Saturday, October 25, 2014

Change in blog format

I've taken a bit of a different tack on blogging of late. Rather than point out hard issues (that sometimes get fixed, sometimes not), I've started posting through the week. Posts to the Henrybasset Blog are announced on Twitter, LinkedIn, and Facebook, but because of issues associated with the use of a mailer system, I'm going to temporarily hold off on announcing via email. If you'd like to receive updates from my blog, please feel free to sign on, or follow me on Twitter at @henrybasset, Google+, or LinkedIn.

I'm keeping it short this morning... daughter's testing for High School admissions (can you imagine!).

Have a great weekend. Keep an eye out through the week. I'll be posting!


Friday, October 24, 2014

Moscow, Beijing poised to sign deal on joint cyber security ops

This is interesting to me.

"A draft treaty apparently outlines mutual agreement to the use of online operations to interfere with independent states in a bid to undermine sovereignty or disrupt social, economic or political order."

The idea that Russia and China are reportedly signing an agreement on November 10th for joint use of online operations is amazing to me.  For those of you who've heard me talk, I talk much about the idea of disintermediation... taking out the middle man.  Who, do you think, might those independent states be?  I'm guessing the US, maybe Sweden (just a wild guess after Russian flyovers, and a submarine off the coast of Stockholm), maybe Poland and Ukraine? Regardless, if you think for a moment that infrastructures in China are only used by Chinese hackers today, you're wildly mistaken.  The sky isn't falling, and it will take them a while to figure out how to work together (all new partnerships go through forming, storming, norming and performing... we'll see how long it takes)... but once they figure it out, the game changes.

Thursday, October 23, 2014

Poles who spied for Russia?

We've been tracking the Russia | Ukraine conflict for about a year, and last month one of our analysts speculated that we'd see cyber activity hitting Polish targets. It should come as no surprise. Poland has been looking for opportunities to reduce its dependence on Russian gas, which, by the way, travels through pipelines in Ukraine... seeing any patterns?

So this crossed my radar tonight when I had a few moments to settle in for the night. Intelnews has been talking about Russian spies in Poland.  Intelnews is one of my favorite sites for non-technical, geopolitically focused intelligence... and this is the third such piece I've seen in two days. And with the thought that Russia will continue to regain control, if not over Ukraine, then over the lines that pass their fuel to the EU, and also over those who attempt to find other sources, it is our belief that Poland will not only land in the crosshairs of foreign intelligence (from Russia), but also that we'll see the Putin/Ivanov cyber playbook continue, but with expanded new targeting.

So I scratch my head. With Cyber Berkut (a Ukrainian, pro-Russian hacker group) hitting the Warsaw Exchange in August, and the reporting of Russian intelligence operating in Poland... does it make sense that we see ISIS messaging in files pulled from the Warsaw Exchange today? I'm not jumping to conclusions, only looking at the pile of data with one eye closed and the other in a hard squint.

If it walks like a duck, quacks like a duck, and leaves little piles around my pond... Well, we're keeping an eye out for swimmers scooting over the water.

Warsaw Stock Exchange whacked? Cyber Berkut?

Pastebin indications of a breach at the Warsaw Stock Exchange. Here's the first public reporting we've seen, after reporting it to our members and customers.

According to other reporting, several thousand passwords and files leaked.  Apparently, there were also attacks attributed to Cyber Berkut in August. If you were at the FS-ISAC summit, I told you about Cyber Berkut and Green Dragon; they've also been used to attack a Ukrainian bank and governments in the EU.

Wednesday, October 22, 2014

iCloud... and of course, Apple's response

It doesn't call out attacks from China, but Apple does respond... in case you didn't know how to check it (I'm assuming that if you read my blog, you probably do... I hope you do...). Here are Apple's directions on how to check the digital certificate associated with the iCloud website.

"The iCloud website is protected with a digital certificate. If users get an invalid certificate warning in their browser while visiting, they should pay attention to the warning and not proceed."

I have a couple of thoughts on this.. you knew I would.

First, the iCloud website is indeed NOT protected by a digital certificate. The digital certificate in and of itself is part of a protection scheme, but I wouldn't hang my hat on a digital certificate keeping bad guys out of iCloud.

Second, leaving this to users to check ('pay attention to the warning and not proceed') strikes me smack in the funny bone. I want to laugh, but it hurts when I get hit there. Check that digital cert every time you log in. I wonder if my mom will check it when she logs in. Will yours?
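As an added example (not Apple's code and not from this blog), here is what "check that digital cert every time you log in" looks like when a machine does it instead of a user: a verified TLS connection, plus an explicit pin on the expected issuer so that a technically valid certificate from an unexpected CA is also refused. The sample certificate dict, the host name and the issuer name are constructed for the example.

```python
import ssl
import socket
import time

# Constructed sample shaped like ssl.SSLSocket.getpeercert() output (not a
# real iCloud certificate), so the verdict logic can be exercised offline.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.icloud.com"),),),
    "issuer": ((("organizationName", "Example Trusted CA"),),
               (("commonName", "Example Trusted CA Root"),)),
    "notAfter": "Oct 25 12:00:00 2099 GMT",
    "subjectAltName": (("DNS", "www.icloud.com"), ("DNS", "icloud.com")),
}


def _names(cert, field, key):
    """Collect all values of one attribute (e.g. commonName) from subject/issuer."""
    return [v for rdn in cert.get(field, ()) for k, v in rdn if k == key]


def evaluate_cert(cert, expected_host, expected_issuer_org, now=None):
    """Return (ok, reasons). Empty reasons means 'safe to proceed'.

    A browser already checks chain and hostname; the issuer pin adds the
    check a human is least likely to make: is this the CA we expect?
    """
    now = time.time() if now is None else now
    reasons = []
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if expected_host not in sans and expected_host not in _names(cert, "subject", "commonName"):
        reasons.append("hostname mismatch")
    if ssl.cert_time_to_seconds(cert["notAfter"]) <= now:
        reasons.append("certificate expired")
    if expected_issuer_org not in _names(cert, "issuer", "organizationName"):
        reasons.append("unexpected issuer")
    return (not reasons, reasons)


def fetch_cert(host, port=443, timeout=5.0):
    """Live check (needs network): verified TLS session, returns the peer cert."""
    ctx = ssl.create_default_context()  # verifies chain and hostname like a browser
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    PINNED_ISSUER = "Example Trusted CA"  # placeholder: record from a known-good session
    ok, why = evaluate_cert(fetch_cert("www.icloud.com"), "www.icloud.com", PINNED_ISSUER)
    print("OK" if ok else "DO NOT PROCEED: " + ", ".join(why))
```

Record the pinned issuer from a session you trust and alert when it changes; a silent change of issuer is exactly the signal a user looking at a padlock icon would never notice.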

China in iCloud? Like a freakin sticky booger!

Apple iCloud is (allegedly) full of Chinese hackers, grabbing personal photos, personal information, and presumably, my iTunes library! I'm thinking there's a simple and easy defense. Let them find my P90X starting pictures; it'll scare 'em off for good! They'll never come back!

Regardless, these guys keep coming back. So, two things. Chinese hackers as I know them aren't as interested in personal information (that's the domain of others) as they are in intellectual property and targeting Falun Gong. The MO (to me) sounds more like someone else using a Chinese infrastructure to pull off something more. iCloud isn't exactly known for hosting business, so I'm thinking (speculating only) that it's PII that the attackers might be after (or maybe they'll find the pictures of the iPhone 7??). To the money guys (meaning carders) full identities mean more money; PINs are more easily reset.

So is it Chinese? Is it someone else using Chinese tools? Tell me more!


Sunday, October 19, 2014

How do we achieve 100%?

I nearly always drive when I travel. I hate to fly. I drive because before or after a busy week, the time on the road lets me think, without the constant interruption of email, phone calls, etc. This is some of my most productive thinking time. I like to play audio books. Yesterday it was Moby Dick --I like the classics.

Yesterday, during my eight hour drive, one of the things that I thought about over and over, was a conversation I'd had with a security manager at one of the government agencies during the week. We talked about his small team, and the need for analysis, and as the conversation continued, he brought it back to the user. Here's what he said. It stuck with me...

Users get literally seconds to decide whether or not to click that email. They've gotten really good at recognizing run of the mill spam, and sometimes even catch the more advanced phishing, but still, our job is to give them the tools to help them during those few seconds. And if they make the wrong choice, then we need to be able to protect them. They really do try and do the right thing, but the emails can look very real. What are they to do? They rely on us.

So on the heels of yesterday's (blah) blog that I posted before hitting the road, I wanted to take a moment and address this very simple, but at the same time, very complex thought process.

This manager told me the story of an overzealous retired Air Force cyber guy who walked the halls, telling people, one at a time, that they needed help. He did threat briefs, helped users, and built a program --one office, one person at a time. Every office apparently has their own systems administration team, and none want to be 'that guy' who let their boss be embarrassed by having him or her click on spam. So they do an amazing amount of education and awareness. But again, it's not just the 90% that we must consider. And while it sounds unreachable, identification and mitigation of 100% of malicious emails must be the goal.

So how does that happen? Today, it doesn't. I've heard of email 'detonation' services that click on every link. DLP in this space is largely ineffective. Rule-based systems have too little flexibility.

So I put this to you...

Thoughts? How do we achieve 100% guarantees of user protection in their email? How do we protect a diligent user when they make the wrong choice?