Thursday, December 21, 2017

The Sound Of Music

Okay, so I can’t let this one go. I know I’m way late to the game on this since I wasn’t able to blog about it when it happened. One of my big takeaways from the Equifax hack is that we still have a long way to go in the information security community in educating the public and the media about who we are, particularly as it pertains to the digital forensics and incident response world. 

What spun me up this time wasn’t the predictable post-incident speculative blamestorming and vendor preening. I suspect most of us have long since grown numb to self-appointed information security experts trying to bring attention to themselves by speculating on things they don’t have much knowledge or credibility to speak on.

What vexed me about the post-game analysis on this one was the freak out in regards to Equifax’s Chief Security Officer having a - gasp - music degree.  Not to put too fine a point on it, but questioning someone’s qualifications in the information security world because they don’t have a technical degree is flaming nonsense on stilts.  There are tools and knowledge that we use daily in this community that were created and taught to us by people who didn’t have technical degrees or any college degrees at all.  Some of the finest technical people I’ve worked with didn’t have anything more than a high school degree or had college degrees that had nothing to do with technology.  What they did have was a burning passion for information security which drove them to become great at what they did and to contribute to the larger community.  One of the reasons why some of these people don’t have college degrees is because they just didn’t see the point in spending time going into crushing debt while languishing in general elective classes on Babylonian astrology while they could be teaching themselves skills like networking, coding, and how operating systems worked.

That isn’t to say that we haven’t gained an immense amount from people in our community who have highly technical degrees.  People whose last names I don’t need to use such as Harlan, Lenny, and Kristinn all have engineering degrees and we’re all the better for their academic backgrounds and their contributions when it comes to education and tools. 

I’m all about people who are passionate about getting into digital forensics and information security taking advantage of all of the various academic paths and options they have available these days.  With the increased demand for information security talent, we’ve seen plenty of quality purpose built information security degree programs in addition to the traditional degree programs in computer science, electrical engineering, computer engineering, and the like.  If you are interested in getting into fields like information security or digital forensics, you’ve got many more options than I ever did.  You’re only limited by your imagination and debt management.

Speaking of technical degrees, I think one of the things that really rubbed me the wrong way on this was the lack of understanding on what a long, hard slog a music degree is for someone to complete.  I don’t think music degrees are considered STEM degrees, but completing one tells me that your brain is formatted for working in technology because of all of the analytical work you had to do for the degree.  I remember back in the 1990s when employers were desperate for technical employees and hiring anyone with a Microsoft certification.  The employers in my area figured out that music majors made for awesome technical hires and started to actively recruit people with these degrees.

Even the United States Navy has gotten into the act.  It doesn’t surprise me at all that in 2016, they accepted someone with a music composition degree to their highly selective Navy Nuclear Propulsion Officer Program.  This is a program where the Navy seeks out the best and brightest people early in their college careers to get them onto the path of joining the nuclear portion of the United States Navy.

So, what is the takeaway for us? Be sullen and angry when the media gets it wrong? Nope. We need to be happy information security warriors and realize that when this sort of thing happens, we have to use it as an opportunity to educate others about our community and all of the wonderful people with diverse interests, abilities, and career paths who make it great.

Sunday, December 10, 2017

The Glaring Omission in Your Incident Response Planning

Chances are excellent that your incident response plan has a glaring omission in regards to one of the most critical aspects of success during an incident.

There has been an immense amount of time and treasure expended on what a proper incident response plan should look like.  Just throw “incident response plan” into your favorite search engine and you’ll get pages and pages of content. You’ll see all sorts of advice on how the various steps and phases of an incident response plan should play out and quite a bit of thought being put into things such as collecting contact information, identifying stakeholders and roles, inventory of tools to be used, determining secure communication methods (because you’re assuming the baddies got into your email servers early and often), and the like.  Great stuff.

Does any of your plan talk about how to take care of your people during a major incident? I’m talking about those incidents that are measured in weeks or months, where it’s an all-hands-to-the-pump, 24/7 response for days or weeks at a stretch.  Once these incidents kick off, it’s too late for the preparation stage.  It’s show time and there is an immense amount of stress on the whole team, whether it’s the CISO who is constantly being asked for updates by senior executives who are seeing their career dissipation lights cranked up to about a quarter million lumens or the lowest level incident responder who is cranking out digital forensic images or poring through network logs.

An incident response plan for major incident responses isn’t fit for purpose unless it addresses how your incident responders (your border collies) will be fed, watered, and rested. An organization should have a catering plan in place before an incident so that it can start getting a steady stream of food and drink to the people who are going to be putting in an immense number of hours around the clock getting things under control.

If it’s a large organization (or a really nice start-up in Palo Alto) chances are excellent that there is already an on-site cafeteria for employees that probably offers on-site catering services.  The incident response plan should specify how to engage those people and who the points of contact are.  You’re also going to want to talk to them before an incident to make sure that you can get food to cover a long-term, around-the-clock response.

If you don’t have anything on-site, you’re going to want to identify several external catering options and understand how to engage them on short notice for an extended response and to understand how scalable their services are since you might be feeding a very large team.  Their contact information, billing methods, and the like should be part of your incident response plan. You also need to discuss with your catering providers the menu options available before an incident. It’s important to give your people healthy food during an incident to keep them going.  Just saying you are going to order a steady stream of pizza from the take-out place down the road for weeks on end isn’t a great option.  You want to give your people some healthy options to keep them fueled up, feeling good, and ready to chase bad guys out of your network. 

You also want to make sure you are providing your people with a variety of non-caffeinated drink options in addition to the endless gallons of caffeinated sugar water or energy drinks that fuel most major incident responses.  

Keep in mind that you are going to be feeding not only your employees, but any consultants that parachute in to help you out of your bind.  There is a lot of dietary diversity these days, so you’ll want to make sure you have options for people who need them due to medical, religious, or cultural reasons.  Popular options include vegetarian and gluten-free diets, which works out well because you can get fantastic stuff that complies with either and that everyone will enjoy.

The other thing that needs to be covered is transportation for your people.  Drowsy driving is a thing and it’s a thing you want nothing to do with during an incident.  Ride sharing services have made this much easier especially in major metropolitan areas.  The goal is to make sure you can get your people safely and efficiently back and forth between home (or the hotel rooms they are calling home during the incident) and work. Most of your people will be driving into work, but if they are too tired to drive because they ended up working a day or more in a row without sleep, it’s probably not a great idea to let them drive home and your plan should address that fact.

Which reminds me of an important point. If you are having people staying up for days on end, you’re very likely understaffed for your incident and you need to fix that quickly or you’re asking for more problems.  My general rule is that I don’t do forensics after ten hours because my chances for mistakes go up dramatically.  I’ve lost count of the number of times that I struggled with something during a forensic exam at the end of a very long day only to solve the issue in the first fifteen minutes of being back in the office after getting some sleep.

As always, the keys to success are people, processes, and tools and your incident planning should reflect that fact. 

Thursday, December 7, 2017

Blockchains, Bubbles, and You

One of my technology interests is blockchain technology and how it will integrate itself into the world’s financial system. We’re still in the wild, wild west stage of the technology, but it’s not a matter of whether blockchain will be part of the future of finance – and therefore financial crime – but how it will manifest itself as the technology matures and becomes more widely understood and accepted by the general public. I started out as being deeply skeptical and borderline hostile to the idea of cryptocurrency, but I’ve long since come around.

We are already seeing how Bitcoin has been used for criminal transactions such as B2B-type transactions in the underground economy, good old-fashioned money laundering, or victims paying the ransom in ransomware scams.

Let me just start off with an acknowledgement that blockchain technology has many uses beyond payments.  There are nigh-endless possibilities on what can be done with a distributed ledger system well beyond exchanging payments, and that is one of the reasons we’re seeing so much energy and funding being poured into the technology. I’m planning on devoting some future blog posts to explaining how blockchains are being used in innovative ways that aren’t just about exchanging payments and storing value.

If you read this blog in the past, you know that I like doing interviews.  I plan on starting them up again when I get the readership levels back to where I had them before I had to stop blogging. I’m basically starting from ground zero, so I suspect this blog post is being read by, at most, a half dozen people and I don’t want to have an interview subject spend time on an interview that will be read by almost no one.  Thus, I’m going to just interview myself for a bit because it’s my blog and I can do weird things like that.

What is blockchain technology?

Great question, but one that I can’t answer better than what has already been done by others.  Head on over to Coin Center and read their excellent starter.  Take your time and click around the site while you are there. I’ll wait. You’re back? Excellent! 

We’re talking about Bitcoin, right?

Bitcoin is “just” one of over 1,300 blockchains as I write this. That said, Bitcoin is the belle of the ball when it comes to media coverage, cryptocurrency advocacy, and public attention because it’s the blockchain that kicked this all off and because, as I write this, it has experienced a dramatic recent increase in its value. It has immense first mover advantage since it was the first to market and opened the minds of many to the possibilities of what can be done with a distributed ledger system. 

What exactly are we talking about? You’ve used the terms “blockchain”, “distributed ledger”, and now you just injected the term “cryptocurrency” into this.

It’s confusing, isn’t it?  I don’t think we’ve settled the language aspect of this yet, so I think we’ll see some language standardization as the technology continues to develop and gain public acceptance. I suspect it will be much like the terms “APT” and “Cyber” in that it’s cute that the people who are deeply involved in a particular aspect of technology have an opinion on the terminology, but it’s the media and popular culture that will eventually define the language. 

The word blockchain is a good example.  The original white paper for Bitcoin used the term “Block Chain”, but the language evolved where it’s now one word.  Blockchain is one of the underlying technologies of cryptocurrencies like Bitcoin.

The Wikipedia entry on blockchain is useful.  It states:

A blockchain – originally block chain – is a continuously growing list of records, called blocks, which are linked and secured using cryptography. Each block typically contains a hash pointer as a link to a previous block, a timestamp and transaction data. By design, blockchains are inherently resistant to modification of the data. Harvard Business Review defines it as "an open, distributed ledger that can record transactions between two parties efficiently and in a verifiable and permanent way."

Blockchain is how you get a distributed ledger system, which is why I tend to just use the word “Blockchain” when I write about this sort of thing.
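To make the hash-pointer linkage in the quoted definition concrete, here is a small added example (my own Python, not code from this post or from any real blockchain): each block's hash covers its contents and the previous block's hash, a verifier walks the chain checking both, and two constructed tampering attempts show where the check fails. The block fields, sample transfers and timestamps are all constructed for the illustration.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import List, Tuple

GENESIS_PREV_HASH = "0" * 64  # constructed sentinel for the first block


@dataclass
class Block:
    index: int
    timestamp: int            # constructed fixed values keep the example deterministic
    transactions: List[dict]  # the block's transaction data
    prev_hash: str            # the "hash pointer" to the previous block
    hash: str = ""

    def compute_hash(self) -> str:
        # The hash covers every field except the stored hash itself, so changing
        # any field (including prev_hash) changes the block's own hash.
        payload = {
            "index": self.index,
            "timestamp": self.timestamp,
            "transactions": self.transactions,
            "prev_hash": self.prev_hash,
        }
        serialized = json.dumps(payload, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(serialized.encode("utf-8")).hexdigest()


def append_block(chain: List[Block], transactions: List[dict], timestamp: int) -> Block:
    prev_hash = chain[-1].hash if chain else GENESIS_PREV_HASH
    block = Block(len(chain), timestamp, transactions, prev_hash)
    block.hash = block.compute_hash()
    chain.append(block)
    return block


def verify_chain(chain: List[Block]) -> Tuple[bool, int]:
    """Return (ok, index of the first inconsistent block), with -1 when all are consistent."""
    for i, block in enumerate(chain):
        if block.hash != block.compute_hash():
            return False, i  # contents no longer match the block's stored hash
        expected_prev = chain[i - 1].hash if i > 0 else GENESIS_PREV_HASH
        if block.prev_hash != expected_prev:
            return False, i  # hash pointer no longer points at the real predecessor
    return True, -1


def build_sample_chain() -> List[Block]:
    # Constructed sample ledger: three blocks of made-up transfers.
    chain: List[Block] = []
    append_block(chain, [{"from": "alice", "to": "bob", "amount": 5}], 1512600000)
    append_block(chain, [{"from": "bob", "to": "carol", "amount": 2}], 1512600600)
    append_block(chain, [{"from": "carol", "to": "alice", "amount": 1}], 1512601200)
    return chain


def tamper_demo() -> Tuple[int, int]:
    """Alter block 1 two ways; return the block index where verification first fails."""
    chain = build_sample_chain()
    chain[1].transactions[0]["amount"] = 200      # naive edit, stored hash left alone
    _, naive_fail = verify_chain(chain)           # caught at block 1 itself

    chain = build_sample_chain()
    chain[1].transactions[0]["amount"] = 200
    chain[1].hash = chain[1].compute_hash()       # attacker also re-hashes block 1 ...
    _, rehash_fail = verify_chain(chain)          # ... but block 2's pointer now dangles
    return naive_fail, rehash_fail
```

Re-hashing every later block as well would make a single copy verify again, which is why the "distributed" part of a distributed ledger matters: other holders of the chain still have the original hashes, and Bitcoin additionally makes each re-hash expensive through proof of work.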

What I tend to stay away from unless I’m specifically writing about the currency related blockchains is the term “cryptocurrency”.   Wikipedia to the rescue again on this term.  The entry for cryptocurrency states:

A cryptocurrency (or crypto currency) is a digital asset designed to work as a medium of exchange using cryptography to secure the transactions, to control the creation of additional units, and to verify the transfer of assets. Cryptocurrencies are classified as a subset of digital currencies and are also classified as a subset of alternative currencies and virtual currencies.

I tend not to use the term cryptocurrency unless I’m talking about a particular blockchain such as Bitcoin that is focused on acting as currency, because there are so many different use cases for blockchains. That’s not to say that it’s inaccurate to use the term for those blockchains, and that’s why I’m curious to see how the language plays out in the end.  Ultimately, I’ll just adopt the terminology that ends up being established because I’ve long since given up swimming upstream against the language on these types of things.

Why should I care about any of this?

Back when dinosaurs roamed the earth and I was a recruit in a police academy, our physical fitness instructor told us that as soon as we signed up to be police officers, we lost the right to be physically unfit.  It’s the same thing with the situation with blockchains and crime.  If you are involved in the investigation of financial and/or computer crime, you’ve lost the right to be ignorant of this technology.

The burden of being good at what we do when it comes to law enforcement or information security is that we have to keep up on current and future trends; otherwise we will become increasingly less effective at our jobs, which makes us less valuable to our employers, whether that’s a private entity or a law enforcement agency.

Fine. I care! I care! What’s the story with Bitcoin?

It’s the ground zero blockchain that kicked this all off.  Its primary focus is to act as a cryptocurrency and it has captured the imagination of countless people who are either still working on making Bitcoin better or have moved onto other blockchain projects.

Why has it increased in value so much so quickly?

Bitcoin is a nifty new digital currency technology, but the rules of economics still apply to everything. Bitcoins are increasingly scarce because it’s become increasingly difficult to mine them, and scarcity is built into the system.  Demand is driving a price increase.

The bad news is that part of the increase is a bubble. In fact, I think most of what we’re seeing right now is an old-fashioned bubble that will eventually burst in a pretty spectacular and healthy manner. The media attention of the sharp valuation increase is driving people into purchasing bitcoin who have no earthly idea what they are buying.

In other words, I think we have quite a bit of the greater fool theory going on right now.

What’s so healthy about a bubble bursting?

We’re in the very early stages of blockchain development and I think we’ll see blockchain mirror what we saw with the dot-com era where we have an immense amount of money, creativity, and, frankly, irrational hype mixing to get things moving. We’ll experience all of the talk about how this time things are different and the rules of economics don’t apply to technology right up until we have a massive bursting of the bubble.  The bubble bursting will result in marginal projects being swept away and a more mature approach that will drive capital and creativity into more viable projects.

We’re in the infrastructure stage of blockchain development, where even the big names such as Bitcoin and Ethereum are still struggling with issues such as control, scale, and how to truly become decentralized projects.  It’s an exciting time, but it’s also incredibly volatile and speculative. 

So should I be investing in blockchains?


Sorry, that was rude.

Seriously, I don’t give investment advice and what you shouldn’t be doing is taking investment advice from some random blogger on the Internet.

I will tell you my personal approach to blockchain investment, which is to not do it.  It’s entirely too volatile of a market right now for someone like me to get involved in.  I’m not even thinking about touching any of this with a 39-and-a-half-foot pole until after the bubble bursts and the market matures.

There are people who are putting money into this space and that’s great because there needs to be capital to spur innovation, but I’m leaving that up to the experienced, sophisticated investors like the various blockchain-focused hedge funds, angel investors, and venture capital outfits who have the capital, risk tolerance, and knowledge (like the ability to review code for the projects they are considering supporting) to make these calls.

There are some great projects that look very promising right now, some that look positively silly and/or mediocre, and some blockchains that are obvious frauds. 

I have a whopping 0.00203115 BTC left over from some research I’ve done recently.  If I add anything more to that position, it’s only because I want to do more research. 

Fine. It’s a bubble.  Who are of the blockchain world?

No idea.  I’m guessing that just like the dot-com era, we’ll see only a few survivors who will go on to thrive and turn into something big like Google.  Most of the 1,300+ blockchains right now aren’t going to amount to much in the end, and that’s just how the market works. 

For example, I doubt we’ll have more than a handful of successful cryptocurrencies once things shake out.   One of the people who I follow closely in this space is Naval Ravikant and I heard him recently speculate that we might end up with someone putting together a successful digital currency option that is based on a basket of cryptocurrencies.  If you have ten cryptocurrencies and one disappears overnight, you’ve only lost a fraction of value rather than everything.

So, I should be doing short selling to exploit this bubble, right?


This is a bubble, but we don’t know how long it will go on, how much capital will flow into it before it bursts, or how a bubble bursting would look. It could be days, months, or years.

Is it just one blockchain like Bitcoin or something more systemic?  Is it one big bubble-bursting event or a rolling series of mini-bubbles? Will we see any bubble re-inflation?

I know I’m not smart enough to know when or how this will go, but it will go.

What blockchains do you find interesting?

Bitcoin, for the obvious reasons that it is the prime blockchain and the cryptocurrency that is getting the most attention from media and investors.  I am a bit of a cautious Bitcoin skeptic over the long haul for reasons I’ll address in a future blog post.

Ethereum is super interesting to me since it’s a platform for decentralized applications fueled by tokens, and that’s caused an immense amount of creativity both in that particular blockchain as well as in many affiliated projects. 

Zcash and Monero are the most interesting cryptocurrencies to me other than Bitcoin at this stage because they have very serious financial and technical backing from various entities.  That’s the stuff of a future blog post also.

Cryptokitties is pretty cool because just reading the website alone is a great way to conceptualize the possibilities of how blockchains can be used in unique ways. Plus, cats.

Bananacoin is another one of those blockchains that shows the possibilities of how the technology can be harnessed as a sort of security. It also poses some interesting questions regarding how blockchains should be regulated.  Are they currencies, commodities, securities, or something else?  Fodder for another blog post down the road, of course.

There are more, but this is a good start if you want to do some reading and research.

Wait. There are fraudulent blockchains?

You’re not allowed to be surprised, but I followed one fraudulent initial coin offering recently that ended up with the fraudsters getting a reasonable amount of money for their efforts before closing up shop.  Bad guys are all about leveraging blockchain, whether it’s just stealing tokens from people or setting up their own evil blockchains in an attempt to con people into giving them money. 

Definitely the stuff of future blog posts. More to come soon!