Crimson Blog

Security Bytes - Issue 5

Written by Jim Tiller | Aug 11, 2022 10:30:29 AM

Jim Tiller is the Chief Information Security Officer at Nash Squared. With over two decades of information security experience, Jim is an internationally recognized cybersecurity authority on cyber risk management, security technology, and industry leadership, and holds multiple patents and recognition for innovation in security solutions.


I feel like these are getting longer. I believe it was Mark Twain who once said, “I didn't have time to write you a short letter, so I wrote you a long one.” It’s a strange place to be: so much to share, but not enough time to write efficiently. I’ll seek to do better moving forward.

OK… in this week’s Security Bytes we find that crypto scammers see us as nothing more than an animal to fatten up and haul to the slaughterhouse; on a positive note, the UK and US strengthen their cyber partnership, which is good for everyone; we look at the age-old debate between privacy and crime; I admittedly pick on the FBI, just a touch (don’t worry, they have thick skin); and finally, I finish it off with a somewhat silly personal story from 20 years ago.


Let’s get started…


-----------------------


Crypto Pig Butchering

Another great investigative article by Brian Krebs on the systemic and rapid growth of a complex crypto investment scam called pig butchering, where it’s estimated that millions have been taken from victims. This is the natural evolution of crypto, frankly. What started out as small scams and scaled to pump-and-dumps (to the tune of billions) has now become sweatshops of human trafficking victims working all day at scamming people, in a relatively well-structured way.


The internet is deeply intertwined with our global social fabric, and the human brain is simply not prepared. Moreover, the tactics, techniques, and procedures (TTPs) have been proven over the decades, from con games to intelligence communities. It’s called “MICE” (Money, Ideology, Coercion, and Ego) and makes up the very basic framework for manipulating someone. Scams of this nature are enabled by technology (the internet and the digitization of currency) and by a refined approach to taking advantage of people’s social-status-driven condition. It’s very difficult to do face-to-face, and that’s why organizations like the Five Eyes look for specific people. But now the obfuscation the internet provides makes it trivial to manipulate people when the method is tuned to who you are.


From a business cybersecurity perspective, this resonates in a few ways. Most notably, there is concern about the wellbeing of employees. We need to provide a work environment that offers support and assistance for what can be a devastating and frankly embarrassing type of attack. Of course, if we don’t ensure we’re offering help, conditions – especially financial ones – can lead to white-collar crime impacting the company and other employees. Finally, we have to recognize that the level of sophistication of even the most basic attacks has far exceeded our innate defense mechanisms. We label such attacks as phishing, but that word doesn’t effectively reflect the massive damage they can cause.


Our vCISO practice can help in a number of different ways. First is ensuring your security awareness training and the like is effective, meaningful, and reflective of today’s professional. Most training is boring, non-engaging, and has no value to the employee as a person and in their lives. Next, technology is and can be an effective defense, but it won’t be unless it is architected meaningfully, and that starts with setting expectations and building a threat-enabled defense program. Lastly, we can help plan, design, implement, and optimize practices that not only inoculate your environment, but ensure it can identify and respond to changing threat dynamics.


(For those whose interest was sparked by MICE, also research RASCLS: Reciprocation, Authority, Scarcity, Commitment and Consistency, Liking, and Social Proof. Makes for good reading. Then read Donn Parker’s Fighting Computer Crime from 1998, and SKRAM: Skills, Knowledge, Resources, Authority, and Motive.)


Links:

Krebs’s must-read article: https://krebsonsecurity.com/2022/07/massive-losses-define-epidemic-of-pig-butchering/

Scams and Trafficking: https://www.vice.com/en/article/n7zb5d/pig-butchering-scam-cambodia-trafficking

Five Eyes: https://www.dni.gov/index.php/ncsc-how-we-work/217-about/organization/icig-pages/2660-icig-fiorc


Peas in a Pod

Despite having our “differences” in the past, the relationship between the US and the UK has been strong. It’s a great partnership that has proven itself many times throughout world history. Much can be learned from the history of partnership activities between our two nations, which sheds interesting light on the US Cybersecurity and Infrastructure Security Agency (CISA) announcement this week about the opening of an office in London. This comes on the heels of other cyber activities, such as the MI5/FBI speech I highlighted in early July.


Of course, we’ve been working together, as with other nations, regarding cyber security, but this is more specific – more tangible. I’m not trying to make a mountain from a molehill, but admittedly I may be grasping at straws. But can you blame me? I’ve been in this rodeo for pushing 3 decades and it’s bad… as in not good… the bad guys are currently winning. So, any dedicated and focused effort on this scale has the potential to be quite productive – time will tell.


From a business perspective, this is a good sign. More emphasis by governments on recognizing that cybercrime is, by its very definition, omnipresent and borderless is a good step. This isn’t as simple as “think globally, act locally”… it’s “act globally”, full stop. Global organizations face a complex array of multinational operational challenges, and cybercrime is one small part of that equation. Governments and agencies engaging with focus act as a resource, even if only to help align information and resources in a cohesive manner.


The key part for companies and especially cybersecurity leaders is having a well-established relationship with law enforcement at every level and in every country. Additionally, familiarize yourself with the sites, tools, and established processes for engaging with law enforcement. Of course, add to your collection of options by reassessing your strategy. Yeah, IR tabletops are good, but what is your overall strategy and, importantly, how are you ensuring it’s updated with the latest processes, standards, and tools that are offered on a global scale?


Links:

CISA Announcement: https://www.cisa.gov/news/2022/07/18/cisa-announces-opening-attache-office-london-uk

MI5 Joint address: https://www.mi5.gov.uk/news/speech-by-mi5-and-fbi


Encryption Versus Child Safety

The UK’s GCHQ puts forward a compelling argument concerning child safety, specifically highlighting sexual abuse, the use of end-to-end encryption and VPNs by criminals to access and share illicit material, and the fact that encryption blocks detection technologies. It’s important to know that several technologies exist to help detect images of this nature, but many providers have disabled them because of the focus on user privacy. The paper proposes more emphasis on client-side detection because much of the content is encrypted in transit and when stored elsewhere.


This is a challenge we face on multiple levels, and it can be boiled down to privacy versus what’s best for society. Of course, this gets quite complicated for a myriad of reasons I clearly don’t need to get into, but we can all agree that child abuse is abhorrent and unacceptable. But we can also all agree that privacy is critically important to digital survivability.


From a business cyber perspective, we have to recognize that not all hacks are about ransomware. There are a lot of reasons to access your systems, most notably resources. In the “old days” it was about bandwidth and botnets (the latter is still mainstream), then storage, and now, with crypto mining, processing power. However, I can recall as far back as the early ’90s helping organizations expunge vast amounts of illicit material that was surreptitiously stored on their systems. It is a reality and something that must be added to your overall security strategy. And, no surprise, this is difficult. Just finding legitimate assets can be difficult, much less encrypted images intentionally hidden. Add cloud computing to this and the advantages tilt even further toward the cybercriminal.


Links:

Article: https://www.theregister.com/2022/07/22/british_encryption_scanning/

Paper: https://arxiv.org/pdf/2207.09506.pdf

Apple: https://www.theregister.com/2021/12/16/apple_deletes_csam_scanning_plan/


Maybe Next Time

This week the FBI and DOJ reported that a seizure warrant filed in May has resulted in the capture of half a million dollars in crypto that was paid by healthcare organizations in Kansas as part of a ransomware attack linked to North Korea. OK, I’m going to be a bit cynical here, but let me say it again – half a million dollars. To put it another way, that’s two-hundredths of a percent of the amount estimated to have been stolen by North Korea. The FBI, as well as other major crime-fighting units around the world, have capabilities that can be used to improve the state of crypto. I know it can be a slippery slope, but it seems there’s more we can do. I will close by saying that at least this is $500k less that the criminals have to fund human trafficking and other criminal enterprises that are cash rich thanks to ransomware.


Links:

DOJ press release: https://www.justice.gov/opa/pr/justice-department-seizes-and-forfeits-approximately-500000-north-korean-ransomware-actors


Friday’s Silly Story

Back at the turn of the century, just as the Y2K clouds were clearing, I wrote extensively on the concept of a Digital Pearl Harbor, or in today’s vernacular… Cyber War, enough so that Information Security Magazine reached out to me to do a “Face-Off”. At the time they were running a series where Bruce Schneier and Marcus Ranum – giants in security – would essentially debate a topic in a printed article. The editor wanted me to do a face-off article with Marcus, who at the time was completely against the concept and was quite vocal that it was nonsense. Although I met Marcus years later and found him to be a truly amazing person, when we had the call with the editor to discuss the article he was not what I would characterize as inviting, and our opinions clashed like an immovable object and an unstoppable force. You could hear the editor drooling; it had the potential to be epic.


Of course, Marcus was and still is a huge name in the security industry. He’s credited with inventing the firewall, for goodness’ sake, although he denies it, which only makes him that much cooler. It was a bit intimidating, but I wasn’t going to let him know that. Then came the details. I was to write my argument for why Cyber War is a real threat (keep in mind that this was laughable at the time), then Marcus would write a counterpoint, and then they’d publish it. I asked if I was going to get a chance to respond to the counterpoints and interact, and from that a face-off article would be created, which is generally how it was done. Unfortunately, the answer was “no”.


I pictured Marcus tearing me to shreds, which he absolutely would have done. I’m not the best writer, and poorly articulated thoughts lead to the inevitable open holes in a position paper. Of course, even if I were perfect, I was 1) a nobody going up against a giant, 2) writing on a topic that was considered, at best, ridiculous, and 3) going to have no option to offer a counterpoint. To their disbelief, I declined. You could almost hear Marcus’s eye-roll as he hung up the phone, and the editor stayed on a few more minutes trying, unsuccessfully, to convince me to change my mind.


Cyber war is a term and a condition that is deeply entrenched in today’s collective reality. And it got me thinking… what are some of the conversations happening today that seem ludicrous but in a few short years will define our modern world? Well, I have a few thoughts on that. Stay tuned.


About vCISO

The vCISO (Virtual Chief Information Security Officer) practice comprises a global community of highly experienced security professionals that we can connect with customers looking to address challenging cybersecurity pressures in a cost-effective and resource-efficient delivery model. This provides organizations flexible and focused access to cybersecurity expertise at a time when finding, attracting, and affording skills at this level is virtually impossible or impractical.

https://www.nashsquared.com/vciso