Blaming the Victim for the Crime

Putting the victim on trial. Decades ago we learned to stop putting victims of sexual abuse, domestic violence and rape “on trial”. Well, mostly anyhow. But we, mostly, stopped blaming the girl because she wore a short skirt or went to a bar and flirted with guys. These days we don’t try and say that the domestic violence victim invited the abuse or they were at fault for not speaking up in the first place. And so forth. But there’s a community that, I am sad to say, spends a lot of time blaming the victims of crime.


Posted in General | Comments Off on Blaming the Victim for the Crime

You Can’t Defend Without Intelligence

Imagine you are an Army General. And you have been given responsibility to defend a town that is the key to the local road network. You have a specific set of units under your command and several days to prepare to defend before the enemy is expected to attack. How are you going to go about setting up your defenses? Could you successfully defend without understanding the routes the enemy will use and what capabilities the enemy will have, in addition to knowing their objective?


Posted in InfoSec, Security | 3 Comments

New Year’s Resolution: Stop Being a Victim

I was recently asked what I thought should be the most important resolution for consumers going into 2014. A resolution in the context of improving the individual consumer’s personal and financial security. Since the request was for publication in a magazine article, I gave a relatively brief answer. Since I think this particular resolution is very important for everyone, I decided to expand upon it here on my blog.

Each and every consumer who uses email and the Internet (that’s pretty much all of you) should make the following resolution this New Year’s.

I resolve to change my online behavior in order to not be a victim of an evil doer.

Yes, the people who steal money, financial data and personal data by email and websites are evil doers. They are worse, by far, than the guy holding up 7-11. That guy is lucky if he gets away with $100 and he put himself at significant risk to get that money. He did not dupe, trick, deceive anyone. He didn’t take advantage of a trusting elderly person and steal their life savings. Contrary to what movies like “Dirty Rotten Scoundrels” and “Hackers” portray, con artists are not some sort of underground hero that you should like. Indeed, online con artists … social engineers in the world of information security …. cost society horrible amounts of money. They steal people’s life savings, drain their bank accounts, max out their credit cards, compromise their financial and health data and much more.

These guys are really good and they are, mostly, safe from law enforcement. They are anonymous online and live in countries where US and Western European police forces have a difficult time getting cooperation.

What can you, the individual, do to protect yourself? There are five easy changes in your online behavior that you should make. Almost all people I talk to about their online behavior do at least one of these things on a regular basis. By doing so, you are putting yourself at serious risk. Why? Because the above mentioned evil doers KNOW that you do this and they are taking advantage of your behaviors. So, let’s change them and avoid the risk posed by these guys.

Don’t click on links in email sent to you.

One of the simplest ways for someone to attack you is to put a malicious link in an email. They do something like creating an email that pretends to be from Microsoft and tells you that you need to verify your email address. And provides a very convenient link in the email to do the verification. In fact, I just got one of those emails from another large company that urged me to verify my email and make sure to change my password.

I checked the link that the email wanted me to go to and lo and behold, it was not actually from the computer company named after a fruit. Had I gone to that website and entered my email address and changed my password, they would have had a good chance at being able to compromise my email account. Which is a really critical first step for a nasty financial attack against me. As I point out in the next behavior change.
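The check described above, looking at where a link actually goes rather than where the email says it goes, can be automated. The following is an added example, not code from the post: it pulls every anchor out of an HTML mail body and flags links whose host is not under the claimed sender’s domain, links whose visible text shows one domain while the href goes to another, and links to bare IP addresses. The mail body, the sender domain `microsoft.com` (the page names Microsoft as a commonly impersonated sender) and the hosts under `example.net` and `203.0.113.0/24` are constructed sample data; the two-label `registrable_domain` helper is a deliberate simplification noted in the code.

```python
import re
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urlparse


@dataclass
class Link:
    href: str
    text: str


class LinkExtractor(HTMLParser):
    """Collect every <a href=...> with its visible text from an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._open = Link(href=(dict(attrs).get("href") or "").strip(), text="")

    def handle_data(self, data):
        if self._open is not None:
            self._open.text += data

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.links.append(self._open)
            self._open = None


HOST_RE = re.compile(r"[a-z0-9.-]+\.[a-z]{2,}")
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def host_of(url):
    """Hostname of a URL, lower-cased; '' when there is none."""
    return (urlparse(url.strip()).hostname or "").lower()


def registrable_domain(host):
    # Simplification: keep the last two labels. Production code should consult the
    # public suffix list so that hosts like "example.co.uk" are handled correctly.
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def displayed_host(text):
    """If the anchor text looks like a URL or a bare domain, return that host."""
    t = text.strip().lower()
    if "://" in t:
        return host_of(t)
    return t if HOST_RE.fullmatch(t) else ""


def suspicious_links(html_body, sender_domain):
    """Return [(href, [reasons])] for links that do not fit the claimed sender."""
    parser = LinkExtractor()
    parser.feed(html_body)
    findings = []
    for link in parser.links:
        href_host = host_of(link.href)
        if not href_host:  # mailto:, in-page anchors, relative links: nothing to check
            continue
        reasons = []
        if registrable_domain(href_host) != registrable_domain(sender_domain):
            reasons.append(f"points to {href_host}, not a {sender_domain} host")
        if IPV4_RE.fullmatch(href_host):
            reasons.append("destination is a bare IP address")
        shown = displayed_host(link.text)
        if shown and registrable_domain(shown) != registrable_domain(href_host):
            reasons.append(f"text shows {shown} but the link goes to {href_host}")
        if reasons:
            findings.append((link.href, reasons))
    return findings


# Constructed sample mail body; example.net and 203.0.113.0/24 are reserved for documentation.
SAMPLE_EMAIL = """
<p>Your account needs verification. Please
<a href="http://microsoft-verify.example.net/login">verify your email address</a> today.</p>
<p>Or reset your password at <a href="http://203.0.113.10/reset">https://account.microsoft.com</a>.</p>
<p>Regards, <a href="https://www.microsoft.com/support">Microsoft Support</a></p>
"""

if __name__ == "__main__":
    for href, why in suspicious_links(SAMPLE_EMAIL, "microsoft.com"):
        print(href)
        for reason in why:
            print("   -", reason)
```

Run against the sample, only the two bad links are reported; the genuine support link under `www.microsoft.com` passes. The same three checks are what a mail client’s junk filter applies, at larger scale, when it decides a message belongs in the junk folder.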

Do not use the same password for your email and your financial accounts. Ever.

You need to make sure that your email and online financial accounts use different passwords. Why? Because if you goof on #1 and give away a password, you don’t want it to be the same as your bank account password. The first thing the bad guy tries is hitting major financial institutions with your ID and password. Most of us are lazy by nature, and we use the same ID and password on all our online accounts. And our evil doer’s odds are decent that you bank at Wells Fargo, Chase, Citi, PNC or Bank of America since as recently as 2009 over 40% of all consumer deposits were at the top 5 banks.

If you have given away a password, but it is only your email password and not your bank password, then the criminal must put more effort into his attack on you. He will have to try logging in to all of these different banks and then saying he forgot his password. When he does, of course, it sends an email to your email account asking for confirmation. Since the bad guy now controls your email account (because in #1 you gave him your password), he can confirm that he is you and change your password to one he wants it to be. But it was harder than if you use the same password for both.

Remember that behavior by friends and acquaintances that isn’t normal is suspicious.

Emails, e-cards, etc. from acquaintances that are out of character should generate suspicion. A friend who never sends you an e-card is unlikely to have suddenly decided to start sending them. Much more likely is that your friend’s email account was compromised and is now being used to initiate a social engineering attack on you.

Of course you trust your friend. Of course you want to see this funny card that your friend sent you. Of course you click on the link. And, of course, the e-card website has malicious software (a “virus”) on it and it is able to insert it onto your computer. Depending on the goals of this bad guy, many different things can happen. Often you will never even realize it, but your computer is now being used as part of a botnet that can attack many other computers and networks. Or, perhaps, there is a secret keylogging software on your computer now, recording every keystroke you make. And so on.

Enable anti-spam technologies in your email client.

Your email client has technology that enables it to filter many of those social engineering email attacks. Whether it is an online email client like Yahoo! or Google, or it runs on your computer, like Apple’s Mail or Microsoft’s Outlook. Seriously. All you have to do is turn it on and it works. It looks at your email, decides what is malicious and then sends that email to a junk folder.

Some of the email that gets filtered in there is pure spam. You know, offers for viagra, cheap home loans, pornography. But some of the email that is filtered is from the guy trying to get you to “reset your password”. So use the technology and make your life better. No ads for viagra and far fewer malicious attacks get in your inbox.

Be aware of offers that are too good to be true.

If you receive an offer in your email that is really good, like REALLY good …. delete it. If it is too good to be true, it’s a trap. If someone wants to pay you $20/hour to work from home and the work is “easy” and you have never heard of them before in your life …. it’s a con artist. You will become a mule for financial crime and not even realize what has happened. The money going through your account that you are earning $20 an hour to transfer around the world? Yep, you guessed it … it’s stolen. They are playing on your desperation, greed, etc to get you to help them commit a crime.

Just delete that too good to be true email.

Posted in Security | 1 Comment

2013: A Roller Coaster

Or, as my wife put it, Random Ramblings of a Security Executive.

Yes, it’s that time. Writing a blog post to wrap up the year, just like all the rest of you do. I decided I’d cover my personal and professional life and the infosec world too. And I realized that it’s been a pretty crazy year on all 3 fronts. It’s been up and it’s been a stomach churning drop as well. With a couple barrel rolls, a loop de loop or two and some high speed turns thrown in.

Personal Life

My personal life is all about planes, trains and automobiles this year. Well, okay, no trains. So, all about planes and automobiles. But the first is funnier. Anyhow, probably the two big personal life stories involve planes and cars.

First, my 16 year old stepson has his driver’s license. And a car. And he got in his first (not at fault) accident, too. Yep, that was a heck of a ride right there. He’s a good kid. Very conscientious and careful about driving. But still the accident. Within less than a mile of the house. Stacy went and rescued him and did a great job at it.

With my professional life really ramping up, I spent a ton of time traveling. Lots of time on airplanes. I mean LOTS …. From Aug 1 to Dec 20 I flew 63,862 air miles. That includes going to just about every major airport in the US. That includes Atlanta, Dulles, National, Boston, Pittsburgh, Detroit, Columbus, Minneapolis-St. Paul, O’Hare, Dallas, Houston, Phoenix, Los Angeles, San Francisco, Portland and Seattle.

That’s a lot of freaking air travel and airports in less than 5 months. And that doesn’t include the fact that I flew to Sydney, Australia. That’s 16,882 miles for a 6 day trip. An average of 2,813 miles per day. LAX to Sydney is 14 hours on an airplane.

Yes, my personal life involves a lot of flying. And more importantly, being away from my family a lot. They support what I do, and they agree with the choices. But I’m not sure any of us were quite prepared for what this was going to look and be like.

20 weeks. 63,862 miles. 3193 miles a week. My wife is a saint.

On a side note, in the middle of that I got to meet a guy I’ve been corresponding with since 2003. For 10 years I have written to, and interacted with, Glenn Reynolds. Most of you know him as Instapundit. Well, he was the keynote speaker at the ISSA International Conference this year. And he and I spent two hours having a drink and a bite to eat. What a strange world when you can know someone for a decade BEFORE you actually meet them.

Professional Life

My professional life this year can be summed up in one easy statement: Continuous change.

Seriously, this year has been one of change. In January I was the CISO and head of Enterprise Risk Management for Providence Health & Services. Today I am the Vice President of Security & Strategy for Core Security. In the middle of that Providence had a new CEO, first time that changed in over a decade. And healthcare is going through massive and immense change, as we all know. What it will look like in a year or two is anybody’s guess. But certainly not the same.

So I left being the CISO of a large corporation …. A company that would be about #208 on the Fortune 500 list, about comparable to Starbucks …. Something that my friend Dave Estlick and I always tease each other about. But no longer. I now work for a company with 185 employees and revenue of about $25 million a year. For someone whose professional life has been the US Army, EDS and Providence, this is a massive change. Huge. And fun. I love this company.

And I changed what I do, as well. In the Army I was a small unit leader, a tank commander. At EDS I led teams in business process outsourcing, professional services and consulting environments. At Providence I led an information security department for 7 years. Now? I lead strategy for Core. I have no direct reports. I have no direct team (at least for now). So, my whole professional life I have led teams and been measured by how well I did that. And now, I will be measured by my personal impact to a company. Not by what my team does or how good at leading a team I am.

That’s a big change at age 46.

The InfoSec World

A year of turbulence and change. We found out that the NSA couldn’t keep a contract employee from stealing all their secrets. We found out that we were right about Adobe and their ability to do good security. And it turned out that traditional mechanisms of securing payment systems just weren’t going to work well if you were a retailer the size of Target.

The bad guys are so capable and have so many resources that they were hacking in to media companies like the NY Times and Washington Post just to find out what was being written about them.

The head of the NSA got heckled at Blackhat.

This was the year that social activist and revolutionary attacks came into their own. Think about Anonymous and the Syrian Electronic Army. Think about all the Twitter and LinkedIn attacks and phishing and spoofing.

This was the year that the whole world discovered that China was cyber enemy #1 … and then wondered if the NSA had surpassed that.

This was the year that it became obvious that traditional information security was not the solution to stop cyber attacks. And now we wonder what to do.

Frankly, my personal and professional life were driven by my realization that information security had to change. It’s been a roller coaster. It’s been crazy. But really, life is better than ever. I have a great wife, great kids and a great job. I get to make a difference, to some small extent, in the world around me every day.

I haven’t even talked about food I’ve eaten, some of the great wines I’ve had, cigars I’ve smoked. Not a word about the good times my wife and I have had. Or the various trials and tribulations of the family. But I figured you guys were bored by now. So, here’s the end.

2013 has been wild and crazy and good.

I wonder what 2014 will bring.

Posted in Career, Government, InfoSec, Life and Times, Security | 2 Comments

Thinking About Healthcare.gov’s Security

Now that the Information Technology and Security communities have had time to digest what’s going on with Healthcare.gov, they are starting to think about what the “glitches” mean from a security perspective. For example, here’s some coverage in eWeek. And I’ve been asked by several other publications to provide my thoughts on the site’s security.

Ironically, the glitches may be the best security tool yet, per the article:

“In fact, the site’s stability issues and lack of usability to this point may be its best security: Even hackers haven’t been able to get in long enough to make it work,” Carpenter (VP of Strategy at AccessData) said.

As I point out in the article, a system as complex and interconnected as this one is, with as much data as it contains, is highly susceptible to attack, exploitation and breach of data. The technical difficulties that the site has suffered through do not hold out much hope that security has been implemented without “glitches”, either.

A site this complex, with this many bugs and glitches, being fixed on a crash basis, will have all sorts of vulnerabilities. And it turns out that one of the key contractors working on healthcare.gov, QSSI, has had security control problems in the past per this article. The only way to secure complex systems is to do the basics of security very well. But the specific security control issue cited in the government audit, allowing employees to connect USB drives and iPods to workstations with access to sensitive data, is a pretty basic thing.

*Update – There’s another good article on SC Magazine’s site as well.

Posted in InfoSec | 5 Comments

The Adobe Breach: Initial Lessons

Now that we’ve had a little time to absorb the impact of the Adobe breach, there’s a few lessons we can learn already. First, a link for those who have been living in a cave and don’t know what I mean: Krebs on Security has had great coverage.

What we know:

  • Adobe was breached via a vulnerable ColdFusion web application server exposed to the Internet. ColdFusion is an Adobe product.
  • The vulnerability was known for months, a published vulnerability, and was not patched.
  • 38 million users’ accounts were compromised.
  • Source code for Acrobat, Reader, ColdFusion and Photoshop has been compromised.

Two Initial Lessons

User accounts are a huge target for attackers. Basically, every big breach you read about includes breached user accounts. Even if there is no financial data in the account, compromising user name and password allows the bad guy to begin attacking the user’s other accounts since it is quite common to use the same ID/PW combination for most accounts. If an email account can be compromised, then the process of breaking in to financial accounts gets really easy. First thing all users should do is differentiate the passwords for email accounts, product sites like Adobe and financial sites.

Organizations continue to be compromised, breached and exploited through vulnerabilities and bugs in their systems that are well known and published. Although the vulnerabilities are known and patches published, companies are not patching their systems. Contrary to the belief that it is because companies don’t care about security, I will argue that it is essentially to the point of impossibility now. When a large organization does a vulnerability scan of its systems, it turns out a printout the size of the Manhattan phone book. There is no way, in the midst of every other priority out there, for the IT teams to deal with all of these vulnerabilities. They don’t even know which ones are important or how to prioritize the vulnerabilities. The key lesson here is that patching vulnerabilities requires tackling the problem by determining where and how the adversary will attack you, and defending there. It basically requires that we do something new and disruptive.
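One concrete way to rank the phone-book-sized scan output by “where and how the adversary will attack you” is to score each finding by whether its host sits on a path from the Internet to the assets that matter, rather than by severity alone. The following is an added example, not the author’s or Core Security’s code: it takes a constructed network reachability graph, a constructed set of scan findings (the titles are placeholders, not real vulnerability identifiers), and orders them so that an exploitable finding on an Internet-facing host that leads to the crown jewels comes first, while a high-CVSS finding on an isolated printer drops to the bottom.

```python
from collections import deque
from math import inf

# Constructed network reachability graph: an edge A -> B means traffic from A can reach B.
# "internet" is the adversary's starting point. All host names are invented.
REACHABILITY = {
    "internet": ["web-cf-01", "vpn-gw"],
    "web-cf-01": ["app-db-01"],
    "vpn-gw": ["corp-fs-01"],
    "corp-fs-01": ["app-db-01"],
    "app-db-01": [],
    "print-01": [],
}
CROWN_JEWELS = {"app-db-01"}

# Constructed scan output. Titles are placeholders, not real CVE identifiers.
FINDINGS = [
    {"id": "F1", "host": "web-cf-01", "title": "app-server remote code execution (placeholder)", "cvss": 9.8, "exploit_public": True},
    {"id": "F2", "host": "print-01", "title": "printer firmware overflow (placeholder)", "cvss": 9.0, "exploit_public": True},
    {"id": "F3", "host": "corp-fs-01", "title": "file-share privilege escalation (placeholder)", "cvss": 7.5, "exploit_public": False},
    {"id": "F4", "host": "app-db-01", "title": "database information disclosure (placeholder)", "cvss": 5.3, "exploit_public": False},
]


def bfs_distances(graph, start):
    """Hop count from start to every node it can reach."""
    dist = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return dist


def reverse_graph(graph):
    """Flip every edge so we can search backwards from the crown jewels."""
    rev = {node: [] for node in graph}
    for node, targets in graph.items():
        for t in targets:
            rev.setdefault(t, []).append(node)
    return rev


def hops_to_jewels(graph, jewels):
    """Shortest hop count from each node to any crown-jewel asset."""
    rev = reverse_graph(graph)
    best = {}
    for jewel in jewels:
        for node, d in bfs_distances(rev, jewel).items():
            best[node] = min(d, best.get(node, inf))
    return best


def prioritize(findings, graph, jewels, entry="internet"):
    """Rank findings by attack path first, then exploit availability, then CVSS."""
    from_entry = bfs_distances(graph, entry)
    to_jewels = hops_to_jewels(graph, jewels)
    ranked = []
    for f in findings:
        d_in, d_out = from_entry.get(f["host"]), to_jewels.get(f["host"])
        on_path = d_in is not None and d_out is not None
        ranked.append({**f, "on_path": on_path, "path_len": d_in + d_out if on_path else None})
    ranked.sort(key=lambda r: (
        not r["on_path"],                                      # reachable from entry AND leads to jewels
        not r["exploit_public"],                               # adversary already has the tooling
        r["path_len"] if r["path_len"] is not None else inf,   # shorter path = more urgent
        -r["cvss"],                                            # severity only as a tie-breaker
    ))
    return ranked


def by_cvss(findings):
    """The 'phone book' ordering: severity only, no context."""
    return sorted(findings, key=lambda f: -f["cvss"])


if __name__ == "__main__":
    print("CVSS only:  ", [f["id"] for f in by_cvss(FINDINGS)])
    print("Attack path:", [f["id"] for f in prioritize(FINDINGS, REACHABILITY, CROWN_JEWELS)])
```

On the sample data the severity-only ordering is F1, F2, F3, F4; the attack-path ordering is F1, F4, F3, F2. The printer overflow (F2) is the second-worst CVSS score on the list but is reachable from nowhere and leads nowhere, which is exactly the kind of item that should not be consuming a week of an IT team’s patch window while an exposed, exploitable application server is still unpatched.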

Finally, we know that much of Adobe’s source code for their software has been compromised. This from a company that has a really bad track record of serious security flaws in their software anyhow. Now the bad guys have direct access to Adobe source and will be able to discover all sorts of previously undiscovered vulnerabilities. If at all possible, you should stop using software from Adobe right now.

*Update 10/31/13 – Welcome Instapundit readers …. take a look around. This blog is primarily about Information Security, which is my profession, but also has some interesting stuff on my chickens, cigars and backyard home offices. 🙂

Posted in InfoSec, Risk Management, Security, Vulnerability Management | 20 Comments

Interesting Things

I work for a very interesting company, culturally speaking. It was originally founded in Buenos Aires, Argentina about 15 years ago. After achieving significant success in their market space, Core moved its headquarters to Boston. However, the majority of the company, other than some administrative and sales staff, remained in Argentina. Over time, the company came to have two major locations. About half the company is located in Buenos Aires and the other half in Boston. A few people, like me, are in home offices, but spend significant time in one of the headquarters.

Because of this, the company has a very diverse culture and worldview. Interestingly, I am finding that many things we on the west coast of the US take for granted as factual and accurate are not considered to be the case by people I am now working with.

I loved living in Germany in the 1980’s and “traveling” in the Middle East and Africa in the early 1990’s because of the enormous exposure to other cultures and viewpoints. It allowed me to learn just how limited and parochial the perspectives I had been culturally raised with actually were and to greatly broaden my understanding of the world around me. And this company is giving me that same opportunity. I love it.

Posted in General, Life and Times | Comments Off on Interesting Things

Back to Basics …. Again

It appears that the bad guys who exploited Adobe in August, and stole ColdFusion and Adobe (maybe) source code, as well as millions of credit card numbers, used a well known ColdFusion vulnerability. What seems to have happened is that they were able to exploit an unpatched ColdFusion instance and then follow an attack vector that led them to credit cards and source code. For some of the details on this, see this story by Krebs.

And now it’s time for me to rail, once again, about the need for InfoSec and IT Operations to “do the basics”. C’mon guys, this was your own vulnerability. One you knew about, controlled the source code for, published patches for, etc. And you couldn’t patch it? How many times must the bad guys exploit basics like this, and then follow an internal kill chain to the crown jewels before we get serious about this problem?

This is exactly why I joined CORE Security … to help with this problem. Until these very basic issues are solved, all the advanced security stuff is pointless. CISOs need to stop fretting over BYOD. It’s time for them to get back to patching vulnerabilities and shutting down attack vectors into their networks.

Posted in BYOD, InfoSec, Security, Vulnerability Management | Comments Off on Back to Basics …. Again

Day 3 at CORE

Yet another day of fun at CORE today. Spent the day getting to know the people, figuring out critical strategies, and places where I can start inserting myself to have some immediate impact.

Started working on goals for the next 90 days with my boss, as well. Always good to know what you are supposed to do for the next quarter.

Today a few folks who have been reading Instapundit came over and read a few things I’ve written here when Glenn linked to my post about my new job. A few left comments and many thanks to them for starting to create a conversation. A prevailing theme appeared in those comments, both here and on Glenn’s blog, that I thought I would say something about.

I spoke of being in a war that we (the guys who are trying to protect information and property) are losing. The general tenor of the comments was that our government refuses to acknowledge there is a cyber war happening. And that even if they do, the government has made it much worse through the spying, eavesdropping done by government agencies and the insertion of security holes and backdoors in certain types of software products that provide protection of data through encryption.

Although I often am critical of the Obama administration, this is an area where I am not particularly critical. Here’s why.

1. About the war. Actually, the Obama administration has been much more conscious of cyber-security and the conflict around data theft, cyber warfare attacks and much more. The FBI and other agencies have been willing, nearly, to name names when it comes to who the bad guys are. And the administration has definitely tried to do some decent work around improving government cyber-security. Now, to call it a war is not something the government should do if we aren’t prepared to wage war at a national level. And frankly, we aren’t and we shouldn’t be.

2. About the NSA spying on Americans and back doors in encryption tools. I am quite critical of what is happening here and very strongly opposed to it. However, to be frank again, the issue is one that has been going on for years, decades even. It’s not an Obama administration only issue, or a Democrats only issue. It’s a significant governance and constitutional problem. But let’s be really clear. The bad guys are not succeeding because of any of this. The reality is that they are winning because we are not doing the basic job of securing people and computers that should be done. It’s a big part of why I joined CORE; they are bringing new capabilities to bear that can really change this issue.

On this particular topic, I believe I can speak with some authority. I’ve been part of work groups that have provided input, advice and expert opinion to the Obama administration on what the Federal government can do to improve cyber-security in meaningful ways. And they have actually listened to some of what the industry experts had to say.

On top of that, I have spent time and energy (like my whole life) in this field, first military, then physical and then information security. I can claim to know something about it. I can say, with great accuracy I believe, that those of us on the good side of this fight are definitely way behind the bad guys right now in terms of processes, tools and capabilities. We need to change that before we start claiming that NSA back doors are the problem.

Posted in CyberWar, FUD, General, InfoSec, Life and Times | Comments Off on Day 3 at CORE

It’s Day Two

And I am having a blast here at CORE Security! Got to be part of the quarter end yesterday … I think that was really good, making sure I experienced the craziness as everything came down to the last couple hours of the quarter. It’s been a long time since I was in an operational organization driven by that sort of thing. I needed to experience it again. And having it be Day One … that was really the right thing to get my head in the right space.

Of course I’m having fun, it’s a new job. But it’s the sort of job I really like … focusing on the future, on strategy, on people and on solving problems. I love that sort of thing. And right now I have the opportunity to make a huge difference in this organization and to the security industry as a whole.

Boston is gorgeous right now, beautiful Indian Summer going on. Have been walking to work every morning, not something you can do easily in Seattle at this time of year.

Life is pretty good!

Posted in General | Comments Off on It’s Day Two