Things Matt Wrote

Writings from the intersection of law enforcement and the Internet

Regular readers of this blog, or those who subscribe to the Threats Without Borders newsletter, have read my concerns about security training. This article from ZDNet highlighting the failure of such efforts struck a chord with me, but not because I agree with the position of the article. Well, not entirely. I agree that security training is not the be-all, end-all, and that new learning techniques are needed.

The article proposes that security training is failing because it’s not being delivered in a way that creates a security mindset. The author believes the effort needs to be all-encompassing and daily.

"I think one of the most important things to realize is most of the education and training done, it's not very effective. The 30-minute video you're obligated to watch once a year doesn't do the job."

Yes, I’ll agree with this, but maybe it’s not all on the security professionals.

I like to use the analogy of telling a child not to touch a hot stove. You can tell a child over and over to not touch the stove coil while it's glowing red hot, and even show them the scars you have from doing it, but until they do it and get burned they don't have any context. And because they don’t have any context, because they haven’t felt the pain, they’re going to touch the hot stove.

Consider phishing. How many phishing victims have received some form of training? A LOT. Yet they still clicked the link. In many of the cases I have investigated, the person responsible for clicking the link or sending the money order says to me, “I knew it looked suspicious” and “I know better, I saw the same thing in training.”

Almost all promise me, “I won't make that mistake again.” And they won't. Much like a child never touches a hot stove top twice, they must get burned for the message to have an impact.

#cyficrime #cybersecurity #infosec #risk

I stopped making New Year's resolutions a long time ago because I wasn't very good at keeping them. The pressure to maintain the effort became another stressor in my life. You can only fail at losing 15 pounds or daily teeth flossing so many times. I still set yearly goals, but they are goals for which I have developed a plan and a roadmap to achieve them.

Making New Year's resolutions is still popular for others, and I have heard many declare their ill-fated intentions over the past few days. One of the most frequent themes I've heard has been the desire to “return to normal,” referencing the Covid-19 pandemic and the way it's turned our lives upside-down since 2019.

What is normal at this point? I can only assume the declarants mean a return to life as it was in December 2019. Do we really want to go back there at this point? And how would we do that? You can't put the past two years back in the bottle.

This longing for “normal” is foreign to those of us who defend against, or investigate, cyber-financial crime. The concept of normalcy doesn't exist. Well, other than that the bad guys are unrelenting in their attacks and continuously evolving their tactics to defeat us. There isn't a normal because the game is continuously evolving. Much like a virus, ransomware, phishing emails, business email compromise attacks, money laundering methods, and social engineering techniques are continually mutating in response to the tactics of security and law enforcement. There are new variants every day! The theme may be the same, but the characters and their schemes are ever-changing.

We never have the desire to return to normal because there is no normal. Normal is chaos. Every day.

Welcome to 2022 and another year of combating cyber-financial crime. Normalcy is not an option.

#cyficrime #cybercrime #risk

New York Times author Nikole Hannah-Jones recently made headlines herself for claiming that the United States dropped nuclear weapons on the Japanese cities of Hiroshima and Nagasaki due to the sunk cost fallacy. The United States had spent so much money and time creating an atomic weapon that it used the resulting tool only to prove that it was worth the effort. Anyone with even a half understanding of world history knows this is incorrect. This claim, made in the weeks, months, or even a few years after the event, would be understandable. But after 81 years of study, scrutiny, and academic review, this assertion has been proven wrong. So wrong that someone who makes it should be held in no more regard than a person who still claims the earth is flat. Of course, Ms. Hannah-Jones isn't about the truth.

Giving credit where credit is due, government decision-making and policy can be influenced by sunk costs. Personally, it is easy to pivot when I realize we're “throwing good money after bad,” but in the machine of government, that is much easier said than done. Particularly when ego is involved.

Law enforcement agencies have this odd organizational setting where it's not quite a strict hierarchical military rank-and-file system, yet not run like a free-market business entity either. Much like a business, law enforcement agencies must satisfy the needs of their customers – the public they serve – and the executive board – the elected politicians. But unlike with a business, the customers can't just go to a competitor. No matter how poor the service, the customers keep paying the bill – in the form of taxes. And the executives are ever-changing, so if the law enforcement leadership conflicts with the CEO or Board of Directors, they need only wait them out through the next election.


Being a voracious reader, I would share my interesting findings with friends and colleagues through email. Eventually, one politely asked that I save his inbox the stress and just send a single email aggregating all of the interesting links I had gathered over the week. Matt's Newsletter was born.

That was the first try. It is hard to keep interested in something when no one is paying attention. I stopped publishing after a few weeks of no feedback and no subscribers.

I never lost my appetite for reading and sharing my knowledge, though. I started to collect and publish my writings on a write.as blog. When I learned about the newsletter service Substack, I wondered if I could combine my writing with a newsletter sharing the best news stories I had read over the previous week. Matt's Newsletter was re-born.

Fifty-two weeks and a name change later, it's still going.

Welcome to the Threats Without Borders Newsletter – Issue ONE YEAR!

So what have I learned after publishing a newsletter every week for one year?


I have previously written about the rise of “dog fraud” and the increase in fake websites and Internet marketplace ads offering designer dogs that don’t exist. Well, the breeds of dogs exist; the seller just doesn’t actually possess any to sell. These fraudulent sellers are usually found operating on web marketplaces such as Facebook and OfferUp, but some have gone to the extreme of creating entire websites. And some of them are well designed and functional, not just a Weebly template with some stock photos.

I suspect the next breed that will be the focus of scammers is the Shiba Inu. The rapid ascent of the Shiba Inu cryptocurrency has resulted in images of the dog posted front and center of just about every mainstream press website and periodical. It is a really good-looking dog and with a price range of $900 to $2500, it will also look good to the scammers.

In my experience, dog scammers had been focusing on the trendy and highly sought-after French Bulldog. I compared searches for the two breeds on Google.

[Google search trend chart: “Shiba Inu for sale” (red) versus “French bulldog for sale” (blue)]

Searches for the Shiba Inu are trending up, not as dramatically as I assumed, but they have certainly risen to equal searches for French Bulldogs.

I suspect that the Shiba Inu will create a lot of empty wallets, crypto, and leather.

#cyficrime #cybercrime

As defined by Wikipedia, the Curse of Knowledge is a cognitive bias that occurs when an individual who is communicating with others wrongly assumes they have the background to understand the communication. Just because you have mastered a subject doesn't mean everyone you communicate with has also. I often assume that my audience has the prerequisite knowledge to understand the information I am presenting. I am often wrong, which leads to frustration on both ends. This doesn't mean they are of low intelligence or unable to learn; it just means we have different backgrounds, experiences, and professions. An orthopedic doctor trying to explain bone density to me is going to get the same response as me trying to explain Network Address Translation to her.

I recently participated in a ransomware tabletop exercise at a local business. Initially, I was disappointed in the simplistic scenario presented by the consultant running the exercise. Uhh, so basic, I can't believe they are getting paid for this, I thought. But as the exercise played out, I observed that even such a basic scenario led to very productive conversation. In fact, the participants couldn’t have handled much more. Many of the stakeholders were not in the business of security or Internet technology and needed to be brought up to speed.

The curse of knowledge got me again. I allowed my mastery of the topic to influence my opinion of the exercise and assumed the other participants had an equal or better understanding of ransomware and the incident response process. I had been through the scenario so many times, in both exercises and reality, that I had the answers. I wrongly assumed the others would also.


This week President Biden claimed to be “committed to the cybersecurity of the country” and promised to hold those who threaten our nation's security accountable. He also announced that his administration was hosting a meeting with 30 countries from the NATO and G7 alliances to discuss the problem of cybercrime and come up with a plan to combat it. The statement asserted the group would bring the “full strength” of their capabilities to disrupt malicious cyber actors.

Israeli defense minister Naftali Bennett describes Iran as an octopus that spreads its influence across the Middle East through its long tentacles. Mr. Bennett is the original proponent of the “Octopus Doctrine,” declaring that the only way to successfully beat an octopus is to target its head: “When the tentacles of the octopus strike you, do not fight only against tentacles, but strike the head also.” Life comes from the head, not the tentacles.

Previously the Biden administration outlined a new strategy for combating ransomware and cybercrime as detailed in this Wall Street Journal article. The administration plans to target the financial infrastructure of ransomware gangs hoping to remove the financial incentive of cyber-criminality.

Targeting the financial systems is just striking at one of the tentacles. You may cut it off, but seven more exist, and as you battle those, the injured one will grow back.


I love speaking to telemarketers. It's a game, really. I like to see how long I can keep them on the line before they hang up in frustration. The key is to not be an overt jerk, and to string them along like you want to be part of their program but just can't grasp what they need from you. Or offer a problem that they just can't get around. For instance, not being able to grasp the difference between a debit account and a credit account when credit card debt consolidators call. Another favorite is explaining that I live on an overgrown wooded lot and agreeing to purchase solar cells if the company will remove the five mature oak trees on my property.

Sometimes this game has unintended beneficial consequences. The vehicle warranty callers are relentless, and I had been telling them that I have various vehicles and couldn't understand which vehicle they wanted to offer an extended warranty on. They don't know what vehicle you own when they first call, so their script offers a little social engineering attempting to get you to mention the make and model of your vehicle. I would try to keep them on the line as long as possible without ever mentioning a specific vehicle. Eventually, the caller would hang up. But someone else always called back. Sometimes the next day.

Recently one caller slipped and asked what vehicle I owned that was between the model years of 2012 and 2019. I guess the actual company behind the calls realizes there is no need to offer an extended warranty on a new vehicle that already has a valid warranty. Or one that is too old and will be a sure claim.

So, I told the next caller that I owned a 2021 Tesla to see how he handled the new model year. To my surprise, it wasn't the year that stymied him. It was the vehicle. The caller said, “Oh, we can't offer a warranty on a Tesla. I'll remove you from the list.” And then he hung up.


I have written extensively about insider threats, and I always touch on it when speaking about cyber-financial security. I am usually rebuffed by small business owners when I urge them to consider insider threat security and mitigation efforts. The counterarguments are usually something along the lines of “I only have 10 employees” or “We're like a family, I don't employ anyone I don't trust.” Their feelings quickly change when I explain that not all dangerous insiders are malicious. The term “threat” has such a harsh connotation that most people assume the insider had serious and deliberate intent to do the business harm. In most cases, though, the employee who caused the damage just did something stupid. They clicked a link, were socially engineered by a phone caller, or published proprietary code to an open GitHub repository. I usually ask them about the receptionist who is a little too chatty with visitors, or the bills payable clerk who has failed the phishing simulation audit every single time.

When it comes to small business security, the most dangerous employee can sometimes be the least suspected. And really good employees can become threats at any point. What about the employee who suddenly falls on hard times or has a minor surgery that leads to drug dependency? What about the employee who didn't get the promotion? These employees would never have considered acting against their employer if it had not been for their unfortunate life situation. But drug addiction, financial distress, relationship turmoil, or animosity from discipline can make people act out of character.

Every business, no matter the size, needs to have an insider threat program. Even if it is just the business owner or a manager monitoring employee behavior and attitudes. Sally is going through a bad divorce. Bob is spending a lot of time at the casino and looks like he hasn't been taking care of himself. Jane is really, really, mad she didn't get that project manager position.


I don't have writer's block; I am suffering from finishing block. I just can't finish any of my writings. I currently have three long-form pieces that are about 75% written and just need an adequate closing paragraph. Distraction is my enemy. The opposite of writer's block, my mind is constantly filled with thoughts and ideas. I keep a note of writing topics that I update as they come to me. It's a long note. Unfortunately, many of the ideas never get acted upon because I'm constantly onto something that shines brighter. Much like when I do find time to sit down and write: if I can't finish the entire article in one sitting, the chances are it won't be finished. It's a struggle for me to return and complete a piece because I'm quickly onto something new.

Summer is a distraction. I recently had a day off from my real job, and I planned to spend it writing and working on a few other creative pursuits. As Mr. Burns so thoughtfully wrote, “The best-laid schemes o' Mice an' Men / Gang aft agley.” I soon found the weather too appealing, and I spent the majority of my day by the pool with a cool beverage and island music. Needless to say, no writing was done.

I might also suffer from a bit of writer's fatigue. As an investigator, I write reports all day, every day. I write thousands of words per week just to document my regular work activities. Sometimes the last thing I want to do in the evening or on the weekend is spend more time in front of a screen writing. And the energy I do have left goes into my weekly newsletter, Threats Without Borders, which gets published every Tuesday. You should really check it out and subscribe.

But I love to write and I have a lot to say. I just need to get to it!

The sun just peeked over the horizon and the coffee's brewed. I'll be back to finish writing this in a bit.
