Things Matt Wrote

Writings from the intersection of law enforcement and the Internet

I stopped making new year's resolutions a long time ago because I wasn't very good at keeping them. The pressure to maintain the effort became another stressor in my life. You can only fail at losing 15 pounds or daily teeth flossing so many times. I still set yearly goals, but only ones for which I have developed a plan and a roadmap to achieve them.

Making new year's resolutions is still popular for others, and I have heard many declare their ill-fated intentions over the past few days. One of the most frequent themes I've heard has been the desire to “return to normal”, referencing the Covid-19 pandemic and the way it's turned our lives upside-down since 2019.

What is normal at this point? I can only assume the declarants mean a return to life as it was in December 2019. Do we really want to go back there at this point? And how would we do that? You can't put the past two years back in the bottle.

This longing for “normal” is foreign to those of us who defend against, or investigate, cyber-financial crime. The concept of normalcy doesn't exist. Well, other than that the bad guys are unrelenting in their attacks and continuously evolving their tactics to defeat us. There isn't a normal because the game is continuously evolving. Much like a virus, ransomware, phishing emails, business email compromise attacks, money laundering methods, and social engineering techniques are continually mutating in response to the tactics of security and law enforcement. There are new variants every day! The theme may be the same, but the characters and their schemes are ever changing.

We never have the desire to return to normal because there is no normal. Normal is chaos. Every day.

Welcome to 2022 and another year of combating cyber-financial crime. Normalcy is not an option.

#cyficrime #cybercrime #risk

New York Times author Nikole Hannah-Jones recently made headlines herself for claiming that the United States dropped nuclear weapons on the Japanese cities of Hiroshima and Nagasaki due to the sunk cost fallacy. The United States had spent so much money and time in creating an atomic weapon that it used the resulting tool only to prove that it was worth the effort. Anyone with even half an understanding of world history knows this is incorrect. This claim, made in the weeks, months, or even a few years after the event, would be understandable. But after 81 years of study, scrutiny, and academic review, this assertion is proven wrong. So wrong that someone who makes it should be held in no more regard than a person who still claims the earth is flat. Of course, Ms. Hannah-Jones isn't about the truth.

Giving credit where credit is due, government decision-making and policy can be influenced by sunk costs. Personally, it is easy to pivot when realizing we're “throwing good money after bad”, but in the machine of government that is much easier said than done. Particularly when ego is involved.

Law enforcement agencies have this odd organizational setting where it's not quite a strict hierarchical military rank-and-file system, yet not run like a free-market business entity either. Much like a business, law enforcement agencies must satisfy the needs of their customers – the public they serve – and the executive board – the elected politicians. But unlike a business, the customers can't just go to a competing business. No matter how poor the service, the customers keep paying the bill – in the form of taxes. And the executives are ever-changing, so if the law enforcement leadership conflicts with the CEO or Board of Directors, they need only wait them out through the next election.


Being a voracious reader, I would share my interesting findings with friends and colleagues through email. Eventually, one politely asked that I save his inbox the stress and just send a single email aggregating all of the interesting links I had gathered over the week. Matt's Newsletter was born.

That was the first try. It is hard to stay interested in something when no one is paying attention. I stopped publishing after a few weeks of no feedback and no subscribers.

I never lost my appetite for reading and sharing my knowledge, though. I started to collect and publish my writings on a write.as blog. When I learned about the newsletter service Substack, I wondered if I could combine my writing with a newsletter sharing the best news stories I had read over the previous week. Matt's Newsletter was re-born.

52 weeks and a name change later, it's still going.

Welcome to the Threats Without Borders Newsletter – Issue ONE YEAR!

So what have I learned after publishing a newsletter every week for one year?


I have previously written about the rise of “dog fraud” and the increase of fake websites and Internet marketplace ads offering designer dogs that don't exist. Well, the breeds exist; the seller just doesn't actually possess any to sell. These fraudulent sellers are usually found operating on web marketplaces such as Facebook and OfferUp, but have also gone to the extreme of creating entire websites. And some of them are well designed and functional, not just a Weebly template with some stock photos.

I suspect the next breed that will be the focus of scammers is the Shiba Inu. The rapid ascent of the Shiba Inu cryptocurrency has resulted in images of the dog posted front and center on just about every mainstream press website and periodical. It is a really good-looking dog, and with a price range of $900 to $2500, it will also look good to the scammers.

In my experience, dog scammers had been focusing on the trendy and highly sought-after French Bulldog. I compared Google searches for the two breeds.

[Google search trends chart: “Shiba Inu for sale” (red) versus “French bulldog for sale” (blue)]

Searches for the Shiba Inu are trending up, not as dramatically as I assumed, but they have certainly risen to equal the searches for French bulldogs.

I suspect that the Shiba Inu will create a lot of empty wallets, crypto, and leather.

#cyficrime #cybercrime

As defined by Wikipedia, the Curse of Knowledge is a cognitive bias that occurs when an individual who is communicating with others wrongly assumes they have the background to understand the communication. Just because you have mastered a subject doesn't mean everyone you communicate with has also. I often assume that my audience has the prerequisite knowledge to understand the information I am presenting. I am often wrong, which leads to frustration on both ends. This doesn't mean they are of low intelligence or unable to learn; it just means we have different backgrounds, experiences, and professions. An orthopedic doctor trying to explain bone density to me is going to get the same response as me trying to explain Network Address Translation to her.

I recently participated in a ransomware tabletop exercise at a local business. Initially, I was disappointed in the simplistic scenario presented by the consultant running the exercise. Uhh, so basic, I can't believe they are getting paid for this, I thought. But as the exercise played out, I observed that even such a basic scenario led to very productive conversation. In fact, the participants couldn't have handled much more. Many of the stakeholders were not in the business of security or Internet technology and needed to be brought up to speed.

The curse of knowledge got me again. I allowed my mastery of the topic to influence my opinion of the exercise and assumed the other participants had an equal or better understanding of ransomware and the incident response process. I had been through the scenario so many times, in both exercises and reality, that I had the answers. I wrongly assumed the others would also.


This week President Biden claimed to be “committed to the cybersecurity of the country” and promised to hold those who threaten our nation's security accountable. He also announced that his administration was hosting a meeting with 30 countries from the NATO and G7 alliances to discuss the problem of cybercrime and come up with a plan to combat it. The statement asserted the group would bring the “full strength” of their capabilities to disrupt malicious cyber actors.

Israeli defense minister Naftali Bennett describes Iran as an octopus that spreads its influence across the Middle East through its long tentacles. Mr. Bennett is the original proponent of the “Octopus Doctrine”, declaring that the only way to successfully beat an octopus is to target its head: “When the tentacles of the octopus strike you, do not fight only against tentacles, but strike the head also.” Life comes from the head, not the tentacles.

Previously, the Biden administration outlined a new strategy for combating ransomware and cybercrime, as detailed in this Wall Street Journal article. The administration plans to target the financial infrastructure of ransomware gangs, hoping to remove the financial incentive of cyber-criminality.

Targeting the financial systems is just striking at one of the tentacles. You may cut it off, but seven more exist, and as you battle those, the injured one will grow back.


I love speaking to telemarketers. It's a game, really. I like to see how long I can keep them on the line before they hang up in frustration. The key is to not be an overt jerk: string them along like you want to be part of their program but just can't grasp what they need from you, or offer a problem that they just can't get around. For instance, not being able to grasp the difference between a debit account and a credit account when credit card debt consolidators call. Another favorite is explaining that I live on an overgrown wooded lot and agreeing to purchase solar cells if the company will remove the five mature oak trees on my property.

Sometimes this game has unintended beneficial consequences. The vehicle warranty callers are relentless, and I had been telling them that I have various vehicles and couldn't understand which vehicle they wanted to offer an extended warranty on. They don't know what vehicle you own when they first call, so their script uses a little social engineering to get you to mention the make and model of your vehicle. I would try to keep them on the line as long as possible without ever mentioning a specific vehicle. Eventually, the caller would hang up. But someone else always called back. Sometimes the next day.

Recently, one caller slipped and asked what vehicle I owned that was between the model years of 2012 and 2019. I guess the actual company behind the calls realizes there is no need to offer an extended warranty on a new vehicle that already has a valid warranty, or on one that is too old and will be a sure claim.

So, I told the next caller that I owned a 2021 Tesla to see how he handled the new model year. To my surprise, it wasn't the year that stymied him. It was the vehicle. The caller said, “Oh, we can't offer a warranty on a Tesla. I'll remove you from the list.” And then he hung up.


I have written extensively about insider threats, and I always touch on it when speaking about cyber-financial security. I am usually rebuffed by small business owners when I urge them to consider insider threat security and mitigation efforts. The counterarguments are usually something along the lines of “I only have 10 employees” or “We're like a family, I don't employ anyone I don't trust”. Their feelings quickly change when I explain that not all dangerous insiders are malicious. The term “threat” has such a harsh connotation that most people assume the insider had serious and deliberate intent to do the business harm. In most cases, though, the employee that caused the damage just did something stupid. They clicked a link, were socially engineered by a phone caller, or published proprietary code to an open GitHub repository. I usually ask them about the receptionist who is a little too chatty with visitors or the bills payable clerk who has failed the phishing simulation audit every single time.

When it comes to small business security, the most dangerous employee can sometimes be the least suspected. And really good employees can become threats at any point. What about the employee who suddenly falls on hard times, or has a minor surgery that leads to drug dependency? What about the employee that didn't get the promotion? These employees would never have considered acting against their employer if it had not been for their unfortunate life situation. But drug addiction, financial distress, relationship turmoil, or animosity from discipline can make people act out of character.

Every business, no matter the size, needs to have an insider threat program, even if it is just the business owner or a manager monitoring employee behavior and attitudes. Sally is going through a bad divorce. Bob is spending a lot of time at the casino and looks like he hasn't been taking care of himself. Jane is really, really mad she didn't get that project manager position.


I don't have writer's block; I am suffering from finishing block. I just can't finish any of my writings. I currently have three long-form pieces that are about 75% written and just need an adequate closing paragraph. Distraction is my enemy. The opposite of writer's block, my mind is constantly filled with thoughts and ideas. I keep a note of writing topics that I update as they come to me. It's a long note. Unfortunately, many of the ideas never get acted upon because I'm constantly onto something that shines brighter. The same thing happens when I do find time to sit down and write: if I can't finish the entire article in one sitting, the chances are it won't be finished. It's a struggle for me to return and complete a piece because I'm quickly onto something new.

Summer is a distraction. I recently had a day off from my real job, and I planned to spend it writing and working on a few other creative pursuits. As Mr. Burns so thoughtfully wrote, “The best-laid schemes o' Mice an' Men / Gang aft agley.” I soon found the weather too appealing, and I spent the majority of my day by the pool with a cool beverage and island music. Needless to say, no writing was done.

I might also suffer from a bit of writer's fatigue. As an investigator, I write reports all day, every day. I write thousands of words per week just to document my regular work activities. Sometimes the last thing I want to do in the evening or on the weekend is to spend more time in front of a screen writing. And the energy I do have left goes into my weekly newsletter, Threats Without Borders, which gets published every Tuesday. You should really check it out and subscribe.

But I love to write and I have a lot to say. I just need to get to it!

The sun just peeked over the horizon and the coffee's brewed. I'll be back to finish writing this in a bit.

Every year for the past twelve years, my family has taken a week-long vacation at a beach along the Atlantic Ocean. Each trip sees me carry along a computer, a bag of books, and a project list. This year was no exception, with the to-do list including a few articles to write, working on a new website for a side project, and updating my CV. As in all the other years, none of that got done. One thing that did get done, however, was the publishing of my weekly newsletter, “Threats Without Borders”.

For the past 31 weeks, I have published a Substack newsletter highlighting the best news and opinion pieces I read over the preceding week concerning cyber and financial crime. “CyFicrime”, as I have coined it. I'm a voracious reader and easily spend 20 hours a week just reading articles, blogs, and documents published on the Internet. The easiest way to share my knowledge is with a newsletter delivered through email. I joke with my colleagues that I read the entire Internet so they don't have to.

The newsletter has evolved. It was published for the first twenty-four weeks under the generic “Matt's Newsletter” because, well, I just wasn't witty enough to come up with anything else. Then the phrase “Threats Without Borders” came to me as an apt description of cybercrime. The Internet allows criminal threat actors to victimize others anywhere in the world, regardless of physical location or geopolitical nationality. Your country's physical border is benign and irrelevant! The name was changed, and I think it's been well received.

My goal from the start has been to publish a newsletter every week for 52 weeks. So far so good. And I even delivered during vacation.

I have an updated goal: grow the newsletter to 1000 subscribers by the end of 2021. This is easily attainable. If you are reading this on the write.as blog, please consider checking the newsletter out and subscribing. If you casually browse to the Substack site to read the newsletter, please subscribe. And if you already subscribe, please share it with a colleague. I'm not asking you to share your religion or your opinion as to what is the best bear. (Obligatory The Office joke.)

Read Threats Without Borders at cyficrime.substack.com
