Saturday, December 09, 2017

Keyloggers in HP Drivers? Not sure, but… Healthcare? Retail? Money?

I received one of those updates from one of those lists on LinkedIn this morning. The headline read "Keylogger found in HP Printer Driver". When I went to read the piece — keyloggers interest me — it had been removed from LinkedIn. The removal might mean it was false, or premature… I'm not sure. What I do know is this: keyloggers are a pervasive, cancerous threat to information security and to the operations that worry about it.

Yesterday during a CTAC demo for a large healthcare company, I ran a quick demo using the API. I pulled everything from every sinkhole that we monitor for anything with the word 'health' in the industry field, domain, or email address.

This one query returned 8,990 records going back to 2016 (855 of them from 2016, significantly fewer), with 73 unique addresses reporting to 23 sinkholes.
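The kind of query described above, as an added example rather than the CTAC API itself: the record layout (a timestamp, industry, domain, email and sinkhole name per beacon) and the handful of sample beacons are constructed for illustration. It filters on a case-insensitive substring across the three fields, then produces the same summary numbers the demo reported (records, records per year, unique addresses, unique sinkholes). Note the caveat a practitioner hits immediately: a bare substring like 'health' also matches domains such as healthyfoods.example, so the hit count is an upper bound until you review the matches.

```python
"""Filter and summarise sinkhole beacon records by keyword.

Added example; not Wapack Labs' CTAC API. The record fields below
(seen, industry, domain, email, sinkhole) are an assumed layout, and
SAMPLE_RECORDS is constructed test data.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample beacons, one dict per sinkhole connection.
SAMPLE_RECORDS = [
    {"seen": "2016-03-02T10:11:00", "industry": "Healthcare",
     "domain": "clinic-a.example", "email": "billing@clinic-a.example",
     "sinkhole": "sh-01"},
    {"seen": "2016-07-14T08:02:00", "industry": "Healthcare",
     "domain": "clinic-a.example", "email": "billing@clinic-a.example",
     "sinkhole": "sh-02"},                      # same victim, second sinkhole
    {"seen": "2017-01-20T22:45:00", "industry": "Retail",
     "domain": "healthyfoods.example", "email": "orders@healthyfoods.example",
     "sinkhole": "sh-01"},                      # substring false positive
    {"seen": "2017-05-09T03:30:00", "industry": "Finance",
     "domain": "bank-b.example", "email": "ops@bank-b.example",
     "sinkhole": "sh-03"},                      # no match
    {"seen": "2017-11-30T15:00:00", "industry": "",
     "domain": "health-system-c.example", "email": "it@health-system-c.example",
     "sinkhole": "sh-01"},
    {"seen": "2017-12-01T09:15:00", "industry": "Healthcare",
     "domain": "clinic-d.example", "email": "",
     "sinkhole": "sh-04"},                      # no address captured
]

SEARCH_FIELDS = ("industry", "domain", "email")


def matches_keyword(record, keyword):
    """True if keyword appears (case-insensitively) in any search field."""
    needle = keyword.lower()
    return any(needle in (record.get(field) or "").lower()
               for field in SEARCH_FIELDS)


def query(records, keyword):
    """Return every record that matches the keyword in any search field."""
    return [r for r in records if matches_keyword(r, keyword)]


def summarise(hits):
    """Headline numbers for a result set: totals, per-year, unique victims."""
    by_year = Counter(datetime.fromisoformat(r["seen"]).year for r in hits)
    return {
        "records": len(hits),
        "by_year": dict(sorted(by_year.items())),
        # Blank addresses are not victims we can name, so they are excluded.
        "unique_addresses": len({r["email"] for r in hits if r.get("email")}),
        "unique_sinkholes": len({r["sinkhole"] for r in hits}),
        "earliest": min((r["seen"] for r in hits), default=None),
    }


def victims_by_domain(hits):
    """Group the distinct addresses seen per domain, ready for review."""
    grouped = defaultdict(set)
    for r in hits:
        if r.get("email"):
            grouped[r["domain"]].add(r["email"])
    return {domain: sorted(addrs) for domain, addrs in grouped.items()}


if __name__ == "__main__":
    hits = query(SAMPLE_RECORDS, "health")
    print(summarise(hits))
    for domain, addrs in victims_by_domain(hits).items():
        print(domain, addrs)
```

Running it against the sample data reports 5 matching records (2 from 2016, 3 from 2017), 3 unique addresses and 3 sinkholes; the healthyfoods.example hit is the substring caveat in action and would be dropped on review.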

We know of roughly 1250 sinkhole locations that capture everything from healthcare to bank accounts to porn. The idea that HP print drivers are (may be) compromised with keyloggers would not be surprising.

The idea that we can pull meta data on these sinkholes during a live demo and have findings in almost every industry both thrills me as a collector and scares the hell out of me as a security guy.

The idea that there are keyloggers in HP Print drivers? This is yet to be seen, but I'd probably speculate that many drivers are likely compromised. Remember VPN drivers under XP? Who'd have thought those would have been compromised?

Keyloggers, from an attacker's perspective, are low-skill, high-payoff attacks. Deploy it, wait for a victim to click, let it report back, and collect the goods.

I'm keeping it short this week.
Until next time,
Have a great weekend (in the snow?)

Saturday, December 02, 2017

Announcing: Red Sky Small Business Alliance and a Day of Presentations

In the last few years we've had more and more experience with small businesses — banks, credit unions, port operators, supply chain companies, local NH companies, etc. — primarily in the area of fraud: account takeover, card-not-present fraud, new-account fraud, business email scams, and so on. It's only getting worse as fraud crosses information security boundaries, and many are left simply not knowing where to turn.

Heading into '18, we decided to extend a hand. We wanted to do something for and with small business. The SBA defines a small business as one with 1 to 500 employees, or up to 1,500 for a manufacturer.

Announcing the Red Sky Small Business Alliance. Red Sky Small Business Alliance is a no-cost community of companies who need cyber help: risk assessments, architecture support, log reviews, incident response support, forensics, best practice, and more. We have someone who can help.

If you're a small business, please join us this Thursday for a day of Fraud related educational presentations as we announce the newest Wapack Labs service, the Red Sky Small Business Alliance. The day is offered at no charge. We'll start the day with a brief intro to the new Alliance, followed by one of our most popular speakers and talks, Elizabeth (Liz) Shirley, the head of our Fusion Intelligence Team.

We have 100 seats available for the day. Come in for the day, or in and out as you desire. Registration is on Eventbrite.

When:     Thursday December 7th
Time:      9-4 EST
Where:   A bridge will be provided after registration

The Red Sky Small Business Alliance presents a well-timed online event -- 'CYBER FRAUD FOR CHRISTMAS'. Please join top cyber professionals as they share a series of presentations on fraud topics including scams, malware, and viruses.

Included in this event is a Threat Intelligence University (TIU) seminar on Scripting for Analysis & Hunting.
Sign up now, only 100 online seats available. Bridge information will be provided after you register. No tickets needed.


9:00 to 9:15 AM -- Introduction
Jeff Stutzman, CISSP | Chief Intelligence Officer & Co-Founder

9:15 to 10:00 AM -- Post Data Breach ID Fraud & Mitigations
Liz Shirley | Technical Director, Intelligence & Analysis

10:00 to 10:15 AM -- Cyber Fraud: Skimmers and ATM Malware
Chris Alexander | Cyber Analyst

10:15 to 11:30 AM -- How The Cyber Grinch Stole Christmas: Social Engineering And Scams Around Holidays And Major Events
Technical Support scams, viruses/phishing pages, and holiday scams.
Jesse Burke | Advanced Cyber Analyst

11:30 to 11:45 AM -- Typosquatting – What’s in a Name?
Scott Hall | Jr. Cyber Analyst

11:45 to 12:15 PM -- Evolutions in Business Email Scams
Aure Hakenson | Cyber Analyst

12:15 to 1:00 PM -- Hacking People's Lives with Google Sync
In reference to the recent Google Docs hack that went around, we will cover some of the unseen and convenient features that Chrome offers. If an account is compromised, these features can be used to exploit the end user and other accounts tied to the browser and email.
Sean Hopkins | Senior Security Engineer, H2L Solutions

1:00 to 2:00 PM -- Block Chain-Related Fraud
Yuri Polozov | Eurasia Desk Analyst

2:00 to 3:30 PM -- Threat Intelligence University (TIU) – Scripting for Analysis & Hunting
Chris Hall | Co-Founder, Principal Engineer

3:30 to 3:45 PM -- Closing Remarks
Jeff Stutzman, CISSP | Chief Intelligence Officer & Co-Founder

Saturday, November 25, 2017

Grand Challenge: Victim Notification at Scale

I've been thinking about this for several years. There are several people out there using the term "Grand Challenge" — Bill Joy, Bill and Melinda Gates, and others. I think it applies here. 

I have a friend who is a police officer in the Midwest. His wife owns a one-person candy store that takes orders for her handmade candy over the internet. She has an online order form, will take orders via a non-toll-free telephone number, and she lists a Gmail account for her company. My friend's wife could just as easily be a three-person credit union, a mom-and-pop logistics shop, or a hairdresser making appointments on his or her iCloud calendar.

In 2010 there were 27.9 million small businesses, and 18,500 firms with 500 employees or more. Over three-quarters of small businesses were nonemployers: a single sole proprietor.

Why do we care? 

According to the Independent, Google says that phishing attacks pose the "greatest threat" to users of its services. The company has studied the ways in which hackers steal people's passwords and break into their accounts. In the space of 12 months, it found 788,000 login credentials stolen via keyloggers (tools that secretly record every key you press), 12 million stolen via phishing (a method of tricking you into giving up your personal information), and 3.3 billion exposed by third-party data breaches.

Last week we blogged about the problems that we identified when attempting to notify individual and small-company victims of breach. These did not include the 3.3 billion exposed by third-party breach; rather, they were those infected by keylogger, phishing, drive-by, spam, or automation. What is the process for notifying not only the nearly 13 million Google users mentioned above, but also the 22 million showing up in our sinkholes, and the hundreds of millions showing up in others?

Who notifies my friend's wife when her computer gets breached and her customer accounts — payment information, shipping (presumably home) addresses, and other private information — are stolen by unscrupulous cyber thieves?

As far as I can tell, nobody.

Nobody notifies them. The identity monitoring services would never see the kinds of activity that Google (or we, as intelligence providers) see. They can sign on to notification sites like Have I Been Pwned, but HIBP doesn't run sinkholes either, so they wouldn't know. Troy specializes in third party breach notification, not intelligence.

Let’s fix that.

Last year we sent almost 200,000 notifications to the abuse email accounts listed in companies' domain registrations. This came with mixed feedback: some positive, mostly negative. This year we sent notifications to individuals. Out of all of the emails sent, we were marked as spam only once (thank you!), and earned a 97% reputation score with our transactional email provider. The email might have been worded better, but in talking with one of our Red Sky members, we were told that they too had received similarly mixed feedback when attempting their own notification campaigns.

Today, from sinkhole collections alone, we have recorded over 22 million sinkhole connections reaching out to command and control (C2) nodes that we own. What does that mean? It means that there are a ton of people out there who have no idea that they've been infected, and nobody else who is going to tell them about it. Worse, my bet is, they have no idea where to get help.

One company? Ten? Fifty? That's easy… How do we handle 22 million? Should it be done by a government? The US? The national CERTs? Where is the clearing house? And with the numbers growing exponentially, it's only going to get worse.

I see this as a Grand Challenge scale opportunity —one that is never going to be fixed with current technology, rather requiring education. 

Saturday, November 11, 2017

A Veterans Day Message

It's Veterans Day, and instead of my normal blog, I wanted to take a moment and acknowledge the vets, and the vet interns that we've brought into our small company.  We're small, but we pitch in where we can, and we very much enjoy training returning vets to do what we do. 

So first, to our team. These guys are the mentors, peer analysts, and instructors:

  • Me? USN and USCG
  • Chris: USA
  • Liz: USAF
  • Bill: CGIS (Ret), heads up our Veteran program (Thank you!)
  • Mac: USMC-R
  • John: USAF (Ret)
  • Pedro: USMC (introduced through Audrey at the VA, and full scholarship recipient at SNHU)
  • Brent: USMC (introduced through Audrey at the VA)

And to our interns — some did 15 weeks for credit, others have been here much longer, and some decide to stay even after the semester. To Audrey at the Manchester VA Hospital, the many people in the Veteran and placement offices at Southern NH University, and Peter at Manchester Community College: thank you for helping us help returning vets.
  • Jeremy (and buddy!): USMC (former Wapack analyst and full scholarship recipient at MCC)
  • Chris: USA (and SNHU student)
  • Jessica: USA (and SNHU student)
  • Phil: USN (and SNHU student)
  • Shannon: USA
  • Matt: US?? (and SNHU student)
  • Travis: USA
  • Inbound in January: Thomas, USMC and Manchester Community College
Thank you!

Saturday, November 04, 2017

Reducing complexity!? Small business?

A few minutes ago I heard a security pro giving an interview on television. He says that one of the best things that a company can do is reduce complexity. I don't disagree. However… the graphic shown here is VERY old, but I love it. The story it tells is amazing…

I consider myself an expert in IT risk. I think about it often. I think about the complexity that's built into our own computing, and the things that hide either just below the surface or sit just outside the fence waiting for someone to leave a door open, even a little bit. I used to give a talk: about an hour long, one slide. This one-slide talk discusses how, in any given environment, if you follow any one of the standards (NIST, SANS Top 20, ISO), there are at least 100 things that you need to do right every minute of every day — and if you miss one? The door's left open, and those automated threats are always there, always standing by, ready and waiting to pounce.

So let's think about this for a moment… let's frame the scenario. Let's say you're a small business: a 20-person company with public-facing internet, an online ordering system, and a product that's distributed digitally or in a storefront. Your computing environment might look like this:

  • 20 employees, each with two (or more) devices (computer and mobile phone): 40 devices
  • Servers and storage, handling digital data, processing work product, etc.: 30 devices
  • You probably have some kind of cloud environment; maybe you're hosted in one.
  • You'll likely use several Software as a Service providers for one or more of your internal needs: Google corporate apps, Microsoft Office, or something else.
  • VPN access into remote areas for sensitive work
  • VPN access into the company for remote workers
  • Externally facing operations: public-facing web servers, databases, etc.
  • Externally facing customer touchpoints: registration pages, shopping carts, etc.
Immediately, you can see, you have 40 user endpoints, plus 30 server/storage endpoints, plus the network infrastructure that connects them… 

You've got cloud infrastructure, customer facing infrastructure, email in the cloud. You're probably processing credit cards, and for all of this, you have absolutely no idea how many additional endpoints you've got data passing through or sitting on. 

And then, you've decided to implement your security standard… remember that 100 number that I talked about? It's probably conservative, but for even your small company, you only have direct visibility and control over a small portion of your total computing environment!

AND your stuff is probably in a cloud that HOSTS bad stuff —because they all do,  but that's a story for another blog! 

As well, buy any computer today —Mac or PC, and default storage is in the cloud. Wow! And if you try and turn it off, it gives you a warning that you'll lose access to your stuff! 

So, where do we reduce complexity? It seems to me like it's built into the process. It's one of the reasons that I love the intelligence and risk roles so much. I'm like the weatherman: I'm not (and won't be) right all of the time, but if I'm right more often than not, that's good. As a defender, you've got to be right every time. And the owner has to be able to pay for it all… and it's not cheap.

I get the question almost every time I speak in public —"What do you guys do?" We are a small company, and as an intelligence company, obviously we're targeted. We've set up controls but we must also stand guard. We trust some things in the cloud but not others. Our sensitive stuff is moated off —sometimes multiple times, and with few exceptions, passwords are dead to us. We require two factor authentication for just about everything. And as important as everything else? We know where the highest priority threats are coming from. 

Want to know more? Join us. I'll give you a presentation and show you how we do it!

Reduce complexity? I'm not sure that's even possible anymore, but I am sure that there are ways to offset it. 

Intelligence is one of the best value items that money can buy… It shouldn't cost you an arm and a leg. It should save you reading time. It should save you stress.  It should tell you what to protect from today, next week, and maybe next year; and you should be able to buy it from someone who doesn't want to sell it to you to get you to buy their box. 

Information sharing is the other. The latest buzz phrase seems to be 'trusted circles'. Find a group —Red Sky Alliance, the Financial Services ISAC, the Maritime ISAO, or one of the others that are out there.  Asking questions of others in a trusted, non-governmental environment is HUGE. Why non-governmental? Nobody wants to talk about themselves when there's a chance a regulator might be in the room. Use information sharing to learn how to fix your stuff —and then decide how you want to work with the government. Privacy is important. 

Climbing off my horse…
Until next time,
Have a great weekend!

Saturday, October 28, 2017

CTAC Attack! Fridays

How many times have you walked into the office, only to find your boss looking for answers to the threat of the day —you know what I mean. I saw this on the news this morning. What's it mean? or Hey boss, we just got hit with this and now you have to explain it (and fast!).

If you've ever been in one of these situations read on...

Every Friday afternoon at 2:00, we hold a short-form training session called CTAC Attack! CTAC is short for Cyber Threat Analysis Center, and it's the desktop of tools that we provide to our subscribers for their own analytics. CTAC Attack! goes like this…

The idea is that in 20 minutes or less, a presenter shows a group of analysts, virtually via webinar, how they use a specific tool, or a combination of tools, to solve analytic problems. 20 minutes is usually more than enough time to show the tool, describe how the analyst uses it to solve a problem, and then leave 10 minutes for Q&A. Presenters earn CTAC Attack T-shirts, and attendees are entered into a drawing to win one.

So this week instead of my authoring an opinion piece, I've recorded a short, two minute video summation of one of the sessions that I do. This is a tool that we bought from a startup. It was built to create books, but we liked it more as a search and answer tool, so we hired the founder to make sure we got it right, and after some slight modifications, this quickly became one of my favorite tools.

THIS is information sharing. We created a dashboard of our favorite tools. I love (LOVE) Pagekicker. Most of the other guys love CyberChef. We all love Kibana, and we share notes in real time via Slack.

Enjoy the video. Interested in seeing more? Drop me a note.

Until next time,
Have a great weekend!

Saturday, October 21, 2017

Sometimes you just need to talk to someone!

I've used the VA for my healthcare since leaving the Navy in 2001. In my opinion, it's one of the best deals going.  One of the things that you see from the minute that you walk in, are magnets, handouts, and wallet cards —seemingly everywhere —all designed for one thing; they give a vet a place to call when they're in crisis. Maybe that applies more to some than others, but for that one, who finds themselves in crisis, it could mean everything.

I was having dinner with Liz last night. Liz is the head of our intelligence team. We talked about the idea that since starting Red Sky Alliance back in 2012, people, laws, and trends have really changed. In Red Sky, for example, once-fertile two-way communication has become more the place where we get RFIs from members, deliver PIRs, and get asked questions about the intelligence we push through.

So in talking with Liz last night — who's given talks to over 1000 people in the last three weeks, her audience largely bankers, the majority from smaller institutions, all on fraud, a subject we know well — she says, you know what? These companies just want a place where they can ask questions, not necessarily share a bunch of information.

"They're not all big companies," she says. The majority of those she's talked to haven't built an internal, 200-person infosec team (like many of our original members), nor do they have dedicated intelligence. They have Directors of IT who many times find themselves double-, even triple-hatted: CIO, CISO, analyst, fraud person, privacy, and general go-to person for anything wrong with the IT. They participate in free groups and pull down as much information as they can, and make do with it as best they can, but when they get stuck… they want to talk with someone.

And for the last four years, this is exactly what Red Sky Alliance has been. Red Sky Alliance is a place to talk to an analyst. Not only can you talk to a Wapack analyst, ask the RFI, or get your intelligence, but Red Sky still today maintains roughly 40% month-over-month participation, not including my own analysts. Companies come in when they want to talk, when in crisis, and they get expert feedback from folks dedicated to monitoring the chatter, pulling apart code, and tracking the fraud. And when we don't know the answer, someone else usually does. Did I mention 40% participation? Yeah, someone else usually knows… it's called crowdsourcing, and it's amazing.

And in the coming weeks, we're making it easier than ever to talk to someone. We've been on Jive since the start, and realized the need is for more tactical communications. We're moving to a Slack-based platform starting November 1st. Tactical, mobile, and always on. Need to talk to an analyst? Compare notes? We're here; and so are about 60 of your closest friends. This isn't a group of 2000+, it's small trusted, and smart.

I think Liz stumbled onto our new marketing message. Talk to an analyst. 

She's dead on.


This week was the week for fraud. Liz has delivered three talks in the last two weeks to over a thousand people, is preparing to do another one this week, and will give a talk on cryptocurrencies in fraud next week at the MacKenzie Institute in Toronto. 

We published several pieces of analysis, one originally appearing to be a simple smash and grab leading us down another analytic path only to believe (still a WIP) that it may turn out to be a major data loss breach and even more, ongoing fraud —for over a year. 

Me? I'm speaking at ISC2 in New Hampshire on Tuesday and heading off to ZeroDay Con in NY later in the week. I'm looking forward to seeing some of you.

So until next time,
Have a great weekend!