide to get one, I would appreciate you following the link. Any little bit helps. Thanks.