Things Matt Wrote

Writings from the intersection of law enforcement and the Internet

I regularly speak to groups about cybercrime, or “Internet facilitated crime” for the industry elites who abhor the term cyber. I provide an example scenario in which attackers use a distributed denial of service (DDoS) attack to target small businesses. I classify it as a crime of extortion and explain how modern cyber-criminals use new technology to commit age-old crimes.

The scenario places a small independent florist at the mercy of a cyber attacker the week before St. Valentine's Day. The floral shop's website is suddenly unreachable at the most crucial time of the busiest week for a florist. A call to the website designer yields no results. Calls to the website hosting provider add only more frustration from department transfers, language barriers, and offers for higher-priced services that add more cost and “may” alleviate the problem.

After the site has been down for about 24 hours the first email arrives. An offer for help. From the devil himself, of course. The email tersely explains that the website is under attack and that the attack can stop for a one-time payment of 5 BTC. What is a BTC, the panicked shopkeeper thinks, and how the hell do I get some? The small business has little choice but to pay the ransom or lose even more by having the website offline during the busiest week of the year!


Mandiant (FireEye) recently released its report “Deep Dive into Cyber Reality – Security Effectiveness Report 2020”. The report details the effectiveness of the security control systems Mandiant clients use within their environments. Mandiant claims to have executed “thousands of tests” that simulate real attacks.

The authors of the report make a very important point that protecting an organization's computer and information systems is not entirely an IT problem. It is a business problem. Even more, it is an entire organization problem. Every single stakeholder that has access to the system has some responsibility to secure it. This is particularly true of the business executives who need to be more involved in security decisions. If the board does not have a CISO, it should. And that person needs to be viewed as an equal partner in the C-suite.

Of all the information provided by the report, the following stood out the most:


The CDC claims the seasonal influenza vaccine will not give you the actual flu but can result in side effects that are consistent with being sick with the flu virus. These include fever, headache, difficulty breathing, hoarseness, hives, weakness, and facial swelling. Well, that kind of sounds like being sick with the flu.

I know the flu vaccine makes me sick. Sometimes really sick, sometimes just a little sick, but every time I get a flu vaccine I get “flu-like symptoms” to one degree or another. Call me sick or not, but I am certainly not healthy at that point.

And I am not the only one. Although the CDC adamantly claims the flu vaccine will not – cannot – make you sick with the flu, a large percentage of Americans feel otherwise. A 2018 poll conducted by NORC at the University of Chicago found that 41% of Americans do not get a yearly flu vaccine. When asked why they do not get the vaccine, 36% explained they have suffered negative side effects from previous flu vaccines, side effects including fever, headache, sore throat, and shortness of breath.

Guess what those symptoms are also consistent with? Covid-19. Yes, the early symptoms of a Covid-19 infection are the same ones you may face after being vaccinated for the seasonal flu.


People often attempt to promote themselves or bolster their credibility by claiming they do good deeds. I am always amused by people who do this by claiming to do things that we are all expected to do anyway. “Why would I steal that? I pay all my bills.” or “I’m just out working hard trying to make it, I take care of all my kids.” In some social settings, such acts do set the claimant apart from their neighbors and peers, but in reality, it is what they should be doing anyway. Every member of society is expected to fulfill these basic social responsibilities. You should pay ALL of your bills and you should take care of ALL of your children.

The Git repository and DevOps platform GitLab received some very positive press this week for conducting a phishing simulation on its employees. The GitLab Red Team used the open-source phishing campaign software GoPhish to target a sample of fifty employees with an email offering a laptop computer upgrade. Not surprisingly, a significant portion of the test subjects failed. Thirty-four percent of the tested subjects clicked the link, and fifty-nine percent of those employees provided their credentials. That works out to ten employees who provided their GitLab corporate credentials to the “bad guys”.


One of the most rewarding things I do is teach a class at the local community college. I love teaching and sharing my knowledge. I do not like the overhead or drama that comes along with it (that should be a post itself), but I absolutely love leading a group of students to a better understanding and appreciation of the criminal justice system. Like everything so far in the year 2020, this semester was the best of times and the worst of times all at once.

The class started in the classroom and ended online. The last time we physically met on campus was for the mid-term exam, so the class ended up being an equal mix of fifty percent on campus and fifty percent online. Actually, we met one more time online than on campus, so I’m considering it an online course, thereby allowing me to tick the resume checkbox of “online teaching experience”.

Teaching a class at a community college is the proverbial box of chocolates: you never know what you are going to get. The students vary greatly in age, educational background, life experience, and economic status. But they are all there for the same reason, well, most of them, to achieve learning that will lead to professional success. This class was one of the largest and most diverse I have instructed, which created the opportunity to push discussion and student interaction. The students challenged me with pointed questions that in turn led to some fantastic classroom interaction. Until, that is, Covid-19 arrived and shut the campus down.


My agency recently conducted a “phish your own” campaign and the results were, as usual, disappointing. Or maybe shocking. I was unaware that the message was going to be sent, but as soon as it hit my inbox, I asked my office mate whether he had also received the message. Upon his affirmative response I declared it a phishing simulation, as there was no way the spam filter would not have caught it. The email had more red flags than a pre-hurricane beach. Yet, ridiculous as the email was, over twenty people still fell for it. In a real-life situation that is twenty opportunities for the attackers to access our network.

So here are a few quick and easy ways to spot a phishing message.


For those of us old enough to remember, the classic comedy show Monty Python's Flying Circus had a series of skits parodying the Spanish Inquisition. The catchphrase “No one expects the Spanish Inquisition” was declared to explain the surprise when the trio of inquisitors suddenly appeared. I always think of this exclamation when I read about a company being pwned by a malicious employee. No one expects the insider!

But the larger question is “why not?” Why is everyone still so shocked when a business is exploited through the efforts of a bad employee? At some point it must be expected: you are going to be attacked from the inside. And shame on you if you fail to take (any) proactive steps to prevent it.

The most recent sensational insider threat story comes from the digital game provider Roblox. Allegedly, an employee was paid to provide access to Roblox records, including the backend customer service panel and player accounts. Joseph Cox has written a full exposé for Motherboard (Vice).


And Rat's... In policing we have a simple saying to explain the monotony of continuously mitigating the poor choices of society: “same stupid thing, different stupid people”. Much like your favorite gif video from the subreddit r/holdmybeer, rope swings and mini-bikes never end well. Criminals keep using the same tricks to victimize different people, and different people keep making poor choices that turn them into victims. It’s a never-ending loop. The faces change, the poor choices don’t.

In the most recent illustration of this concept, a cybercrime group dusted off a 15-year-old attack tool to victimize a new crop of fresh-faced college and university students. Most of these students were still learning to read the first time this tool was released to victimize fresh-faced and naive college students.


I cannot dismiss the similarities between the current COVID-19 threat to human life and the threat of damage from cyber actors that businesses face every day – and have since they plugged into the Internet. Of course, it must be understood the stakes are much higher when humanity is facing down a deadly virus as the ultimate end can be death, not the loss of money, data, or reputation.

In the debate over when to “re-open” our now closed lives and return to “normalcy”, the news reporters and pundits often dwell on the question of risk. But they rarely get it right.


The user is the weakest link. Long live the user.

All of us involved in the information security domain know that the end user is the weakest link of the security framework. Empirical study and anecdotal experience back this up. The bad guys know this and exploit it to maximum benefit. The 2019 Verizon Data Breach Investigations Report details that 94% of all cyber breaches start with an email. Yet as security professionals, we also realize that it is neither fair nor good form to blame the end user, particularly if they have not been properly trained.

Of course, it is easy to blame the user. Oh, how easy it is. Who clicked the link, answered the phone, or fell for the ridiculous story and sent the wire transfer? And they have received training. Well, at least a 15-minute lecture or a 3-minute video.
