Category Archives: Security

Matryoshka

Tommy Mothersbaugh caught an anomaly. For the first time in over a year of scouring security logs, he found something that shouldn’t have been there. He took the report to his boss, Mary Jordan. He knocked on her open door.

“What’s up, Tommy?”

“I think I got something here, Mary. It’s not much, but it’s something.”

“Whatcha got?”

Tommy held out the report and pointed at a traffic flow. “That’s a printer in our Panguitch office. Trying to reach a TOR exit node.”

Mary lifted up her glasses to squint at the tiny print. “Huh. You sure about that? Double checked it and all?”

“Yes. Something’s up with that.”

Mary set the report on her keyboard. “OK if I keep this for my report?”

Tommy nodded. “Anything else you want me to do for follow-up?”

“No, no, that’s OK, we just file our reports and then things move upstairs… By the way, I wanted to ask you something and I’ve got a few minutes before my next meeting. You want to get the door and have a seat?”

Tommy shut the door and sat down.

Mary propped her glasses up, over her forehead. “How would you like to do a field assignment? You’ve been doing good work here in Analysis, so it’s only natural that you eventually sample other types of work… if you’d like to.”

“Sure, yeah. I mean, yes, that would really be cool.” Tommy’s surprise turned to excitement. “Where would I be going?”

“Well, wherever they send you. You’ll go through an orientation and then the officer in charge will let you know your assignment. But we can get you there as soon as you like. Tomorrow, even.”

“Tomorrow?”

“Tomorrow.”

“Dude. That would be awesome.” If Tommy was a puppy, his tail would be wagging wildly.

“Well, pack up your desk and make room for your successor.” Mary’s smile got Tommy to jump up, shake her hand, and then zip over to his desk with his good news.

A short, waited interval after Tommy left, Mary opened up SightsAndScenes.com and clicked the “helpful” button by Barry7711’s review of The Dinner Bell restaurant in Muleshoe, Texas.

Instantly, a minor official in another nation received an alert on his phone. The text on Gleb Ivanovich’s phone read, “Text ACCEPT to 495 697 03 49 to receive information on your prize!”

Any English-language text with the phone number for the Kremlin was serious news. Gleb brought up his browser and checked which review for The Dinner Bell got an additional like. Following the liked review back to that user’s home town indicated where operational cover had been blown. And that cover had been blown in… Panguitch, Utah? What and where is a Panguitch? Even after looking up information on the tiny town, Gleb couldn’t believe it existed. Why they had bothered to put a system there that we had bothered to compromise, Gleb did not know. He shook his head and sent a PDF brochure of Bryce Canyon National Park to another minor official.

Sofiya Olegovna glanced over the brochure in Gleb’s email and checked the traffic records for that system. After a few clicks and a few presses of Page Down, she had the data she needed to review. Hmmm… we haven’t done anything with that system in a long time, a long long time… and neither have they. Was this something some other guys were doing? Sofiya thought some more and became certain. This was definitely the doing of some other guys. Sofiya moved to make her report to those who needed to know.

Mere moments later, a spam campaign sent out 3.2 million messages proclaiming the virtues of all-natural Xenon Hexafluoride capsules. Most of the spams were either eliminated by filters or deleted by the fools still suffering without antispam measures. There were, however, 2 people who did not delete the spams, but, rather, accorded them the most urgent of responses. One of those people was in a very quiet office in a very quiet building in a very quiet part of Northern Virginia.

The TINCAN monitoring project was one of the most demanding of analytical jobs, but one that had also produced much valuable intel. Cracking the Spam Code was possible only because of the incredible attention to detail by the steganographers working for TINCAN, searching for meaning in the grainy background images of the spams sent by agents of the rival power. Of course, the meaning in the images was always encrypted, but the one-way pad in the hands of TINCAN’s director provided the key, every time. And now, the urgent response from the person in the very quiet office brought a collection of letters and numbers to the TINCAN director for his one-way pad to work its magic.

Director Andy Garfield ran the decryption protocol. He nodded and dismissed the urgent responder, then contacted his counterpart in Systems Monitoring via a scrambled line. Even if a rival power or those other guys had access to the phone system, they wouldn’t be able to break the encryption on the line. And, besides, what was so unusual about two intel directors talking with each other?

As it turned out, the rival power *did* have access to the phone lines. And, while it was true that the rival power could not decrypt the phone conversation, the rival power nevertheless deduced that this particular conversation fit a pattern that had gone along with its recent spam campaigns. Agents and administrators within the bowels of the rival power’s intelligence community put the wheels in motion to bring the spam campaigns to a close. One or two more actual messages would be leaked, and then disinformation until they didn’t believe us anymore. After that, the spam would have served its purpose.

Director Claus Niklaus of Systems Monitoring answered Director Andy Garfield’s call. “This is Niklaus.”

“Hello Niklaus. Garfield here. How ya doin’?”

“Doin’ fine, Andy, yourself?”

“Got my health. Can’t complain. This a good time?”

“Sure is. What’s eatin’ ya, succotash?”

“Well, Claus, it’s like this. You got a system in Panguitch that came up in analysis earlier today?”

“Yeah, just a while ago.”

“Well, I know all about it.”

“Ya don’t say… Huh. Thanks for the info, Andy.”

“Always a pleasure to help out, Claus. Hang in there, buddy.”

“Sure thing. Thanks a heap. See ya.”

“See ya.”

They both hung up and Claus leaned back in his chair. Only way Andy would have known that is if he’d intercepted and decoded a message from the rival power regarding the Panguitch system. Only way the rival power would know about that would be if they had a mole in his organization or a tap on his lines or a hack on his systems. Time to hire a rat-catcher, Claus figured.

The next problem Claus faced was that this wasn’t a direct operation of the rival power’s. Had it been, they wouldn’t have used the Spam Code that Andy’s TINCAN people were taking apart. That meant that the other guys were mixed up in this. The rat looked to the rival power for money and benefits, but the compromise on the Panguitch system could be laid at the doorstep of the other guys. Claus put in a call to Lauren Bishop, Director of Internal Investigations.

“Joyful Snow Pea Restaurant, can I help you?”

“Sorry, wrong number. I misdialed the third number.”

“OK, no problem, goodbye.”

Claus redialed, properly, and got Lauren on the phone and let her know about the mole, and how he may or may not be working for us or them, but definitely the other guys.

Meanwhile, the cashier at Joyful Snow Pea Restaurant knew exactly what to do, based upon Claus’ message. She placed an order for 2 dozen cans of Hunan-style water chestnuts to the trade attache at the Chinese consulate in San Francisco. The trade attache, in turn, sent an email to Shandong Huaye Tungsten & Iridium Tech Co., Ltd., requesting a quote for 600kg of pure tungsten rods, 100mm diameter. That email kicked off an alert that went straight to the head of Bureau Nine of the Ministry of State Security.

He wasted no time in getting up and moving as fast as he could without running to his boss, hoping to get there before the head of Bureau 8. The head of Bureau 8 had an unfair advantage, as his office was 10 meters closer than his own.

The head of Bureau 9 sped past the door of Bureau 8. He smiled. Those speed-walking classes had paid off a great dividend. He entered his director’s office and did his heel-toe, heel-toe walk right past the secretary, into the director’s antechamber. He pressed a button and waited.

Still no sign of Bureau 8. The head of Bureau 9 smiled as he heard the buzzer indicating the director was ready to receive a visitor. He walked in, normally this time, and said only, “Panguitch cover blown.”

The director nodded and dismissed the head of Bureau 9. The head of Bureau 9 nodded and exited. In the antechamber, he saw the head of Bureau 8 cooling his heels. “No need to see the boss now, I got here first.”

“Damn. Just my luck, I was in the water closet when I got the info.”

“You know it is Bureau 9’s job to protect this ministry from infiltration by foreign agents. Why do you always meddle in our matters?”

“You know damn well it’s Bureau 8’s job to handle counterintelligence. We have to keep tabs on you guys in Bureau 9 when you step into our territory.”

“Is that what you will tell the senior director? That we are in your territory?”

“No, this is a small thing, not worth a fight… but what might be worth a fight is your bureau removing our microphones. Your department is not above suspicion of counterintelligence.”

“Well if you want your microphones back, give us back our cameras! We have to be certain that our counterintelligence team hasn’t been infiltrated by foreign agents!”

The head of Bureau 8 thought a bit. “Two microphones for one camera?”

The head of Bureau 9 nodded in agreement. “Send the draft proposal to me today, I’ll sign off on it.”

Both men returned to their respective departments. The head of Bureau 8 then reviewed the budget for next year’s office supplies. He circled the amount proposed for printer toner and noted it should be reduced.

Three days later, Tommy Mothersbaugh was just outside Panguitch Middle School in Panguitch, Utah, wearing a brown shirt with a printer vendor’s logo prominently embroidered above the left pocket. His instructions were to remove a printer from the faculty workroom and replace it with a similar model. He was then to deliver the removed printer to the e-waste center in Hurricane, but was to get there by way of Orderville and Zion National Park.

Tommy also had instructions to park at Zion National Park and to go see the sights for ten minutes, leaving his vehicle unlocked.

Tommy arrived at Zion and parked his car near a bunch of tour buses loaded with Chinese tourists. They all debouched from the buses around the same time he left his van. Tommy walked away, glancing back at the mob of Chinese tourists. He went to the main office, figuring he’d use the bathroom while he was there. After using the bathroom, he walked around in the gift shop and accidentally bumped into one of the tour bus drivers.

“Oh, sorry! Please excuse me.”

“Not a problem, no worrying.” Tommy was struck at the thickness of the driver’s Russian accent. Then again, lots of immigrants got jobs as drivers, such was the nature of things. Tommy never was sure about what things he should ask questions about and what things he should just let pass without comment, so he guessed this was no big deal and forgot about it.

Tommy returned to his van and checked the insides. Nothing was stolen, and the printer looked like it hadn’t been touched. Tommy shook his head at the instruction that made no sense and drove on to the e-waste disposal center. This field work was just as boring as analysis work, but at least he got to see some beautiful countryside on this mission.

Meanwhile, back on one of the tour buses, the Chinese tourists were talking animatedly about a small piece of electronic gear they had removed from the printer as the bus driver nonchalantly checked to make sure the bus security cameras were running properly.

Shock and Awe

Colonel Guaripolo was screaming into the field telephone in order to be heard. Bombs were landing all around and above his command bunker, even as Presidente General Trompeta was asking for a status report from the front. “So, Colonel Guaripolo, how are things going?”

Damn civilian in a general’s uniform! “Bad! Very very bad!”

“What do you mean, bad? How can things be bad? We have the finest weapons from the Estados Unidos! These are the best in the world! Those losers from San Teodoros have no idea how mighty our forces are!”

“With respect, sir, it is our own army of Nuevo Rico that are discovering the might of our forces!”

“What do you mean? Explain yourself, Colonel! At once!”

Colonel Guaripolo was tempted to stick his head outside so he could die a war hero instead of having to explain military matters to this buffoon. “Our air force uses GPS-guided munitions, correct?”

“Yes. Deadly accurate.”

“Only when GPS is working properly. We spent millions on the GPS bombs, San Teodoros spent hundreds on GPS hacking tools. Their facilities are all giving off false signals, so our weapons correct for that false signal.”

“That’s a shame. I knew some of those gringo arms salesmen were cheating us. Don’t worry, I’ll get our money back. Don’t you worry. We’re not getting ripped off on this deal.”

“Presidente General, with respect, those corrections made the bombs fall on our positions! We are bombing ourselves! The GPS hacking means we are bombing ourselves!”

The Presidente General’s voice condescended. “Stay calm, Colonel. No need to lose your composure. Be brave… wait a moment, can you please hold the line? Thanks.”

Colonel Guaripolo held the receiver in slack-jawed disbelief as the barrage began to abate.

Presidente General Trompeta clicked back over onto Colonel Guaripolo’s line. “Good news, Colonel. The aerial bombardment problem is taking care of itself. I just heard from Colonel Bodoque, at the Air Force. San Teodoros shot down our aerial tankers, so the planes have to return to base before they can deliver their full load.”

“Will we then go back to non-GPS guided bombs?”

“No, because all we have are the latest and greatest weapons. Looks like your securing of the Gran Poco region will have to be done without an air force.”

“Wait? No air force? But can’t they at least fly missions with what’s in their tanks without refueling?”

“Ha ha, you’re going to laugh when you hear this, but those clever little bastardos from San Teodoros have been in our military logistics network for some time. We thought those fuel tanks at the airbase were full up, but they’re actually close to empty. Can’t always trust the data being fed to your software, can you? Ha ha haaaaa…”

Colonel Guaripolo had no laughter for the moment. And then, suddenly, the unbombed Nuevo Rican tanks started to roll… backward. “Presidente General, sir, the tanks… are they fitted with autonomous operation software?”

“But of course! Finest tanks for us from the Estados Unidos! Even if all the people in them are dead, they can fight on!”

“Well, they have no people in them and they are in full reverse.” Loud crashes. “Some have collided with our artillery pieces.” Distant mechanic whines, dropping in pitch. “Others are on the main highway back to Ciudad Trompeta.”

“Really? That’s not what I ordered. The ones on the highway… log into every tenth one and delete its driving software! Morale only improves with a demonstration like that!”

Colonel Guaripolo’s head spun as he pondered for a moment how Presidente General Trompeta was trying to fight a cyberwar like a World War One field marshal. “Presidente General, we cannot even do such a thing – we’re still trying to set up our battle communication network!”

“The gringos said it could be done in minutes.”

“The gringos that dropped off the boxes of gear laughed at me when I asked how many minutes it would take. This stuff is worse than Swedish do-it-yourself furniture!”

Trompeta shifted into philosophy. “Ah, yes, Swedish do-it-yourself furniture… I lost, something like, 2 of my wives and 5 mistresses or so because of Swedish do-it-yourself furniture. Once, I lost a wife and a mistress on the same item! It was a chest of drawers, and you think those would be easy. Not so! There’s a step at the beginning where the drawing is very unclear and-”

The line cut out.

Trompeta became a tiny bit angry and felt a need to focus it on something. He pointed at an aide in the room. “Colonel Trivino!”

Colonel Trivino snapped to attention. “Sir!”

“Find out why the phones went dead. If it was because of hackers in San Teodoros, have Colonel Guaripolo court-martialed for incompetence in protecting our networks. If it was because Guaripolo hung up, have him court-martialed for insubordination!”

“Yes sir!” Colonel Trivino ran from the room, a barely-concealed sigh of relief punctuating the sound of the door closing behind him.

31 minutes later, Trompeta watched as a column of Nuevo Rican tanks rolled past the presidential palace… in reverse… A jeep drove up in the opposite direction and got in the left turn lane to enter the palace grounds. It had to wait a while for the tanks to finish their retreat to points as far away from San Teodoros as their hackers could drive them. Then the jeep turned up the palace drive and a uniformed man leaped from it before it even came to a stop, stumbling then rushing to the palace door.

A minute later, Colonel Bodoque was in Trompeta’s office. “Presidente General! The situation is grave! We have no air defenses! Communications are down, and with them, our ability to operate our weapons! We are wide open to a San Teodoros air attack!”

Trompeta pounded his desk. “Operate them manually!”

Colonel Bodoque dared to pound the desk back. “We can’t! We outsourced that task to an outfit in Taiwan!”

“What? I gave no such command!”

“Yes you did! When you ordered that private contractors would handle certain security aspects, just as in the Estados Unidos! A Taiwanese company put in the lowest bid and they’re in charge of our air defenses, except our connection to the Internet is down and they can’t reach our systems.”

Trompeta frowned.

Colonel Bodoque continued with his impertinent line. “It may be just as well. I heard that all those contractors were just kids that played a lot of video games. Nobody was checking quality or anything like that.”

Trompeta’s face began to darken with rage.

Bodoque did not fear Trompeta’s anger. “I would advise you at this point to get into your presidential jet and flee the country, but all our air traffic control systems are offline. Again, the privatization of government functions, as per your order.”

Trompeta slowly rose from his chair to regard Bodoque eye-to-eye.

He reached for the gold-plated pearl-handled revolver at his side.

Bodoque made no move. He only glared back at Trompeta.

Trompeta pointed his revolver at Bodoque. A quiet growl from the Presidente General: “Colonel Bodoque, I am relieving you of your command and then I am going to personally execute you for treason.”

Colonel Bodoque spoke just as quietly and forcefully as Trompeta. “You don’t have any ammunition in your pistol.”

Trompeta pulled the trigger. Click.

Bodoque continued. “My guess is that for the last few months San Teodoros has been intercepting our ammunition shipments. We keep saying we never got our bullets or bombs and our suppliers keep insisting that they’ve got the tracking information to prove that they arrived and were claimed. Probably more San Teodoros GPS hacking at work. But, as for me…” Bodoque pulled out his own automatic pistol. “… I ordered my ammunition on eBay.”

Trumped, Presidente General Trompeta dropped his pistol and raised his hands.

“Señor Trompeta, you are now under arrest, for crimes against the people of San Teodoros, and so on and so on. I, Colonel Bodoque, am taking charge in a coup d’etat.”

Bodoque had planned his coup well: his loyal soldiers had quietly acquired all the Nuevo Rican surplus military vehicles that lacked auto-driving functions as well as some powerful radio transmitters. As he rounded up the remaining Trompeta henchmen, a lone Nuevo Rican truck drove towards the San Teodoros lines, a white flag signaling the end of yet another brief Latin American border skirmish.

Bodoque was soon making a radio announcement, blaring from loudspeakers on the trucks in case the people were too busy trying to get to Instagram instead of patriotically listening to their radios. Bodoque followed the standard script for a successful coup, which one does after taking control of radio, television, and other telecommunications:
1. Say who is in charge
2. Say who is to be arrested
3. Order that everyone who is not to be arrested must report for work tomorrow
4. Announce the curfew

Bodoque didn’t want a mess like what happened when the Americans took over Iraq and forgot to make those announcements. While his mind was on the thought of American messes, Bodoque began to flip through a glossy arms catalog. He stayed away from the so-called “smart” systems at the back and focused his attention on the weapons that didn’t have anything to do with the Internet. The army of Nuevo Rico needed to re-arm itself, this time with weapons that couldn’t be hacked.

A Realistic Process for Dealing with Cloud Breaches

Given how cloud breaches are becoming more and more common, I would like to present a realistic process for dealing with them. I say realistic because this is probably already what is going on, but is not documented. So, here goes:

It starts with a proper management reaction when the vendor informs the firm regarding the breach:

Then your management will then need to do this privately:

But this should be their public reaction to the vendor’s notification:

Your developers will do this as they inspect the code:

Your security team will do this as they look at how the breach was done:

And then do this after they’re told they have to help clean up the mess:

Next, your developers will work hard on a new solution:

The security team will look over the developers’ solution and offer constructive feedback:

So the developers will take that feedback and refine their solution:

The network team may have some concerns on what the developers are hoping they can do in the datacenter:

Management may also have to deal with increased budget requests to implement the more secure solution:

And all the former employees are doing this as they hear the rumors and read the headlines:

And that, my friends, is how we can realistically deal with a cloud breach! I thank you for your time in reading this and hope it helps. 🙂

The Internet of No Fun

Little Bobby rushed in with the speed and joy that told the world he was five and a half years old and loving it. “Dad! A drone fell into our backyard! Can we keep it?”

Dad leaned out to the right to look at Bobby around his monitor. “Hold on there, sonny… have you done a VA scan on it?”

Bobby looked at the ground the way only a five and a half year old whose dreams were being confronted with harsh reality could do. “No…”

“What is our rule about bringing devices on to our wireless network?”

“No devices on the network until we’ve done a VA scan.”

“And?”

“And we’ve either patched or otherwise mitigated the vulnerabilities.”

“And?”

“And we’ve filed the change request documentation.”

“… And?”

“And we’ve got the change window scheduled, gosh, dad, you make all this no fun!” Bobby looked like he was ready to cry. Or update his resume and start looking for a new dad.

Dad knew that it was pretty much the same everywhere. Not wanting to see any turnover in the kid department, he worked on a consoling angle. “You think this is no fun? Then maybe it’s time I had you sit with me doing all the qualification testing so you’ll see just how much no fun this is for me, too!”

The shared experience reminded Bobby that he was in this together with everyone else. It’s not uncommon for five and a half year olds to express contrition and Bobby did just that. “Sorry, dad… I’ll go fire up the Kali Linux box…”

“There’s a good boy. Daddy has to go to a meeting now with Uncle Frank about next year’s family IT budget.”

“Are we gonna get a new firewall?” That exuberance again. Kids sure do bounce back, don’t they?

“Well, we’re still paying for Grandpa’s unexpectedly high syslog generation, but I think we might get a new firewall in Q2 next year.”

Bobby ran laughing down the hallway. “Yaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaay!!!”

The meeting with Uncle Frank went well and Dad was happy that there were a few more goodies in the budget besides the firewall that he’d be able to announce at the family Q4 wrap-up meeting on 25 December. Dad had just enough time to type a few lines of code and then Sara stomped in the way only a 13 year old expecting to be disappointed could do. “Dad, can I go to a friend’s house now?”

“Did you finish ringfencing all your old wearables?”

Exasperation permeated the room. “Yes. Dad.”

“OK, did you also wipe the config on our old perimeter router like I’ve been telling you to do for the last three days?”

“Yes. Dad. I did it. It’s all wiped. Are you happy?”

“Sara, don’t take an attitude with me or you’re not going out.”

“Sorry.” Not very sincere, but a dad couldn’t expect much better from 13 years old.

“All right, that’s better. Which friend did you want to go see?”

“Veronica.”

Dad was concerned. He really didn’t want Sara hanging out with Veronica. Veronica’s family didn’t have very good change management processes and it was common knowledge around town that they weren’t necessarily up to date on their patch management. “I would be happier if she came over here.”

“Oh God, not this again.”

“Well, Sara, you tell me. If I try to RDP to Veronica’s family’s domain controller, am I going to get blocked, or am I going to get a login screen?”

“Dad, they have a really secure password on it!”

“That’s not my point, Sara. You know as well as I do that I shouldn’t even be able to reach that server, let alone via RDP. Now am I able to reach that server or not?”

“Fine. You win. I’ll just rot away here.”

“Sara, that’s not a win for me. I just want you to be safe, that’s all. Even if you left your cell phone home, your shoes are still exposed. As are your pants, your shirt, those earrings, am I right?”

Sara rolled her eyes with the wild, limbic-system fueled thinking so prevalent amongst the 13 year old set.

Dad tried to persuade. “And what happens to the rest of your clothes if the ones you’re wearing now are compromised?”

“Dad! That happened ONE TIME when I was eleven! Why do you have to keep bringing it up?”

“Well, you seem to be on track to have it happen again, when you’re 13. I’d rather not have to deal with another breach.”

“What. Ever.” Sara exhaled hard, but then had an idea. “What if I put all my clothes on airplane mode, will that be OK?”

Dad considered. That was reasonable. “OK. You put them all on airplane mode and you can go to Veronica’s. Get mom to take you, though.”

“She can’t dad. She’s on a sev one TAC call with the refrigerator vendor. There was a problem with our proxy and now the licensing on the fridge is all messed up.”

“OK, let me just wrap up this IPS signature modification and I’ll take you, just as soon as I get it into production.”

Dad was ready to get out and drive around for a while, anyway. Drive wasn’t really the right word, since the car did it all itself, but it was best to have a parent go with a kid, just in case. Gary Rasmussen’s daughter knew how to hack past parental controls on cars and could go pretty much anywhere unsupervised. Then there was that fight that Linda Hartford’s son got into where he and that other kid, Jerry something or other, kept hacking the speed governors on each other’s cars so they’d barely crawl. Having a parent ride along tended to keep those kinds of teenage shenanigans from happening.

Grasshopper and Ant and the App Store

One day, at the beginning of spring, Grasshopper and Ant each got a new smartphone. They both chose the same make and model. They even had the same cell carrier with the same data plan. The only difference, apart from Grasshopper being of the order Orthoptera and Ant being of the order Hymenoptera, was their general attitude towards security in general and app permissions in particular.

Ant was very security-conscious. He switched off his GPS and other location services, activating them only when he needed them, and then turned them off again right away. When he loaded an app, he read carefully over what permissions it required. Any game, for example, that needed access to his contacts list was right out, as were other apps that seemed to need access to data that seemed unrelated to the primary function of the app. As a result, Ant did not have many apps on his smartphone. He did load quite a lot of music and ebooks on his phone for entertainment, but refused even to install Facebook or Twitter. He was just that kind of guy.

Grasshopper, on the other hand, loaded all kinds of games and apps on his phone. He didn’t care what permissions they wanted, he would load them up. He would load them up, use them for a while, and then forget about them and load more apps. Ant thought Grasshopper was out of control. Grasshopper thought Ant was a party pooper.

It may not surprise you, dear reader, to discover that Ant also checked his credit card statements regularly while Grasshopper had a more carefree attitude towards personal finance.

At any rate, all through the spring and summer and into the fall, Grasshopper combined hundreds and thousands of shapes into rows of three or more, built up digital armies and empires, and used every emoji that he could find. Ant, meanwhile, kept to his books and his music.

As the first snow of winter fell to the ground, Grasshopper got a letter in the mail that many of his credit cards had been maxed out. Grasshopper didn’t think that he’d made that many in-game purchases, so he checked over his recent statements in greater detail. He was shocked to discover a number of very large purchases on his account for goods that he had never received. Not knowing what to do, he went to Ant’s house and begged Ant for a few scraps of food to tide him over through the winter, for he had no means to purchase provisions, what with his maxed-out cards.

Ant chided Grasshopper, “I’ll give you nothing, foolish Grasshopper!”

Grasshopper felt like a melting snowflake. “That’s a bit harsh, Ant. Where is your pity? Your sense of charity?”

Ant growled on, “Look, those are obviously fraudulent charges on your accounts. Just call the credit company and have them removed. You’ll have to cancel all your cards, but-”

“Oh! Whatever will I do without credit cards?”

“Well, you could let me finish my sentences, for a start. As I was saying, cancel the cards, BUT you will get new ones in a few days. That’s how it works out. It’s possible that the charges were just simple fraud from one of your apps being a front for bandits or from you not using secure sites for purchases.”

Grasshopper began to dance a little. “Why, that is marvelous news! All will be well!”

“Quit interrupting me. And you could stand to be a little less manic-depressive, if possible. All will not be well if this is part of an identity theft. There have been a number of major breaches of late, and I’m sure at least one of the million apps you’ve downloaded was a headline. You should get a credit report and see if any accounts in your name have been opened up recently – and if those accounts also have maxed out cards. Then there’s a follow up with the IRS to see if someone files a fraudulent tax return in your name, to get a government refund sent to them. That’s just the start, really.”

Grasshopper was silent.

Ant said, “I’m done. You won’t interrupt me if you say something now, if-”

“Oh! Goodness! Identity theft! Whatever shall I do? Please, brother Ant, do you have an identity I can borrow to see me through the cold of the winter?”

“It doesn’t work that way, Grasshopper. I recommend you check out articles on what to do if you’re a victim of identity theft.”

“Why can’t you tell me more, O wise Ant?”

“Because I’ve never had my identity stolen! I don’t know what else to do, as I’ve never had to know!”

“Why haven’t you had your identity stolen?”

“Well, for starters, I’m careful about the apps I load on my phone. Now, do you mind? I’m with people, here.”

Grasshopper bid farewell and trudged home, sadder but wiser. One by one, he started to uninstall all his apps and vowed to never again blithely install a game that needed access to his web history, contacts, location, calendar, phone records, media folders, and core OS files.

Fox and Crow and the Strong Password

Once upon a time, Crow had a rather nice hunk of cheese. Rather than hold it in his beak, which would leave it vulnerable any time Crow wanted to talk, Crow placed it in a vault and secured the vault by means of a very strong password.

Now, Fox happened to be walking past Crow’s tree when he saw the vault in the tree’s branches and a computer system connected to the vault. “There’s something you don’t see every day!” Fox said to himself as he sat under the tree a while to watch what was going on with the vault and the computer, which really stuck out among the leaves and branches of the tree.

Crow noticed that Fox was making general observations. Being a rather clever animal himself, Crow decided to try to get Fox to move along before Fox learned enough to compromise Crow’s security. Crow shouted, “Move it, Fox, or I’ll start throwing acorns at your head!”

Fox replied, “But good sir Crow, I’m only resting in the shade of this lovely tree a moment! Would you deny a fellow woodland creature such a blessing in the heat of the day?”

Crow would have none of that. “There are plenty of trees around here, move your bushy butt!” With that, Crow started to pelt Fox with acorns.

Fox ran away, but was still determined to get at the contents of that vault, whatever they were. Only valuable things go into vaults, and there was a good chance that what was valuable to Crow would also be valuable to Fox. Fox thought of a plan on how to penetrate Crow’s security.

As a first step, Fox went to the nest of a killdeer bird. The nest was on the ground and it held four small eggs, really too small even for Fox to want to make a meal of them. Fox merely placed his paws near the eggs and waited for Killdeer to return.

When Killdeer came back from foraging, she saw Fox near her eggs and immediately pretended to have a broken wing, hoping to draw Fox away from her nest.

Fox would have none of that. “Easy, sister, I’m not falling for the broken wing con you killdeer run. And I’m not interested in eating the eggs. I’ll be happy to leave them alone if you have a simple conversation with Crow on my behalf.”

Killdeer was a little panicked, given how Fox was holding her eggs hostage. “I’ll go to Crow. What do you want me to say?”

A short time later, Killdeer hopped on to a branch in Crow’s tree. She introduced herself. “Hello Crow, I’m a security researcher. I’m checking with folks in this area to see if they’re using strong passwords to secure their valuables.”

Crow puffed up his chest feathers. “I have a very secure password, indeed.”

“Does it include upper and lowercase letters?”

“That it does, and more!”

“Does it include numbers and non-alphanumeric symbols associated with the number keys?”

“That it does, and more!”

“Does it involve a phrase so that you can use the phrase as both a memory aid and as a lengthy password?”

“That it does, and more!”

“Does it involve non-alphanumeric characters not associated with the number keys?”

“That it does, and more! Look, is this going to go on much longer? I got things to do.”

“Oh, that was pretty much my last question, Crow. If all those things are true, then you certainly have a nice, strong password. Although…”

“What?”

“Well, I just don’t know if it’s the strongest password possible. It may be good, but is it the best?”

Crow was a vain fellow and couldn’t stand the thought of his password possibly not being the best. “Well, what’s the best password you’ve heard so far?”

Killdeer said exactly as Fox had instructed her. “*aRRa(ud4B1t35Ar3Pa1nFu|”.

Crow laughed. “That’s only 24 characters! Mine is much better than that!”

Killdeer asked, “Well, what is it?”

Crow cackled out, “,,V4n!7Y_I5-tH3(f1477eREr_()f=7hE_S0u1,,”.

Killdeer nodded, “My! That truly is a great password. It absolutely sounds like the best one, ever!”

Crow nodded proudly. “Told you so.”

Later that night, Fox climbed up Crow’s tree. Red foxes like Fox normally didn’t climb trees, but Fox had watched a few YouTube how-to videos on how to climb trees made by some gray foxes, who themselves are famous for their climbing abilities. Once up the tree, Fox entered Crow’s great password into the computer and was able to access the vault. Although the large hunk of cheese made climbing down difficult, Fox managed the maneuver and made off with his ill-gotten gain.

In the cold morning light that followed the robbery, Crow saw the opened vault and his insides turned ice cold. Too late, he realized that a password is no good at all once someone else knows it.

Tortoise and Hare and the Internet

Once upon a time, Tortoise and Hare both decided to start their own e-commerce firms. Both received roughly the same amount of bank financing, but while Tortoise put some funds towards a firewall, an IPS, and an anti-phishing program, Hare went cheap on his firewall and put everything he had into fancy marketing materials. For storage, Tortoise kept his data on-premises while Hare put all his data into the cloud.

Hare thought he was pretty slick as he started to rack up contracts at a faster pace than Tortoise.

One day, though, a Big Bad Moose pointed his tools at the IP range that included the public addresses of both Tortoise’s and Hare’s firms. The Big Bad Moose didn’t specifically target Tortoise or Hare: their numbers had just come up, so it was their turn to be targeted by the Big Bad Moose. Next week, it would be the Big Bad Duck or the Big Bad Gerbil, or, well, {Big Bad {$SPECIES}} would pretty much define all the evil hackers out there in the land. Point being, there were lots of hackers of all different types, so one shouldn’t be surprised if a Big Bad Moose is trying to pwn servers.

While Hare’s cheap firewall was enough to stop Moose’s general port scan, it didn’t do a thing against Moose’s SQL injection attacks on Hare’s firewall or the spear fishing emails to CarrotFest that Moose sent to people in Hare’s company.

Meanwhile, Tortoise’s IPS caught the SQL injection attacks and his phishing defenses blocked the emails to LettuceCon that Moose had sent to Tortoise’s company. Moose didn’t care. In his work, some attacks worked and some just made one focus on the attacks that worked.

After the Big Bad Moose got some username and password combos for Hare’s network, he was delighted to discover that the RDP port was allowed in from the firewall to servers and desktops inside. Moose used the stolen credentials to get good stuff like financial details and company credit card info, which he then used to buy lots and lots of stuff for himself, particularly big-ticket items like home theater systems that would fetch a pretty good return on eBay in “unopened” condition. Once those transactions had cleared, he sold the credit card numbers.

Big Bad Moose then sold access to Hare’s open relay mail server to a Big Bad Komodo Dragon. Within seconds, millions of spam mails in Bahasa Indonesia were flying through Hare’s mail server, effectively shutting down his business operations. Worse, only a few hours later, Hare’s email server got black-holed. Hare had no idea about what to do to get back into production. Nobody at Hare’s company knew what to do except to shut down the email server, which they did for a day, allowing them to get off the blacklist.

But, as soon as they turned it back on, the Indonesian spam from Big Bad Komodo Dragon came back on, as well. Hare shut down the email server again and called a consulting company to assess the damage. When the consultants found all the penetrations on Hare’s network, they recommended that he flatten all his systems and start over. When Hare looked at the consultants like they were crazy, the consultants showed Hare where his servers were now storing illegal pornography. That got Hare to agree with the consultants.

Meanwhile, Tortoise kept going like business as usual. He even started to get clients that had dropped Hare, due to Hare’s extended outage.

Hare noticed how Tortoise was getting more business and reckoned that his was going to fail soon. Hare made a career change and got into consulting, so that he could share his lessons learned with other small business owners. Whenever he saw another business owner trying to go as fast as possible without putting much emphasis on security, Hare would say, “Not so fast, there, buddy! Let me tell you why slow, steady, and secure can win the race…”

Trump Confirms His Own Breach of Security

The story was earnest and hotly debated by partisans: The President of the United States, in discussion with Russian officials, revealed highly sensitive materials. Supporters of the president denied such things ever happened as opponents demanded answers.

Then, on Twitter, the president confirmed that he had revealed secrets to the Russians. He gave a reason that ostensibly justified the revelation in his view, but the kernel of the message was that, yes, Trump freely gave sensitive information to Russian officials.

This is disastrous. Not only did Trump speak freely about things best kept secret, he also allowed a Russian photographer into the Oval Office for an unrestrained photo shoot. What other pictures were taken in the Oval Office besides those of Trump and the Russian dignitaries? What documents would have been in view that the photographer would have recorded?

Back to the conversation: in US Army training films from World War Two, the message is emphatic – even if one reveals only bits and pieces of a fact, those bits and pieces are assembled with other bits and pieces to reveal a more complete picture. The training films illustrate this more complete picture with scenes of one’s brothers in arms getting slaughtered by the enemy and an officer delivering a post-mortem condemning those who talked.

Trump claims that he was being helpful and humanitarian. The training films talk about that: Name, rank, serial number, that’s all you tell them. Some observers speculate that Trump was bragging about what he knew. The training films talk about that, as well: Name, rank, serial number, that’s all you tell them. What about cooking up a story to deliberately mislead? The army’s advice on that is as simple as it is predictable: Name, rank, serial number, that’s all you tell them.

While it may not be illegal for a president to breach security, it certainly is unwise. It certainly also has consequences outside the legal system. Elements in what Trump revealed could indicate sources and methods used to acquire the information, even if Trump himself did not discus those things. Once the bits and pieces are combined, that more complete picture could have US intelligence assets picked up for questioning by enemies of the nation. It could have other partners in intelligence sharing hesitate and ask if what they share will eventually make it to the Russians by way of Trump. These consequences are serious.

Whatever his rationalization for revealing the information, Trump should not have revealed it. The Russians can help themselves with their own resources. Humanitarian concerns could be addressed in a host of other ways, without revealing sensitive information. Granted, there are certain topics that must be discussed in such meetings, but they must be discussed in a guarded and deliberate fashion, no matter how genial and cordial one’s discussion partners may be. For everything else, and I mean *everything* else, there’s only one answer and the US Army beat me to it: Name, rank, serial number, that’s all you tell them.

Shame on Mr. Trump. He can’t maintain proper security. How sad!

Meet the Hackers

Hackers… they’re a bunch of social misfits, loners, hoodie-wearing, energy drink slamming programming geeks, right? Well, no. They’re not. The bad guys with computers are not the sort to slide easily into media stereotypes. Most of them are members of criminal organizations or have nation-state backing. Awkward loners don’t fit in with the Russian Mob or the People’s Liberation Army. Gotta have team players in those groups.

Hackers don’t always use computers, either. Social engineering – also known as running a con job – is incredibly effective and simple to do. You’d be surprised how many people will give out their passwords when accused that they’re not strong enough. “Why, you better believe I got a secure password! It’s +O;66fg#3.>ha!” Hint: the password isn’t secure anymore if it’s been read out loud to someone else. It’s also not secure if it’s written on a notepad or post-it note.

Do you have someone that’s always asking questions about where things are on the network? That’s possibly social engineering. One guy did that at a company and learned where the financial data was stored. After a two month interval, a tiger team broke into the server room and stole that exact server. The thieves were caught and the connection to the inquisitive employee became evident. The people at that company were shocked to discover that a guy they all considered to be a cheerful, bumbling, balding co-worker was in fact in league with organized crime.

That guy, and others like him, are well-camouflaged. They blend in. They go to lunch with the rest of the gang. They have neither an excess, nor a deficit, of cool. They live in apartments and homes, they watch sports and reality teevee shows, they drink beer, they may not even know anything more technical than how to copy and paste and add an attachment to an email. Because, face it, if a guy copies a sensitive document and then sends it to someone that shouldn’t have access to it, that’s a data breach. A hack. And the guy that did it could have been a total shlub.

True, he could have been a more exotic chap, say, a soldier in an army unit responsible for espionage via computers. But that guy’s not working alone. He’s also not working on a short timetable. Guys like him or the organized crime types have all the time and patience in the world to find where the weaknesses are in an organization and then exploit them. They develop custom code, just like other corporations do, but their custom code is dedicated to undermining their target, rather than developing just-in-time strategic synergies. Most of what they do goes undetected for the simple reason that the vectors they use are either ones that haven’t been used before or their target isn’t looking where they’re active with .

If you like the shows with slick hackers with social flaws, keep on enjoying them, along with everything else that’s been Hollywood-ed up. But in your real life, the guy compromising your financial data is going to buy a case of beer and then have a trip to Disneyland. Be careful about the questions that you answer and hope that you’ve got a security team that has a data loss prevention tool in place, among other things.

The Myth of Efficiency

Would you like for your car to run faster? Well, it’s easy. Just shed excess weight on the vehicle. Get rid of the doors, seat cushions, seat belts, airbags, windows, the roof, electronic systems, and man! That car will MOVE!

What’s that I hear you say? It will be unsafe? Well, pardon me, but you wanted it to be faster. You said nothing about preserving the current level of safety.

And although I doubt that any sensible person would want to drive that vehicle at top speeds, we do precisely the same things with our Internet usage and our programs and apps. We want them to be as fast as possible and, if it means less security, we accept the higher risk by saying “I’ll be careful!” and then going forth to enjoy the higher efficiency without really being any sort of careful at all. Why?

It’s simple to my mind. Our brains are well aware of the possible bodily harm that can result from a car accident, so we reject a tradeoff of mayhem mitigation for super speed. But a computer application? A website? No physical harm can result from using those things, so why not worry less and enjoy them more? We simply don’t think of the potential financial and personal wreckage that could result from unsecured data transfers. We fail to see that the injuries from unsafe computing are very real and very damaging and very permanent. If we did see what could happen, we’d ask for the digital version of safety belts, every time.

I’ll point a finger at programmers and designers: they want their customers to have the smoothest experience possible. That smooth experience makes money or facilitates the making of money, so it’s no small thing. But, again, the blindness to the risks in the digital world mean that those designers and programmers aren’t necessarily thinking about the safety of that experience. This is particularly evident in the emerging area of “smart controls”. Smart controls basically turn a phone or a laptop into a giant remote control device for something that used to not be remotely controlled.

Even the idea of remote control doesn’t sound all that bad. Our teevee remote controls do just fine, don’t they? But would you maintain that benevolent attitude towards your teevee remote if some kid a mile away was able to interfere with your choices and put your channel choice on anything he wanted? It’s no mistake that a “nightmare scenario” in many a spy thriller or sci-fi flick involved The Bad Guy taking over the airwaves and forcing the world to watch whatever he dictated. Stuff like that really freaks us out. Well, how about a nightmare scenario in which The Bad Guy messes with your thermostat? Or forces you to order an extra gallon of milk? Or locks all the world’s ovens on cleaning mode?

OK, so those are all #firstworldproblems. But the ones that can hit the third world involve disruption of power grids or supply chains. How about a man-in-the-middle attack that scrapes a few pennies out of every bank account in India? In places where microcredit is embedded into the local economy, such an attack could destroy lives. Who would do such a thing? Well, there’s a Marxist insurgency in about a third of India, so there’s my first candidate to execute such a move.

A home with a closed, unlocked door offers more security than some of these highly efficient applications. I mean, at least the door is closed, so that someone has to make an effort to see what’s going on inside. Far too many apps send every transaction, back and forth, in plain text.

Now, there are some security measures that are as easy as locking a door. But there are also some security measures that are as difficult as putting on a suit of plate armor and mounting a horse. As one would expect, the more complete security measures are also those that involve the biggest drags on performance. But look at it this way: which vehicle would you rather operate, a unicycle with a solid-rocket booster engine, or a comprehensively-tested motor vehicle with excellent safety ratings from its excellent safety features? While the unicycle rocket will definitely move faster than that car, the car exposes its operator to a much shorter list of potential hazards. For example, “death due to improper aim at start of journey” is a biggie to consider with the unicycle, not so much with the car.

So it should be in the programming and development world. It’s my frustration as a security professional to see security treated as a cost that should be minimized. Too often, I’ve heard of businesses that refused to stand for a reduction in efficiency that later wound up with their doors shut for good within days of the major breach that happens in the early days of their existence. To treat security as a costly afterthought is tantamount to saying one or more of the following phrases:

“I’d like to have all my employees lose their job after a major breach, which is statistically bound to happen very soon.”

“I would prefer for my company’s intellectual property to be in the hands of my competitors, preferably without my knowledge or ability to get recourse through criminal and/or civil courts.”

“I feel much better knowing that, when my financial records are breached, the criminals involved will enjoy high levels of server uptime, plenty of bandwidth, and be ‘very satisfied’ with their experience in compromising my network.”

“Our company’s vision statement is: We will have synergies of poor security and high ease of use enable criminals to have first grab at our profits, even before we pay our fixed or variable costs.”

That last one might actually get shareholder attention.

But what to do? I’m not a C-something-O or a member of any board or anything like that. I can’t tell my company or any other company that there are areas where security is a joke, and that’s where to expect the next breach. Even if I was a CxO or chairman of the board, there’s no guarantee that I’d have all my company’s employees take security seriously enough to realize when they need to help implement it. This becomes a huge deal in major corporations, where employees tend to reject anything not done 100% by the book, and offer little or no help after making the rejection. Now, the “why” of that may have more to do with outsourcing and other heinous practices to control labor costs, but it does point up the old Machiavellian maxim that mercenaries aren’t going to protect you as passionately or as effectively as your own citizens.

So, if you want to predict where the next headline-grabbing breach will be, look for a major company with a massive contract labor pool in place of full-time employees, that also brags about how fast and effective its operations are. That’s where the money is and, chances are, also where the advanced persistent threats are already embedded in the system.

Who knows? Maybe even one of those threats is so embedded, it even has a section of actual employees tucked away somewhere that actually provide technical support for it. They file exemptions with anti-malware groups and open up firewall rules and away they go…

So, to sum up, efficiency without security is reckless endangerment. We should be ready to have things be at least a little slower so that we can enjoy a greater measure of security.

For more, feel free to visit and join up with http://www.networking-forums.com.