Every year for the past twelve years, my family takes a week-long vacation at a beach along the Atlantic ocean. Each trip sees me carry along a computer, a bag of books, and a project list. This year was no exception with the to-do list including a few articles to write, working on a new website for a side project, and updating my CV. As with all the other years, none of that got done. One thing that did get done, however, was the publishing of my weekly newsletter “Threats Without Borders”.
For the past 31 weeks, I have published a Substack newsletter highlighting the best news and opinion pieces I read over the preceding week concerning cyber and financial crime. CyFicrime as I have coined it. I'm a voracious reader and easily spend 20 hours a week just reading articles, blogs, and documents published on the Internet. The easiest way to share my knowledge is with a newsletter delivered through email. I joke with my colleagues that I read the entire Internet so they don't have to.
The newsletter has evolved. It was published for the first twenty-four weeks under the generic “Matt’s Newsletter” because, well, I just wasn’t witty enough to come up with anything else. Then the phrase “Threats Without Borders” came to me as an apt descriptor for cybercrime. The Internet allows criminal threat-actors to victimize others anywhere in the world, regardless of physical location or geopolitical nationality. Your country's physical border is benign and irrelevant! The name was changed and I think it's been well received.
My goal from the start has been to publish a newsletter every week for 52 weeks. So far so good. And I even delivered during vacation.
I have an updated goal: grow the newsletter to 1000 subscribers by the end of 2021. This is easily obtainable. If you are reading this on the write.as blog – please consider checking the newsletter out and subscribing. If you casually browse to the Substack site to read the newsletter – please subscribe. And if you already subscribe, please share it with a colleague. I'm not asking you to share your religion or opinion as to what is the best bear. (obligatory The Office joke)
I work for an accredited law enforcement agency. Dually accredited actually, holding sheepskins from both the Commission on Accreditation for Law Enforcement Agencies (CALEA) and the Pennsylvania Law Enforcement Accreditation Commission (PLEAC). We're one of the few agencies in the state that hold both the national and state accreditation titles. This is an accomplishment to be proud of for sure, but it's expensive, burdensome, and at the end of the day may or may not make us better at policing.
The policy demands pushed down by various oversight organizations have been fast and furious in the aftermath of the death of George Floyd and the resulting focus on police. Particularly in the application of the use of force. Agencies that were accredited already met most of the policy demands called for by reformers but the need to look responsive is irresistible. Policies are tweaked, the language changed, “enacted dates” are updated to be current, and press releases touting agency reforms are issued. Some of these changes are badly needed, some are just policing reform theatre.
I'm a supporter of accreditation and believe that it's something every law enforcement agency should strive for. It's good for the leadership, it's good for the taxpayers, and at the end of the day, it's good for the individual officers. If the members of the agencies follow the policies as written they will be less likely to be questioned, disciplined, and end up named in a lawsuit. And that is good for everyone. But it's not that easy. The policies are so vast, so broad, and some so complex, that compliance is difficult to achieve. Even for the best-intentioned officer. Many policy violations aren't because of deliberate intent; it is because the officer is making a split-minute decision while under extreme stress. The angle of his knee, on an actively resisting suspect's back, is the last thing on his mind. On the other hand, some are deliberately disregarded because they are complex, overly broad, and nearly impossible to comply with all of the time. Some officers believe, why even try?
Accreditation and compliance are also big business in the world of information security. And with ultimately the same result. Compliance is not security. If you believe that your organization is secure because it is deemed compliant you are going to be terribly disappointed. And look like a fool. Compliance models are a set of best practices that will lead the agency to a more productive and secure environment, but you can't just enact the framework, declare yourself secure, and walk away.
I will soon be able to add “itinerant laptop computer reviewer” to my resume. I am writing this on a new Apple Macbook Air computer. Yes, my third new laptop in the past four months. It's only been 12 hours but I think this may be the one. Of course, I've said that before.
In 2012, I purchased a new Macbook Pro computer and used it as my primary machine until 2018 when I needed to upgrade. It was a great computer but only had an Intel i5 chip and 8GB of memory. I had begun using multiple virtual machines for security and forensic purposes and it just couldn't keep up, even after a RAM upgrade to 16GB. I wanted to stay in the Apple “ecosystem” but I was dismayed with some of the comments Tim Cook had made at that time. I feel strongly that a business should provide me with products and services and let me decide my politics. If you want to be a politician then fine get into politics, otherwise, just make a good computer and keep your mouth shut. I didn't feel I could reward a business that had a CEO that believed I was a horrible and detestable person because of my personal beliefs. And was outspoken about it!
Anyways, I left Apple and went with a maxed-out Lenovo Thinkpad X1 Carbon. It was smoking hot with an i7 processor, 16GB of memory, and the best feeling keyboard I had ever typed on. It was fantastic. The only downside, and the one that ultimately set me on this journey, was it ran Windows. The physical machine is flawless. The operating system, not so much. And as regular readers know, earlier this year Microsoft made it a very expensive paperweight with a corrupted update.
Over the past year, “Dwell Time” has become part of the American lexicon. The term, when used in the scope of infectious disease, is the measurement of time a disinfectant needs to remain wet on a surface to properly disinfect. The quicker a disinfectant solution kills pathogens and sanitizes a surface the better it works. The Covid-19 pandemic has made most of us experts in disinfectants.
The concept of dwell time is also important in the field of information and computer network security. Dwell time is the length of time a threat actor is active, while undetected, within a network. It is the measurement of time from breach to detection. Obviously, the longer the adversary lives in the environment the more time they have to steal data and damage systems. The ultimate goal of every security team is to reduce adversary dwell time to the least amount of time possible. A dwell time of ZERO is the ideal.
Security software and threat prevention company Sophos released a report titled “The Active Adversary Playbook 2021”. The report is well written and has garnered some attention within cybersecurity media and among practitioners. One of the more prominent and celebrated points made by the report is a median adversary dwell time of eleven (11) days. I immediately winced when I read this claim. I'm not an expert by any means, but that number seemed way off. Particularly since FireEye estimated the average dwell time to be 56 days in their 2020 M-Trends report. Did the security industry get that much better in just a year?
My wife dropping her iPhone in the pool this week taught us two things. First, she learned how cold 64-degree water is as she had to get in to retrieve the phone. Second, regardless of what Apple claims, iPhones are not waterproof. To be fair, I suspect it was the salt more than the water that shorted out the device. Regardless, dropping your phone in a 64-degree saltwater swimming pool is going to result in negative consequences for both you and the device.
This event also reinforced another concept that needs to be stressed when discussing crisis and security incident planning. Data stored on digital media, and in the cloud, is worthless if you can't access it. The loss of the phone created significant complications for my wife since she couldn't complete the two-factor authentication process required to access many of her work systems and data. We save data to cloud storage systems for safety, security, and redundancy, but it's all for naught if you can't access any of it.
This brings up a bigger issue when considering Disaster Recovery and Business Continuity plans for your business. They are worthless if you don't have a copy when a disaster strikes.
About 90 days ago my Windows computer system crashed and burned. Microsoft pushed an update that corrupted the system and rendered it unrecoverable. I had back-ups so reinstalling the operating system and restoring the files would have been an adequate solution, albeit a pain-in-the-ass. I didn't go that route though. I was irate and didn't want to be a Microsoft Windows user anymore.
I have always been a Linux “tinkerer” and keep an extra Thinkpad with one distribution of Linux or another installed. The most recent was Pop!_OS from System76. I was so impressed by the system that I often thought, could this be a daily driver OS? I decided to answer that question when my Windows 10 system crashed and burned. Not just on a spare computer, or in a virtual machine, but on my main computer, as my everyday operating system. Will Linux work as my main computer operating system? Is 2021 finally the “Year of the Linux Desktop”?
Pop!_OS is a fantastic operating system that lives up to the hype-slogan “it just works”. Pop!_OS is sleek, polished, and aesthetically pleasing. It functions flawlessly on my Lenovo Thinkpad X1 Carbon (5th gen) and displays accurately on an external monitor. System76 actively develops the distribution and provides fantastic support to users and the community. The few problems I've had with configurations or installations have been easily solved by System76 support or documentation published by the community. Most importantly it has been stable. I have not had a single crash or unexpected system shut down and System76 has never forced the system to auto-install updates. The Pop!_OS user experience is good.
Email security company Mimecast released their annual “State of Email Security” report for 2021. The report is based on a survey of 1,225 information technology and security professionals from businesses around the globe. The survey participants were from businesses that spanned the industrial sectors including technology and telecommunications, financial services, manufacturing, and health care.
The report is well done and easy to digest. It is not easy to accept though. It's not that the data appears illegitimate or deceitful, but is a stark reminder of the uphill battle security practitioners face in trying to protect their organizations.
Some of the statistics are expected, such as six out of ten organizations having sustained a ransomware attack in the past twelve months. Threats delivered by email rose by 64% in 2020. 70% of respondents expect that their business will be harmed by an email-borne attack in 2021, and of those 26% claim that such an event is inevitable. Of course, it makes you wonder about the 30% that don't believe they will be afflicted by a damaging email attack this year. There is a fine line between confidence and lunacy.
The 2020 Internet Crime Report was recently released by the FBI's Internet Crime Complaint Center. The one stat that stood out was the significant increase in extortion reports. The center received 43,101 reports of extortion in 2019. That number jumped to 76,441 in 2021, accounting for a 78% increase.
That increase in crime is certainly more palatable than the 110% increase in phishing complaints the center received, but a 78% increase is still significant. And extortion?
My immediate thought was that IC3 is now considering Denial of Service for Ransom attacks as extortion, which would be correct. These cyber-shakedowns are nothing less than criminal extortion. Think of the 1920s gangster walking to the local butcher shop, “Nice shop you have here, would be a shame if you had a fire” but apply it to a website, à la “Nice website you have here, sure would be a shame if it was taken offline”. I have previously written about RDOS (Ransom DOS) attacks.
Several years ago, I was a guest on a local radio show where I spoke about Internet-enabled fraud. The final question asked by the show host was, “what are 'three quick things' that someone can do to protect themselves from cybercrime?”. It was such a simple question but it really caught me off guard. How could I hesitate on this? I had just spoken about fraud schemes for the past 30 minutes. I was able to quickly name three things so I didn't look like a complete fool, but as I look back, the three tips that I gave weren't the best. It wasn't that I didn't know the answer; in fact, the complete opposite, I knew too much. The struggle was taking a huge volume of information and distilling it down into three bullet points. The quick and immediate “musts” of your topic.
Since that time, whenever I go speak publicly, I always prepare my “three quick things” answer for the given topic. These prepared responses also come in handy during a regular conversation. It's nice to immediately have a coherent response when friends, family, and colleagues ask for your opinion on a topic where you are recognized as being more knowledgeable than others.
Most small businesses, say less than 100 employees, do not have any dedicated employee for IT services, let alone security. Most of the time it is a collective effort to keep the Internet on and the printers connected. The lucky ones can afford contract services, but for most, security is a wing and a prayer.
“What are some things I can do to keep my business secure?” is the most frequent question I get asked by these small business owners.
I was recently involved in a conversation with colleagues where we marveled over the abundance of suitable victims that perpetuate cyber-criminality. Police agencies around the country receive daily calls from people who wish to self-report their technology-enabled victimization. I am cautious to not engage in victim shaming but the majority of these reports leave investigators speechless. Literally, head shaking and speechless.
Our conversation begged the question: Why do we even show up to work anymore? We could be sitting on a sunny beach, drinking piña coladas, and running Craigslist frauds from our prepaid cellphones!
The conversation was obviously in jest, but the underlying questions have stuck with me. Internet-facilitated crimes are fairly easy to conduct, remain a relatively low risk, and are very profitable. So what keeps those of us who understand the methods and mechanics of cyber-fraud from committing them ourselves? There are thousands of law enforcement and private security practitioners all around the world that have a deep understanding of how, and why these fraud techniques work. They know the capabilities of law enforcement and are aware of what gets investigated and what does not. And yet, they continue to show up every day to fight the good fight and never engage in any criminality. Even when crime is the easier and much more profitable choice.