Back in the day hackers hacked to see what was possible. Why did they do it? Because it was there. I’m pretty sure Robert Morris said that. A lot of the most interesting and epic hacks in the early days of software were about pushing boundaries or learning systems for the simple joy of understanding how they worked. There are still a couple of areas like that left: the incredible checkm8 research comes to mind. Almost everything else out there is monetized.
Remember when virus writers wrote viruses to wreak havoc? Their goals might have been to destroy data, or cause chaos, or to spread the love. Now viruses and worms have been weaponized and monetized into ransomware.
As tensions ratchet up between the US, Russia, North Korea, Iran, and China, the cyberwarfare landscape is changing. The critical infrastructure we rely on every day is brittle and critically out of date. Industrial Control and SCADA systems touch almost every aspect of your daily life, from clean water and energy to transportation. The pieces are falling into place for a very scary outcome. If news headlines, global trends, and tech reports tell us anything about cyber security in Industrial Control and SCADA systems over the past few years, it’s that we are currently in a cyber cold war, and a full-on cyber war could follow in short order. Read on to see how I’ve come to this conclusion and why the controls currently protecting us are not durable beyond the short term.
Earlier this year I listened to Sabu talk. Sabu the hacker. The same guy who was the brains behind Anonymous, who knocked down email servers in Iran, who attacked DNS servers in China, who participated in the cyber fight during the Arab Spring. The same Sabu who turned on his fellow hackers, putting them behind bars in order to reduce his own prison sentence. This is a guy who has been on the dark side and come out to tell us about it. Can we trust him? Maybe not. But when he tells his stories about the dark side of the web he has credibility.
I certainly love Apple products, and I own most of them. But Apple really missed the mark with the physical Apple Card. I love the perfectly white surface, as well as the beveled etching of the Apple and MasterCard logos. Even the chip connector is remade to be symmetric and balanced. It is gorgeous. It is a failure of engineering. Apple struggles with form over function with almost every product it releases. The company’s obsession with shiny, reflective, and thin objects leads to scratches, glare, and bendy iPhones. Granted, the products are also marvels of engineering. The camera in my iPhone has all but replaced my DSLR, my Apple Watch hasn’t left my wrist in years, and I have yet to find a pair of wireless headphones that compare to the AirPods.
Since my last post, Protecting Yourself and Enterprise from Ransomware Attacks, on the history and impact of ransomware, I’ve gotten a few questions about whether Cloud Sync products like Dropbox, Box, iCloud, and OneDrive protect you from a ransomware attack. Cloud Sync products are different from Cloud Backup solutions like Mozy, Backblaze, or Carbonite. Backup solutions take a snapshot of your whole hard drive at certain points in time. Because of this, even if ransomware encrypts your hard drive and your backup syncs the encrypted files to the cloud, you will still have your pre-infection files available to you. Simply pick a pre-infection restore point and start from there.
I’ve had more than half a dozen friends and colleagues ask for my help in restoring encrypted files after a ransomware attack in as many months. Unfortunately, when ransomware is done “right” there’s little you can do other than restore from a backup and start again. You do have good backups, don’t you? Ransomware (like Cryptowall, WannaCry or Petya) is a type of malware that works by encrypting each personal document it finds and then deleting the original. It sends the key to its home servers and destroys the original local copy of the key. This leaves the victim with a bootable computer and a hard drive full of inaccessible files. A “ransom note” is left on the computer requesting that bitcoin be sent to an anonymous address. As nefarious as this seems, the customer service department of ransomware operations is quite good - I’ve talked to many people who paid the ransom and then were able to restore their files. The ransomware business model, ironically, supports better customer service than your local cable or internet provider.
Security enforcement is the traditional way of thinking about security, in which security teams are set up as a gate to pass before software is allowed to be released. Because of this, development teams see security requirements as hurdles to clear instead of valuable insights. This isn’t unreasonable; most security teams have set themselves up this way, standing as the last bastion of security. I’ve heard security colleagues even say things like “every vulnerability must be fixed before ship!” With an attitude like that it’s no surprise that development teams aren’t excited to work with security.
In this post I want to try something new. Rather than writing an article, I’ll capture a dialog between Joe and me as we discuss a topic that interests us both. On Joe’s recommendation, I recently read Getting to Yes, written by Roger Fisher, William Ury, and Bruce Patton for the Harvard Negotiation Project. The book is nearly thirty years old, but it has been continuously updated and it still contains lessons worth learning. As I read the book I found that I was already using some of the techniques, but there were many more that either I hadn’t been exposed to or that I was employing only partially, and as a result I was being less effective than I could be. Even more importantly, the book taught me an overall framework for thinking about negotiation that I can now use to improve both my personal and professional life.
I just returned from the 27th Defcon security conference. I’ve been attending for the last 12 or so years and it has been interesting and fun to see the conference grow and mature. Once intimidating due to the homogeneous attendees, lewd contests, and a “Try Harder” mantra, it has now evolved into a great place to learn and meet new people. Each year I speak at, or attend, a handful of security conferences. These range from the massive RSA Conference, where you can find hundreds of security vendors spending hundreds of thousands of dollars to hawk their latest security appliances, to small, locally run, open-source conferences that are run by engineers for engineers.
I was recently asked to give a talk about the state of AI in the field of Cyber Security. As I put together my comments, I found myself wondering, as I often do on this subject, why AI hasn’t made a bigger impact on my field. I’ve been thinking about how to use AI techniques to improve security results for nearly two decades, and while the tooling and platforms have gotten bigger and better, the impact I have been expecting has not yet materialized. Why is that?