Things Matt Wrote

Writings from the intersection of law enforcement and the Internet

I have written extensively about insider threats and I always touch on it when speaking about cyber-financial security. I am usually rebuffed by small business owners when I urge them to consider insider threat security and mitigation efforts. The counterarguments are usually something along the lines of “I only have 10 employees” or “We're like a family, I don't employ anyone I don't trust”. Their feelings quickly change when I explain that not all dangerous insiders are malicious. The term “threat” has such a harsh connotation that most people assume the insider had serious and deliberate intent to do the business harm. In most cases, though, the employee that caused the damage just did something stupid. They clicked a link, were socially engineered by a phone caller, or published proprietary code to an open GitHub repository. I usually ask them about the receptionist who is a little too chatty with visitors or the bills payable clerk who has failed the phishing simulation audit every single time.

When it comes to small business security, the most dangerous employee can sometimes be the least suspected. And really good employees can become threats at any point. What about the employee who suddenly falls on hard times or has a minor surgery that leads to drug dependency? What about the employee that didn't get the promotion? These employees would never have considered acting against their employer if it had not been for their unfortunate life situation. But drug addiction, financial distress, relationship turmoil, or animosity from discipline can make people act out of character.

Every business, no matter the size, needs to have an insider threat program, even if it is just the business owner or a manager monitoring employee behavior and attitudes. Sally is going through a bad divorce. Bob is spending a lot of time at the casino and looks like he hasn't been taking care of himself. Jane is really, really mad she didn't get that project manager position.


I don't have writer's block, I am suffering from finishing block. I just can't finish any of my writings. I currently have three long-form pieces that are about 75% written and just need an adequate closing paragraph. Distraction is my enemy. The opposite of writer's block, my mind is constantly filled with thoughts and ideas. I keep a note of writing topics that I update as they come to me. It's a long note. Unfortunately, many of the ideas never get acted upon because I'm constantly onto something that shines brighter. The same happens when I do find time to sit down and write. If I can't finish the entire article in one sitting, the chances are it won't be finished. It's a struggle for me to return and complete a piece because I'm quickly onto something new.

Summer is a distraction. I recently had a day off from my real job and I planned to spend it writing and working on a few other creative pursuits. As Mr. Burns so thoughtfully wrote, “The best-laid schemes o' Mice an' Men / Gang aft agley.” I soon found the weather too appealing and I spent the majority of my day by the pool with a cool beverage and island music. Needless to say, no writing was done.

I might also suffer from a bit of writer's fatigue. As an investigator, I write reports all day, every day. I write thousands of words per week just to document my regular work activities. Sometimes the last thing I want to do in the evening or on the weekend is to spend more time in front of a screen writing. And the energy I do have left goes into my weekly newsletter, Threats Without Borders, which gets published every Tuesday. You should really check it out and subscribe.

But I love to write and I have a lot to say. I just need to get to it!

The sun just peeked over the horizon and the coffee's brewed. I'll be back to finish writing this in a bit.

Every year for the past twelve years, my family takes a week-long vacation at a beach along the Atlantic Ocean. Each trip sees me carry along a computer, a bag of books, and a project list. This year was no exception, with the to-do list including a few articles to write, working on a new website for a side project, and updating my CV. As with all the other years, none of that got done. One thing that did get done, however, was the publishing of my weekly newsletter “Threats Without Borders”.

For the past 31 weeks, I have published a Substack newsletter highlighting the best news and opinion pieces I read over the preceding week concerning cyber and financial crime. CyFicrime, as I have coined it. I'm a voracious reader and easily spend 20 hours a week just reading articles, blogs, and documents published on the Internet. The easiest way to share my knowledge is with a newsletter delivered through email. I joke with my colleagues that I read the entire Internet so they don't have to.

The newsletter has evolved. It was published for the first twenty-four weeks under the generic “Matt’s Newsletter” because, well, I just wasn’t witty enough to come up with anything else. Then the phrase “Threats Without Borders” came to me as an apt description of cybercrime. The Internet allows criminal threat actors to victimize others anywhere in the world, regardless of physical location or geopolitical nationality. Your country's physical border is benign and irrelevant! The name was changed and I think it's been well received.

My goal from the start has been to publish a newsletter every week for 52 weeks. So far so good. And I even delivered during vacation.

I have an updated goal: grow the newsletter to 1000 subscribers by the end of 2021. This is easily obtainable. If you are reading this on the blog, please consider checking the newsletter out and subscribing. If you casually browse to the Substack site to read the newsletter, please subscribe. And if you already subscribe, please share it with a colleague. I'm not asking you to share your religion or your opinion as to what is the best bear. (Obligatory The Office joke.)

Read Threats Without Borders at

I work for an accredited law enforcement agency. Dually accredited, actually, holding sheepskins from both the Commission on Accreditation for Law Enforcement Agencies (CALEA) and the Pennsylvania Law Enforcement Accreditation Commission (PLEAC). We're one of the few agencies in the state that hold both the national and state accreditation titles. This is an accomplishment to be proud of for sure, but it's expensive, burdensome, and at the end of the day may or may not make us better at policing.

The policy demands pushed down by various oversight organizations have been fast and furious in the aftermath of the death of George Floyd and the resulting focus on police, particularly on the application of the use of force. Agencies that were accredited already met most of the policy demands called for by reformers, but the need to look responsive is irresistible. Policies are tweaked, the language changed, “enacted dates” are updated to be current, and press releases touting agency reforms are issued. Some of these changes are badly needed; some are just policing reform theatre.

I'm a supporter of accreditation and believe that it's something every law enforcement agency should strive for. It's good for the leadership, it's good for the taxpayers, and at the end of the day, it's good for the individual officers. If the members of the agency follow the policies as written, they will be less likely to be questioned, disciplined, or end up named in a lawsuit. And that is good for everyone. But it's not that easy. The policies are so vast, so broad, and some so complex, that compliance is difficult to achieve, even for the best-intentioned officer. Many policy violations aren't because of deliberate intent; they happen because the officer is making a split-second decision while under extreme stress. The angle of his knee on an actively resisting suspect's back is the last thing on his mind. On the other hand, some policies are deliberately disregarded because they are complex, overly broad, and nearly impossible to comply with all of the time. Some officers believe: why even try?

Accreditation and compliance are also big business in the world of information security, and with ultimately the same result. Compliance is not security. If you believe that your organization is secure because it is deemed compliant, you are going to be terribly disappointed. And look like a fool. Compliance models are a set of best practices that will lead the organization to a more productive and secure environment, but you can't just enact the framework, declare yourself secure, and walk away.


I will soon be able to add “itinerant laptop computer reviewer” to my resume. I am writing this on a new Apple MacBook Air computer. Yes, my third new laptop in the past four months. It's only been 12 hours, but I think this may be the one. Of course, I've said that before.

In 2012, I purchased a new MacBook Pro computer and used it as my primary machine until 2018, when I needed to upgrade. It was a great computer but only had an Intel i5 chip and 8GB of memory. I had begun using multiple virtual machines for security and forensic purposes and it just couldn't keep up, even after a RAM upgrade to 16GB. I wanted to stay in the Apple “ecosystem” but I was dismayed with some of the comments Tim Cook had made at that time. I feel strongly that a business should provide me with products and services and let me decide my politics. If you want to be a politician, then fine, get into politics; otherwise, just make a good computer and keep your mouth shut. I didn't feel I could reward a business that had a CEO who believed I was a horrible and detestable person because of my personal beliefs. And was outspoken about it!

Anyway, I left Apple and went with a maxed-out Lenovo ThinkPad X1 Carbon. It was smoking hot, with an i7 processor, 16GB of memory, and the best-feeling keyboard I had ever typed on. It was fantastic. The only downside, and the one that ultimately set me on this journey, was that it ran Windows. The physical machine is flawless. The operating system, not so much. And as regular readers know, earlier this year Microsoft made it a very expensive paperweight with a corrupted update.


Over the past year, “Dwell Time” has become part of the American lexicon. The term, when used in the scope of infectious disease, is the measurement of time a disinfectant needs to remain wet on a surface to properly disinfect. The quicker a disinfectant solution kills pathogens and sanitizes a surface the better it works. The Covid-19 pandemic has made most of us experts in disinfectants.

The concept of dwell time is also important in the field of information and computer network security. Dwell time is the length of time a threat actor is active, while undetected, within a network. It is the measurement of time from breach to detection. Obviously, the longer the adversary lives in the environment the more time they have to steal data and damage systems. The ultimate goal of every security team is to reduce adversary dwell time to the least amount of time possible. A dwell time of ZERO is the ideal.

Security software and threat prevention company Sophos released a report titled “The Active Adversary Playbook 2021”. The report is well written and has garnered some attention within cybersecurity media and among practitioners. One of the more prominent and celebrated points made by the report is a median adversary dwell time of eleven (11) days. I immediately winced when I read this claim. I'm not an expert by any means, but that number seemed way off, particularly since FireEye estimated the average dwell time to be 56 days in their 2020 M-Trends report. Did the security industry get that much better in just a year?


My wife dropping her iPhone in the pool this week taught us two things. First, she learned how cold 64-degree water is as she had to get in to retrieve the phone. Second, regardless of what Apple claims, iPhones are not waterproof. To be fair, I suspect it was the salt more than the water that shorted out the device. Regardless, dropping your phone in a 64-degree saltwater swimming pool is going to result in negative consequences for both you and the device.

This event also reinforced another concept that needs to be stressed when discussing crisis and security incident planning. Data stored on digital media, and in the cloud, is worthless if you can't access it. The loss of the phone created significant complications for my wife since she couldn't complete the two-factor authentication process required to access many of her work systems and data. We save data to cloud storage systems for safety, security, and redundancy, but it's all for naught if you can't access any of it.

This brings up a bigger issue when considering Disaster Recovery and Business Continuity plans for your business. They are worthless if you don't have a copy when a disaster strikes.


About 90 days ago my Windows computer system crashed and burned. Microsoft pushed an update that corrupted the system and rendered it unrecoverable. I had backups, so reinstalling the operating system and restoring the files would have been an adequate solution, albeit a pain in the ass. I didn't go that route though. I was irate and didn't want to be a Microsoft Windows user anymore.

I have always been a Linux “tinkerer” and keep an extra ThinkPad with one distribution of Linux or another installed. The most recent was Pop!_OS from System76. I was so impressed by the system that I often thought, could this be a daily driver OS? I decided to answer that question when my Windows 10 system crashed and burned. Not just on a spare computer, or in a virtual machine, but on my main computer, as my everyday operating system. Will Linux work as my main computer operating system? Is 2021 finally the “Year of the Linux Desktop”?

Pop!_OS is a fantastic operating system that lives up to the hype-slogan “it just works”. Pop!_OS is sleek, polished, and aesthetically pleasing. It functions flawlessly on my Lenovo ThinkPad X1 Carbon (5th gen) and displays accurately on an external monitor. System76 actively develops the distribution and provides fantastic support to users and the community. The few problems I've had with configurations or installations have been easily solved by System76 support or documentation published by the community. Most importantly, it has been stable. I have not had a single crash or unexpected system shutdown, and System76 has never forced the system to auto-install updates. The Pop!_OS user experience is good.

But, I must return to Windows.


Email security company Mimecast released their annual “State of Email Security” report for 2021. The report is based on a survey of 1,225 information technology and security professionals from businesses around the globe. The survey participants were from businesses that spanned the industrial sectors including technology and telecommunications, financial services, manufacturing, and health care.

The report is well done and easy to digest. It is not easy to accept, though. It's not that the data appears illegitimate or deceitful, but it is a stark reminder of the uphill battle security practitioners face in trying to protect their organizations.

Some of the statistics are expected, such as six out of ten organizations sustaining a ransomware attack in the past twelve months. Threats delivered by email rose by 64% in 2020. 70% of respondents expect that their business will be harmed by an email-borne attack in 2021, and of those, 26% claim that such an event is inevitable. Of course, it makes you wonder about the 30% that don't believe they will be afflicted by a damaging email attack this year. There is a fine line between confidence and lunacy.


The 2020 Internet Crime Report was recently released by the FBI's Internet Crime Complaint Center. The one stat that stood out was the significant increase in extortion reports. The center received 43,101 reports of extortion in 2019. That number jumped to 76,441 in 2021, accounting for a 78% increase.

That increase in crime is certainly more palatable than the 110% increase in phishing complaints the center received, but a 78% increase is still significant. And extortion?

My immediate thought was that IC3 is now considering Denial of Service for Ransom attacks as extortion, which would be correct. These cyber-shakedowns are nothing less than criminal extortion. Think of the 1920s gangster walking into the local butcher shop, “Nice shop you have here, would be a shame if you had a fire,” but apply it to a website, à la “Nice website you have here, sure would be a shame if it was taken offline”. I have previously written about RDOS (Ransom DOS) attacks.