Thursday, December 1, 2016

An open letter from a Social Engineer



Hello! My name is social engineer. I like to use any and all information about you to gain access to your money, healthcare records and personal identity. It’s Halloween and it can be a scary time. Sometimes I’m scared by the amount of info people share about themselves and their loved ones online.

A great way to wrap up National Cyber Security Awareness Month is to limit the amount of info I have access to by navigating to this page on Facebook and clicking this button called “Limit Old Posts.” This makes the amount of info available to me much more scarce! You can do this same thing on other social media sites too.



Of course, if you need more scaring to be convinced, just sign in to Facebook and head over to http://www.takethislollipop.com for a close-to-home demo of how your own info might be used against you. IF YOU DARE!


Happy Halloween!

Monday, October 31, 2016

Free and reduced IT and Security Training for Vets

I have seen a lot of talk lately about Cyber Security training for Vets. So in observance of this upcoming Veterans Day I am publishing this list of free and reduced-cost resources. Unlike a Google search, I am sorting these by my perceived training value from a hiring manager's perspective as a seasoned InfoSec Practitioner.

But first, an overview: employers are looking for people to work in InfoSec who have real skills, both hard and soft, many of which are acquired in military service. As always, OJT is what you make of the opportunity so YMMV.

Employers need people who have technical skills, but in many cases those who solely have technical skills are less in demand than those who can also translate their technical knowledge into words, concepts and stories that business people can understand. The age-old paradigm of Knowledge, Skills and Abilities (like them or not) is hard at work here.

Much of security work is consulting. Consulting has been defined by some as the art of giving advice to those who haven't asked for it and may not want it, sometimes aggressively or violently so. This begs a focus on soft-skills, which is sure to be assessed as a part of any hiring process for an InfoSec gig. At least for the ones you want to have anyway. So each of us must work to find a balance between soft and hard skills. For these reasons, I am including both here.

Soft-skills Resources by Overall Value

     ISSA International - Dedicated to developing and connecting cybersecurity leaders globally. If you do nothing else join, attend and contribute. My first pure InfoSec role was a result of doing just this.

     Toastmasters International - a world leader in communication and leadership training. Enough said.

     BSides Security Conferences - Yes, you can cite conference attendance as legit training on your resume, and you should! It shows personal investment, current knowledge and industry involvement. Not to mention you might meet your next employer or recruiter there. Tickets can be had for tens of dollars!

     Selling Security to C-Level Executives - Tips on how to cut the hype and speak in terms business decision makers understand and relate to.

     The Challenger Sale Summary by HubSpot - A simple approach to selling just about anything in a way that makes an emotional connection.


Hard-skills Resources by Overall Value

     LinkedIn Premium for Vets - includes access to Lynda.com and ability to email outside of network! A tremendous gift from LinkedIn.

     Cybrary.it - Free IT and security training courses - many of these focus on basics or essentials which will be gauged in the interview process but also working toward certifications.

     Fortinet Veterans Program and launch of the Fortinet Network Security Academy (FNSA), designed to develop and train action-oriented cybersecurity experts to address the global skills shortage.

     DHS’s Federal Virtual Training Environment (Fed VTE) offers free online, on-demand cyber security training to government employees and Veterans. Veterans can sign up for an account through the Hire Our Heroes website and follow instructions through “ID me” to verify veteran status and register for a FedVTE account. - Includes just about every IT or security certification course you can think of! Course Catalog here.

     SANS CyberTalent VetSuccess Immersion Academy - FREE Industry-leading SANS training from world-class instructors in a hands-on immersion format, hyper current content, widely-recognized GIAC certifications, and a direct recruiting pipeline to top employers in cybersecurity.


Specific Conference Info:
FREE for Vets
     2016 Metro-Atlanta ISSA Conference, Building on the Foundations of Effective Security, Wednesday November 16th at the Loudermilk Center. This conference will focus on the basic building blocks of Process and Policy, Data Governance, Access Control, Encryption, Monitoring and Incident Response, and Continuity Planning. Seasoned veterans in the field will give presentations based on their experiences in one of these six areas. To view full conference agenda - http://www.gaissa.org/gaissa_conference_agenda_2016.html Veterans use code VETSISSA2015 at checkout for free admission.



Thursday, October 20, 2016

CryptoMalware Resources

Some resources for CryptoMalware Detection, Prevention, and Remediation

Presy Slides (updated periodically): http://www.slideshare.net/AaronLancaster3/why-are-you-still-getting-cryptolocker

ISSA Journal April 2016 Feature Article - CryptoLocker by Carl Saiyed

Prevention
J. Wolfgang Goerlich Preparing for malware - https://t.co/yn0CVpMtu6
FREE Training Course: https://info.varonis.com/introduction-to-ransomware

FBI IC3:
Ransomware Tri-fold: https://pdf.ic3.gov/Ransomware_Trifold_e-version.pdf
Sept. 2016 Advisory: https://www.ic3.gov/media/2016/160915.aspx

Microsoft Articles:
https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32/Crowti 
http://blogs.technet.com/b/mmpc/archive/2015/07/14/msrt-july-2015-crowti.aspx 
https://www.microsoft.com/security/portal/mmpc/shared/prevention.aspx

Expert Analysis:


CryptoLocker Prevention Kit: http://www.thirdtier.net/2013/10/cryptolocker-prevention-kit-updates/
CryptoPrevent (workstations only): https://www.foolishit.com/cryptoprevent-malware-prevention/

BLADE (Block All Drive-by Download Exploits): www.blade-defender.org

Detection
Traffic Analysis:
Expert Analysis:
Microsoft Server Techniques:

Remediation

https://www.nomoreransom.org/

Utilities and regain access to your files:

Attempt to retrieve your keys from:
FireEye’s website http://www.decryptcryptolocker.com/
Kaspersky’s Website: https://noransom.kaspersky.com/

Other References
CoinVault and Bitcryptor keys & app: https://noransom.kaspersky.com/
Scripts and Files related to the CryptoWall v.3 threat: https://github.com/CyberThreatAlliance/cryptowall_v3
CryptoLocker Scan Tool by Omnispear: http://omnispear.com/cryptolocker-scan-tool/

Using PowerShell to Combat CryptoLocker: http://blog.varonis.com/using-powershell-combat-cryptolocker/

Tuesday, September 20, 2016

Baking in security

There's a long-standing cynicism around development not taking security into account and security picking up the pieces. In fact it's led to memes like this:

Author Unknown

For many, this cynicism may be hard to take seriously, but in light of recent research below it takes on a different real-world perspective. Security is serious business and has serious real-world implications in safety, identity, finance and other areas. It pays to think through what you are doing, and how, in day-to-day life and business. Invest early and enjoy the rewards of that investment for a long time to come!

Thursday, September 15, 2016

FBI Asking for Ransomware Reports

In an FBI Public Service Announcement published today, the Bureau is requesting that victims of ransomware report what hit them, the root cause and even what they paid out in ransom.

NOTE: Please be advised that the FBI is not duty bound to protect your information and you should consider the effects to your company should the FBI choose to make that info public.

From the FBI PSA:

What to Report to Law Enforcement

The FBI is requesting victims reach out to their local FBI office and/or file a complaint with the Internet Crime Complaint Center, at www.IC3.gov, with the following ransomware infection details (as applicable):
  1. Date of Infection
  2. Ransomware Variant (identified on the ransom page or by the encrypted file extension)
  3. Victim Company Information (industry type, business size, etc.)
  4. How the Infection Occurred (link in e-mail, browsing the Internet, etc.)
  5. Requested Ransom Amount
  6. Actor’s Bitcoin Wallet Address (may be listed on the ransom page)
  7. Ransom Amount Paid (if any)
  8. Overall Losses Associated with a Ransomware Infection (including the ransom amount)
  9. Victim Impact Statement

This is a lot of data considering the massive amount of data already available from the Cyber Threat Alliance's study and subsequent analysis report of CryptoWall v3 less than a year ago and their live dashboard.

Wednesday, August 31, 2016

Cyber Panel at Nashville Business Journal

A while back I participated in a Cyber panel with the Nashville Business Journal.

Read the article here.

Friday, July 29, 2016

July Threat Highlights

July was an interesting month from a threat landscape perspective.

We saw Android security bulletins for RCE bugs as well as high-severity flaws, and the Jigsaw ransomware decrypted yet again. Perhaps the most disconcerting is the newly reported use of Conficker in attacks against IoT devices.

Thursday, June 30, 2016

InfoSec to Remote or Not? That is the question.

Lately, I've been hearing of more and more companies "reining in" their Cyber Security professionals. At first impression this may seem like a no-brainer, but it may be more of a backlash against the casual and laissez-faire behavior of a small group of abusive remote workers than anything. This begs several questions:

1. Is it more efficient?

2. Are workers (especially of certain generations) more satisfied?

3. Does it provide companies access to better talent?

4. Do on-prem workers have the same access as remote SysAdmins in this de-perimeterized enterprise landscape?

5. Do today's modern collaboration tools enable all job functions of on-prem workers?


"Clients in this area don't grok telework.  They think it's evil." - Mark McCulough



Tuesday, May 31, 2016

BSides Knoxville 2016: CryptoMalware Talk

Had a great time presenting at BSides Knoxville 2016: CryptoMalware: The persistent, ubiquitous threat:

*update*
ICYMI: Watch the YouTube video of my presentation: https://www.youtube.com/watch?v=6dP5Zt49uA8

I'm greatly looking forward to next year!

Wednesday, May 18, 2016

Moving from RansomWare to LeakWare

One of the trends I have observed on the Cyber Security threat landscape is the movement from "Ransomware" like CryptoLocker, TeslaCrypt and CryptoWall to a new category of malware I am calling "LeakWare." This is a distinct category of malware that needs its own category, defenses and special attention.

Simply defined, we can expect LeakWare will hold a user or company's data for ransom (maybe, probably) and if the ransom is not paid the data will then be leaked to the world via sites like pastebin, wikileaks, and others. The aim here is to up the ante beyond merely data loss to data exposure. Imagine the Sony-like impact of this potentially life/business-ending exposure. This will merit new and special attention to defense and prevention, further driving the market for new and innovative technologies to guard against this and previously-seen similar threats.

Thursday, March 31, 2016

The House Judiciary Committee hearing on FBI vs. Apple

The hearing listens like a user awareness training session broadcast via C-SPAN. This is a classic case of sacrificing the greater good for the emotional satisfaction (revenge?) of the few. It's critical during times like these, when emotions run high, to remember that two wrongs don't make a right. Obviously, this wrong choice won't make those crimes right either.

Congress, please don't do this thing that can't be undone in an attempt to undo the crimes that can't be undone.

Monday, February 29, 2016

The FBI, Apple and privacy encryption: Why the FBI is putting pressure on Apple to hack a terrorist's iPhone

I've heard a lot of talk lately about why a federal agency would bother with a hardware and software vendor in the course of obtaining a known terrorist's associates. Here's my analysis FWIW...

If you follow DOJ cases you'll notice a trend of late where, in the course of establishing an airtight case, judges are requesting very intimate details of how the FBI and others have come by their information.

In one recent child porn ring case the FBI was asked to provide all Network Investigative Technique (NIT) methods, including code, for how they reverse engineered the dark web running on TOR to nail down one site hosting over 80 percent of dark web child porn called "PlayPen." But they didn't stop with taking down the site as in previous cases. Instead, they moved the site to their own data center and used it as click-bait to catch more bad guys.

Needless to say those methods and code will be entered into public record. The bad guys will patch the hole and the millions of dollars spent researching and developing said methods and code will be worthless.

Which brings us back to an iPhone and a shooter. My theory, and that's really all it is at this point, is this. The FBI doesn't really need Apple to crack the phone. Let's not fool ourselves into thinking the FBI and other federal agencies don't have the technical capability of cracking our personal devices. In fact the automatic update feature itself may be just that. Apple itself reports that the FBI has requested a "new version" of the OS that circumvents security features be installed on the phone. So rather than take a gamble with revealing a high-value back door when the payoff is unknown, the FBI is asking Apple to crack it for them. They don't want to show their cards yet.

Which brings us to how Apple will fight the Court order to hack the shooter's phone and Apple's 64-page response citing the unconstitutional nature of the order. Why is this case such a big deal? Why is seemingly everybody talking about it? In the grand scheme of things this case has the potential to have an incredibly profound impact on Constitutional law and will certainly shape the way we use technology and the privacy we (think we) enjoy in the years to come.

The case is slated to advance to a House Judiciary Committee for Encryption on March 1st.