Feb 18

No, you’re not.

According to a survey released by endpoint security solution vendor Bromium, 79 percent of surveyed information security professionals view end users as their “number 1 security risk.”

What security people need to understand is that the end users are not the problem.  The end users are our customers (and one of the main reasons we have jobs).  The problem arises from the increasing sophistication of attackers and their tools and ruses.  In the olden days (a couple of years ago), we could arm our users with easy ways to recognize and avoid phishing (hover on the link and see if it matches the text) and social engineering (no, the Nigerian prince does not want to give you his money).  Since then, the attackers have been getting better and better at their jobs.  They send very professional looking email and social media bait which is very hard to distinguish from legitimate emails.  They do their homework, mining social media for personal and business information to make their clickbait more convincing.  End users receive hundreds of emails every day and they just don’t have the time or expertise to always avoid the bad stuff.

I am still a big proponent of end user education and awareness – it will help users avoid the “low hanging fruit” type of attacks and for some users, it will provide them with clues which can raise their suspicions about more sophisticated attacks.  It has a great return on investment for just about every organization.

We have reached an inflection point in the “endpoint wars” – we need to provide users with solutions which are better at spotting and preventing the sophisticated attacks for them.  Organizations need to beef up their email security, adding things like pre delivery attachment analysis, real time checking of clicked urls at both the time of message delivery and user action and sandboxing tools (EMET is free and pretty effective).

End users are not stupid.  They simply have different priorities than security people and are trying to keep up with an ever expanding flow of information every day.  We have to step up our efforts to protect them, not call them a problem.  That’s what we get paid for.

Go hug an end user today.

Nov 30

als, bls, cissp

By alberg deep thoughts, systemic risk Comments Off

Those of you who have the misfortune to know me personally know that information security is but one piece of the pie that is Al Berg.  (mmmm…. pie…)  On Friday nights, I swap my desk for an ambulance of the Weehawken Volunteer First Aid Squad where I am an Emergency Medical Technician.  Most of the time, these two parts of my life don’t really intersect, but this week, I saw something that seems to bridge the gap.

So, there are two different kinds of ambulances here in the US.  BLS (Basic Life Support) rigs are staffed by EMTs who are trained in basic life support techniques focused on airway, breathing and circulation.  EMTs do not administer drugs – we cannot even give you a Tylenol for pain.  If you are unfortunate enough to be meeting us on a day when you are having a cardiac arrest, we will do CPR, give you oxygen and maybe zap you with a automated defibrillator.  We’ll also call for our ALS (Advanced Life Support) colleagues – the paramedics – to respond and give you the advanced monitoring and interventions (EKG, intubation, intravenous drugs, and the like) that we can’t.

As an EMT, I am always happy to have paramedics on any call, especially a cardiac arrest, so I was really surprised to read an article this week which described a study published in the Journal of the American Medical Association which found:

90 days after hospitalization, patients treated in BLS ambulances were 50 percent more likely to survive than their counterparts treated with ALS. The basic version was also “associated with better neurological functioning among hospitalized patients, with fewer incidents of coma, vegetative state or brain trauma.”

Now, to be clear, your chances of surviving an out of hospital cardiac arrest are pretty lousy… 9 out of 10 patients who ‘code’ in the field will not survive to hospital discharge.  CPR works way better on TV than it does in real life.

Anyway, while I am a bit skeptical of this study’s results, it does seem to me that there is a bit of an information security aspect to this.  Time and again we hear of companies who have spent big on flashy technology still getting owned by hackers.  For example, Target had purchased advanced anti malware defenses from FireEye as well as outsourced monitoring for those defenses.  According to reports, the people and tech detected the bad guys, but failing to do “information security BLS” by examining the systems which were showing signs of trouble sealed Target’s place on the front page.

There are a lot of “information security BLS” measures that don’t use flashy technology or wheelbarrows of money that we can take to protect our systems:

  • Documented policies and procedures
  • Least privilege for user accounts
  • Segmentation of internal networks
  • Applying security patches and updates in a timely fashion
  • Security awareness training
  • Sharing information with other organizations

These (and many other) “information security BLS” interventions go a long way towards keeping hackers away from corporate data.  They aren’t complicated, and you don’t need to buy all sorts of blinkie light boxes to implement them.  Yet, time and again, companies fail to pay enough attention to them.  Part of the problem is that infosec professionals want to get hands on with the latest technology and doing some of these low tech interventions requires serious time and planning to avoid negative impacts to the business.

So, my resolution for 2015 is to take another look at the Council on CyberSecurity’s Critical Security Controls list and make sure my organization is doing everything we can to implement them.   As an industry we need to make sure we are doing the BLS interventions right and apply the ALS level security-fu when it is needed.

Nov 23

There are a number of web based tools that allow you to safely analyze the behavior of potentially malicious files safely.  My personal favorite is Malwr.com, which provides detailed analysis of just what a piece of malware tries to do when run in a sandboxed environment.  Malwr presents its findings as a detailed report explaining what processes are spawned, what files and registry keys are written and what network activity happens when the malware runs.  This is a great tool for those of us whose budgets don’t include funds for maintaining our own malware analysis labs.   For those with some more resources, you can run the same software that malwr.com uses (the open source Cuckoo malware analysis suite) on your own site.

I recently saw a video from Security BSides DC 2014 in which Craig Fields, a malware/forensics analyst from DefensePoint, demonstrated a new tool to make reading reports generated by malwr.com easier.  MalwareViz takes the URL of a malwr.com report and uses the data in the report to create a more visually oriented diagram of just what a particular piece of malware is doing, which can be really useful in explaining things to non security focused folks.

It is important to remember that malware authors are getting smarter and smarter – in some cases, malware will check to see if it is being run in a sandboxed virtual machine.  If so, the malware stops executing and the analysis doesn’t see the bad behavior which will occur during a real infection.   So, a negative result from the sandbox is just one (albeit generally a strong) indicator of whether a particular file is malicious.



Nov 02

It seems that car thieves have been targeting the keyless entry systems of high end vehicles, taking advantage of insecure security in their on board computers.  In addition to stolen cars, this has also caused some insurers in the UK to refuse coverage for certain models of Range Rovers in London unless their owners take additional security measures.  This is an interesting development – if your potential customers can’t get insurance coverage because your car (or other device’s) computer enabled systems aren’t secure, then you have a real incentive to fix the problem.   Now how do we apply this to other types of systems?

Nov 02

When your co workers or family members ask what to do about passwords, have them watch this brief, easy to understand and information packed video from the folks at Sophos…


Nov 01

racing the patch clock

By alberg best practices, CSO Comments Off

all too true, usually

When previously undisclosed vulnerabilities in the Drupal web content management system used by many large companies to manage their web sites were announced, hackers were busy exploiting those weaknesses within hours.  This incident highlights the bind that security people and system administrators are increasingly find themselves in – we need to patch critical vulnerabilities quickly to protect our systems from compromise, but rolling patches out without proper testing can also lead to downtime (witness Microsoft’s recent run of faulty security patches).    Having the skills to mitigate vulnerabilities while patches are tested and rolled out is a something we need to cultivate as security pros.

Oct 31

VA court gives tech savvy criminals the finger

Now, here is a head scratcher… a circuit court in Virginia has ruled that while law enforcement cannot force you to reveal the passcode for your mobile phone, they CAN force you to unlock your phone with a fingerprint, since a passcode requires you to divulge knowledge while a fingerprint is a form of physical evidence.  While this seemingly nonsensical decision is not binding on other courts, it can be used as precedent in future cases.  I guess the moral of the story is that you should disable TouchID on your iPhone before embarking on your life of mobile phone assisted crime.  Alternatively, you could reboot your iPhone as John Q Law closes in, since TouchID will not work until you have entered your passcode after a reboot.

Jul 13

In August of last year, a security researcher at UC Berkeley found two security vulnerabilities in LastPass while researching the security of web based password managers.  He reported the problems to LastPass, who quickly remediated them.

One of the vulnerabilities would have allowed an attacker to gain access to unencrypted credentials IF the user accessed a malicious web site and then used the LastPass “BookMarklet” to log into that site  – if you use the browser extensions for Chrome, IE, Firefox, or Safari (as 99% of LastPass users do), your account was not vulnerable to this attack.  BookMarklets are only used if the browser in use does not support LastPass directly.

The other vulnerability would have allowed an attacker who knew a user’s log in ID to retrieve an user’s encrypted password file, but not the key needed to decrypt this file.

LastPass states that they have no evidence that either of these vulnerabilities were exploited by anyone other than the researchers.

I still use and recommend LastPass – after all, if we stopped using software every time a security vulnerability was found and fixed, we would not be using Windows, Mac OS, or any browsers and plugins.   The extra security provided by using LastPass to manage unique strong passwords for the sites you log into far outweighs the risk of being compromised by vulnerabilities such as the ones described.

There is a lesson to be learned for LastPass users, though.  The security of your account is as only as good as the master password you choose for your LastPass account.  Make sure that it is hard to guess, and is constructed using letters, numbers and special characters in order to make it as hard as possible for someone to crack.

I am disappointed in how long it took LastPass to reveal this issue – when you are entrusted with users’ “keys to the kingdom,” you have a responsibility to be transparent about issues like this in a timely fashion.  I think that this is also a good time for LastPass to open up their code for third party security review to be proactive about finding and fixing security issues before the bad guys do.



Jul 12

While the “Internet of Things” has great potential, it also opens up new attack surfaces for those with nefarious intent to exploit.  A good example of this was found by a security researcher last week.  LIFX offers wifi controlled LED light bulbs that can be turned on an off as well as color adjusted via an iOS or Android app.  In order to operate, the light bulbs must authenticate to the wireless network in the user’s home or office.  The researcher found that it was possible to retrieve the wireless network password from the bulbs themselves, giving them access to the rest of the devices on the same network.  LIFX has issued a patch to correct this issue, but this serves as a reminder that all of those new, whiz bang network connected devices are part of your network’s security perimeter.   Many of these devices are coming from startup companies which may not have a security culture embedded in their development process.   To be fair, the researcher had to do some fairly sophisticated to pull off this hack, but as IoT devices begin to proliferate, the payback for attackers will be worth the extra effort.

Jul 04


BAE Systems Spokeman

An update on the “hedge fund hacking” story from a couple of weeks ago… it appears that this attack (in which it was alleged that hackers penetrated hedge fund trading , delayed HFT orders and sent order information to servers in eastern Europe) did not actually happen. Apparently, this scenario was used internally at BAE Systems as a “what if” during table top exercises. For some reason, a BAE employee described this scenario to a reporter as if it was an actual incident. This is a real black eye for BAE (which probably explains why they waited for the holiday weekend to announce this).

More information:


I still think that the kind of attack described in this scenario is bound to happen in the future as organized crime figures out that the capital markets provide much more profit potential than stealing credit card info – but there is no confirmed case of such an attack happening so far.

preload preload preload