Public Speaking, Loathe it or Love it? Top Tips to Help You Shine!

I’ve been public speaking for almost 25 years now and I’m often asked how I look so comfortable and as engaging/passionate as I am, this isn’t how I’ve always been…

I was a very shy and nervous child, teenager and even in to my early career in retail; although working in retail helped me immensely in getting over the shyness. I was fine talking one to one, but the very though of having to speak to a group filled me with complete and utter dread. I was paralysed at the thought.

When I moved in to IT I was sent on the Dale Carnegie course in the early 90’s, this included having to do a two minute talk to the rest of the class every week for the length of the course….scary wasn’t the word! However, it did help me to overcome my initial panic (panic was the correct word), and even some of my anxiety/nerves. But, it was a small group, no more than 20 people, not hundreds or thousands!

The first time I did a conference, back in 1996 (to several hundred delegates) I couldn’t stand up because I was so nervous (my legs would not support me; luckily the lectern microphone was faulty, so I got to sit down at the moderators desk, phew!) The following year I presented at the same conference and I actually stood up to deliver my talk; I was still very nervous, however, since then it has become easier (less stressful) & now I actually enjoy presenting at conferences, events and training sessions all over the world.

“I was a very anxious and shy person, I am not an extrovert; although many people believe I am, they often tell me that I am a very engaging and passionate and that I come across as a very natural and confident speaker.’

So, what can you learn from my personal experiences, so that you can tame the nerves and shine when you next have to present?

Here are my top tips to make it as painless for you, and engaging for your audience:

1. Use stories, real world stories help to bring a subject to life, and help to engage your audience (everyone likes a story).

2. Know your stuff, it may sound obvious, but if you don’t know your material (topic) then it will show and be more stressful for you and uncomfortable for your audience. I love sharing the knowledge, tricks and tips that I’ve acquired over the last 31 years…

3a. Never do a live demo (record it instead). Also, any videos or other material you use, make sure you have a local copy (internet connectivity may be patchy or non-existent).

3b.Try and use your own laptop as relying on the organisers one may prove problematic. Issues could include; lack of the correct codecs (meaning your videos won’t play, or won’t play correctly), the laptop the organiser is using may use a different language or Operating System that you don’t know. If you must use the organisers laptop, etc. test that it works as expected with your material, don’t just wing it!

3c. Pictures really do help, (as the old saying goes “A picture is worth a thousand words” by all means use text on your slides, but make it clear that this is for reference, as you will share the slides with the audience afterwards.

4. Rehearse (especially if it is new material, or not your slide deck/talk). If you don’t know your material intimately, then it will show, practice, practice, practice and know your stuff! Speak clearly, and use a measured pace (don’t talk too fast; I’m still guilty of doing this at times). But equally don’t talk too slow, and definitely use a varying tone (it is better for the audience, believe me). Breathe, leave space after you have made a point (to let it sink in).

5. Make it personal, Talk to your audience, ask them questions, ask for feedback/confirmation during the talk (not just at the end).

6. Make it fun (memorable), use humour to make a point and to raise the interest level, especially if it is a rather dry or scary subject. Cartoons can help raise the interest level, as can jokes (but be careful not to offend).

7. Give actionable takeaways (no not food or gifts ;-)) Give your audience things (useful tricks/techniques/best practice, etc.) they can use both at home (in their personal life) and at work.

8. If you are nervous use the nerves to your advantage. Nerves can help give you energy to make your talk sparkle. Be passionate about your subject, you will feel less anxious as a result.

9. Move about, don’t hide behind the lectern/podium, use the stage/floor; this helps you to engage with more of the audience than you could otherwise do. Look as many in the eye as you can (not just those at the front).

10. Enjoy yourself, when you follow the above, you can actually enjoy the experience; this makes it more engaging/comfortable for the audience. Go on, do it, if I can then you can too…

I now present all over the world at event and conferences to audiences from 30 up to over 5,000!

There are probably others that have slipped my mind at this moment, what are your top tips?

OMG Cyber! Episode 5 – The one about The Curious Case of Conficker (aka Downadup) – Interview with Ken Bechtel

The latest episode of my podcast is now available, hope you enjoy it…

Episode 5 – The one about The Curious Case of Conficker (aka Downadup) – Interview with Ken Bechtel

This episode is mainly an interview and discussion with Ken Bechtel, who like me has been in Cyber Security for over three decades. We discuss “the Curious Case of Conficker (aka Downadup), the Botnet that Never Bit..”

This includes what we (as an industry, as a victims) learnt from it. We also discuss AVIEN, Intelligence Sharing, SNORT signatures (for new malware) as well as honeypots, Opaserv (where I was, jokingly, accused of writing new variants of this family of share crawling worms), AutoRun risks, and various other things.

You can find out more about us on our website, including how to contact us, here: https://omgcybersecurity.co.uk You will also find show notes there…

You can subscribe to it via Apple, Anchor.fm, Google, Pocket Casts, Spotify, Breaker, PodBeam, RadioPublic and Overcast (others to follow)

Question of the Day: How do I become a security specialist (ethical hacker, malware researcher, digital forensics, etc.)

First things, do you like solving puzzles, do you like a challenge, can you stare at a screen for many hours, poring through code, logs, etc?

Were you the sort of child that liked to take things apart to understand how they worked, and more importantly could you put them back together again, without having left over pieces, and did the thing still work at least as well as it did before?

Do you look at things and think, well that should work as expected if I follow the logic, but, if I do this instead, it will bypass that logic and let me access another part of the site/code or infrastructure?

Or, maybe when hearing about a new threat, you quickly see how it works and how you can either slow it down, or stop it dead in its tracks using simple techniques or processes, or by using an existing security control in a different way?

If you answered yes to several or more of the above, then you might have the right mindset for a career in cyber security as an ethical hacker, social engineer, malware analyst or in digital forensics and incident response. If you didn’t answer yes to one or more of the above, don’t worry, you can still work very successfully in other areas of cyber security, just probably not as an ethical hacker or in incident response or malware research.

“If you have the right mindset, you can be taught the skills,
but it is very hard to teach a mindset…”

So, if you do have the right mindset, how should you develop the required skills to get into cyber security?

First, decide, do you like technology or the human side of the problem. That will be your first step. If you are lucky you might be able to do both…

The next step is dependant on the answer to the first question. If technology, then you need to become very familiar with as many operating system, applications, programming languages as you can (you don’t have to be proficient in all of them to start off, just pick one or two for starters).

If the human side is more your bag, then learn about cons, social engineering, and psychology in as much depth as you can. Then try some of the techniques on friends and family (without breaking the law).

After that, find a mentor, someone that is skilled in the discipline you want to learn, soak up as much knowledge from them as you can.

Read everything you can on the subjects, if available, go on courses, go to events, conferences, local meets to meet likeminded people, be they newbies like you, or security professionals with a decade or more of real world experience to mine for tips and tricks, etc.

If you are looking at doing malware research, ethical hacking or forensics, you will find lots of CTF and analysis challenges that are freely available, do as many as you can; when you fail (and you will) learn from the failure, it won’t be the last time. Even the best fail often, but they always learn as much (if not more)  from the setbacks ass the successes. Often doing security work is hard and even boring, but when you solve a problem (reverse a malware and understand how it works and how to stop it, or gain access to a system or network, or identify how a bad guy or girl got in, the rush is amazing).

Expect to have to start in a junior role, maybe even working on an IT Helpdesk, doing patching, hardening, server/system builds, etc. We all have to start somewhere.

I started by building and configuring PC’s (building them and installing the OS and applications, configuring them, etc.) Then I moved on to reviewing hardware and software for the same company (doing research, etc.), then I got involved with security (malware at first), worked on the IT Helpdesk, did AIX support (a Unix flavour), and finally I built and ran the Internet Security team (defence, as well as ethical hacking). It takes 5-10 years to become proficient enough with a wide range of operating systems, applications, hardware, networking, security tooling, attack methods, malware analysis, and so on. Be patient, don’t take shortcuts, as it will not help you in the long run.

You don’t need degrees or certificates to do well in this area, you do need the right mindset, be willing to learn and experiment, and work long and odd hours, as the job will not be your usual 9-5 one. I left school at 16 and have no degrees or diplomas and have only been on two cyber security courses in over 31 years of working in this field. (One on advanced hacking and the other on advanced digital forensics, both of which I attended to confirm that what I had learnt and been doing for over 20 years (at that time), being mainly self-taught, was right after all, it was! In fact I taught the course instructors a few things that they didn’t know)

Be very wary of the problem of stress; this is a major risk when working in cyber security, especially in Incident Response. Burn out is quite common, if you don’t manage stress correctly.

One thing I will strongly recommend is to look back in history, see what has happened in the past, both from breaches, attack methods, malware types and tricks, etc. There is very little that is “new”, most of the things you will encounter will build on old (tried and trusted) tricks and methodology; usually just updated to the latest OS versions, applications, etc. or re-used to take advantage of the new victim pool (ones that were not around or didn’t take notice the first, second or third time that technique was used).

If you want to learn about web application testing, then there a several training VMs out there, such as SecurityShepherd that will test your skills in a safe and secure environment quite legally.

On the subject of legality, whatever you do, do not be tempted to step over the line and do something illegal with your skills, as you will constantly be looking over your shoulder waiting for law enforcement to apprehend you. It will also make you less employable in the cyber security world.

You don’t have to be a black hat to be a skilled hacker or to understand how an attack is done or how malware works. As I said earlier in this episode, good ethical hackers may be able to think like a bad guy or girl, they just don’t act like one, in other words you don’t need to break the law to be very skilled in any security field.

After that, expect a lifetime of learning, building on and refining you existing skills, and as things are right now, you will have a long and productive, well paid career helping to counter the bad guys and girls, rather than being one of them…

Anyone that states that you “need to be a thief to catch a thief” or that you “need to be a poacher to be a gamekeeper” or any of the other examples, I say to them, rubbish! There are very few real world cases where being an ex-criminal has made a difference that hasn’t or couldn’t have been made, more effectively by a good researcher that can think like a bad guy or girl, but hasn’t gone over to the dark side to prove their skills.. In fact many of those that were caught, even though the press made them out to be some form of Uber hacker or malware writer, the vast majority had very poor skills, they often used other criminals code/techniques to carry out the attack… what most of us in cyber security would call “script kiddies”…

You can make a difference, be on the right side, help defend and protect those in society that are often the victims of the many cyber crimes that happen each and every minute of every hour or every day…

To quote Del Boy Trotter, from Only Fools and Horses, You know it makes sense, don’t be a plonker

If you think I have missed anything important, or I should add something to this article, please let me know.

OMG Cyber! Episode 4 – The one about End User Education and Testing, What it takes to work in Cyber Security, and what BYOD means, and more!

The latest episode of my podcast is now available, hope you enjoy it…

Episode 4 – The one about End User Education and Testing, What it takes to work in Cyber Security, and what BYOD means, and more!

This episode does a fairly deep dive on End User Education and Testing and why everyone should be a part of any organisations security defences.

I also talk about the latest news around the Wipro and Microsoft breaches, MalwareTech’s guilty plea, and the Docker breach, etc….

This episodes Question of the Day discusses what it takes to be a cyber security specialist, especially around ethical hacking, forensics or malware research.

here are a number of companion blog postings, these can be found here: https://omgcybersecurity.co.uk/blog

You can find out more about us on our website, including how to contact us, here: https://omgcybersecurity.co.uk You will also find show notes there…

You can subscribe to it via Apple, Anchor.fm, Google, Pocket Casts, Spotify, Breaker, PodBeam, RadioPublic and Overcast (others to follow)

Cyber Catalyst; Dead Cert or Rank Outsider?


Disclaimer: The views in this article/blog posting are my own opinion based on the available data that Marsh has made public.

As mentioned in episode 3 of my OMG Cyber! podcast, a number of insurers/brokers have joined a new cyber ratings project known as “Cyber Catalyst”.

More details can be found here: https://www.darkreading.com/risk/insurers-collaborate-on-cybersecurity-ratings/d/d-id/1334258 and direct from Marsh here: https://www.marsh.com/us/campaigns/cyber-catalyst-by-marsh.html

Here are a few snippets from the article on the Marsh site:

In the Cyber CatalystSM program, leading cyber insurers evaluate and identify solutions they consider effective in reducing cyber risk. Participating insurers include Allianz; AXIS; AXA XL, a division of AXA; Beazley; CFC; Munich Re; Sompo International; and Zurich North America. Microsoft is a technical advisor to the program.

Cybersecurity products and services viewed as effective in reducing cyber risk will be designated as “Cyber CatalystSM”. Organizations that adopt Cyber Catalyst-designated solutions may qualify for enhanced terms and conditions on cyber insurance policies from participating insurers.

I applaud Marsh for doing something to try and address the lack of cyber risk analysis, profiling, etc. However, I do question the value of this initiative; I will outline below my concerns and thoughts on why this is, I believe, not a helpful offering.

I do not see the value of Insurers/brokers carrying out product/solution ratings, as:

1. They (the insurers/brokers) are not experts in this area, and
2. There are already plenty of other independent testing/rating organisations that have been doing this for many years, to a very high standard. These include ISCA, NIST, AV-Test, and so on… It would have been far more sensible to partner with one of these instead, and it would have added more credibility…

So, this seems to be a strange thing to attempt; a bit like reinventing the wheel and coming up with a different shape that is not as efficient as the one we already have which has served us rather well, so far.

The program is, by my understanding, stating that if a client/insured has product/service x, y or z from the list of “approved/recommended” ones, that the client will get better rates (such as higher limits/lower premiums) and so on.

1. Now, this is fine, apart from the perspective that just because the client/insured has purchased an “approved/recommended” product/solution, it does not mean that they have rolled it out or installed it.
2. Even if they have done so, where are the checks and balances to confirm this, that it is not only rolled out, but actually configured correctly?
3. Furthermore, where is the ongoing validation? Without that, this is pretty much just a box ticking exercise, and therefore no better than the existing risk rating mechanisms they already use.
4. They state that “Microsoft is a technical advisor to the program.”, this does not really help, as they are not a trusted independent review organisation/body. What happens when Microsoft review their own products and solutions?
5. Their disclaimer doesn’t exactly offer a ringing endorsement of the value of the program, read it for yourself and see if you agree?

I would say that this is little more than a “beauty contest” and it doesn’t really do anything to address cyber risk in a new way.

Now, just to be completely transparent, I used to work for AIG as a Cyber Risk Specialist (and so I understand Cyber Insurance quite well). I helped AIG design their Cyber rating solution known as “CyberMatics”. Let me be very clear, I have no axe to grind with any of the insurers, and receive no financial benefit from “CyberMatics” or AIG on this, or any other article/blog posting that covers cyber insurance.

The difference with “CyberMatics” is that is collects telemetry and/or meta data to validate that:

1. The insured has the solution/service installed correctly, and more importantly
2. That it is being used correctly; not just once, but on-going, and this is shared with the client/insured via a secure portal, to help them further improve their cyber defences and resilience.

That is a huge difference!

You can find out more about “CyberMatics” here: https://www.aig.com/business/insurance/cyber-insurance/cybermatics

What are your thoughts on this?  Please let me know…

“Cyber Catalyst” and “Cyber Catalyst by Marsh” are registered trademarks of Marsh LLC
“CyberMatics” is a registered trademark of AIG

OMG Cyber! Episode 3 The one about Sextortion, Social Engineering, SIEM and SOAR

The latest episode of my podcast is now available, hope you enjoy it…

Episode 3- The one about Sextortion, Social Engineering, SIEM and SOAR

This episode does a fairly deep dive on Sextortion scams and Social Engineering.

I also talk about the latest news around the FIN6 Cyber Crime gang, Credential Stuffing attacks and a new Insurance initiative…

This episode uses a new microphone, improved workflow and  post-production tools, this has hopefully produced better (more consistent/levelled) final audio. As usual, all feedback is most welcome.

There are a number of companion blog postings, these can be found here: https://omgcybersecurity.co.uk/blog

You can find out more about us on our website, including how to contact us, here: https://omgcybersecurity.co.uk You will also find show notes there…

You can subscribe to it via Apple, Anchor.fm, Google, Pocket Casts, Spotify, Breaker, PodBeam, RadioPublic and Overcast (others to follow)

Insurance, Silent Cyber, and Refused Claims, Oh My!

This is a companion blog posting to my Episode 1 Podcast about Insurance, etc. which can be found on the Podcast page of this site, or on all good podcasting platforms, including Google, Apple, Spotify, Pocket Casts, etc.

Disclaimer

I am not an insurance specialist, I am a techie with over 30 years of real-world experience in malware, over 15 years of ethical hacking experience and over 10 years of digital forensics (incident response) as well as working for a large cyber insurer for over 2 years (note past tense) where I worked hand-in-glove with underwriters, brokers and claims staff in helping them understand cyber risks, defences and remediation. I also used to meet with CISOs, IT Security Managers and Risk Managers/Legal Council to understand their risks and processes, procedures, technologies, business partners, supply chain and cloud/outsourced services.

I run my own business; I do not work for an insurer or sell insurance (of any type). However, when I did work for an insurer, along with being the cyber risk specialist assisting underwriters, brokers and claims adjusters. I also trained many cyber underwriters, helping them to understand the technology, the lingo (acronyms) and what are the right questions to ask (and what are good answers), when to ask them, and to who (so that they could have meaningful risk dialogue with CISOs, IT Managers, etc.) The underwriters then can understand the answers given and price the risk appropriately, rather than just fearing a worse case scenario, and pricing according to their fears/expectations (which is far better situation (both on cover/limits and pricing) for the insured/client too)!

“Silent” Cyber

For those of you that are not in the insurance industry, you may not be aware of this term and what the implications are to existing (non-Cyber) policies, such as Property, Casualty, D&O, Kidnap and Ransom or Crime.

In simple terms, Silent Cyber is used to describe the case where cover for Cyber threats is not explicitly mentioned in the policy wording/coverage. As the insurers would say, these non-Cyber policies do not have “affirmative” cover.

What this means to you as a policy holder is that the insurer may not honour a claim if it is Cyber related for a non-Cyber policy (even if you have a Cyber extension to that non-Cyber policy). Why, because the wording and terms and conditions in force will be those from the master policy (the non-Cyber one/the main policy). This can cause claims to be rejected, as can be seen in the next section of this article.

Refused Claims

There have been two recent cases reported where the insurer has declined to pay a claim in relation to the NotPetya attacks back in June 2017, these are Hiscox vs DLA Piper and Modelez vs Zurich.

Despite what the press and other media has claimed, in both cases that the policy was a cyber policy and the reason stated by the press or other media for the claim being declined was down to an “act of war, or hostile action”.

From what I have found out, neither of these claims are in relation to Cyber Insurance policies, in fact they both are related to Property policies (which are, even with a cyber extension added on, not the same as a dedicated Cyber Policy.   Very sloppy reporting, which doesn’t help anyone…

So, this has resulted in every person and their pet of choice making statements, such as “well, what is the point of buying insurance as the insurer will weasle their way out of having to pay” and “there is no point in buying cyber insurance, as I’ve seen what happened to the claims from Mondelez and DLA Piper”.

Expecting wide-ranging/expert Cyber coverage from a Property policy is like expecting wide-ranging/expert Health insurance from your House and Contents policy! Not surprisingly you will not get comprehensive health cover backed by experts in this area. It’s a bit like expecting your gardener to offer health screening (without them being a medical practitioner).

A few days a go a written statement was sent to SC Media UK (owner of the SC Magazine) in which Kylie O’Connor, the head of group communications at Hiscox stated “The dispute we are in with DLA Piper, is not about a cyber policy and has nothing to do with a war exclusion.” This just proves that the press and other media were (shock, horror) making things up so that they could publish (without little things like “facts” get in the way!

However, in the case of Norsk Hydro, they do have a dedicated Cyber policy, and therefore are covered under that policy (up to their limit, and after taking into account any excess, waiting period, and loss adjustment).

Why do companies invest in cyber insurance?

Well, for lots of reasons, including the ones listed below:

  • Hacking (external or internal misuse)
  • Physical loss of data (left on train, back of cab, accidents (sending data to the wrong person, etc.)
  • Data corruption or eraser (cost to recover or recreate), even paying for ransomware decryption keys.
  • Business Interruption, such as DDoS, Ransomware, etc. including loss of business
  • Costs for first response (forensics, legal, PR), etc. covered under the policy
  • PCI and other fines covered (where legally allowed)
  • Bricking (where a device becomes unusable due to a firmware or other update failing).
  • Legal or contractual requirements (from industry, business partners, etc.)
  • In some cases the insurer will offer services/solutions/products to help the insured improve their overall security posture/maturity for free (as part of the policy) or at a discounted price.

At the end of the day suffering a cyber breach has almost become “normal” and “expected” as not a day seems to go by when we don’t hear about yet another breach (new or historical); a good cyber insurance policy can help offset the risk and related costs for such breaches/incidents.

Then there are new risks/attacks such as CryptoJacking and Password Spraying (O365 and GSuite targeted via IMAP and even if 2FA or MFA is enabled they may be able to get in to your account).

What are  the ways that companies could avoid falling into this crevasse?

Check the policy you have is fit for purpose, check with your insurer or broker. I strongly suggest that you ask your insurer or broker which scenarios/risks you are covered for by the policy and if you identify gaps in your existing coverage decide if the cost of taking out extra insurance is a good risk/benefit trade-off or solution.

Check that the coverage includes first response (forensics, legal and PR services), that you have enough cover for business interruption, including lost business and remediation costs. Also consider the brand/reputational damage and knock-on customer effects, loss of trust, etc.

Check to see that the policy will cover financial fraud, such as BEC/Fake CEO, employee fraud, if not, find a crime policy that includes this. Crime policies are not the same as a Cyber policy as what they cover is different, or from a different perspective.

Make sure that the Limits, waiting period and excess is suitable for your business needs.

Don’t go for the cheapest, especially if the insurer/broker only ask 5-10 questions and doesn’t sit down with your CISO or IT Manager, etc. to discuss the answers afterwards (very few questions can be answered yes or no; they are usually a bit of both and the answer may vary across a typical organisation), as may the questions that should be asked by the Insurer or Broker.

The Future?

Even though a dedicated Cyber policy is a far better bet in today’s incident/breach strewn world, there are some things that they still don’t cover.

I want to see the Insurance industry step up and make Cyber policies more inclusive; it would be better if Crime cover was also included (including not only crime and fraud due to hacking, but also fraud due to social engineering or insiders/insider collusion). This should include BEC/Fake CEO and Invoices, etc. even when NO hacking or breach has occurred!

In Summary

Organisations need to ensure (no pun intended) that the existing Insurance policy or policies they have are fit for purpose and will actually pay-out when needed. You need to purchase the right policy type for the right risk, as otherwise you could end up in the same situation as DLA Piper and Mondelez… If in doubt check with your insurer or broker, before it is too late!

Update 15th April, 2019: It has come to my attention that Merck is also suing their insurer for refusing a claim; again it is NOT a Cyber policy, it is in relation to their Property policy.

Ransomware – Extortion by any other name, would be as bad!

This is a companion blog posting to my Episode 0.5 (the Teaser) Podcast about Ransomware, etc. which can be found on the Podcast page of this site, or on all good podcasting platforms, including Google, Apple, Spotify, Pocket Casts, etc.

Ransomware is not new, but how many of you actually know when it first appeared?

Believe it or not, the very first Ransomware appeared in 1989; yes you read that right! Want to know more, then read on, and I’ll explain the history and major changes that have occurred since that very first Ransomware way back in 1989…

Back in Time

The very first Ransomware was the so-called AIDS Trojan which was supplied on a 5.25″ Floppy Disc to thousands of  attendees of the World Health Organisation’s AIDS Conference and also mailed out to over 20,000 individuals across Europe.

The disc was created by PC Cyborg which was the company run by Dr. Joseph Popp and it contained a program that claimed to work out your risk/chance of catching AIDS (now called HIV). If you inserted the disc into your IBM (or compatible) PC and ran the program, it would indeed do what it claimed; however after 90 boots/reboots the malicious payload (encryption) would trigger and you would see the following:

AIDS Trojan Ransomware

Ironically, if you actually read the EULA that came with the disc, it clearly explained that you needed to pay a licence fee to use it and that it would encrypt your system if you didn’t pay, sound familiar?

Here is part of the text of the supplied EULA:

"If you install [this] on a microcomputer...
then under terms of this license you agree to pay PC Cyborg Corporation in full for the cost of leasing these programs...
In the case of your breach of this license agreement, PC Cyborg reserves the right to take legal action necessary to recover any outstanding debts payable to PC Cyborg Corporation and to use program mechanisms to ensure termination of your use...
These program mechanisms will adversely affect other program applications...
You are hereby advised of the most serious consequences of your failure to abide by the terms of this license agreement; your conscience may haunt you for the rest of your life...
and your [PC] will stop functioning normally...
You are strictly prohibited from sharing [this product] with others..."

Here is the full version:

EULA from the AIDS information diskette

Luckily the program used trivial encryption and soon a decryption tool was written by Jim Bates and given away for free. He also wrote up his analysis of the Trojan (the term Ransomware didn’t exist in 1989).

An arrest warrant was issued by New Scotland Yard and Popp was eventually arrested at Schiphol airport in Amsterdam during a routine baggage inspection.

From that date his behaviour became very erratic; he was held in Brixton prison until he was due to go to appear at court. There have been reports that he was known to wear a cardboard box whilst in prison, and that when he finally appeared in court, that he had curlers in his beard and a condom (prophylactic) on his nose, allegedly “to ward off radiation”. Whatever the real state of his appearance in court, he was declared “mentally unfit to stand trial” and returned to the United States without charge.

Other researchers (Yung and Young) analysed the Trojan in more detail and wrote a paper on it (in 1996) pointing out its many flaws, but the major one was that is used Symmetric (single key) encryption rather than Asymmetric (Public Key Cryptography, that uses two keys, a Public and a Private key). Most modern Ransomware uses the latter, and this means that unless you have access to the Private key, you can’t decrypt the encrypted data (unless the encryption methodology used is not properly implemented).

The Rebirth…

Not surprising, the Bad Guys n Girls were taking notes, and in the early Noughties we saw the re-birth of (or birth of modern) Ransomware. Of course it used Public Key Cryptography (PGP/GPG). Some of the early new versions were named PGP or GPGCoder. However, the problem was how to get the money from a victim without being caught or unmasked (always a tricky issue for any extortionist or blackmailer in the days before cryptocurrencies existed).

We saw a small (compared to the explosion that was to follow) number of these new Ransomware, but all was about to change in 2009 with the first launch of a little cryptocurrency called Bitcoin (invented in 2008).

It took a few years for the cyber-criminals (the Bad Guys n Girls) to catch on to the value of Bitcoin as a method of payment for Ransomware and other crimes, but by around the start of 2013, they had started to embrace Bitcoin and Ransomware exploded over the next 4-5 years. The first modern Ransomware that took full advantage of not only Public Key Cryptography, but also Bitcoin was known as Cryptolocker. Many saw the success of this malware, and promptly developed their own Ransomware strains.

The Business

Once Cryptolocker had arrived, Ransomware quickly became a thriving way to make money for the Bad Guys n Girls. Estimates appeared that claimed that in 2015 Ransomware netted (according to the FBI) over $24 Million USD, in the first three months of 2016 this had grown to over $209 Million USD, and Kaspersky claimed that Ransomware attacks tripled in 2016. Things just got worse in 2017 as we saw the first Worm-enabled Ransomware (which can move from system to system without human help). 2017 is remembered for two major Ransomware attacks, Wannacry in May, and then NotPetya in June (both Worms). The problem with NotPetya was although it acted like Ransomware, it was in reality a wiper, so even if you paid up, you wouldn’t get your data back!

According to Cybersecurity Ventures, they predict that Ransoware will cost $6 Trillion USD annually by 2021.

But read on dear reader, things are about to change, in 2018!

The Future?

As mentioned previously things were about to change in 2018 (actually from the last quarter of 2017)…

During 2018 we saw the number of Ransomware attacks shrink, but the average Ransom being charged increased (significantly), why?

  • The Bad Guys and Girls moved to a more targeted approach, often manually hacking an organisations infrastructure, mapping out there network, and then encrypting the organisations “crown jewels”. Often part of this mapping would identify where the backups were and these would either be erased (securely) or encrypted too. They started to look for high value targets, rather than use the previous scatter-gun (mass-mailing) approach they had used during 2015-2017.
  • Writing Ransomware is not trivial (if done properly), so the Bad Guys n Girls were also looking for other ways to monetise vulernable systems (ones they can hack, either manually or via an automated script). They decided to steal the processing power of compromised systems to “mine” cryptocurrency. Less work, less risk and more profit; it was a match made in heaven!

I blogged about the “Curse of Cryptojacking” recently.

However, I don’t think we have seen the back of Ransomware, the Bad Guys n Girls may have moved on to Cryptojacking and Sextortion scams, however, they will continue to hold data and systems to ransom where the payout is worth the effort. Increasingly this means Public Services (Government), Healthcare, Education, and Law Enforcement (including Law firms), as well as the more traditional targets (Retail, Travel, Finance, etc.)

Update March 20th: Ironically less than 24 hours after I posted this blog, Norsk Hydro was hit by manually deployed Ransomware (in this case is was LockerGoga) which uses the same approach as other manually deployed Ransomware (such as SamSam); the victims infrastructure in penetrated via a vulnerability or insecure open port, and the Bad Guys n Girls map out the network and then deploy their Ransomware personally.

Protection?

  • Harden and patch all systems, applications and Cloud infrastructure.
  • Use unique passwords for all access; even better use two or multi-factor authentication (not SMS based).
  • Install and run anti-malware, end-point/server protection, and on servers enable and configure the firewall and if it is a web server protect it via a Web Application Firewall too.
  • Remove all default accounts and sample content on web and database servers, etc.
  • Close off ports for remote administration, or put them behind a VPN. That includes RDP (Terimal Services), Telnet, SSH and others
  • Stay aware of new threats and countermeasures, both specific and generic.
  • Train and test your staff; they are often the first and last line of defence.
  • Take BACKUPS, and store them physically off-site (not in the Cloud), and test that they work (do a RESTORE). That way you have the option to recover your systems and data without having to pay the Bad Guys n Girls.
  • If you are using O365 or GSuite enable 2FA/MFA and do NOT allow the services to be accessed via IMAP or POP3, as this will bypass Multi-Factor Authentication (you have been warned!)
  • If you have cyber or crime insurance, check that Ransomware is covered by the policy (most cyber insurance policies currently do cover this, but Property and Casualty policies usually don’t)…

Until next time, stay safe out there!

The Curse of CryptoJacking!

Since around the end of 2017 there arose a new threat to organisations and individuals alike, cryptojacking; with Ransomware starting to become less favoured as a mass-attack method, the Bad Guys n Girls were looking at new ways to make money with the least amount of work and risk as possible.

So, in 2018 we saw a huge jump in a new tactic; this was the use of scripts and malware to “mine” cryptocurrency using your or your organisations systems (usually without your knowledge, or approval). We also saw the move towards targeted Ransomware attacks, often asking for huge ransoms to be paid to get access to your data, on your systems, or hosted/cloud based servers.

So, what is CryptoJacking, what is cryptocurrency “mining”, and what does it mean to you and your systems or organisation, do you need to be worried, and what can you do to help reduce the risk from this new threat?

Let me explain:

Hopefully you all know about cryptocurrencies, at least at the basic level? If not, or for those of you that know the basics, here’s a more in-depth look at it (but not too deep), it should also help those of you that don’t yet know about cryptocurrencies.

Cryptocurrencies

When most people are asked about what they know about cryptocurrencies, they will usually reply that they know of, or have heard of Bitcoin (and possibly they may also mention Blockchain, which is not a cryptocurency at all, it is the Distributed Ledger [transaction log] used by all cryptocurrencies, and it can be used for lots of other things too, but that’s another story).

In simplest terms a cryptocurrency (like Bitcoin) is a digital currency that unlike other currencies, is decentralised (no single person or entity has control over it), unlike real “phyiscal” currencies (British Pound, US Dollar, Euro, etc.). It is also, for most purposes anonymous (that’s why the cyber criminals like to use them). It instead relies on Blockchain and what you might call a democratic method of recording and approving all transactions.

Cryptocurrency Mining

“Mining” in the world of cryptocurrencies is the act of “approving or validating a transaction and adding it to the  blockchain” each validation or approval of a transaction earns new cryptocurrency for the miner.

To do this is a case of using huge amounts of processing power; unlike “physical” mining, where you have to expend manual effort, cryptocurency mining is all done on a computer. There are many crypto-mining groups and individuals, often with dedicated “rigs” to carry out this activity. One of the real-world concerns with crypto-mining, is that because the systems used are “maxed-out”, they require lots of power and as a by-product produce lots of heat; requiring extra power to cool the room they are housed in. This, it is suggested, may also affect (increase) global warming!

Cryptojacking

Cryptojacking is when your site, server or application has been compromised (hacked), either via a vulnerability (bug), weak or default credentials (maybe re-used credentials), poor security controls such as open ports (that shouldn’t be), social engineering (phishing, vishing or smishing, etc.) Once compromised an unauthorised script, binary or other file is uploaded and executed (run); this then starts to crypto-mine using your systems processor to carry out intensive processing to validate transactions (mine cryptocurrency).

So what, I hear you say?

Well, for one thing, if it is an end point (laptop, workstation, etc.) it will slow to a crawl, now image this happening on a webserver, database server, etc. Now throw in the scenario of Cloud (where you are often charged by the CPU cycle), imagine what your next bill from them will look like. It will be between hundreds and thousands of time more than your “normal” bills! All the while the Bad Guys n Girls are making money and slowing (and possibly damaging) your business…

Now there are Worms that perform cryptojacking! Worms are automated malicious code that can move from system to system without human help.

No real surprise there, as the technique is the same as we saw with many of the Ransomware Worms in 2017 and 2018 (such as WannaCry and NotPetya). It is an obvious evolutionary step. In fact the same exploit code is being used (EternalBlue, which was stolen from the NSA by the ShadowBrokers).

What do you need to do?

  • Harden and patch all systems, applications and cloud infrastructure.
  • Use unique passwords for all access; even better use two or multi-factor authentication (not SMS based).
  • Regularly check you systems for high or unusual CPU usage (beyond the normal range).
  • Install and run anti-malware, end-point/server protection, and on servers enable and configure the firewall and if it is a web server protect it via a Web Application Firewall too.
  • Remove all default accounts and sample content on web and database servers, etc.
  • Close off ports for remote administration, or put them behind a VPN.
  • Stay aware of new threats and countermeasures, both specific and generic.
  • Train and test your staff; they are often the first and last line of defence.
  • If you have cyber or crime insurance, check that cryptojacking is covered by the policy (most cyber insurance policies currently do NOT cover this)…

Until next time, stay safe out there!

Have the Spammers Become Lazy?

Is it just me or are spammers getting lazy?

I ask as the latest trick being used by them, that I’ve seen recently, seems to be to get the recipient <victim> to click on one of two buttons in the spam email. Nothing odd about that right? Normal tactics to get victims to go to a fake or booby-trapped website.

However, this is not the case, and there appears to be no malicious code or links in these, so what does it do when you click on one of the buttons in the email?

If you hover over the button, you will see lots of mailto: links (which will send email to the intended recipient specified), in this case it includes not just one mailto: but usually between 10 and 30! So if you clicked on one of the buttons, it simply sends the same email to a bunch of other email addresses…

Furthermore, It makes no difference which button you select as they both do the same thing!

Here’s an example using Facebook as the spoofed sender, but I’ve also seen ones that use FedEx, Google and a whole load of other well known brands….

 

And here’s one claiming to be from Google:

Most odd!

Please be careful out there…

Anyone out there have any idea why they are using this technique?