You Can Run But You Can’t Hide


Running works for a while but hackers can, and will, find you. Every time we think we have outsmarted the little devils, they whip out another workaround and we become toast.

A classic example is biometrics.

Many cybersecurity analysts recently got excited about facial recognition technology. Finally, a silver bullet appears but zap, some enterprising security researchers just demonstrated a particularly disturbing new method of stealing a face. This one uses 3-D rendering and Internet stalking.

Earlier this month at the Usenix security conference, some guys from the University of North Carolina, Chapel Hill presented a system that builds digital 3-D facial models from publicly available photos and displays them with mobile virtual reality technology. It defeated facial recognition systems four out of five times. One out of five would be plenty, but this is a grand slam homer.

Biometric facial recognition systems use motion and depth clues to identify their targets so that a flat unidimensional photo won’t pass the snicker test. But a Virtual Reality-style face, rendered in three dimensions, can provide the magic stuff that these systems look for. And then if they can port it to a smartphone’s screen, so much the better. Which is what they did.

These guys of course used Facebook as their source, aka the new public library of biometric data, and they went about collecting images of their 20 volunteers the way any Google stalker might—through image search engines, professional photos, and publicly available assets on social networks like LinkedIn and Google+ in addition to Facebook. They were able to collect at least 3 and as many as 27 photos of each subject.

One of the researchers pointed out that many of their study volunteers were computer science researchers themselves, and most had made an active effort to protect their privacy online. Nonetheless, the group was able to find at least three photos of each of them.

They tested their virtual reality face renderers on five authentication systems—KeyLemon, Mobius, TrueKey, BioID, and 1D, all of which are available from the Google Play Store and the iTunes Store and are designed for protecting data and locking smartphones.

To test the security systems, the researchers had the subjects program each one to detect their real faces. Then they showed 3-D renders of each subject to the systems to see if they would accept them. In addition to making face models from online photos, the researchers also took indoor head shots of each participant, rendered them for virtual reality, and tested these against the five systems. Using the control photos, the researchers were able to trick all five systems in every case they tested.

Using just the public web photos alone, the researchers were able to trick four of the five systems with success rates up to 85 percent.

This is bad news for the facial authentication systems that have been proliferating in consumer products like laptops and smartphones lately. Google announced earlier this year that it’s planning to put a dedicated image processing chip into its smartphones to do image recognition, which is intended to help improve Android’s facial authentication, which was proven to be, well, a joke. In the same breath, Google warns, “This is less secure than a PIN, pattern, or password. Someone who looks similar to you could unlock your phone.” And, if that is so, then why bother at all?

While the UNC researchers agree that it would be possible to defend against their attack, the question remains as to how quickly facial authentication systems will evolve to keep up with new and rapidly evolving methods of spoofing. New systems will probably need to incorporate hardware and sensors in addition to mobile cameras and web cams, which will probably be challenging to implement on mobile devices where the hardware footprint is highly limited.

But none of this seems to dissuade vendors from ramming these immature and untested products out the door, or proud early adopters from glomming onto them. Documented risks be damned.

Reminder: In the Office of Personnel Management breach last year, hackers stole data for 5.6 million people’s fingerprints. Those markers will be in the wild for the rest of the victims’ lives. That data breach debacle, and the UNC researchers’ study, should clearly illustrate the troubling nature of cyber-security fixes in general and biometric authentication in particular.

When your fingerprint or your mug slips into the ether, there is no password reset button.


NSA Leak Spotlights Critical Cyber-Security Problem For Business


“The Only Thing More Dangerous than Ignorance is Arrogance” ~A. Einstein, part-time theoretical physicist

The recent NSA leak has revealed a set of critical security vulnerabilities in market leading network products from companies like Cisco, Fortinet and Juniper.

The code samples released by the Shadow Brokers this week proved that they indeed were able to steal sensitive National Security information from what is supposed to be the best protected government agency on the planet, the National Security Agency.

Up until now, the Obama administration has required that agencies reveal any vulnerability they discover exclusively to a White House review board prior to releasing any of that information to equipment manufacturers or software producers. The methods revealed by the hack have now been disclosed to the product vendors but as of this writing, not all have produced patches for their hardware. This conceit puts every user of those products at high risk until a patch is developed and applied.

Security experts are hoping the government will see this as a teachable moment. Baloney.

The United States law enforcement and intelligence agencies routinely purchase vulnerabilities unknown to manufacturers to hack into devices for the purposes of developing their own list of zero-days, resembling in a weird way a school-yard game of “Neener, neener, I’m smarter than you are.” Or, alternatively, “It’s my F**ing ball, and we’ll play by my rules or not at all.”

The NSA will say that this “Vulnerability Equity Process” (VEP), which allows them to justify which zero-days to keep for offensive purposes, is meant to minimize risk by keeping the risk arsenal as small as possible. Which might be acceptable if we were fighting a war in which the battlefield were contained to some physical coordinates and the source of weaponry were clearly identified as, say, Berlin, where we could “spy” on production and manufacturing and then get a step up on our adversaries’ methods and techniques. Or, even if we at least knew who our adversaries were.

By the administration’s own admission, hoarding zero-days makes commercial computing products less secure. And, it is not just The Shadow Brokers. Anyone with even the most rudimentary understanding of the landscape of cyber-security knows that other nations and cyber-gangs will be on to the same vulnerabilities at the same time or even before the NSA figures it out. The apparent belief that because they are the NSA, they are smarter than the bad guys not only fails the snicker test, it sets up a false sense of security for the citizens the agency is chartered to protect.

The agency is supposed to be responsible for global monitoring, collection, and processing of information and data for foreign intelligence and counterintelligence purposes, and charged with the protection of U.S. government communications and information systems against penetration and network warfare. That ship sailed.

To make matters worse, the code samples offered by the Shadow Brokers appear to be from 2013. Regardless of their purpose in releasing it (many suspect it was held by the Russian government and is now being dangled in public as leverage against the U.S. fingering Russia in the Democratic Party hacks), had the NSA been under disclosure orders instead of the current protocols, the leak might not have been the security fiasco it is now.

The fiasco is that the vulnerabilities affect arguably 80% of the global network install base, and because network infections typically dwell undetected for upwards of 300 days, it is possible that hundreds of thousands of networks are infected right at this moment. Cisco has quickly provided a workaround for one of two vulnerabilities and issued an advisory on the other, which was patched in 2011, in order to raise awareness among its customers. It doesn’t really matter that patches are being released. The damage is likely already done.

This leads to the inevitable questions related to IoT in the not so distant future. Should the NSA, NSC, FBI, or other government agencies be required to inform Apple immediately when they find a security hole? What if the subject of the investigation was a smart home alarm system instead of an iPhone? What if the vulnerability is in the infrastructure behind a city’s electrical grid, an airport communication system, a dam or water treatment facility or a hospital network?

As an example of the dangers implicit in the VEP, the Heartbleed Bug, which was made public in 2014, was a serious vulnerability in the widely-used OpenSSL cryptographic software library. The bug reportedly impacted the security of two-thirds of the world’s websites. It was widely reported that the NSA had been exploiting the Heartbleed Bug for two years prior to it being made public.

More recently, on April 14, 2016, the FBI, for the first time, disclosed to Apple a vulnerability affecting some iPhones and Macs. However, Apple announced later that the problem had already been discovered and repaired nine months prior to the FBI’s disclosure. This delay in disclosure raises serious questions about the effectiveness and the veracity of the VEP.

When the top hacking outfit on the planet is itself hacked, we should be concerned that keeping backdoors secure isn’t going to work.

Whether the Shadow Brokers hacked the NSA or the code was removed from the NSA by the Equation Group, the Agency’s own hacking group (more on them later), it appears to be a closely held secret that the agency was simply unable to protect. It is probably obvious that the theory that “the good guys” can create an encryption doorway that only the right intelligence agency will be able to pass through is bogus. Instead, it will always turn out that any back door of this nature will be easily hackable by anyone with a ten dollar toolkit.

For Cisco, the reveal may represent an unpleasant flashback to 2014, when Edward Snowden’s leaks demonstrated that the NSA was intercepting shipments of its equipment to install spyware. Then-CEO John Chambers wrote a letter to Obama at the time, arguing that the NSA’s practices had compromised his business. “We simply cannot operate this way,” Chambers wrote. “We need standards of conduct…to ensure that appropriate safeguards exist that serve national security objectives, while at the same time meet the needs of global commerce.”

It seems like it is beyond time that the government stops “protecting us” and starts reporting vulnerabilities it finds or acquires while there is still time for us to protect ourselves.

But, I don’t know. Maybe I missed a memo.

No pontificating, but I think it was some guy named Lincoln who, while memorializing the sacrifices of war to ensure the survival of America’s representative democracy, mentioned that the “government of the people, by the people, for the people, shall not perish from the earth.”

We Are Better Prepared for a Zombie Apocalypse


Last week, a discussion panel of cyber security and electrical industry stakeholders examined what could be done to protect U.S. public utilities from cyber-attacks, and what steps could be taken during a high-risk event to mitigate the effects on the grid.

It turns out that we now rely on our DoE regional coordinators in each of the 10 Federal Emergency Management Agency (FEMA) regions to work with first responders in the event of a natural disaster or a terrorist attack (which may be the same thing). The panel cited an agreement signed by the Secretary of Energy in February that identified these individuals as points of contact to share information with the DoE and states in the event of an energy supply disruption, as an important step toward cyber-security preparedness. This would supposedly serve to improve information sharing and communication during critical response activities.

I don’t know about you, but this sounds a lot like the ads for LifeLock where the “security monitor” tells the bank manager, “Yep, it looks like a robbery.” Except, those are supposed to be funny. This is not.

It gets worse. They went on to applaud the fact that they are working on preparedness exercises to be held by federal agencies and the private sector that would include annual studies on the risks and hazards that might affect the energy sector. And, we actually pay these people?

Someone should point out to this group that despite their heroic preparedness efforts, U.S. cyber security is not nearly as prepared as it appears. As Arthur House, commissioner for the state of Connecticut Public Utilities Regulatory Authority, warned, “The thing to remember about cyber security, we are far better on paper to take care of things than we are operationally. It’s not as if the president could turn to the secretary of energy in the event of a grid cyber-attack and say ‘turn it back on.’”

As we should have seen in the Ukraine power grid attack, the holistic strike vectors that disrupted restoration attempts immediately following the grid attack itself were the real problem faced by the Ukrainian security engineers and not just the initial strike on the grid. We are not even close to addressing let alone planning for a similar recovery disruption here.

It doesn’t take much imagination to conjure a scenario where an attack on the electric grid would be accompanied by an attack on our financial sector or another attack on our water supply at the same time. Or, simply an attack on our recovery efforts through brute force DDoS vectors against all of our FEMA sites and disruption of our communication protocols.

As recently as last year, Jeh Johnson, Secretary of Homeland Security, said “I’m sure FEMA has the capability to bring in backup transformers. If you want an inventory and a number, I couldn’t give you that.”

That might be because in fact, there is almost no such capability in the realm of large power transformers (LPTs). Even if we had them, as the STEP (Spare Transformer Equipment Program) people claim we do, how would we transport equipment weighing half a million pounds or more across interstate lines in a rapid response to a critical outage? According to FEMA representatives, as of this moment, that capability has never been tested.

LPTs are essential to the functioning of the grid. Because they are very expensive, only the largest and most profitable power companies can afford to keep backup transformers on hand. Because the transformers are custom-made, they are not easily interchangeable. Because the equipment is huge, it is not easily transported. Because these transformers are, on average, thirty-eight to forty years old, some of them were originally delivered by rail systems that no longer exist. Because the vast majority of LPTs are built overseas, it takes a very long time to replace them.

The federal response to Hurricane Sandy is an interesting case in point. In addition to hitting major sections of New Jersey and Long Island, Sandy flooded New York City streets, tunnels, and subways, effectively cutting off all electric power to Lower Manhattan.

They brought in power trucks, flown in from places as far away as California on DOD [Department of Defense] planes, to begin replacing the poles and the lines. At one point FEMA had about eighteen thousand people working in that area going door-to-door, bringing people food and removing them from unsafe buildings until they could get the power back on.

It took more than five days before any power was restored to Lower Manhattan, but 95 percent of New York’s customers did have their power back after thirteen days. Even with a relatively small emergency caused by a hurricane, thousands of homes were lost throughout the region and tens of thousands were rendered homeless.

Where, then, might you and I find advice on how to cope with the aftermath of such an attack?

Howard A. Schmidt, the former cybersecurity coordinator for the Obama administration, a principal in Ridge-Schmidt Cyber LLC, a Washington consultancy company in the field of cybersecurity and a board member of one of our technology partners, Taasera, says, “There is no answer.”

No government agency has guidelines for private citizens because, according to Schmidt, there’s nothing any individual can do to prepare. “We’re so interconnected,” he said, that in terms of disaster preparation “it’s not just me anymore: it’s me and my neighbors and where I get my electricity from. There’s nothing I can do that can protect me if the rest of the system falters.”

The electrical industry panelists agreed that best practices for cyber security protection include layered defenses, regulatory oversight, external third party assessments and internal governance. Excuse me?

As Ted Koppel points out in his book, Lights Out, it would be helpful if the political world would just accept that there are two permanent conditions that are going to affect future generations: one is the global scourge of terrorism, the other is the digital forevermore. Within that world of the “digital forevermore” lies the prospect of a catastrophic cyber-attack on one of the U.S. power grids.

And that is the existential reality that the new president faces. I hope he or she is up to the job.

Back From BlackHat, Oh My!


One major online reporter recently returned from the BlackHat Conference in Las Vegas with a list of what he thinks are the four cybersecurity topics that were rooting many conversations, both on the expo floor and among experts and analysts in the briefing rooms. If what he says is true, I now know why we haven’t made any progress in Cyber-security in the last two years.

The BlackHat Conference started out as both an opportunity to share research and to demonstrate the fragility of computing systems, and a chance to show off new tools and technologies to defend against threats. I have no idea what it is now.

This was the 19th year (amazingly) of this six-day event, which began with four days of intense trainings for security practitioners of all levels followed by a two-day main event including over 100 independently selected briefings, exhibits and awards.

Let me explain why the four topics depress me.

First, Behavior Baselining.

This simple-minded notion is based on the idea that a good way to determine if you have had a network infection might be to establish a baseline of normalcy and then measure subsequent variations to that baseline over time.

In order to establish a useful baseline, this process requires a period of around 6-8 weeks of baselining to establish these norms and account for occasional one-offs and anomalies.

Three years ago DarkTrace emerged on the Cyber-security software scene with a revolutionary approach to network infection detection using just that process followed by some pretty cool detection technology. DarkTrace has successfully raised over $85m in venture capital and purportedly has 1,000 customers worldwide.

DarkTrace was dismissed by most security analysts for two reasons: One, the baselining would not be able to identify an infection that already existed at the time the baselining began nor would it be able to detect an infestation during the baselining period. Two, it generated a ton of false positives requiring tuning down the filters to such an extent that the true positives might get easily lost in the noise.

The point is not that DarkTrace is a bad product; in fact we were their first American technology partner and I regard them highly. The point is that they and their technique have been around now for 3 years and there have been several followers and lookalikes entering the market. So, to say that Behavior Baselining is one of the four hot topics at Black Hat 2016 is either indicative of a security community that has been napping for 3 years or just plain wrong. I’m hoping for the latter.
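The two objections above (a pre-existing infection is learned as “normal”, and a tight threshold drowns analysts in false positives) are easy to see in a toy baseliner. The example below is added here to illustrate that argument; it is not DarkTrace’s or any vendor’s code, and the hourly connection counts, the 24-hour training window and the beacon size are constructed assumptions.

```python
"""Toy behavior-baselining detector (added illustration, not a vendor's code).

Learns a per-host baseline of outbound connections per hour from a training
window, then flags later hours whose count deviates from that baseline by
more than `threshold` standard deviations (a z-score).  The constructed data
reproduces the two weaknesses discussed in the post:

  * a beacon that was already running when baselining began is absorbed into
    the baseline and never flagged;
  * a benign one-off spike is flagged at a tight threshold (false positive),
    and loosening the threshold to silence it also raises the bar for real
    beacons.
"""
from statistics import mean, pstdev

TRAIN_HOURS = 24   # constructed toy window; the post cites 6-8 weeks in practice
BEACON = 30        # constructed: extra connections/hour from a hypothetical C2 beacon


def hourly_counts(hours=48, beacon_from=None, spikes=None):
    """Constructed sample input: ~100 connections/hour with a deterministic
    6-hour benign cycle (100..110), plus BEACON extra connections from hour
    `beacon_from` onward and any benign `spikes` ({hour: extra})."""
    spikes = spikes or {}
    counts = []
    for h in range(hours):
        c = 100 + (h % 6) * 2
        if beacon_from is not None and h >= beacon_from:
            c += BEACON
        c += spikes.get(h, 0)
        counts.append(c)
    return counts


def learn_baseline(counts, train_hours=TRAIN_HOURS):
    """Return (mean, population stdev) of the training window.  Whatever is
    in that window, malicious or not, becomes the definition of normal."""
    train = counts[:train_hours]
    return mean(train), pstdev(train)


def anomalies(counts, threshold=3.0, train_hours=TRAIN_HOURS):
    """Hours after the training window whose |z-score| exceeds `threshold`."""
    mu, sigma = learn_baseline(counts, train_hours)
    flagged = []
    for h in range(train_hours, len(counts)):
        # Guard against a flat training window (sigma == 0): treat any
        # deviation at all as anomalous rather than dividing by zero.
        z = (counts[h] - mu) / sigma if sigma else (0.0 if counts[h] == mu else float("inf"))
        if abs(z) > threshold:
            flagged.append(h)
    return flagged


if __name__ == "__main__":
    # Beacon starts after baselining: every post-training hour is flagged.
    print("infected after baseline:", anomalies(hourly_counts(beacon_from=24)))
    # Beacon was already present during baselining: nothing is flagged.
    print("infected before baseline:", anomalies(hourly_counts(beacon_from=0)))
    # Clean host with one benign spike (e.g. a backup job) at hour 30.
    clean_spike = hourly_counts(spikes={30: 20})
    print("benign spike, threshold 3:", anomalies(clean_spike))
    print("benign spike, threshold 5:", anomalies(clean_spike, threshold=5.0))
```

The pre-infected host scores every post-training hour well inside one standard deviation of its (already malicious) baseline, which is exactly the blind spot the analysts pointed to.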

Second, Active Response.

This topic is at least an indicator that our sensitivities have swung over to detection and away from prevention, and that alone is a good sign of progress. The premise here is that as organizations get better at detecting threats, the number of alerts their systems create also increases. This results in what security operations center (SOC) managers refer to as alert fatigue. Systems like DarkTrace don’t help. Due to the inability to respond, breaches persist for long periods of time. The Democratic National Committee hack is a good example of long-term resident infection.

Active response is suddenly a hot topic when we and others like us have been developing both human and automated processes that enable our ability to respond to an attack as soon as it is detected within the monitored environment. For 3 years.

This reporter outlines processes that include communication with secondary systems such as a ticketing system, or collecting additional data, or an automatic configuration change such as modifying a firewall to block communication with a bad actor. This is neither rocket science, nor should it be a new revelation.

What we should be talking about is improved machine response and artificial intelligence applied to the response mechanisms. It is hard for me to believe that active response is a hot topic in 2016.

Third, Security Analytics.

This is where we have to shout out a loud, C’mon Man!

He says that identifying trends and patterns in an organization is a good starting point to mitigate systemic problems as well as identifying threats and that there is a clear need for security and IT teams to use analytics to broaden their security and operations insights.

Security analytics have been around forever. They are better now than they were, but so are most things. This topic should have been extended to, or applied as, UBA (user behavior analytics), where we are looking for correlations and using abductive reasoning algorithms to detect suspicious behaviors or to improve access authorities in complex systems.

He describes security analytics as data analysis across multiple sources of data, often log data enriched with non-log data such as threat intel, in order to provide actionable knowledge to the security analysts and to security managers. There are over 20 such systems on the market and in addition most major software products have embedded functional analytical capabilities into their threat detection suites to provide just this capability. Again, not new technology and not new applications.

The place where we should be focusing security analytics is in IoT and in ICS and SCADA infrastructure, because it is there that we can get the best leverage for both vulnerability management and detection. And God knows we’re going to need it.

Finally, Public Key Cryptology.

I frankly have no idea why this topic is even relevant today. Beyond the fact that cryptography is embedded in most of the software and hardware systems that form the core of our financial systems and healthcare systems and has been leveraged by ransomware attackers, public key cryptology seems so old school that I am shocked it is even topical at this event.

We all know that public-key ciphers have never seriously challenged secret-key ciphers as techniques for encrypting large amounts of data and they are much slower than secret-key ciphers. It is also well-publicized that the public-key encryption process computes a mathematical formula using plaintext that has allowed attackers to exploit the mathematical nature of public-key encryption to uncover data in raw form.

Public keys have also encouraged successful brute-force attacks that break them and grab the corresponding private keys, which are used subsequently for masquerading during network attacks.

These are old and well-documented problems that have restricted ways that public-key encryption can be used safely.

One BlackHat training on public-key cryptology describes a focus on drawing out the foundations of cryptographic vulnerabilities and cryptographic exploitation primitives such as chosen block boundaries, and more protocol-related topics, including how to understand and trace authentication in complex protocols.

I’m sorry, but in my humble opinion if you haven’t got a solid handle on why you shouldn’t be using public-key cryptology by now, we are in deeper doo-doo than I thought.

So, there you are. Four topics from one of the premier conferences on Cyber-Security on the planet, and we are talking about three-year-old issues and technologies and approaches to solving very real, very current and very severe problems. And, none of the issues are relevant.

The next time I scratch my head and tell you how confused I am by our lack of progress, please refer me to this blog post.

The Dark Overlord: One Bad Dude.


A New Twist to Healthcare Cyber-Attacks and it’s Not Just Healthcare.

The recent cyber-attack on Banner Health Care, which was reported on August 3rd and looks like it compromised the data of 3.7 million individuals, likely will be the largest healthcare data breach reported so far in 2016 and we are barely halfway through the year.

What is unique about this attack apart from the sheer volume of records stolen was the attack vector; one not used before in the healthcare sector but hugely popular in retail. Banner Health says the breach started when attackers gained unauthorized access to payment card processing systems at some of its food and beverage outlets which led to direct access through the administrative network to the entire PHI database.

The obvious big red flashing light here is that the two networks were connected … as in, not separated.

Rebecca Herold, CEO of The Privacy Professor and co-founder of SIMBUS360 Security and Privacy Services, says breaches involving payment systems at healthcare organizations are frequently undetected. “Such systems are often maintained separately from the rest of the network, and often with the heavy involvement of the vendor who is supporting the systems. The POS systems have been shown to be notoriously lacking in strong security protections – yes, even when they have passed all PCI DSS [Payment Card Industry Data Security Standard] requirements.”

As we have reported repeatedly in the past, the Dark Overlord, who has now claimed to have breached databases of a number of healthcare entities, grabbing about 10 million patient records that he’s offering for sale on the dark web, may have struck yet again.

Previously an expert in ransomware for cash, the Dark Overlord has lately switched to a more remunerative resource based on stolen PHI records. Among the healthcare providers that have recently confirmed cyberattacks by the Dark Overlord is Athens Orthopedic Clinic in Georgia which reportedly lost 1,500 Athens Orthopedic patient records due to missing a Dark Overlord “ransom” deadline.

This is one bad dude. And, he is now claiming a new victim: a large healthcare software developer.

His advertisement went up on July 12 on The Real Deal, an online bazaar for stolen data, fake IDs and drugs. He is offering for sale what he claims to be the source code, software signing keys and customer license database for a Health Level Seven interface engine, a type of middleware that enables different kinds of software applications to exchange information. HL7 is a set of standards describing how electronic health information should be formatted.

In an interview over encrypted instant messaging, he declined to name the U.S. software company. Many vendors sell HL7 interface engines as part of their products. He also declined to say how he was able to compromise the company, but claimed he gained root-level access – meaning total administrative control – to its servers.

The Dark Overlord claims he also obtained the software’s signing keys. Software applications are usually “signed” with a digital signature, which then can be verified to ensure that a new version hasn’t been tampered with. Software companies guard those secret keys carefully. If stolen, an attacker could insert spying code into the application and sign it with the private key, making the modification of the code appear legitimate.

Our Dark Overlord buddy claims there are two target buyers for this data. One, a smaller country outside the United States that may be looking to purchase a complete package for a fair price and use this in their own development or retail it directly after compilation. Or two, someone who has nefarious intentions and would intend on using the keys to push a backdoor to the original customers of the victim company.

Over the last several weeks, The Dark Overlord has placed three other batches of data up for sale on The Real Deal: 48,000 records apparently from a clinic in Farmington, Mo.; 397,000 records allegedly from a healthcare provider in Atlanta; and 9.3 million records allegedly from an unnamed health insurance provider.

The Farmington breach victims have corroborated his story, and he has also provided additional information from that breach, including scans of driver’s licenses and insurance cards. The clinic has not responded to repeated queries.

Of the 165 major healthcare data breaches – not yet including the Banner Health attack – added to the Department of Health and Human Service’s Office for Civil Rights’ “wall of shame” tally so far this year, 51, or nearly a third, are listed as hacking incidents and represent 2.8 million individual records.

As of Aug. 5, the OCR tally of major health data breaches listed 1,624 incidents affecting a total of 159.2 million individuals since federal regulators began keeping track in September 2009. And while hacker incidents represent less than 13 percent of the total breaches, those incidents account for an astounding 74 percent of the individuals affected. So, where are those records going and for what purpose?

Healthcare records contain the most valuable information available, including Social Security numbers, home addresses and patient health histories — making them more valuable to hackers than other types of data. Stolen credit cards go for $1-$3 each. Social Security numbers are $15. But complete health care records are a gold mine, going for $60 each. Medicare records, which are rarer, start at around $400 each. The reason they are so valuable is because criminals can use such records to order prescriptions, pay for treatments and surgery and even file false tax returns.

With a common healthcare record, you can basically own a person. You have all the information necessary to create a new account and fake an entire identity.

The greatest threat to the healthcare industry today is not from one-off hackers seeking quick paydays, but from organized gangs and foreign governments that can store intimate personal health data for future use against individuals.

For example, hackers last year stole the records of about 80 million customers of Anthem Inc., the second largest U.S. health insurer.

The presumption was that they were state actors, and the purpose was to harvest the database in order to create a dossier of individuals that they could use for social engineering for future attacks.

In addition, foreign governments could use healthcare information to target government employees with emails containing notices related to medical conditions they may have. When a targeted individual opens one of those emails, malware infects his or her desktop computer and heads right into the network.

The research firm Forrester recently predicted that hackers would release ransomware specifically directed at medical devices in 2016. The Independent Security Evaluators study showed that through both physical USB plants and remote attacks, hackers could take over heart defibrillators, insulin pumps and machines that emit radiation.

Cyber security in hospitals is struggling to keep up with these threats. In addition to my own view, which has been repeated ad nauseam herein, other security experts like James Scott argue for more investment in security systems and personnel at hospitals. Scott’s think tank recently issued a paper that calls for better security among medical device manufacturers too, but the real problem, according to the paper, is the Food and Drug Administration, whose policies don’t go far enough to make sure device manufacturers are proactively addressing cyber security issues.

The agency’s voluntary guidelines are “just standards, not regulatory,” says Scott. “It’s like, ‘Do it, don’t do it, whatever.’ It’s a ho-hum mentality.”

The Dark Overlord claims to have compromised some organizations using a zero-day vulnerability in Remote Desktop Protocol, which is implemented in many remote access clients. See our most recent post. It’s actually more probable that the attacks have been successful due to weak passwords and RDP clients that are accessible over the internet.
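From a defender’s seat, weak passwords on internet-facing RDP are a detection problem before they are a patching problem: a guessing campaign leaves a very recognisable trail in the Windows Security log. The following is an added example, not code from the original post. It runs a small Python detector over constructed log lines modelled on event 4625 (failed logon) and 4624 (successful logon) with logon type 10 (RemoteInteractive, i.e. RDP), and flags any source that fails five times in ten minutes, noting if that same source later logs on successfully. The line format, the TEST-NET addresses and the thresholds are assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines, loosely modelled on Windows Security events 4625
# (failed logon) and 4624 (successful logon) as a SIEM export might render them.
# LogonType 10 is RemoteInteractive, i.e. an RDP session.  Addresses come from
# the documentation-only TEST-NET ranges; none of this is real data.
SAMPLE_LOG = """\
2016-08-02T03:14:01Z EventID=4625 LogonType=10 TargetUser=Administrator SrcIP=203.0.113.45
2016-08-02T03:14:09Z EventID=4625 LogonType=10 TargetUser=Administrator SrcIP=203.0.113.45
2016-08-02T03:14:20Z EventID=4625 LogonType=10 TargetUser=admin SrcIP=203.0.113.45
2016-08-02T03:14:31Z EventID=4625 LogonType=10 TargetUser=backup SrcIP=203.0.113.45
2016-08-02T03:14:42Z EventID=4625 LogonType=10 TargetUser=scanner SrcIP=203.0.113.45
2016-08-02T03:15:05Z EventID=4625 LogonType=10 TargetUser=Administrator SrcIP=203.0.113.45
2016-08-02T03:16:12Z EventID=4624 LogonType=10 TargetUser=Administrator SrcIP=203.0.113.45
2016-08-02T08:02:44Z EventID=4625 LogonType=10 TargetUser=jdoe SrcIP=198.51.100.7
2016-08-02T08:03:10Z EventID=4624 LogonType=10 TargetUser=jdoe SrcIP=198.51.100.7
2016-08-02T09:30:00Z EventID=4625 LogonType=2 TargetUser=jdoe SrcIP=-
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<ltype>\d+) "
    r"TargetUser=(?P<user>\S+) SrcIP=(?P<ip>\S+)$"
)


def parse_events(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or unrecognised lines rather than crash
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
            "event_id": int(m.group("eid")),
            "logon_type": int(m.group("ltype")),
            "user": m.group("user").lower(),
            "ip": m.group("ip"),
        })
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Flag source IPs with >= threshold failed RDP logons inside any window.

    Returns {ip: {"failures": n, "users": set, "success_after": user_or_None}}.
    A success from an already-flagged source is recorded because that is the
    case that needs a human immediately: the guessing may have worked.
    """
    alerts = {}
    recent = defaultdict(deque)  # ip -> deque of (ts, user) inside the window
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["logon_type"] != 10:
            continue  # console and network logons are out of scope here
        ip = ev["ip"]
        if ev["event_id"] == 4624:
            if ip in alerts and alerts[ip]["success_after"] is None:
                alerts[ip]["success_after"] = ev["user"]
            continue
        if ev["event_id"] != 4625:
            continue
        q = recent[ip]
        q.append((ev["ts"], ev["user"]))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= threshold:
            a = alerts.setdefault(ip, {"failures": 0, "users": set(), "success_after": None})
            a["failures"] = max(a["failures"], len(q))
            a["users"].update(u for _, u in q)
    return alerts


if __name__ == "__main__":
    for ip, a in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(ip, a["failures"], "failures against", sorted(a["users"]),
              "then success as", a["success_after"])
```

The single mistyped password from 198.51.100.7 never reaches the threshold, while the burst from 203.0.113.45 is flagged on the fifth failure and escalated when the same address logs on as Administrator a minute later. Cycling through several usernames from one source is the signature of spraying rather than a forgetful user, which is why the alert keeps the set of targeted accounts.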

It’s not just a healthcare problem. Critical infrastructures from utilities to traffic lights to municipal personnel databases are fumbling through the same jungle of cyber security unknowns. And as more and more of our physical world becomes networked and connected to the internet–the embedded sensors in our streets, the Internet of Things in our kitchen appliances, the “smart” cities all around us–there’s a sharply growing potential for cyber-attacks that have not just digital but dangerously physical ramifications as well.

And massive health data breaches are not going away anytime soon. In fact, they will get worse. As hackers become more sophisticated and organizations continue to fail to even catch up, we will see more and more reports of these types of breaches and escalation of the impacts. PHI will continue to bring high value on black markets and more of it will be stolen.

Until everyone places a higher, determined and ongoing emphasis on cyber-security, our personal healthcare data along with all other forms of stored PII will continue to remain at risk.

And, soon our interconnected physical world will start to make headlines as attacks are successfully aimed at critical infrastructure in healthcare, energy, transportation and defense.

Cyber-Crime Outpaces Cyber-Defense

Just when you thought it couldn’t get any easier, cybercriminals have just received a new gift that lowers barriers to entry even further. is a newly re-launched Russian website that makes it easier even for less technically skilled individuals to become cybercriminals. It handles everything one needs to run an online store, including anonymity and security, payment services, website design, and protection against DDoS attacks, all of which allows even individuals with low and even non-existent technical skills to set up a cybercrime shop, and all for only $8/month (same as Hulu).

The service has quickly amassed over 25,000 subscribers who have earned a total of 253 million rubles or about $3.8 million US, and the most interesting thing about this service is that it is readily available on the surface web, the first of its kind that doesn’t hide down in the depths of the dark web. This is clearly a thumbing of the nose gesture on the part of the Russians aimed at US attempts to counter cyber-crime and economic insurgency.

Operating on the surface web, however, doesn’t preclude the site from hosting nefariously illegal sites like, which is used to sell hundreds of millions of compromised user accounts from LinkedIn, Myspace, Twitter, and in fact a majority of the sites hosted on the platform specialize in social media accounts registered by bots, stolen credentials, coupons for services that provide social network followers, and accounts for banking and other services that are directly monetized.

This is one of the moving parts that has led to the fact that a record-breaking half of the six million fraud crimes committed in the UK in the 12 months ending March of 2016, are cyber-related. If you have to assemble your own exploit kit and if you don’t have a channel for distribution, it is hard to make a living selling stolen IDs. is aiming to solve that problem the same way that Alibaba created a market for everything and anything as the world’s biggest online marketplace.

One measure of this move into online crime is that people are now six times more likely to be a victim of plastic card fraud than a victim of theft from the person, and around 17 times more likely than robbery.

Victims of fraud differ from other crime victims. They come from higher income households than victims of violence. They tend to be in managerial and professional occupations rather than manual occupations, students or long-term unemployed. There is also a strong indication that those living in the most affluent communities are more likely to be affected than those in urban and deprived areas. This is not surprising since it is the same groups that are most likely to be involved in online financial transactions.

The threat grows daily and while we all continue to try and find technology solutions for technology threats, it remains largely up to the individual user to work toward combating this crime wave. As we have said so many times, people need to use reliable Internet security on all connected devices, apply security updates as soon as they become available, download software only from trusted sources and be cautiously paranoid about e-mail and other messages that include attachments and links – even and especially now if they appear to come from friends.

In spite of America’s reluctance to acknowledge we are losing the fight, almost all other Western countries have echoed what the UK’s National Crime Agency (NCA) said in their recent Cyber Crime Assessment report for 2016, which is that criminal capability is outpacing industry’s ability to defend against attacks.

President Barack Obama on Tuesday instituted a new directive on cyber-attack coordination that aims to make clear how the federal government handles cyber incidents and better informs the public on what to do once they have been hacked. The directive institutes a Cyber Incident Severity Schema with a scale from level 0 to level 5 to classify a cyber-attack. According to the White House, any incident that ranks at a level 3 or higher is considered “significant.”

For the uninitiated, these attacks often take place months before they’re made public — leading to a system that’s largely in place to tell us about attacks that have already happened that we really can’t do anything about.

After all, it’s not like the criminals are tweeting that they have created a backdoor into OPM or spying on the Secretary of Defense or that they have access to Obama’s email.


In fact, the Cyber Incident Severity Schema is more likely a scoreboard for getting pwned (to conquer or gain ownership) by hackers and announcing just how badly it hurt. Instead of serving any useful purpose, this schema will, not unlike the Bush-era Homeland Security Advisory System, become a talking point on the 24-hour news cycle, a vehicle for spreading panic, a government handbook for how best to whip the population into a frenzy based on months-old threats — many of which will have seen the bulk of their damage done by the point we get to classifying it.

It is clear to us that crime and terror are becoming cyber-enabled as the world’s operational initiatives continue to become digital, and the enemies of freedom adapt to and learn to leverage technological advancements.

Without an increase in honest transparency around the scale of this problem and lacking a determined effort to create the digital equivalent of a Manhattan project,  we will continue to see news of increasingly catastrophic attacks on financial and government institutions and national infrastructure along with an increase in global cyber-crime.

The Cyber Incident Severity Schema is a disappointing and some might argue both a stupid and childish response to what is probably the greatest threat to our National security in history.

It is at least embarrassing.

If Cyber-Threats to Your Business Don’t Move You, Maybe the World is More Your Cup of Tea

Our cyber-security challenge goes far beyond our inability to secure our businesses and organizations over the past three years. As we continue to (some would say) ignore the business and financial cyber-threat on the ground here at home, there is a more serious threat developing that does indeed pose an existential test of our willingness to defend our way of life on an even larger stage.

We have seen in the last few weeks both the vulnerability and the resilience of ISIS as it struggles to hold on to territory in Syria and Iraq. A new analysis of the battlefield shows that territory held by ISIS has shrunk 12% this year, with losses in both western Iraq and northern Syria.

But then, who needs physical territory when you can build a Caliphate on the web? Cheaper, better, faster, more.

We now see that ISIS groups are using a clever variety of digital tools and online services that allow them to grow and maintain a strong online presence, while also helping them remain undetected by adversaries. This Jihadist tool box and the online campaigns are relatively unknown to the general public though their recent use of social media has begun to attract significant attention in security circles over the past few weeks.

Because mainstream communication applications do not offer the sophistication these groups require for their security needs, the jihadists are forced to seek alternative ways to communicate which now include secure browsers, Virtual Private Networks (VPNs) and proxy services, protected email services, mobile security applications, and encrypted messaging services. These guys have become cyber-smart.

In addition, they now employ mobile propaganda applications designed to help supporters disseminate and view propaganda with greater ease, speed, accessibility and complete anonymity.

They are using highly secured browsers like Tor and Opera which enable them to operate clandestinely without divulging their IP addresses and to avoid risking third-party surveillance, while the use of VPNs along with proxy services help them further obfuscate their identities during their online activities.

Their advanced use of protected email services prevent intelligence agencies from monitoring their messaging and they’re taking advantage of security features such as end-to-end encryption and temporary, anonymous account capabilities.

And just to be extra sure, ISIS now uses only encrypted messaging for social media to ensure that the channels through which they broadcast their propaganda provide a layer of security that absolutely prevents detection and that their identities and the messages themselves are protected from all except their intended recipients.

Their reliance on and adoption of technology for expansion, growth and survival is now commonly known and almost impossible to defend against in an open Internet world. Even though the overall cyber capabilities of the Islamic State as an entity are still relatively weak and appear to be underfunded and poorly organized, the individual operators are managing to quickly learn, adapt, and advance through the most current and leading edge technological tools. It wouldn’t surprise me if they started showing up at DEFCON and competing in tournaments.

In addition, ISIS now employs a vast network of “fanboys” who monitor social media sites and disseminate the group’s online propaganda. It is currently estimated that ISIS’s followers have at least 96,000 accounts on Twitter, allowing it to easily distribute their favorite links to digital content hosted on other online platforms. If their Twitter accounts get closed down, they simply register under new names as they have demonstrated earlier this year on two occasions.

Thanks in large part to these Twitter and Facebook campaigns, thousands of Westerners are now fighting for ISIS in Syria and Iraq, and many who cannot reach the physical Syrian state have attempted “lone wolf” attacks in their homelands as we have recently seen both in the US and in Western Europe.

Although the jihadists’ skill at conducting information operations has thus far outstripped their capacity for cyberwar, they have managed to execute several high-profile attacks online. This past January, on the same day President Obama delivered a major address on cybersecurity, ISIS-affiliated hackers made an elaborate and well-timed statement by seizing control of CENTCOM’s official Twitter and YouTube accounts. The message wasn’t lost on many of us.

And in the incident that put the FBI and DOD on full alert, the “Islamic State Hacking Division” claimed responsibility for hacking into the social media accounts of hundreds of U.S. military personnel and published lists of more than 1,400 names, departments, email addresses, passwords, and phone numbers, warning: “We are in your emails and computer systems, watching and recording your every move, we have your names and addresses, we are in your emails and social media accounts, we are extracting confidential data.”

There are at least three reasons why ISIS’s efforts to grow a cyber-warfare capability should be taken seriously.

First, the costs of acquiring a significant cyber capacity are low enough to allow weaker states — or non-state actors — to obtain capabilities that threaten U.S. interests. ISIS may lack the educational institutions or technological resources of nation-states like China or Russia which would enable them to produce large numbers of advanced cyber warriors, but the abundance of hacking talent available on the dark net means they can either hire the services of hackers from criminal groups around the world or buy sophisticated zero-day attacks on the Dark Web to deploy themselves. As we know, these exploit kits are cheap and require virtually no skill to deploy and they are even available on eBay.

Second, as we have just seen with the tools being used currently, ISIS’s cyberwarfare capacity will not remain in a primitive state indefinitely. Both China and Iran started with simple website defacements similar to the CyberCaliphate’s, before moving on to more sophisticated and destructive attacks like the one in 2013 where Iranian hackers infiltrated the U.S. Navy’s unclassified Intranet, an incident which one former U.S. official described as “a real eye-opener in terms of the capabilities of Iran to get into a Defense Department system and stay in there for months.”

Third, cyberattacks allow potential adversaries to bypass our conventional military superiority in order to directly attack civilian infrastructure and economic targets.

While the major actors in the cyber arena (Russia, China, etc.) who have the capability to initiate a “catastrophic” cyber-attack are deterred by economies which are sufficiently integrated with America’s that a catastrophic cyber-attack on U.S. infrastructure would ensure a victory in which the perps would also suffer economic damage, ISIS does not face any similar restraints or deterrents that prevent it from pursuing a total cyber-war strategy.

So, it would be a mistake to dismiss ISIS’s hackers as the jayvee team of cyberwarfare and assume the threat they pose will remain static.

Late last year, the FBI warned U.S. lawmakers of the challenges in monitoring encrypted online communications among Islamic State terrorists, while calling for new laws requiring technology firms to provide backdoors to decrypt messages among jihadists. To date, no company has cooperated, and it continues to be an important debate as to whether in fact they should.

In the meantime, the computer networks upon which U.S. critical infrastructure depends must be made far more cyber secure, not just to assure the continued freedom to conduct business, move capital, operate and support public service organizations, but in preparation for the day that ISIS’s cyberwar capabilities swell to match their intent.

Many economists believe that we are on the brink of another bank-induced global economic crisis and if I were advising ISIS, I would suggest they target an International banking institution. Any new banking crisis will do more to undermine the West than a thousand cases of stolen email or hacked social media accounts. And since most economists believe our financial system is more precarious now than even before the “Great Recession”, banks should hold a special allure to cyber-terrorists.

All banks today are networked and completely dependent upon inter-bank lending and derivative transactions, both domestically and internationally. Any perceived problem at one bank will quickly infect others and spread across the financial system in electronic time. Public finance problems will immediately follow as governments and central banks are forced to prop up the infected bank to ensure continuance of essential payment and credit flows. The outcome would be instantaneous and horrendous.

Although the effort to improve cybersecurity in both government and the private sector continues to crawl along as it has now for over a decade, the persistent flood of headlines trumpeting the latest major cyber-attack demonstrates that America is clearly losing this war.

Earlier this year, the Pentagon declared the start of our first cyber war against the ISIS jihad, aimed specifically at disrupting their command-and-control communications, and as President Obama said in April, to put pressure on their cyber-ambitions.

Last week, the White House released a framework for handling cyberattacks with a vague cyber-attack severity scale. Level 4 of 5 is called critical and is supposed to turn red when the threat is “likely to result in a significant impact to public health or safety, national security, economic security, foreign relations, or civil liberties.”

The key word in level 5 or severity black is “immediate”.

As Ed Lucas says in his book Cyberphobia, “Possibly even more catastrophic are hackers at a national level that have begun stealing national security, or economic and trade secrets. The world economy and geopolitics hang in the balance.”

Do you think Ed might be on to something, or is he just hyper-phobic too? 



Outsourcing higher education cyber-security defense yields healthy payoffs for IT staff and institutions.

A growing trend right now in higher education is to turn toward managed security services providers for most cyber-security support. Foremost among the many reasons is the fact that today’s higher education landscape demands relentless vigilance from a security perspective, despite heavy constraints on the very resources that vigilance requires.

The threat landscape in higher education is more dangerous than ever. In 2016 to-date, the education sector rose to the No. 2 most targeted sector in Symantec’s most recent Internet Security Threat Report, moving up from the No. 3 spot last year.

Today, the question is not if colleges will experience an information breach, but when — and how bad the damage will be.

One of the driving factors in making higher education an attractive threat target is the recognition that colleges possess vast sums of sensitive personal data from students, from Social Security numbers to financial aid records. Colleges additionally generate, in academic research and through government and industry partnerships, valuable intellectual property that is at a high degree of risk right now in these unprotected environments.

The other compelling factor is the fact that colleges have historically lagged behind the corporate sector when it comes to paying attention to data security, embracing the best cyber-security technology available or modernizing their IT environment from a cyber-security defense point of view. This creates a weakness that hackers are all too happy to exploit.

Compounding the issue are tight budgets constrained by dwindling state-level funding and reduced funding for IT infrastructure spending. This translates to most colleges and universities being forced to address cyber-security issues with fewer resources, both technological and human.

Finally, higher education faces an even larger problem than most companies competing for the severely limited available security talent pool as they are frequently unable to retain the best and brightest IT experts, particularly CISOs and analytical security specialists. Due largely to restrictive salary structures designed by unions for inter-departmental parity, those who are most capable are snatched up into lucrative private-sector positions, leaving a dearth of talent in the industry sector that needs it most.

It’s easy to see why MSSPs have emerged as a desirable alternative.

Higher educational institutions can contract out many aspects of IT, but due to the complexity and difficulty in finding, attracting and affording available expert resources, cyber-security is rapidly becoming one of the most logical functions to outsource. MSSP arrangements in education are usually taking the form of remote management or cloud-based solutions paired with internal IT management participation. Hybrid models are emerging which allow these institutions to retain greater levels of control yet out-source the commodity-level and specialized analytical services like SIEM and SOC at a fraction of the cost that they would spend trying to do it themselves.

MSSPs also deliver advantages that in-house departments find hard to match, simply by virtue of scale and logistics. By servicing multiple customers, MSSPs can easily scale and adapt to shifts in demand. They not only invest the time and energy to vet and test the latest technologies, but can also pass on cost savings when it comes to acquiring best-of-breed hardware and software.

In addition, the best MSSPs are nimble when it comes to keeping pace with the ever-evolving demands for IT expertise. Part of what the customer is paying for, of course, is the provider’s depth and breadth of expertise and knowledge and their continuing commitment to maintain that expert status, which gives them their competitive edge. Conventional IT staffs face the never-ending evolution and rapid morphing of malware and its various strains, and even the most competent IT teams find it nearly impossible to consistently counteract, detect and respond to vulnerabilities alongside their other duties. Cyber-security has become a full-time job.

The other major assist that these institutions can get from a qualified and compliance-certified MSSP is that layer of reassurance that they are complying with all of the constantly changing and increasing regulatory and data privacy laws.

The rise over the last 12 months in cyber-crime should be a wake-up call to everyone. The most vulnerable are those who store and process the most personally identifiable, sensitive and private information, fall under the most wide-ranging specter of federal and state regulations and are least likely to attract and afford the kind of expertise required to defend against the current crime wave.

Yet, it seems the most vulnerable continue to be the least likely to make the leap to calling on outside experts to help them out.


Even if the first step is something as simple as a security and vulnerability assessment, these institutions need to accept the reality that a breach will have devastating and long-lasting consequences. And, not just to the immediate reputation and contingency budget pool but also to future funding and the ability to continue operating as a functional educational institution.

President Obama has said, “Higher education can’t be a luxury. It is an economic imperative that every family in America should be able to afford.”

Cyber-security is another economic imperative. And every educational institution should be able to afford it as well.

The True Business Impacts of a Cyber-Attack


There is a lot of data available about the true cost of a data breach, but the toll of cyberattacks is significantly underestimated. If you thought for one minute that you have a handle on the financial impact of a breach for your company, let’s take a look at the actual costs resulting from a cyber-attack on one national health-care provider in 2015 (as reported by their auditors, Deloitte).

Above The Surface Costs

The (generally well-known) “above the surface” costs are tangible and direct and include line items like the costs to notify customers and/or provide personal credit protection. They are relatively straightforward to approximate using a combination of profile information for each company, publicly available data, and cost assumptions derived from industry and market research. This has cost the company $2 million so far, but is actually a small component of the real financial impact.

Customer Breach Notifications

Following this particular breach discovery, the healthcare provider spent six months notifying customers of the event, describing the steps they were taking and the potential impacts of the remediation process. This process took six months, at a cost of $10 million. And, now that the company has real reputational impact, you can be assured that this brand-rebuilding effort will continue well into the future.

Post-Breach Customer Protection

The technical investigation following the breach revealed that cyberattackers had gained access to the patient care application using privileged credentials from a stolen laptop and had created a significant number of credible user IDs. Consequently, before service could be restored, new user accounts had to be issued for all application users, and new application and system controls had to be created and put in place. The post-breach protection efforts will cost $21 million.
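The detail that the attackers “created a significant number of credible user IDs” is worth dwelling on, because that is the kind of activity an application audit log exposes within minutes if anyone compares it against normal behaviour. The following is an added example, not code from Deloitte’s report or from the provider’s systems: it reads constructed JSON-line audit records of administrative actions and flags any actor whose daily count of account creations is both unusually large and far above that actor’s own earlier peak, noting when the burst happened outside working hours. The record format, the actor and user names, the thresholds and the 07:00 to 19:00 working window are assumptions for the example.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed application audit records (one JSON object per line) of the kind
# a patient-care application might emit for administrative actions.  Actors,
# targets and times are invented for this example.
SAMPLE_AUDIT = """\
{"ts": "2015-03-02T09:12:10Z", "actor": "helpdesk.kim", "action": "create_user", "target": "r.nakamura"}
{"ts": "2015-03-04T10:40:02Z", "actor": "helpdesk.kim", "action": "create_user", "target": "m.singh"}
{"ts": "2015-03-04T15:47:30Z", "actor": "helpdesk.kim", "action": "reset_password", "target": "p.ortiz"}
{"ts": "2015-03-04T16:05:44Z", "actor": "helpdesk.kim", "action": "create_user", "target": "l.baker"}
{"ts": "2015-03-09T11:20:00Z", "actor": "helpdesk.kim", "action": "create_user", "target": "t.okafor"}
{"ts": "2015-03-11T02:11:04Z", "actor": "svc_admin", "action": "create_user", "target": "dr.walsh2"}
{"ts": "2015-03-11T02:11:40Z", "actor": "svc_admin", "action": "create_user", "target": "dr.patel7"}
{"ts": "2015-03-11T02:12:15Z", "actor": "svc_admin", "action": "create_user", "target": "nurse.lee3"}
{"ts": "2015-03-11T02:12:52Z", "actor": "svc_admin", "action": "create_user", "target": "dr.green1"}
{"ts": "2015-03-11T02:13:30Z", "actor": "svc_admin", "action": "create_user", "target": "billing.ops"}
{"ts": "2015-03-11T02:14:05Z", "actor": "svc_admin", "action": "create_user", "target": "dr.ahmed4"}
{"ts": "2015-03-11T02:14:48Z", "actor": "svc_admin", "action": "create_user", "target": "nurse.ray"}
{"ts": "2015-03-11T02:15:20Z", "actor": "svc_admin", "action": "create_user", "target": "dr.costa9"}
{"ts": "2015-03-11T10:30:00Z", "actor": "helpdesk.kim", "action": "create_user", "target": "a.duval"}
"""

WORK_START, WORK_END = 7, 19  # assumed working hours on a 24h clock (UTC here)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_audit(text):
    """Parse JSON lines into dicts with a real datetime in the 'ts' field."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
        records.append(rec)
    return records


def detect_account_creation_anomalies(records, min_count=5, factor=3):
    """Flag (actor, day) pairs whose create_user count is >= min_count and
    >= factor times that actor's busiest earlier day.

    A service account that has never created users before is compared against
    a baseline of zero, so its first burst is always flagged.  Returns
    {(actor, "YYYY-MM-DD"): {"count", "baseline", "targets", "off_hours"}}.
    """
    per_day = defaultdict(list)  # (actor, date) -> creation records that day
    for rec in records:
        if rec["action"] == "create_user":
            per_day[(rec["actor"], rec["ts"].date())].append(rec)

    alerts = {}
    history = defaultdict(int)  # actor -> busiest day seen so far (count)
    for actor, day in sorted(per_day):  # sorted by actor, then by date
        recs = per_day[(actor, day)]
        count, baseline = len(recs), history[actor]
        if count >= min_count and count >= factor * baseline:
            alerts[(actor, day.isoformat())] = {
                "count": count,
                "baseline": baseline,
                "targets": sorted(r["target"] for r in recs),
                "off_hours": any(not (WORK_START <= r["ts"].hour < WORK_END) for r in recs),
            }
        history[actor] = max(baseline, count)
    return alerts


if __name__ == "__main__":
    for (actor, day), a in detect_account_creation_anomalies(parse_audit(SAMPLE_AUDIT)).items():
        print(actor, day, a["count"], "accounts created (baseline", a["baseline"],
              "), off hours:", a["off_hours"])
```

The help-desk user’s one or two creations a day never trip the rule, while the eight accounts minted by `svc_admin` at two in the morning do, on both counts: the volume is far above that account’s history and the timing is wrong. In the incident described above the credentials were legitimate, so a rule keyed on who performed the action would have been silent; a rule keyed on how much and when is what catches a stolen but valid credential.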

Regulatory Compliance (Actual Government Fines)

Regulatory compliance factors came in the form of HIPAA fines. These amounted to $2 million. Yes, actual FINES. Health and Homeland Security’s Office of Civil Rights has decided that the world wasn’t taking HIPAA regulations quite seriously enough, so the new fines are an attention-grabbing 10x above the old fines. Ouch!

Public Relations/Crisis Communications

As the incident unfolded, impact to reputation and damage to their trade name and marketplace image mounted. Lack of confidence in the company’s data protection practices resulted in the loss of customers for the last 12 months as many corporate clients and many more individual subscribers chose other health plan alternatives. The cost for a focused public relations and communications campaign over this last year was $1 million to-date and is still on-going. Again, this cost will continue to mount as the program evolves. Customers are very expensive to acquire but twice as expensive to recover once they are lost.

Attorney Fees and Litigation

The company has faced continuing and ongoing scrutiny for its handling of the incident; many months after the breach their cyber insurance premiums were raised and legal fees accumulated as the company faced identity theft lawsuits. The impact of legal fees for the last 12 months has cost $10 million. No further comment.

Cybersecurity Improvements

Before service could be restored, new user accounts had to be issued for all application users, and new security software, appliances, application and system controls had to be researched and implemented. The cost of cybersecurity improvements to-date has exceeded $14 million. And, of course, the company has yet to address the response and remediation portion and remains stuck in the prevention phase. Much more work to do.

Technical Investigations

As a result of the breach, the company had to immediately shut down physician access to the patient care application and activate its cyber incident response team. The application was kept offline for two weeks while the incident was investigated. The full technical investigation lasted six weeks, at a cost of $1 million.

Below The Surface: Hidden or Less Visible Costs

“Beneath the surface” impacts are less tangible and more difficult to quantify, including costs associated with loss of intellectual property (IP) or contracts, credit rating impact, or damage to the value of a trade name. In situations where intangible assets are at risk, impact can be estimated using generally accepted standard financial measures, damage quantification methodologies, and valuation methods.

Almost 89 percent of the impact was associated with just three “beneath the surface” impact factors: value of lost contract revenue; devaluation of trade name; and lost value of customer relationships. The value is still being determined.

Insurance Premium Increases

The healthcare provider incurred significant increases in its insurance premiums. These amounted to $40 million over the next three years. Yikes.

Increased Cost to Raise Debt and Reduced Premium Revenue

Higher borrowing costs resulted in the delay of a strategic acquisition and the company has been forced to mitigate reputation damage and member loss by reducing its annual premium increase over the next five-year period. The increased cost to raise debt and lost premium revenue amounted to $60 million.

Operational Disruption or Destruction

In the short term, core business functions were disrupted by the shutdown of physician access to the patient care application. While the application was unavailable, physicians and providers relied on less effective and efficient means of receiving medical alerts, increasing risk to patients.

Without full access to health insurance coverage information, physicians and providers could not be certain of the financial implications—to both their institution and their patients—associated with the choice of care they provided.

Operational disruption impacted physician treatment plans resulting in more frequent visits and the exploration of more treatment options and has cost the healthcare provider $30 million to-date.

Lost Value of Customer Relationships

The decline in annual revenues due to lost members or customers caused the value of customer relationships to decline by $143 million over the last 12 months. This is of course an estimate. The actual cost will be much higher after the dust settles.

Value of Lost Contract Revenue

Even where contracts were not canceled, the company was forced to adjust the premium increase they had historically charged their members in an effort to mount some level of damage control. This created an estimated loss of $830 million over the next five years. An important and often overlooked factor in estimating damage from a cyber-attack. Aka, you want to keep doing business with me after you have introduced this risk, then fine; what’s my discount?

Devaluation of Trade Name

Due to erosion of revenue, the company’s trade name value decreased, resulting in a $46 million loss since the incident occurred.

Loss of Intellectual Property (IP)

Their auditors have yet to associate a dollar figure with the loss of intellectual property, because they were still trying to finalize a determination. The healthcare provider had not clearly identified all of its IP and/or assigned a valuation to each component. Most companies fail to properly identify or assess the value of their IP until after a loss. There is a lesson in here.

Thinking about how each of these components might affect your own organization should a similar cyber-event occur in your company could have a sobering effect on your own cyber-security planning and programs. Even if you don’t face all of the potential issues associated with a healthcare provider, there are many categories where all businesses share common vulnerabilities.

Trade name damage, reputational impact, customer notification, data and systems recovery, regulatory fines, insurance premium increases, attorney fees and litigation are just a few of the impacts that we all have in common.

No matter how distant a cyber-attack may seem at the moment or how little attention your board may have paid so far to the whole issue of cyber-risk, I would bet that a recitation of this $1.2+ Billion loss might just get their attention.



A little over one year ago, crypto ransomware accounted for barely 10% of all ransomware infections. Even six months ago, when over 400,000 companies were infected with a ransomware-style attack, less than 10% of the victims had experienced the encryption-style of ransomware attack.

Today, that number has soared to 54% with over 2 million users now affected by encrypted ransomware according to a report issued this month by Kaspersky Labs. The report included both encryption-style ransomware as well as screen-blocker ransomware.

Much of the growth came from the proliferation of encryption malware: the number of companies hit with crypto-attacks has surged to over 718,000 so far in 2016.

This dramatic increase in the overall number of people encountering ransomware, combined with the increased use of crypto tools, signals a very serious problem.

The most significant difference between blocker-style and encryption-style ransomware is that blocker damage is fully reversible. In even the worst possible scenarios, the infected PCs could be fully restored by simply reinstalling their Operating Systems.

By contrast, encryption-style ransomware renders files completely irrecoverable without the decryption key, leaving infected victims with no options other than to pay the ransom or refuse and buy all new systems, after which they will have to either recover from whatever useful backups they may have or start over from scratch.

Most of the ransomware samples detected recently have been popular crypto-malware strains of CryptoWall, Cryakl, TorrentLocker, and CTB-Locker, all of which, along with easy-to-use exploit kits, are available on the dark web to anyone with a few bucks.

Since there is no reason to assume that this tide will ebb anytime soon, there are three things that all organizations should do right now:

  1. Every company, large and small, should immediately implement a backup and recovery plan that accommodates off-site and off-line data storage that cannot be tunneled into through the core network, and don’t forget to test it frequently;

  2. End-point behavioral analytics and sandboxing software should be implemented to detect and eradicate ransomware before it infects the network, along with network behavioral analytics that can identify ransomware strains that invade through other gateways like email, downloads or software tunnels and move laterally within the network to prepare for an attack; and

  3. Employee awareness must be tuned up through continuing training and education programs that demonstrate what a phishing email looks like and the known browsing dangers that facilitate a high percentage of network infections by a broad range of malware.
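To make the second recommendation concrete, here is an added example of the kind of per-process behavioral heuristic an endpoint agent applies to file activity. It is not code from the original post or from any product named above, and the feed of file events it consumes (timestamp, process id, operation, path, bytes written) is constructed for illustration. A process is flagged only when a burst of distinct file writes coincides with high-entropy output (encrypted data looks random) or with renames that swap the file extension, so a backup tool or compiler that rewrites many plain files is not flagged on volume alone.

```python
"""Toy endpoint behavioral detector for crypto-ransomware file activity.

Added example, not from the original post or any named product. It scores
each process over a short sliding window using three common heuristics:
a burst of distinct files rewritten, high Shannon entropy of written data,
and renames that change the extension. All events are constructed.
"""
import math
from collections import defaultdict, deque
from dataclasses import dataclass

HIGH_ENTROPY = 7.5           # bits per byte; text is ~4-5, ciphertext ~8
WINDOW_SECONDS = 10.0        # sliding window per process
BURST_FILES = 20             # distinct files written inside one window
MIN_HIGH_ENTROPY_RATIO = 0.8 # share of writes that must look encrypted


@dataclass
class FileEvent:
    ts: float            # seconds since an arbitrary epoch (constructed)
    pid: int
    op: str              # "write" or "rename"
    path: str
    data: bytes = b""    # payload of a write (constructed sample)
    new_path: str = ""   # destination of a rename


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty/constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def extension(path: str) -> str:
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_ransomware(events):
    """Return {pid: [reasons]} for processes whose activity looks like mass encryption."""
    per_pid = defaultdict(deque)  # pid -> events inside the current window
    verdicts = {}
    for ev in sorted(events, key=lambda e: e.ts):
        win = per_pid[ev.pid]
        win.append(ev)
        while win and ev.ts - win[0].ts > WINDOW_SECONDS:
            win.popleft()
        writes = [e for e in win if e.op == "write"]
        files = {e.path for e in writes}
        if len(files) < BURST_FILES:
            continue  # volume alone is never enough to alert
        reasons = [f"{len(files)} distinct files written within {WINDOW_SECONDS:.0f}s"]
        high = sum(1 for e in writes if shannon_entropy(e.data) >= HIGH_ENTROPY)
        if high / len(writes) >= MIN_HIGH_ENTROPY_RATIO:
            reasons.append(f"{high}/{len(writes)} writes have entropy >= {HIGH_ENTROPY}")
        swapped = [e for e in win if e.op == "rename"
                   and extension(e.new_path) != extension(e.path)]
        if swapped:
            reasons.append(f"{len(swapped)} renames changed the file extension")
        if len(reasons) >= 2:  # burst plus at least one encryption indicator
            verdicts[ev.pid] = reasons
    return verdicts


def build_sample_events():
    """Constructed activity: pid 100 is an editor saving a few text files,
    pid 200 rewrites 25 documents with random-looking bytes and renames them,
    pid 300 is a build tool writing 30 plain-text files in a burst."""
    events = []
    text = b"Meeting notes: discuss backups and phishing drills.\n" * 4
    for i in range(5):
        events.append(FileEvent(i * 12.0, 100, "write", f"/home/alice/notes{i}.txt", text))
    cipher_like = bytes(range(256)) * 4  # uniform bytes, entropy exactly 8.0
    for i in range(25):
        t = 30.0 + i * 0.2
        path = f"/home/alice/docs/report{i}.docx"
        events.append(FileEvent(t, 200, "write", path, cipher_like))
        events.append(FileEvent(t + 0.05, 200, "rename", path, new_path=path + ".locked"))
    for i in range(30):
        events.append(FileEvent(60.0 + i * 0.1, 300, "write", f"/build/out/obj{i}.o", text))
    return events


if __name__ == "__main__":
    for pid, reasons in detect_ransomware(build_sample_events()).items():
        print(f"pid {pid}: " + "; ".join(reasons))
```

A detector like this is an alert source for the sandboxing or EDR layer, not a replacement for the off-line backups in the first recommendation: by the time it fires, some files have already been rewritten, and the thresholds need tuning against each environment's normal bulk writers.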

Given that almost 80% of over 1,100 companies surveyed across a wide spectrum of industries recently by KnowBe4 said that they were “very concerned about ransomware attacks”, I would expect that 8 out of 10 companies will be rushing out to implement these basic protections by first light tomorrow.

But somehow, I get the feeling that I should not hold my breath.

It’s interesting. If I told you that it is a proven and indisputable fact that 80% of us would die from cancer if we didn’t stop smoking, I would assume that everyone would stop smoking. Wouldn’t they?