Tag Archives: Security

Internet Search is Changing – Is it for the better?

Have you noticed how internet search is changing?
As long as I can remember, search worked by feeding it a few keywords or a question, and it would return thousands, or even hundreds of thousands, of results. These results were ranked by custom algorithms that weigh multiple factors to direct you to a website for more information.
This is what most of us think of when we refer to “Googling” something. It is akin to the idea of going into a library and asking the librarian where to find a specific section of books. It didn’t lead to any direct answers, just a pointer to shelves full of books that we would then spend time searching through to find the answer we wanted.

Google Regular Search

As AI has started to take hold, I have seen how it has been embedded into our internet searches. This was a pretty cool enhancement in that the search engine would put together a simple response to your request in summary. I don’t know the statistics of it, but I am really interested to know how many searches end here, and the user never needs to click into one of the reference links.
This became more of a hybrid approach where it would give you a quick answer, but then provide a list of results like before to continue searching the book shelves for the answer you wanted.

Google AI Summary

Google’s new AI Mode takes it to the next step of a conversation. At this level, it is like you are holding a conversation with a guru of any subject. You are able to ask questions to get the answers. If the answer wasn’t quite right, you could change your question to get more specific. You keep asking questions until the response is acceptable. You will still see a list of references, related to the answer, but you won’t get hundreds of links. Think of it as if the guru gives you an answer and also provides a list of the books he used to get it. This is helpful because you may want more context or to even verify for yourself that the guru is correct.

Google AI Mode

Why do I bring this up? There was an interesting discussion on the Down the Security Rabbithole podcast, Episode 671 – It’s the End of the Internet As We Know It, where this was mentioned.
The discussion really got me thinking about how search is changing and the effects it has on the internet as a whole. I want to talk about two examples.

Effect on critical thinking
The advancement of how we search for information is absolutely amazing. The speed at which we are able to find the answer to most questions has improved our ability to do our jobs, grow our knowledge and help advance key research in fields like technology, medicine, etc. The time it would have taken to look something up in a book was long when we were going to the library or digging through our collection of encyclopedias. I am amazed every day at the information that is available to my kids that I could have only dreamed of growing up.
I must consider the cost as well. Without guardrails in place, how do we ensure that people are still able to think critically about a problem? The results we are seeing come back from these search results can be pretty good, but they can also be pretty bad. How do people know when to believe the answer, or when to question it and dig deeper to verify the results?
The longer we go just taking the default answer from a search engine’s AI system, the further we get from spending cycles verifying the answers on our own.
These systems are getting better, but I am sure they will always have their faults or build their own biases. What happens when a person asks what 2+2 is and the system returns 5? 20 years ago, I would have believed every person would question that based on their fundamental education. Today, in 2025, I believe there are people that would take this answer as fact without a question at all.
As time goes on, and people turn to Googling everything, at some point we lose that fundamental knowledge. We stop learning how to do simple addition because “why waste my time on that, when I can just ask ChatGPT?”.
Another example I give on the podcast is around cooking recipes. Have you ever just Googled how to make something simple, like chocolate chip cookies? With the new results we get from AI searches, they will just spit out a recipe. Sure, there might be some links to actual cooking sites, but why not just take the initial AI answer?
Do you know enough about food ingredients to trust the answer provided? What happens when the ingredients include something that is actually dangerous to humans? Would you know not to use that and question the recipe?
There are real world consequences to this.
Don’t get me wrong, there are similar consequences to you just following the recommendations on some random cooking site, or that influencer’s TikTok channel.

Ad Revenue
The other thing I find interesting is around the ad revenue that powers both the search engines and the organizations behind the links you click during traditional searches. Search is free because the search providers are making money through the ads paid for by many of those links displayed and clicked. How will this affect the search providers when links are no longer displayed, or they are not clicked because the AI answer was enough?
This question actually takes me back up to the previous section where I discussed consumers just taking the AI answer and not digging deeper. What happens when the answers are biased by the companies buying the promotions? Does this end up distorting the answers toward paid bias, and if so, how long does it take before one can easily sway the world to start believing something that just isn’t true? It just seems true because enough money was put into it to make it the theme of the answer. Then add to it that people no longer perform critical thinking and just take the answer as fact.

On the organization side, the side that pays for their ads to be in the search results, what effect do we see? If the consumer is just interacting with a bot and no links are displayed, you lose the visibility you once had. The chances of someone just finding you from a simple search decrease, and less traffic may come to your site. Maybe there is some path by which this tactic changes to be part of the AI results somehow, but that gets us back into the bias in those results if they are driven by sponsors.

It could just be that marketing has left search results behind. Maybe organizations have solved this through the use of social media channels. Maybe we will see commercials or ad banners start appearing in the AI chat bots.

Final Thoughts
It is an interesting time when we think about internet search offerings and how they are changing. Change isn’t always bad, and the positive value in this case may outweigh the negatives. Our ability to get to answers more quickly has a lot of positive value for advancing a lot of things. However, there are some negatives that just need to be considered. We need to make sure that the responses provided are accurate and unbiased so as not to start retraining our knowledge on inaccurate information. A small shift in our understanding can have a huge ripple effect years down the road.

Does “Research” Terminology Reduce Adoption Rates?

What is your reaction to this tweet?

In the drive to “do something,” many applaud this as a reasonable step. I think it actually might harm our efforts and slow our progress.

Words matter.

Does the use of the term “research” reduce adoption rates vs. if we used the term QA or QC?

What is wrong with the term security research? Why might QA or QC be a better selling point?

Consider how businesses handle “research” versus quality assurance/control. In most cases, businesses have budget for quality work. They recognize the importance of producing to the level of quality expected in the marketplace.

The role of QA/QC is one of trust. Partnering together to produce a better product. A way to protect the company while growing the bottom line.

Research is a confusing concept. It either harkens back to grade school papers, college projects, or huge corporate investments. And in the corporate world, research is tightly controlled and wrought with failure. The hope is a small amount of success to make up the difference.

Research is about the future. Quality is about the current state.

Confusing the opportunity: security research

Security research is not well understood. Not even within the “research” community – Bug Bounties refer to their testers as “researchers”, “bounty hunters”, etc. Combining two expensive, confusing terms together creates additional barriers and hurdles.

Where does it fall within the budget? Is it a security item, an application item?

Does this make security testing or research bad? No. It highlights the fact that when working with an organization, perception matters.

When you approach an organization regarding security testing and approval, are they more apt to go with something that sounds familiar, whose value they understand, and that fits their model, or go with an option that is often used interchangeably with “hacker”, whose value they really don’t understand? You hear all the time how different groups need to speak the language of their consumer. While I am not a fan of the idea of all these different languages, I do think that using terminology that is familiar to the consumer provides a better connection and opportunity.

In this case, you are selling testing services. These are QA/QC services to offset the internal testing they are doing, while adding a specific focus on a limited classification of bugs. Would changing our terminology change the adoption rate?

I would love to hear others’ opinions on how they think the choice of terminology affects adoption rate.

Security Budget: How Much vs. How it is Used

I recently saw an article on Forbes that identified some of the major banks and how much money they will be spending on cybersecurity. We are talking about companies like Wells Fargo, Citibank, J.P. Morgan Chase. We are talking about budgets starting around $250 Million a year for cybersecurity. That is a big budget.

In information security it is common to hear questions about how much a company spends on security. There are random numbers thrown out, such as 10% of the IT budget, or 10% of the total budget, that should be reserved for security. We also see, with every breach that happens, people claiming that the company didn’t take security seriously. My initial question when I saw the article was “does this mean these banks take security seriously enough?”

The issue is that it is impossible to determine how that money is used. Great, you are spending $200 million a year, but what are you doing with that money? The number really doesn’t mean anything. It doesn’t help other companies determine how to increase their security. Is the answer just spend more money? No. The answer is spend that money more efficiently.

What I want to see is a breakdown of how that money is allocated.

How much of it is going to employee resources, hardware, software, monitoring, etc.?

How much of that is focused on firewalls, IDS, IPS, antivirus and other controls?

Is that money used for training, static or dynamic analysis tools, scanning tools, or third-party engagements?

I want to know what they are doing and what appears to be most effective. This information can then be useful to other companies that are still struggling with increasing their security.

Throwing big numbers around gets people interested, but it is the breakdown of that information that will help others improve their security.

Don’t stop short and just look at the overall budget, or get hung up on just those numbers. Dig deeper into how that money is used. You can get the latest and greatest do-it-all, flashy-light device for a lot of money, or you can get a less flashy device that may actually do a better job and be more cost effective. Let’s get more discussion around what is actually working vs. what is not working rather than focusing on the size of your budget.

Hacking Cars: Taken Seriously?

Turn on an ad for new vehicles and you are bound to see how connected they are to our lives. Gone are the days when your vehicle was just a stand-alone product. Now we are seeing cars that have internet connectivity. We are moving past the simple satellite radio or GPS systems and becoming connected to a lot of data. Security folks have been talking about vehicle security for a while now, and a few researchers have been focusing on showing how serious the security problems in these vehicles are.

Today, a story was released on Wired “Hackers Remotely Kill a Jeep on the Highway – With Me In It” (http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/) describing how a Jeep was remotely controlled by a laptop 10 miles away. For the full details, check out the link I just provided. Once the story hit the airwaves, it received lots of attention, both good and bad.

Let’s start with the positive side of what was shown. It is possible to actually demonstrate the capability to breach a vehicle’s systems (remotely) and then control many of its functions. These functions include the radio, wipers, temperature controls, transmission and brakes, to name a few. It is a concern that this can be done without authorization. I certainly do not want my vehicle to be taken over while I am driving it, making it unsafe for myself or my family. The highlight: security is important for vehicles as they become more reliant on software and internet connectivity.

Rumor is that there is a patch for the vehicle to fix this issue. The issue we now have to address is how do we efficiently and effectively get these patches to the vehicles. At this point, bringing the vehicle in to a dealership to have the software updated is the only real option.

The negative reception is where it gets interesting. They decided to do this experiment on a highway with other vehicles around traveling at the speed limit (70 MPH). At one point the driver is explaining how he can’t see because the windshield wipers are going with the fluid spraying. At another point, they cut out the transmission and the vehicle slows way down on the highway where there was no breakdown lane. That is a brief and probably insufficient summary, however the point is that a lot of people are upset.

This type of testing in a public place like this puts the other drivers on that highway at risk. This is not much different than the plane hacking bonanza that happened a few months ago (http://www.cnn.com/2015/05/17/us/fbi-hacker-flight-computer-systems/), which caused a huge backlash. It is one thing to look for security issues that may help make things safer, but it is critical that the testing of these theories is done in a controlled environment, not putting people at risk. They don’t test vehicle crash ratings on the highway; they do it in a secluded area where safety is a priority.

If you are going to research security issues, no matter what they are, it is critical to think about this type of thing before you just jump on in. While I understand that this type of stunt hacking is great for advertising an upcoming talk at your local hacker conference, it is not acceptable when it directly puts other people at risk. You want to hack a plane? Get an airline to get you into a hangar in a controlled environment. The other option: buy a plane to test on yourself. But don’t do it on a plane full of passengers at 30,000 feet. In this case, the researchers went out and acquired the vehicle and researched in their own facilities. The issue arose when they did their testing on a highway and not on a closed course. Security research is walking a fine line, and it will require the best foot forward to push it in a positive direction. If all people see is the stunt hacking, they will lose sight of the real issue at hand and just see these stunts as reckless. It will have the opposite effect of what the end goal is: to increase security awareness and the security of the devices or products.

If you are in the market for a new vehicle, don’t be afraid to ask questions about the security of the vehicle’s communication systems. The more we dig as consumers, the more aware the manufacturers will be. At some point, promoting security as a feature will be critical to beating out the competition, ultimately forcing everyone to get on board. Be smart and stay safe.

Ashley Madison site breached

If you are keeping up with the news you have probably already heard about the breach of the adult site known as Ashley Madison. Here is a link to one of the articles about it: http://money.cnn.com/2015/07/20/technology/ashley-madison-hack/index.html. Like the breach at Adult Friend Finder (http://money.cnn.com/2015/05/22/technology/adult-friendfinder-hacked/) a few months ago, this type of incident is a little different than the usual breach. This breach is less about identity information (although at the root it has a lot to do with it), financial information, or even health information. The focus of this type of site/service is on secrecy and discreetness. It is about sharing sensitive information about an individual’s private life.

As we become more content with the Internet and the freedoms it provides us, we often start to overlook the reality that it creates. Some people think what they do on a computer isn’t real, rather, more of a game. That the effects are not real. We have this notion that everything we do is anonymous, leading us to take more risks than we might have otherwise. Take a moment and think about some things you might have said or done online that you most likely wouldn’t have done in person. Think about how quickly that can snowball out of control.

The breach at Ashley Madison should serve as a reminder that what we do may not be as anonymous as we thought. That the effects of our actions may turn out to have some real life consequences. Is it possible someone was just curious and meant no harm signing up on the site? Maybe they got in a fight with their spouse, had a bad day at work, were just bored. Of course those may not be acceptable excuses for joining a site that promotes adultery, but it could be something that small that led to the initial curiosity. There are also people just looking for another relationship. Anyone who has their name released as being a member has the same potential consequences. You may be publicly criticized, sorry, that is what society does now. Your job or career could be affected. Your relationship with your significant other and/or children can be affected. The list goes on.

We are all still learning the effects our online actions have on us over time. Our parents didn’t have nearly as much technology, so many of us are learning on our own. We need to understand that, just like a business, we assume a level of risk when acting online. There are no 100% secure systems. It doesn’t matter if we are talking online banking, adult sites, social media, or password managers. There is always some level of risk. We must learn to calculate that risk and determine if it is worth it. We are often quick to blindly accept the risk for the quick reward. Share your contacts for some coins in a game. Post atrocious comments for a chance to feel like you stood for something.

Is there a risk to joining an adult site like this? Of course there is. For many, that risk is acceptable for their own personal reasons. Some members may not have really considered the risks, while others may have given great thought to joining. Either way, the risk is there. The big question in this situation is what that risk now means to the individuals involved.

The media hypes this up to be devastating. However, if we look back at Adult Friend Finder, after a few days you stopped hearing much about it. This doesn’t mean that there were no consequences suffered by users affected by that breach, but it did quiet down a lot. Maybe it was because of the personal nature that people didn’t want to put it out for everyone to see. That makes it difficult to judge the real effect that this breach will have.

It will be interesting to see what types of effects this has going forward. In the meantime, we should ensure that we are thinking about the risks. Be safe everyone.

What Happens When All SSNs are Breached

Visit any news site or social media outlet and you are bound to see news of some new company getting breached. It is a lot of what we talk about these days. Whether it is passwords, credit card information, health information or social security numbers, if it is breached it is headline news. With the exception of those trying to scam the system and get a quick payday, it is getting to the point where most people outside of the information security industry just write it off and don’t give it much thought.

There is a difference between social security numbers or health information and passwords or credit card numbers: the former are much harder to replace. Taking a quick look at passwords, we can see that it is easy to change them. If my password gets breached, I create a new one. It is usually a simple process that takes very little time. This is especially true if using different passwords for different sites. Credit cards are also fairly simple to replace and come with zero liability. If my card gets breached and there are fraudulent charges, I just report them and they are removed. The bank sends me a new credit card, and if I am doing regular monitoring of my statements, the biggest hassle is changing the credit card that is stored on the different sites.

With social security numbers it is much more difficult to replace them. While they were not meant to be used as identifiers in all of these systems, they unfortunately are. Countless sites store your social security number, increasing the risk to it. Getting a new number can be very difficult, not just the process of getting the new number but also updating every place that has it.

What happens if all of the social security numbers get breached? With under 400 million people in the United States, how long will it take, with all of these breaches, for all numbers to have been breached? I know, we could just generate all of the numbers that fit the format of xxx-xx-xxxx, but I am talking about numbers paired with other identifying information. If all of the numbers get breached, what do we do next? Is it still worth spending so much money trying to protect them in our systems? We can’t get people to encrypt them now; will they continue to do it when they are all in the public domain? Do we finally start moving to a new identifier, albeit probably too late? Maybe it is just a money ticket for identity monitoring and credit monitoring companies. Will the duty to protect this information be removed when it is in the public domain? As we have seen with other breaches, once something is in the public domain, no matter how it got there, it is fair game. It raises an interesting situation when a finite set of data is at risk. Do you know what your company is doing to protect this type of information? Better yet, as a consumer, do you have any concern about your SSN being stolen? Chances are very good it is already out there somewhere.

Winning and Infosec: The largest CTF Ever?

You have heard it over and over from the “offensive” side of information security:

“The defense has to be right 100% of the time, but the offense only needs to be right once”

or

“The offense always wins and the defense always loses.”

Naturally, you see a lot of really good professionals that focus on defense take offense to that. No one wants to hear absolutes like this, and frankly they don’t make sense in the info sec world. These statements are morale killers and really don’t do much more than one group telling another they are better than them. Here are a few thoughts on winning in info sec.

What are Your Goals?
As a business, inherently making you the defense, you have a goal to protect certain assets. A majority of the time it is sensitive information such as copyrights, intellectual property, customer data, etc. In the process of protecting this data, the company performs many different tasks to keep that data safe. One may implement technical controls, such as firewalls, IDS/IPS, network segmentation and egress filtering. They may also write great information security policies and procedures. There are different levels of security that can be implemented, and are usually aligned with the risk the company is willing to accept. To determine this risk, a company will analyze their sensitive assets and determine what the cost of protection is versus the cost of loss and evaluate which is right for the company.

If your goal as a company is to protect consumer credit card numbers (yes this is very narrow in scope for example purposes) and a breach occurs that steals name and address, but no credit card numbers, did you “lose?” Even if credit card numbers get stolen, is it still a “win or lose” situation?

If you are breached, but stay in business, continuing to provide services to your customers in a positive way, did you “lose?”

What Defines the Game?
If there are winners and losers then there must be a game, right? What is the definition of the game to determine when a winner is crowned? Currently, it appears as though the game starts when you create a presence on the Internet. There are only two ways to end the game: leave the Internet or get breached (the offense’s self-proclaimed victory). What happens if you get breached and stay on the Internet? I guess a new game starts. At the most, a breach means that the offense has scored, but let’s not get ahead of ourselves.

Let’s look at some breaches and see if the breach should constitute a win.

  • Target, sure they lost a lot of credit card data, yet they are still in business and people still shop there.
  • Sony got owned in a major way, but look, still alive and running.
  • Staples, JimmyJohns, even Chick-fil-a all were breached yet all still running their day to day business with what would appear to be very little fallout.
  • T.J. Maxx was huge in the news a few years ago, still going.
  • Many, many more companies just like this and still running strong.

I don’t see any “winning”, by the offense, in the above breaches; I see scoring. Scoring that usually doesn’t even come close enough to claim a victory.

If we really look at the situation, the defense actually wins 99% of the time. Web applications and networks are under constant attack from the bad guys, and we are not seeing every company sitting on a breach list. Yeah, I know that there are probably a lot of companies that are currently breached and just don’t know it. How many attacks are happening that don’t succeed? Unfortunately, we only hear about that one time the attack works and breaches a company. Going back to the Goals idea above, who are you trying to keep out: the script kiddie, or the highly skilled, highly paid attacker that is willing to take years learning your company to attack it? I get it, nothing is 100% secure and an attacker with enough motivation can get into anything, but should that thought overpower the so-called game?

Is it a Game?
There is a huge community in security that looks at the Internet as the greatest capture-the-flag (CTF) ever created. With hundreds of millions of connected systems and web sites, it is a plethora of fun and probably quite easy to “score.” I liken it to a golf course that has a ridiculous number of holes for each tee. So much so that hitting the ball with your eyes closed still has a high chance of landing in one of the holes. Although, as in golf, putting the ball into the hole on one green doesn’t constitute a win; it constitutes a score that is later tallied to determine a winner.

Final Thoughts
We need to get away from the idea that “defense sucks” and “offense is so easy and great.” Sure, some companies are not doing as much on the defensive side as they should, but that doesn’t mean they always lose. Even companies that have great security can fall victim to a breach, but that is usually all it is. I have fallen victim to saying I like the offensive side because it is easier. That I can easily find something to ding you on with your app or network. The reality is that not everything identified as a security flaw or risk is a “win” or even something someone should fix. It goes back to the risk acceptance of the company. I bet I could walk around your house and find problems too, but that doesn’t mean I won; what would I have even been playing? I would also just be distancing myself from you, looking like a jerk. We need to do better at bringing our two sides together, working together to have the information needed to make risk acceptance more accurate.

QA and Security Pt. 1: What QA Are You Talking About?

There has been a lot of chatter recently regarding QA and the role it plays in security testing. Hashing this out over Twitter with 140 characters per post just makes things more confusing. While I think that Twitter helps start some of the most important discussions, there is a need for other mediums to expand on the topic. In this series of posts, I want to take the opportunity to bring up some of these topics and hopefully expand on them a little bit. We all have our opinions and we will certainly not all agree on everything; however, these are conversations we need to have.

What do you think of when you hear Quality Assurance (QA) mentioned in a conversation? Is it just a process that documents or processes go through to make sure they are sound? Do you think of that group of people that test applications to make sure they function as they should? It is important for everyone in the discussion to understand the context in which the term QA is being used to ensure everyone is on the same page.

As mentioned above, there are a few different things we think of when we hear the term QA. The one that comes to mind the most to me is the team that tests applications or software to ensure that they are working properly. Most likely I go this route because I come from a lengthy development background and that is the QA I mostly dealt with. This QA team is responsible for identifying bugs in the system, documenting them and getting them back to developers to resolve them. This team is engaged after software is written (well, during the iterative development process) and before it is released to the production environment. Even this group can be very different between companies which I will talk about in future posts in this series.

Other people when they hear about QA think about a different group (most likely) that is responsible for reviewing documents and procedures to ensure accuracy. One example of this is sending requirements or design documents through a QA process to ensure they are correct.

Of course there are other types of QA, but those are the two we will focus on throughout this series. If you have other examples, please feel free to send them my way on twitter (@jardinesoftware) or james@jardinesoftware.com. The more we start distinguishing the context we are discussing the more we can get done by cutting through the confusion. Defining our context is a critical first step.

In the rest of this series I will dive into the different types of QA and how they relate to security. What role can they play? What should they be able to find, and what should they not be able to find? Can QA find security flaws? Follow me on this short journey to see what we find out.

When Breaches Get Personal

Unless you have been living under a rock, you have probably heard about the breach of privacy against some celebrities who had some indecent images stolen. It is easy to get caught up in the hoopla that surrounds this latest intrusion due to the racy images that were stolen, but there is a bigger question around all of this. Lets pull away those top layers and see what the deal is.

The story goes that images were taken with mobile devices, and the device then synced the data to some form of cloud storage. You have seen cloud storage before, right? Dropbox, Sync, Box, iCloud, etc. There are a lot of services that allow storing your data in "The Cloud". Some of this is just for backup purposes; others help sync data across multiple devices.

Let's start by talking about this mysterious cloud. If you saw the recent movie "Sex Tape" you may have heard it mentioned. You might be shocked that the only thing about the cloud that actually resembles a cloud is its representative image on a network diagram. There are lots of definitions and everyone will tell you something different when describing the cloud. The key point is that these services have servers running in multiple data centers, and when you send your data to them it gets stored on those servers. You don't know where the data actually is, and in most cases it doesn't matter. It is, in this scenario, an offsite storage mechanism.

Many of these services make it easy to sync files between devices. Wait, you really don't have more than one device? It is becoming much more common for people to have a phone, tablet, computer, etc. Wouldn't it be great if, when you created a file (photo, document, etc.), it was available on all your devices? The cloud services help with that. Some programs, like the iOS Photos feature, will automatically sync your pictures to all your devices.

Whether people are aware of how this works, or of its implications, is hard to really determine. I think most people really don't think about the mechanism by which the photo made it from their phone to their tablet. They just care that it got there, not thinking about a copy being stored somewhere else. Just like in law, ignorance is no excuse for not knowing what is going on with your devices and services.

As we have seen in the past few years, breaches are an everyday occurrence. Usually we see them at big businesses or retailers. These cloud services are also targets due to the types of data they store. Sure, in the most recent case it was nude photos, but think of some of the other stuff that you store from your device. There is a lot of potential for sensitive information to be stored there.

Do you stop using cloud services because of an incident? Personally, I keep on trucking as usual. I use iCloud, Dropbox, and other cloud services all the time. Understand, there is a risk to using any of these services, although I wonder whether the risk of the service getting compromised is less than or greater than the risk of your own personal device getting compromised. Like everything we do in life, you have to be aware and take responsibility for what you do. Hey, if you want to take nude photos, that is your business. If those images get compromised (and if they are on an electronic device, there is a chance of that), then you determine how to handle the situation. This goes for any data you store, not just photos.

There is so much finger pointing and blame game going around the internet about the recent nude photo breaches. It is the celebrities' fault, it is the hackers' fault, it is the cloud service provider's fault. I don't see how any blame is put on people that take pictures and use a service. We were all given a choice, and that doesn't give anyone else the right to exploit it. Depending on how the accounts were compromised, some responsibility may lie with the user, some with the provider. If the provider did something completely negligent, then I can see some problem there. But let's not let any of that detract from the true malicious user here: the attacker that broke in and stole the information. There are going to be people that do this all the time, and we are seeing more of it every day. Let's be clear, there is no way to remove the blame from the attacker in any of these scenarios.

As users, we need to stay focused on following good security practices: strong pass phrases, less password reuse across sites, don't click stuff you shouldn't, stay away from shady sites, and think about what you are doing. Don't get caught up in the hype of news headlines, but rather take in the details and determine what the real issue is. All of the talk about nude photos is not the issue. Data stolen by an attacker is the issue. Be safe and enjoy the internet.

Breaches Happen: Call to Action

I loaded up Twitter this morning and was bombarded with even more reports of companies getting breached. The latest on the radar include the likes of JPMorgan Chase and some Dairy Queen locations. I won't even attempt to guess at the number of breaches that have occurred already this year, but at what point do companies sit down and decide to look at their own network and systems?

I am not talking about reaching out to a company to perform a penetration test, or even a risk audit. I am thinking about looking at your actual systems for any signs of compromise like what we are seeing in all of these breaches. Let's just assume that everyone is breached; what would you as a company do? You have an incident response plan, right? Disaster recovery is in place? If any of the above doesn't sound familiar, you are already late to the game.

If you are a retailer or have any type of POS system, take a moment and check your systems. There is known malware that may just be sitting on them without your knowledge. You have to go looking for this, rather than just waiting on the Feds to let you know that you have a problem.

If you are a franchise, I recommend you look at your policies for franchisees regarding security. Do you have a way to check how they are doing in regards to security? While a breach may occur at an individual location, it is YOUR brand name that will be pasted all over the news. It is debatable whether or not any news is good news, so I don't recommend taunting that bear.

As an industry we put so much effort into defending our systems, which will always be needed. However, we also have to focus on the ability to determine whether something has successfully gotten through those defenses. Ordering another penetration test will help identify where the gaps are; it will most likely not identify that someone has already exploited them.

I know, I know, we are short on cyber security professionals and we just don't have the manpower. That is no excuse for not properly utilizing the resources that you have. You don't have to be a cyber security professional to understand networking and computer systems, or to monitor network traffic looking for anomalies. Network admins and analysts should know what normal traffic looks like and what a normal installation looks like. Changes in that information should spark some interest. We can't just wait for the network to tell us… we have to start thinking about going and searching for these differences.
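As an added illustration of "know what normal looks like and go looking for the differences" (example code written for this post, not something the author provided), the Python below compares a current snapshot of per-host listening sockets and outbound connections against a recorded baseline and reports new listeners, new destinations and volume spikes; the host names, addresses and flow lines are constructed sample data.

```python
from collections import defaultdict

# Constructed sample data (not real traffic): per-host listening sockets and
# outbound connections with byte counts, as an admin might export from a firewall.
BASELINE_FLOWS = """\
pos-01 outbound 203.0.113.10:443 bytes=12000
pos-01 outbound 203.0.113.10:443 bytes=9800
pos-01 listen 0.0.0.0:3389
store-db outbound 203.0.113.20:5432 bytes=40000
"""
CURRENT_FLOWS = """\
pos-01 outbound 203.0.113.10:443 bytes=11000
pos-01 outbound 198.51.100.77:8080 bytes=950000
pos-01 listen 0.0.0.0:3389
pos-01 listen 0.0.0.0:4444
store-db outbound 203.0.113.20:5432 bytes=300000
"""

def parse_flows(text):
    """Build {host: {"listen": set(endpoints), "outbound": {dest: total_bytes}}}."""
    profile = defaultdict(lambda: {"listen": set(), "outbound": defaultdict(int)})
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip blank or malformed lines
        host, kind, endpoint = parts[:3]
        if kind == "listen":
            profile[host]["listen"].add(endpoint)
        elif kind == "outbound":
            nbytes = int(parts[3].split("=", 1)[1]) if len(parts) > 3 else 0
            profile[host]["outbound"][endpoint] += nbytes
    return profile

def find_drift(baseline, current, volume_factor=5):
    """Return (host, reason, detail) for each deviation of current from baseline."""
    findings = []
    for host, cur in current.items():
        base = baseline.get(host)
        if base is None:
            findings.append((host, "host not in baseline", ""))
            continue
        for ep in sorted(cur["listen"] - base["listen"]):
            findings.append((host, "new listening port", ep))
        for dest, nbytes in sorted(cur["outbound"].items()):
            base_bytes = base["outbound"].get(dest)
            if base_bytes is None:
                findings.append((host, "new outbound destination", dest))
            elif nbytes > volume_factor * base_bytes:
                findings.append((host, "outbound volume spike", f"{dest} {nbytes}B"))
    return findings
```

Running `find_drift(parse_flows(BASELINE_FLOWS), parse_flows(CURRENT_FLOWS))` flags the new listener on pos-01, its new outbound destination, and the volume spike from store-db; none of these require a security specialist to spot once a baseline exists.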

We also need to get better at sharing the details of what happened in one breach so the rest of the industry can learn from it. If you are hit by some unknown malware, what are the signs and signatures of it? How did you identify it, so the rest of us can go look? We have so many "researchers" testing sites for things like XSS and SQL Injection; let's get some of them researching how the malware can be identified and creating tools to help sniff it out and eradicate it before it affects millions of sites. Crowd sourcing is working great to find things like XSS, so why not use it to help snuff out bugs quickly?

We need to start digging deep into how we approach security and come up with better ways to protect systems. We need to focus on the ability to identify breaches more quickly. We need to analyze those breaches to get tools available to quickly block the attack methods. Let's start working together to make a difference.