Things Matt Wrote

Writings from the intersection of law enforcement and the Internet

This week President Biden claimed to be “committed to the cybersecurity of the country” and promised to hold those that threaten our nation's security accountable. He also announced that his administration was hosting a meeting with 30 countries from the NATO and G7 alliance to discuss the problem of cybercrime and come up with a plan to combat it. The statement asserted the group would bring the “full strength” of their capabilities to disrupt the malicious cyber actors.

Israeli defense minister Naftali Bennett describes Iran as an Octopus that spreads its influence across the middle-east through its long tentacles. Mr. Bennett is the original proponent of the “Octopus Doctrine” declaring the only way to successfully beat an octopus is to target its head. “When the tentacles of the octopus strike you, do not fight only against tentacles, but strike the head also”. Life comes from the head, not the tentacles.

Previously the Biden administration outlined a new strategy for combating ransomware and cybercrime as detailed in this Wall Street Journal article. The administration plans to target the financial infrastructure of ransomware gangs hoping to remove the financial incentive of cyber-criminality.

Targeting the financial systems is just striking at one of the tentacles. You may cut it off but seven more exist and as you battle those the injured one will grow back.

Read more...

I love speaking to telemarketers. It's a game really. I like to see how long I can keep them on the line before they hang up in frustration. The key is to not be an overt jerk and string them along like you want to be part of their program but just can't grasp what they need from you. Or offer a problem that they just can't get around. For instance, not being able to grasp the difference between a debit account and a credit account when credit card debt consolidators call. Another favorite is explaining that I live on an overgrown wooded lot and agreeing to purchase solar cells if the company will remove the five mature oak trees on my property.

Sometimes this game has unintended beneficial consequences. The vehicle warranty callers are relentless and I had been telling them that I have various vehicles and couldn't understand what vehicle they wanted to offer an extended warranty. They don't know what vehicle you own when they first call so their script offers a little social engineering attempting to get you to mention the make and model of your vehicle. I would try to keep them on the line as long as possible without ever mentioning a specific vehicle. Eventually, the caller would hang up. But someone else always called back. Sometimes the next day.

Recently one caller slipped and asked what vehicle I owned that was between the model years of 2012 and 2019. I guess the actual company behind the calls realizes there is no need to offer an extended warranty on a new vehicle that already has a valid warranty. Or one that is too old and will be a sure claim.

So, I told the next caller that I owned a 2021 Tesla to see how he handled the new model year. To my surprise, it wasn't the year that stymied him. It was the vehicle. The caller said, “Oh, we can't offer a warranty on a Tesla. I'll remove you from the list.” And then he hung up.

Read more...

I have written extensively about insider threats and I always touch on it when speaking about cyber-financial security. I am usually rebuffed by small business owners when I urge them to consider insider threat security and mitigations efforts. The counterarguments are usually something along the lines of “I only have 10 employees” or “We're like a family, I don't employ anyone I don't trust”. Their feelings quickly change when I explain that not all dangerous insiders are malicious. The term “threat” has such a harsh connotation that most people assume the insider had serious and deliberate intent to do the business harm. In most cases though, the employee that caused the damage just did something stupid. They clicked a link, were socially engineered by a phone caller, or published proprietary code to an open Github repository. I usually ask them about the receptionist who is a little too chatty with visitors or the bills payable clerk who has failed the phishing simulation audit every single time.

When it comes to small business security, the most dangerous employee can sometimes be the least suspected. And really good employees can become threats at any point. What about the employee who suddenly falls on hard times or has a minor surgery that leads to drug dependency. What about the employee that didn't get the promotion? These employees would never have considered acting against their employer if it would not have been for their unfortunate life situation. But drug addiction, financial distress, relationship turmoil, or animosity from discipline can make people act out of character.

Every business, no matter the size, needs to have an insider threat program. Even if it is just the business owner or a manager monitoring employee behavior and attitudes. Sally is going through a bad divorce. Bob is spending a lot of time at the casino and looks like he hasn't been taking care of himself. Jane is really, really, mad she didn't get that project manager position.

Read more...

I don't have writer's block, I am suffering from finishing block. I just can't finish any of my writings. I currently have three long-form pieces that are about 75% written and just need an adequate closing paragraph. Distraction is my enemy. The opposite of writer's block, my mind is constantly filled with thoughts and ideas. I keep a note of writing topics that I update as they come to me. It's a long note. Unfortunately, many of the ideas never get acted upon because I'm constantly onto something that shines brighter. Much like when I do find time to sit down and write. If I can't finish the entire article in one sitting the chances are it won't be finished. It's a struggle for me to return and complete a piece because I'm quickly onto something new.

Summer is a distraction. I recently had a day off my real job and I planned to spend it writing and working on a few other creative pursuits. As Mr. Burns so thoughtfully wrote, “The best-laid schemes o' Mice an' Men. Gang aft agley.” I soon found the weather too appealing and I spent the majority of my day by the pool with a cool beverage and island music. Needless to say, no writing was done.

I might also suffer from a bit of writer's fatigue. As an investigator, I write reports all day, every day. I write thousands of words per week just to document my regular work activities. Sometimes the last thing I want to do in the evening or weekend is to spend more time in front of a screen writing. And the energy I do have left goes into my weekly newsletter Threats Without Borders which gets published every Tuesday. You should really check it out and subscribe.

But I love to write and I have a lot to say. I just need to get to it!

The sun just peaked over the horizon and the coffee's brewed. I'll be back to finish writing this in a bit.

Every year for the past twelve years, my family takes a week-long vacation at a beach along the Atlantic ocean. Each trip sees me carry along a computer, a bag of books, and a project list. This year was no exception with the to-do list including a few articles to write, working on a new website for a side project, and updating my CV. As with all the other years, none of that got done. One thing that did get done, however, was the publishing of my weekly newsletter “Threats Without Borders”.

For the past 31 weeks, I have published a Substack newsletter highlighting the best news and opinion pieces I read over the preceding week concerning cyber and financial crime. CyFicrime as I have coined it. I'm a voracious reader and easily spend 20 hours a week just reading articles, blogs, and documents published on the Internet. The easiest way to share my knowledge is with a newsletter delivered through email. I joke with my colleagues that I read the entire Internet so they don't have to.

The newsletter has evolved. It was published for the first twenty-four weeks under the generic “Matt’s Newsletter” because, well, I just wasn’t witty enough to come up with anything else. Then the phrase “Threats Without Borders” came to me as an apt descriptive for cybercrime. The Internet allows criminal threat-actors to victimize others anywhere in the world. Regardless of physical location or geopolitical nationality. Your countries physical border is benign and irrelevant! The name was changed and I think it's been well received.

My goal from the start has been to publish a newsletter every week for 52 weeks. So far so good. And I even delivered during vacation.

I have an updated goal; grow the newsletter to 1000 subscribers by the end of 2021. This is easily obtainable. If you are reading this on the write.as blog – please consider checking the newsletter out and subscribing. If you casually browse to the substack site to read the newsletter – please subscribe. And if you already subscribe, please share it with a colleague. I'm not asking you to share your religion or opinion as to what is the best bear. (obligatory The Office joke)

Read Threats Without Borders at cyficrime.substack.com

I work for an accredited law enforcement agency. Dually accredited actually, holding sheepskins from both the Commission on Accreditation for Law Enforcement Agencies (CALEA) and the Pennsylviania Law Enforcement Accreditation Commission (PLEAC). We're one of the few agencies in the state that hold both the national and state accreditation titles. This an accomplishment to be proud of for sure, but it's expensive, burdensome, and at the end of the day may or may not make us better at policing.

The policy demands pushed down by various oversight organizations have been fast and furious in the aftermath of the death of George Floyd and the resulting focus on police. Particularly in the application of the use of force. Agencies that were accredited already met most of the policy demands called for by reformers but the need to look responsive is irresistible. Policies are tweaked, the language changed, “enacted dates” are updated to be current, and press releases touting agency reforms are issued. Some of these changes are badly needed, some are just policing reform theatre.

I'm a supporter of accreditation and believe that it's something every law enforcement agency should strive for. It's good for the leadership, it's good for the taxpayers, and at the end of the day, it's good for the individual officers. If the members of the agencies follow the policies as written they will be less likely to be questioned, disciplined, and end up named in a laws suit. And that is good for everyone. But it's not that easy. The policies are so vast, so broad, and some so complex, that compliance is difficult to achieve. Even for the best-intentioned officer. Many policy violations aren't because of deliberate intent, it is because the officer is making a split-minute decision while under extreme stress. The angle of his knee, on an actively resisting suspect's back, is the last thing on his mind. On the other hand, some are deliberately disregarded because they are complex, overly broad, and nearly impossible to comply with all of the time. Some officers believe, why even try?

Accreditation and compliance is also big business in the world of information security. And with ultimately the same result. Compliance is not security. If you believe that your organization is secure because it is deemed compliant you are going to be terribly disappointed. And look like a fool. Compliance models are a set of best practices that will lead the agency to a more productive and secure environment but you can't just enact the framework, declare yourself secure, and walk away.

Read more...

I will soon be able to add “itinerant laptop computer reviewer” to my resume. I am writing this on a new Apple Macbook Air computer. Yes, my third new laptop in the past four months. It's only been 12 hours but I think this may be the one. Of course, I've said that before.

In 2012, I purchased a new Macbook Pro computer and used it as my primary machine until 2018 when I needed to upgrade. It was a great computer but only had an Intel i5 chip and 8GB of memory. I had begun using multiple virtual machines for security and forensic purposes and it just couldn't keep up, even after a RAM upgrade to 16GB. I wanted to stay in the Apple “ecosystem” but I was dismayed with some of the comments Tim Cook had made at that time. I feel strongly that a business should provide me with products and services and let me decide my politics. If you want to be a politician then fine get into politics, otherwise, just make a good computer and keep your mouth shut. I didn't feel I could reward a business that had a CEO that believed I was a horrible and detestable person because of my personal beliefs. And was outspoken about it!

Anyways, I left Apple and went with a maxed-out Lenovo Thinkpad X1 Carbon. It was smoking hot with an i7 processor, 16GB of memory, and the best feeling keyboard I had ever typed on. It was fantastic. The only downside, and the one that ultimately set me on this journey, was it ran Windows. The physical machine is flawless. The operating system, not so much. And as regular readers know, earlier this year Microsoft made it a very expensive paperweight with a corrupted update.

Read more...

Over the past year, “Dwell Time” has become part of the American lexicon. The term, when used in the scope of infectious disease, is the measurement of time a disinfectant needs to remain wet on a surface to properly disinfect. The quicker a disinfectant solution kills pathogens and sanitizes a surface the better it works. The Covid-19 pandemic has made most of us experts in disinfectants.

The concept of dwell time is also important in the field of information and computer network security. Dwell time is the length of time a threat actor is active, while undetected, within a network. It is the measurement of time from breach to detection. Obviously, the longer the adversary lives in the environment the more time they have to steal data and damage systems. The ultimate goal of every security team is to reduce adversary dwell time to the least amount of time possible. A dwell time of ZERO is the ideal.

Security software and threat prevention company Sophos released a report titled “The Active Adversary Playbook 2021”. The report is well written and has garnered some attention within cybersecurity media and practitioners. One of the more prominent and celebrated points made by the report is a median adversary dwell time of eleven (11) days. I immediately winced when I read this claim. I'm not an expert by any means, but that number seemed way off. Particularly since Fireeye estimated the average dwell time to be 56 days in their 2020 M-Trends report. Did the security industry get that much better in just a year?

Read more...

My wife dropping her iPhone in the pool this week taught us two things. First, she learned how cold 64-degree water is as she had to get in to retrieve the phone. Second, regardless of what Apple claims, iPhones are not waterproof. To be fair, I suspect it was the salt more than the water that shorted out the device. Regardless, dropping your phone in a 64-degree saltwater swimming pool is going to result in negative consequences for both you and the device.

This event also reinforced another concept that needs to be stressed when discussing crisis and security incident planning. Data stored on digital media, and in the cloud, is worthless if you can't access it. The loss of the phone created significant complications for my wife since she couldn't complete the two-factor authentication process required to access many of her work systems and data. We save data to cloud storage systems for safety, security, and redundancy, but it's all for naught if you can't access any of it.

This brings up a bigger issue when considering Disaster Recovery and Business Continuity plans for your business. They are worthless if you don't have a copy when a disaster strikes.

Read more...

~ 90 days ago my Windows computer system crashed and burned. Microsoft pushed an update that corrupted the system and rendered it unrecoverable. I had back-ups so reinstalling the operating system and restoring the files would have been an adequate solution, albeit a pain-in-the-ass. I didn't go that route though. I was irate and didn't want to be a Microsoft Windows user anymore.

I have always been a Linux “tinkerer” and keep an extra Thinkpad with one distribution of Linux or another installed. The most recent was Pop!_OS from System76. I was so impressed by the system that I often thought, could this be a daily driver OS? I decided to answer that question when my Windows 10 system crashed and burned. Not just on a spare computer, or in a virtual machine, but on my main computer, as my everyday operating system. Will Linux work as my main computer operating system? Is 2021, finally the “Year of the Linux Desktop”?

Pop!_OS is a fantastic operating system that lives up to the hype-slogan “it just works”. Pop!_OS is sleek, polished, and aesthetically pleasing. It functions flawlessly on my Lenovo Thinkpad X1 Carbon (5th gen) and displays accurately on an external monitor. System76 actively develops the distribution and provides fantastic support to users and the community. The few problems I've had with configurations or installations have been easily solved by System76 support or documentation published by the community. Most importantly it has been stable. I have not had a single crash or unexpected system shut down and System76 has never forced the system to auto-install updates. The Pop!_OS user experience is good.

But, I must return to Windows.

Read more...

Enter your email to subscribe to updates.