Sweden Screwed Up Big Time Resulting In Sensitive Data Disclosure

In what’s amounting to a pretty significant slip-up, Swedish Transportation Authority appears to have provided quite a bit of sensitive information to a group in the Czech Republic. What is really surprising to me is that they are outsourcing so much of their potentially sensitive data offshore.

While I understand the attractiveness of outsourcing some IT functions, when your data is this significant and personal, steps must be taken to better secure it. Coming from a Department of Defense background, there were certain things that we would never allow non-citizens or offshore third-party entities to see. In this case, all of the vehicle information, including that of military and police, was provided to groups in the Czech Republic without a reasonable screening process.

More surprising than that is the fact that their firewalls and much of their communications are being managed from Serbia. Really? There are times when the transfer of risk or management of Information Technology functions makes sense. We see this all the time on a smaller scale with respect to cloud computing, but again there are times where saving a few dollars is not worth the risk of exposing the data.

Can you imagine if here in the US, the Transportation Authority, or even State MVDs, outsourced the data processing and storage to an outside country like, say, North Korea? This is pretty much what Sweden is doing when outsourcing firewalls and such to Serbia and having the Czech Republic deal with their Transportation Authority data. Perhaps tensions aren’t quite as high between those countries as between the US and North Korea, but my understanding is they aren’t exactly in lockstep either.

Think about this when you’re looking at cloud providers. Understand where the data is going, who is processing it and the nature of the data and sensitivity as well. Require background checks for people who are handling sensitive information. Don’t be that guy or gal that makes the news like this.

*WARNING* – Headlines From Yesterday Make Great Phishing Ammo For Today

It’s Friday morning and after a pretty intense Thursday, I just want to send out a little warning to folks. Yesterday we lost a great musician and “The Juice” is about to be loose. These are two pretty significant headlines. What does that mean? Well, it means the scammers are going to be using this against people.

Be ready for phishing emails related to these two stories. Pretty much any time there’s a major event inboxes are flooded with stuff like this. This is pretty typical since social engineering is really about leveraging our emotions against us.

Now I have to admit, music hasn’t played a huge role in my life but it has many others so this hits home for many especially given the fact that it’s a suicide. With respect to OJ, I think most of us that are old like me remember the low-speed chase in LA and the ensuing legal battle, more than what he actually got locked up for. Either way these things relate to a number of us across different generations and that makes them great ammo.

I suggest that if you haven’t already, send some simulated phishing emails to your users related to these subjects. The idea is to inoculate them before they get the one with a malicious attachment. My company, KnowBe4, has already been all over this today and already has templates made to deal with this sort of thing. If you’re a customer, use them.

Stay safe out there folks, and let those users know that this may be coming.

Ransomware Attack In Atlanta’s Peachtree Neurological Clinic Sheds Light On Persistent Breach

The Look When You Find Out You Have Been Breached… For Over A Year.

So when is a ransomware attack a good thing? How about when it uncovers a previous breach where someone has been in your system for over a year. That’s exactly what happened to Peachtree Neurological Clinic in Atlanta. While they didn’t pay the ransom, they did find out someone had been in their system since February of 2016.

Now, they haven’t said how many patients’ data may have been disclosed, and the breach hasn’t been added to the HHS breach tool, but it looks like names, Social Security numbers, driver’s licenses, addresses, phone numbers, medical data, prescriptions and/or health insurance data are at risk. That’s a lot of data on a person. This should be an interesting one to watch.

How long would this have gone on had it not been for the ransomware attack? Who knows. See, there is a silver lining sometimes. 🙂

Getting Ready For Vegas and Austin, Texas

Well folks, Hacker Summer Camp is right around the corner. While I won’t be able to be there for all of it, I will be there for a couple of days at Black Hat. I’m returning this year once again as a booth babe in the KnowBe4 booth. Unfortunately, before Defcon starts, I have to be in Austin to wrap up the 12 Days of Sysmas, which is being put on by Spiceworks in honor of SysAdmin Day on the 28th. It’s going to be a ton of fun, but it’s also going to be a very long week.

So the deal is, I’ll be there Wednesday and Thursday in the booth doing demos and stuff like that. We have Kevin Mitnick signing books on Wednesday evening, and we’re handing out these truly epic KnowBe4 axes. We have an axe to grind with ransomware. Kind of catchy, huh? I’m going to have a bunch of goofy puns for that. Maybe I’ll even axe you a question about it.

I can’t wait for this fun!

I’m going to warn everyone right now, this next week is going to take an awful lot of energy drinks to survive. For the record, the white Monster energy drinks or the white Rockstar energy drinks are my favorites. Just saying, you show up to our booth with one of those for me, and I’m going to take care of you as best I can. If I’m in a really good mood, I might even sign your forehead with a sharpie. Hey, I’m just cool like that.

Since I arrive Tuesday at about midnight, I’m not going to be doing much then. I might be up for something Wednesday night, but it’s going to depend on how the day goes. Apparently I’m expected to work at this thing. Thursday, I have to leave straight from Black Hat and head to Austin, Texas for the “SysAdmin Day edition of On the Air” on Friday morning. That’s going to be a ton of fun, especially since I’ll probably be giddy and such from a lack of sleep. Tune in if you’re feeling it. I love the Spiceworks group as they tend to live life to its fullest. It’s going to be at 10 a.m. Central, so 9 a.m. Vegas time. That means flip open your laptop and watch it while you nurse your hangover. Hey, we’re giving away a Nintendo Switch, so you might even get lucky there.

On a serious note, if you want to talk shop about ransomware or social engineering, come hit me up in the booth. I would love to have discussions about it. Likewise, if you are looking for anyone to interview during the show, I’m happy to offer my expertise. It’s not every day you get a security guy that’s this charming, good-looking, and humble all in one package. 🙂

The Life Of A Traveling Swine

As an educated and well-travelled swine, I have to say that life on the road is not always easy. In fact, although it looks like glitz and glam, there are some rough times as well, and I can tell you that spending a lot of time in airports is not what it’s cracked up to be. At times I miss my mud pit, and eating airport food is missing the… ‘je ne sais quoi’… something, of home-prepped slop. Add to that the fact that I rarely see others of my kind, and it can be a lonely life, even with my human along to do my bidding for me.

I bring a human along mostly because a lack of vocal cords makes it tough for me to speak, so I have to drag him around to be my voice to the other human servants. Sometimes you would swear they think THEY own the planet, but I don’t mind letting them have their little delusion as long as they do my bidding in the end. I control them with my mind, so they always do.

A recent trip outlined the dangers and difficulty of life on the road. I took my human to Washington DC to attend a conference and speak at another one (I’m good at multitasking the human). I wore red that day as it is a power color, and when you are in the nation’s capital, you never know who you will run into and have to boss around. In any case, although I’ve been to DC before, I have never been to the Museum of Natural History and wanted to check it out.

Posing at the train station. Selfies are hard when you have no real arms.

To understand how this works, years ago I had my human purchase a first class traveling home for me called the ‘Oakley Kitchen Sink’. Think of it as a human-powered RV. It’s incredibly spacious inside, comfortable, and has lasted me several years of heavy travel. Since I spend a lot of time in here controlling the humans’ thoughts, making the human spend that much money on a backpack is something I have never regretted.

During this trip to DC, I loaded myself up in the pack and had the human go to the train station. This ended up being an interesting time, but I’m not going to repeat myself as I had the human talk about it already in this thread. I was finally able to get him to the museum safely, although it was apparently very hot outside of the RV as he was sweating profusely. The museum itself was wonderful. I was able to interact with many of the exhibits (sometimes with help from my human) and spotted some folks that I am pretty sure are close relatives of mine.

I have a cousin with tusks like that, only these are upside down.

I wasn’t scared at all. Honest. I just stared him down.

I am reasonably sure we are related. Both of us are pretty hardcore!

From here it was work, work, work as I took my human to the Gartner event and spoke at the International Legal Technical Association (ILTA) event. I mostly stayed in my RV for the time, but had my human take me to some pretty good sessions and spoke with some great people.

Tomorrow I leave for Chicago for BSides Chicago, where I am speaking (through my human again). This time I’m going whole-hog and wearing my derby in hopes of attracting some tickets to DerbyCon. The resident bee doesn’t agree with my blatant attempt to score DerbyCon tickets; however, I told him to buzz off about it. He has shifty eyes anyway. Not someone whose opinion you can trust.

Would you trust those shifty eyes?

Perhaps I will do a “Day in the life of…” post tomorrow so you can see what it’s like to be on the road. Time will tell.

Tennessee City’s Emergency Services Hit By WannaCry

It’s July; how do you still have machines vulnerable to this? It’s not like this hasn’t been publicized. Yeah, I get it, patching can be a pain, but really? They should have had mitigations in place.

FTA: “Norville says most of the affected data is not retrievable, and it is unclear if any significant files have been lost. Two file servers and 19 computers within the police department’s system were breached.”

Reject the Tech: Technology Isn’t Always The Best Answer in Cybersecurity

Before I even start, I have to admit that I’m every bit as guilty of this as anyone else. I love tech and gadgets and have been dazzled, then disappointed before. As I was thinking about this, I was picturing stones flying around my own glass house, so don’t take this personally if you find yourself looking back in the mirror as well. After all, GI Joe flooded my childhood with messages of, “knowing is half the battle.” It’s what we do with the knowledge that will let us prevail in the other half of the battle. Hopefully my experiences and bad decisions can help some of you.

Now that I have that off my chest, I can go ahead and tell you that if you are investing time and money in high-tech “solutions” without addressing non-technical or low-tech solutions, you are really screwing up. Yep, 100% screwing the pooch, making a mess of it, etc., etc., etc., so stop it!

The Hook

If you haven’t noticed already, those signs you see at the airport, the ads in magazines, on the internet, or anywhere else are put together by a special type of person called a “Marketer”. These people aren’t evil on purpose, but I see a lot of them going to the “dark side” (I hear they have cookies). It could be the pressures of lead generation or competition, but whatever it is, some fall into the dark well of snake oil sales. They start making ridiculous claims like, “With our WAF, data breaches are a thing of the past” or “The ‘cloud’ will fix all of your ailments”. When you see these people at trade shows, they even begin to believe their own rhetoric and will pitch it to you with a confident smile on their face. What’s worse is, you may start to believe it yourself. Your executives may start to believe it; your boss may start to believe it. Best case, big $ goes out the door and your security situation still hasn’t improved dramatically. Worst case, big $ goes out the door and you are in worse shape than when you started.

Avoiding the Gut Punch

How do you avoid this unpleasant experience? It will take a conscious effort of will to step back and see through the smoke.

First, if something says it’s a “solution”, put on your skeptical hat and hold on to it. In security there is reduction of risk, but I have never seen a professed “solution” be an actual end to something meaningful. Many times I have seen a “solution” open up a whole other can of worms that was unexpected.

Second, compare to other similar devices/platforms and see if the fancy new feature is just different wording for something already being done by someone else. If there is a key feature that gets you all spun up, don’t assume you know what it is actually doing. I have convinced myself that things are going to do one thing, when in fact they do something altogether different, simply because I really WANTED them to do what I thought they meant. Make sure you take a deep breath and understand the limitations of the feature you are so hot for. It can save many tears down the road.

Sometimes the right tools are being used wrong.

Third, understand how things are going to work together. There are few things worse than getting a new device only to find out that managing it takes a lot of time and effort because nothing integrates with your current infrastructure.

Finally, and most importantly, consider if you are trying to throw a high-tech fix at a low-tech or no-tech problem. In many cases, risk can be decreased dramatically through policy, procedure or easy architecture changes. Sometimes you are using the tool wrong and can’t even see it.

Examples of Your Hare-Brained Scheme?

Let’s use ransomware attacks as an example. Not only have WannaCry and Petya/NotPetya caused issues, but Cerber and others have been doing it for a long time. Let’s look at some easy things that would have made these attacks less of an issue, maybe even trivial, had they been done.

Patching – MS17-010 was exploited in a couple of these, but other patched vulnerabilities have been exploited time and time again. Most of the time, 0-days are not what is used; it’s old exploits on vulnerable machines. Sure, patches are a pain to keep up with, but time spent here can pay off greatly. Imagine if MS17-010 had been applied globally before WannaCry: it would have been a minor nuisance rather than a global event. Review your patching process and give it the attention it deserves. If you can’t patch, use mitigating controls or isolate the device from anything it doesn’t NEED to communicate with.

Network Segmentation – It still boggles my mind how many “flat” networks are out there. These days, the cost of segmenting networks is nearly trivial and the implementation is well understood. What is segmentation? Simply put, it’s the practice of limiting communication between devices or groups of devices. Consider this: does your receptionist need to be able to get to a login screen for your SQL server? Does finance need to get to the Development environment? Does Dev even need a direct connection to Production? Anywhere you can limit this communication, you provide a mechanism of containment. Now if your receptionist launches malware, it can’t ever reach important resources. Clean-up is now easier and real damage avoided. With a little planning and work you can significantly limit how far malicious programs or hackers can get within your network for little or no cost. WannaCry spread by being able to get to servers on port 445. Had they been segmented, damage would have been much more contained.

Backups – Sure, you get the email every day/week that says your backups ran, but do you really read the email, and have you ever tested your backups by restoring them? Maybe the backup successfully backed up 40kb worth of data, but nothing else. If the job is whacked and it only thinks it’s supposed to back up 40kb, it’s going to tell you it was successful. Make sure you know what’s going on. I suggest restoring some random critical data at least once a month and ensuring you can get it. This will help you understand the time it takes and the process, so you aren’t figuring it out when the world is on fire and the pressure is on. Also, do a full restore at least twice a year. Make sure it all works. Backups are a great way to fight ransomware, and the ability to quickly restore would have made WannaCry just a nuisance.

Have An Incident Response Plan – Figuring out how to respond sucks when you are in the middle of it all. Put some effort into having a plan that at least covers the basics for common scenarios. Having things like contact information for execs, law enforcement and online resources can really help take some pressure off when responding to an event. Know where your software and licensing is in case you need to reload things. Know how to reach your vendors or cloud providers and have that documented. Something will eventually go wrong, so be ready when it does.

Get Visibility In One Place – If at all possible, get your logs, alerts and events feeding into some sort of SIEM or central spot. Easy stuff like firewall logs or endpoint protection alerts going to one place can make a huge difference in your ability to notice and identify potential attacks or events. For example, if a bunch of your endpoint protection agents start throwing alerts, you can spot it quickly and take action. This is one of the more technical things I do think needs to be done; however, the cost does not have to be significant. Look into ELK Stack (aka Elastic Stack) or AlienVault OSSIM for free ways to get some visibility into your network. A quick reaction can significantly reduce damage in an attack.

Work On Your Organization’s Security Culture – Teach your users how to spot phishing attacks and avoid falling for scams. Changing the security culture of your users is one of the best ways to avoid attacks. People need to know that they are targets so they can protect themselves. They need to know what to look for in order to spot attacks and have a way to report them quickly. Understand that you may not be the best person to put training together. We tend to be technical people and that does not always resonate with the users. Employ other departments, such as marketing, if you are going to do it on your own, or better yet use a 3rd party like my company KnowBe4 to do it for you. It’s not expensive and it works well. Reminding users that attacks like ransomware impact them at home as well can really help them pay attention in the training. Fostering an attitude of helpfulness from the security/IT team will go a long way to getting the users to want to engage. Don’t shame folks when they screw up, and they will. Instead, reward them for doing the right thing. Kudos at a company meeting or in a company-wide email, or even a pizza party for the department that does the best, can really impact the culture. Have fun with it and remember that it’s a scary topic for some folks, so they may need a little reassurance before they start to play well with others. Be patient and the reward can be great.
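To make the segmentation and visibility points above concrete, here is a small added example (my own illustration, not code from the original post or from any SIEM product) that reads a handful of constructed firewall and endpoint-protection log lines, as they might land in a central log store, and flags one host fanning out to many peers on TCP/445 (the WannaCry-style spread that segmentation should contain) and a burst of endpoint alerts inside a short window. The log format, hostnames and addresses are assumptions invented for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an invented format (not any vendor's real syntax).
SAMPLE_LOGS = """\
2017-07-14T09:00:01 fw allow src=10.1.10.22 dst=10.1.20.5 dport=445 proto=tcp
2017-07-14T09:00:02 fw allow src=10.1.10.22 dst=10.1.20.6 dport=445 proto=tcp
2017-07-14T09:00:02 fw allow src=10.1.10.22 dst=10.1.20.7 dport=445 proto=tcp
2017-07-14T09:00:03 fw allow src=10.1.10.22 dst=10.1.20.8 dport=445 proto=tcp
2017-07-14T09:00:03 fw allow src=10.1.10.22 dst=10.1.20.9 dport=445 proto=tcp
2017-07-14T09:00:04 fw allow src=10.1.10.22 dst=10.1.20.10 dport=445 proto=tcp
2017-07-14T09:00:05 fw allow src=10.1.10.40 dst=10.1.20.5 dport=445 proto=tcp
2017-07-14T09:00:06 fw allow src=10.1.10.41 dst=10.1.30.2 dport=443 proto=tcp
2017-07-14T09:00:07 fw deny src=10.1.10.22 dst=10.1.50.3 dport=445 proto=tcp
2017-07-14T09:01:10 ep alert host=ws-0022 sig=Ransom.WannaCry
2017-07-14T09:01:40 ep alert host=ws-0040 sig=Ransom.WannaCry
2017-07-14T09:02:05 ep alert host=fs-01 sig=Ransom.WannaCry
2017-07-14T09:03:30 ep alert host=ws-0051 sig=Ransom.WannaCry
2017-07-14T11:30:00 ep alert host=ws-0090 sig=PUA.Toolbar
"""

FW_RE = re.compile(r"^(?P<ts>\S+) fw (?P<action>allow|deny) src=(?P<src>\S+) "
                   r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)")
EP_RE = re.compile(r"^(?P<ts>\S+) ep alert host=(?P<host>\S+) sig=(?P<sig>\S+)")


def parse_logs(text):
    """Split the central log feed into firewall events and endpoint alerts."""
    fw, ep = [], []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            fw.append({"ts": datetime.fromisoformat(m["ts"]), "action": m["action"],
                       "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])})
            continue
        m = EP_RE.match(line)
        if m:
            ep.append({"ts": datetime.fromisoformat(m["ts"]),
                       "host": m["host"], "sig": m["sig"]})
    return fw, ep


def smb_fanout(fw_events, threshold=5):
    """Sources that touched at least `threshold` distinct peers on TCP/445.
    'allowed' is how far a flat network actually let the host get; on a
    segmented network most of these would show up as denies instead."""
    targets, allowed = defaultdict(set), defaultdict(set)
    for e in fw_events:
        if e["dport"] != 445:
            continue
        targets[e["src"]].add(e["dst"])
        if e["action"] == "allow":
            allowed[e["src"]].add(e["dst"])
    return {src: {"targets": len(dsts), "allowed": len(allowed[src])}
            for src, dsts in targets.items() if len(dsts) >= threshold}


def alert_burst(ep_events, window_minutes=5, threshold=3):
    """Hosts in the densest window of endpoint alerts, if it reaches the
    threshold; several agents alerting at once is the 'spot it quickly' signal."""
    events = sorted(ep_events, key=lambda e: e["ts"])
    window = timedelta(minutes=window_minutes)
    best = []
    for i, start in enumerate(events):
        hosts = [e["host"] for e in events[i:] if e["ts"] - start["ts"] <= window]
        if len(hosts) >= threshold and len(hosts) > len(best):
            best = hosts
    return best


def run(text=SAMPLE_LOGS):
    fw, ep = parse_logs(text)
    return {"smb_fanout": smb_fanout(fw), "alert_burst": alert_burst(ep)}


if __name__ == "__main__":
    for name, finding in run().items():
        print(name, finding)
```

Feeding real firewall and endpoint logs through checks like these is the cheap version of the "one place" visibility the post argues for; the thresholds are starting points to tune against your own baseline.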

If you put some effort into the things I have listed above, you can significantly improve your security posture with very little cost. When looking for ways to solve problems, try to separate yourself from the marketing hype and focus on the task at hand. See if there is another way to accomplish your goal and keep your mind open to all options, not just the shiny ones.

What an experience – Aggression and Racism in the DC Metro Station

Yesterday I travelled to Washington DC to attend the Gartner Security Summit. This is not my first time in DC, but I had never been to the Smithsonian Museum of Natural History, and since I had some time to myself on this Sunday I decided to head over. I was going to Uber over, but the hotel receptionist mentioned that it was a quick trip on the Yellow Line Metro to L’Enfant Plaza and a short walk to the National Mall. I decided to take the Metro. I like new experiences.

First, I found a wallet on a bench at the Metro stop. It had $83 in cash and a bunch of credit cards and such. I turned it in to the lady in the booth. It took a while, but we inventoried the contents and she logged the find, etc. I missed a couple of trains during this, but that was OK, I did the right thing.

I caught the next train there at the Eisenhower station and headed along the path of the beam to downtown DC (Blaine is a pain*). About 15 minutes later I arrived at L’Enfant station where I happily disembarked, looking forward to my trip to the museum. At this point, it was about 1:00pm and since I had not had lunch after arriving, I decided to find something to eat on my way. Now, L’Enfant station is huge. It’s a transfer point for several other lines and is not easy to navigate. It’s also underground at this point. I managed to find the exit after a few minutes and headed out the gates. There was not much in the way of foot traffic actually leaving the station, so I was alone.

Just about the time I exited the little podium gates, I was approached by a guy. He was about 6’1″, tall and skinny, had short dreadlocks, and was black. I wouldn’t normally mention his race, but it plays into things a little later. His approach was aggressive and unexpected; however, I do keep an eye on my surroundings (*cough* *cough* *paranoid* *cough*).

He said something to me, but I had my earbuds in, so I pulled one out while continuing to walk. I said, “huh?” and he repeated himself. He said he wanted me to give him a dollar for the bus. Mind you, he told me he wanted me to give him a dollar; he did not ask. I told him I didn’t have any cash (true) and he got even closer, asking me for the dollar. I told him again that I had no cash. At this point he called me some pretty rude things and walked ahead of me quickly. There are some long escalators heading to the plaza, 2 of the 3 going up, one going down. He got on the right escalator going up about 10 yards ahead of me, and I got on the left. He glared at me the entire way up the escalator, then at the top he proceeded to block the escalator he was on, pestering the next 2 people trying to get off the escalator.

The folks just walked by and ignored him, and he repeated his action of talking smack to them as they walked away. I kept going and found a place for lunch where I got in the line. There were only a couple of people ahead of me at this time, and the same guy walks up to the older people who were at the register, gets in their face and demands a dollar from them. One of the 2 people told him no, and the guy reached over and pointed at his wallet and said, “You have it there!”. The 2nd guy at the register gave him a dollar, probably hoping he would go away, but the guy turned around and started cussing at them all the same. As he was leaving, I told the older folks that he had been demanding money and cussing people out from the exit booth.

He heard me, turned around and got about 2 inches from my face and started talking a lot of smack, cussing me out and asking me if I had a problem. At this point something sort of odd happened, I found myself very detached and calm. That surprised me. I just looked him straight in the eyes and said, “You have some issues man.” and continued to stare back. He broke eye contact and turned around like he was going to walk away, then turned around quickly and got in my face again. He started calling me names again, pretty much everything was about being white. I’ve never really experienced a racial tirade like that before, but I just stared him down and started to smile. I couldn’t help it, it reminded me of Full Metal Jacket and I could just feel that he was just blustering a bunch of hot air. I can’t say how I knew he was all show, maybe it was because his eyes showed some confusion and actually looked a bit scared. I don’t think he expected me to stand my ground and start smiling, because he backed away quickly, then walked away quickly while continuing to hurl racial insults. He really didn’t like the fact that I was white.

It was easily one of the more interesting experiences I have had. Fact is, he would have been easy to put down as he was trying to make himself look big by holding his arms out at shoulder height, looking like a chicken while exposing his whole midsection. He was open for a knee to the groin, the gut or a headbutt before he could have done anything to prevent it.

I don’t know if he was on drugs, but I don’t feel like he was. His eyes were focused and appeared to be aware. I could actually see the change in them when I wouldn’t back down. Honestly, I think he is just a punk that uses extreme aggression to try to bully things out of people. I wonder if this works better in places like DC where the general population is almost guaranteed to be unarmed.

One thing is for sure, I won’t be doing much more walking around without some sort of defense available. I usually take my camera monopod, a large aluminum tube that could double as a seal club, along when I walk strange cities alone. This time I did not. I can tell you that I won’t be caught off guard like that again.

Stay safe out there.

*Obligatory Dark Tower reference when I ride a train.