It Really Was the Lazarus Group, in North Korea with SWIFT


Last week, news broke that the US had linked North Korea to the theft of millions against the Federal Reserve in a series of bank heists involving the SWIFT messengering system.  I did a couple talks last year about banking insecurity as a fairy tale that misrepresented itself in the form of that trusted messengering system, SWIFT.  The deeper I delved, the scarier that fairy tale got. But from the start I had my suspicions about who was behind it and why. Why was a big factor because it ruled out the usual bank cyber crime suspects, aka Russia and Eastern Europe. This was too overt a move for a nation state to make right? Well, that depends which nation state you are.

And this was where my poli sci years kicked in.  I’ve always stood at that intersection of international relations and cybersecurity. It’s one heck of a vantage point. I do threat intel. Still pinching myself because I didn’t know this thing I love to do even existed a few years ago. But as I learn and grow in this field, what becomes increasingly clear is the need for context. That we have to take more than we surmise into account to really get the big picture. And we need the big picture to do this right. Otherwise we risk making the wrong call when we choose to play the attribution blame game, where the stakes are high and the consequences could level a lot more than the proverbial playing field.  So international relations, current affairs, global economy and history all need to be factored in. Then we have data with context and points that link, so we can see patterns.


Linda Davidson/Washington Post

Because for me this story was always so much more than just “hackers went after a billion but only got 81 million”.  Who was behind those hackers? Why Bank of Bangladesh? Who needed a billion badly enough to digitally “rob” a bank? I’ll admit I have my likely crew: Russia, China, North Korea.  In this case, Russia and China were too big to make this kind of a play and have to contend with the global condemnation.  That’s a headache they would rather avoid and neither needed a billion dollars that badly. However, North Korea was a different story: impoverished, starving, and whose wildcard of a leader answered to no one in his quest for nukes. As per a recent story in the Washington Post:

“North Korea has consistently been treated like a joke, but now the joke has nuclear weapons,” said John Park, director of the Korea Working Group at the Harvard Kennedy School. “If you deem Kim Jong Un to be irrational, then you’re implicitly underestimating him.”

Kim Jong Un may be crazy but he’s crazy like a fox.  Hence why the attacks were on banks where nobody would care. Because the truth is first world problems get the attention, not developing nations like those in South East Asia. And of course, security was lax, because the resources just weren’t there. Nor was the mindset.  Corruption and coercion get things done in many parts of the world. How do you factor those into NIST spreadsheets and security audits?

A colleague and I had a great brainstorming session on geopolitics and cybersecurity as we put the details together. His keen insights and my paranoia spun the needle to land on North Korea. We just didn’t have any proof.  Fast forward a few months later, though, and tracks were found in the butter. Remember what I said earlier about the importance of history, context and patterns? Key pieces of code harkened back to the attack on Sony, and some very crafty work by the Lazarus Group.  While it wasn’t a smoking gun, it certainly was substantive. After his work on decoding Stuxnet, I listen when Eric Chien of Symantec weighs in. He knew what he saw there and he called it.

sonyhackIn the realm of cyber criminals, The Lazarus Group are somewhat nebulous, hard to pin down, and known for their ability to die off and then resurrect themselves, hence their name.  They’ve been identified as operating out of North Korea. To me, that means North Korea gives them a safe haven in return for services rendered. They are the bag man for their host supplying “dirty deeds”, just not done dirt cheap.  Because nation states don’t do this stuff for themselves when they need to remain one step removed.  Let me state that things are no where near this simplistic, and yes, China factors into this as well.  But no surprise there given the long-standing partnership between China and North Korea.

lazarus_map_ENWhere does this lead? Well, I did allude to the possibility of global economic chaos being used in the games nations play, because it’s all about the power and money is just a means to that end. Now we have news reports saying how nation states have resorted to robbing banks, and what a terrifying prospect that is. According to Richard Ledgett, Deputy Director of the NSA, in a story by the Wall Street Journal:

“If that linkage is true, that means a nation-state is robbing banks. That is a big deal; it’s different,” he said on Tuesday during a panel discussion at the Aspen Institute.

Mhm. I have a lot more where that came from.

Please click here if you’d like to see my talk on SWIFT and banking insecurities.


Ransomware Updates

We’ve got some new stuff out there. First, for those who torrent, be careful. If you torrent on a Mac, be very careful.  For the second time, ransomware has been designed for the Mac OS.In this case, “Patcher” is poor quality, shoddy code, to the extent that if the victim pays the ransom, they don’t get their files back because that code doesn’t work. It’s getting dropped via fake Adobe Premier Pro and Microsoft Office for Mac.

Second, if Google is telling you “Hoefler test not found”, don’t think you need to install that font. It’s a ploy on certain compromised websites to drop Spora ransomware. And very few AV or anti-malware programs can detect this one.

spora.JPG But, if you play it safe and do as Google says, click Discard and don’t download.  You’ll avoid ransomware.

If you want to know more, I’ve got a Ransomware page.

And saved the best for last. This amazing map from F-Secure shows the timeline of ransomware.  You can see the explosion that took place in 2016.



Back it up! Back it UP!

Because today is World Backup Day – A cautionary tale and my little take on “Shake It Off” by Taylor Swift

I left it too late
Got nothing on my plate
That’s what my disk drive says mmm-mmm
That’s what my disk drive says mmm-mmm

Now my files are all gone (sob)crash3
And I know something is wrong
At least that’s what the server says mmm-mmm
That’s what the server says mmm-mmm

So I keep losing
All the work that I was doing
It’s like I got this hole
In my drives
And it’s not gonna be alright

‘Cause the data’s gone away, way, way, way, waybash
And now it’s way too late, late, late, late, late
Baby, I’m just gonna cry, cry, cry, cry, cry
I shoulda backed it up, backed it up

Shellshock is gonna bash, bash, bash, bash, bash
And the hackers gonna hack, hack, hack, hack, hack
Baby, I’m just gonna cry, cry, cry, cry, cry
I shoulda backed it up, backed it up

When we got hacked todayransomware
By Ransomware – won’t pay
That’s what they say don’t do mmm-mmm
That’s what they say don’t do mmm-mmm

Get the backups- Let’s restore! (backup and restore)
Is this all- why aren’t there more? (why, why aren’t there more?)
So I tell them I don’t know, mmm-mmm
I tell them I don’t know, mmm-mmm

And we are losing
The work that we’ve been doing
It’s like we got this hole
In the drives
And it’s not gonna be alright

‘Cause the data’s gone away, way, way, way, waysonypictureshack-640x1136
And now it’s way too late, late, late, late, late
Baby, I’m just gonna cry, cry, cry, cry, cry
I shoulda backed it up, backed it up

Our site is getting hacked, hacked, hacked, hacked, hacked
Our accounts are getting jacked, jacked, jacked, jacked, jacked
Baby, I’m just gonna cry, cry, cry, cry, cry
I shoulda backed it up, backed it up

Back it up, I’ll back it up
I, I’m gonna back it up, back it up
I, I’m gonna back it up, back it up
I, I’m gonna back it up, back it up

Yeah ohhhh!!!!

Yeah the price we had to pay, pay, pay, pay, paydrive crash
But today’s a different day, day, day, day, day
Baby, I’m just gonna save, save, save, save, save
Now I back it up, I back it up

If the hard drive’s gonna crash, crash, crash, crash, crash
Or tornadoes gonna smash, smash, smash, smash, smash
Baby, I’m not gonna cry, cry, cry, cry, cry
Cause I back it up, I BACK IT UP!

You know what you gotta do – go do it!

Ransomware: Don’t Get LOCKY’d Out


LOCKY made its debut a week ago, and impacted half a million users around the globe in a day. The numbers have escalated alarmingly since then as this latest crypto-ransomware, developed by the same dark minds behind Dridex banking malware, spreads across platforms and continents.

What YOU Can Do

We’re warning users to beware of phishing emails. Even if it says it is from your bank, they will not send you an email for something requiring your urgent attention with a link or an attachment. The same goes for the CRA or other major financial institutions. MS Word documents masquerade as invoices requiring urgent payments, or bank statements. These will contain malicious macros that launch the malware. Once it gets onto a computer connected to ANY network, it will spread and contaminate rapidly. And any removable devices will also become contaminated, putting others at risk.

If you suspect you’ve been hit, time is crucial. Contact your support people immediately. We’re here for you. And shut your computer down. You need to cut yourself off from the network immediately. Expect that you will not be using your computer for some time and that you may need to shutdown the network. Given that the encryption is so powerful, the only recourse victims have is to restore from an untainted backup. Or face paying the ransom with no guarantees.


As detailed by researchers at Naked Security for Sophos, LOCKY encrypts a wide range of file types. These include videos, images, PDFs, program source code, and Office files. As well as files in any directory on any mounted drive that the infected computer can access. This is important because this will also include removable drives plugged in at the time or network shares that are accessible like servers and other people’s computers. That is a lot of potential damage. Extend that to a case where an infected user is connected to the network using administrator access and controls; the damage could be widespread. Locky will also encrypt Bitcoin wallet files it finds, thereby stealing any bitcoin that could have paid ransom.
Where’s My Shadow Copy Backup?

But then LOCKY takes things further by removing any Volume Snapshot Service (VSS) files or “shadow copies.” If you use Windows, you know those are the current of live backups Windows takes of work in progress – we all rely on those for when we forget to save, or the system crashes. Unfortunately, for some users these shadow copies have simply become their backup system.

Steps to Stay Safer

  • Make regular backups and keep one off-site
  • Do not enable macros in emails and attachments
  • Be suspicious of attachments from unknown/untrusted sources
  • Do not stay signed on with administrator privileges any longer than you need
  • Keep your security patches up to date
  • Have a DRP with a business continuity plan in place to minimize downtime


Watching Your Backdoor

It’s a thing. Backdoors. Add no, not the fun kind with screens that keep out mosquitoes. The kind I’m going to reference here are the ones that actually let worse things in.


Backdoors in tech aren’t just the stuff of legend, or part of the plot in tales of espionage. They are very real,  and there is nothing secure about them. They exist as an intrusion point, hidden, secret. These deliberate manipulations of code allow access into a network or application and bypass the necessary security protocols.  What matters to me isn’t so much that these are used by foreign governments to spy on us, or for corporate espionage. Rather, it’s the further legitimization of attacks on our privacy.  How do we secure against this mindset? Backdoors are essentially a weakness built into the code. Something unsecured that when discovered can be readily exploited, because nobody is supposed to know it’s there. Until it’s too late.

Several backdoors have recently been revealed just over the past few months.Here’s the rundown of shame by John E Dunn in his article in Forbes:

NSA Clipper Chip, 1993

The most reviled backdoor in history, the NSA’s infamous Clipper chip, endorsed by the Clinton administration, still gets people’s backs up more than two decades on from its heyday. In 1993, encryption was new and strange. Few used it but the experts and Government spooks could, however, imagine a world in which they might. Their answer was to neuter the possibility of unbreakable security with an escrow-based system based around the Clipper chip that would cache keys. Assuming anyone had agreed to use it the NSA would have had a ready means to decrypt any content.

As Whitfield Diffie, creator of the famous Diffie-Hellman key exchange protocol observed at the time, the problem with building in backdoors is that they are deliberate weaknesses. Should a third-party find them they become less a backdoor than an open one.

Borland InterBase backdoor, 2001

This weakness in the firm’s InterBase database was essentially a secret backdoor account that allowed anyone with knowledge of it access to data. Making the serious comic, the username and password in question were ‘politically’ and ‘correct’. At the time, the assessment was that while deliberate the hole was probably put there by one or a small number of programmers as a convenience. But we’ve included it because the fact that perhaps only one person knew about it doesn’t mitigate its seriousness for the seven years until it was discovered.

Huawei v the US, 2011

The huge Chinese equipment maker spent millions trying to reform its image after being accused of building backdoors into its telecoms equipment. In 2012 a US Congressional investigation concluded that the firm (and mobile vendor ZTE) should be banned from the world’s largest market over state surveillance worries. In the UK BT had been installing Huawei equipment since 2007 so it was all too late to do much about it beyond GCHQ setting up a special unit to monitor its systems in cooperation with the company itself.

Irony or all ironies, a Snowden leak then suggested that the NSA’s Tailored Access Operations (TAO) had set up an operation to spy on Huawei to work out how far any collusion went.

The modern (i.e. post-Aurora and Stuxnet era of backdoor scandal began here.

Cisco et al, 2013

Dragged out of Snowden’s famous cache by a German newspaper, this concerned unpublished security flaws in the networking equipment of a group of vendors, headed by Cisco but including Juniper, Samsung among others. These weren’t classic backdoors except in the sense that they allegedly offered a huge amount of surveillance control over the equipment. Very unusually, Cisco’s CSO John Stewart issued a statement denying any knowledge of the compromise.

“As we have stated prior, and communicated to Der Spiegel, we do not work with any government to weaken our products for exploitation, nor to implement any so-called security ‘back doors’ in our products,” he stated. The fact he was even having to say this was a sign of changed times.

More recently in 2015, a backdoor compromise called SYNful Knock was discovered on Cisco equipment. Described by security fir FireEye as a Cisco router implant, already it was clear that the simple idea of intelligence engineers building in massive holes from day one of a product’s life was probably out of date. Why build them in when juicy ones could be found later on?

Juniper, 2015

Discovered just before Christmas 2015, this looked like a biggie in Juniper’s NetScreen ScreenOS from the off. The company finally admitted to suspicious researchers that the Dual_EC_DRBG encryption random number generator contained a backdoor that would allow anyone with knowledge of it to eavesdrop on secure VPN connections. This flaw might or might not have been deliberately put there by the NSA, which was he source of the RNG, but it was exploited at some point, possibly by a third-party government. A backdoor in a backdoor or just weak coding?

Fortinet, 2016

Hard-coded passwords are an absolute no-go for any system these days so it was disconcerting to discover that Fortinet appeared to have one in an SSH interface accessing its FortiOS firewall platform. Researchers looked on this as a backdoor although Fortinet strenuously denied this interpretation. In fairness, this was probably correct although the lack of transparency still bothers some.


Was the revelation that this protocol, promoted by the UKs CESG for end-to-end encryption in VoIP phone calls, a real backdoor or simply part of the spec? According to Dr Steven Murdoch of University College London the escrow architecture used with MIKEY-SAKKE simply has not been fully explained. Was this a way to spy on conversations without anyone knowing? According to GCHQ, that’s exactly what it was. As an enterprise product, escrow was perfectly appropriate and organisations deploying this technology needed a system of oversight.

In fairness to MIKEY-SAKKE setting up end-to-end encryption without some form of backdoor is now unthinkable for large enterprises that need control over their encryption infrastructure. Whether this compromises the system in a wider sense seems over-blown assuming the architecture has been correctly documented.


My First ShmooCon – This Time It’s Personal

There are many security cons you can attend. Only one is Shmoo.

In our security community, Shmoo is beloved. Testament to that is how people will go out of their way to attend. The ticket sales tell the story. Two rounds were sold out in mere seconds. Say F5 and everyone knows which con you mean. Yet, no one wants to increase the number of attendees, because then it wouldn’t be Shmoo. This is as far from the hacker throngs at DefCon as it gets. Nor is it the suited industry version, like RSA. Steve Ragan or @SteveD3 put it best: Shmoo is family.

This is a con where hackers come to play. You can set up the actual network on the night before things get started. There’s a massive wireless CTF; a crypto challenge; Hack Fortress; locks to pick; the Tour de ShmooCon contest. You can even win a prize by hacking the barcode.  Because we learn when we play.

Lobbycon at Shmoo is legendary.  A who’s who of InfoSec stand shoulder to shoulder in hoodies with beer. Or Bourbon. Or shine. I loved having my fellow Canuck and very Infosec mentor, Lee Brotherston @synackpse, as my intrepid guide. I got to meet Dave Kennedy – yes, one of the nicest and most knowledgeable members of our community – amidst those mysterious Friday night fire alarms. I was also thrilled to meet the fabulous Katie Moussouris @K8em0 in her Karaoke attire.

But there is nothing like that moment when you actually meet a friend you’ve only known online. For me that was Sarah Clarke @s_clarke22 @infospectives, who came all the way from Britain.  You can read her witty account of ShmooCon here on her blog Infospectives, and I highly recommend reading her regularly.  And then there is the joy of reconnecting with those you already know, like @fl3uryz, @theSweetKat, @snoww, @mzbat and so many more. ❤ to you all. For me, one of the best rewards came when introducing extraordinary people to each other, and facilitating those conversations that would spark ideas, launch projects, and encourage change. This is why we Shmoo.



With so many great moments to share, here are some of my favourites:

  • Playing Cards Against Humanity with @da_667. You haven’t lived til you do
  • Being swung around the dance floor by @bigendiansmalls – who knew!
  • Having Georgia Weidman @georgiaweidman sign my copy of her Pentesting book
  • Meeting up with @maliciouslink and enjoying a great lockpick session.
  • Saturday night Lobbycon pizza from a mysterious benefactor
  • Enjoying the creative force who is Tarah Wheeler Von Vlack @tarah at play
  • A wonderful celebration of Rance @revrance, filling the lobby with his spirit and our voices

At con, there is no bedtime. I’ll have memories that last a lifetime from staying up to listen and learn from @ihackedwhat, @ussjoin, @steveD3 and @viss.  Oh the things you can do with Windows XP.

There were, of course, outstanding talks.  Fire Talks are always great, and the line-up this year featured a good mix of new voices and heavy hitters. First timer Wendy Knox Everette @wendyck came to win, but I have to admit my bias for @da_667’s gift for storytelling.

Jesse Irwin shared her distinctive wit and wisdom on bringing non-tech users in. I caught an excellent panel discussion, “You Ain’t Seen Nothing Yet: New Paradigms for Policy, Regulation, and Community Engagement” addressing some of the hot-button issues we all love to hate when it comes to government and cyber.  Kristin Paget brought her creative brilliance to preventing RFID tags from being read in “Be Free, Little GuardBunny”.  And “Attack on Titans: A Survey of New Attacks Against Big Data and Machine Learning” by Andrew Ruef and Rock Stevens explored another attack vector on our ever-increasing and vulnerable data.

I’m truly grateful I got to see Andrew Kallat @lerg’s talk, “Online No One Knows Your Dead”.  I love the rapid fire banter between Andrew and Jerry on their Defensive Security podcast, but this talk was different. It addressed the unimaginable issues of putting our digital affairs in order when we’re overcome by grief and loss. There were hard lessons offered through the poignant retelling of a real-life story. Thank you to Beth for being both brave and generous enough to share her experience.

Something I heard mentioned often was “Imposter Syndrome.  The term was created in 1978 by clinical psychologists Dr. Pauline Clance and Suzanne Imes, “referring to high-achieving individuals marked by an inability to internalize their accomplishments and a persistent fear of being exposed as a fraud.” Ironically, a good many of us feel just this way. I know I do – I’m no hacker. I don’t have a comp sci degree, or any tech degree. But as we exchanged stories over drinks in Lobbycon, it was reassuring to learn I wasn’t alone in my convoluted path to InfoSec. The truth is that the diversity of our backgrounds and experiences is what makes our community so strong and vibrant. We all belong here; we all have a meaningful contribution to make.


And that led to the Saturday night community building sessions. We pulled up more chairs as people joined, to talk openly about diversity, gender issues, learning styles. How to make first-timers and those new to InfoSec feel welcome. Here are some of the great ideas by an enthusiastic group of great people:

  • Create opportunities, like scholarships, to help more people get to these cons
  • Have ice-breaker events to help n00bs meet more of the community faster
  • Have a welcome/orientation event for con first-timers so they don’t feel overwhelmed and miss things.

In the end, it isn’t about the actual events like parties and talks so much as it is the overall experience and what we come away with. What matters is how Shmoo, and other smaller cons, are more personal; they encourage us to open up and share in a very relaxed and welcoming environment. Shmoo feels like family. For some of us, however, our families haven’t been there. Support and acceptance enable us to pursue our aspirations and to be confident in ourselves.  In my experience, InfoSec is a haven, and a home, because this community takes care of its own.  And that made this con very personal for me. Thanks to the kindness and generosity of good friends, I was able to attend Shmoo. You know I’ll be paying it forward, finding ways to bring people here, to learn, grow, and share with family. A reverent ‘Thank You’ to Heidi and Bruce Potter, and to their fantastic team who made it happen. Shmoo all the things!

Embracing the Shadow – wait! What?

Let me share a few more thoughts about Shadow IT with you as we head into 2016. The good folks at AlienVault were kind enough to ask, and let’s just say that we don’t expect the Shadow to fade anytime soon…


There was a time when the IT security lords ruled. Mere mortals only had whatever devices and access they were issued. Companies had “standards” and if you wanted something it had to exist on the approved equipment list. But decisions took time and the lines of business didn’t always get the answer they wanted. Regulating tech was getting in the way of getting stuff done. Security had become an inconvenience.

It was easier to regulate things back then, when there were fewer things. The available tech was enough to get the job done. But that’s the thing. Tech is always evolving, to meet the demands for faster, better, more. And how do you do more better and faster? Shadow IT and Shadow Data.

Welcome to GenMobile, “a flexible, transparent and collaborative presence, ” which actually means folks who don’t follow the rules. Yes, Houston, we have a problem and it’s called self-service IT. Guess what percentage of workers are doing it for themselves? Aruba Networks cites 77%. Hello Shadow.

Be afraid. Be very afraid. Because we can’t see all the stuff, all the time. Easy-to-use devices are everywhere, creating an unprecedented level of end user entitlement. And a little knowledge has become a very dangerous thing by letting people “help themselves” to data and network access.

So what do you do when employees make independent decisions about devices, data storage and transmission? Accept it? Regulate it? Or ban it? Because “keep it secret” definitely does not keep IT safe.

No Idea What They’re Using, No Idea What They’re Losing

We need to start by getting our head in the cloud. Ah, the Cloud. It’s the solution to everything: storage, countless productivity applications, Office 365, Google Docs. Face it. Cloud is accessible anytime, anyplace, anywhere, anywhen. But the truth hurts:

  • 15x more cloud services are used to store critical data than CIOs have authorized
  • IT says 51 active cloud services. Survey says 730
  • Use growing exponentially
  • 1000 external services per company by 2016
  • 30% of business critical info is in the cloud

Here’s where we worry: The combination of Insider Threat plus Shadow IT. What if the interfaces and APIs with which users interact aren’t secure? Attackers are actively searching for these types of vulnerabilities to exploit them. And how do you protect against what you don’t know, because there’s a whole lotta activity going on up there unreported.

Shadow as the New Norm?

What if I said to you Shadow IT isn’t going away. In fact, it’s being heralded as the new norm, the way work is going to get done. Ponemon Institute reports an average of 50% of cloud services are deployed by departments other than corporate IT. And an average of 44% of corporate data stored in the cloud is neither managed not controlled by the IT department. Control over network infrastructure and physical hardware like firewalls is supposed to be the realm of the IT folks in charge of securing proprietary data. But the cloud has a way of making things go all fuzzy.

Twelve years ago technology spending outside of IT was 20 percent of total technology spending. But according to the experts at Gartner, it will become almost 90 percent by the end of the decade. At the Gartner Symposium in Orlando in June this year, the new attitude toward Shadow IT was this: “to empower their organizations to innovate, grow, and succeed, IT departments must embrace and manage this phenomenon.”

Hank Marquis, research director at Gartner, declared:

“Shadow IT looks a lot more scary than it is. Shadow IT is the future happening today. It’s called innovation. It’s happening in the edges where we don’t deliver the solutions. You might not agree with it but you should think that way. You’re not going to stop shadow IT. It’s not going to go away. You’re not going to suppress it. You might as well embrace it, leverage it, use it.”

His is not the only voice out there with that message. Jeanne Ross, Research Director and Principal Research Scientist, Center for Information Systems Research, MIT Sloan School of Management expressed similar sentiments in the HP Enterprise blog for December 10, entitled “Why Smart Companies are Embracing Shadow IT.” She talks about how business is using “demand shaping”, where companies identify their most “valuable and achievable business –change opportunities”, and then use this to select those projects best suited to invest IT dollars in. As for those rejected projects that would find their way into Shadow IT:

“This all comes down to relationships, and to the right conversations happening between people at all levels of IT and business. But if mutual respect exists between IT architects and program managers and their counterparts within the business units, demand shaping and shadow IT can forge an extraordinarily productive partnership.” Read more.

And then world peace can happen?

Ed Macnair, CEO, CensorNet, weighs in with this. “There is a case here for innovation versus risk. By allowing shadow IT, new solutions that will benefit the wider business can be found. However, shadow IT is a security nightmare as those members of staff who are likely to use their own solutions will inherently be from the generation of risk takers and will therefore be less concerned by the need for all encompassing security measures.”

The Innovation Trade Off

The recommendation by Gartner is that Shadow IT not be contained but encouraged and allowedwithin established boundaries to abide by existing compliance, regulatory and security rules. Innovation without peril. Even better, it’s a more prevalent and well-understood aspect of technology management among companies, and leaders might want to take a completely different approach to handling this matter.

As illustrated by IDC Senior Research Analyst Mark Yates, employees are operating with tacit permission, making their own decisions, and nobody is in control. The business environment has become a “Wild West.” Entitlement and empowerment are enabling employees to fake compliance and use what they want.

Simon Mingay, Vice President of Research, Gartner Inc., drives the point home. “For most IT organizations, resistance is futile. Better to embrace it and acknowledge that employee IT and digital skills in the increasingly digital workplace are an opportunity to innovate and create more value from IT and digital investments.”

And there we have the corporate buy-in. Lower IT costs, increased flexibility, speedier task completion and less interference from IT. Yes, it is being echoed from suite to suite. Because innovation leads to profit. But at what price to security?

A New Hope for The Phantom Menace?

Again, there is a collective chorus on the new approach to take. There need to be guidelines and boundaries to help corral Shadow IT without driving it completely underground and out of scope. Mingay advised “bring shadow IT out of the shadows, make it transparent, provide services that support it.” He advocates “Rather than try to eradicate shadow IT, let’s rename it “dispersed IT,” since everyone has a piece of it.” Frank discussions need to happen to identify why Shadow IT is happening, and those users and business units engaging most heavily identified and consulted. Why are existing policies and rules being circumvented when the consequences are known?

Is it possible to construct a mutually viable arrangement whereby IT can assume the role of broker, an intermediary between users and their apps? Gartner recommends IT organizations engage the business as a partner, and ask senior executives what they think IT’s role should be. And the conversation should extend to outliers and users not operating within the daily confines. Marquis reiterates points we’ve all been saying, like the importance of having visible support from the top execs. Of great importance is IT collaborating efficiently with audit and asset management to ensure compliance.

Clearly, the game has changed and there’s no going back. We have to shift gears, project from the rapid developments of Cloud, Everything as a service, and Big Data. It’s going to mean moving out of our comfort zone to get a better handle on what people really need and want. Buy-in comes when we show the CSuites how security is the strategic partner to help them move toward innovation. It’s a different terrain, but we’ve still got to run it faster, better than the guys who are out there waiting, counting on what our end users will do and the rules they won’t follow.

Thanks for reading!


BSidesTO: Bringing IT Home

In my first year of security cons, and sharing them with the world, it means a lot to pen this tribute to BSidesTO, the one in my hometown. Hitting its stride in its third year, tickets sold out in advance, there was an excellent roster of speakers, and I was thrilled to be selected.

Let me start with kudos and congratulations to the small but powerful organizing team who put together a terrific event and made themselves readily available.  The venue was packed with an appreciative audience of over 160 security folk who engaged each of the speakers in lively question and answer sessions following their talks.  And yes, there was such a thing as a free lunch, which was served up with smiles by the BSidesTO team. They even arranged a movie to end the session, for those not already engaged in the post-con convos. If anything went awry, it wasn’t evident.


Given that our space was full to bursting, and that Toronto is Canada’s largest city, and one of the largest cities in North America, I think it’s time we had a major hacker con, along the lines of ShmooCon, GrrCon, or DerbyCon. Because it isn’t a corporate event, BSides has that potential, and has established itself as a much-loved, homegrown series of security cons that started in the US and have been spreading because of the community they build and the innovation and exploration they encourage.  It’s where the security community shares their hacks to learn, to improve, and to make the world a safer place. I really look forward to participating again next year, and to getting involved.


Unfortunately, that isn’t always how hacking is perceived. This past year brought us the short-sighted Wassenaar agreement, which would penalize those who hack to protect, and several governments working to ban encryption. But someone has to scrutinize the ever-growing devices added to the Internet of Things; to dissect the code that builds the websites we are all accessing. Decision makers need us to give them regular reminders that hackers watch over all the connections we make, and that they serve as our early warning security system.

Which is why having a local BSides really matters – it fosters the free exchange of ideas and supports this community in their varied approaches to security. Because as the impact of breaches continues to increase, and average users discover the extent of their vulnerability online, the world needs to know that hackers are here – for good.

Digital Literacy: Reading Between the Lines

The great folks at Tech Soup Canada host a monthly series of talks, Tech Tuesday, and they recently invited me to share what I know about “Digital Literacy”.  Little did I realize what I’d actually taken on. Digital Literacy isn’t just one tidy little topic. It’s actually a bunch of concepts, interwoven and far-reaching. Confused? You should be. I was.  Which instantly galvanized me to distill a meaningful definition without diluting the impact of all the contributing factors as shown below:

Because Digital Literacy really means multiple literacies. So what we should fully appreciate is that it goes far beyond simply being able to use the technology, but also entails:

“The ability to locate, organize, understand, evaluate and analyze information using digital technology”. Wikepedia

I also very much liked this definition of what it wasn’t:

“Digital literacy is not simply a means by which we consume ever-increasing amounts of data and information, but a critical and creative means of interacting with the world.” Matt Dean

I’ll break it down to 3 core competencies:

USE: do we know how to use the range of technology available to us? And that’s a whole lot of devices

UNDERSTAND:  can we comprehend the information, put it into context? More importantly, can we critically evaluate it? 2 words kept coming up when I did the research: Critical Thinking.

CREATE: Can we produce content, and then successfully communicate and share that content using the tools available?  Content isn’t just words on a page. It’s graphic, visually impactive. It’s audio. It’s sensory.

Another big question raised repeatedly: What can you contribute to the online conversations that is unique? Websites, memes, infographics, blogs, videos and anything beyond that.


It’s all well and good to be familiar with the tech available and know how to use it. But baby, baby it’s a wide world out there and not everyone has the same techno advantages. Yes, I’m talking disparity aka known as “The Digital Divide.”  One of the caveats I learned when researching Digital Literacy is that freedom of expression comes with digital constraints.

Being digitally literate requires that we understand our responsibility for accurately and safely curating and disseminating information. Think on that for a moment. Then think about our kids, in schools everywhere, and how they are actively engaging in online media as part of their curriculum.  It would be nice to think there is a level playing field out there, especially when it comes to our kids in the classroom, but that’s far from the reality.  According to CBC Tech columnist Jesse Hirsch, it’s “a pressing social issue.”

“The digital divide is a problem that goes beyond schools that needs to be closed not just with social policies but with the technology industry making sure their products are affordable.”

And this matters vis a vis Digital Literacy because it’s how we learn; how we engage; and how we work.

“Individual freedom and creativity, and societal and economic development, are becoming dependent on a degree of digital literacy.”

But regardless of what devices we use, the key to digital literacy keeps coming back to this:  Critical Thinking.  Just as we critically evaluate print media, we must also critically evaluate digital media. “Don’t believe everything you read” fully applies, especially when it comes to social media. Advertising has morphed along with marketing to target your preferences, and to trace your digital footsteps. It’s all about what we don’t know so I have put together a checklist of things we need to stay safe in our digital communities.

  1. Look for discrepancies, bad grammar, spelling errors.  These are tip-offs that somebody is looking for something you don’t want to give them. Like access or personal information
  2. Don’t follow blindly.  Not everyone is your friend, even on Facebook
  3. Wait! Don’t click that link.  You’ve heard of breaches a lot over this past year. Well, phishing is how many victims get lured in. Malicious code is hidden in that cute attachment of kittens. Or in that website link you were sent. Evaluate!
  4. Malvertising. This is another way the bad guys go looking for easy targets. Many of those online ads actually contain malicious code that can redirect you to a website you never wanted to visit. And the worst is, it will follow you home and help itself to your information.
  5. Sponsored Ads.  Technically, if someone is paid to promote something online, that’s sponsored and it needs to be disclosed. But that isn’t happening. You’d be surprised how they get around it and I’ll talk about that in a moment.
  6. Privacy.  You have a right to your privacy. And your information should be kept private. But the internet is Pandora’s box. Once it’s out there, it’s out there for good and you no longer have control over it. Be very selective about what you sign up for and what you choose to reveal. Select All isn’t always the right answer.

This matters for everyone, but in particular it matters to our kids. This generation is growing up with technology in the classroom, at home, at play.  The onus is on us, as their parents, to understand what they can and will be exposed to.  Which is no small feat especially regarding privacy issues.  The collection of personal information online has become commonplace, and is still done without our knowledge or consent.

Read through privacy statements to see how this works. An example comes from Lucid Press, who make a free design and publication app to integrate with Google Classroom.  They encourage educators to sign up for a free educational upgrade and accounts for all their students. According to the privacy statement for Lucid Press:


Now, we  know these aren’t the cookies that you dunk in milk.  But what about web beacons or pixel tracking technology?  A web beacon is typically a transparent graphic image (usually 1 pixel x 1 pixel) that is placed on a site or in an email. The use of a web beacon allows the site to record the simple actions of the user opening the page that contains the beacon. Because web beacons are the same as any other content request included in the recipe for a web page, you cannot opt out or refuse them. However, where they are used in conjunction with cookies they can be rendered ineffective by either opting out of cookies or by changing the cookie settings in your browser. This is from the site “All About Cookies”  a free resource to help marketers and consumers understand the issues surrounding the use of cookies.

If I’ve made you stop and think, then this blog has served a purpose. Hopefully, I’ve given you answers to some questions, and prompted some questions you will now try to find answers for. To help you in that quest, these are some online resources you can look into:

As always, really glad you stopped by and thanks for reading!

Always Watch for the Dark Horse: Brazil Enters the Cybercrime Ring

We’ve seen it happen in horse races and elections.  Two well-known hot contenders go neck and neck. Everyone is so completely focused on the two leads that no one sees the dark horse come charging up the middle. Until it’s already there.

In the murky waters of deepweb cybercrime, that dark horse is Brazil.  China and Russia may be attribution’s favourite poster twins but we cannot afford to lose sight of other, future contenders. “Nobody saw it coming” are the wrong words to hear when dealing with cybersecurity. And over the past year, breach after massive breach has shown that, despite our best efforts, we can’t seem to stay ahead of the curve. It isn’t just about the threats and attacks, but about who and why. We really need to know our adversaries. Brazil is the new kid on the block, and he’s big.


As early as 2011, InsightCrime was reporting a surge in cybercrime out of Latin America. What country did they identify at the epicenter? Brazil.  Both Norton’s Cybercrime Report and Symantec’s Intelligence Reports for 2011 put Brazil in that same top spot. Fast forward to July 2014.  Purported as what could be the largest electronic theft ever reported, a cybercrime op was discovered by RSA security. Approximately $3.9 billion was stolen through  “Boleto Bancario”. That catapulted Brazil into the headlines, establishing what had been building steadily yet unnoticed and unchecked for three years, since 2011.

The unnerving truth about cybercrime is that a lot can happen in just a very short time.  Which is why Brazil should have registered earlier on threat radar. The country is a perfect storm for cybercrime. The stats speak volumes. Per Kaspersky, Internet users in Brazil are the most targeted by cybercriminals in Latin America. Out of 400 million incidents logged over a period in 2015, 31% affected Brazil versus 21% in Mexico, Peru, Colombia and Venezuela.  There has been a drastic increase in new users corresponding with an increase in malicious activity of 197% between 2014-2015. This relates directly to the fact that users have no idea of what they should be doing to stay safe.  Avast reports that 65% of wireless network routers still used the default ID and password.  Symantec showed that in 2013 61% of adults connected to unsecured and public wireless.  And what about the fact that Brazil has the highest internet penetration for the region?  Or that Brazil is going through some economic turmoil, which means cuts, and that includes cuts to security.

How does that play out in a country where there is no requirement to disclose any information about breaches? Apparently, not well. At least 75% of those who use the internet in Brazil have been victims of online crime. Brazil passed its first cybercrime law in 2012, but that proved to be ineffective and inefficient.  Penalties are little more than a slap on the wrist, with house arrests or fines being levied. The lack of staff and lack of funding further limit any real action.  And here’s the kicker:  there is no law currently in place to protect personal information. That means – wait for it – that this info, this PII we fight so hard to protect, can be sold or given to anyone in Brazil, legitimate or criminal, with no repercussions.

PandaLabs Report Q1 2015 Infection rates

PandaLabs Report Q1 2015 Infection rates

According to Juan Andres Guerrero, senior security researcher with Kaspersky Labs:

“As far as global fraud is concerned Brazil is almost exclusively at the top …They are fantastically creative …Brazil actually takes an inordinate amount of time [to monitor] because of the amount of malware, the amount of schemes. They are constantly creating these phishing campaigns. They are incredibly elaborate.”

Brazil is a nation plugged in and online banking reigns supreme, at 41% of all transactions, according toe Trend Micro’s white paper from 2014 “The Brazilian Underground Market:  The Market for Cybercriminal Wannabes.”  One of Brazil’s better-known exports are banking trojans, perfected for the “Boleto” payment system there.  malware changes the bar codes on the boletos to redirect payments to attackers.  DNS poisoning is also employed to redirect users. Fake browser windows scoop credentials that are keyed in. Malicious browser extensions capture personal data and send it off to attackers.  That bestowed upon Brazil the dubious ranking of second worldwide for online banking malware infections, and almost 9% of global malware infected systems.


From Trend Micro white paper “The Brazilian Underground Market” 2014

William Beer, Managing Director of Cybersecurity at Alvarez & Marsal, told ZDNet

“There is a lack of focus on cybersecurity both in the public and private sector. Senior executives at organizations don’t really see that as a priority.”

High internet penetration rate, high credit card penetration rate, high user base unaware of good security practices, and a unique banking payment system based on “boletos” have set Brazil apart by creating a cybercrime training ground that’s open for business.  For the entry level fee of $579 US, wannabe cybercriminals can learn fraud training, FUD crypter programming, trojan coding. Like its peers, Brazil offers the same range of choices as China and Russia. And in the true spirit of staying competitive, the price of crimeware and service offerings in Brazil has steadily gone down since 2011. But wait – there’s more! They’ve been very good at evading security researchers and law enforcement.

It doesn’t bode well when the criminals openly use social media to flaunt and advertise their business.  Whereas cybercrime tends to opt for obscure channels to remain untraceable, the Brazilians are all over Facebook, YouTube, Twitter and WhatsApp to communicate and organize their lives and their business.  And why shouldn’t they, in a country where the gains far outweigh the risks. All of which makes Brazil very appealing, and very much the dark horse threat we should have been watching for.