Hack The Planet

Because if you don't, who will?

Friday, January 19, 2018

There is no edge…

I remember early in my career that when it came to security you had to protect the edge. You put in a firewall, then you would put in an IDS as we moved forward, and everything was about the edge. It was a castle model. Basically, we built the walls, the moats and all number of protections to keep the invaders out. I don’t need to rehash all of this because it has been talked about before.

Move forward to the last few years and the edge has dissolved. We have kept up our walls and protections but our business has moved beyond our walls. Our business is done in the fields, and other towns and castles, or all the way across the world. The invaders don’t need to come to our gates anymore, we take our treasures to them, in the shape of our mobile and cloud connected devices.

This week a new malware campaign, Skygofree, hit the news wire and it was completely focused on mobile endpoints. As I was reading different reports about the malware I thought about how easy we have made it for the invaders.

We built our defenses, but haven’t trained our people who were inside the gates how to defend themselves, or even what to look for in an attack. We gave our people access to our resources from anywhere in the world, but not the tools (mental or digital) to protect them. Then we wonder why we were breached.

The digital world continues to move forward at break neck speeds and our protections continue to dwell in the dark ages. Until we wake up to the new reality that there is no edge, we are leaving ourselves ripe for pillaging.

Train your users, build protections into your mobile workforce devices, and keep an eye to the future as there will be new, emerging technologies that will change our protection landscape again before we know it.

posted by holliday at 11:58 am  

Friday, January 12, 2018

…and a Happy New Year!

The New Year wasted no time in dropping some great (and terrible) vulnerabilities. Let’s hope the rest of this year can keep up with how it has started.

posted by holliday at 5:09 pm  

Monday, August 14, 2017

Defcon 25 Recap

This year marked the 25th anniversary of Defcon, and my 10th year attending. Defcon continues to grow, this year eclipsing 25,000 attendees. It is incredible to see all of the different people that attend every year and how we as a community continue to grow.

During the opening keynote, Alex Stamos of Facebook hit on a few key things that really resonated with me. One of which was that we need to build up the next generation of Engineers. The people that will be coming after us, that we need coming after us, to help secure the Internet going forward.

It hit home because this summer I helped set up a Cyber Skills Exercise for a program that was built for middle school girls called “Cyber Warrior Princess”. It was really cool to see the way the kids jumped in and were excited to learn. We could learn a lot from them on maintaining our enjoyment of technology and not becoming stale. These young women are going to be attending (possibly) Defcon in a few years time, and I want the conference to be something they can enjoy.

There were many other good briefs during Defcon, Digital Vengeance being one I really enjoyed. It was nice to see that malware, RATs specifically, were as buggy as any other code and could be used to strike back (within legal limits) at your adversaries.

Another brief, a talk by Kasparov, was really inspirational and helped re-energize me. His mind is incredible and it was great to see a talk with such big ideas.

A lot of Defcon has turned into “Hallway-Con” and that is okay. With such a large community it is hard to get to see everyone, and this is one of the few opportunities through out the year that we can all connect. I know that without Defcon I probably wouldn’t get to see a number of my close friend’s in person on an annual basis as we are geographically dispersed and all busy with our careers and families. So when people call it “Hacker Summer Camp” I wholeheartedly agree.

I am excited to see where the next year takes us. Hack the Planet!

posted by holliday at 9:24 am  

Sunday, September 11, 2016

Random thoughts on sharing information…

Good morning, World! Or should I say, Hello? A brief note, this is not about information security. It is more about information and how our world has shifted in the way that we share it.

Recently I have had the good fortune to speak at a few conferences and to sit down with other speakers and really talk. We didn’t discuss our talks, we discussed life and ideas. I was able to spend dinner with one colleague and speaker two nights in a row at the most recent event and our conversations drifted from work, to life, to faith and ideas on religion and humanity. It really impressed upon me the importance of in person communication and thoughtful conversation. My mind and heart were opened and I was able to really understand where this person was coming from and reflect on my life as well.

This morning, I decided against getting on Facebook. Stay with me, these thoughts are connected. I am tired of the false communication and false closeness social media promises. It wears me out. We have this fake connection to our “friends” but not in any truly meaningful way. It is funny to see how many of my friends I wouldn’t be friends with if I had met them through social media. One of the reasons for this, at least in my mind, is that we see little half thoughts. Little snippets of a false personality that we all show to the world through social media channels. There is no way to share, because it is all projection, our true selves. There is no way to really know someone through social media.

I am going to try my own social experiment and be truly social (he says as he types into his blog), and try to not communicate through memes and links, and sound bites. Sound bite friendships aren’t enough for me. I want to really communicate with people and to expand myself by really learning about them. In my mind’s eye, I see an old, English club where people sit around in leather chairs, drinking whiskey, smoking tobacco pipes and discussing the Universe.

Time to go build a time machine…

posted by holliday at 10:56 am  

Monday, March 7, 2016

Another year, another RSA conference…

As another RSA conference comes to an end and we all cycle back into our lives, I am glad I was able to attend so that I could meet with old friends and walk the floor to see how large our industry has become.

It is incredible how many vendors there are, and how many of them claim to solve the same problem. With so many companies that offer Threat Intelligence and the ability to protect against Advanced threats, it is a wonder we haven’t solved this whole Information Security thing by now. The truth is though, most of these companies are just putting new branding around old technology and hoping no one notices.

One positive change I saw was the number of companies offering training services to help make more people proficient in the Cyber. There is a severe lack of talent in this space, and with the continuing growth and maturation of the cybercrime industry, we need all the help we can get.

One interesting note is the head of the NSA saying Data Distortion is one of the three things keeping him up at night. It is good that intentional data manipulation is getting the discussion it deserves. After the OPM (Office of Personnel Management) breach I had many conversations about the effects it would have, not just on the information that was stolen, but on what information could be trusted after that type of breach. With the rise of Cyber Espionage, data breaches may be less about what they take, and more about what they add or modify. I am guessing that Data Integrity products (read: Encryption) will be the next products to get a makeover and re-branding.

I guess we will see if I am right at RSA next year, or maybe even Black Hat this year.

posted by holliday at 10:50 am  

Monday, February 22, 2016

Basic Economics is why we fail at Security…

In the InfoSec community we often rail against people not doing enough to secure their data. If they had only installed this, or hadn’t installed that. Why can’t these people understand?

The issue we run into is not that they don’t want to secure their information, they just can’t afford to do it. This week we saw a hospital and a school pay criminals to get ransomeware removed from their networks. The amount they paid was $17,000 and $8,500 respectively.

The reason I point this out is that they probably won’t be fined and so all they are out is a few thousand dollars and a little bad press. These institutions won’t really lose that much face though. They will be pitied that they were attacked by Big Bad Hackers, and then people will forget it happened. If you look at Target and Home Depot, two of the bigger breaches in the US, the overall impact to the business was minimal.

In the end it is more expensive to try and protect information, than it is pay the fine for a breach, or pay the criminals that encrypt your data and hold it for ransom. When you think about how much it costs just to hire someone capable of knowing how to protect your data you are already in the six figures, with just one person. You have already paid more than four times the amount that this hospital and school paid to get their information back, combined. This is all before you buy any security tools, which are never cheap.

At the end of the day, we are losing this battle because the cost of failure is acceptable.

How can we change the cost of failure to be in our favor? Do we increase the fines for being breached? Since share holders care about the bottom line, companies are incentivized through the lack of large fines, to be less secure. It could be argued that increasing fines would drive companies to not report breaches. There are laws today that require companies to report if they have been breached, but does it cost that much more to be fined for not reporting? Companies gamble all of the time this way, I’m looking at you VW. Our criminal counterparts at the same time, thinking like Walmart, know they can just charge less and keep getting paid.

Sadly, I don’t think the change will happen until attacks like the Sony hack become more frequent, forcing companies to re-evalute the cost of failure.

posted by holliday at 10:09 am  

Monday, February 15, 2016

How the years change us…

It is interesting to go back and reflect on what we have written, what we have created, and think about who we were then. I know that for me it is a pretty stark change. I hope that the change is good, but as with anything, that is in the eye of the beholder.

I think that when we look at people, at companies and nations, we need to be more forgiving of their past and, while not completely ignoring it, listen to who they want to be today. Many times we find that nations change more than individuals.

Just looking at the United States, I see a stark divide between where we were 20 years ago and where we are today. Sadly, from my perspective it is not actually better. I had a lot of hope that we were in the middle of something amazing. That technology and the internet were going to change our lives forever. They have, just not in a way I and many others expected.

When I read The Declaration of the Independence of Cyberspace I imagined another world. Today I just see another store front. But reading it again, 20 years later, I am filled with the same hope. We doers have the ability to make the Internet, the world wide webs, Cyberspace, whatever you want to call it, a place of Mind.

Or it can continue to be the Walmart of the future…

posted by holliday at 7:07 pm  

Monday, August 3, 2015

Off we go to camp!

Another summer is starting to come to a close and that means the largest gathering of hackers on the planet is about to go down. With three conferences all going on this week it won’t matter if you are at BSidesLV, BlackHat or Defcon, you are going to see something cool. With presentations on hacking cars, hacking guns, and hacking anything that isn’t tied down (and some things that are), there is always something new to learn.

My advice for the first timers, enjoy it. Don’t worry about seeing everything because there is just not enough time. Mostly, just have a good time and meet new people.

And remember, Hack the Planet!

posted by holliday at 9:45 pm  

Friday, June 19, 2015

OPM or Other People’s Mess

I have been reading a lot of the posts that have been written about the OPM (Office of Personnel Management) breach and watched the hearing, and think that we are getting stuck on whichever flavor of security we lean towards. “Well, if they had encryption, this wouldn’t have happened.” “Well encryption wouldn’t have helped in this case.” “If only they used Linux then they would be fine.” If only X, Y, Z. The issue is we (I say we, but if there are any non-US citizens reading this, I mean the US) have adversaries that don’t care what security tools we use, they will find a way in. Maybe even through non-technical means, like human agents. Discussing the OPM breach like it was just another company being breached is a mistake. The adversaries they are facing are very smart, and very persistent. Now, saying that, there were a bunch of big screw ups that left them wide open to the breach.

I was reading a post about the OPM hack on Bromium’s site and I found a statement at the end interesting. “If a security vendor tells you that you will be breached, what are they even selling you?” They are trying to sell you awareness that a persistent, and aggressive adversary will find a way into your environment, and that you should make it as difficult as possible for them and shorten the time to detection. Telling someone that they will always be protected from a breach as long as they use a specific solution is silly. I do like that the author mentions breaking through the status quo, but I think that is what admitting you have a serious adversary and the likelihood of them getting past whatever security you put in place is doing. Through that awareness you can start focusing on making it more difficult, so that your adversary has to spend more resources to gain entry, and focusing on detection, so that your adversary is in your environment for as little time as possible.

“If you know the enemy and know yourself you need not fear the results of a hundred battles” – Sun Tzu

“Know your enemy!” – Rage against the Machine

posted by holliday at 4:42 pm  

Monday, August 25, 2014

Does a “Cybersecurity Czar” need to be coder?

This was the question introduced last week when Michael Daniel, the White House Cybersecurity Czar, made comments that his lack of technical skills was an asset to his job. This, of course, caused a lot of debate about whether Mr. Daniel needed to be a “coder” to be effective at his job.

Here is my take. A CC (Cybersecurity Czar), CISO, CIO, etc., does not have to be a coder or developer to be able to function efficiently in their jobs. They do, however, have to have an understanding of how the technology that they are managing, purchasing, or building national policy around, works. If a CC does not have a proper (read: real world, not read from a book) understanding of how a firewall works, how can we expect them to make good strategic policy around how we should use them? One of the points Caitlyn Hayden, National Security Counsel spokesperson, makes is that from the POTUS on down, they rely on Mr. Daniel’s “expertise”. How can Mr. Daniel have any expertise in a field he doesn’t understand?

If you have not done heart surgery, you can’t claim to be a heart surgeon. The same holds true for technology. If you have not been in a “cyber” role before, how can we believe that you have any understanding of the risks involved in different cyber scenarios? If you are building policy around DDoS attacks and you don’t understand how they work, or what tools you would use to counter them, then what good is your policy?

One of the truly frightening things is any policy that is created that allows for a kinetic response to a cyber attack. Our ability to properly attribute attacks to countries or groups is pretty poor at this point. We can make assumptions but they are just that, assumptions. If Mr. Daniel does not understand how the technology works, we can get policy built that is based on false assumptions that could lead to escalations and violence in the real world.

I, for one, prefer my strategies and policies based on actual expertise, not the assumptions of an amateur.

posted by holliday at 9:34 pm  
Next Page »

Powered by WordPress