A New Year with New Security Challenges

Posted Friday, 02 February 2018

January 2018 was a very high activity month for both Octopi and myself. Concern is growing around the building and use of cyber weapons and the potential harm they can do to innocents. It’s an issue I have been thinking about ever since the International Committee of the Red Cross reached out to me about possibly working for them in this area. Although I am still in a “process”, I thought it prudent to turn my “exam” answer into a mini-essay on the subject and supply the various citations needed to complete the work. Here it is on the Tripwire blog (a huge thank you to Joe for fast-tracking it for publication): https://www.tripwire.com/state-of-security/featured/cyber-law-war/ I’ve also had some luck providing industry commentary on the Tor Project, https://www.scmagazineuk.com/its-all-gravy-for-the-onion-router-as-tor-browser-beefs-up-security/article/739414/ , for CompTIA, https://www.comptia.org/about-us/newsroom/blog/comptia-blog/2018/01/25/calm-common-sense-best-response-to-processor-chips-security-flaw-disclosure?utm_content=buffer9fb01&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer , and once more for SC Magazine here: https://www.scmagazineuk.com/mobile-scada-application-landscape-less-secure-than-in-2015/article/736430/ It’s so great to be asked what I think. Because I think a lot.


I was not without an opportunity to kick off 2018 with a creative, if somewhat rant-y, response when asked by Anna from Heimdal Security “Why can’t Security be Simple?” https://heimdalsecurity.com/blog/why-cant-cybersecurity-be-simpler/?utm_source=Heimdal+Security+Newsletter+List&utm_campaign=11358dbb5d-EMAIL_CAMPAIGN_2018_01_25&utm_medium=email&utm_term=0_31fbbb3dbf-11358dbb5d-195531785#iantrump The complexity and challenge of running a business is increasing, and the skill set required to keep everything running is becoming increasingly diverse.


Perhaps the best and most fun was my presentation at BSides Leeds. Here is the full presentation: https://www.youtube.com/watch?v=9B7QiHDvo9Y&feature=youtu.be It was covered in this wonderful blog: https://appsecbloke.ghost.io/not-just-another-infosec-conference/ Equally fun was a guest appearance on Eric Anthony’s “All Things MSP” video podcast, which featured some great banter on Spectre and Meltdown in the pre-show https://www.facebook.com/allthingsmsp/videos/388377611605495/ and, in the main show, where I got to talk about how much Host Intrusion Detection (HIDS) capability you can leverage from the Windows Event Log: https://www.facebook.com/allthingsmsp/videos/387643568345566/ You can download the featured white paper here: https://www.dropbox.com/s/8asuda9ac0elfjn/Octopi_Whitepaper_EN_091117.pdf?dl=0


If you are a follower of mine, you may have noted that I have a new job down in London – currently commuting from Edinburgh 3 days a week. It’s going to be an amazing, fun challenge to build out a Vulnerability and Threat Hunting Team for a large company in the online gambling industry. If you are looking for someone to take a peek into a piece of malware or a spear phishing link that made it through your layered defense, please check out our Octopi Identify Neutralize Kill (INK) and Black List Collective services on our new & fresh contact page here: http://www.octopitech.com/our-services/malware-and-analysis/


Keep patching & till next month then,


Phat Hobbit

Right Time, Right Quote

Posted Monday, 11 December 2017

Due to my Twitter profile, I was lucky enough to get on the radar of a journalist who reached out to me to ask what I knew about Troy Hunt. That ended up in the New York Times, which was sort of an amazing moment as it’s the New York Times! Now, to be fair, it was actually an Associated Press article which was scooped up. I’ll take it as a win. Here is the article in all Troy’s glory: https://www.nytimes.com/aponline/2017/12/05/us/ap-us-youve-been-hacked-researcher.html


The same week I ended up dropping another pretty epic quote on the Doppelganging attack for SC Magazine: https://www.scmagazineuk.com/market-leading-security-products-broken-by-doppelganging-attack/article/712522/ This “style of attack” is the early stage of file-less malware. I always write a fair amount of background and research for these requests, so here is the entire submission:


“Process memory is such a popular attack vector because traditional, and even more advanced, anti-malware solutions are generally focused on file-based attacks – not process “hijacks”. When I think about the attack surface, it makes sense to spawn or hide in an existing process on an endpoint – that’s something very hard to see. A new binary downloaded onto an endpoint which then makes an outbound network call to some place sketchy, that is pretty easy to detect. Process hijacks, where the malicious code is inserted directly into the memory of an existing running program, are a deadly attack that can sit in memory on machines that don’t reboot very often (like servers). This is the now infamous “file-less malware” recently seen being talked about by vendors and the InfoSec press.


Why this attack vector? Well, maybe we can blame the Australians in part. The DSD advocates that Application Whitelisting (included in modern Windows operating systems as “AppLocker”) is the most effective security control, #1 on their list of 35. Clearly, it may be super effective in stopping unauthorized Trojans and payloads from running on endpoints, so pushing code into memory with an exploit may be a cybercriminal response to the increasing popularity of the “white list” anti-malware technique.”


This week also saw SolarWinds MSP dropping some more excellent content on “Onboarding clients for GDPR”: https://www.solarwindsmsp.com/blog/building-gdpr-services-why-onboarding-or-re-onboarding-critical I would be remiss in not mentioning Trianz’s efforts to get the word out on Patch Management, especially given the recent research from Fortinet: Fortinet’s findings (Q2 2017) show that 90 per cent of outfits were hacked with vulnerabilities that could have been sorted out with a patch three years ago, while 60 per cent of companies had vulnerabilities that are over a decade in the wild. Check out Trianz’s campaign here: https://goo.gl/KukqUQ and follow them on Twitter: https://twitter.com/trianz


I’ve got a pretty cool, peer-reviewed article on hunting an APT group and some quotes on the cybercrime economy in the Sunday Times coming soon. Also, mad props to Eric Anthony (follow him on Twitter here: https://twitter.com/EricAnthonyMSP) for resurrecting some old video on Patch Management: https://www.youtube.com/watch?v=th8iA15xXBI That sweater was probably left to die at Bar Napoli.

Till next time then,

Phat Hobbit

A Blog on “Insights” – The Home Network Needs Patching Too & Other Stuff

Posted Tuesday, 21 November 2017

Almost everyone I know runs some sort of network at home, and if you do work from home that network needs to be safe and secure. With the influx of IoT devices into home networks, it’s quite possible a compromised device on your home network could breach the corporate network: https://trianz.com/info/ibm-bigfix/insights/secure-influx-mobile-devices-entering-workplace Trianz would enjoy a follow on LinkedIn: https://www.linkedin.com/company/166498/ or Twitter too: https://twitter.com/trianz or visit the campaign page here: https://goo.gl/KukqUQ


In other news, a podcast featuring my thoughts on a wide range of topics went live this week; if you have not checked it out, here is the link: https://www.iotssa.com/secure-connections-ian-thornton-trump-make-clients-hard-target/


I’m giving a free webinar on behalf of CompTIA. I am going to be talking about cybercrime and cybercriminals that have been caught by law enforcement and what that tells us about what is in store for us in 2018 and beyond. You can sign up here: https://www.comptia.org/events/view/stories-from-the-cybercrime-battlefield-forward-into-2018?utm_source=Informz&utm_medium=Email&utm_campaign=Communities%2DUKChannel%2DWebinar%2D111417&_zs=3FeLG1&_zl=mmT94


Oh, and one more thing: this is a really good piece on protecting web applications in a way that does not negatively impact the user experience, and it may be worth your time to read if you have web applications: https://www.solarwindsmsp.com/blog/protecting-web-applications-world-gdpr


Till next time,

Phat Hobbit

“Insights” on the Importance of Patch Management

Posted Sunday, 19 November 2017

I’ve encountered a series of great blog posts addressing patch management or, as it’s now called, vulnerability management. You can see the posts here: https://trianz.com/info/ibm-bigfix/insights/reduce-time-security-compliance-days-minutes


User Security Training is Important for Security & Compliance


As it turns out, user security training is cost-effective and a quick win for both compliance requirements and security for your business: https://www.solarwindsmsp.com/blog/gdpr-quick-win-strategy-1-deliver-customer-employee-security-training

Dropping a GDPR Blog for all you all

Posted Tuesday, 14 November 2017

Super excited to see some of my efforts going live. One of the keys to understanding the new General Data Protection Regulation for the EU and UK is understanding the terminology used. Read more here: https://www.solarwindsmsp.com/blog/what-terms-you-need-know-get-your-business-gdpr-ready

What’s Next for Managed Services Providers?

Posted Tuesday, 07 November 2017

It’s a question that many ask and which I prefer explaining in eras. Not geological periods thousands of years in length, but specific times in the evolution of managed services.

Check out my Channel Pro Article here: http://www.channelpronetwork.com/article/extinction-next-step-msps


The Threat of a Future

Posted Wednesday, 18 October 2017

American author Chuck Palahniuk of Fight Club fame and author of Invisible Monsters remarked “When did the future switch from being a promise to being a threat?” Could it have been about the same time we decided to put highly dependable things on a very undependable network?


I was asked to provide some insight into where IT, and IT security, which seems to be dragged along as an afterthought, will be ten years in the future. The CREST & IISP Conference was held in London on 19 April 2017; from April till October my presentation managed to reach a few thousand folks. Truth be told, I have been thinking about the future for some time – personal and professional. As a former Intelligence Analyst, let me preface my remarks by saying “everything is more complicated than you think it is.” This is the best way to say, in a sense, that the future is less than certain, but we certainly will have a future. It’s perhaps time to start thinking about that future and attempting to shape it in a positive direction. Again, as a military intelligence analyst, if you were right in your hypothesis it usually meant bad things were going to happen.


What we make of the future of IT is precisely what my presentation was about – the intention was to start a debate and engage the professionals, hobbyists and enthusiasts to avoid the dystopian Hollywood tropes we see portrayed in film and television. The biggest problem with continuing to be uncritical of the dystopian-future trope is that we forget that trope is what we may end up living in – if we are not careful and if we are not committed to action, right now.


Lailah Gifty Akita, author of Think Great, suggests “The present defines the future. The future builds on the foundation of the past.” Applying this to the present state of the Internet may prevent anyone from reading this article further. Our current online existence is best described by metaphor. The online experience for humans at work or play on the internet is like skating across a cold, deep, dark lake, putting faith in the idea that the ice is thick enough to support our weight.


The current state of the online world is, in a word, “sickly”. The foundational protocols – DNS, BGP, NTP and others – were never designed with security in mind. It does not take an architect, network or otherwise, to see the flaw in placing secure services on an insecure foundation. That was all fine and good when the worst that could happen was inconvenience or crippling financial loss. Now the sprint towards connecting Artificial Intelligence (AI), Robotics and Internet of Things (IoT) devices opens up the possibility of kinetic, permanent harm from malicious actors armed with exploit code, or from simple mistakes.


It’s not comforting to anyone in the IT profession, or for that matter anyone living today, that some of the most influential and forward-thinking individuals, such as Shane Legg, state flatly, “I think human extinction will probably occur, and technology will likely play a part in this.” As an IT security professional, I don’t think being anti-extinction is an unreasonable position to take. Suggesting this without a solution to the problem is not responsible; I hope Shane was taken out of context or was just trying to impress the ladies.


There have been many in the IT security community talking about cyber war: what it is, and whether we are already in one. Looking back as far as 2001, we see incidents that appear “war-like”, and it’s certainly not unreasonable to think that if these incidents (the ones we know of) were inflicted on a country or region simultaneously or in quick succession, real damage could occur. Certainly, combining cyber events with a kinetic event, natural or man-made, could complicate the recovery and increase casualties.

  • 2001 Maroochy Shire Council Sewage Spill, Queensland, Australia
  • 2008 the rumored BTC Pipeline Explosion
  • 2012 and 2016 Shamoon & Shamoon2 Saudi Aramco Cyber Attacks
  • 2013 Haifa, Israel Tunnel Lights Cyber Attack
  • 2016 Hollywood Presbyterian Medical Center Ransomware Attack
  • 2015 German Steel Mill Blast Furnace Explosion


In my mind, cyber war looks like all these attacks and others happening over a long weekend. The holiday family outing may be interrupted as the drawbridge is raised and lowered (allegedly, this attack was carried out by a Dutch hacker in 2008 armed with a Palm Pilot: https://www.youtube.com/watch?v=lIMwFhsLQ-o).


Another possible “cyber war-esque” attack may manifest itself using a cyber weapon of mass destruction such as BrickerBot, a worm that searches out, exploits and then destroys insecure IoT devices (https://techcrunch.com/2017/04/25/brickerbot-is-a-vigilante-worm-that-destroys-insecure-iot-devices/). Adapting this capability and unleashing it on hospital devices globally, or combining it with exploit capabilities like DoublePulsar (https://www.theregister.co.uk/2017/04/21/windows_hacked_nsa_shadow_brokers/) armed with a destructive payload, could destroy hundreds of thousands of connected devices. If that device is connected to you, or you need it for life safety, we have the potential to see tragic effects in the physical world.


So, the question remains, “is cyber war the worst-case scenario?” The answer, unfortunately, is no. The “first” cyber war envisioned in my presentation will pale in comparison to the second cyber war, where three future developments will collide in a potentially extremely dangerous way: AI, robots and climate change. The combination of these two technologies and one seemingly inevitable planetary change paints a picture of some sort of mash-up of the Matrix movies with the Mad Max movies. Suddenly, those Y2K bunkers may come back into vogue.


Scientific achievement, and the creation of both super-heroes and super-villains, has for the most part taken a “let’s see what happens when…” approach. Without descending into an extended debate over climate change, I think we can all accept that more humans on a warmer planet will have an impact – and technology, specifically robots, may exacerbate that problem considerably – disruption will occur.


Daron Acemoglu and Pascual Restrepo, in a study titled “Robots and Jobs: Evidence from US Labor Markets”, analyzed data from 2007 to 2015 and concluded that one industrial robot reduces employment by 7 jobs, that one industrial robot per thousand workers reduces wages by 1.6%, and that industrial robots are expected to increase to 4.5-6 million by 2025. Tasks such as the movement of goods in the transportation and logistics industries, pizza delivery, personal transportation and household cleaning will soon be relegated to robotic servants.


The number of unemployed persons globally in 2017 is forecast to stand at just over 201 million – with an additional rise of 2.7 million expected in 2018 – as the pace of labor force growth outstrips job creation. If 4.5 million industrial robots arrive on the scene in 2018, that could increase the rise in unemployed persons from 2.7 million to 31.5 million. In 2016, a study suggested hunger may motivate us more than thirst, fear, or anxiety (http://www.medicalnewstoday.com/articles/313178.php). Hacktivist causes may find a ready supply of recruits.


As one group fights over table scraps, another group pushes the technological envelope even further than ever imagined. Since even before 2009, scientists such as Dharmendra Modha, head of the SyNAPSE project, have been trying to quantify the human brain’s capabilities in computer terms.


At that time, a 2009 Scientific American article suggested the brain has 38 petaflops of processing power and 3,584 terabytes of memory. Elon Musk wants to connect brains to computers; he said a “merger of biological intelligence and machine intelligence” would be necessary for humans to stay economically valuable. But perhaps not as valuable as those 31.5 million folks consuming online videos on “How to Hack for Jobs/Food.”


In 2013, Markus Diesmann and Abigail Morrison succeeded in creating an artificial neural network of 1.73 billion nerve cells connected by 10.4 trillion synapses. It took 40 minutes of “brain-like processing” using the combined resources of 82,944 processors in the K supercomputer to get just 1 second of biological brain processing time. While running, the simulation ate up about 1PB of system memory, as each synapse was modeled individually.


This leads me to the conclusion and “aha” moment in my presentation: that interfacing the human brain directly to the insecure internet (as it exists today), combined with large, motivated, potentially skilled groups of hostile hacktivists and a “let’s plug AI into the internet and see what happens” approach, may not be in the best interests of humanity.


So, what can we do about it? As it turns out, we are in control of the world’s largest machine – we make the rules (until of course we turn that idea over to AI – bad idea). So, in 2011, Keith Alexander floated the concept of a “.secure” network for critical services such as banking that would be walled off from the public Web. Maybe we want to extend that secure network to include the devices and artificial intelligence entities we are building.


At the 2017 RSA infosec conference in San Francisco, Olaf Kolkman, the Internet Society’s chief internet technology officer, and Bruce Schneier, IBM Resilient’s CTO, found themselves in an unlikely alliance on the matter of IoT security. Essentially, Kolkman has called for strict industry requirements to bring IoT defenses up to scratch. Schneier, an anti-regulation libertarian, agrees: yes, it’s time to draw up rules for internet-connected gadgets. I believe these gentlemen are on the right track; however, we need to look beyond IoT and consider what happens when a corrupted AI program makes a decision we don’t like – that’s an argument the humans can’t afford to lose.

