This week I hit the publish button on Issue 100 of the Threats Without Borders Newsletter. Here is the opening editorial of the issue:
I've been considering which is more significant, 100 or 2? In four weeks, this newsletter will reach the two-year milestone, but today’s issue is release 100. I have (somehow) managed to push out a Tw/oB newsletter every week for 100 straight weeks. There are few (optional) tasks in my life that I have done for 100 straight weeks. Through sickness, vacation, family, and a full-time job that never provides relief, I have managed to hit the publish button every Tuesday morning. I understand the interpretation of “quality” is left for the reader, but I’m damn proud of my effort regardless.
Please help me continue to grow by sharing the newsletter with others.
This week I spoke to a group of older adults at the local senior center to discuss the current fraud schemes that target senior citizens and how they can avoid victimization. The last question of the day was, “what is the one thing anyone can do to help protect themselves from online fraud?” Inevitably, the same question is asked when I speak to younger adults about the responsible use of technology and avoiding victimization. Although the schemes come in different flavors, members of both age groups end up as victims for two primary reasons: lack of experience and a failure to apply sound reasoning.
Everyone needs a trusted counselor in their life. Someone other than a person that lives in the same house. I give the example that my wife and I have been together for so long that we generally see the world through the same lens. While we have different views on my cars, the value of good bourbon, or who should empty the dishwasher, we are absolutely in sync on the majority of important topics. I'm certain we would give near-identical answers if you surveyed us on finances, politics, or raising children. This is where fraud victims go astray so many times. They seek advice about a questionable financial transaction from a spouse or someone else they spend the majority of their time with. The chances are this person will see the problem through lenses shaped by similar lived experiences. And they are probably just as inexperienced with modern technology and how it is used to facilitate fraud.
Talking to a trusted person who doesn't live in your house and has a different worldview is one of the best ways to prevent financial victimization. In many cases, older adults fear seeking advice from grown children as they don't want to appear vulnerable or incapable of taking care of themselves. Alternatively, they should speak with a trusted neighbor, a life-long friend, someone at the senior center, or even call the local police.
Most of the current fraud schemes require the victim to make hasty decisions. Inexperience, lack of information, and FEAR are what the fraudsters prey upon. Slow the game down to get a better view and allow time to consider alternative options. Evaluate the issue and what you're being asked to do. Seeking counsel from a trusted person who sees the world through a different viewfinder usually reveals that the offer really is too good to be true.
I've been thinking a lot about security and how to better protect organizations and assets. And this applies to both financial institution security and policing. We both are responsible for securing people and property.
So many times we remain unaware of an adversary's technique or tactic until it is applied to our organization. A new ATM exploit, method of depositing fake checks, or laundering gift cards. “We didn't know about it” is only a valid excuse if you are Victim-0. You should be actively seeking out new threats, new tactics, and new procedures and then altering your security posture to protect your organization.
Traditionally, in security and in policing, we are reactive. We stand the post. We wait for something to happen. We wait for the bad guy to make himself known. Then we react. The traditional sheepdog guarding the flock. But what if we went out and watched the wolves? We studied them. Learned their methods and techniques. Knew when they were coming and were ready for them. And trained the sheep to protect themselves.
I get it. We are so busy working on existing cases that there is no time to study what happened to someone else. Time to read, communicate, and share is at a premium. There are only so many hours in a day. In a week. But that is how you become a better investigator. Recognize the TTPs – Tactics, Techniques, Procedures – of the bad guy. Recognize the signatures. Know what is connected and what isn't. Make your organization more secure. If you can prevent some cases then you won't have so many to investigate and therefore won't be so busy. Have the route planned before you need to take the trip.
We have two obligations:
1) Seek this information. Learn every day. Dedicate yourself to becoming a more knowledgeable practitioner each day, not just on training days.
2) Share information when you become patient 0 or 500. Pride has no place here. Acknowledge victimization to help others and others will do the same to help you.
We must be out in front, offensively. We can't wait until the enemy is already inside the city. Go find them. Study them. And when they come to our city we'll meet them at the gate, with a snarky smile, and tell them not today.
So, this isn’t Cy-Fi Crime related but hear me out – I have a theory (or maybe just an observation).
I work in a tourist town that has a large entertainment complex including a stadium that is used to host large musical concerts. Every summer the national touring acts come to town, and for a few hours I take off my cyber-financial cop hat and put on my drunk-and-disorderly cop hat. It’s no longer fun for me but it’s overtime pay and I have some kids to put through college.
These events result in my agency dealing with a lot of drunk teenagers and young adults, in fact, more than our fair share. I’d challenge that throughout a busy concert season we deal with just as many as any popular beach town.
Suffice it to say I’ve observed countless numbers of drunks over the past 23 years. And I can’t remember ever seeing as many absolutely wrecked young females as we have seen over the past two seasons (and this season is only at the mid-point).
This trend seems to have risen along with the popularity of hard seltzer alcoholic drinks.
These easy-to-consume drinks with moderate levels of alcohol appear to have significantly increased alcohol abuse among young females.
In the past, the method for young people to get rip-roaring drunk has been excessive consumption of beer or hard liquor.
Neither of these has been popular with most young females. It’s rare when you see a young girl in a sundress hammer down a sixer of Busch Lite. Or carrying around a bottle of Jack.
But throwing back five or six pre-concert White Claws? That’s not only easy to do, but it’s also enjoyable. These drinks taste great and at only 100 calories apiece they are great for the waistline. They are also very palatable for inexperienced drinkers who have no stomach for beer or bourbon.
Here is my theory if anyone in the behavioral science field wants to expand upon it. Hard seltzer drinks are extremely popular with young females, which has caused an increase in alcohol abuse within this demographic, leading to never-before-seen levels of underage drinking and public drunkenness.
I surprised a colleague this week when I claimed my number one investigation tool was Google. Although I don’t use it for my personal searching, I begin every investigation, whether the target is a human or a business, with a standard Google search. I have an arsenal of more advanced tools that I transition into but many times the inquisition needs to go no further than some simple Google-Fu.
Two quick tips for better Google results:
Use the tabs.
At the top of your results page, you'll see a series of tabs that are generally titled “All”, “News”, “Images”, “Videos”, “More”, and “Tools”. It’s surprising how many people completely ignore these convenient time savers. The two that I always hit are Images and Tools.
Images: Developers use an HTML attribute called “alt text” (alternative text) when embedding an image into a web page.
This attached text allows the end-user to receive some information about an image if for some reason they cannot view it. Most developers will include a description of an image and proper names if it includes a person or persons. The person you are searching for may not be mentioned in the article but may be tagged in the alt text of an image. I have linked many people to an event or business simply because they were tagged in an image.
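To make the alt-text point concrete, here is an added example (my own illustration, not code from the newsletter) that pulls the `src` and `alt` attributes out of every `<img>` tag on a page using Python's standard-library `html.parser`, then filters for images whose alt text mentions a given name. The page content, image paths and the names "Jane Doe" and "Bob Roe" are constructed placeholders. The same routine is useful from the other side of the fence: run it against your own organization's pages to see which people your image descriptions name, since that text is indexed even when the article body never mentions them.

```python
from html.parser import HTMLParser


class ImageAltCollector(HTMLParser):
    """Collect the src and alt attributes of every <img> tag in a page."""

    def __init__(self):
        super().__init__()
        self.images = []  # list of (src, alt) tuples; alt is None when the attribute is absent

    def handle_starttag(self, tag, attrs):
        # HTMLParser also routes self-closing <img ... /> tags through here.
        if tag.lower() != "img":
            return
        attr_map = dict(attrs)
        self.images.append((attr_map.get("src"), attr_map.get("alt")))


def extract_image_alt(html_text):
    """Return [(src, alt), ...] for each image, in document order."""
    collector = ImageAltCollector()
    collector.feed(html_text)
    collector.close()
    return collector.images


def images_mentioning(html_text, term):
    """Return the src of every image whose alt text contains `term` (case-insensitive)."""
    needle = term.casefold()
    return [
        src
        for src, alt in extract_image_alt(html_text)
        if alt is not None and needle in alt.casefold()
    ]


# Constructed sample page: the article body never names "Jane Doe";
# only the alt text of the first photo does.
SAMPLE_HTML = """
<html><body>
<h1>Local business celebrates grand opening</h1>
<p>Dozens gathered downtown Saturday for the ribbon cutting.</p>
<img src="/photos/ribbon.jpg" alt="Jane Doe and Bob Roe cutting the ribbon at the Acme Storefront opening">
<img src="/photos/crowd.jpg" alt="Crowd outside the store" />
<img src="/photos/logo.png">
</body></html>
"""

if __name__ == "__main__":
    for src, alt in extract_image_alt(SAMPLE_HTML):
        print(f"{src}: {alt!r}")
    print("Images mentioning Jane Doe:", images_mentioning(SAMPLE_HTML, "jane doe"))
```

The third image has no `alt` attribute at all, which the collector reports as `None` rather than an empty string, so a site audit can distinguish "no description" from "described but says nothing useful".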
Timeline: The “Tools” tab will allow you to timeline your search results. I generally start by narrowing the search results to the “Past Year” to get the most relevant results and then expand from there.
Scroll to the bottom of the search results and look at the related searches suggested by Google. You're probably not the first person to ask the question and someone else probably worded it better than you. If Google is offering it, they have already searched it and probably have the identified resources cached for quick access. Many times the search suggestions will pivot you to a better course than you initially set yourself.
The 2022 Verizon Database Breach Investigations Report (VDBIR) shows that 88% of all incidents have a human element as partial causation for the breach. Why are people not getting this? Why are they so bad at basic security? Yes, some of them are just stupid. But that's the minority of people so we can't hang our hat on that. Maybe it's because we security practitioners, law enforcement investigators, and crime-prevention specialists are just not very good at our jobs. Maybe?
Leadership expert Simon Sinek has a model called the Golden Circle which provides a vehicle to help leaders better communicate company goals and achieve employee buy-in of the mission. Traditional top-down communication starts from what. What to do, or not to do, and then moves to how to get it done. The “why” of a task is only explained if the subordinates ask enough, and even then the answer is usually something along the lines of “because we said so”.
Sinek proposes that true leaders start with the “Why”. The conversation starts with an explanation of why something needs to be done and details the positive benefit the task will have on the organization and the employee. The leader gets buy-in for the project before they move to the hard details of the what and how.
As security and crime-prevention practitioners we are super at telling people what to do, and how to do it, but do we ever really explain the why? Our awareness training sessions usually go something like this: This is a phishing email. This is how you can tell it's a phishing email. “Bad things” will happen if you click the link in this email. O.K. Thanks for your time and we'll see you all again next year.
Did we get buy-in? Or did we only do security theater?
I currently have 181 passwords in my password manager. Sadly, that's not even all of the passwords I keep as I have some systems and equipment that don't require stringent security so they don't get entered into the Bitwarden application. I maintain one Windows computer where the password is simply “Q”. Passwords for my virtual machines use a common alphanumeric scheme based on the operating system so I always know the password based on the machine. All in all, I probably maintain at least 200 passwords.
My password numbers may be a bit excessive as most people don’t have multiple sock-puppet accounts or feel the need to register their name with every new email service. A 2020 study conducted by NordPass found the average Internet user maintains one hundred passwords. And that's the problem.
Internet-enabled crime is largely underreported. Those affected by cybercrime may not know how or where to report their victimization. Some are too embarrassed to report it while many others don't even know they've been victimized. Regardless of the reason, the majority of persons victimized by cybercriminals fail to report it to law enforcement. A 2020 crime survey of England and Wales suggested that only 16.6% of frauds are being reported and only 1.7% of those victimized by “computer misuse offenses” are self-reporting their victimization.
Businesses aren't much better at reporting their victimization. This 2019 report by global IT and cybersecurity association ISACA found that enterprise and other business entities are vastly under-reporting cybercrime victimization, even when legally mandated to notify law enforcement and regulatory agencies.
The underreporting of cybercrimes makes the 2021 Internet Crime Report from the Internet Crime Complaint Center even more remarkable.
The Internet Crime Complaint Center (IC3) is the cybercrime reporting and analysis mechanism for the Federal Bureau of Investigation. The center facilitates an easy and efficient way for citizens and businesses to self-report their victimization and losses. The collected information is then analyzed to look for trends and investigative leads. The results are distributed to FBI field offices for follow-up investigation and for information releases to educate the public. Each year the organization creates a summary of the previous year's numbers and publishes it as the Internet Crime Report.
The 2021 Internet Crime Report follows the trend of its predecessors in revealing that cybercrime has increased from the previous year. In 2021, the IC3 accepted 847,376 reports, which is a 7% increase over the number received in 2020. The reported dollar loss is greater than $6.9 billion.
Remember that cybercrime victimization is grossly underreported? Yeah, so what are the true numbers for 2021? It's mind-boggling.
Part 1 detailed the hardware that I use every day. You can read it here.
Part 2 is a listing of the services, applications, and extensions that I use to increase my productivity and make my life easier. Well, sometimes it makes things harder. Does anyone want to guess how much time I've spent trying to find the perfect to-do list app? (Cue the hysterical laughter of hardcore pen and paper adherents)
Evernote. Let's just get this out of the way upfront as we are all on the constant search for the ultimate method to take and keep notes. I was an early adopter of Evernote but left when they socked us with a significant subscription fee increase a few years back. Then I spent years wandering in the wilderness experimenting with about every note-taking application available. Google Keep, OneNote, Joplin, Apple Notes, Bear, SimpleNote, and the list could go on. Last year, I broke down and paid Evernote's ransom demand because it is the best. At least for me.
Dropbox. Same story as Evernote. I've tried other services and Dropbox just works. I still have accounts and keep storage in OneDrive, iCloud, Box, and a few others, but Dropbox is my main cloud drive.
Bitwarden. Probably the most frequent question I'm asked is, “What password manager do you suggest?”. I used LastPass for years and was happy with it until they rearranged their fee schedule and limited the number of devices you can link on the free tier. Password managers are not that complicated, technically, and don't deserve some of the extravagant fees they demand. Bitwarden is open source, easy to use, and is free.
Last week, I presented to the Delaware Valley Chapter of the International Association of Financial Crime Investigators. The intent of the talk was to demonstrate the lack of privacy when using Google products but many of the follow-up questions were about specific technologies that I personally use. I received several subsequent emails seeking additional clarification and technical advice.
So, I thought I'd do a write-up detailing my personal Tech Stack. Here is a general list of the technology, both hardware and software, that I use every day (almost).
The writing will be published in two different pieces due to its length. The first piece will detail the physical hardware devices and the second will be the software and services.
I don't want this to be construed as some affiliate marketing effort so there are no links to the products. You'll have to do the hard part yourself.
1) Apple Macbook Air (Apple silicon M1 chip, 16GB of memory, 1TB drive). I've had quite a run of laptops over the years and have owned four different ones in the past 18 months. You can read a bit about this experiment HERE. But for the past six months, I've been using a Macbook Air with the Apple silicon ARM-based M1 chip and it's pretty awesome. In terms of design and construction, it's unrivaled. macOS Monterey is good and always being further refined. If I could run Pop_OS on this piece of hardware the sun, moon, and earth, would be in perfect alignment.
2) Lenovo Thinkpad X1 Carbon (5th generation) running the PopOS Linux distribution. I have a special affinity for Thinkpad machines (I currently own three different models) and will always have one ready to boot up. This machine runs the Linux distribution PopOS by System76. I want this to be my everyday computer but I need to use some applications that just don't play well with Linux yet.
3) Apple iPhone 12. Meh. Works well and I have no complaints. I only switched back to an iPhone because of the continuity with the Macbook. And Google is evil so owning an Android-based phone is no longer tenable.