Monday, February 24, 2020

Qualified lead, or outright fraud. When journalists help push snake oils and magic dust.

Journalists look for good stories..... and sometimes someone serves them one that is too good to be true. But a journalist isn't a security expert, so if the pitch is really good, they too fall victim and inadvertently help market something they shouldn't.

Nothing gets me out of bed faster than receiving a message about an article in which a journalist fell for a manipulative marketing trick and became part of the unjustified hype machine that promotes unethical services.

Well, ok... that's not exactly true... I can think of a few things that would get me up in the morning, but I digress.

All joking aside, this subject is so important, that I felt compelled to produce a video in both French and English to address the subject with my clients.

There are hundreds of sites offering dark web monitoring...

In fact, since I teach at various universities and colleges, I have made it a mission over the last few months to give an entire class on this subject.

---

Just to be clear, this is about cybersecurity and a lack of morals, about being willing to do anything to get business; it is not about sales as such. But let me open with this.

Qualified leads. The bread and butter of a healthy sales cycle.

What if we could find a way to drive customers directly into our sales pipeline....

Well, many companies are doing this today with the help of a cool and frightening cybersecurity term that you may have heard: "SEARCH THE DARK WEB".

So here is the problem with that.

Marketing and security do not play well together.  If your motivation is to sell something, chances are security is a secondary objective.

What if someone told you they could check your health at the click of a button, and then came back and told you they found nothing wrong with you. Or worse, they found two things wrong with you, and you can correct them with the "doctor's" help.

You would feel great. Thank goodness someone was nice enough to help me identify these two things so I could deal with them.

Well, the problem is that this "doctor" didn't actually check much of anything compared to what you perceive. After all, are you qualified to know whether that doctor did a good job, or even did anything qualified, for that matter?

----

Searching the dark web and telling you whether you have been breached so you can sleep well at night is as close to fraud as you can get, unless it is clearly explained to you that the chances of finding your data are slim, and that what is mostly being looked for is passwords, not actual corporate data.

It isn't that you cannot find things on the dark web, it is that you cannot find your things on the dark web with any level of certainty.

Let me explain with a visual diagram. Take a good look at these three tiers (surface web, deep web, dark web):

So let's break this down into logical and comparable pieces.

PART 1:  Surface web

The surface web is your everyday Google-searchable results. Compare that to a published catalog or menu of items.

If someone is selling your data on the surface web, you MAY find it by crafting a good search query in Google. Finding it remains unlikely, because the internet is endless, but it is certainly possible.

Sites like Pastebin are common ground for at least starting the exchange of data: the seller posts samples and an email address to start the trade.

So let's compare this to visiting every bar in the world, sitting at every table, and asking every shady individual if they are selling your data.

Not impossible, because of tools like Google, but still a challenge.

PART 2:  Deep web

This is still on the regular public internet, but it requires a user account to log in. So imagine we compare this to visiting a bar again; this time, you have to find the right bar, AND when you sit at the table to chat, they have to know you, trust you, and decide they want to share information with you.

Now some of these bars are listed in the phone book, and some aren't, so you have to get a referral to find them.

This is where it becomes IMPOSSIBLE to guarantee that a service can tell you whether your data has been exposed. So when marketing folks tell you that you can sleep tight, they have clearly committed an ethical fraud.

PART 3:  Dark web

This is the funniest one. Everyone uses this term to inspire fear and misunderstanding. History has shown us many times how fear can be used to sell snake oil and magical cures, and this is no different.

The dark web is an isolated network.

The dark web is similar to the deep web: some listings exist, but all the good stuff is not listed. That is the point of the dark web. So not only do you not know all the addresses of the bars you want to visit, you most definitely need an invite to get into the good stuff.

Bottom line: it remains an impossible objective to infiltrate even a small number of the actual dark web ecosystems that would yield results.

The best you could do is manually navigate SilkRoad3 (the eBay of the dark web) and maybe get lucky. But this is not where the REAL exchanges of sensitive information take place.

PART 4:  Cyber criminals

Yes folks, there is a part four...... The fact is, your information might be out in the criminal world and NEVER touch any of these "sites".

You see, cybercriminals are smarter than you think. If they have valuable information, they hang on to it; they share it behind closed doors, and they may never leak it, because of an espionage golden rule.

"A tactic known is a tactic blown". Your information loses value quickly once it is known. Let's face it, once a data breach is published, people normally change their passwords.

So let's go back to these "services" that will allow you to sleep well at night because they checked the "Dark Web" (cough, cough) for you.

Surely you have heard of these emails people get that tell them their computer has been hacked and show them a password they are familiar with. The sender then asks them to pay a ransom in bitcoin or they will publish videos recorded from the laptop's camera. I have had people call me in a panic who didn't even have a built-in camera on their computer. So these tactics work.

These passwords are taken from LEAKED password databases.

There are tons of these sites. RAIDFORUMS is one: several terabytes of leaked data.

But you can also check for yourself, for free, at HAVE I BEEN PWNED to see whether your email address or domain name has been exposed in the past.

So just like these fraudulent emails, these "services" that claim to check the dark web only check the most basic of elements.... leaked password databases.
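You can check a password against exactly those leaked password databases yourself, without handing the password to anyone, using the k-anonymity range endpoint of the Pwned Passwords service that Have I Been Pwned runs. The Python below is an added example, not code from the original post or from the service: only the first five hex characters of the password's SHA-1 hash are sent, and the rest is matched locally. The `fetch_range` parameter is my own hook so the lookup can be exercised offline with a canned response; `Winter2019` is borrowed as the sample input from the second post on this page.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

# Added example, not the post's code. Pwned Passwords range endpoint (real API,
# no key required): GET /range/<first 5 hex chars of SHA-1>; the body lists
# "SUFFIX:COUNT" lines for every leaked hash sharing that prefix.
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str) -> Tuple[str, str]:
    """Uppercase hex SHA-1 of the password, split into the 5-char prefix that is
    sent to the service and the 35-char suffix that never leaves this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse the range response into {suffix: count}. Padded responses include
    decoy suffixes with a count of 0; they are kept here and simply never match."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue  # tolerate blank or malformed lines
        suffix, count = line.split(":", 1)
        counts[suffix.strip().upper()] = int(count.strip())
    return counts


def fetch_range_http(prefix: str) -> str:
    """Real lookup over HTTPS. Add-Padding asks the service to pad the response
    so its size leaks nothing about how common the prefix is."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"User-Agent": "pwned-passwords-demo", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str,
                fetch_range: Callable[[str], str] = fetch_range_http) -> int:
    """How many times the password appears in the leaked corpus (0 = not seen).
    `fetch_range` is an injection point (my own hook) so tests can run offline."""
    prefix, suffix = split_sha1(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


if __name__ == "__main__":
    # Needs network access; "Winter2019" is the sample password from the other post.
    print("Winter2019 seen", pwned_count("Winter2019"), "times")
```

A count above zero means the exact password sits in a public leak, which is what the extortion emails above rely on; the design point is that the service never learns which of the few hundred candidate hashes in the prefix bucket was yours. Looking up a breached email address or a whole domain, as the site also offers, goes through a separate endpoint that requires an API key sent in the `hibp-api-key` header, so it is not shown here.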

Now... how do you test this?

Well, it is actually quite simple:
  • You create a leak of false data representing a new and fictitious enterprise.
  • You insert it into several EASY places found on the Internet.
  • You insert it into several known, but closed, forums.
  • You insert it into Silkroad3 (the dark web marketplace).
  • You insert it into one or two REAL underground sites.

And then you test the service.

You know what will come up.

Nothing.
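The seeding test above can be made repeatable. As an added example (not the author's code), the Python below generates canary credential records for a fictitious company, one batch per place you intend to plant them, and, once the vendor's report arrives, scores what fraction of the seeded records per tier the service actually surfaced. The domain `acme-fictitious.example`, the tier names and the record counts are constructed for the demonstration; planting the records is the manual step the post lists, and this code does none of it. Mailbox names are derived with an HMAC over a secret seed key, so only the holder of that key can tell a genuine canary hit from a garbled or made-up address.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List

# Added example (not the author's code): build traceable canary records for a
# fictitious company and score a monitoring vendor's report against them.
# Tier names, domain and counts below are constructed for the demonstration.

# One seeded "tier" per kind of place the post suggests planting the decoy.
TIERS = ["surface", "deep", "closed-forum", "dark-market", "underground"]


def canary_local_part(seed_key: bytes, tier: str, index: int) -> str:
    """Mailbox name derived from a secret key, so only the seeder can recognise
    (and nobody can forge) a genuine canary."""
    tag = hmac.new(seed_key, f"{tier}:{index}".encode(), hashlib.sha256).hexdigest()
    return f"emp-{tag[:10]}"


def make_canaries(domain: str, seed_key: bytes, tiers: Iterable[str] = TIERS,
                  per_tier: int = 2) -> List[Dict[str, str]]:
    """Fake employee credential records, each tagged with the tier it is meant for."""
    records = []
    for tier in tiers:
        for i in range(per_tier):
            records.append({
                "tier": tier,
                "email": f"{canary_local_part(seed_key, tier, i)}@{domain}",
                # random throwaway password: a decoy must never reuse a real one
                "password": secrets.token_urlsafe(12),
            })
    return records


def is_genuine_canary(email: str, domain: str, seed_key: bytes,
                      tiers: Iterable[str] = TIERS, per_tier: int = 2) -> bool:
    """True if `email` is one of our HMAC-derived canaries (constant-time compare)."""
    local, _, dom = email.strip().lower().rpartition("@")
    if dom != domain.lower():
        return False
    for tier in tiers:
        for i in range(per_tier):
            expected = canary_local_part(seed_key, tier, i)
            if hmac.compare_digest(local.encode(), expected.encode()):
                return True
    return False


def score_report(canaries: List[Dict[str, str]],
                 reported_emails: Iterable[str]) -> Dict[str, Dict[str, float]]:
    """Per-tier detection rate: how many seeded records the vendor actually surfaced."""
    found = {e.strip().lower() for e in reported_emails}
    tally: Dict[str, List[int]] = {}
    for rec in canaries:
        counts = tally.setdefault(rec["tier"], [0, 0])  # [detected, seeded]
        counts[1] += 1
        if rec["email"].lower() in found:
            counts[0] += 1
    return {tier: {"detected": d, "seeded": n, "coverage": round(d / n, 2)}
            for tier, (d, n) in tally.items()}


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # keep this offline; it is what proves a hit is yours
    seeded = make_canaries("acme-fictitious.example", key)
    for rec in seeded:
        print(rec["tier"], rec["email"], rec["password"])
    # Constructed vendor report: one surface hit, plus an address that is not ours.
    report = [seeded[0]["email"], "someone@acme-fictitious.example"]
    print(score_report(seeded, report))
```

The per-tier coverage is the number the marketing claim should be held to: a vendor that only ingests leaked credential dumps will show hits on the surface tier at best and zeros everywhere below it, which is the "Nothing" the post predicts. Keep the seed key and the seeded list out of the vendor's hands, otherwise the report proves nothing.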

And if you read the disclaimer on these services you are subscribing to, the legal wording makes it clear that you have no guarantees, and it may become clear that they are not catching much. I have read a dozen disclaimers from various sites, and none of them made me feel good about the service.

So it's a great way to drive the uneducated and unqualified into your sales pipeline, and a great way to sell them something else after you have established a relationship. But for many qualified security professionals, this is unethical and immoral, since the client perceives that they are somehow protected.

Lately, some articles have been published stating that in Quebec alone we have over 17,000 security resources.

No, we have fewer than 1,000 in my view, and fewer than 100 in the highly qualified portion.

This type of marketing proves that point.

Security is about maturity and about perception.  The fact that you add the word security in your marketing literature does not make you a valued security partner.

A false sense of security is what resulted in the sinking of a 46,328 ton vessel called the Titanic.

Now, to the journalists and websites that cover these less than ideal services, push referrals to them, and actually help these snake oil salesmen sell more magic dust: please... please... validate your stories with vetted security professionals and make sure to explain the limits of these services.

_______________________________________________

Eric Parent is a senior security expert (and seasoned pilot), specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies

Friday, February 21, 2020

DNA sequencing computer attacks - The large security gap chasm that enterprises face

I was having a discussion with a friend who works in a three-letter agency about the large gap that most enterprises have in their security and overall maturity.

Overall maturity across most enterprises remains low when you look at the full breadth of what would be expected of a secure enterprise.

In a humorous text message, my friend sent me a really cool conference talk on DNA sequencing used to attack a computer system.

Here I am arguing

  • about the value of isolating a compromised workstation even if it is the CEO's laptop;
  • that Winter2019 is a terrible password;
  • that the user who, when told Summer2019 was a bad password, changed it to Winter2019 lacks computer security competency;
  • that if performing a simple vulnerability scan across your network causes major issues, it means your systems are at the bottom end of the quality scale;

.... and in a lab somewhere in Washington, they hacked a computer using DNA.

Yes, you read that right.

If you want to expand your view of the complexities enterprises face in defending against malicious attacks, listen to this 29-minute talk.


Summary (extract):
A group of researchers from the University of Washington has shown for the first time that it's possible to encode malicious software into physical strands of DNA, so that when a gene sequencer analyzes it the resulting data becomes a program that corrupts gene-sequencing software and takes control of the underlying computer.

That's right, folks: as security professionals, we have to test users for weak passwords, test computers for malware, and test software for out-of-band attacks coming in through DNA.

I thought this painted a really good picture of how wide the job of protecting enterprises against attacks can be.

We have to explain to management that Winter2019 is a bad password AND we have to explain that software in an embedded system could be exploited by a DNA sample. If they do not even understand the first one..... that second one is going to be a hard sell.

The reality is that attackers invest all their time in finding weaknesses that they can exploit. Enterprises still struggle to have enough budget just to keep systems updated.

Let's just say that breaches will continue to happen, and sites like databreachtoday.com might have to change their names soon to data breach this hour . com


So if you are competent in cybersecurity... job security is probably ensured.

This week, our local government announced yet another data breach, in which a user account was used to log in and steal the personal information of 360,000 employees (TVA Nouvelles - Ministère de l'Éducation).

A single user account that can suck all the records out over the Internet.

What a wide chasm we indeed are facing.

