Technology + Management + Innovation

New Year's Security Resolutions

by Jake Bennett

Seven steps that will make this year the most secure year yet.


It’s the New Year, which means it’s time for the annual human ritual of making personal promises to give up bad habits and commit to living life better going forward. While most people are focused on renewing their gym memberships or cutting out carbs, my New Year's resolution is to help make the Internet a safer place. As an industry, our collective security bad habits caught up with us last year, and it’s time for a change. Last year was a very bad year in terms of security. Here is but a small sampling of the headline-grabbing breaches that happened in 2015:

  • Toy manufacturer VTech suffered a breach that exposed 4.8 million customer records, including personal information about kids, as a result of weak password security.
  • Security researchers published a method for hacking a Jeep Cherokee remotely, giving attackers the ability to stop the car on the highway. Virginia State Police revealed that their police cars could be compromised. Chrysler recalled 1.4 million cars to patch their in-car software and fix the security flaw.
  • CIA director John Brennan’s email was hacked by a teenager through a social engineering attack.
  • Credit agency Experian lost 15 million T-Mobile customer records to hackers, including names, addresses, social security numbers, birth dates and passport numbers.
  • Ransomware became a big deal in 2015. Cyber extortionists started using it more prevalently and more broadly, expanding beyond the desktop to encrypt websites and mobile devices for ransom.
  • Infidelity match-maker Ashley Madison lost customer records on 30+ million registered users. Poor software development practices and bad password management were likely contributors.
  • Italian hacking consultancy Hacking Team was itself hacked, unleashing a number of zero-day exploits into the wild and exposing its list of largely government clients.
  • The U.S. Office of Personnel Management suffered a breach affecting 22 million government workers, including the theft of entire background checks, fingerprint data, and other highly sensitive personal information. Great fodder for blackmail.
  • LastPass, a password management provider, was hacked. The attackers took account email addresses, password reminders, per-user salts and authentication hashes rather than the encrypted vaults themselves, and since the master passwords were only stored as salted, iterated hashes, it’s unclear whether any were ever actually recovered and used. Adding to an already bad year for LastPass, security researchers then published multiple methods for compromising LastPass’s security.
  • The biggest hack of 2015, however, was the security breach of healthcare provider Anthem (a Blue Cross Blue Shield licensee), which resulted in the theft of a whopping 80 million customer records, and an additional 19 million records of rejected customers. That’s about a third of the entire U.S. population.

2015 was abysmal for security—there is no denying it—but there is a silver lining. I’m hopeful that we’ll look back at 2015 as a watershed moment, the year the industry hit rock bottom, motivating us to get off the couch and start working our infosec muscles again. To that end, I’ve drafted a set of New Year's security resolutions to get the ball rolling.

1. No Patch Left Behind

The bad guys are constantly scanning our networks for older software with known vulnerabilities. Even if a vulnerability shouldn’t be exploitable under normal circumstances, or only leaks a little information, it is still one piece of the puzzle an attacker assembles to gain access. I want to take all of these pieces off the board. That means using vulnerability scanning tools to their full capability (e.g. agent-based or credentialed scans on every host, since an unauthenticated scan only sees what a host exposes on the wire and will happily report a patched-looking host that isn’t), scanning every node on the network, and getting every host to a “green” status. Think of this as the “broken windows” approach to patch management.

The challenge to patch management in the real world isn’t the time it takes to patch hosts (although that’s still a huge hurdle); it’s creating a process whereby we feel safe installing patches with minimal effort and little risk of breaking production systems. Effective patch management is a math problem:

Cost/time of patch management =
(# of hosts * time to patch) +
(# of hosts * time to fix post-patch problems) +
(lost productivity from post-patch problems)

If you feel a twinge of hesitation to install the latest patch on a mission-critical system, that would be you mentally calculating the last two terms of the equation. You need to reduce this hesitation if you’re going to get to “green.” This can be managed by classifying systems into three buckets: 1) systems that result in a call from the CEO if they break, 2) systems that result in a call from a VP if they break, 3) all others. The number of hosts in bucket #1 will be small. Focus your time and energy on those: deploy the patches to test systems first and test them thoroughly before touching production, or, at minimum, have a tested rollback plan if things go wrong. For the systems in bucket #2, do a quick assessment of the latest patches and install them if there are no obvious breakers. Put the hosts in bucket #3 on autopilot: install patches automatically and ask for forgiveness later if something breaks.
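The triage described above is easy to describe and easy to forget in practice, so here it is as a small script. This is an added example, not code from the original post: it turns a vulnerability-scan export into a per-host patch plan using the three buckets, refuses to call a host “green” when its scan was not credentialed, and orders the work queue so bucket #1 hosts with the worst findings come first. The CSV columns, the hostnames, the finding IDs and the host-to-bucket map are all constructed for illustration.

```python
"""Patch triage: scan findings -> per-host patch plan using the three-bucket rule.

Added example, not the post's own tooling. The scan export format below is
constructed; real scanners export more columns, but the idea is the same.
"""
import csv
import io
from collections import defaultdict

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Bucket 1 = a call from the CEO if it breaks, bucket 2 = a call from a VP.
# Anything not listed is bucket 3. Hostnames are made up for this example.
HOST_BUCKET = {
    "billing-db01": 1,
    "crm-web01": 2,
}

ACTION_BY_BUCKET = {
    1: "stage on a test system, run regression, keep a rollback plan, then patch",
    2: "review release notes for obvious breakers, then patch",
    3: "auto-patch, ask forgiveness later",
}

# Constructed scan export (not real scanner output). One row per finding; a row
# with an empty finding id means "host was scanned and nothing was found".
# 'credentialed' says whether the scanner had an agent/credentials on the host.
SCAN_EXPORT = """\
host,finding,severity,patch_available,credentialed
billing-db01,F-101,high,yes,yes
billing-db01,F-102,low,yes,yes
crm-web01,F-103,medium,yes,yes
crm-web01,F-104,medium,no,yes
kiosk-07,F-105,critical,yes,yes
kiosk-08,,,,no
kiosk-09,,,,yes
"""


def parse_scan(text):
    """Group rows by host -> {"credentialed": bool, "findings": [dict, ...]}."""
    hosts = {}
    for row in csv.DictReader(io.StringIO(text)):
        entry = hosts.setdefault(row["host"], {"credentialed": False, "findings": []})
        entry["credentialed"] = entry["credentialed"] or row["credentialed"] == "yes"
        if row["finding"]:
            entry["findings"].append({
                "id": row["finding"],
                "severity": row["severity"],
                "patch_available": row["patch_available"] == "yes",
            })
    return hosts


def plan_host(host, entry):
    """Decide status and next action for one host."""
    bucket = HOST_BUCKET.get(host, 3)
    patchable = [f["id"] for f in entry["findings"] if f["patch_available"]]
    unpatchable = [f["id"] for f in entry["findings"] if not f["patch_available"]]
    if not entry["credentialed"]:
        # An uncredentialed scan only saw the network surface, so "no findings"
        # proves nothing. Getting a real scan is the first patch-management task.
        status, action = "unknown", "run a credentialed or agent-based scan first"
    elif not entry["findings"]:
        status, action = "green", "none"
    elif patchable:
        status, action = "not green", ACTION_BY_BUCKET[bucket]
    else:
        # Findings exist but the vendor has shipped nothing: not green, but not
        # a patching job either. Needs a mitigation or an explicit risk decision.
        status, action = "not green", "no patch available: mitigate or accept the risk"
    worst = max((SEVERITY_RANK[f["severity"]] for f in entry["findings"]), default=0)
    return {"host": host, "bucket": bucket, "status": status, "patchable": patchable,
            "unpatchable": unpatchable, "worst_severity": worst, "action": action}


def build_plan(text):
    """Per-host plans ordered by bucket, then worst severity, then hostname."""
    plans = [plan_host(h, e) for h, e in parse_scan(text).items()]
    plans.sort(key=lambda p: (p["bucket"], -p["worst_severity"], p["host"]))
    return plans


def summary(plans):
    """Count of hosts per status, i.e. how far from 'everything green' we are."""
    counts = defaultdict(int)
    for p in plans:
        counts[p["status"]] += 1
    return dict(counts)


if __name__ == "__main__":
    plan = build_plan(SCAN_EXPORT)
    for p in plan:
        print(f"[{p['status']:>9}] bucket {p['bucket']} {p['host']:<13} -> {p['action']}")
    print(summary(plan))
```

The one design choice worth noting is the separate “unknown” status: a host that was never scanned with credentials is excluded from the green count rather than silently passing, which is what keeps the “every host green” goal honest.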


Six Practical Steps You Should Take to Protect Yourself from Cyber Criminals

by Jake Bennett

By dissecting the methods used by hackers in the recent wave of cyber attacks, we can identify ways to help us stay more secure online.


A rash of cyber attacks and security news hit over the Labor Day weekend, impacting The Home Depot, Healthcare.gov, Goodwill and Apple. But this recent flurry of security activity is positive in one respect: it gives us a glimpse into the mechanics of real-world attack scenarios. The more we use this as a learning opportunity, the safer we’ll be. Here are a few lessons we should take away from the attacks:

1. Understand that even if you do everything right, you’re still not safe

During the first few days of the iCloud breach, in which explicit pictures of several celebrities were stolen via Apple’s iCloud backup service, many people were saying that the victims should have used two-factor authentication to protect their information (sadly, another example of the “blame the victim” mentality). It was later disclosed, however, that Apple’s two-factor authentication didn’t actually cover iCloud backups at the time: it protected account changes and purchases, not the backup data an attacker with the password could pull down. So even if you were one of the rare, paranoid people who used two-factor authentication, it wouldn’t have protected you.

In a similar vein, having the most secure password in the world wouldn’t have helped the customers of Home Depot or Goodwill, whose stolen credit cards were used in-store. If the people processing your credit cards get hacked, no amount of personal cyber hygiene will save you.



Ukrainian Hacker Strikes Again. Creepy Hacker Community Compromises Apple iCloud.

by Jake Bennett

A wave of high profile security breaches was recently discovered, potentially affecting millions of people. Each attack had a unique footprint, giving us an interesting glimpse into the scary world of cyber crime.


Somewhere in the PR offices of Goodwill, the Department of Health and Human Services, and The Home Depot, a crisis-management specialist is enjoying a small moment of thanks. On the one hand, they’ve probably had a pretty terrible week, dealing with the press and trying to explain the causes and impacts of major security breaches within their organizations. On the other hand, they are probably considering themselves lucky. They know that the best way to divert attention away from their own crisis is for another, more interesting crisis to hit at the same time. Fortunately for them, their unspoken prayers were answered. At the same time stories broke about their breaches, it was revealed that naked photographs of high-profile female celebrities had been stolen from Apple’s iCloud service. Hacking + Apple + celebrities + naked selfies = four-of-a-kind in the tech news world, and trumps even news about a security breach that might be bigger than Target’s 2013 attack. Let’s face it, Jennifer Lawrence has a lot more charisma than Home Depot credit card numbers.

Although this string of hacks might have been an unexpected deus ex machina for a few lucky PR professionals, for the rest of us it’s a really scary series of events that forces us to take a step back and ask the question: is anything safe online? Let’s review each of these breaches and see what we can learn from them so we can be better protected ourselves in cyberspace.



CIA’s Top Security Innovator Proposes Some Ideas That Are Crazy Enough to Work

by Jake Bennett

Dan Geer, chief information security officer of In-Q-Tel, the CIA-backed venture capital firm, gave a thought-provoking keynote at this year’s Black Hat security conference, arguing that thoughtful government regulation is the best hope for shoring up our cyber defense. He may just be right.

The Iconoclast

Dan Geer has never been one to walk away from a fight. In 2003, he was fired from security firm @stake after co-authoring a report, released by the Computer and Communications Industry Association, arguing that Microsoft’s monopoly over the desktop was a national security threat. Given that Microsoft was a client of @stake at the time, it’s not a shocker that he didn’t make employee of the month. Somewhat humorously, in an interview with Computerworld after the incident, Dan remarked, “It’s not as if there’s a procedure to check everything with marketing.” Somehow I think a guy with degrees from MIT and Harvard didn’t need to check in with marketing to gauge what his firm’s reaction to the paper would be.

Fortunately for the Black Hat audience (and those of us who watched the presentation online), Dan continued to live up to his reputation. He outlined a 10-point policy recommendation (well summarized here) for improving cyber security. In the preamble leading up to the policy recommendations, he made two key points that provide critical support for his policy argument:

  1. The pace of technology change is now so fast that security generalists can no longer keep up. Highly specialized security experts, and governments, are now needed to protect our information assets.
  2. If you want to increase information security, you have to be pragmatic and willing to make compromises. As Dan succinctly put it: “In nothing else is it more apt to say that our choices are Freedom, Security, Convenience—Choose Two.”

These points are important to keep in mind when listening to his presentation because they provide critical context for his potentially unpalatable policy recommendations.

To Regulate or Not to Regulate

As a card-carrying capitalist, I’m naturally wary of government technology regulation. But as a digital technologist I’m absolutely terrified of it.