What do paying cyber extortionists and dumping toxic sludge into the Chicago River have in common? A lot, actually! Decipher recently interviewed me on some of the research I’ve published and talks I’ve given on ransomware, incentives, negative externalities and how we, the defenders, can influence decisions.
The San Francisco Chapter of the FAIR Institute had its latest meeting on June 21, 2018, generously hosted by Twilio at their company headquarters. It was a well-attended event and featured two great speakers: Jack Jones, Chairman of the FAIR Institute, and Calvin Liu, Director of Operations at Ventura Enterprise Risk Management. Both talks elaborated on specific use cases of FAIR, quantitative risk analysis and techniques, with ample time to network and ask questions. As with all local FAIR chapters, the San Francisco meetings are a fantastic opportunity to hear great speakers, get tips on how to integrate quantitative risk into your risk program and meet new people, from newcomers to FAIR to those with broad experience.
On April 25, 2018, the online gaming company Gravity Interactive announced they are shutting down all games and services in the EU, effective May 25th, the day GDPR takes effect. All EU-based IP addresses will be blocked. Understandably, there’s an uproar, especially from EU-based players of Ragnarok Online, one of Gravity Interactive’s most popular games. Gravity Interactive has operated EU-based servers for 14 years and to many, the sudden decision to pull out of the market entirely seems unfair and unexpected. It’s understandable that people would be upset. The company has been the subject of much derision over the decision. But clearly there’s more to the story than disappointed gamers.
From April 15–20, 2018, the city of San Francisco hosts several simultaneous security conferences. The sub-field of quantitative, data-driven cyber / information security / technology risk and metrics is very small, so I’ve started to compile a list of talks and events that week. To make it on this list, the talk should be about the sub-field described above OR be presented by/hosted by someone who is active in that sub-field.
The term “Black Swan event” has been part of the risk management lexicon since its coinage in 2007 by Nassim Taleb in his eponymous book titled The Black Swan: The Impact of the Highly Improbable. Taleb uses the metaphor of the black swan to describe extreme outlier events that come as a surprise to the observer, and in hindsight, the observer rationalizes that they should have predicted it.
My New Year’s Day ritual has been the same for nearly 10 years now: a late breakfast, a cup of strong coffee and a scan of security blogs and news for two things that always make me chuckle: cyber predictions for the new year, and a retrospective that declares the past year the “Year of the Data Breach.” Kelly Shortridge perfectly parodied the former and I actually thought we might go a year without the latter, until I found this headline on Bloomberg news in which 2017 is named the Year of the Data Breach.
Would you be surprised to find that “nearly 40% of ransomware victims pay attackers,” according to a recent article published by DarkReading? I sure was. The number of victims that pay ransomware and the amount paid has been an elusive figure for years now. To date, law enforcement has not collected and published ransomware crime statistics like they have for other forms of criminal activity.
Word clouds are a great way to visualize text, especially on platforms like Twitter where a great number of people can be talking about one subject. I recently spent 6 days at two San Francisco information security conferences: BSides San Francisco and RSA.
BSides this year was February 28–29 and RSA was February 29-March 4. There’s some overlap in attendees, but the talks and the feeling you get from being at the cons couldn’t be more different. BSides is community driven and the talks are mostly by security practitioners; RSA has a trade-show feel and most talks are conducted by people that work for security vendors.
I was curious about what words showed up most in tweets with the hashtags #BSidesSF and #RSAC, and wanted to see how different or alike they were. I used the twitteR and wordcloud packages in R to generate these images.
[Word cloud: #BSidesSF]
And here’s #RSAC:
[Word cloud: #RSAC]
People were definitely tweeting about different things; BSides attendees generally used more positive language and tweeted about presenters. RSA attendees tweeted about keynote speakers (like Sean Penn) and their tweets contained a lot of retweet mentions. I am also not surprised the word “booth” was a top keyword in #RSAC, from vendors tweeting out “Come to our booth and get a free pen!”
It was interesting to see the similarities and differences. Let me know what you think.
Is using ad blocking software stealing or is it a sound security practice?
On one hand, many websites and content creators make money from advertising. They certainly deserve to be compensated for their time and effort. On the other hand, advertising, at best, can be annoying, and at worst, can serve up malware, suck up bandwidth and redirect confused users to websites without their knowledge.
In May, LastPass announced an intrusion on its network that led to a data breach of user account information. LastPass is a cloud-based password manager; users load the LastPass extension into their web browsers and all the pesky password management tasks are taken care of. The user is given one-click access to fill in the username and password on known sites and the option to generate a long password and save credentials on new sites.
In 2009, Heartland Payment Systems suffered what was until recently the largest data breach in recorded history, at the hands of a skilled and malevolent hacker. After the attack, the company went on the offensive, implementing numerous protocols to safeguard against a future attack. And hey, lightning doesn’t strike twice, right?
The unfortunate thing about this incident is that Heartland, ever since its 2009 breach, dedicated quite a bit of effort to making sure its name wasn’t in the news again associated with a data breach. The lesson here is, while endeavoring to detect and respond to sophisticated attacks from advanced persistent threats, don’t forget the fundamentals of security.
It’s been a tough few weeks for those of us that are responsible for patching vulnerabilities in the companies we work at. Not only do we have the usual operating system and application patches, we also have patches for VENOM and Logjam to contend with. The two aforementioned vulnerabilities are pretty serious and deserve extra attention. But, where to start and what to do first? Whether you have hundreds or thousands or hundreds of thousands of systems to patch, you have to start somewhere. Do you test and deploy patches for high severity vulnerabilities first, or do you continue to deploy routine patches, prioritizing systems critical to the functioning of your business?
Last week, an interesting story made the rounds on social media about a researcher named Samy Kamkar who discovered a flaw in Master-brand combination locks and was able to open the lock in eight tries or less. It’s a great discovery and is of particular interest to security professionals because it teaches us about encryption, the concept of brute-force attacks and weaknesses in implementation.
An often overlooked, but very important, process in the development of any Internet-facing service is testing it for vulnerabilities, knowing whether those vulnerabilities are actually exploitable in your particular environment and, lastly, knowing what the risks of those vulnerabilities are to your firm or product launch. These three different processes are known as a vulnerability assessment, a penetration test and a risk analysis. Knowing the difference is critical when hiring an outside firm to test the security of your infrastructure or a particular component of your network.
Have you ever wanted to get in a time machine and go back to when security industry visionaries were just starting out? Imagine meeting Martin Roesch when he was writing the first version of Snort or Bruce Schneier as he was just putting his ideas down for Applied Cryptography. I don’t have a DeLorean, but I can do the next best thing. I can take you to a place where tomorrow’s thinkers are forming their ideas and honing presentation skills, today.
In February 2015, The Daily Beast published an insightful article about cyber war activity between Russia and Ukraine. The article profiled Eugene Dokunin, a Ukrainian web security consultant who gave up his day job to launch cyber-attacks against Russian targets. He works with a team of volunteers and performs innumerable combative actions, from financial account takeovers to hacking into CCTV systems in order to report on troop activity.
Tune in to just about any AM radio talk show or Sunday morning news program and you are likely to hear the terms “cyber war,” “cyber terrorism,” and “cyber vandalism” bandied about in tones of grave solemnity, depicting some obscure but imminent danger that threatens our nation, our corporate enterprises, or even our own personal liberties. Stroll through the halls of a vendor expo at a security conference, and you will hear the same terms in the same tones, only here they are used to frighten you into believing your information is unsafe without the numerous products or services available for purchase.
One of the world’s largest security conferences, RSA 2015, is right around the corner. Beginning April 19, it’s bookended by two other great, but smaller, events: BSides and the Yahoo Privacy Unconference. Security professionals from all over the world will be in San Francisco that week, and this will arguably be the single best chance all year for those of us in the industry to network.