Things Matt Wrote

Writings from the intersection of law enforcement and the Internet

Over the past year, “Dwell Time” has become part of the American lexicon. The term, when used in the scope of infectious disease, is the measurement of time a disinfectant needs to remain wet on a surface to properly disinfect. The quicker a disinfectant solution kills pathogens and sanitizes a surface the better it works. The Covid-19 pandemic has made most of us experts in disinfectants.

The concept of dwell time is also important in the field of information and computer network security. Dwell time is the length of time a threat actor is active, while undetected, within a network. It is the measurement of time from breach to detection. Obviously, the longer the adversary lives in the environment, the more time they have to steal data and damage systems. The ultimate goal of every security team is to reduce adversary dwell time as far as possible. A dwell time of ZERO is the ideal.

Security software and threat prevention company Sophos released a report titled “The Active Adversary Playbook 2021”. The report is well written and has garnered some attention among cybersecurity media and practitioners. One of the more prominent and celebrated points made by the report is a median adversary dwell time of eleven (11) days. I immediately winced when I read this claim. I'm not an expert by any means, but that number seemed way off. Particularly since FireEye estimated the average dwell time to be 56 days in their 2020 M-Trends report. Did the security industry get that much better in just a year?


My wife dropping her iPhone in the pool this week taught us two things. First, she learned how cold 64-degree water is as she had to get in to retrieve the phone. Second, regardless of what Apple claims, iPhones are not waterproof. To be fair, I suspect it was the salt more than the water that shorted out the device. Regardless, dropping your phone in a 64-degree saltwater swimming pool is going to result in negative consequences for both you and the device.

This event also reinforced another concept that needs to be stressed when discussing crisis and security incident planning. Data stored on digital media, and in the cloud, is worthless if you can't access it. The loss of the phone created significant complications for my wife since she couldn't complete the two-factor authentication process required to access many of her work systems and data. We save data to cloud storage systems for safety, security, and redundancy, but it's all for naught if you can't access any of it.

This brings up a bigger issue when considering Disaster Recovery and Business Continuity plans for your business. They are worthless if you don't have a copy when a disaster strikes.


About 90 days ago my Windows computer system crashed and burned. Microsoft pushed an update that corrupted the system and rendered it unrecoverable. I had backups, so reinstalling the operating system and restoring the files would have been an adequate solution, albeit a pain-in-the-ass. I didn't go that route though. I was irate and didn't want to be a Microsoft Windows user anymore.

I have always been a Linux “tinkerer” and keep an extra Thinkpad with one distribution of Linux or another installed. The most recent was Pop!_OS from System76. I was so impressed by the system that I often thought, could this be a daily driver OS? I decided to answer that question when my Windows 10 system crashed and burned. Not just on a spare computer, or in a virtual machine, but on my main computer, as my everyday operating system. Will Linux work as my main computer operating system? Is 2021 finally the “Year of the Linux Desktop”?

Pop!_OS is a fantastic operating system that lives up to the hype-slogan “it just works”. Pop!_OS is sleek, polished, and aesthetically pleasing. It functions flawlessly on my Lenovo Thinkpad X1 Carbon (5th gen) and displays accurately on an external monitor. System76 actively develops the distribution and provides fantastic support to users and the community. The few problems I've had with configurations or installations have been easily solved by System76 support or documentation published by the community. Most importantly, it has been stable. I have not had a single crash or unexpected system shutdown, and System76 has never forced the system to auto-install updates. The Pop!_OS user experience is good.

But, I must return to Windows.


Email security company Mimecast released their annual “State of Email Security” report for 2021. The report is based on a survey of 1,225 information technology and security professionals from businesses around the globe. The survey participants were from businesses that spanned the industrial sectors including technology and telecommunications, financial services, manufacturing, and health care.

The report is well done and easy to digest. It is not easy to accept though. It's not that the data appears illegitimate or deceitful, but is a stark reminder of the uphill battle security practitioners face in trying to protect their organizations.

Some of the statistics are expected, such as six out of ten organizations sustaining a ransomware attack in the past twelve months. Threats delivered by email rose by 64% in 2020. 70% of respondents expect that their business will be harmed by an email-borne attack in 2021, and of those, 26% claim that such an event is inevitable. Of course, it makes you wonder about the 30% that don't believe they will be afflicted by a damaging email attack this year. There is a fine line between confidence and lunacy.


The 2020 Internet Crime Report was recently released by the FBI's Internet Crime Complaint Center. The one stat that stood out was the significant increase in extortion reports. The center received 43,101 reports of extortion in 2019. That number jumped to 76,441 in 2021, accounting for a 78% increase.

That increase in crime is certainly more palatable than the 110% increase in phishing complaints the center received, but a 78% increase is still significant. And extortion?

My immediate thought was that IC3 is now counting Denial of Service for Ransom attacks as extortion, which would be correct. These cyber-shakedowns are nothing less than criminal extortion. Think of the 1920s gangster walking into the local butcher shop, “Nice shop you have here, would be a shame if you had a fire,” but apply it to a website, à la “Nice website you have here, sure would be a shame if it was taken offline”. I have previously written about RDOS (Ransom DOS) attacks.


Several years ago, I was a guest on a local radio show where I spoke about Internet-enabled fraud. The final question asked by the show host was, “what are 'three quick things' that someone can do to protect themselves from cybercrime?”. It was such a simple question, but it really caught me off guard. How could I hesitate on this? I had just spoken about fraud schemes for the past 30 minutes. I was able to quickly name three things so I didn't look like a complete fool, but as I look back, the three tips that I gave weren't the best. It wasn't that I didn't know the answer; in fact, it was the complete opposite: I knew too much. The struggle was taking a huge volume of information and distilling it down into three bullet points. The quick and immediate “musts” of your topic.

Since that time, whenever I go speak publicly, I always prepare my “three quick things” answer for the given topic. These prepared responses also come in handy during a regular conversation. It's nice to immediately have a coherent response when friends, family, and colleagues ask for your opinion on a topic where you are recognized as being more knowledgeable than others.

Most small businesses, say fewer than 100 employees, do not have any dedicated employee for IT services, let alone security. Most of the time it is a collective effort to keep the Internet on and the printers connected. The lucky ones can afford contract services, but for most, security is a wing and a prayer.

“What are some things I can do to keep my business secure?” is the most frequent question I get asked by these small business owners.

Three Quick Things:


I was recently involved in a conversation with colleagues where we marveled over the abundance of suitable victims that perpetuate cyber-criminality. Police agencies around the country receive daily calls from people who wish to self-report their technology-enabled victimization. I am cautious to not engage in victim shaming but the majority of these reports leave investigators speechless. Literally, head shaking and speechless.

Our conversation begged the question: Why do we even show up to work anymore? We could be sitting on a sunny beach, drinking piña coladas, and running Craigslist frauds from our prepaid cellphones!

The conversation was obviously in jest, but the underlying questions have stuck with me. Internet-facilitated crimes are fairly easy to conduct, remain relatively low risk, and are very profitable. So what keeps those of us who understand the methods and mechanics of cyber-fraud from committing them ourselves? There are thousands of law enforcement and private security practitioners all around the world who have a deep understanding of how, and why, these fraud techniques work. They know the capabilities of law enforcement and are aware of what gets investigated and what does not. And yet, they continue to show up every day to fight the good fight and never engage in any criminality. Even when crime is the easier and much more profitable choice.



In October of 2020, the Treasury Department issued a warning to domestic financial institutions that facilitating ransom payments on behalf of ransomware victims could be an Office of Foreign Assets Control (OFAC) violation. The warning noted that many ransomware attackers are based in countries that are on the OFAC sanction list. These countries include North Korea, Russia, Ukraine, Iran, and Syria. Shortly after that warning was issued, I published an article titled “Ransom and Rats” where I explained why law enforcement strongly discourages ransom payments. Paying the ransom perpetuates and broadens the crime by rewarding the bad guys for their criminal conduct. I likened the ransomware actors to the rats used by psychologist B.F. Skinner. If every time the rat hits the bar it gets food, then it is going to keep hitting the bar. If ransomware actors continue to get paid, they are going to keep spreading ransomware!

Of the classical criminological theories that can be applied to cyber-enabled crime, Rational Choice Theory fits perfectly when applied to ransomware actors. The theory holds that people are free to choose their behavior and make these choices based on the avoidance of pain and the pursuit of pleasure. People choose to commit crime because it is in some way rewarding, either mentally, physically, or financially. Offenders will commit a crime when it is fun, satisfying, easy, and financially rewarding. Crime is discouraged through the fear of punishment. If offenders believe they will be identified, captured, and punished, they are less likely to engage in a given criminal activity. People weigh the cost-benefit factors when deciding whether to commit a crime and act accordingly in their own best interest. They make a rational choice.

This is the basis of the current ransomware epidemic. Ransomware attacks are easy to facilitate, there is a low likelihood of identification or capture, and it is profitable. If you have no moral convictions prohibiting you from engaging in criminal activity there is no reason to not give ransomware a try. It is a rational choice.

Did I mention that ransomware attacks are profitable?


A week ago, Microsoft pushed an update to my Windows machine rendering it unusable. Absolutely corrupted! Look down to the previous post or click HERE to read a bit more about that.

I had been playing around with the Pop!_OS Linux distribution for a while and decided to make it my main operating system (or die trying). Here are some thoughts and observations after being 'All in on Pop' for the past week.

Pop!_OS (20.10) as run on a Lenovo Thinkpad X1 Carbon (5th generation).

I once heard someone explain that the reason Microsoft does not make the Office suite for Linux is because there would be no reason to use Windows. This is probably more true than Microsoft would like to admit. The most challenging part of switching from Windows to Linux is the translation of office documents, including Word, Excel, and PowerPoint slide shows, to a format compatible with an available Linux application. This is especially daunting for those of us who live in the world of government, where Word docs and PowerPoint are the common languages. Tell someone at a police department you are sending them a file in Open Document Format and they’ll be lost for three days.


I could have alternatively titled this piece “In with two feet”, or “My hand was played”, or “Windows Sucks so now I'm 100% Linux”.

Microsoft Windows pushed an update to the machine Friday morning that rendered it useless. I'm assuming the service pack was supposed to make the computer run better, maybe more securely, but it just left it with a blank black screen. I spent about four hours doing everything the IT Help Desk experts of the Internet said I should, but nothing worked. I could “Ctrl/Alt/Del” into the control panel but nothing from there. It wouldn't even boot into safe mode. Seriously dead.

I have a somewhat robust backup strategy, so I had all of my content (almost) saved somewhere else. I lost some text docs I had saved to the desktop and some PDFs I had recently downloaded, but nothing irreplaceable. The true loss is the workflow. The software, the utilities, the folder structure, and the working environment you have spent the past three years perfecting. If anyone from Microsoft reads this – Time Machine, please. System restore points are awesome until you can't access them.

